Sep 22 2021 04:22 AM - edited Sep 22 2021 06:46 AM
Hello,
Looking to integrate our 3rd party VPN solution with MSFT Defender for Identity.
The solution is using Microsoft's Network Policy Server (NPS) for authentication, and there are options inside NPS's Connection Request Policies for forward RADIUS accounting logs.
I have this configured and enabled the VPN RADIUS Accounting settings in MSFT Defender for Identity but I am not getting anything or "Accessed VPN locations".
I read on here about making sure the <User-Name data_type="1"></User-Name> field forwarded by NPS matches the user UPN. In my case it was realm\user and using regex I changed this to user@domain.com which matches the AD UPN attribute.
However I am not getting any data.
Here is the event when NPS is configured to dump to log file.
<Event><Timestamp data_type="4">09/22/2021 06:28:30.133</Timestamp><Computer-Name data_type="1">XXXXX</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-Identifier data_type="1">XXXXX</NAS-Identifier><Calling-Station-Id data_type="1">XXXXX</Calling-Station-Id><Client-IP-Address data_type="3">172.16.XXX.XXX</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XXXXX</Client-Friendly-Name><Proxy-Policy-Name data_type="1">XXXXX</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><User-Name data_type="1">user@domain.com</User-Name><SAM-Account-Name data_type="1">XXXXX</SAM-Account-Name><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name><Class data_type="1">311 1 172.16.XXX.XXX 08/30/2021 07:33:12 1463</Class><Authentication-Type data_type="0">8</Authentication-Type><Fully-Qualifed-User-Name data_type="1">XXXXX</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
Sep 22 2021 01:45 PM
Sep 22 2021 03:36 PM - edited Sep 22 2021 03:46 PM
It looks like the NPS server is not forwarding accounting messages to the DC based on wireshark data, we use the Azure MFA extensions and I read somewhere because of this it can't forward them.
Is there a way to feed this data into identity protection by other means? We have the NPS accounting logs on disk in DTS Compliant format.
In MCAS we can upload logs (https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker), can we upload the NPS logs and have that tied to the "Accessed VPN Locations"?
Sep 23 2021 01:44 PM
Sep 23 2021 03:17 PM
Sep 27 2021 02:39 PM
Sep 16 2022 01:33 AM
@EliOfek @Mirza Dedic hi, do you know if this feature has been added yet? I am also looking to configure VPN integration with Defender for Identity, Cisco ASA RADIUS client and RADIUS server is NPS with NPS extension.