VPN Integration with Network Policy Server (NPS) RADIUS Accounting?

Occasional Contributor

Hello,

 

Looking to integrate our 3rd party VPN solution with MSFT Defender for Identity.

 

The solution is using Microsoft's Network Policy Server (NPS) for authentication, and there are options inside NPS's Connection Request Policies for forward RADIUS accounting logs.

 

I have this configured and enabled the VPN RADIUS Accounting settings in MSFT Defender for Identity but I am not getting anything or "Accessed VPN locations".

 

I read on here about making sure the <User-Name data_type="1"></User-Name> field forwarded by NPS matches the user UPN. In my case it was realm\user and using regex I changed this to user@domain.com which matches the AD UPN attribute.

 

However I am not getting any data.

 

  1. https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/always-on-vpn-integration/m-p...
  2. https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/atp-and-vpn-integration-vpn-l...

 

Here is the event when NPS is configured to dump to log file.

 

<Event><Timestamp data_type="4">09/22/2021 06:28:30.133</Timestamp><Computer-Name data_type="1">XXXXX</Computer-Name><Event-Source data_type="1">IAS</Event-Source><NAS-Identifier data_type="1">XXXXX</NAS-Identifier><Calling-Station-Id data_type="1">XXXXX</Calling-Station-Id><Client-IP-Address data_type="3">172.16.XXX.XXX</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XXXXX</Client-Friendly-Name><Proxy-Policy-Name data_type="1">XXXXX</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><User-Name data_type="1">user@domain.com</User-Name><SAM-Account-Name data_type="1">XXXXX</SAM-Account-Name><NP-Policy-Name data_type="1">NetMotion</NP-Policy-Name><Class data_type="1">311 1 172.16.XXX.XXX 08/30/2021 07:33:12 1463</Class><Authentication-Type data_type="0">8</Authentication-Type><Fully-Qualifed-User-Name data_type="1">XXXXX</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
6 Replies
See some details here about the needed RADIUS format:
https://docs.microsoft.com/en-us/defender-for-identity/install-step6-vpn

If it's still not helping, open a support case, support can give you best effort support to show you what is "broken" in the format that will cause MDI to ignore the message.
Make sure to have a network trace ready containing the radius messages sent to the sensor.

It looks like the NPS server is not forwarding accounting messages to the DC based on wireshark data, we use the Azure MFA extensions and I read somewhere because of this it can't forward them.

Is there a way to feed this data into identity protection by other means? We have the NPS accounting logs on disk in DTS Compliant format.

 

In MCAS we can upload logs (https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker), can we upload the NPS logs and have that tied to the "Accessed VPN Locations"?

Sadnly no, Radius messages (properly formatted) are currently the only way.
Thanks Eli,

Is there a way to request feature enhancements for MDI? Would be very useful to train the system with our NPS VPN authentication logs to enhance Accessed VPN Locations reporting.
You can email MDI Feedback : AatpFeedback at microsoft com.

@Eli Ofek @Mirza Dedic hi, do you know if this feature has been added yet? I am also looking to configure VPN integration with Defender for Identity, Cisco ASA RADIUS client and RADIUS server is NPS with NPS extension.