IPsec VPN using Azure MFA on local NPS not working

Hello,

I set up a new NPS server on 2019 and installed the Azure MFA extension. I'm using this as the authentication method for IPsec VPN using the Sophos Connect app. As far as I can tell I have set everything up correctly but I get a "User Authentication Failed" message on the client. If I check the NPS Server logs it shows a successful authentication for my user account. I get the push notification on my phone and approve it and then within a couple seconds it fails. I checked the "access_server.log" file and am seeing the following error message:  "handle_pam_authorization: VPN/SSLVPN/MYACC Authorization Failed, result_code=1"

If I change the authentication service back to my AD controller which is leveraging the same security group that my NPS server has set up, it connects (without MFA obviously) but switching back to RADIUS and my NPS server it fails.

SFV4C6 (SFOS 18.0.5 MR-5-Build586)

  • Hi.

    I had the same issue with Duo MFA. The solution is to first create a local user in the firewall with only the username (remove @domain.com). This can be done using the user portal with your setup (turn the RADIUS server on in the Auth tab) or manually. After that it should work.

    The RADIUS settings in Sophos MR5 have the domain field, so it should work if that's set. But I have not tried it since the Duo setup (MR4, and there is no domain field in MR4).

    Also check the timeout settings for your RADIUS server. We put in 30 seconds and that was fine for us.

    So anyway our solution was to create a "new" user as stated above.

    //Rickard

  • Thanks for your reply. I tried this and am still getting the failure. Also changed the timeout from 15 seconds to 30 and it didn't help.

  • Sorry to hear that. Hard to say since we do not know the complete setup. But since you get an MFA push sent to the phone, it feels like there is something in the firewall.