Hello, I'm trying to configure a Microsoft NPS server (RADIUS). Is there any documentation on how to do that, because I have errors and I don't understand why...
Please capture a dump on the VPN server, see if Access-Reject packets are being sent by the NPS server. If yes, please check the event log of the AD NPS to get some insight about the cause.
Same problem here. TCPdump capture shows "Code: Access-Reject (3)" The event log shows Reason Code 49, Reason The RADIUS request did not match any configured connection request policy (CRP). I've tried changing the CRP to match on things like Client Name and Client IP Address (matching exactly to the values in the event in the Security log) but I keep getting the same error. I had a ticket open earlier where I was trying to match on the external IP of the PSA-5000 which was quickly corrected. The support engineer somehow got it working, but the next day it stopped working. This is extremely frustrating. There's got to be someone out there SUCCESSFULLY using Server 2016 NPS for RADIUS auth.
Can you confirm what type of Network Access Server was selected on the CRP? Please set it to "Unspecified" and check the behavior.
I tried Unspecified but I'm still getting the same error. I have a case open with Microsoft. Hopefully they can figure it out.
The supporter from Microsoft was able to get me up and running. MS has a dearth of documentation for getting this up and running with Pulse Secure.
To benefit anyone else who runs into this...don't use the wizard unless you're prepared to go back and edit both the CRP and Network Policies. I'd prefer to manually add and not have to go back and make changes. In the NPS console right-click on the CRP folder on the left. Give your policy a name, but leave the server type as Unspecified and click Next. Now set your condition. Since we allow all users VPN access I chose a Day and time restrictions set to...Permitted all days and times! Click Next and Next. Do NOT override the authentication settings. Click Next twice more and Finish.
Right-click on the Network Policies folder to create a new policy. Give your policy a name and leave the server type as Unspecified. Click Next. Since we allow all users VPN access I added a condition for Windows Groups set to Domain Users. Click Next. Select Access granted and click Next. For configure authentication methods check off only PAP (uncheck MS-CHAP and MS-CHAPv2). No, I don't want to see the Help topic, I'm following your instructions. Accept the defaults for the next two screens, then click Finish.
Assuming you have set up a user realm or two that uses the RADIUS auth server you set up, and have assigned a sign-in page with a unique URL, browse to the URL and sign in. You should see Event ID 6272 in the Network Policy and Access Server custom view, or directly in the Security log in Event Viewer. This indicates the NPS server granted access to the user.
I'm going to run this way for a few more days for testing before I install the NPS extension for Azure MFA.
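The thread's diagnosis hinges on the Security-log events NPS writes (6273 with Reason Code 49 when no CRP matches, 6272 when access is granted). The following PowerShell is an added example, not code from the thread or from Microsoft: it pulls those fields out of the event XML so the CRP name, network policy, client name and client IP that NPS actually saw can be compared against the policy conditions. The sample event is constructed; the live query assumes it runs on the NPS server with rights to read the Security log.

```powershell
# Added example: summarise NPS authentication events (6272 granted / 6273 denied)
# so a Reason Code 49 ("did not match any configured connection request policy")
# shows up next to the client name/IP and policy names NPS evaluated.

function ConvertFrom-NpsEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $id = $x.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # handle <EventID Qualifiers=...>
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        EventId       = [int]$id
        User          = $d['FullyQualifiedSubjectUserName']
        ClientName    = $d['ClientName']          # RADIUS client as registered in NPS
        ClientIP      = $d['ClientIPAddress']     # source IP NPS saw the request from
        CRP           = $d['ProxyPolicyName']     # Connection Request Policy that matched ("-" if none)
        NetworkPolicy = $d['NetworkPolicyName']
        AuthType      = $d['AuthenticationType']
        ReasonCode    = ($d['ReasonCode'] -as [int])
        Reason        = $d['Reason']
    }
}

# Live query on the NPS server: most recent grant/deny events, oldest last.
function Get-NpsAuthSummary {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-NpsEventXml -Xml $_.ToXml() }
}

# Constructed sample of a 6273 deny with Reason Code 49 (values are made up).
$sampleDeny = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="FullyQualifiedSubjectUserName">CORP\jdoe</Data>
    <Data Name="ClientName">vpn-gw</Data>
    <Data Name="ClientIPAddress">192.0.2.10</Data>
    <Data Name="ProxyPolicyName">-</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationType">PAP</Data>
    <Data Name="ReasonCode">49</Data>
    <Data Name="Reason">The RADIUS request did not match any configured connection request policy (CRP).</Data>
  </EventData>
</Event>
'@

ConvertFrom-NpsEventXml -Xml $sampleDeny | Format-List
```

On the server, `Get-NpsAuthSummary | Group-Object ReasonCode` gives a quick count of why requests are being rejected; a run of ReasonCode 49 with CRP "-" means the request never reached a network policy, so the CRP conditions (or the "Unspecified" server type suggested above) are what to compare against the ClientName/ClientIP in the events.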
@Mycfavisit wrote: The supporter from Microsoft was able to get me up and running. MS has a dearth of documentation for getting this up and running with Pulse Secure.
It took removing all the configuration from the NPS server, restarting it, and configuring the Connection Request and Network Policies from scratch so that it would authenticate a user based on domain username and password, then we added the MFA part.