F5 with Azure NPS Extensions

Had a quick question. I am working on integrating the F5 with Azure MFA using the Azure Radius NPS extension. I have it all setup according the MS documentation (https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-nps-extension) and from an F5 perspective have the APM policies setup to use the Azure NPS Radius server. The Windows event log message is NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User azure.token with response state AccessReject, ignoring request.

 

When I try to authenticate a user , I keep getting an “Access Reject” Message no matter what I do. The user is setup and enabled for Azure MFA. I have also tried to use this method where I use the full Azure MFA server and configure it based on the these F5 articles (https://devcentral.f5.com/articles/heres-how-i-did-it-integrating-azure-mfa-with-the-big-ip-19634, https://devcentral.f5.com/articles/how-i-did-it-15-integrating-azure-mfa-with-office-365-20475 ) and if everything is working right then the behavior should be as shown in this video (https://www.youtube.com/watch?v=61juFt3J4Rw&feature=youtu.be)

 

I am tearing what’s left of my hair trying to get this to work and would appreciate it if you have any insights into how to get this working . My APM policy is as below – the one below is the simple one I am testing.

 

The One I want to implement in production is as below. Symantec 2FA is Radius based authentication as well.

 

Would love to hear your opinion on this.