NPS extension request specific authentication method from Azure MFA service

Question

Hello,
I have implemented successfully MFA solution for GlobalProtect VPN client users. Simplified workflow is following:

1. Remote/HomeOffice users initiate VPN connection via GlobalProtect VPN client application and provide their AD credentials
2. VPN gateway (Palo Alto firewall acting as RADIUS client) pass authentication request to local RADIUS server (Windows Server running NPS service with NPS extension installed) for each VPN user connection request.
3. Local RADIUS server performs primary authentication with local AD server (synchronized to Azure AD via Azure AD Connect service) and upon successful primary authentication performs secondary authentication check by sending request Azure MFA)
4. Azure MFA sends default authentication method challenge to user (authenticator app, SMS, phone call etc) and communicate RADIUS server about it which in turn communicate VPN gateway about it which in turn communicate VPN client application GlobalProtect about it. Thus if user have SMS configured as default MFA method, GlobalProtect app will prompt user to enter SMS OTP.
5. After user confirm authenticator app push notification authentication process completes successfully as well as in case with SMS OTP.
   However, if user have trouble with authenticator app, which is mostly used as primary authentication method in my organisation, there is no prompt to user to try with alternative MFA authentication methods (such as provided in O365 MFA authentication). It seems that such alternative workflow is not supported in GlobalProtect VPN client application.
   Furthermore, Palo Alto firewall VPN gateway and GlobalProtect VPN client application can offer VPN users possibility to connect to multiple gateways (user can select connection point) and each VPN gateway point can be configured to use different RADIUS server i.e. each VPN gateway would have dedicated RADIUS server.
   Now, my question is: Is it possible to configure NPS extension to request specific authentication method from MFA Azure service? My idea is to have four RADIUS servers each running NPS extension but first one would request specifically authenticator app MFA method, second one would specifically request SMS MFA method, third one would specifically request authenticator code MFA method while fourth one would request phone call MFA method.
   Thanks in advance for people trying to help me.
   Haris Alatović

Answer 1

it is not possible to let user select one of the MA method or fall back to different MFA method while connecting to VPN client using RADIUS based authentication.

After Primary authentication is successful, NPS extension for Azure Multi-Factor Authentication communicates with Azure Active Directory, retrieves the user's details, and performs the secondary authentication by using the preferred method that's configured by the user (cell phone call, text message, or mobile app).

I also understand your point on allowing user to select different MFA method in case primary MFA method is not available but this is current not supported/ available. when NPS extension is used for MFA.

Also, another use case will be based on Protocols used with RADIUS. Like in case of PAP with RADIUS user can set any one of the all available MFA methods as default ( Phone call, SMS, Mobile app notify, OTP from app or hard token ) , however, in case of other protocols like Mschap or EAP, only phone call and mobile app notification is supported. Now, in a use case where user has Phone call selected for office 365 MFA , fall back to SMS is possible on office 365 , however, the same cannot be used for VPN with Mschap/RADIUS as it only supports Phone call or mobile app notification.

But your point is valid it is not limited to your VPN solution. This is applicable on different VPN / RADIUS based solutions like RD Gateway or CISCO anyconnect client or even web based VPN.

Answer 2

Hello @Anuj Rana ,

I just found this thread when looking for exactly the same capability as @Haris Alatovic : we have a scenario where our staff authenticates using MFA via NPS extension over RADIUS. Typically, Microsoft Authenticator App notifications (on their managed mobile phones) are selected by the users as preferred MFA method. However, there are situations where app notifications are not possible (e.g. because of data roaming restrictions on the mobile phones used for MFA). In this case, a fallback to an "offline" method (e.g. TOTP, SMS OTP) is required and we are currently struggeling on implementing that.

In your above answer you stated that "allowing user to select different MFA method in case primary MFA method is not available but this is current not supported/ available. when NPS extension is used for MFA."

My question is: will this capability be implemented in the nead future (e.g. using the Vendor-Specific attribut in the RADIUS protocol as provided in https://tools.ietf.org/html/rfc2865#section-5.26 )? It would really be an important and helpful feature unless the O365 MFA authentication (which implements fallback scenarius) can somehow be generally re-used for custom authentication scenarios (other than O365)

Thanks already for your help
Alex

Answer 3

This would be a really nice feature to add to the MFA NPS Extension