question

HarisAlatovi-2451 asked RasmusHougaardChristiansen-0330 published

NPS extension request specific authentication method from Azure MFA service

Hello,
I have successfully implemented an MFA solution for GlobalProtect VPN client users. The simplified workflow is as follows:
1. Remote/home office users initiate a VPN connection via the GlobalProtect VPN client application and provide their AD credentials.
2. The VPN gateway (Palo Alto firewall acting as RADIUS client) passes the authentication request to a local RADIUS server (Windows Server running the NPS service with the NPS extension installed) for each VPN user connection request.
3. The local RADIUS server performs primary authentication against the local AD server (synchronized to Azure AD via the Azure AD Connect service) and, upon successful primary authentication, performs the secondary authentication check by sending a request to Azure MFA.
4. Azure MFA sends the default authentication method challenge to the user (authenticator app, SMS, phone call etc.) and informs the RADIUS server about it, which in turn informs the VPN gateway, which in turn informs the GlobalProtect VPN client application. Thus if a user has SMS configured as the default MFA method, the GlobalProtect app will prompt the user to enter the SMS OTP.
5. After the user confirms the authenticator app push notification, the authentication process completes successfully, as it does in the SMS OTP case.
However, if a user has trouble with the authenticator app, which is mostly used as the primary authentication method in my organisation, there is no prompt for the user to try alternative MFA authentication methods (such as those offered in O365 MFA authentication). It seems that such an alternative workflow is not supported in the GlobalProtect VPN client application.
Furthermore, the Palo Alto firewall VPN gateway and the GlobalProtect VPN client application can offer VPN users the possibility to connect to multiple gateways (the user can select the connection point), and each VPN gateway can be configured to use a different RADIUS server, i.e. each VPN gateway would have a dedicated RADIUS server.
Now, my question is: is it possible to configure the NPS extension to request a specific authentication method from the Azure MFA service? My idea is to have four RADIUS servers, each running the NPS extension, but the first one would specifically request the authenticator app MFA method, the second one would specifically request the SMS MFA method, the third one would specifically request the authenticator code MFA method, while the fourth one would request the phone call MFA method.
Thanks in advance to the people trying to help me.
Haris Alatović

azure-ad-multi-factor-authentication

Just out of curiosity, how can they enter the SMS OTP or authenticator code? I thought the GlobalProtect VPN client only accepts the user name and password and has no third field, like the FortiGate VPN client has, for an additional code.


Hello Patrick,

The GlobalProtect VPN client supports MFA authentication. When the MFA service responds with a challenge (SMS code or authenticator code), it shows an additional popup window so that the user is able to enter the SMS or authenticator code OTP.

AnujRana-1707 answered

It is not possible to let the user select one of the MFA methods, or fall back to a different MFA method, while connecting to the VPN client using RADIUS-based authentication.

After primary authentication is successful, the NPS extension for Azure Multi-Factor Authentication communicates with Azure Active Directory, retrieves the user's details, and performs the secondary authentication by using the preferred method that's configured by the user (cell phone call, text message, or mobile app).

I also understand your point on allowing the user to select a different MFA method in case the primary MFA method is not available, but this is currently not supported/available when the NPS extension is used for MFA.

Also, another use case is based on the protocols used with RADIUS. In the case of PAP with RADIUS, the user can set any one of the available MFA methods as default (phone call, SMS, mobile app notification, OTP from app or hard token); however, in the case of other protocols like MSCHAP or EAP, only phone call and mobile app notification are supported. Now, in a use case where the user has phone call selected for Office 365 MFA, fallback to SMS is possible on Office 365; however, the same cannot be used for VPN with MSCHAP/RADIUS as it only supports phone call or mobile app notification.

But your point is valid, and it is not limited to your VPN solution. This is applicable to different VPN/RADIUS-based solutions like RD Gateway, the Cisco AnyConnect client, or even web-based VPN.











AlexF-5862 answered KasperJensen-7681 commented

Hello @AnujRana-1707,

I just found this thread when looking for exactly the same capability as @HarisAlatovi-2451: we have a scenario where our staff authenticates using MFA via the NPS extension over RADIUS. Typically, Microsoft Authenticator app notifications (on their managed mobile phones) are selected by the users as the preferred MFA method. However, there are situations where app notifications are not possible (e.g. because of data roaming restrictions on the mobile phones used for MFA). In this case, a fallback to an "offline" method (e.g. TOTP, SMS OTP) is required, and we are currently struggling to implement that.

In your above answer you stated that "allowing user to select different MFA method in case primary MFA method is not available but this is current not supported/ available. when NPS extension is used for MFA."

My question is: will this capability be implemented in the near future (e.g. using the Vendor-Specific attribute in the RADIUS protocol as provided in https://tools.ietf.org/html/rfc2865#section-5.26 )? It would really be an important and helpful feature, unless the O365 MFA authentication (which implements fallback scenarios) can somehow be generally re-used for custom authentication scenarios (other than O365).

Thanks already for your help
Alex
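The RADIUS exchange behind steps 2 to 5 of the question (Access-Request, Access-Challenge carrying State and Reply-Message, second Access-Request with the OTP), together with the Vendor-Specific attribute layout from RFC 2865 section 5.26 that Alex refers to, as an added example that is not code from this thread, from the NPS extension or from Microsoft. The server is a toy model written for this page: the vendor ID 99999, the vendor-type "requested MFA method" and the user records are constructed placeholders (no such attribute exists in the NPS extension), push approval is simulated as instantly granted, and the Response Authenticator is not computed.

```python
"""Minimal RFC 2865 RADIUS encoder/decoder plus a simulated password-then-MFA
exchange.  Added example: not code from this thread, from NPS or from Microsoft.
HYPOTHETICAL_VENDOR_ID and VSA_MFA_METHOD are constructed placeholders for the
vendor-specific attribute idea raised in the thread; no such attribute exists."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, VENDOR_SPECIFIC = 1, 2, 18, 24, 26
HYPOTHETICAL_VENDOR_ID = 99999  # constructed, not a registered enterprise number
VSA_MFA_METHOD = 1              # constructed vendor-type; data is b"sms", b"push", ...

def password_xor(data, secret, authenticator, hiding):
    """RFC 2865 s5.2 User-Password hiding (hiding=True) or its inverse: each 16-byte
    block is XORed with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator.  Padding NULs are stripped on reveal."""
    data = data + b"\0" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\0")

def encode_vsa(vendor_id, vendor_type, data):
    """Value of attribute 26: 4-byte vendor id, then vendor-type, vendor-length, data."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data

def decode_vsa(value):
    vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
    return vendor_id, vtype, value[6:4 + vlen]

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs

class SimulatedMfaRadiusServer:
    """Toy model of the flow in the question: password check, then a second factor whose
    shape depends on the user's method.  Echoes the Request Authenticator instead of computing one."""

    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, packet):
        code, ident, auth, attrs = parse_packet(packet)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return build_packet(ACCESS_REJECT, ident, auth, [])
        user = a[USER_NAME].decode(errors="replace")
        pw = password_xor(a[USER_PASSWORD], self.secret, auth, hiding=False).decode(errors="replace")
        if STATE in a:  # second leg: User-Password now carries the OTP typed by the user
            ok = self.pending.pop(a[STATE], None) == (user, pw)  # State is single-use
            return build_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, [])
        rec = self.users.get(user)
        if rec is None or pw != rec["password"]:
            return build_packet(ACCESS_REJECT, ident, auth, [])
        method = rec["method"]
        for t, v in attrs:  # hypothetical per-gateway override of the user's default method
            if t == VENDOR_SPECIFIC and len(v) >= 6 and decode_vsa(v)[:2] == (HYPOTHETICAL_VENDOR_ID, VSA_MFA_METHOD):
                method = decode_vsa(v)[2].decode()
        if method == "push":  # out-of-band approval, modelled here as instantly granted
            return build_packet(ACCESS_ACCEPT, ident, auth, [])
        state = os.urandom(8)
        self.pending[state] = (user, rec["otp"])
        return build_packet(ACCESS_CHALLENGE, ident, auth,
                            [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent by " + method.encode())])

def client_request(secret, ident, user, password, state=None, method_vsa=None):
    auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, password_xor(password.encode(), secret, auth, hiding=True))]
    if state is not None:
        attrs.append((STATE, state))
    if method_vsa is not None:
        attrs.append((VENDOR_SPECIFIC, encode_vsa(HYPOTHETICAL_VENDOR_ID, VSA_MFA_METHOD, method_vsa.encode())))
    return build_packet(ACCESS_REQUEST, ident, auth, attrs)

def run_flow(server, secret, user, password, otp, method_vsa=None):
    """Drive the exchange as a RADIUS client would; returns the response codes seen."""
    first = server.handle(client_request(secret, 1, user, password, method_vsa=method_vsa))
    code, _, _, attrs = parse_packet(first)
    if code != ACCESS_CHALLENGE:
        return [code]
    second = server.handle(client_request(secret, 2, user, otp, state=dict(attrs)[STATE]))
    return [code, parse_packet(second)[0]]
```

The Access-Challenge leg is the part worth studying: the server hands back a State value and a Reply-Message, and the client re-submits with the same State and the user's code in User-Password. That round trip only exists because PAP carries the credential as an opaque attribute the server can reinterpret as an OTP; MSCHAPv2 and EAP exchange hashes instead, which is the protocol reason behind Anuj's note that only phone call and app notification work there. Two defender-side details are built in: a State is consumed on first use, so a replayed second leg is rejected, and the User-Password hiding is MD5-based obfuscation with the shared secret rather than encryption, so the RADIUS path between gateway and NPS server still needs a protected transport.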


I've voted, commented and shared on Twitter.
Azure MFA NPS Extension needs to be a first-class citizen. ADFS is too complex and with the old PhoneFactor server (Azure MFA Server) discontinued, there's no good way to provide a good user experience. There are a ton of apps that cannot speak SAML or OIDC.

RasmusHougaardChristiansen-0330 answered RasmusHougaardChristiansen-0330 published

This would be a really nice feature to add to the MFA NPS Extension.
