JamesEdmonds-7766 asked · SunnyQi-MSFT edited

NPS MFA Extension with single RADIUS server

Hello,

We have an existing NPS and RADIUS setup running that covers our SSTP VPN clients, as well as 802.11x authentication on our UniFi access points.
We are looking to cover our VPN access with Azure MFA using the NPS extension.

On the deployment documentation provided by Microsoft, it states the below:

After you install and configure the NPS extension, all RADIUS-based client authentication that is processed by this server is required to use MFA. If all your VPN users are not enrolled in Azure AD Multi-Factor Authentication, you can do either of the following:

Set up another RADIUS server to authenticate users who are not configured to use MFA.

Create a registry entry that allows challenged users to provide a second authentication factor if they are enrolled in Azure AD Multi-Factor Authentication.

Create a new string value named REQUIRE_USER_MATCH in HKLM\SOFTWARE\Microsoft\AzureMfa, and set the value to TRUE or FALSE.

Based on that statement, does that mean that, regardless of policies defined within NPS, all the VPN clients and all wireless client connection requests would be subject to an MFA challenge?
The workaround being to create a second VPN deployment that does not use the same NPS/RADIUS server, or to approach using the registry keys mentioned?

Thanks
James
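
The registry setting quoted in the question can be inspected and changed as shown below. This is an added example, not part of the original post or of Microsoft's documentation; the function names are hypothetical, and the behaviour text assumes Microsoft's documented semantics that an unset or TRUE value challenges every request while FALSE challenges only users enrolled in MFA.

```powershell
# Added example. The key path and value name are the ones quoted in the question;
# the function names are hypothetical. Run elevated on the NPS server.
$AzureMfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName   = 'REQUIRE_USER_MATCH'

function Get-NpsMfaUserMatch {
    # Report the stored value and the behaviour assumed for it (see lead-in).
    if (-not (Test-Path -Path $AzureMfaKey)) {
        throw "Key $AzureMfaKey not found. Is the NPS extension installed on this server?"
    }
    $prop = (Get-ItemProperty -Path $AzureMfaKey).PSObject.Properties[$ValueName]
    $raw  = if ($prop) { ([string]$prop.Value).Trim() } else { $null }

    $behaviour = if ([string]::IsNullOrEmpty($raw)) {
        'Not set: every RADIUS request handled by this server gets an MFA challenge'
    } elseif ($raw -ieq 'TRUE') {
        'TRUE: every RADIUS request handled by this server gets an MFA challenge'
    } elseif ($raw -ieq 'FALSE') {
        'FALSE: only users enrolled in MFA are challenged'
    } else {
        'Unrecognised value: correct it to TRUE or FALSE'
    }
    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        Value     = $raw
        Behaviour = $behaviour
    }
}

function Set-NpsMfaUserMatch {
    # Write the string value; -WhatIf previews the change without applying it.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TRUE', 'FALSE')]
        [string]$Value
    )
    if ($PSCmdlet.ShouldProcess("$AzureMfaKey\$ValueName", "Set to $($Value.ToUpper())")) {
        New-ItemProperty -Path $AzureMfaKey -Name $ValueName -PropertyType String `
            -Value $Value.ToUpper() -Force | Out-Null
    }
    Get-NpsMfaUserMatch
}

# Audit first, then preview a change before applying it:
# Get-NpsMfaUserMatch
# Set-NpsMfaUserMatch -Value FALSE -WhatIf
```

The value is read per server, not per NPS network policy, so it applies to every RADIUS client that the server handles.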

Tags: windows-server, azure-active-directory, windows-server-2019, windows-10-network, windows-server-infrastructure

The issue is more related to Azure AD, I will help add the related tags. Appreciate your understanding.


0 Answers