NPS server with Azure MFA Extension

Matthew Riddler 21 Reputation points
2020-11-16T23:01:29.447+00:00

Hello,
I have just installed a pair of NPS Servers to be able to use as a second factor auth, using the Azure MFA extension.
I believe I cannot just use the Azure MFA Extension on its own; I need to authenticate to AD as well. All of our users are MFA registered & synced into the cloud.

There are 2 things that I am trying to achieve.

Use AD & MFA authentication from NPS to provide Citrix NetScaler access, using MFA. This seems to be quite a simple thing to do. I just need to move the AD authentication to the NPS server, rather than the AD servers.

Set up an Always On VPN. As part of this an NPS server is required. I am still waiting to see if the management want MFA on this.
Is it possible to not send the authentication requests to the Azure MFA service, or does it always send the request to it as part of the extension being installed?
If it always sends the request to Azure, would I need to build a new set of NPS Servers without the MFA Extension installed?

Thanks
Matt


1 answer

AmanpreetSingh-MSFT 56,301 Reputation points
2020-11-17T09:09:07.247+00:00

    Hello @Matthew Riddler · Thank you for reaching out.

    Azure MFA Extension can't work on its own and requires an NPS Server to work with. The NPS extension translates RADIUS calls to HTTP REST calls and forwards them to Azure AD, then translates the response back from REST to RADIUS and passes that to the NPS server. If the request meets the conditions defined in the CAP policy on the NPS server, it gets forwarded to the NPS extension, which facilitates MFA. To achieve your requirement, you may consider one of the below options:

    • You can configure the policy conditions, e.g. the policy should apply only to members of a specific Windows group.
    • You can also have another NPS server without the extension.
    • You can configure the IP_Whitelist registry setting to skip MFA for given IP addresses.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
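As an added example, not from the answer above or from Microsoft's own tooling, the following PowerShell audits and sets the IP_WHITELIST value the NPS extension consults, which lives under HKLM\SOFTWARE\Microsoft\AzureMfa as a semicolon-separated list of RADIUS client (NAS) addresses. The function names, the IPv4-only validation and the sample address are my own assumptions; it must run elevated on the NPS server, and every address listed here gets no second factor, so keep the list to the RADIUS clients that genuinely need it.

```powershell
# Added example: audit and set the NPS extension's IP_WHITELIST value.
# Key path as documented for the NPS extension; confirm it against the
# current docs for your extension version before relying on it.
$AzureMfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

function Get-AzureMfaIpWhitelist {
    # Returns the addresses currently exempt from MFA (empty array if unset).
    $value = (Get-ItemProperty -Path $AzureMfaKey -Name 'IP_WHITELIST' `
        -ErrorAction SilentlyContinue).IP_WHITELIST
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return $value.Split(';', [StringSplitOptions]::RemoveEmptyEntries) |
        ForEach-Object { $_.Trim() }
}

function Set-AzureMfaIpWhitelist {
    # Accepts RADIUS client (NAS) addresses only as single IPv4 addresses,
    # so a typo cannot silently exempt something other than what was intended.
    param([Parameter(Mandatory)][string[]]$RadiusClientIp)

    foreach ($ip in $RadiusClientIp) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
            $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            throw "Not a valid IPv4 address: '$ip'"
        }
    }

    # Deduplicate and join with ';', the separator the extension expects.
    $joined = ($RadiusClientIp | Sort-Object -Unique) -join ';'
    Set-ItemProperty -Path $AzureMfaKey -Name 'IP_WHITELIST' -Value $joined -Type String

    # The extension reloads its settings with the NPS service (service name IAS);
    # restart it in a maintenance window and return the value now in place.
    return Get-AzureMfaIpWhitelist
}

# Example (placeholder address): exempt only the Always On VPN gateway while
# the NetScaler RADIUS client keeps MFA, then record the result for the change.
# Set-AzureMfaIpWhitelist -RadiusClientIp '10.0.0.5'
# Restart-Service -Name 'IAS'
```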