Glad you found a workaround. Regarding the issue you mentioned about 802.1x PEAP-TLS authentication with Azure MFA, here are my recommendations:
- About Azure MFA and 802.1x compatibility
  802.1x PEAP-TLS authentication with Azure MFA is possible, but in some cases, compatibility issues may be encountered. Azure MFA is primarily used for user authentication, while 802.1x authentication typically involves machine authentication. In this case, you may encounter some limitations, especially in the authentication process for computer objects.
- Recommendations for using two NPS servers
  The workaround you mentioned to whitelist IPs in the NPS server registry is an effective temporary solution. Indeed, many organizations choose to use an architecture with two NPS servers: one for user authentication (with Azure MFA) and one for machine authentication (without Azure MFA). This practice reduces potential conflicts and complexity, ensuring that each authentication method works correctly.
- Best Practices
  Split authentication: If you have a large number of 802.1x authentication requests in your environment, we recommend that you use two NPS servers. This ensures that traffic for machine authentication and user authentication doesn't interfere with each other.
  Monitoring and logging: Ensure that the logs of both NPS servers are monitored so that potential issues can be identified and resolved in a timely manner.
Best Regards,
Jill Zhou
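The registry allow-list workaround discussed in the answer above, as an added PowerShell example that is not part of the original thread: it assumes the NPS extension for Azure MFA reads a semicolon-separated string value named IP_WHITELIST under HKLM\SOFTWARE\Microsoft\AzureMfa (the post does not name the key), and it validates and merges addresses idempotently rather than overwriting the value, since every listed source skips the MFA challenge.

```powershell
# Added example (not from the original post): idempotently merge RADIUS client
# addresses into the Azure MFA NPS extension allow list.
# Assumption: the extension reads a semicolon-separated REG_SZ named IP_WHITELIST
# under HKLM:\SOFTWARE\Microsoft\AzureMfa; the thread itself does not name the key.
function Add-AzureMfaIpWhitelist {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $Address,
        [string] $KeyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa',
        [string] $ValueName = 'IP_WHITELIST'
    )

    # Accept only well-formed IPv4 addresses. Anything else is rejected rather than
    # silently written, because each entry here bypasses the MFA challenge.
    foreach ($a in $Address) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($a, [ref]$parsed) -or
            $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            throw "Not a valid IPv4 address: '$a'"
        }
    }

    if (-not (Test-Path $KeyPath)) {
        throw "Key $KeyPath not found; is the Azure MFA NPS extension installed?"
    }

    # Read the current list (it may not exist yet), merge, and de-duplicate
    # while keeping the existing order so the change is easy to review.
    $current  = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $existing = @()
    if ($current) {
        $existing = @($current -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $merged   = @(($existing + $Address) | Select-Object -Unique)
    $newValue = $merged -join ';'

    if ($newValue -eq ($existing -join ';')) {
        Write-Verbose "No change: $ValueName already contains all requested addresses."
        return $merged
    }

    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to '$newValue'")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $newValue -Type String
        # The extension picks up registry changes when NPS (service name IAS) restarts.
        Restart-Service -Name IAS
    }
    return $merged
}

# Usage with constructed sample addresses for the switches/WLCs that send
# machine-authentication requests; -WhatIf previews the change without writing it.
# Add-AzureMfaIpWhitelist -Address '192.0.2.10', '192.0.2.11' -Verbose -WhatIf
```

Run it with -WhatIf first and review the merged list it returns; the same list is what NPS will exempt from MFA, so keep it limited to the RADIUS clients that carry machine authentication.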