Azure MFA with VPN using SMS OTP

Will McKay 21 Reputation points
2021-01-25T20:49:15.907+00:00

Hello all. I am looking for some input on using Azure MFA with our on-prem VPN server using the NPS extension that leverages Azure MFA when accounts have the requirement to use MFA. Currently I have a test environment working with MFA enabled accounts and users that have the Authenticator app from Microsoft. These users can use MFA by responding with an approval in the app when prompted as part of connecting to the test vpn. The problem lies in users who have SMS set up as their primary authentication method in Azure MFA. These users receive the SMS OTP but there is no dialog to input the number on the workstation.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
    JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2021-01-27T23:35:29.34+00:00

    @Will McKay
    Thank you for your post! We received a similar issue to yours not too long ago, which I'll share here.

    Issue:
    From my understanding, you set up Azure MFA with the NPS extension, and users with the Authenticator app can authenticate to your VPN, while users who use SMS don't have any place to input the SMS OTP.

    Authentication methods:

    • PAP supports all the authentication methods of Azure AD Multi-Factor Authentication in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
    • CHAPV2 and EAP support phone call and mobile app notification.

    Based on these authentication methods, when you deploy the NPS extension, if your RADIUS client supports PAP, but the client UX doesn't have input fields for a verification code, then phone call and mobile app notification are the two supported options.

    Also, regardless of the authentication protocol that's used (PAP, CHAP, or EAP), if your MFA method is text-based (SMS, mobile app verification code, or OATH hardware token) and requires the user to enter a code or text in the VPN client UI input field, the authentication might succeed.

    If you configured SMS as an authentication method, can you make sure your VPN has the ability to support the SMS code option? If it does and you'd like us to take a closer look into your environment, please let me know.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
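The answer's distinction between PAP and CHAPv2/EAP comes down to what the RADIUS server can recover from the request: in PAP the User-Password attribute is hidden with a reversible MD5/XOR scheme (RFC 2865 section 5.2), so whatever the user typed arrives intact at NPS, whereas MS-CHAPv2 and EAP send only a challenge response derived from the password. The following is an added example, not code from the post or from Microsoft, implementing that PAP hiding and un-hiding with a constructed shared secret and a fresh Request Authenticator:

```python
import hashlib
import secrets


def radius_pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password as RFC 2865 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), the first block using the
    16-byte Request Authenticator. The server reverses this exactly, so any
    string the user typed is delivered unchanged to the RADIUS server.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # chaining uses the hidden block, not the plaintext
    return bytes(out)


def radius_pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reversal of radius_pap_hide; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    # Passwords ending in NUL bytes are not representable, as in the RFC.
    return bytes(out).rstrip(b"\x00")


def pap_round_trip(user_input: str, secret: bytes = b"constructed-shared-secret") -> tuple:
    """Constructed demo: hide what the user typed, then recover it server-side."""
    authenticator = secrets.token_bytes(16)  # fresh Request Authenticator per request
    hidden = radius_pap_hide(user_input.encode(), secret, authenticator)
    return hidden, radius_pap_unhide(hidden, secret, authenticator)
```

Note that "reversible" here is only about what the RADIUS server can recover; the hiding provides no confidentiality against anyone who holds the shared secret, which is why RADIUS traffic between the VPN and NPS should stay on a protected network.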


0 additional answers
