1,920 questions
Azure NPS Extension - Conditional Access for 802.1x (Bypass MFA)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 16%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Me At Worky
21
Reputation points
Hi all,
Currently using Azure NPS Extension on a RADIUS server for user based MFA dial-in authentication. We also use RADIUS on another server to authenticate Wireless 802.11 connectivity from corporate devices, without the NPS Extension.
Is it possible to bypass the MFA request on the Azure NPS server for only 802.11 devices (not users) authenticating via PEAP? So that I can consolidate RADIUS to just one server, all that is required.
Ideal Scenario: 1 RADIUS server that handles both user auth (identity verified via MFA communicated to Azure via the NPS extension), and the same server that can auth trusted devices via PEAP without attempting MFA.
Many thanks.
Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,081 questions
Windows for business | Windows Server | User experience | Other
20,212 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator2022-02-02T18:51:52.92+00:00 @Me At Worky , Apologies for the late reply on this one. AS I understand you want to use one single RADIUS server with MFA extension for authenticating User's MFA requests and also authenticate your wireless clients. I checked this and I believe that we have an advanced setting which you can do on the NPS/RADIUS server where you have Azure NPS extension installed. You can create IP-based Exceptions for your second RADIUS . Basically you can add WLAN 802.11 controller IP as RAIDUS client on your NPS extension server and also add its IP as an exception on the NPS extension server. You can do this by editing the registry setting . To configure an IP allowed list, go to
HKLM\SOFTWARE\Microsoft\AzureMfain the registry and configure the following registry value:Name Type Default value Description IP_WHITELIST string Empty Provide a semi-colon separated list of IP addresses. Include the IP addresses of machines where service requests originate, like the NAS/VPN server. IP ranges and subnets are not supported. <br><br> For example, 10.0.0.1;10.0.0.2;10.0.0.3 This value is not present by default and you would need to restart the NPS service again . Let us know if this works.
Thank you .
Sign in to comment
Sign in to answer