JamesKindon / jkindon.github.io

https://jameskindon.github.io/jkindon.github.io/

Azure MFA NPS Extensions with NetScaler nFactor Authentication #11

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

Azure MFA NPS Extensions with NetScaler nFactor Authentication

Configuring a seamless MFA experience with nFactor and the Azure MFA Extensions

https://jkindon.com/azure-mfa-nps-extensions-with-netscaler-nfactor-authentication/

fus1996 commented 2 years ago

Fantastic Write-up! I have been trying to get this working for 3 days. I am almost there but I think there may be an error or a step missing with your code and I cannot figure it out. Near the bottom of the article, you have us applying this code but it does not seem right:

bind authentication vserver AuthVS-AzureMFA-NPS -policy nFactor-AzureMFA-Schema-Pol -priority 100 -gotoPriorityExpression END

This guide has no mention of creating an advanced policy called nFactor-AzureMFA-Schema-Pol.

What I am experiencing is this: if I am part of the AzureMFA security group, all works great and I get prompted for Azure MFA. If I am not part of the security group, I can still log in, and it does not prompt me for Azure MFA. I am thinking it should deny me access because I am not part of the group.

Can you please help me out with what the above code does?

Thanks

c3rberus commented 2 years ago

Great write up, I followed this guide to get MFA working. The command block to redirect some users to pass-through instead of MFA was very useful.

One issue I ran into is on our NPS server, where we have the Azure MFA extensions installed and configured with both a "Forward" and a "No Forward" Connection Request Policy: when the RADIUS client (ADC) sends the authentication request, it fails.

The error raised is: "NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User xxxxx with response state AccessReject, ignoring request.".

MSFT docs state that "Once you enable MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them." and "NPS Extension triggers a request to Azure AD Multi-Factor Authentication for the secondary authentication.".

This means any request that lands on the NPS server will be treated as "secondary authentication" and will not work, having multiple connection request policies does not resolve this.

The only way I got this to work is to configure the connection policy's authentication to "accept users without validating credentials".

I have not attempted this with two NPS servers, where one would perform the primary authentication (no extensions installed) and then forward the request to a remote RADIUS server where the NPS extensions are installed for MFA. I am not sure this would work, since looking at the logs there is only ever a single authentication request from the RADIUS client (ADC).

Wondering if anyone ran into this or has a solution. I am concerned with the connection request policy accepting credentials without validation, although the request would never reach the NPS server if primary (LDAPS) authentication fails on the ADC side.

Curious if you have any thoughts on this.

c3rberus commented 2 years ago

The issue was that MS-CHAPv2 relies on NTLMv2, and in most Active Directory environments this is disabled. If you use MSFT secure group policy baselines, it gets disabled. ADC talks to NPS using MS-CHAPv2, meaning NTLMv1 must be enabled otherwise the request fails.

On NPS server:

1. Select Start > Run, type regedit in the Open box, and then select OK.
2. Locate and select the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
3. On the Edit menu, point to New, and then select DWORD Value.
4. Type Enable NTLMv2 Compatibility, and then press ENTER.
5. On the Edit menu, select Modify.
6. In the Value data box, type 1, and then select OK.
7. Exit Registry Editor.

Everything now works :)
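The registry change described in the comment above, scripted so it can be applied and verified on the NPS server instead of clicked through in regedit. This is an added example and not code from the original post or article; it assumes the Windows NPS service name IAS and that the service needs a restart for the new value to take effect (neither is stated on the page). Run it in an elevated PowerShell session on the NPS server that hosts the Azure MFA extension; it supports -WhatIf so you can preview the write.

```powershell
# Added example (not from the original post): check and, if needed, set the
# "Enable NTLMv2 Compatibility" DWORD under the RemoteAccess\Policy key that the
# comment above describes, then read it back to verify the write.
# Assumptions not stated on the page: the NPS service is named 'IAS' and must be
# restarted for the change to apply.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Restart NPS after a successful change instead of just printing a reminder.
    [switch]$RestartNps
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
$valueName = 'Enable NTLMv2 Compatibility'
$desired   = 1

# The key is created by the Routing and Remote Access / NPS components; if it is
# missing, this is probably not an NPS server, so stop rather than create it.
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath. Is this an NPS server?"
}

# Read the current value; $null means the DWORD has never been created.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    Write-Host "'$valueName' is not present under $keyPath."
} else {
    Write-Host "'$valueName' is currently $current."
}

if ($current -eq $desired) {
    Write-Host 'Nothing to do.'
    return
}

if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $desired")) {
    # -Force overwrites an existing value of a different type or data.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null

    # Verify by reading the value back rather than trusting the write succeeded.
    $after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($after -ne $desired) {
        throw "Verification failed: '$valueName' is $after, expected $desired."
    }
    Write-Host "'$valueName' set to $after."

    if ($RestartNps) {
        # Assumption: NPS runs as the 'IAS' service and picks the value up on restart.
        Restart-Service -Name IAS -Force
        Write-Host 'NPS (IAS) service restarted.'
    } else {
        Write-Host 'Restart the NPS (IAS) service for the change to take effect.'
    }
}
```

Usage: `.\Set-NpsNtlmv2Compat.ps1 -WhatIf` to preview, then `.\Set-NpsNtlmv2Compat.ps1 -RestartNps` to apply and restart NPS. The read-back check matters because a failed write (for example, a non-elevated session that can still read HKLM) would otherwise look like success.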