Forum Discussion

PeterJoInobits
Brass Contributor
Mar 18, 2022

NPS extension for Azure MFA and MFA prompts

Hi team,

My situation is as follows:

I'm setting up MFA on a Palo Alto GlobalProtect VPN device and I'm attempting to use RADIUS and the NPS extension for Azure MFA.

I appear to have got this all working 100%, except for some timing issues and the client package not being 100% correctly configured.

My customer's complaint is that they are required to enter the password and do the Azure MFA every time they connect to the VPN, and they find this inconvenient.

Is there any configuration or setup option I can do that would only require the MFA approval every 24 hours, say? I know this is a long way from best security practice, but it's a jarring experience for the customer's users because the current VPN connection method is just a credential login to the Palo Alto device.

I'm also aware that the best practice on this would actually be to configure the PA device to use SAML for authentication, but that is outside of the design presented to the customer 😞

Anyone got any ideas or suggestions? I suspect it's some in-depth RADIUS stuff, but I'm not sure...

BilalelHadd
Iron Contributor

Hi Peter,

As you already stated, and as far as I am aware, since Palo Alto isn't federating against Azure AD but against the RADIUS server, you shouldn't be able to configure conditions on sessions with, e.g., Conditional Access. Furthermore, we don't control the displayed UX with RADIUS, other than returning a RADIUS challenge-response. So I would prefer SAML and check if you can start a pilot with a subset of users.
