Azure Cloud MFA for on-premises Firewall


Hi,

I have to enable Azure cloud MFA for my on-premises firewalls (FortiGate / Palo Alto GlobalProtect).

Can I get any document or step-by-step guide for this?

1 Reply

It's not something I have done but in my previous job some colleagues integrated Azure MFA with a Cisco VPN and also an RDS Gateway using the NPS extension using RADIUS:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

"The Network Policy Server (NPS) extension for Azure MFA adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers."

It's an involved configuration but I see Palo Alto support any MFA platform that can use RADIUS, so it could be worth investigating:

https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.h...

There used to be an Azure MFA Server you could install to integrate on-premise systems but that isn't supported for new installations.