cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NPS extension for Azure MFA and MFA prompts

PeterJoInobits
Brass Contributor

‎Mar 18 2022 02:00 AM

‎Mar 18 2022 02:00 AM

NPS extension for Azure MFA and MFA prompts

HI team

 

My situation is as follows:

 

I'm setting up MFA on a Palo Alto Global Protect VPN device and I'm attempting to use RADIUS and the NPS extension for Azure MFA. 

 

I appear to have got this all working 100%, except for some timing issues and the client package not being 100% correctly configured.

 

My customer's complaint is that they are required to enter the password and do the Azure MFA every time they connect to the VPN and they find this inconvenient. 

 

Is there any configuration or setup option I can do that would only require the MFA approval every 24 hours say? I know this is a long way from best security practice but it's a jarring experience for the customer's users because the current VPN connection method is just a credential login to the Palo Alto device.

 

I'm also aware that the best practice on this would actually be to configure the PA device to use SAML for authentication but that is outside of the design presented to the customer :( 

 

Anyone got any ideas or suggestions. I suspect it's some in depth radius stuff but I'm not sure... 

 

 

Labels:
2,045 Views
0 Likes
3 Replies
Reply
3 Replies
BilalelHadd

‎Mar 28 2022 01:04 AM

‎Mar 28 2022 01:04 AM

Re: NPS extension for Azure MFA and MFA prompts

Hi Peter,

As you already stated and as far as I am aware, since Palo Alto isn't federating against Azure AD but against the RADIUS server, you shouldn't be able to configure conditions on sessions with, e.g., Conditional Access. Furthermore, we don't control the displayed UX with RADIUS, other than returning a RADIUS challenge-response. So I would prefer SAML and check if you can start a pilot with a subset of users.
0 Likes
Reply
joeyvldn

‎Mar 29 2022 01:32 PM

‎Mar 29 2022 01:32 PM

Re: NPS extension for Azure MFA and MFA prompts

Agree. Try to convince the customer to switch to SAML unless of the design.

We implemented Palo Alto VPN into Azure AD as an Enterprise App many times. This is the preferred method to my opinion.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-t...
0 Likes
Reply
PeterJ_Inobits

‎Mar 29 2022 09:02 PM

‎Mar 29 2022 09:02 PM

Re: NPS extension for Azure MFA and MFA prompts

Fully agree with everyone in the thread. However the RADIUS solution is in the design and I’m not in a position to fight that one at the moment…

0 Likes
Reply