NPS extension for Azure MFA and MFA prompts


Hi team,


My situation is as follows:


I'm setting up MFA on a Palo Alto Global Protect VPN device and I'm attempting to use RADIUS and the NPS extension for Azure MFA. 


I appear to have got this all working 100%, except for some timing issues and the client package not being 100% correctly configured.


My customer's complaint is that they are required to enter the password and do the Azure MFA every time they connect to the VPN and they find this inconvenient. 


Is there any configuration or setup option I can do that would only require the MFA approval every 24 hours say? I know this is a long way from best security practice but it's a jarring experience for the customer's users because the current VPN connection method is just a credential login to the Palo Alto device.


I'm also aware that the best practice on this would actually be to configure the PA device to use SAML for authentication but that is outside of the design presented to the customer :( 


Anyone got any ideas or suggestions? I suspect it's some in-depth RADIUS stuff but I'm not sure... 



3 Replies

Hi Peter,

As you already stated and as far as I am aware, since Palo Alto isn't federating against Azure AD but against the RADIUS server, you shouldn't be able to configure conditions on sessions with, e.g., Conditional Access. Furthermore, we don't control the displayed UX with RADIUS, other than returning a RADIUS challenge-response. So I would prefer SAML and check if you can start a pilot with a subset of users.

Agree. Try to convince the customer to switch to SAML despite the design.

We implemented Palo Alto VPN into Azure AD as an Enterprise App many times. This is the preferred method in my opinion.

Fully agree with everyone in the thread. However, the RADIUS solution is in the design and I’m not in a position to fight that one at the moment…