I recently completed on a project where I was tasked to implement Azure Multi-Factor Authentication (MFA) with the RADIUS authentication of a password vault. We all know that an organisation’s password vault is one of their most critical assets, containing all the admin credentials to their environment. Azure MFA needs to be already enabled to users in your organisation to be able to use RADIUS authentication for MFA.
NPS Extension for Azure MFA
I would suggest building a new RADIUS (NPS) server to manage your Azure MFA extension. From experience, I have seen the extension affecting existing RADIUS policies, preventing users from accessing their networks. The advantage of using a new NPS server for your Azure MFA extension is that you can use the server to configure and manage all your existing RADIUS clients, and well as future RADIUS clients for MFA.
Configuring the NPS server is simple with the following steps:
Enable role NPS role on your server;
Download and install the Visual C++ Redistributable Packages for Visual Studio 2013 (X64);
Download and install the Microsoft Azure Active Directory Module for Windows PowerShell version 184.108.40.206;
Download and install the NPS Extension for Azure MFA
The installer will create a PowerShell that performs the following actions when it is run:
Create a self-signed certificate;
Associate the public key of the certificate to the service principal on Azure AD;
Store the cert in the local machine cert store;
Grant access to the certificate’s private key to Network User;
Restart the NPS.
Run the PowerShell script to complete the installation:
Open Windows PowerShell as an administrator;
cd “C:\Program Files\Microsoft\AzureMfa\Config”
Run the PowerShell script created by the installer:
You will be prompted to sign in to Azure AD as Global Administrator;
You are then prompted for your organisation’s Azure Tenant ID;
PowerShell will show a success message when the script finishes.
Open the Network Policy Server Role to complete the RADIUS configuration:
Configure a RADIUS client, with the target server. In my case, it was our Password Vault server.
Create two Connection Request Policy:
MFA Server No Forward with the Client IPv4 Address of the target server;
MFA Server Request Forward with the NAS Identifier as MFA.
Create one Network Policy:
MFA with Windows Groups assigned to your users you would like to apply MFA.
Configuration of the Password Vault
You should now be able to configure your Password Vault. As an administrator, identify the authentication configuration page. Configure your Password Vault for RADIUS Authentication, with the RADIUS server IP being the NPS Server previously configured. You should now be set to use MFA when authenticating to your RADIUS client.
It may happen that you run into authentication issues following the MFA configuration. Event Viewer on the NPS server will provide excellent information for troubleshooting. Common issues you may run into are:
No connection between the NPS Server and RADIUS Client;
Incorrect MFA configuration on the NPS Server or RADIUS client;
User has not activated Azure MFA;
Encryption protocol configured on the NPS server is not supported by the Azure MFA verification methods used by the users.