Shagma
New Member
April 17, 2020
Question

NPS with Azure MFA - Unable to sign in with code, only push works


I know this is not a Fortigate issue, but I'm posting here in hopes that someone has experienced the same problem.


I already made a post about this on the Technet forum over here: 

https://social.technet.microsoft.com/Forums/Windowsserver/en-US/ad4a9f6e-4d59-47b7-9725-19663833e4b1/nps-with-azure-mfa-unable-to-sign-in-with-code-only-push-works?forum=winserverNAP


Since it's not possible to describe my issue with multiple screenshots here, I'm just going to refer you to my Technet post.

Can anyone tell me why this is happening? Why would the NPS not send the group attribute (and apparently other attributes as well) when using code from authenticator?


    suthomas1
    New Member
    April 18, 2020

    Looking at your other post, does your setup have any full RADIUS appliance involved, or is it only NPS?

    Are you getting the code input notification? It may well be worth trying to disable/enable the policy after changing the method from push to code in MFA before getting the user to test again.


    [One of the client implementations had issues with NPS limitations being detected in how attributes could be/were used for connection checks. Personally, I do not consider NPS a proper RADIUS server, just a low-cost add-on to the usual MS package. After the issues/limitations with NPS, the client finally agreed to use a proper RADIUS appliance, which is now helping a lot. Troubleshooting with NPS was a nightmare.]


    I am not contributing much to your issue, but just thought of sharing my experience.

    Shagma (Author)
    New Member
    April 19, 2020

    Hi, it's only NPS I'm afraid. It works fine with code and app notification. The problem I have is when the user in Office/Azure is configured for code from app or SMS. Then the group attribute is not sent to the Fortigate and the authentication fails as the Fortigate doesn't know which group the user belongs to.


    This may, as you say, be caused by RADIUS being poorly implemented. It could also be that the problem is how the Azure MFA plugin handles groups when using code authentication. 

    emnoc
    New Member
    April 20, 2020

    NPS can be challenging, but have you looked at the logs and run "diag test authserver radius" from the CLI?


    Ken Felix
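The attribute the thread is about is the Fortinet-Group-Name vendor-specific attribute (vendor ID 12356, vendor type 1, a string), which NPS must add to the Access-Accept under the network policy's Vendor Specific settings; a FortiGate user group that requires a group name will reject a RADIUS user whose Access-Accept does not carry a matching value. The script below is an added example, not code from the thread or from Fortinet or Microsoft: it builds the Access-Request a RADIUS client sends, constructs two Access-Accept replies in place of NPS (one with the VSA, one without, mirroring the push and code cases described above), verifies the Response Authenticator against the shared secret, and extracts every Fortinet-Group-Name value. The shared secret, user name, password and group name are constructed for the demo; point parse_response at a reply captured with a packet sniffer (together with the request authenticator from the matching request) to check what NPS actually returned in each MFA mode.

```python
import hashlib
import hmac
import os
import struct

# Constants from RFC 2865 and Fortinet's RADIUS dictionary.
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name, string VSA


def _attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _fortinet_group_vsa(group):
    """Encode Fortinet-Group-Name in the RFC 2865 vendor-specific layout."""
    g = group.encode()
    inner = struct.pack("!BB", FORTINET_GROUP_NAME, len(g) + 2) + g
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def _hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password obfuscation (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident, user, password, secret, authenticator=None):
    """Build the Access-Request a client such as a FortiGate sends. Returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user.encode())
    attrs += _attr(ATTR_USER_PASSWORD, _hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs):
    """Constructed server reply (stands in for NPS) with a valid Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then collect every Fortinet-Group-Name value."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    groups, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        sub, spos = value[4:], 0
        while spos + 2 <= len(sub):          # one VSA may carry several sub-attributes
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vendor == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME:
                groups.append(sub[spos + 2:spos + vlen].decode())
            spos += vlen
    return {"code": code, "id": ident, "groups": groups}


def demo():
    """Two constructed Access-Accepts: one carrying the group VSA, one without it."""
    secret = b"constructed-shared-secret"                      # constructed
    req, req_auth = build_access_request(7, "alice", "Passw0rd!123456", secret)  # constructed user
    with_group = build_response(CODE_ACCESS_ACCEPT, 7, req_auth, secret,
                                _fortinet_group_vsa("SSLVPN-Users"))            # constructed group
    without_group = build_response(CODE_ACCESS_ACCEPT, 7, req_auth, secret, b"")
    return (parse_response(with_group, req_auth, secret),
            parse_response(without_group, req_auth, secret))


if __name__ == "__main__":
    ok, missing = demo()
    print("reply with Fortinet-Group-Name   :", ok)
    print("reply without Fortinet-Group-Name:", missing)
```

Both replies are Access-Accept, so a plain "did authentication succeed" check passes in both cases; only the second has an empty groups list, which is exactly the situation the FortiGate treats as a failed group match. The authenticator check matters when working from captures: a reply that fails it was not produced with the secret you think is configured, so its attributes tell you nothing about the NPS policy.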