| Description | This article describes a limitation of certain MFA methods for Azure AD and the NPS Extension. While authentication and delivery of MFA codes work with the Azure NPS Extension, RADIUS attributes configured in NPS policies will not be forwarded to the RADIUS client if the following MFA methods are used: |
| Scope | SSL-VPN and Azure NPS Extension for MFA. |
| Solution |
It is possible to match specific groups created on the FortiGate based on RADIUS attributes configured in NPS policies.
As Azure AD integration with NPS servers and MFA becomes more common, the Microsoft NPS Extension for Azure MFA is typically used. This works well, but there is one caveat that depends on how the MFA code is delivered.
If the user must manually enter a token from SMS, the mobile app or a hardware token, the RADIUS attributes configured in the NPS policy are not forwarded, so group matching will behave unexpectedly.
This is a limitation of the Microsoft NPS Extension, and Microsoft has updated its documentation accordingly. See: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
A possible workaround, where push notifications are not possible but group matching is still needed, is to use the NAS IP to differentiate the groups: each group is mapped to its own RADIUS server object created on the FortiGate, and each of those objects sends a different NAS IP.
See the below high level steps:
With that set, even though the VSAs (Vendor Specific Attributes) from the NPS policies are not forwarded, the match is made by the conditions configured on the Connection Request and Network Policies. |
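As an added example of the NAS-IP workaround (not the article's own steps; the NPS server address, NAS IPs, object names, portal names and the shared secret are assumed values), the FortiGate side could look like this, with the matching NPS conditions noted in comments:

```fortios
# Added example (not from the KB article): two RADIUS server objects pointing at the
# same NPS server, differing only in the NAS-IP-Address they send, so NPS can tell
# the requests apart without relying on VSAs. Names, IPs and the secret are assumed.
config user radius
    edit "NPS-VPN-Admins"
        set server "10.0.0.10"                # assumed NPS server running the Azure MFA extension
        set secret "REPLACE-WITH-SHARED-SECRET"
        set nas-ip 10.0.0.101                 # NAS-IP-Address attribute seen by NPS (assumed FortiGate address)
    next
    edit "NPS-VPN-Users"
        set server "10.0.0.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
        set nas-ip 10.0.0.102                 # a different NAS-IP for the second group
    next
end

# One FortiGate user group per RADIUS server object; no VSA group-match is configured,
# so the group is decided purely by which server object accepts the user.
config user group
    edit "VPN-Admins"
        set member "NPS-VPN-Admins"
    next
    edit "VPN-Users"
        set member "NPS-VPN-Users"
    next
end

# Each group lands on its own SSL-VPN portal (assumed portal names).
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-Admins"
            set portal "full-access"
        next
        edit 2
            set groups "VPN-Users"
            set portal "web-access"
        next
    end
end

# NPS side (configured in the NPS console, not on the FortiGate), assumed policy layout:
#   Network Policy "FGT-VPN-Admins": conditions NAS IPv4 Address = 10.0.0.101
#                                   AND Windows Groups = <admin AD group>; access granted
#   Network Policy "FGT-VPN-Users":  conditions NAS IPv4 Address = 10.0.0.102
#                                   AND Windows Groups = <user AD group>;  access granted
# A user who is only in the user AD group is rejected on the 10.0.0.101 request and
# accepted on the 10.0.0.102 request, so the FortiGate places them in "VPN-Users".
```

The NPS RADIUS client entry still uses the FortiGate's real source address; only the NAS-IP-Address attribute differs between the two server objects, which is what the NAS IPv4 Address condition evaluates.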
Copyright 2025 Fortinet, Inc. All Rights Reserved.