Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
I would check your RADIUS timeout. The RADIUS session times out waiting for the MFA and it retries, resulting in multiple confirmations.

Sent from my iPhone

> On Aug 26, 2021, at 11:50 AM, Heavrin, Lynn wrote:
>
> AnyConnect has a SAML built-in browser (which doesn’t seem to share SSO sessions, unfortunately) and I believe you can also have it open up your preferred browser, at least on Windows anyway. I have it running in my lab right now and it seems to work fine, though it’s been finicky at best until recently. Here’s a screenshot of what it looks like on macOS. It pops up automatically, then connects like normal after creds are confirmed.
>
> I’ll tell you it’s a much better experience for your users if they’re used to logging in via SAML to other university resources, because it’s familiar and not the ugly AnyConnect login client page.
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Matthew Craig
> Date: Thursday, August 26, 2021 at 12:35 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
>
> Isn’t SAML entirely a web-based thing? Sure, you can tie it into the actual website URL of your ASA, but what about logging in directly from the AnyConnect client itself? This is not referenced in any documents I’ve seen so far. Is this possible?
>
> Website login for AnyConnect would be unfriendly to many users who are already hostile to having to use VPN in the first place.
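The reply above describes a timing problem: the NAS gives up on an unanswered Access-Request and retransmits it, and each retransmit triggers another MFA push. The Python below is an added illustration of that behaviour (example code, not from the thread, Microsoft or Cisco). It models a NAS that retransmits an unchanged Access-Request (same Identifier and Request Authenticator, which is what RFC 2865/5080 expect for a pure retransmit) and a RADIUS server whose Access-Accept depends on a slow out-of-band MFA push. The 12-second MFA latency, the NAS address 10.0.0.1 and the request itself are constructed values. The server's duplicate detection keys on source, Identifier and Request Authenticator, as RFC 5080 section 2.2.2 recommends; that is the same idea as the workaround Microsoft documents for its NPS extension, implemented here only as a model.

```python
"""Model of RADIUS retransmission against a slow MFA push (added example)."""
import struct
from dataclasses import dataclass, field

# RADIUS header (RFC 2865 section 3): Code, Identifier, Length, Authenticator.
RADIUS_HDR = struct.Struct("!BBH16s")
ACCESS_REQUEST = 1


def build_access_request(identifier: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    """Build an Access-Request; attrs is already-encoded attribute TLV bytes."""
    if len(authenticator) != 16 or not 0 <= identifier <= 255:
        raise ValueError("authenticator must be 16 bytes, identifier 0..255")
    length = RADIUS_HDR.size + len(attrs)
    return RADIUS_HDR.pack(ACCESS_REQUEST, identifier, length, authenticator) + attrs


def parse_header(pkt: bytes):
    """Return (code, identifier, length, authenticator); reject lengths RFC 2865 says to discard."""
    if len(pkt) < RADIUS_HDR.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = RADIUS_HDR.unpack_from(pkt)
    if length < RADIUS_HDR.size or length > len(pkt):
        raise ValueError("invalid Length field")
    return code, ident, length, auth


@dataclass
class MfaRadiusServer:
    """RADIUS server that can only answer after an out-of-band MFA push is approved."""
    mfa_latency: float                 # seconds from push to user approval (constructed value)
    dedup: bool = True                 # RFC 5080 2.2.2 duplicate detection on/off
    pushes_sent: int = 0               # one push == one Authenticator prompt for the user
    _in_flight: dict = field(default_factory=dict)   # (src, identifier, authenticator) -> ready time
    _queue: list = field(default_factory=list)       # ready times of Access-Accepts not yet sent

    def handle(self, src: str, pkt: bytes, now: float) -> str:
        code, ident, _, auth = parse_header(pkt)
        if code != ACCESS_REQUEST:
            return "ignored"
        key = (src, ident, auth)
        if self.dedup and key in self._in_flight:
            return "duplicate-suppressed"      # retransmit of a request still waiting on MFA
        self.pushes_sent += 1                  # every request accepted for processing costs a prompt
        ready = now + self.mfa_latency
        self._in_flight.setdefault(key, ready)
        self._queue.append(ready)
        return "push-started"

    def replies_ready(self, now: float) -> list:
        """Release Access-Accepts whose MFA push has completed by `now` (earliest first)."""
        ready = sorted(r for r in self._queue if r <= now)
        self._queue = [r for r in self._queue if r > now]
        self._in_flight = {k: v for k, v in self._in_flight.items() if v > now}
        return ready


def simulate(nas_timeout: float, nas_retries: int, mfa_latency: float, dedup: bool) -> dict:
    """One VPN login. The NAS resends the unchanged Access-Request every nas_timeout
    seconds, up to nas_retries times, and gives up (nas_retries + 1) * nas_timeout after
    the first send. Returns the number of MFA prompts and whether the login succeeded."""
    server = MfaRadiusServer(mfa_latency=mfa_latency, dedup=dedup)
    pkt = build_access_request(identifier=7, authenticator=bytes(range(16)))  # constructed request
    accepted_at = None
    for attempt in range(nas_retries + 1):
        now = attempt * nas_timeout
        ready = server.replies_ready(now)
        if ready:                              # an Access-Accept arrived before this retransmit
            accepted_at = ready[0]
            break
        server.handle("10.0.0.1", pkt, now)    # constructed NAS address
    if accepted_at is None:                    # NAS listens until its final timeout expires
        ready = server.replies_ready((nas_retries + 1) * nas_timeout)
        accepted_at = ready[0] if ready else None
    return {"pushes": server.pushes_sent, "accepted": accepted_at is not None,
            "accepted_at": accepted_at}


if __name__ == "__main__":
    # (nas_timeout, nas_retries, mfa_latency, dedup)
    for args in ((5, 3, 12, False), (5, 3, 12, True), (60, 1, 12, False), (5, 0, 12, True)):
        print(args, simulate(*args))
```

With a 5-second timeout and three retries against a 12-second approval, the user sees three prompts even though the first approval is what eventually succeeds, which is the symptom reported in the thread. Either raising the NAS timeout above the MFA latency (60 seconds here) or suppressing duplicates on the server side brings it down to one prompt; a timeout too short with no retries gives one prompt and a failed login, since the Access-Accept arrives after the NAS has given up. In the thread's topology there are two RADIUS hops (VPN head-end to ISE, ISE to NPS), each with its own timeout and retry count, and the hop with the shorter timeout is the one that multiplies prompts.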
Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
I'd recommend you use SAML with your VPN solution directly to AAD and not go through ISE.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of James Andrewartha
Sent: Thursday, August 26, 2021 10:50
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

Microsoft note this behaviour and have some sort of workaround in their NPS MFA extension:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole; use MFA to provision a client cert and do EAP-TLS instead.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Manon Lessard
Reply to: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, 26 August 2021 at 10:20 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
Isn’t SAML entirely a web-based thing? Sure, you can tie it into the actual website URL of your ASA, but what about logging in directly from the AnyConnect client itself? This is not referenced in any documents I’ve seen so far. Is this possible?

Website login for AnyConnect would be unfriendly to many users who are already hostile to having to use VPN in the first place.

My research on the topic is that many people are going to ISE 3.0 and using PAP to go to Azure AD for RA AnyConnect. Additionally, Azure AD doesn’t seem to support PEAP-MSCHAPv2 right now, which does directly concern wireless. (And yes, I know EAP-TLS is the way that it “should” be done, but the “should” doesn’t materialize into reality for many people. Many simply are not in a position to roll out EAP-TLS.)

Azure AD seems to be designed with cloud web apps in mind only, and this apparently is creating a lot of gaps on the networking end, and Microsoft is not in the networking business to care.

Please correct me on any point; I do have a lot of knowledge gaps on this subject.

- Matt

On Aug 26, 2021, at 9:14 AM, Jeffrey D. Sessler wrote:

I 2nd Tim’s suggestion. If the VPN is Cisco-based, they support using SAML against Azure AD including MFA.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Jeff
Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
You can separate the authentication and the authorization if you want to use ISE for controlling authorization. If your VPN solution is Cisco, the ASA can talk directly to Azure via SAML and then send authorization requests separately to ISE. For Duo, you can set up a Duo Proxy via ISE and the ASA would only talk to ISE, but I’m not sure Azure has that. I like having ISE in the mix on our AnyConnect VPN for auditing and pulling authentication reports, especially if you have multiple VPN profiles.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
314.935.3877 | lheav...@wustl.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jeffrey D. Sessler
Date: Thursday, August 26, 2021 at 10:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

I 2nd Tim’s suggestion. If the VPN is Cisco-based, they support using SAML against Azure AD including MFA.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Jeff
Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
I 2nd Tim’s suggestion. If the VPN is Cisco-based, they support using SAML against Azure AD including MFA.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Manon Lessard
Date: Thursday, August 26, 2021 at 7:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

We are talking VPN here and for the entire campus…

Manon Lessard
Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
We are talking VPN here and for the entire campus…

Manon Lessard
Programming and Analysis Officer (Chargée de programmation et d’analyse)
CCNP, CWNE #275, AWA 10, ESCE Design
Information Technology Department (Direction des technologies de l'information)
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec) G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality: http://www.rec.ulaval.ca/lce/securite/confidentialite.htm

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of James Andrewartha
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, August 26, 2021 at 10:50 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

Microsoft note this behaviour and have some sort of workaround in their NPS MFA extension:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole; use MFA to provision a client cert and do EAP-TLS instead.
Re: [WIRELESS-LAN] ISE-NPS-Azure MFA
Microsoft note this behaviour and have some sort of workaround in their NPS MFA extension:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole; use MFA to provision a client cert and do EAP-TLS instead.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Manon Lessard
Reply to: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, 26 August 2021 at 10:20 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA

A question not directly related to Wi-Fi, but related to ISE, which seems to be something some of you use. We are currently authenticating a VPN test group via ISE through NPS servers (defined as a token server). The goal is to do MFA with Azure through the Authenticator app on people’s phones. Everything works, but Authenticator pops up for confirmation, sometimes 2 to 3 times, even if one has accepted the first confirmation… I would like to have feedback from people who used something like that and have solved the multiple Authenticator prompts.

Thank you

Manon Lessard
Université Laval