
Raghbir_Sandhu
Apr 16, 2021

Radius Authentication with Microsoft NPS and Azure MFA not working

We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending a RADIUS authentication request to the Microsoft NPS server. However, the NPS server returns an error. It looks like the NPS server with the Azure MFA extension is expecting a UPN value (john.smith@mydomain.com), but the RADIUS attribute User-Name is sending the sAMAccount (or session.logon.last.username). Microsoft Azure AD MFA is expecting the UPN. I don't want to use the SAML based configuration.

Q: How do we extract / search for the UPN value and assign it to the RADIUS attribute User-Name? I believe the UPN value can be extracted with an LDAP query, but how do we send the UPN value in the RADIUS authentication request? Any suggestions or advice?

NPS server error:

Log Name:      AuthZOptCh
Source:        Microsoft-AzureMfa-AuthZ
Date:          4/15/2021 5:06:35 PM
Event ID:      1
Task Category: None
Level:         Information
Keywords:
User:          NETWORK SERVICE
Computer:      123server.mydomain.com
Description:
NPS Extension for Azure MFA: CID: f6d91669-8579-4da0-8968-dfa4ea5ef928 : Request Discard for user Smith, John with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format.,,,23090ad2-da92-4800-ae4c-8b59182f5fb7

F5 RADIUS tcpdump shows the following RADIUS authentication request with the sAMAccount (or session.logon.last.username) in the User-Name attribute:

RADIUS Protocol
  Code: Access-Request (1)
  Packet identifier: 0xab (171)
  Length: 74
  Authenticator: abd00d0218bc6541842a401dcfb64d52
  Attribute Value Pairs
    AVP: l=10 t=User-Name(1): johnsmith01
      User-Name: johnsmith01
    AVP: l=18 t=User-Password(2): Decrypted: Ajitkaur02@
      User-Password: xxxxxxxxx
    AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
      Service-Type: Authenticate-Only (8)
    AVP: l=14 t=Tunnel-Client-Endpoint(66): 65.60.150.62
      Tunnel-Client-Endpoint: 65.60.150.62
    AVP: l=6 t=NAS-Port(5): 0
      NAS-Port: 0

  • Which version are you on? I can see this feature from 13.x onwards.

    By default APM uses the session.logon.last.username variable for the username. See if you can set a custom APM variable for it and change it to the UPN variable you get after the LDAP query.
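As an added example that is not from this thread or from F5/Microsoft, the Python below encodes an Access-Request with the same leading attributes as the capture above, parses it back, and applies the check implied by the NPS extension's error: the User-Name attribute must carry a UPN, not the sAMAccountName. The shared secret, the usernames and the UPN regex are constructed assumptions; the attribute numbers and the User-Password hiding scheme come from RFC 2865.

```python
import hashlib
import re
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 1, 2, 6  # RFC 2865 numbers seen in the capture
AUTHENTICATE_ONLY = 8
# Assumed UPN shape (local@domain.tld); Azure AD applies stricter rules than this.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block).
    Obfuscation, not encryption: anyone holding the shared secret can reverse it."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what produced the 'Decrypted' value in the capture)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the NUL padding

def build_access_request(identifier, username, password, secret, authenticator):
    """Encode an Access-Request with the capture's first three AVPs; authenticator is 16 random bytes."""
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
             (SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for the AVPs after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed AVP")
        t, length = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs

def user_name_is_upn(packet: bytes) -> bool:
    """The format check implied by 'UserPrincipalName must be in a valid format'."""
    return bool(UPN_RE.match(parse_attributes(packet).get(USER_NAME, b"").decode(errors="replace")))
```

Running the sAMAccountName packet through user_name_is_upn fails exactly as NPS did, while the UPN variant passes; the reveal_password round trip is why a capture plus the shared secret exposes the password, so keep RADIUS on an isolated network or inside an IPsec/RadSec tunnel.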