Integrate Azure MFA (Multi-Factor Authentication) Server with Windows VPN
Azure MFA is one of the many great features available in Azure AD (you need Azure AD Premium if you want to deploy it for anyone other than Azure or Office 365 admins). If you haven't heard about Azure MFA, go here. Recently I was working with a client who was using the Windows Server based VPN (RRAS) and needed to integrate Azure MFA with it. Although Microsoft doesn't have supporting documentation for every VPN solution, MFA will work with any VPN device that supports RADIUS authentication, because the VPN server can then forward the authentication request to the on-premises Azure MFA Server when a user tries to log in. Azure MFA works well in VPN deployments since it adds a second factor to every VPN login.
Below are the steps required to make a Windows based VPN work with Azure MFA, along with the lessons learned.
1. Log in to the classic Azure AD portal. Azure AD in the new ARM portal is still in preview, so I will be using the old portal for this. Go to https://manage.windowsazure.com to log in to the classic portal. Scroll to the bottom and choose the Active Directory option. On that page, click on Multi-Factor Auth Providers. Azure MFA for Azure AD admins and Office 365 admins doesn't need an MFA authentication provider, but if we are implementing MFA for other users, we need to create a new MFA authentication provider.
2. Create a new MFA authentication provider by clicking on the arrow. This opens the wizard that adds the provider to the Azure subscription and links it to the existing Azure AD directory. You can only choose one usage model (per enabled user or per authentication), and the choice cannot be changed after the provider is created, so pick the one that matches how you expect the licences to be consumed. Below I have used the per enabled user model, then clicked Create.
Once done, you will have a new MFA auth provider linked to your Azure AD. To manage Azure MFA, click on the Manage button in the bottom bar. This link opens the phonefactor.net management portal, from where you can manage your MFA settings.
3. On the phonefactor.net website, go to the Downloads section and click the Download button on the Download server page. Also click Generate activation credentials for the server, since they will be needed during the deployment of the MFA Server on premises. The cool part is that you have a lot of Windows versions to choose from for where you want to deploy the server. When you click on the activation credentials, they come in the form of an email address and a password. The email address is generated automatically by Azure MFA and is needed during the deployment. Keep in mind that these credentials expire in 10 minutes; a new password can be generated by clicking on the link again if needed.
4. When you run the setup, you will need the Visual C++ "14" (Visual C++ 2015) runtime libraries for both the x64 and x86 platforms.
5. After installing the prerequisites, specify the path where you want to install the MFA Server. Once you hit Next, the install starts and completes by itself. After you click Finish, the MFA agent runs to start the configuration of the MFA Server.
6. Click Next and then click Skip the Authentication Configuration Wizard. We will do that configuration manually.
7. Provide the activation credentials generated earlier to authenticate the server with Azure MFA. If your credentials have expired by now, you will need to regenerate them.
8. Once authenticated, the MFA Server console opens. You can check the status of the MFA Server from the Status page; it needs to show as online, as shown below. The next step is to import the users we want to enable MFA for: click on Users and import the users from AD.
9. Click on the RADIUS Authentication button and check Enable RADIUS authentication. Add a RADIUS client in the Clients tab. This client is the VPN server that will forward authentication requests to the MFA Server. You also need to provide a shared secret for that client, which must be entered identically on both the MFA Server and the VPN server; treat it like a password (long and random), because anyone who knows it and can reach the RADIUS port can submit authentication requests. You can also check the option that requires the VPN user to match a user in the MFA Server (Require Multi-Factor Authentication user match), so that a user who is not found in the MFA Server is rejected rather than let through with only a password.
10. Out of the box, users are disabled when they are imported into the MFA Server, and disabled users can authenticate without the second factor; this fail-open behaviour can be changed in the Advanced tab. We enable the users in MFA by going to the user's properties and checking the Enabled option, which forces the user to complete MFA in order to authenticate. We also need to select the method the user is authenticated with; by default the phone call method is selected. Once done, click Apply to save the settings. Phone call and text message authentication work without any further configuration; if you want the mobile app method, you need to set up the MFA user portal and publish it online. Each user can have different settings, and users can manage their own settings if you allow it.
11. By now the MFA Server configuration is complete. The MFA Server needs to talk to the phonefactor.net service, so outbound TCP port 443 to the internet must be open for this server. For the Windows VPN server we have two options:
11.1. Using the default RRAS security properties: in this scenario you do not have an NPS server installed with the VPN setup. Go to the properties of the RRAS server and click on the Security tab. There, change the Authentication provider from "Windows Authentication" to "RADIUS Authentication" and click Configure. In the configuration dialog, enter the MFA Server IP address, the shared secret entered earlier (in the MFA Server's client settings), and change the timeout from 5 seconds to at least 60 seconds. This keeps the RRAS server from timing out the RADIUS request before the user has answered the phone call or text.
11.2. For servers with NPS configured, open the Network Policy Server console and add the MFA Server to a Remote RADIUS Server Group.
Also change the Connection Request Policy to forward authentication requests to the RADIUS server group mentioned above, and raise the group's timeout the same way, for the same reason.
That's it from the Windows VPN server perspective; the Windows VPN server is now configured to use Azure MFA.
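The server-side configuration from option 11.1, done from PowerShell instead of the RRAS console, as an added example that is not part of the original post. It assumes Windows Server 2012 R2 or later with the Remote Access role and the RemoteAccess PowerShell module; the IP address 10.0.0.25 is a placeholder for your MFA Server, and the shared secret is the one typed into the MFA Server's RADIUS Clients tab. The script registers the MFA Server as the RADIUS authentication server with a 60-second timeout and then reads the configuration back to confirm the timeout actually took.

```powershell
# Added example, not from the original post: point an RRAS VPN server at the
# on-premises Azure MFA Server for RADIUS authentication with a 60-second
# timeout, then verify (option 11.1, no NPS). Assumes Windows Server 2012 R2+
# with the RemoteAccess module. $MfaServer is a placeholder address.

param(
    [string]$MfaServer      = '10.0.0.25',  # assumed IP of the MFA Server
    [int]   $TimeoutSeconds = 60            # RRAS default is 5; too short for a phone call
)

# Ask for the secret at run time rather than hard-coding it in a script that
# will end up in source control or on a file share.
$secret = Read-Host -Prompt 'RADIUS shared secret (same as on the MFA Server)'

# Register the MFA Server as the RADIUS authentication server for RRAS.
# -Purpose Authentication switches the server from Windows Authentication to
# RADIUS Authentication; -Timeout is how long RRAS waits for each request.
# 1812 is the default RADIUS authentication port on the MFA Server as well.
Add-RemoteAccessRadius -ServerName $MfaServer -SharedSecret $secret `
    -Purpose Authentication -Port 1812 -Timeout $TimeoutSeconds -ErrorAction Stop

# Legacy equivalent on a server without the RemoteAccess module:
#   netsh ras aaaa set authentication provider = radius
#   netsh ras aaaa add authserver name = 10.0.0.25 secret = <secret> timeout = 60

# Verify: the MFA Server must be listed for authentication with the longer
# timeout, otherwise the user's phone call will be cut off at 5 seconds.
$cfg = Get-RemoteAccessRadius -Purpose Authentication |
       Where-Object { $_.ServerName -eq $MfaServer }

if (-not $cfg) {
    throw "RADIUS authentication server $MfaServer is not configured"
}
if ($cfg.Timeout -lt $TimeoutSeconds) {
    throw "Timeout for $MfaServer is $($cfg.Timeout)s, expected at least ${TimeoutSeconds}s"
}

$cfg | Format-List ServerName, Purpose, Port, Timeout
```

RADIUS runs over UDP, so a TCP port probe (Test-NetConnection -Port) tells you nothing here; if users never receive the call, check the firewall rule for UDP 1812 between the VPN server and the MFA Server and the MFA Server's RADIUS log. Keep the shared secret out of scripts and tickets: it is all that stands between an attacker who can reach UDP 1812 and the ability to submit authentication requests as your VPN server.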
NOTE: One more thing I noted with this setup was that the time the VPN client waits for authentication to complete was fairly short (less than 15 seconds). This causes problems because if the user is using MFA with a phone call, text or the app, the VPN connection will time out before they can complete the MFA. The trick to solve this is a registry value on the client machine where the VPN connection is configured.
On the client machines, go to HKLM\System\CurrentControlSet\Services\RasMan\PPP\. Change the MaxConfigure registry value from 10 to 60. That gives the VPN client enough time for the user to authenticate with MFA without the VPN timing out on them.
And we are done. Now when the test user connects to the VPN, they get a phone call from Microsoft to authenticate themselves before the VPN connection completes.
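The client-side registry change above, as an added example that is not part of the original post. The function is idempotent, records the previous value, writes the value as REG_DWORD (the type the PPP parameters use) and reads it back to confirm the write; the key path and value name are the ones given in the post, and the default of 60 is the post's recommendation. Run it elevated on the client.

```powershell
# Added example, not from the original post: raise the PPP MaxConfigure value
# on a VPN client so the connection waits long enough for the user to answer
# the MFA call. Returns what was there before and whether anything changed.
# Key path and value name are the ones from the post; run as Administrator.

function Set-PppMaxConfigure {
    param(
        [int]$Value = 60   # post's recommendation; Windows default is 10
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP'
    $name = 'MaxConfigure'

    if (-not (Test-Path -Path $key)) {
        throw "$key not found; is the Remote Access Connection Manager (RasMan) present on this machine?"
    }

    # Current value, or $null when the value has never been set and the
    # built-in default of 10 is in effect.
    $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($old -eq $Value) {
        # Nothing to do; safe to run repeatedly from a logon script.
        return [pscustomobject]@{ Old = $old; New = $Value; Changed = $false }
    }

    # PPP parameters are REG_DWORD; -Type DWord creates the value if missing.
    Set-ItemProperty -Path $key -Name $name -Value $Value -Type DWord

    # Read back so a failed write (for example, not elevated) is not silent.
    $new = (Get-ItemProperty -Path $key -Name $name).$name
    if ($new -ne $Value) {
        throw "Failed to set $name; read back '$new' instead of $Value"
    }

    [pscustomobject]@{ Old = $old; New = $new; Changed = $true }
}

Set-PppMaxConfigure -Value 60
```

For more than a handful of clients, push the same DWORD with Group Policy Preferences (Computer Configuration, Preferences, Windows Settings, Registry) rather than running this by hand; the change needs to be in place before the next VPN connection attempt.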
Please leave any questions or comments below. Happy to help. 🙂