Secure Azure Gateway Radius Authentication with Azure MFA NPS Extension/MFA Server

Hello All,

Ahmad Yasin

It’s a new year and here it’s very Rainy day with fog, under these weather conditions i am happy to share below info.

Recently, Microsoft announced that Azure Gateway supported for Radius authentication and we start expecting that some customers will start looking in how to secure this connection using Azure MFA ( Since Azure MFA support to secure radius connections).

In this article, we will go through the steps in how to secure this Gateway radius authentication and how to setup it from both sides, MFA and Azure Gateway.

I am not a specialist in Azure Networking, but i followed below article to deploy the Gateway to do this lab and deliver this article to you:

https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-radius-ps#2-a-nameradiusaset-up-your-radius-server

in addition to above article, i will go quickly through the steps i did with screenshots ( as MS article used power-shell commands only):

The first step after you created the virtual Network in azure, you need to create a Gateway subnet, if you didn’t do that, just click in the Gateway subnet button and create new one by choosing the subnet address as below:

Now, Search for Virtual Network Gateway and create new one ( assuming you didn’t have a gateway, otherwise you can skip these steps). Click Create button from below page:

Choose any name for the gateway, Make sure that you selected the Gateway type to be VPN and the VPN type to be Route-Based, this is a required configuration to allow gateway to work with radius authentication as mentioned in the article i shared above, then choose the SKU type based on your requirements, Finally Click in Virtual Network and select the virtual network which we created the Gateway subnet on it in previous steps, Click Create button:


Till this steps, we have a virtual network and we configured the basic setting for Gateway.

Let’s skip now for the MFA Part, in Azure MFA we have currently two deployments model as below:

1- Full MFA on-premise deployment, in this type you will deploy the MFA with full features, i already explained how to deploy this in previous articles, see http://azuredummies.com/2016/02/06/secure-terminal-services-rdp-using-azure-multi-factor-authentication-mfa-part-2/

2- MFA NPS Extension model: in this deployment you will install the Extension only, noting that this model supporting Radius authentication only, Also i already explained about this, see http://azuredummies.com/2017/07/01/securing-rdp-connection-using-azure-mfa-for-windows-2012-r22016/

Official MS documentation for both Models deployment can be found below:

Full MFA server deployment: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server
MFA NPS Deployment: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-nps-extension ; make sure to go through the steps here to deploy the MFA NPS extension as i will assume in next part that you already did this step.

Which deployment you should choose to work with Azure Gateway Radius Authentication:

The good question here, which deployment to choose, the answer is very simple and it depends.

Basically, if you don’t have any MFA deployment i recommend you to use the MFA NPS model as it support the Radius authentication.

Now, if you have an existing MGA NPS then you can use it without the need to deploy new one, but what if you have MFA full server deployment in your environment and you need to use it ?! GOOD QUESTION … The answer is: YOU CAN USE IT, but when it come to configure the Radius client in MFA Full server deployment, you need to enter the IP of Radius client, in Azure Gateway Radius Authentication, the IP of the Radius will be the gateway subnet (not only one IP), the question here, what is the problem with that !

Assume that when you created the Gateway subnet you chose it to be 192.168.10.0./16, this means you have 2^16 IP’s, in this case and if you use MFA full deployment, then you need to enter these IP’s manually as a radius client in MFA console (Under Radius configuration) because simply till the time of this article MFA not support Subnets in Radius client configuration, only one IP per radius client.

Now, this issue not exist in MFA NPS extension, because in this model you can enter a subnet instead of single IP as radius client in one shot instead of entering all IP’s manually, this is why we recommend this model for now.

Note: if you have a gateway subnet include small number of IP’s then it should not be an issue to enter these IP’s manually even in MFA full deployment model.

MFA NPS Extension configuration:

In this article we decided to use the MFA NPS extension, i am assuming you followed the article i shared above and you have MFA extension installed with NPS role, now open the NPS console as right click on Radius Clients then click in New option as below:

Enter any friendly name for the Radius client, then it asks for the Address, here you want to enter the gateway subnet of Azure Gateway that we created at the first of this article, as you see here that we can enter the whole subnet at one shot using the prefix /24 for example (This is not availble in MFA full deployment), finally choose any secret key and remember it as we will use it later on, as below:

in the advance tab, make sure we have below configuration, finally click Ok to close this box:

Now, go to Network Policies section, the default policy will Deny access for all as you see below, double click on the first policy:

Choose Grant Access instead of Deny one, then click Ok:

Now, the MFA NPS is ready …

 

Azure Gateway Radius Configuration:

Now. it’s the time to configure the Radius in Azure gateway, again just make sure that the gateway type is VPN and the VPN type is Route-Based, then click in point to site configuration (we will discuss only point to site in this article):

In the address pool, i chose the same Gateway subnet, make sure to select the Radius authentication under authentication type, under server IP address enter the IP of the MFA NPS server, then enter the secret key that we created previously in the NPS console then click save, now from the green box you can install the VPN client:

After you installed the VPN client in your machine, open control panel -> Network Connections, double click on the VPN client as below:

 

Enter the username and the password, it will start connect and you will receive the MFA challenge:

when using MFA NPS extensions, the users should be in azure AD ( Synced or cloud only) and the user should already completed the proof up process for MFA, users can complete the proof up process using https://myapps.microsoft.com or aka.ms/MFASetup.

Prepare for users that aren’t enrolled for MFA

For testing scenarios, where you need to enable MFA with Radius authentication, maybe some of users or all of them still not enrolled in MFA service, in that case you can use below approach to apply it only for the enrolled users while allow other users to use the gateway without MFA (Remember: NO MFA = NO Security).

If you have users that aren’t enrolled for MFA, you can determine what happens when they try to authenticate. Use the registry setting REQUIRE_USER_MATCH in the registry path HKLM\Software\Microsoft\AzureMFA to control the feature behavior. This setting has a single configuration option:

Key Value Default
REQUIRE_USER_MATCH TRUE/FALSE Not set (equivalent to TRUE)

The purpose of this setting is to determine what to do when a user is not enrolled for MFA. When the key does not exist, is not set, or is set to TRUE, and the user is not enrolled, then the extension fails the MFA challenge. When the key is set to FALSE and the user is not enrolled, authentication proceeds without performing MFA. If a user is enrolled in MFA, they must authenticate with MFA even if REQUIRE_USER_MATCH is set to FALSE.

You can choose to create this key and set it to FALSE while your users are onboarding, and may not all be enrolled for Azure MFA yet. However, since setting the key permits users that aren’t enrolled for MFA to sign in, you should remove this key before going to production.

If you are using full MFA server deployment, then you need to enable Radius authentication, add all gateway subnet IP’s one by one as it will not work if you are using the prefix as below, also don’t forget to configure the target tab also

 

 

 

Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *