Radius Authentication with Microsoft NPS and Azure MFA not working
We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending the RADIUS authentication request to the Microsoft NPS server. However, the NPS server returns an error. It looks like the NPS server with the Azure MFA extension is expecting a UPN value (john.smith@mydomain.com), but the RADIUS attribute User-Name is sending the sAMAccount (or session.logon.last.username). Microsoft Azure AD MFA is expecting the UPN. I don't want to use the SAML-based configuration.
Q: How do we extract / search for the UPN value and assign it to the RADIUS attribute User-Name? I believe the UPN value can be extracted with an LDAP query, but how do we send the UPN value in the RADIUS authentication request? Any suggestions or advice?
NPS server error:
Log Name: AuthZOptCh
Source: Microsoft-AzureMfa-AuthZ
Date: 4/15/2021 5:06:35 PM
Event ID: 1
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: 123server.mydomain.com
Description:
NPS Extension for Azure MFA: CID: f6d91669-8579-4da0-8968-dfa4ea5ef928 : Request Discard for user Smith, John with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format.,,,23090ad2-da92-4800-ae4c-8b59182f5fb7
The F5 RADIUS tcpdump shows the following RADIUS authentication request with the sAMAccount (or session.logon.last.username) in the User-Name attribute:
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0xab (171)
Length: 74
Authenticator: abd00d0218bc6541842a401dcfb64d52
Attribute Value Pairs
AVP: l=10 t=User-Name(1): johnsmith01
User-Name: johnsmith01
AVP: l=18 t=User-Password(2): Decrypted: Ajitkaur02@
User-Password: xxxxxxxxx
AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
Service-Type: Authenticate-Only (8)
AVP: l=14 t=Tunnel-Client-Endpoint(66): 65.60.150.62
Tunnel-Client-Endpoint: 65.60.150.62
AVP: l=6 t=NAS-Port(5): 0
NAS-Port: 0
Which version are you on? I can see this feature from 13.x onwards.
By default, APM uses the session.logon.last.username variable for the username. See if you can set a custom APM variable for it and change it to the UPN variable you get after the LDAP query.
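One way to implement the suggestion above, as an added example that is not from this thread or from F5: an iRule Event agent placed between the LDAP Query agent and the RADIUS Auth agent in the access policy, where the LDAP Query is assumed to request userPrincipalName as a required attribute and the iRule Event agent is assumed to carry the ID set_upn.

```tcl
# Assumed policy layout: Logon Page -> LDAP Query (returns userPrincipalName)
#   -> iRule Event (ID "set_upn") -> RADIUS Auth (NPS with Azure MFA extension)
# The RADIUS Auth agent sends session.logon.last.username as User-Name, so the
# UPN is copied into that variable before the RADIUS request is built.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "set_upn" } {
        # Attribute values from the LDAP Query agent land in session.ldap.last.attr.<name>
        set upn [ACCESS::session data get "session.ldap.last.attr.userPrincipalName"]
        set sam [ACCESS::session data get "session.logon.last.username"]

        # Only replace the username when the directory actually returned a UPN
        # that has the user@domain shape NPS validates; otherwise keep the original
        # value so the failure is visible in the NPS log rather than masked here.
        if { $upn ne "" && [string first "@" $upn] > 0 } {
            ACCESS::session data set "session.logon.last.username" $upn
            log local0. "APM set_upn: replaced User-Name '$sam' with UPN '$upn'"
        } else {
            log local0. "APM set_upn: no usable userPrincipalName for '$sam', leaving User-Name unchanged"
        }
    }
}
```

If you prefer not to use an iRule, a Variable Assign agent in the same position can set session.logon.last.username with the expression `expr { [mcget {session.ldap.last.attr.userPrincipalName}] }`, but it does not give you the empty-value check shown above.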