Forum Discussion

Altocumulus

Apr 16, 2021

Radius Authentication with Microsoft NPS and Azure MFA not working

We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending Radius authentication request to Microsoft NPS server. However NPS server error. Looks like NPS server with ...

BIG-IP Access Policy Manager (APM)

LTM

security

spalande
Apr 16, 2021
which version are you on? I can see this feature from 13.x and onwards.

By default apm uses session.logon.last.username variable for username. See if you can set custom APM variable for it and change it to UPN variable you get after LDAP query.

Raghbir_Sandhu

Altocumulus

Sanjay. Thanks for the reply. How do i get username source and password source attributes in my radius AAA in VPE. how to add the two attributes.

spalande

Nacreous

Apr 16, 2021

when you select radius auth action in access policy those variables are added by default. You can read more below

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/7.html

Raghbir_Sandhu
Altocumulus
Apr 16, 2021
Sanjay, I don't see the additional two attributes. see the attached screenshot.
spalande
Nacreous
Apr 16, 2021
which version are you on? I can see this feature from 13.x and onwards.

By default apm uses session.logon.last.username variable for username. See if you can set custom APM variable for it and change it to UPN variable you get after LDAP query.
Raghbir_Sandhu
Altocumulus
Apr 16, 2021
we are using 12.1.5.3. May be that's why I don't see two additional variables. what the question remain same. The radius request attribute name is "User-Name". can i just assign UPN value to the "User-Name" attribute via variable assignment step. before the MFA step. Please advise.
spalande
Nacreous
Apr 19, 2021
LDAP query to get UPN
Set custom variable for session.logon.last.username to UPN variable
Radius auth
spalande
Nacreous
Apr 20, 2021
Have you made this working? It would be good to share your solution, it may benefit others using similar setup. Thanks!
Raghbir_Sandhu
Altocumulus
Apr 20, 2021
Yes. It is working. I ended up creating registry entry "LDAP_ALTERNATE_LOGINID_ATTRIBUTE". Some how our NPS not able to process the User-Name attribute properly passed from F5 Radius authentication request. That fixed our problem and I don't have to do the LDAP query for UPN attribute.

Thanks,
Raghbir Sandhu

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Radius Authentication with Microsoft NPS and Azure MFA not working

Recent Discussions

Management IP F5 cant be accessed

ASD

Big-IP VE edition for MacBook M4 Chip

301 redirect and waf policy log problem

Background Tasks

Related Content

Microsoft Powershell with iControl

Application Programming Interface (API) Authentication types simplified

Microsoft SharePoint and Microsoft Exchange December 2020 Security Update

Form Based Authentication with Tomcat not working on F5

Microsoft Skype for Business Server 2015

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS