Forum Discussion
View 1.5.5 iApp Access Policy with Microsoft Network Policy Server (NPS) and Azure MFA
Hello,
Has anyone set up the VMware Horizon View 1.5.5 iApp to do multi-factor authentication against Azure MFA? We are working through a POC, but have yet to find a full setup guide for this use case.
There is an on-prem Windows 2016 Server running the Network Policy and Access Services role. This provides the Network Policy Server (NPS) and RADIUS server. The BIG-IP becomes a RADIUS client of the NPS.
Then, there is a NPS Extension for Azure MFA that Microsoft publishes. This is installed on the NPS server and provides the two factor authentication against Azure MFA.
Hoping to find some guideance on this configuration- both the iApp configuration on BIG-IP and the NPS RADIUS client configuration on the NPS server.
Thanks
- Doug_Walton_354Nimbostratus
I've just done the BIG-IP (13.1)/NPS RADIUS client/Azure part but not the Horizon/iAPP part
These were the most useful resources for me;
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
- merter_319420Nimbostratus
Thanks. I'll read through those. Can you share the Connection Request Policy and the Network Policy you implemented in NPS?
- Doug_Walton_354Nimbostratus
Here is what works for me;
Network Policy
New policy = Grant Access Condition = IP of F5 (check if its your inside interface or floating IP) Access = Grant Authentication = MS-CHAPv2 Framed-Protocol = PPP Service-Type = Framed BAP Percentage of Capacity = Reduce Multilink if server reaches 50% in 2 minutes
*Most of these were default
Connection Request Policy
New policy Conditions = NAS Identifier (Name of your F5 NAS identifier that you may have set in your radius profile) Setting = Authentication Provider (Local Computer)
On the Azure side I'm just using a conditional policy that says, if user is in AD group then do MFA. I'm only using it for remote access at this point.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com