Raghbir_Sandhu
Apr 20, 2021

APM Radius based MFA with NPS and Azure AD Microsoft Authenticator App

We are using F5 APM for first-factor authentication with AD authentication and second-factor authentication with Microsoft NPS / Microsoft Authenticator app. When F5 sends the RADIUS second-factor authentication request to the NPS service for MFA with the Microsoft Authenticator app, the F5 APM-initiated RADIUS MFA request works. However, there is no indication or message shown on the F5 login page that the F5 is waiting for a response from the user with the Microsoft Authenticator app MFA access approval. It is not a good end-user experience. How can we add a message box (without an OK button) or other message telling users to take action on the MFA request in the mobile Authenticator app?

It works for SMS: it shows a message to enter the SMS response. But for the Microsoft mobile authenticator app, there is no indication to the users that F5 is waiting for the response from the user for the MFA request.

Any suggestions or recommendations?

Thanks,

Raghbir

2 Replies

  • For Microsoft, you are using push notification, and the user does not need to type anything in the login page but just has to confirm by phone with one click? You can play with the Message Box action to inform the users before the RADIUS auth that they will need to use their Microsoft MFA.

    https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-general-purpose-items/about-the-message-box-action.html

    You may also see the example below for the Duo auth and modify it for your Microsoft auth.

    https://duo.com/docs/f5bigip

    • Raghbir_Sandhu

      Nikoolayy1,

      We are not using Duo. It has Java plugin JS code to include in the APM code. We are using Microsoft MFA, which does not have any plugin code for APM. The message box will not work, because it requires a user response (bad user experience).