Radius Authentication with Microsoft NPS and Azure MFA not working

Raghbir_Sandhu
Altocumulus

We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending a Radius authentication request to the Microsoft NPS server. However, the NPS server returns an error. It looks like the NPS server with the Azure MFA extension is expecting a UPN value (john.smith@mydomain.com), but the radius attribute User-Name is sending the sAMAccount (or session.logon.last.username). Microsoft Azure AD MFA is expecting the UPN. I don't want to use the SAML based configuration.

Q: How do we extract / search for the UPN value and assign it to the radius attribute User-Name? I believe the UPN value can be extracted with an LDAP query, but how do we send the UPN value in the radius authentication request? Any suggestions or advice?

NPS server error:

Log Name:   AuthZOptCh
Source:    Microsoft-AzureMfa-AuthZ
Date:     4/15/2021 5:06:35 PM
Event ID:   1
Task Category: None
Level:     Information
Keywords:    
User:     NETWORK SERVICE
Computer:   123server.mydomain.com
Description:
NPS Extension for Azure MFA: CID: f6d91669-8579-4da0-8968-dfa4ea5ef928 : Request Discard for user Smith, John with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format.,,,23090ad2-da92-4800-ae4c-8b59182f5fb7

The F5 Radius tcpdump shows the following Radius authentication request with the sAMAccount (or session.logon.last.username) in the User-Name attribute:

RADIUS Protocol
  Code: Access-Request (1)
  Packet identifier: 0xab (171)
  Length: 74
  Authenticator: abd00d0218bc6541842a401dcfb64d52
  Attribute Value Pairs
    AVP: l=10 t=User-Name(1): johnsmith01
      User-Name: johnsmith01
    AVP: l=18 t=User-Password(2): Decrypted: Ajitkaur02@
      User-Password: xxxxxxxxx
    AVP: l=6 t=Service-Type(6): Authenticate-Only(8)
      Service-Type: Authenticate-Only (8)
    AVP: l=14 t=Tunnel-Client-Endpoint(66): 65.60.150.62
      Tunnel-Client-Endpoint: 65.60.150.62
    AVP: l=6 t=NAS-Port(5): 0
      NAS-Port: 0

SanjayP
MVP

Yes, you would need to perform an LDAP query first and get the UPN. You can then use that UPN session variable in the radius auth item in VPE.

Raghbir_Sandhu
Altocumulus

Sanjay, thanks for the reply. How do I get the username source and password source attributes in my radius AAA in VPE? How do I add the two attributes?

When you select the radius auth action in the access policy, those variables are added by default. You can read more below:

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-...

Sanjay, I don't see the additional two attributes. See the attached screenshot.

Which version are you on? I can see this feature from 13.x onwards.

By default APM uses the session.logon.last.username variable for the username. See if you can set a custom APM variable for it and change it to the UPN variable you get after the LDAP query.

We are using 12.1.5.3. Maybe that's why I don't see the two additional variables. But the question remains the same. The radius request attribute name is "User-Name". Can I just assign the UPN value to the "User-Name" attribute via a variable assignment step before the MFA step? Please advise.

  • LDAP query to get UPN
  • Set custom variable for session.logon.last.username to UPN variable
  • Radius auth
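Added example, not code from this thread, from F5 or from Microsoft: a small Python model of the three steps above, showing what the RADIUS Access-Request looks like once the value placed in session.logon.last.username is the userPrincipalName from the LDAP query instead of the sAMAccountName. It builds the packet per RFC 2865, then decodes it into the same AVP listing the tcpdump above shows, with the User-Password masked. The shared secret, the LDAP entry and the password are constructed values; the UPN and domain are the ones quoted in the question.

```python
# Added example, not code from this thread or from F5/Microsoft: models the
# RADIUS Access-Request APM sends once the User-Name attribute carries the
# UPN from the LDAP query, and decodes it the way the tcpdump listing reads.
# Wire format per RFC 2865; shared secret, LDAP entry and password are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute codes that appear in the captured request
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 5: "NAS-Port",
              6: "Service-Type", 66: "Tunnel-Client-Endpoint"}


def login_name_for_radius(ldap_entry):
    """Step 2 of the thread: take userPrincipalName (not sAMAccountName) as
    the value that ends up in session.logon.last.username."""
    upn = ldap_entry.get("userPrincipalName")
    if not upn or "@" not in upn:
        raise ValueError("LDAP entry has no usable userPrincipalName")
    return upn


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR block 1 with
    MD5(secret + Request Authenticator) and each later block with
    MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def avp(attr_type, value):
    """Type (1 byte) + length (1 byte, header included) + value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user_name, password, secret, ident,
                         nas_port=0, authenticator=None):
    """Access-Request whose User-Name(1) attribute carries user_name."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(1, user_name.encode())
             + avp(2, obfuscate_password(password.encode(), secret, authenticator))
             + avp(6, struct.pack("!I", 8))          # Service-Type: Authenticate-Only(8)
             + avp(5, struct.pack("!I", nas_port)))  # NAS-Port
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_avps(packet):
    """Return (attribute name, raw value) pairs, rejecting a packet whose
    length fields disagree rather than reading past its end."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length does not match packet size")
    pos, avps = 20, []
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        avps.append((ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type),
                     packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return avps


def describe(packet):
    """Render the packet like the tcpdump/Wireshark listing in the thread,
    with User-Password masked and other values shown as hex."""
    lines = ["Code: Access-Request (%d)" % packet[0],
             "Packet identifier: 0x%02x" % packet[1]]
    for name, value in parse_avps(packet):
        if name == "User-Password":
            shown = "xxxxxxxxx"
        elif name == "User-Name":
            shown = value.decode()
        else:
            shown = value.hex()
        lines.append("AVP: l=%d t=%s: %s" % (len(value) + 2, name, shown))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed LDAP result for the user named in the NPS log above
    entry = {"sAMAccountName": "johnsmith01",
             "userPrincipalName": "john.smith@mydomain.com"}
    pkt = build_access_request(login_name_for_radius(entry), "constructed-pw",
                               b"constructed-shared-secret", 0xab)
    print(describe(pkt))
```

Run as-is it prints a listing whose User-Name line reads john.smith@mydomain.com, which is the form the Azure MFA extension accepted in the error message; feeding it an entry without userPrincipalName raises instead of silently falling back to the sAMAccountName.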

Have you got this working? It would be good to share your solution; it may benefit others using a similar setup. Thanks!

Yes. It is working. I ended up creating the registry entry "LDAP_ALTERNATE_LOGINID_ATTRIBUTE". Somehow our NPS was not able to process the User-Name attribute passed from the F5 Radius authentication request properly. That fixed our problem and I don't have to do the LDAP query for the UPN attribute.

Thanks,

Raghbir Sandhu