Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Radius Authentication with Microsoft NPS and Azure MFA not working

Go to solution
Raghbir_Sandhu
Altocumulus
Altocumulus

‎16-Apr-2021 05:08

We have configured F5 with Microsoft NPS to leverage Microsoft Azure AD MFA. F5 is sending Radius authentication request to Microsoft NPS server. However NPS server error. Looks like NPS server with Azure MFA extension expecting UPN value (john.smith@mydomain.com) but radius attribute User-Name is sending sAMAccount (or session.logon.last.username). The Microsoft Azure AD MFA is expecting UPN. I don't want to use the SAML based configuration.

Q: How do we extract / search for UPN value and assign it to radius attribute User-Name. I believe UPN value can be extract with LDAP Query but how to send UPN value in the radius authentication request. Any suggestion advise.

 

NPS serverError:

Log Name:   AuthZOptCh

Source:    Microsoft-AzureMfa-AuthZ

Date:     4/15/2021 5:06:35 PM

Event ID:   1

Task Category: None

Level:     Information

Keywords:    

User:     NETWORK SERVICE

Computer:   123server.mydomain.com

Description:

NPS Extension for Azure MFA: CID: f6d91669-8579-4da0-8968-dfa4ea5ef928 : Request Discard for user Smith, John with Azure MFA response: InvalidParameter and message: UserPrincipalName must be in a valid format.,,,23090ad2-da92-4800-ae4c-8b59182f5fb7

 

 

F5 Radius tcpdump shows the following Radius authentication request with the sAMAccount (or session.logon.last.username) in the User-Name attribute:

RADIUS Protocol

  Code: Access-Request (1)

  Packet identifier: 0xab (171)

  Length: 74

  Authenticator: abd00d0218bc6541842a401dcfb64d52

  Attribute Value Pairs

    AVP: l=10 t=User-Name(1): johnsmith01

      User-Name: johnsmith01

    AVP: l=18 t=User-Password(2): Decrypted: Ajitkaur02@

      User-Password: xxxxxxxxx

    AVP: l=6 t=Service-Type(6): Authenticate-Only(8)

      Service-Type: Authenticate-Only (8)

    AVP: l=14 t=Tunnel-Client-Endpoint(66): 65.60.150.62

      Tunnel-Client-Endpoint: 65.60.150.62

    AVP: l=6 t=NAS-Port(5): 0

      NAS-Port: 0

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
SanjayP
MVP
MVP
In response to SanjayP

‎16-Apr-2021 08:21

which version are you on? I can see this feature from 13.x and onwards.

 

By default apm uses session.logon.last.username variable for username. See if you can set custom APM variable for it and change it to UPN variable you get after LDAP query.

View solution in original post

0 Kudos
9 REPLIES 9

Go to solution
SanjayP
MVP
MVP

‎16-Apr-2021 05:56

Yes, you would need to perform LDAP query first and get the UPN. You can then use that UPN session variable in the radius auth item in VPE.

 

 0691T00000CnKWcQAN.png 

0 Kudos

Go to solution
Raghbir_Sandhu
Altocumulus
Altocumulus

‎16-Apr-2021 07:05

Sanjay. Thanks for the reply. How do i get username source and password source attributes in my radius AAA in VPE. how to add the two attributes.

 

 

0 Kudos

Go to solution
SanjayP
MVP
MVP
In response to Raghbir_Sandhu

‎16-Apr-2021 07:21

when you select radius auth action in access policy those variables are added by default. You can read more below

 

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-...

0 Kudos

Go to solution
Raghbir_Sandhu
Altocumulus
Altocumulus
In response to SanjayP

‎16-Apr-2021 07:57

Sanjay, I don't see the additional two attributes. see the attached screenshot.

0 Kudos

Go to solution
SanjayP
MVP
MVP
In response to SanjayP

‎16-Apr-2021 08:21

which version are you on? I can see this feature from 13.x and onwards.

 

By default apm uses session.logon.last.username variable for username. See if you can set custom APM variable for it and change it to UPN variable you get after LDAP query.

0 Kudos

Go to solution
Raghbir_Sandhu
Altocumulus
Altocumulus
In response to SanjayP

‎16-Apr-2021 08:27

we are using 12.1.5.3. May be that's why I don't see two additional variables. what the question remain same. The radius request attribute name is "User-Name". can i just assign UPN value to the "User-Name" attribute via variable assignment step. before the MFA step. Please advise.

0 Kudos

Go to solution
SanjayP
MVP
MVP
In response to SanjayP

‎19-Apr-2021 00:21

  • LDAP query to get UPN
  • Set custom variable for session.logon.last.username to UPN variable
  • Radius auth

 

0 Kudos

Go to solution
SanjayP
MVP
MVP
In response to SanjayP

‎20-Apr-2021 10:46

Have you made this working? It would be good to share your solution, it may benefit others using similar setup. Thanks! ​

0 Kudos

Go to solution
Raghbir_Sandhu
Altocumulus
Altocumulus
In response to SanjayP

‎20-Apr-2021 11:55

Yes. It is working. I ended up creating registry entry "LDAP_ALTERNATE_LOGINID_ATTRIBUTE". Some how our NPS not able to process the User-Name attribute properly passed from F5 Radius authentication request. That fixed our problem and I don't have to do the LDAP query for UPN attribute.

 

Thanks,

Raghbir Sandhu

0 Kudos
Copyright © 2023 Khoros, LLC