In this article, we will be covering the implementation of the Azure Multi Factor Authentication for Cisco VPN using the Network Policy Server. We assume that the users are already synced from Active directory to the Azure Active directory and have the licenses assigned for the Multi Factor Authentication. Below are the steps we will following,

  • Create an AD group for VPN Users
  • Enable the MFA for the users in Office365/Azure Active Directory
  • Install and register the Network policy server
  • Add the RADIUS client and Policy for Cisco ASA
  • Add a new AAA group in Cisco ASA with the NPS server details
  • Install the Azure MFA extensions on the NPS server
  • Login to the Cisco AnyConnect client and check the MFA is working fine

  • Create a new AD group for VPN Users

  • Enable the MFA for the users in Office365/Azure Active Directory

Login in to Https://portal.office365.com with your office365 administrator credentials

Go to Multi Factor Authentication

Enable the MFA for the user

Make sure, users are registered in MFA using https://aka.ms/mfasetup

  • Install and register the Network policy server in windows server 2016

  • Add the RADIUS client and Policy for Cisco ASA

  • PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
  • CHAPV2 and EAP support phone call and mobile app notification.

  • Add a new AAA group in Cisco ASA with the NPS server details
    • Log in to the Cisco ASDM console for the VPN appliance

    • Navigate to Configuration|Remote Access VPN|AAA/Local users|AAA server groups

    • Click Add to create a new group

    • The Add a new AAA Server Group dialog opens

    • Leave the default settings except for the following:
      • AAA Server Group – specify a name to identify the group for the MFA server
      • Protocol – select RADIUS
      • Click OK
    • In the AAA Server Groups list, select the server group you just created

    • In the Servers in the Selected Group pane, click Add

    • The Add AAA Server dialog opens

    • Leave the default settings except for the following:
      • Interface Name – select the interface that will handle communication with the MFA Server
      • Server Name or IP Address – specify the name or the IP address of the MFA server
      • Timeout (seconds) – it is important to set a sufficient length of time for users to authenticate. 60 seconds is a common duration but may need to be adjusted. For example, large organizations may need more time to accommodate a higher volume of requests
      • Server Authentication port – enter the port number used for RAIDUD authentication with NPS
      • Server Accounting Port – enter the port number used for RAIDUD accounting with NPS
      • Server Secret Key – enter the secret key generated from the NPS Radius client configuration step
      • Click OK
    • Click APPLY to save the configuration
    • Select a test option:

Please refer the below configuration document

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn

Once the configuration has been done, user can test to login to the Cisco AnyConnect client and make sure the primary authentication is successful against the Active directory and the user is able to connect to the VPN.

Once you hit enter, it will prompt for login, please enter the Office365 administrator credentails.

  • Login to the Cisco AnyConnect client and check the MFA is working fine
    • On a computer, launch the AnyConnect client and connect to the network

    Example:

    • Enter user credentials
    • Check the Microsoft Authenticator App for the notification

    Example:

    • The authentication application will communicate with the MFA server to complete authentication
    • Note: Here, I have set the preferred method as Notify Authenticator App in MFA settings and in the NPS Policy for Cisco, it is set to MS-CHAPV2

Also, we can verify the event ID’s on the NPS server for verification,

Event id 6272 in the security logs for NPS. For Azure MFA, Application and Services Log -> Microsoft -> AzureMfa

References:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Happy learning!! 🙂

By Ashok M

A technology enthusiast with 9+ years of experience in Planning, Designing, Implementation, Migration and Operations of various Microsoft Infrastructure & Cloud Services. Extensive knowledge of Cloud Computing, Microsoft Messaging & Collaboration, Digital Transformation, IT Services & Emerging technologies. • One of the Authors of the book – “Reimagine Remote Working with Microsoft Teams : A practical guide to increasing your productivity and enhancing collaboration in the remote world” - https://www.amazon.com/Reimagine-Remote-Working-Microsoft-Teams/dp/1801814163 • Blogger at CloudExchangers - https://cloudexchangers.com/ • Microsoft Community Contributor in Microsoft Q&A - https://docs.microsoft.com/en-us/users/ashokm-8240 • Microsoft Certified Professional in MS Azure, Microsoft365, MS Teams and Skype for Business

5 thoughts on “Configuring Azure MFA for Cisco VPN using the NPS Server”
    1. Thank you for the feedback! Have updated the screenshots, beginning of the article has the flow diagram with RADIUS.

  1. I noticed you configured the ASA to use LDAP integration, but I thought NPS was used for RADIUS communication. Can you confirm the ASA should be using LDAP, and not RADIUS?

Comments are closed.