The current Azure MFA doesn’t have a plug-in for local workstation and sever authentication. So testing some other scenarios using an open source application called pGina. You can read more information here – http://pgina.org/ .
PGina supports different protocols, for this testing I was using RADIUS . From an MFA perspective, it is same as any other RADIUS and 2FA configuration. Here are some of my notes:
Azure MFA and RADIUS configuration details are well documented in https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-radius/ so I am not planning to add any details here. For this testing, I have added my client machines as “Clients” as shown in the following screenshot:
Since I am using domain joined machines, I have selected Windows Domain as the target.
Those are the only configuration you need to make on the MFA server. Next step is to configure the PGina application on your workstation – of course it has to be locally installed on the machine. Open pGina application from the workstation and select the appropriate plug-in. I have selected RADIUS.
Select Configure button to enter your MFA server information.
You don’t need to make any other changes unless you are planning to configure multiple authentication and priorities. From the Simulation tab, you can validate your authentication configuration. Based your MFA configuration (Phone call, Text message, Mobile app, OATH token) the user will receive a second after authentication prompt.
Since my test account was configured to use MFA Mobile App, I received the following 2FA request on my configured device.
You will also see the authentication status in the Result section.
If your MFA server is in Azure or planning to connect it remotely, make sure to open the appropriate ports. In Azure, additional End Points (port 1812 and 1813) need to be opened for your MFA.
Note: You are enabling public access to your servers. Understand the risk before making these configuration changes 🙂
You also need to modify pGina client with correct Azure server name or IP address. It is easier to use the Cloud Service name (name.cloudapp.net).