The current Azure MFA doesn’t have a plug-in for local workstation and server authentication, so I was testing some other scenarios using an open source application called pGina. You can read more information here – http://pgina.org/ .

pGina supports different protocols; for this testing I was using RADIUS. From an MFA perspective, it is the same as any other RADIUS and 2FA configuration. Here are some of my notes:

Azure MFA and RADIUS configuration details are well documented in https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-radius/ so I am not planning to add any details here. For this testing, I have added my client machines as “Clients” as shown in the following screenshot:

Since I am using domain-joined machines, I have selected Windows Domain as the target.

That is the only configuration you need to make on the MFA server. The next step is to configure the pGina application on your workstation – of course, it has to be installed locally on the machine. Open the pGina application on the workstation and select the appropriate plug-in. I have selected RADIUS.

Select the Configure button to enter your MFA server information.

You don’t need to make any other changes unless you are planning to configure multiple authentication plug-ins and priorities. From the Simulation tab, you can validate your authentication configuration. Based on your MFA configuration (phone call, text message, mobile app, OATH token), the user will receive a second-factor prompt after the password is authenticated.

Since my test account was configured to use MFA Mobile App, I received the following 2FA request on my configured device. 

You will also see the authentication status in the Result section. 

If your MFA server is in Azure, or you are planning to connect to it remotely, make sure to open the appropriate ports. In Azure, additional endpoints (ports 1812 and 1813) need to be opened for your MFA server.

Note: You are enabling public access to your servers. Understand the risk before making these configuration changes 🙂

You also need to update the pGina client with the correct Azure server name or IP address. It is easier to use the Cloud Service name (name.cloudapp.net).
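As an added illustration of what the pGina RADIUS plug-in and the Simulation tab are doing on the wire (this is example code, not code from pGina or the Azure MFA server), the following Python client builds an RFC 2865 Access-Request with a PAP-hidden User-Password, sends it to UDP port 1812 on the MFA server, and accepts the reply only if the Response Authenticator validates under the shared secret. The server address, shared secret, user name and NAS-Identifier are assumptions for the example; PAP is assumed as the RADIUS password method.

```python
import hashlib, hmac, os, socket, struct

RADIUS_AUTH_PORT = 1812  # the authentication endpoint the post says to open for the MFA server

def hide_password(secret, request_auth, password):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous ciphertext block); block 1 chains on the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value

def build_access_request(secret, username, password, ident=1, request_auth=None):
    """Access-Request (code 1) with User-Name(1), User-Password(2) and NAS-Identifier(32)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(1, username.encode())
             + _attr(2, hide_password(secret, request_auth, password.encode()))
             + _attr(32, b"pgina-workstation"))  # constructed NAS name for this example
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(secret, request_auth, code, ident, attrs=b""):
    """What the server sends back: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(secret, request_auth, resp):
    """Recompute the Response Authenticator; a reply that fails this check is dropped."""
    if len(resp) < 20 or len(resp) != struct.unpack("!H", resp[2:4])[0]:
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def radius_authenticate(server, secret, username, password, timeout=60.0):
    """Send one Access-Request and return True only for an authentic Access-Accept (code 2)."""
    pkt, request_auth = build_access_request(secret, username, password, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # the MFA push/call/text to the user happens before the reply
        sock.sendto(pkt, (server, RADIUS_AUTH_PORT))
        resp, _ = sock.recvfrom(4096)
    return (response_is_authentic(secret, request_auth, resp)
            and resp[0] == 2 and resp[1] == pkt[1])
```

A call such as `radius_authenticate("name.cloudapp.net", b"shared-secret", "alice", "password")` mirrors the Simulation tab test; the long timeout matters because the server only answers after the user approves the second factor.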
