I 2nd Tim’s suggestion. If the VPN is Cisco-based, they support using SAML against AzureAD including MFA.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard <manon.less...@dti.ulaval.ca>
Date: Thursday, August 26, 2021 at 7:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

We are talking VPN here and for the entire campus…

Manon Lessard
Programming and analysis officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec) G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, August 26, 2021 at 10:50 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ISE-NPS-Azure MFA

Microsoft note this behaviour and have some sort of workaround in their NPS MFA extension:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension

Really though, doing MFA for RADIUS is a square peg in a round hole, use MFA to provision a client cert and do EAP-TLS instead.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard <manon.less...@dti.ulaval.ca>
Reply to: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, 26 August 2021 at 10:20 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ISE-NPS-Azure MFA

A question not directly related to Wi-Fi, but related to ISE which seems to be something some of you use.

We are currently authenticating a VPN test group via ISE through NPS servers (defined as a token server). The goal is to do MFA with Azure through the Authenticator app on people’s phones.
Everything works, but Authenticator pops up for confirmation, sometimes 2 to 3 times, even if one has accepted the first confirmation…

I would like to have feedback from people who used something like that and have solved the multiple Authenticator prompts.

Thank you

Manon Lessard

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community