
I want to authenticate VPN with Azure AD MFA. I have followed the instructions in the link https://learn.microsoft.com/en-gb/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

It works with push notifications to the Microsoft Authenticator app.

However, I want to authenticate by entering a TOTP at the login window on Windows instead of using push notifications.

So, I changed the default method from "Microsoft Authenticator - notification" to "Authenticator app or hardware token", but it didn't work.

Setting Adapter

Setting Routing and Remote Access

Setting Policies

Are my settings wrong, or does Windows not support TOTP?

Thank you in advance for your help.

1 Answer


No, it will not work. The NPS can only send the trigger to Azure MFA and cannot send your OTP code to be verified. So Push, Call and SMS will work, but not OTP. You should have a third-party solution, for example TOTPRadius.

Emin
  • Thanks for your reply. But I referenced [Microsoft's guide video](https://www.youtube.com/watch?v=qV9wddunpCY), and they said TOTP was possible. Is it because Windows doesn't support this feature? – Lóng Lực Mar 23 '21 at 03:44
  • If you listen carefully, on that video around 3:35 and in a couple of other places, they clearly say that this will work if the MFA method is configured to be one of the "notification methods", which is MS Authenticator "push" or a phone call. This is easy to understand, as the client can only send username and password. So, the successful password only triggers Azure MFA to send a notification (or a phone call) to be verified as the second factor. There is something in the flow diagram they show that shows the possibility of TOTP, but only if the VPN client supports the "additional challenge" option. – Emin Mar 24 '21 at 17:21
  • Sorry, the comment had a limit on the chars. So, yes, the reason is that your RADIUS client (which is your VPN server) and the VPN client used on the workstations do not support this "double challenge-response" method. I am not aware of systems supporting this natively. – Emin Mar 24 '21 at 17:27
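The two flows Emin contrasts (a server-triggered push that completes in one RADIUS round trip, versus an OTP that needs an Access-Challenge round trip the VPN client must answer), as an added Python model that is not part of the original thread. Packet codes and the State attribute follow RFC 2865 and the OTP check follows RFC 6238; the user, password, secret and State value are constructed, and no NPS or Azure code is involved.

```python
import hmac, hashlib, struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (SHA-1) over the 30-second time counter."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed test user; the secret is the RFC 6238 Appendix B SHA-1 seed.
USERS = {"alice": {"password": "pw", "totp_secret": b"12345678901234567890"}}
SESSIONS = {}  # State attribute value -> user awaiting the OTP round

def server(pkt: dict, mode: str, now: int) -> dict:
    """mode 'notification': a good password makes the server trigger an
    out-of-band push/call and answer Accept/Reject in ONE round trip.
    mode 'otp': a good password only earns an Access-Challenge; the OTP
    must arrive in a SECOND Access-Request carrying the State attribute."""
    if pkt["code"] != ACCESS_REQUEST:
        return {"code": ACCESS_REJECT}
    if "State" in pkt:  # second round of a challenge-response
        user = SESSIONS.pop(pkt["State"], None)
        ok = user is not None and hmac.compare_digest(
            pkt["User-Password"], totp(USERS[user]["totp_secret"], now))
        return {"code": ACCESS_ACCEPT if ok else ACCESS_REJECT}
    rec = USERS.get(pkt["User-Name"])
    if rec is None or pkt["User-Password"] != rec["password"]:
        return {"code": ACCESS_REJECT}
    if mode == "notification":
        push_approved = True  # constructed: the user taps Approve on the phone
        return {"code": ACCESS_ACCEPT if push_approved else ACCESS_REJECT}
    state = "s-" + pkt["User-Name"]
    SESSIONS[state] = pkt["User-Name"]
    return {"code": ACCESS_CHALLENGE, "State": state, "Reply-Message": "Enter OTP"}

def client(user: str, password: str, mode: str, now: int,
           handles_challenge: bool, otp: str = "") -> int:
    """A VPN client that only sends username+password cannot finish the
    'otp' flow: it has no way to answer the Access-Challenge."""
    req = {"code": ACCESS_REQUEST, "User-Name": user, "User-Password": password}
    reply = server(req, mode, now)
    if reply["code"] == ACCESS_CHALLENGE:
        if not handles_challenge:
            return ACCESS_REJECT  # no second message is ever sent; the logon fails
        reply = server({**req, "User-Password": otp, "State": reply["State"]}, mode, now)
    return reply["code"]
```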