RRAS/SSTP/MFA

  • Question

  • So...I'm reading that Azure MFA is not compatible with an SSTP VPN using EAP-MSCHAP v2 when using the MFA server as a Radius server.

    So assuming the MFA server is acting as a Radius proxy, and I've got NPS/Radius on the RRAS box, is that a scenario that would work?  If so, has anyone actually performed that configuration and found it to work?

    thanks

    -Matt

    Thursday, February 16, 2017 11:11 PM

All replies

  • Hi Matt,

    >>is that a scenario that would work?

    Yes, it would be able to work.

    When the MFA server acts as a RADIUS proxy server to another RADIUS proxy which supports this protocol, please check the link below for further understanding:

    RADIUS Authentication and Azure Multi-Factor Authentication Server

    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-radius

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by John Lii Friday, February 17, 2017 7:15 AM
    Friday, February 17, 2017 7:15 AM
  • Is there any supporting documentation on creating this configuration?  The theoretical part is fine, but I've tried multiple combinations of settings and can't get it to work with any of them.  If my only option includes using a less secure protocol, like ms-chap or pap, I'm going to have to abandon this project.

    -Matt

    Friday, February 17, 2017 4:41 PM
  • Let me pose a second question:  based on my understanding of the way SSTP works, the PPP negotiation happens only after the initial SSL tunnel is built.  If that is the case, the entire PPP frame and user authentication is happening inside the SSL tunnel.  Would that then make the use of PAP or MS-CHAP less of a security issue?  

    -Matt

    Friday, February 17, 2017 7:21 PM
  • Hi Matt,

    >>Is there any supporting documentation on creating this configuration?

    I did not find a specific document that describes how to configure the MFA server to be a RADIUS server; you could post it on the MFA forum to get effective support:

    https://social.msdn.microsoft.com/Forums/SqlServer/en-US/home?forum=windowsazureactiveauthentication

    Please check link below to understand RADIUS proxy:

    RADIUS Proxy

    https://msdn.microsoft.com/en-us/library/cc731320(v=ws.11).aspx

    >>based on my understanding of the way SSTP works, the PPP negotiation happens only after the initial SSL tunnel is built

    When the client connects to the SSTP VPN, it will try to create SSL for the VPN tunnel.

    You could check the link below to understand the process of how the VPN is created:

    SSTP Remote Access Step-by-Step Guide: Deployment

    https://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx

    Best Regards

    John



    Monday, February 20, 2017 6:40 AM
  • Hi Matt,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    John



    Thursday, March 2, 2017 9:45 AM