Azure MFA on NPS/Radius

  • Question

  • I am trying to set up Azure MFA for our Cisco AnyConnect VPN clients following this document. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

    We currently run RADIUS on Windows 2012 R2 for our Wireless Authentication.

    After installing the MFA Azure Extension, all of our Wireless users began getting prompted for MFA. All we want is VPN users to get prompted for MFA, not our WiFi users. How can I separate it out so Wireless does not get prompted but Cisco AnyConnect users do get prompted? It seems like all or nothing. Any help would be appreciated.

    Friday, June 28, 2019 8:22 PM

All replies

  • Hi,

    Did you add the condition NAS port type in VPN policy?

    I would suggest you create a new policy for wireless.

    Network Policies showing the Virtual Private Network Connections policy

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 1, 2019 2:45 AM
    Moderator
  • The Azure MFA for NPS Extension forces all connections through the NPS server it is installed on to be validated by Azure MFA. This overrides any conditional access or MFA settings configured in Azure. You will need to install a different NPS server for separating wireless and VPN connections to achieve the outcome you’ve described.
    Wednesday, July 10, 2019 10:40 AM
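
An added example, not part of the thread or of Microsoft's documentation: since the reply above says the extension applies MFA to every request the NPS server handles, this Python script inventories which RADIUS clients and NAS-Port-Types reach a server, so that non-VPN traffic can be moved to a separate NPS server before the extension is installed. It assumes NPS accounting is logged in the DTS-compliant XML format with one `<Event>` per line; the sample lines, host names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS NAS-Port-Type values (RFC 2865, attribute 61) relevant to this thread.
NAS_PORT_TYPES = {"5": "Virtual (VPN)", "15": "Ethernet", "19": "Wireless-802.11"}

# Constructed sample log (assumed DTS-compliant XML, one <Event> per line).
# Includes an Access-Accept, a truncated line and an event with no NAS-Port-Type.
SAMPLE_LOG = """\
<Event><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Packet-Type data_type="0">2</Packet-Type></Event>
<Event><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Client-Friendly-Name data_type="1">ASA-VPN</Client-Friendly-Name><NAS-Port-Type data_type="0">5</NAS-Port-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Client-Friendly-Name data_type="1">WLC-01
<Event><Client-IP-Address data_type="3">10.0.0.30</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
"""

def summarize(log_text):
    """Count Access-Request packets per (RADIUS client, NAS-Port-Type label)."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = ET.fromstring(line)
        except ET.ParseError:
            continue  # truncated or rotated mid-write; skip rather than abort
        if event.findtext("Packet-Type") != "1":  # 1 = Access-Request
            continue
        client = (event.findtext("Client-Friendly-Name")
                  or event.findtext("Client-IP-Address") or "unknown")
        raw = event.findtext("NAS-Port-Type")
        label = "unspecified" if raw is None else NAS_PORT_TYPES.get(raw, f"type {raw}")
        counts[(client, label)] += 1
    return counts

def unintended_mfa_clients(counts, intended=("Virtual (VPN)",)):
    """RADIUS clients that send requests of a type not meant to get MFA."""
    return sorted({client for (client, label) in counts if label not in intended})

if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for (client, label), n in sorted(totals.items()):
        print(f"{client:12} {label:18} {n}")
    print("Move to a separate NPS server:", unintended_mfa_clients(totals))
```
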
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Friday, July 12, 2019 6:14 AM
    Moderator