Azure AD ROPC style EAP-TTLS auth Fails because of MFA on user account

Arne Bier
VIP

Hello
I have had my initial play with ISE 3.0 and ROPC integration to Azure AD. I set up my EAP-TTLS supplicant to perform PAP-ASCII authentication against a user account in Azure. It was all going quite well until I realised that the authentication was failing because the Azure user account was subject to Microsoft MFA (Multi-Factor Authentication).

[Attachment: REST-Azure.PNG]

I guess this is not an uncommon scenario - MFA protection of an employee account requires the MFA acceptance every time that user logs into a web browser or a new instance of Teams etc. - the usual stuff. But it breaks network authentication.

Has anyone run into this before, and if so, how do you get around it without disabling MFA?


The use case is: using Azure AD user accounts to perform 802.1X authentication over ROPC (EAP-TTLS).

When using an on-prem AD Domain Controller, which synchronises user accounts up to Azure, EAP-PEAP works great, because the on-prem AD Domain Controller obviously doesn't enforce the MFA step (because it's not aware of it). The plan was to not use an on-prem AD for network authentication.

Thanks in advance