Hi. I am planning to set up 2-factor authentication for AnyConnect clients. AnyConnect VPN has already been set up and is working with RADIUS (NPS server with AD). I have taken a subscription to Azure MFA on cloud and want to deploy second authentication using Azure MFA. Could anyone please share any good document to set up AnyConnect with NPS and on-cloud Azure MFA?
Also, in AnyConnect I see only one password field to enter a password, which I think would be for the primary RADIUS-AD, but how do I get a second authentication field to enter the PIN/password from Azure MFA? Please help.
Here's some info I used:
Hi Cristian, I went through the link below which you shared and need some clarification.
The VPN server receives an authentication request from a VPN user that includes the username and password for connecting to a resource, such as a Remote Desktop session.
In this procedure the AnyConnect client sends a request to the ASA with the primary credentials.
Acting as a RADIUS client, the VPN server converts the request to a RADIUS Access-Request message and sends it (with an encrypted password) to the RADIUS server where the NPS extension is installed.
In this procedure, the ASA converts the request to a RADIUS request and sends it to the NPS server (RADIUS server).
The username and password combination is verified in Active Directory. If either the username or password is incorrect, the RADIUS Server sends an Access-Reject message.
Let's suppose primary auth succeeds.
If all conditions, as specified in the NPS Connection Request and Network Policies, are met (for example, time of day or group membership restrictions), the NPS extension triggers a request for secondary authentication with Azure Multi-Factor Authentication.
If primary auth succeeds, the NPS extension triggers a request for secondary auth with MFA. So here, do we also need to configure secondary auth on the ASA pointing again to the same NPS server as for primary auth? Please clarify.
Azure Multi-Factor Authentication communicates with Azure Active Directory, retrieves the user’s details, and performs the secondary authentication by using the method that's configured by the user (cell phone call, text message, or mobile app).
If the user gets a code as secondary auth on the phone, where does it need to be entered, as there is only one password field in the AnyConnect client application? So how do we get another field to enter the secondary auth in the AnyConnect client application?
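The RADIUS leg of the flow the quoted doc steps describe, as an added example that is not from this thread, Cisco or Microsoft: the ASA side hides the User-Password per RFC 2865 (the doc's "encrypted password") and the server side decides in the doc's order (AD check, NPS policies, then the extension's Azure MFA step). The SAMPLE_AD directory and the policy_ok/mfa_approved callbacks are constructed stand-ins for AD, NPS policy and the NPS extension.

```python
import hashlib
import secrets

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (the "encrypted password" the
    doc mentions): pad to 16-byte blocks and XOR each block with
    MD5(shared_secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server (NPS) performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop RFC padding; passwords here never end in NUL

# Constructed sample directory standing in for Active Directory.
SAMPLE_AD = {"alice": "Wint3r!Road"}

def nps_decide(username, hidden_pw, secret, authenticator, policy_ok, mfa_approved):
    """Server-side order from the quoted doc: AD check, NPS policies, then the
    extension's Azure MFA step. policy_ok/mfa_approved are constructed stubs."""
    pw = reveal_password(hidden_pw, secret, authenticator).decode("utf-8", "replace")
    if SAMPLE_AD.get(username) != pw:
        return "Access-Reject"  # primary factor failed; MFA is never triggered
    if not policy_ok(username):
        return "Access-Reject"  # connection request / network policy not met
    if not mfa_approved(username):
        return "Access-Reject"  # user denied or did not complete the MFA prompt
    return "Access-Accept"

def asa_login(username, password, secret, policy_ok, mfa_approved):
    """ASA side: fresh 16-byte Request Authenticator, hidden User-Password,
    Access-Request to NPS; returns the response code the ASA would act on."""
    authenticator = secrets.token_bytes(16)
    hidden = hide_password(password.encode(), secret, authenticator)
    return nps_decide(username, hidden, secret, authenticator, policy_ok, mfa_approved)
```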