cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
339
Views
0
Helpful
4
Replies
latenaite2011
Enthusiast

Microsoft NPS Radius Authentication for Internal Switches using Microsoft Authenticator for MFA

Hi Everyone,

 

Just wondering if anyone has configured Microsoft NPS Radius Authentication for Internal Switches using Microsoft Authenticator for MFA for internal Cisco switches.  This is all on-premise. Is there a guide for this?

 

Thanks! LN

 

4 REPLIES 4
balaji.bandi
VIP Expert

I am sure ISE with Cisco device works as expected as below Link :

 

https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120

 

I know with cisco device and MS NPS radius authentication, never trried Multi fact Authenticaiton. need to check check MS document NPS support on prem ?  they do Azure

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

Yes, Azure MFA with NPS on prem works fine.

From the point of view of the network device (switch etc.), it is just asking the defined RADIUS server (NPS in this case) for an authentication and authorization. When NPS receives the RADIUS authentication request from the device, it contacts Azure to confirm the user credentials, including MFA verification. When NPS gets confirmation back from Azure, it sends the appropriate RADIUS result(s) (access-accept, access-deny, and other configured a-v (Attribute-Value) pairs etc.) to the network device.

So all the MFA bits are "invisible" to the network device - except that the response is delayed while the MFA verification happens.

Hey Marvin and balaji.bandi, thanks for the reply.  Looks like I did post this a while back :).

 

Any guide to get this working with Azure AD and NPS with MFA for internal switches?

Marvin Rhoads
VIP Community Legend

If you follow the Microsoft link it shows how to connect your NPS to Azure AD. With that in place, it works fine with Microsoft Authenticator for MFA.

The only "special" thing I did when setting it up for a customer was to change the RADIUS server timeout on the switches to 15 seconds. The default (5 seconds) makes it challenging to respond to the MFA prompt in time.

Content for Community-Ad