Microsoft NPS Radius Authentication for Internal Switches using Microsoft Authenticator for MFA

latenaite2011
Level 4

Hi Everyone,

 

Just wondering if anyone has configured Microsoft NPS Radius Authentication for Internal Switches using Microsoft Authenticator for MFA for internal Cisco switches.  This is all on-premise. Is there a guide for this?

 

Thanks! LN

 

5 Replies

balaji.bandi
Hall of Fame

I am sure ISE with Cisco devices works as expected, as in the link below:

 

https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120

 

I know Cisco devices with MS NPS RADIUS authentication, but have never tried multi-factor authentication. Need to check the MS documentation on whether NPS supports it on-prem; they do Azure:

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

BB


Yes, Azure MFA with NPS on prem works fine.

From the point of view of the network device (switch etc.), it is just asking the defined RADIUS server (NPS in this case) for an authentication and authorization. When NPS receives the RADIUS authentication request from the device, it contacts Azure to confirm the user credentials, including MFA verification. When NPS gets confirmation back from Azure, it sends the appropriate RADIUS result(s) (access-accept, access-deny, and other configured a-v (Attribute-Value) pairs etc.) to the network device.

So all the MFA bits are "invisible" to the network device - except that the response is delayed while the MFA verification happens.

Hey Marvin and balaji.bandi, thanks for the reply.  Looks like I did post this a while back :).

 

Any guide to get this working with Azure AD and NPS with MFA for internal switches?

If you follow the Microsoft link it shows how to connect your NPS to Azure AD. With that in place, it works fine with Microsoft Authenticator for MFA.

The only "special" thing I did when setting it up for a customer was to change the RADIUS server timeout on the switches to 15 seconds. The default (5 seconds) makes it challenging to respond to the MFA prompt in time.
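
The switch side of the setup described in this thread, as an added configuration sketch that is not taken from any of the posts. The server name `NPS-MFA`, the group name `NPS-GROUP`, the address `192.0.2.10`, the source interface `Vlan10` and the key are placeholders chosen for illustration.

```cisco
! Added example: Cisco IOS / IOS XE AAA configuration pointing device logins
! at an NPS server that performs MFA. All names and addresses are placeholders.
aaa new-model
!
radius server NPS-MFA
 ! 192.0.2.10 is a documentation address standing in for the NPS server
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 ! Default timeout is 5 seconds; 15 gives the user time to approve the MFA prompt
 timeout 15
 ! Placeholder: must match the shared secret of the RADIUS client entry on NPS
 key <shared-secret>
!
aaa group server radius NPS-GROUP
 server name NPS-MFA
!
! "local" is consulted only when the RADIUS server does not respond,
! not when it rejects the login, so keep a local break-glass account
aaa authentication login default group NPS-GROUP local
aaa authorization exec default group NPS-GROUP local
!
! Assumption: Vlan10 is the management interface. Its address must be the one
! registered for this switch as a RADIUS client on NPS.
ip radius source-interface Vlan10
```

On the switch, `show aaa servers` lists per-server request and timeout counters, which shows whether authentication requests are being sent to the configured server at all.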

Marvin. 

It would seem I have everything set up correctly for this on both the switch and MFA NPS server, but I am not getting an MFA prompt when attempting to log into the 3850 switch. When looking at the logs on the MFA server I can't even see the request coming from the switch. Any pointers please?
