Microsoft NPS Radius Authentication for Internal Switches using Microsoft Authenticator for MFA

06-08-2021 07:30 AM
Hi Everyone,
Just wondering if anyone has configured Microsoft NPS Radius Authentication for Internal Switches using Microsoft Authenticator for MFA for internal Cisco switches. This is all on-premise. Is there a guide for this?
Thanks! LN
06-08-2021 08:07 AM
I am sure ISE with Cisco device works as expected as below link:
I know with Cisco device and MS NPS RADIUS authentication, never tried Multi-Factor Authentication. Need to check MS document NPS support on prem? They do Azure
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
06-12-2021 07:21 PM
Yes, Azure MFA with NPS on prem works fine.
From the point of view of the network device (switch etc.), it is just asking the defined RADIUS server (NPS in this case) for an authentication and authorization. When NPS receives the RADIUS authentication request from the device, it contacts Azure to confirm the user credentials, including MFA verification. When NPS gets confirmation back from Azure, it sends the appropriate RADIUS result(s) (access-accept, access-deny, and other configured a-v (Attribute-Value) pairs etc.) to the network device.
So all the MFA bits are "invisible" to the network device - except that the response is delayed while the MFA verification happens.
07-15-2021 04:24 AM
Hey Marvin and balaji.bandi, thanks for the reply. Looks like I did post this a while back :).
Any guide to get this working with Azure AD and NPS with MFA for internal switches?
07-15-2021 05:24 AM
If you follow the Microsoft link it shows how to connect your NPS to Azure AD. With that in place, it works fine with Microsoft Authenticator for MFA.
The only "special" thing I did when setting it up for a customer was to change the RADIUS server timeout on the switches to 15 seconds. The default (5 seconds) makes it challenging to respond to the MFA prompt in time.
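
The switch-side configuration described in the reply above, as an added example that is not part of the original posts. The server name, group name, IP address, shared secret and local account are constructed placeholders, and the syntax assumes an IOS/IOS XE switch that uses named `radius server` blocks.

```cisco
! Added example: every name, address and secret below is a placeholder.
aaa new-model
!
! Local account so the switch stays manageable if NPS does not answer.
username localadmin privilege 15 secret <local-secret>
!
! Per-server timeout raised from the 5-second default mentioned in the post
! to 15 seconds, giving the user time to approve the Authenticator prompt.
radius server NPS-MFA
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 timeout 15
 key <shared-secret>
!
aaa group server radius NPS-GROUP
 server name NPS-MFA
!
! Ask NPS first; use the local account only when NPS does not respond.
aaa authentication login default group NPS-GROUP local
aaa authorization exec default group NPS-GROUP local
```

`show aaa servers` on the switch lists the configured server with its request and timeout counters.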
08-03-2022 07:58 AM
Marvin.
Would seem I have everything set up correctly for this on both the switch and MFA NPS server but am not getting an MFA prompt when attempting to log into the 3850 switch. When looking at the logs on the MFA server I can't even see the request coming from the switch? Any pointers please?
