| title | F5 - Azure AD Integration - Radius based MFA |
|---|---|
| description | |
| author | RZomerman |
| ms.date | 05/5/2020 |
| layout | LandingPage |
| ms.topic | landing-page |
| ms.service | |
| ms.subservice | |
In this tutorial, you'll learn how to integrate F5 with Azure Active Directory (Azure AD) for multi-factor authentication using the NPS MFA extension.
You will need an on-premises Active Directory, an Azure AD tenant (the two synchronized with Azure AD Connect) and an F5 appliance with the APM module.
Integrating F5 with an external RADIUS server is nothing new. What is new is that the RADIUS server can now also have the Azure MFA NPS extension installed. This tutorial covers RADIUS authentication against NPS with the Azure MFA NPS extension. The default NPS policies created with the extension expect every request to carry a username and a password, but this tutorial also covers using the RADIUS server as a step-up MFA provider that takes only a username.
Network Policy and Access Services (NPAS) is a role of Windows Server. Install a Windows Server and join it to the domain (the NPS extension looks the user up in Active Directory), then add the role through Server Manager or PowerShell and open the RADIUS authentication port:

```powershell
Install-WindowsFeature NPAS -IncludeManagementTools
# Open the RADIUS authentication port (UDP 1812) in the Windows firewall
New-NetFirewallRule -DisplayName 'RADIUS 1812' -Profile 'Any' -Direction Inbound -Action Allow -Protocol UDP -LocalPort 1812
```

The full installation guide for the NPS extension can be found at: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
- Make sure to disable IE Enhanced Security Configuration, as the NPS extension setup script signs you in to Azure AD through the built-in web browser.
In short: download the package from https://aka.ms/npsmfa and install the extension on the NPS server. Next, open an elevated PowerShell prompt and run:

```powershell
cd "C:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1
```

- Sign in to Azure AD as an administrator when prompted.
- PowerShell prompts for your tenant ID; enter the Directory ID GUID.
- PowerShell shows a success message when the script has finished.
- Next, a RADIUS client needs to be configured (the F5 that will connect to the RADIUS server). In the NPS console, go to RADIUS Clients and Servers -> RADIUS Clients.
- Add a new client, give it a name (F5) and set the IP address of the client to the address the F5 uses to reach NPS (internal or closest route). NPS silently discards requests from addresses that are not registered as a client, so a wrong address shows up as a timeout on the F5, not as a rejection.
- Provide a shared secret or generate a new one. Copy the secret, as it is required when configuring the F5 in a later step.
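The NPS-side steps above (role install, firewall rule, RADIUS client for the F5) as one script, added here as an example; it is not part of the original tutorial. It is run in an elevated PowerShell on the domain-joined NPS server. The F5 address (10.0.0.10), the client name and the generated secret are assumptions you replace with your own values; the interactive `AzureMfaNpsExtnConfigSetup.ps1` step stays separate because it requires a browser sign-in.

```powershell
# Added example (not from the tutorial): NPS role, firewall rule and RADIUS client for the F5.
#Requires -RunAsAdministrator

$F5Address  = '10.0.0.10'    # assumption: the F5 self IP from which RADIUS requests will arrive
$ClientName = 'F5'

# 1. Install the Network Policy and Access Services role.
Install-WindowsFeature NPAS -IncludeManagementTools | Out-Null

# 2. Allow RADIUS authentication (UDP 1812) from the F5 only. The policies created later
#    accept PAP without validating credentials, so this port must not be reachable from
#    arbitrary hosts.
New-NetFirewallRule -DisplayName 'RADIUS 1812 from F5' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 1812 -RemoteAddress $F5Address -Profile Any | Out-Null

# 3. Generate a strong shared secret. It is the only key protecting the User-Password
#    attribute and authenticating the Access-Accept that the F5 acts on.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = -join ($bytes | ForEach-Object { '{0:x2}' -f $_ })   # 48 hex characters

# 4. Register the F5 as a RADIUS client (the equivalent of the RADIUS Clients node in the NPS console).
New-NpsRadiusClient -Name $ClientName -Address $F5Address -SharedSecret $sharedSecret | Out-Null

# 5. Verify the client exists and hand the secret to the F5 administrator out of band;
#    it is entered in the F5 RADIUS AAA server object later.
Get-NpsRadiusClient | Where-Object Name -eq $ClientName | Format-List Name, Address, Enabled
"Shared secret for the F5 RADIUS AAA server object: $sharedSecret"
```

The firewall rule is scoped to the F5 address on purpose: the NPS policies built in the next section grant access on a client IP condition alone, so the network path should enforce the same restriction.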
Next comes the configuration of the policies. NPS has two kinds: Connection Request Policies and Network Policies.
RADIUS by default expects a username and a password, which in many cases is what makes the authentication secure. In this case, however, the NPS/MFA server only provides step-up authentication based on the username. A federated user (or a user without a password) cannot supply a password to the system, so only the username is required. This means credential validation must be disabled for this RADIUS client. While it is possible to alter the built-in policy (Use Windows authentication for all users), this tutorial creates a new policy that applies only to the F5 client created earlier, so every other RADIUS client keeps validating credentials.
- Create a new Connection Request Policy by right-clicking Connection Request Policies and selecting New.
- Provide a name for the policy (Unauthenticated MFA).
- Leave the type of network access server as Unspecified.
- On the Specify Conditions page, select Add.
- Go to RADIUS Client Properties.
- Select Client IPv4 Address and click Add.
- In the pop-up, type the IP address of the F5 device and click OK.
- Click Next.
- On the Specify Connection Request Forwarding page, under the Authentication tab, select Accept users without validating credentials.
- Click Next.
- On the Configure Settings page, click Next.
- Review the settings and click Finish.
- Move the newly created policy to the top of the list so it is evaluated before the default policy.
Next, a Network Policy needs to be configured.
- Right-click Network Policies and select New.
- Provide a name for the policy (Unauthenticated MFA).
- Set the type of network access server to Unspecified.
- Click Add in the conditions window.
- Select Client IPv4 Address under RADIUS Client Properties.
- Click Add.
- In the pop-up, type the IP address of the F5 device (the same as the RADIUS client), click OK and click Next.
- Select Access granted in the Specify Access Permission window and click Next.
- In the Configure Authentication Methods window, select Unencrypted authentication (PAP, SPAP) and click Next; click No on the pop-up asking whether to view the help topic about unencrypted authentication.
- Click Next in the Configure Constraints window.
- Click Next in the Configure Settings window.
- Review the settings and click Finish.
The NPS server is now configured.
F5 access policies can now make use of the RADIUS server configured in NPS. When F5 sends the username to the RADIUS server, the Azure MFA extension kicks in and asks the user to complete MFA (note that only an approve-style method, such as a notification or phone call, works in this scenario; there is no code challenge). To configure the NPS server as a RADIUS server in F5:
- Go to Access >> Radius and click Create.
- Provide a name for the RADIUS server (azure_mfa).
- Select Authentication as the mode.
- Set the Server Connection to Direct (or Pooled if you deploy multiple NPS servers).
- Provide the IP address of the NPS server.
- Leave the port at 1812.
- Enter the shared secret created earlier in NPS when adding the RADIUS client.
- Set the Timeout to 60 seconds, so the user has time to approve the MFA prompt before the F5 gives up on the request.
- Click Finished.
Next is the creation of an access policy. It defines the authentication flow; for this POC the user is first asked for their username, which then triggers an MFA prompt for that user. Note that the password is not required in this POC; this will be added later. While no password is asked for, the user must still exist in Azure AD: users can log on with their sAMAccountName or UPN, but the UPN must match a user in Azure AD that is configured for MFA.
- Go to Access >> Profiles / Policies : Access Profiles (Per-Session Policies) and click Create.
- Give the profile a name and select LTM-APM as the Profile Type.
- Under Language Settings, select English (en), click << to add it to the profile and click Finished.
- The profile is created; click Edit in the Per-Session Policy column of the new profile.
- A new tab opens with the policy. Click + to add a new item to the flow.
- In the pop-up, select the Authentication tab, choose RADIUS Auth and click Add Item.
- In the next pop-up, select the RADIUS entry created above as the AAA Server and click Save.
- The RADIUS Auth item is added to the flow.
- Click the + sign in front of the RADIUS Auth box.
- In the pop-up, select Logon Page from the Logon tab and click Add Item.
- In the next pop-up, remove the password field from the page by setting the Type column for the password field to none, and click Save.
- Click the Deny ending on the Successful branch of RADIUS Auth, select Allow in the pop-up and click Save.
- Finally, click Apply Access Policy.
- Publish a new virtual server (website) that uses the new access profile.
The test website now asks only for a username. Enter the sAMAccountName of an AD user whose UPN is known in Azure AD and enrolled for MFA.
The NPS extension resolves the user in AD, converts the name to that user's UPN and asks Azure AD to perform MFA for that UPN.
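To test the NPS policies without the F5, the request the F5 sends can be reproduced by hand: one RADIUS Access-Request carrying a User-Name, an empty PAP User-Password and a NAS-IP-Address, followed by a check of the Response Authenticator on the reply. The script below is an added example and not part of the original tutorial or the F5 or Microsoft products it describes. It assumes NPS at 10.0.0.5, that it runs on the host registered as the RADIUS client (10.0.0.10), the shared secret from the NPS client, and a test user jdoe; all of these are placeholders.

```powershell
# Added example (not from the tutorial): hand-crafted RADIUS Access-Request to NPS.
# Run from the address registered as a RADIUS client in NPS; other sources are silently dropped.
$NpsServer    = '10.0.0.5'                        # assumption
$NasAddress   = '10.0.0.10'                       # assumption: the RADIUS client IP registered in NPS
$SharedSecret = 'REPLACE-WITH-NPS-CLIENT-SECRET'  # assumption
$UserName     = 'jdoe'                            # assumption: sAMAccountName of an MFA-enabled user

$md5    = [System.Security.Cryptography.MD5]::Create()
$secret = [System.Text.Encoding]::ASCII.GetBytes($SharedSecret)

function New-RadiusAttribute {
    # RFC 2865 attribute TLV: Type (1 byte) | Length (1 byte, header included) | Value
    param([byte]$Type, [byte[]]$Value)
    ,([byte[]](@([byte]$Type, [byte]($Value.Length + 2)) + $Value))
}

# Request Authenticator: 16 random bytes. It masks the User-Password and is mixed into
# the Response Authenticator, which is what lets the client detect a forged reply.
$requestAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($requestAuth)

# PAP User-Password (RFC 2865 section 5.2): pad to 16 bytes, XOR with MD5(secret + authenticator).
# The F5 logon page no longer collects a password, so the plaintext is empty. The Connection
# Request Policy accepts the request without validating it, but the attribute must still be present.
$mask     = $md5.ComputeHash([byte[]]($secret + $requestAuth))
$plain    = New-Object byte[] 16
$password = New-Object byte[] 16
for ($i = 0; $i -lt 16; $i++) { $password[$i] = $plain[$i] -bxor $mask[$i] }

$attrUser = New-RadiusAttribute 1 ([System.Text.Encoding]::UTF8.GetBytes($UserName))          # User-Name
$attrPass = New-RadiusAttribute 2 $password                                                   # User-Password
$attrNas  = New-RadiusAttribute 4 ([System.Net.IPAddress]::Parse($NasAddress).GetAddressBytes()) # NAS-IP-Address
$attributes = [byte[]]($attrUser + $attrPass + $attrNas)

# Header: Code 1 = Access-Request, Identifier, 2-byte Length (header 20 bytes + attributes)
$identifier = 1
$length     = 20 + $attributes.Length
$header     = [byte[]](1, $identifier, ($length -shr 8), ($length -band 0xFF))
$request    = [byte[]]($header + $requestAuth + $attributes)

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 60000     # the user must approve the MFA prompt; matches the 60 s F5 timeout
$udp.Connect($NpsServer, 1812)
[void]$udp.Send($request, $request.Length)
$remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
try   { $response = $udp.Receive([ref]$remote) }
catch { throw "No reply within 60 s: is $NasAddress registered as a RADIUS client in NPS and UDP 1812 open?" }
finally { $udp.Close() }

# Response Authenticator (RFC 2865 section 3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
# Verifying it proves the reply came from a holder of the shared secret and not from a spoofed Access-Accept.
$respLength = ([int]$response[2] -shl 8) -bor [int]$response[3]
$respAttrs  = if ($respLength -gt 20) { [byte[]]$response[20..($respLength - 1)] } else { [byte[]]@() }
$expected   = $md5.ComputeHash([byte[]]($response[0..3] + $requestAuth + $respAttrs + $secret))
$authentic  = [System.BitConverter]::ToString($expected) -eq [System.BitConverter]::ToString([byte[]]$response[4..19])
if (-not $authentic) { throw 'Response Authenticator mismatch: wrong shared secret or spoofed reply' }

switch ([int]$response[0]) {
    2       { "Access-Accept: MFA approved for $UserName" }
    3       { "Access-Reject: MFA denied, or the user was not found in AD / Azure AD" }
    11      { "Access-Challenge: NPS expects an interactive answer, which the F5 flow above does not handle" }
    default { "Unexpected RADIUS code $($response[0])" }
}
```

Two things this exercise makes visible that the GUI hides: a request from an unregistered source address never gets an answer at all (the timeout branch), and the only integrity on the Access-Accept the F5 acts on is the MD5-based Response Authenticator keyed with the shared secret, which is why that secret should be long, random and unique per client.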