NPS extension request specific authentication method from Azure MFA service

Hello,

I have successfully implemented an MFA solution for GlobalProtect VPN client users. The simplified workflow is as follows:

1. Remote/home-office users initiate a VPN connection via the GlobalProtect VPN client application and provide their AD credentials.

2. The VPN gateway (Palo Alto firewall acting as RADIUS client) passes the authentication request to the local RADIUS server (Windows Server running the NPS service with the NPS extension installed) for each VPN user connection request.

3. The local RADIUS server performs primary authentication against the local AD server (synchronized to Azure AD via the Azure AD Connect service) and, upon successful primary authentication, performs a secondary authentication check by sending a request to Azure MFA.

4. Azure MFA sends the default authentication method challenge to the user (authenticator app, SMS, phone call, etc.) and communicates this to the RADIUS server, which in turn communicates it to the VPN gateway, which in turn communicates it to the GlobalProtect VPN client application. Thus, if a user has SMS configured as the default MFA method, the GlobalProtect app will prompt the user to enter the SMS OTP.

5. After the user confirms the authenticator app push notification, the authentication process completes successfully, as it also does in the SMS OTP case.

However, if a user has trouble with the authenticator app, which is mostly used as the primary authentication method in my organisation, there is no prompt for the user to try alternative MFA authentication methods (such as those offered in O365 MFA authentication). It seems that such an alternative workflow is not supported in the GlobalProtect VPN client application.

Furthermore, the Palo Alto firewall VPN gateway and the GlobalProtect VPN client application can offer VPN users the possibility to connect to multiple gateways (the user can select the connection point), and each VPN gateway can be configured to use a different RADIUS server, i.e. each VPN gateway would have a dedicated RADIUS server.

Now, my question is: is it possible to configure the NPS extension to request a specific authentication method from the Azure MFA service? My idea is to have three RADIUS servers, each running the NPS extension, where the first one would specifically request the authenticator app MFA method, the second would specifically request the SMS MFA method, and the third would request the phone call MFA method.

Thanks in advance to the people trying to help me.

Haris Alatović
