Use Azure MFA With Microsoft NPS (RADIUS) Server

 

KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite  simple.

So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event, (in my case send a request to the Microsoft Authenticator Application on my Android Phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license. 

“But I can use the Authenticator App with my Office 365 subscription?”

Well yes you can, but we are not authenticating to office 365 are we?

Below you can prove the licence is allocated in Office 365

And the same in Azure AD.

Now your user needs to have MFA enabled, (this should be pretty obvious), to use the Microsoft authenticator application the USER chooses that method of authentication, when you enable MFA for them (the first time they login). You can re-force that, from the following screen if you wish.

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run though setting up NPS / NPAS. The quickest simplest method is to use PowerShell.

[box]

Install-WindowsFeature NPAS -IncludeManagmentTools

[/box]

From administrative tools open > Network Policy Server >Right click (Top Level) > Register Server in Active Directory  > OK > OK

Execute the following PowerShell command to create a registry key

[box]

New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

[/box]

Enable NPS RADIUS on Windows Firewall

Now for some reason installing NPS does not open the correct ports on the Windows Firewall? So issue the following command;

[box]

Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

[/box]

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.

Below you can see I’ve got my domain user, their remote access (Dial In Tab) is set to control access though policy, and I’ve placed them in a security group called SG-Azure-MFA.

Configure NPS for RADIUS Access

Note: You may already have this configured, if so please skip to the next section.

The first task is to define the RADIUS CLIENT, in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate REDIUS Clients  > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password, you will need to add this to the radius clients config) > OK

Policies > Network Policies > New > Give it a sensible name > Next.

Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.

Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.

Accepts all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’> Click yes if you want to read the warning > Next > Accept all the defaults from this point forward.

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension For Azure MFA‘ software form Microsoft, and install it on your NPS server.

To actually enable it against your Azure AD, Execute the following PowerShell commands;

[box]

cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

[/box]

Eventually you will be asked to authenticate to Azure, do so with an administrative account.

You will be asked to provide your Azure Tennant ID.

When complete REBOOT THE NPS SERVER!

Testing Azure MFA With NPS

Again for Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works;

Remember to RAISE the RADIUS timeout, by default its 10 seconds, I raised it to 30 seconds.

And on my phone I get prompted to allow

 

Authentication successful!

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The Request Was Discarded by a third-party extension DLL file. 

This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

[/box]

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had re-install the NPS Azure extension.

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

[/box]

 

Related Articles, References, Credits, or External Links

NA

Duo: ADSync and Enroll Users via SMS

KB ID 0001648

Problem

Before you can use Duo 2FA/MFA you need to have your users enrolled. Theres a number of ways to enrol them, you can bulk email them, or manually add them. Below I’m going to Sync Duo with my Active Directory, so that if users are members of a specific AD group, they will ‘appear’ in the Duo Admin Portal. Then I’m going to enter a users mobile phone number and send them an SMS to enrol.

Tip: When setting up your Duo Account, I’d recommend creating as new user, just for Duo admin, you can use your own account, but it means enrolling twice.

Duo: Setup ADSync

Log into the Duo Admin Portal > Users > Directory Sync > Active Directory > Add New Active Directory Sync > Take note of the Integration Key, Secret Key, and the API hostname (copy them to a text file). Add your domain controllers (internal IP address(s) and set the port to 636 (LDAPS). Scroll down.

Set the ‘Base DN’ of your domain, here I’m simply using the root of the domain, you can set to to a specific OU of you prefer. Scroll down.

Select LDAPS > Paste in the PEM certificate file of your CA Server certificate. Save Directory.

Note: If you don’t know what a PEM file is, read this post.

On a member server in your domain, install the Duo Security Authentication Proxy software. (Note: This server needs TCP port 443 (HTTPS) outbound permitted on your corporate firewall.

Navigate to C:\Program Files (x86) Duo Security Authentication Proxy/conf folder locate the authproxy.cfg file and open it with WORDPAD.

Delete the contents, and paste in the following, change the values in red to match you domain and put in the keys you coped to Notepad earlier;

[box]

[ad_client]
host=192.168.100.3
service_account_username=svc_duo
service_account_password=Password1
search_dn=dc=pnl,dc=com

[cloud]
ikey=XXXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=XXXXXXXXXXXXXXXXXXXXXXXXXXXX

[/box]

Note: Where 192.168.100.3 is your domain controller, and svc_duo is the service account you created for the proxy service, and Password1 is the password for that account.

Then start the service with the following command;

[box]

net start DuoAuthProxy[/box]

Note: If your service wont start, you may need to grant your ‘service user’ some additional rights, see this post for further information.

Back in the Duo Admin Portal your ADSync should now say ‘Connected’.

Now you can see your groups, select the group that contains the users you want to sync.

Note: DON’T USE ‘Domain Users’, it wont work, neither will creating a group and putting the domain users group within it. Add your users, if theres a lot, you can bulk add users to the group.

Duo: Enrol Users via SMS

Obviously you will need know the users mobile phone number, and they will need to have the Duo app installed, this can be done on Android/iPhone/iPAD from either the App Store or Google Play. (The app is free).

Select your user in the portal  > Add Phone > Enter the mobile number > Add Phone.

Activate Duo Mobile.

Generate Duo Mobile Activation Code.

Send instructions by SMS.

On the users phone, they will see something like this, they need to click the link.

This is what it should look like when successful, (Note: The reason I have TWO entries is because I’m also the Duo Admin for this site).

Related Articles, References, Credits, or External Links

NA

Android – Stop ‘Facebook’ Messenger Hijacking Your SMS

KB ID 0001222 

Problem

Just because Facebook changed the name to simply ‘messenger’ then had it as a separate ‘app’ to confuse the masses into thinking it was nothing to do with Facebook, does not mean I want it to handle my SMS messages!

I already have something to handle my SMS messages, MY PHONE! Yes it’s running Android so I’m slowly giving my soul to Google, but that doesn’t mean Facebook can get in on the act, and serve me adverts based on whats in my text messages.

After a recent update, it decided to jump in and intercept my SMS messages then keep prompting me to change my default SMS app to Messenger, which if you are in a hurry you can inadvertently do.

 

Solution

From within Messenger > Profile > SMS.

TURN OFF the toggle switch at the top for ‘Default SMS app’.

 

Related Articles, References, Credits, or External Links

NA

I’m Going on Holiday, What do I need to Disable on my iPhone?

KB ID 0000622 

Problem

Here in Europe the big mobile Telco’s are being forced to keep roaming prices down. But going abroad with all your data services turned on can mean you might come back to a big bill.

Solution

1. On most peoples phones “Data Roaming” is already disabled (Mines always off).Data Roaming is designed to let you use another provider’s phone network if your carrier signal is too weak. On some sites it says you cant use your phone abroad if you have this disabled I DISAGREE, I’ve got it disabled and I use my phone every time I’m out of the country?

Settings > General > Network > Data Roaming.

2. If you see ActiveSync and/or have mail pushed to your phone, you might want to also disable “Mobile Data” to stop that happening while your away.

Settings > General > Network > Mobile Data.

3. That’s Data stopped but your phone will still function as a phone. WARNING you may still be charged “call forwarding” if your phone rings and you let it go to answer phone while you are away. I don’t mind that, because I prefer to keep my phone on. If you want to disable the phone and text features as well, e.g. You Just want to use the Camera, iPod, and Alarm capabilities. Then just put the phone in Airplane mode, (which isn’t a word Apple! The word is Aeroplane!)

Settings > Airplane Mode.

Related Articles, References, Credits, or External Links

NA

‘BTTRAYCE’ is not a valid Pocket PC application

KB ID 0000168

Problem

Seen, post install of TomTom 7 you will get this error when the phone boots, also Bluetooth will NOT WORK

This happens because TomTom drops in a couple of .dll files to the phones Windows Directory.

 

Solution

You need to rename the .dll files in question, thay are,

WindowsBtSdkCE30.dll
WindowsBtCoreIf.dll

This should be done on the device, launch “File Explorer”, Note: thes files are hidden by default, whilst in file explorer click Menu > “Show all files”, then you will be able to see them.

Then reboot the phone

 

Related Articles, References, Credits, or External Links

NA

Manage your Cisco Firewall from your Windows Mobile Device

KB ID 0000158 

Problem

You have a new windows mobile device and your bored! – well not really, I hope I never have to do this in anger but, It was an exercise in proving it can be done 🙂

Solution

Before you start you need to ensure the following has been done,

1. The firewall in question needs an RSA Key generating on it, (on the firewall issue the following command “crypto key generate rsa” {without the quotes}.

2. The IP of the phone needs allowing – you can analyse the logs to see what’s trying to connect on port 22 and allow that, or issue the following command “ssh 0 0 outside” NOTE that opens your firewall up to SSH access from ANY IP address – so only turn that on when you need it, or find the ip of the phone and allow that!

3. You need a copy of “PocketPuTTY” on your phone.

To put PocketPuTTY on your phone, either use Active Sync, Windows Mobile Device Center, or copy it on with an SD card.

Then on the phone simply navigate to PocketPuTTY, run it, and give it the IP address of the firewall. (Note: You may need to un-tick the “Use Compression” option).

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco AnyConnect – Essentials / Premium Licenses. Explained

KB ID 0000628 

Problem

Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing.

When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.

You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSL facilities via the web portal.

*As pointed out by @nhomsany “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).

Additionally you can use this license’ model with the Advanced Endpoint Assessment License’, this is the license’ you require for Cisco Secure Desktop. You can also use this license’ with the AnyConnect Mobile license’ for access from mobile devices like phones or tablets, (both these licenses are an additional purchase).

For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses. are available as 10 session and 25 session licenses. the 5510 are in 10, 25, 50, 100 and 250 Sessions. (Note: These are correct for version 8.4 and are subject to change, check with your re seller).

Failover: If you are using failover firewalls you can (but don’t have to) use a shared license’ model, this lets you purchase a bundle of Premium licenses. and share them across multiple pieces of hardware, This requires an ASA to be setup as the license’ server’. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses. to be replicated between firewalls in a failover pair. The exception is Active/Active where the amount of licenses. is aggregated together from both firewalls and ALL are available providing the figure does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

When you enable ‘Essential Licensing’, your firewall changes it’s licensing model and the two Premium licenses. you get with it are disabled*. The Firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.

Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.

Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPN’s (including IPSEC ones), then these are taken from the ‘pot’.

Additionally, you can also use this license’ with the AnyConnect Mobile license’ for access from mobile devices like phones or tablets, this license’ is an additional purchase.

Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license’ for BOTH firewalls. After version 8.3 Cisco allowed the licenses. to be replicated between firewalls in a failover pair.

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Next Generation Platform (X)

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000

*To re-enable the built in Premium Licenses. you need to disable Essentials licensing by using the ‘no anyconnect-essentials” command or in the ASDM> Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Cisco AnyConnect Mobility License’

Cisco ASA 5500 – Adding Licenses