mobile app (or other method) in-flight WiFi

  • Question

  • Hi everyone - I have a question about Azure MFA under certain conditions.  We have the Azure MFA server and mobile app portal set up and working fine, MFA is working for phone calls, texts, and mobile app.

    But some users tell me that they can't sign in on their laptop when using the in-flight WiFi on a plane. They obviously can't receive phone calls or texts because their phone won't have cell signal. You would think they could use the in-flight WiFi on both their phone and laptop and use the mobile app. But they are telling me that they are only allowed to use the in-flight WiFi on one device at a time, and if they connect it on one device it will kick the other one off. So that means they can't receive mobile app notifications. So when they try to sign into remote desktop or VPN on their laptop, they can't get a notification on their phone app.

    Has anyone else run into this and can tell me what you recommend in this situation?   Maybe I can use OATH somehow, I know that the Azure mobile app can display OATH tokens, but I don't know how to make that work with VPN (which is Routing and Remote Access PPTP VPN using RADIUS) or Remote Desktop Services.  Any suggestions you can offer would be much appreciated.  Thanks!

    Tuesday, March 15, 2016 2:20 PM

Answers

  • OATH token fallback would be the recommendation which you can enable on each RADIUS client. However, it only works if the system sending the RADIUS request can process Access Challenge responses so that the user can be prompted for their one-time passcode (OTP). Neither RRAS nor Remote Desktop Gateway can do this. Therefore, neither OATH tokens nor one-way SMS work with those systems. Other systems such as Cisco VPN, Juniper VPN and Citrix Netscaler can all process Access Challenge responses so OATH tokens can be used.

    The only alternative for your systems is to allow one-time bypass via the User Portal. Your users can navigate to User Portal and sign in. User Portal will attempt 2FA, but that will be denied unless the user is configured for OATH token mode. Once the MFA verification is denied due to no user response, the User Portal can fall back and prompt for the user's current OTP if they have the mobile app installed. If the user doesn't have the mobile app installed, the User Portal can fall back and prompt the user to answer security questions.

    After the user has successfully entered their current mobile app OTP or answered the security questions, they will be signed into the User Portal. One of the options in the User Portal (if enabled) is to generate a one-time bypass. Once generated, the user can sign into VPN or RDP. The user will be allowed in one time during a window of time (typically 5 minutes) without MFA so the VPN/RDP connection will succeed with username/password only that one time.

    For all of this to work, click on the User Portal icon in your MFA Server. On the Settings tab, ensure that "Use OATH token for fallback" is enabled to support that option, and ensure that "Use security questions for fallback" is enabled for that option. If a user has both the mobile app installed and has security questions set up, they will only be able to use the OATH token option for fallback.

    Thursday, March 17, 2016 12:16 AM
    Moderator
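As an added illustration (not code from this thread or from the MFA Server product), here is a toy model of the two paths the answer describes: a RADIUS client that can process Access-Challenge completes the OTP round trip, one that cannot (the RRAS / RD Gateway case) fails at the challenge, and a User Portal one-time bypass lets a password-only request through once within its window. The user name, password, OATH seed (the RFC 6238 test seed), State value and 5-minute window are constructed assumptions.

```python
import hashlib, hmac, struct

STEP = 30                                  # TOTP time step, seconds
BYPASS_WINDOW = 5 * 60                     # one-time bypass validity (assumed 5 minutes)

def totp(seed: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the kind of code an OATH-capable mobile app shows."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class MfaRadiusServer:
    """Toy MFA RADIUS server with OATH-token fallback and a User Portal one-time bypass."""
    def __init__(self, users):
        self.users = users                 # name -> (password, oath_seed); constructed data
        self.pending = {}                  # RADIUS State -> user awaiting an OTP answer
        self.bypass = {}                   # user -> bypass expiry time issued by the portal

    def issue_bypass(self, user, now):     # what the User Portal does after OTP/questions
        self.bypass[user] = now + BYPASS_WINDOW

    def handle(self, req):
        user, pw, now = req["User-Name"], req["User-Password"], req["now"]
        if "State" in req:                 # second leg: OTP sent in reply to our challenge
            if self.pending.pop(req["State"], None) != user:
                return {"code": "Access-Reject"}
            ok = hmac.compare_digest(pw, totp(self.users[user][1], now))
            return {"code": "Access-Accept" if ok else "Access-Reject"}
        if user not in self.users or not hmac.compare_digest(pw, self.users[user][0]):
            return {"code": "Access-Reject"}
        if self.bypass.get(user, 0) > now: # one-time bypass: password only, consumed on use
            del self.bypass[user]
            return {"code": "Access-Accept"}
        state = f"state-{user}"            # a real server uses an unpredictable State value
        self.pending[state] = user
        return {"code": "Access-Challenge", "State": state, "Reply-Message": "Enter OTP"}

def login(server, handles_challenge, user, pw, now, otp=None):
    """RADIUS client side. handles_challenge=False models RRAS / RD Gateway behaviour."""
    rsp = server.handle({"User-Name": user, "User-Password": pw, "now": now})
    if rsp["code"] == "Access-Challenge":
        if not handles_challenge:          # cannot prompt for the OTP, so the login fails
            return "Access-Reject"
        rsp = server.handle({"User-Name": user, "User-Password": otp,
                             "State": rsp["State"], "now": now})
    return rsp["code"]
```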

All replies

  • Hello,

    We are checking on the query and would get back to you soon on this.
    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,
    Neelesh
    Wednesday, March 16, 2016 9:38 AM
    Moderator
  • Thank you so much for this great response. I do think this is the only solution for now.  (I confirmed at https://custhelp.gogoinflight.com/app/home/c/7 that Gogo only supports 1 device at a time.)  I will work on setting up the user portal (I already have the mobile app portal working so this should be simple) and test it out, but I can see that it could work.
    Thursday, March 17, 2016 8:03 PM