MFA Server - RADIUS & ADFS

  • Question

  • We currently have MFA Server configured with RADIUS with our NetScaler. This is working great and users get an MFA challenge when logging into Citrix.

    Now we want to integrate MFA Server with our ADFS server, by installing the ADFS adapter.

    The question I have is, do users get 2 MFA challenges? One when logging into Citrix (RADIUS) and then one when they go to Office 365 via ADFS?

    So is there single MFA when using RADIUS & ADFS?

    Saturday, February 18, 2017 10:09 PM

Answers

  • Dear Dirk,

    Azure MFA only initiates an MFA request if it's requested via RADIUS or AD FS.

    So if your configuration states that all requests through AD FS need MFA, and also those from applications opened in Citrix, then yes, you will get a second prompt; after this, other applications will reuse the authentication cookie.

    The RADIUS token cannot be reused by AD FS.

    That's why I mentioned the claim rules. 

    Is my answer clear?

    Monday, February 20, 2017 8:58 AM

All replies

  • Dear Dirk,

    It depends on your AD FS configuration.

    By default, AD FS makes the following decision:
    Extranet is access through the Web Application Proxies.
    Intranet is access through the AD FS farm.

    I don't know your AD FS setup, but if your back-end AD FS is used for the internal clients/Citrix and the Web Application Proxies are used from the internet, then you can specify that only access through the extranet needs to perform MFA authentication in addition to the username and password.

    Citrix will access the back-end side of AD FS and will be considered an internal client, and no additional MFA would be needed if you configure it so.

    You can make more complex conditional access rules with AD FS, but that depends on your requirements.


    Sunday, February 19, 2017 11:59 AM
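
The extranet-only MFA setup described in the reply above can be expressed as an AD FS additional authentication rule. This is an added example, not part of the original thread; it assumes AD FS on Windows Server 2012 R2 or later with the MFA Server adapter already registered, and the Office 365 relying party trust name shown is the usual default and may differ in your farm.

```powershell
# Added example: require MFA only for requests that arrive through the
# Web Application Proxy (extranet). Run on the primary AD FS server.
Import-Module ADFS

# Inspect the current state before changing anything.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule

# AD FS issues insidecorporatenetwork = "false" for requests relayed by WAP.
# When it is "false", demand the multipleauthn method, which triggers the
# MFA adapter. Intranet requests (for example from the Citrix session hosts)
# do not match this rule and are not prompted again by AD FS.
$extranetOnlyMfa = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Option 1: apply the rule globally (all relying parties).
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetOnlyMfa

# Option 2 (alternative to option 1): scope it to one relying party only.
# The trust name below is an assumption; list yours with Get-AdfsRelyingPartyTrust.
$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $extranetOnlyMfa
```

With this rule, a user inside a Citrix session relies on the RADIUS MFA performed at the NetScaler, while a user reaching AD FS directly from the internet is challenged by AD FS.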
  • Hi B Arkesteijn,

    I know we can disable MFA when coming from the intranet or if you are member of a specific group, this is certainly something we can use.

    But I would like to know: if users authenticate with MFA+RADIUS, do they not get a second MFA challenge when accessing ADFS+MFA?

    Monday, February 20, 2017 6:49 AM
  • Mr Arkesteijn,

    So indeed, I meant whether, if you have an MFA RADIUS token, that MFA token then also works for ADFS MFA, but that is not the case, unfortunately. But thanks for the clarification.

    Back to English :-)

    So the MFA radius token cannot be reused by the MFA ADFS token, check.

    Shame that MFA does not 'share' its authentication across different authentication types.


    Monday, February 20, 2017 2:30 PM