Common NPS Extension Authentication Flow (VPN & RD Gateway)
VPN with NPS MFA Extension Flow
1. The user / VPN client initiates the connection to the VPN Server.
2. The VPN Server receives the request from the VPN client and converts it into a RADIUS request to the NPS Server.
3. Both primary authentication and secondary authentication then take place:
Primary Auth: the NPS Server performs primary authentication for the RADIUS request against AD DS (Active Directory Domain Services).
Secondary Auth: the NPS MFA Extension triggers a request to Azure MFA for the secondary authentication. In this stage it converts the RADIUS request to REST and authenticates against the AAD tenant.
4. Azure MFA identifies the default authentication method for the user and sends the challenge.
5. Azure MFA responds based on the user's input. It generates a token that includes a trust assertion, relying on the fact that ESTS trusts anyone who trusts the token.
6. The NPS MFA Extension verifies the secondary authentication response from Azure MFA. It then converts the response to RADIUS and forwards it to the NPS Server.
7. The NPS Server sends the converted RADIUS response to the VPN Server.
8. The VPN Server forwards the RADIUS response to the VPN client and the connection completes.
RD Gateway Server with NPS MFA Extension Flow
1. The user / RDP client initiates the connection to the Remote Desktop Gateway Server.
2. The RD Gateway Server converts the request into a RADIUS Access-Request message and sends it to the RADIUS server (the central NPS Server with the MFA extension).
3. Both primary authentication and secondary authentication then take place:
Primary Auth: the NPS Server performs primary authentication for the RADIUS request against AD DS (Active Directory Domain Services).
Secondary Auth: the NPS MFA Extension triggers a request to Azure MFA for the secondary authentication. In this stage it converts the RADIUS request to REST and authenticates against the AAD tenant.
4. Azure MFA identifies the default authentication method for the user and sends the challenge.
5. Azure MFA responds based on the user's input. It generates a token that includes a trust assertion, relying on the fact that ESTS trusts anyone who trusts the token.
6. The NPS MFA Extension verifies the secondary authentication response from Azure MFA.
7. The central NPS Server sends a RADIUS Access-Accept message for the RD CAP policy to the Remote Desktop Gateway Server.
8. The RD Gateway Server forwards the response to the RDP client and the connection completes.
How does the NPS Extension convert the RADIUS request to REST, and how does the extension authenticate against the AAD tenant?
1. During the process a client certificate is used, typically a self-signed one. This certificate is created when the NPS Extension setup scripts are executed.
* Certificate Subject Name "CN=<TenantID>, OU=Microsoft NPS Extension". It is stored in the local machine certificate store.
2. The process involves the AAD MFA service principal.
* SPN name "Azure Multi-Factor Auth Client", Application ID 981f26a1-7f43-403b-a875-f8b09b8cd720
3. Azure STS verifies the extension's credentials and issues a token to the NPS Extension.
* login.microsoftonline.com
4. The extension makes a REST call to Azure cloud-based MFA using the token issued by ESTS.
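Because the extension's REST authentication to ESTS depends on the client certificate in item 1 being present, holding its private key and being registered on the service principal in item 2, an operator will want to check those conditions before an expiry silently breaks secondary authentication. The following script is an added example, not part of the original page or of Microsoft's setup scripts; it assumes it runs as an administrator on the NPS server, that $TenantId and $WarnDays are supplied by the caller, and, for the optional service-principal comparison, that the Microsoft.Graph module is loaded with an existing Connect-MgGraph session and that each registered key credential's CustomKeyIdentifier holds the certificate's SHA-1 thumbprint bytes.

```powershell
# Added example (not from the original page): verify the NPS MFA Extension
# client certificate on this server and, optionally, its registration on the
# "Azure Multi-Factor Auth Client" service principal.
param(
    [Parameter(Mandatory)] [string] $TenantId,  # CN of the extension certificate
    [int] $WarnDays = 30                        # constructed renewal threshold
)

# The setup scripts store the certificate in LocalMachine\My with subject
# "CN=<TenantID>, OU=Microsoft NPS Extension".
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$TenantId" -and
                   $_.Subject -match 'OU=Microsoft NPS Extension' }

if (-not $certs) {
    Write-Warning "No NPS Extension certificate for tenant $TenantId in LocalMachine\My."
    return
}

$now = Get-Date
foreach ($cert in $certs) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        DaysRemaining = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey     # needed to authenticate to ESTS
        Expired       = ($cert.NotAfter -lt $now)
        RenewSoon     = ($daysLeft -le $WarnDays)
    }
}

# Optional: confirm the same certificate is registered on the service principal
# with Application ID 981f26a1-7f43-403b-a875-f8b09b8cd720 (from the page).
# Assumes Microsoft.Graph is loaded and Connect-MgGraph has already been run.
if (Get-Command Get-MgServicePrincipal -ErrorAction SilentlyContinue) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '981f26a1-7f43-403b-a875-f8b09b8cd720'" `
                                 -Property KeyCredentials
    # Assumption: CustomKeyIdentifier carries the SHA-1 thumbprint bytes.
    $registered = $sp.KeyCredentials | ForEach-Object {
        ([System.BitConverter]::ToString($_.CustomKeyIdentifier)) -replace '-', ''
    }
    foreach ($cert in $certs) {
        if ($registered -notcontains $cert.Thumbprint) {
            Write-Warning "Local cert $($cert.Thumbprint) is not registered on the MFA service principal."
        }
    }
}
```

Run it from an elevated PowerShell session on each NPS server carrying the extension; a missing private key or an unregistered thumbprint explains secondary-authentication failures even when the certificate itself is still valid.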