Thursday, September 3, 2015

Azure MFA with pGina and Local Authentication

The current Azure MFA doesn't have a plug-in for local workstation and sever authentication. So I was testing some other scenarios using an open source application called pGina. You can read more information here - http://pgina.org/ .

PGina supports different protocols, for this testing I was using RADIUS . From an MFA perspective, it is same as any other RADIUS and 2FA configuration. Here are some of my notes:

Azure MFA and RADIUS configuration details are well documented in https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-radius/ so I am not planning to add any details here. For this testing, I have added my client machines as “Clients” as shown in the following screenshot:

image

Since I am using domain joined machines,  I have selected Windows Domain as the target. 

image

Those are the only configuration you need to make on the MFA server. Next step is to configure the PGina application on your workstation – of course it has to be locally installed on the machine.    Open pGina application from the workstation and select the appropriate plug-in. I have selected RADIUS. 

image

Select Configure button to enter your MFA server information. 

image

You don’t need to make any other changes unless you are planning to configure multiple authentication and priorities.   From the Simulation tab, you can validate your authentication configuration. Based your MFA configuration (Phone call, Text message, Mobile app, OATH token) the user will receive a second after authentication prompt.   

image

Since my test account was configured to use MFA Mobile App, I received the following 2FA request on my configured device. 

image

You will also see the authentication status in the Result section. 

image

If your MFA server is in Azure or planning to connect it remotely, make sure to open the appropriate ports.  In Azure, additional End Points (port 1812 and 1813) need to be opened for your MFA.

Note: You are enabling public access to your servers.  Understand the risk before making these configuration changes :)

image

You also need to modify pGina client with correct Azure server name or IP address. It is easier to use the Cloud Service name (name.cloudapp.net).

image

1 comments:

Thank you so much for this wonderful blog..This website consists of informative posts only. Very helpful..

Post a Comment

Popular Posts

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More