Thanks for the reply. I have set up the service as per the document and it does work, but with some fairly major limitations.
As it says in the document, when configured with IKEv1 and PAP, in order to get the text message or verification code working you have to disable the "allow user to save password" option. Unfortunately this causes XAuth to fail on Mac devices, so it has to be switched on. So that rules out text and verification code.
With IKEv1 and MSCHAPv2, push notification and phone call work, as long as you are quick, as you only have 30 seconds due to the auth server timeout.
I would obviously prefer to use IKEv2 as the IETF use phrases like "IKEv1 is deprecated and MUST NOT be deployed" and "Systems that support IKEv1 but not IKEv2 are most likely also unsuitable candidates for continued operation".
When you turn on IKEv2 with MSCHAPv2, push notifications via the app still work, but for some reason that 30-second time limit becomes around 5 seconds, so I'm wondering if there is a setting that I've missed for this; I can't find anything.
I currently have a TAC case open via our partner for this so hopefully will get somewhere with it, but thought I would ask in case anyone else has tried.
Thanks
Dave
Original Message:
Sent: May 11, 2021 10:54 AM
From: Herman Robers
Subject: VIA and Microsoft Authenticator MFA
From the document:
- PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
- CHAPV2 and EAP support phone call and mobile app notification.
I would assume (have not tested) that EAP is possible with IKEv2. PAP may only be available on IKEv1, however with EAP-GTC in v2, you might be able to get it working as well. The document seems to describe quite closely what you are asking.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: May 07, 2021 06:09 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA
Thanks Herman, I did follow that document while I was testing, but it seems to just suggest using IKEv1.
Original Message:
Sent: May 05, 2021 04:35 AM
From: Herman Robers
Subject: VIA and Microsoft Authenticator MFA
Unsure if it is relevant, there is a VIA Technote on using Microsoft Cloud MFA together with VIA.
------------------------------
Herman Robers
Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA
Hi All
I've been doing some testing with VIA and ClearPass with Microsoft MFA using the NPS extension. Managed to get it working; however, there are some limitations, one of which is that the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7. Does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds?
Thanks
Dave