We are in the process of looking at using ClearPass to proxy RADIUS requests to Microsoft NPS and then on to Azure for MFA authentication. I have gotten this to work; however, I ran into an issue.
(Right now Microsoft NPS is the only way to talk to Microsoft Azure MFA)
I noticed that in ClearPass under Server Configuration, the maximum response delay for RADIUS can only be set to a maximum of 5 seconds; however, Microsoft is recommending up to a 60-second delay, as the user will either have to enter a token code or approve the request via the Authenticator app.
Is there a workaround?
This seems to have been an issue with TACACS at one point and seems to be addressed, but not for RADIUS:
https://community.arubanetworks.com/t5/Security/ClearPass-TACACS-timeout/td-p/433414
https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.7.3/Default.htm#WhatsNew/NewFeatures_PolicyMgr.htm
For multi-factor authentication (MFA) workflows that use TACACS+, a new TACACS+ Authentication Timeout service parameter lets you specify the TACACS server’s timeout interval. The default value for this parameter is 30 seconds. The minimum allowed value is 1 second, and the maximum allowed value is 300 seconds (5 minutes). Previously, the default timeout value was 10 seconds and could not be changed. An extended TACACS+ timeout interval might be needed when MFA workflows such as phone calls or text messages are used, which can take longer for the user to complete. To use this feature, go to the Administration > Server Manager > Server Configuration and select the service. On the Service Parameters tab, select Tacacs server as the service and then configure a value for the TACACS+ Authentication Timeout parameter. (#43268)