Azure MFA for users

Hi, All our services currently use Azure MFA, but i was hoping there is some way of adding this to the firewall logon. Is that possible or do you need to use Authpoint? I dont really want two different MFA systems for our students.

thanks

--
WatchGuard M4600 (x2 Cluster)
WatchGuard M640 (x2 Cluster)
Firmware : 12.8

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Abertay
    You can use RADIUS or AD for firewall logins. I would suggest against using MFA for WSM connections as it will require a push for every instance the logon box pops up or the firewall is logged into. (Multiple just to get to policy manager, and more when FSM refreshes data.)

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson Its for users only not WSM. We already use AD via Radius, but that won't force an MFA prompt.

    --
    WatchGuard M4600 (x2 Cluster)
    WatchGuard M640 (x2 Cluster)
    Firmware : 12.8

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Abertay
    If it can be addressed like any other domain controller, it should work with no issues via the authentication servers AD tab. You can also use RADIUS if you prefer.

    If you're using a VPN to get to Azure, please keep in mind that the firewall will address it via its public IP if the server on azure is not on a network the firewall owns. If you want it to use an IP from your trusted network you'll need to expose the any from firebox rule, and set a rule above it from Firebox to that server, with the set source IP box checked and defined.

    -James Carson
    WatchGuard Customer Support

  • Hi, The azure/ad auth works fine, it just won't force an MFA request. Is there a way to do this?

    --
    WatchGuard M4600 (x2 Cluster)
    WatchGuard M640 (x2 Cluster)
    Firmware : 12.8

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Abertay
    The firewall just makes the request -- the response comes from Azure. If Azure is getting the request and is failing to invoke MFA, there's likely a problem on that side.

    -James Carson
    WatchGuard Customer Support

  • @Abertay said:
    Hi, The azure/ad auth works fine, it just won't force an MFA request. Is there a way to do this?

    If you're using AD via RADIUS, then the RADIUS server itself needs to be configured to trigger the MFA prompt.
    For Windows NPS, you have to install and configure the Azure MFA extension - but be warned if you do this on your production server, all requests to it go to Azure for MFA (so any local AD only users will fail to authenticate for one).

    You may need to spin up a separate Windows NPS server if going down this path.

Sign In to comment.