topic Re: Connecting to Remote access vpn , not getting prompted fore 2Fa in SASE and Remote Access

Connecting to Remote access vpn , not getting prompted fore 2Fa

nflnetwork29 — Wed, 18 May 2022 18:52:12 GMT

hello i have configured remote access vpn to work with azure active directory.

when i connect my endpoint client i can successfully login but im Not getting any 2Fa prompting.

does anyone know where i can look to verify my settings for this?

would this be something on the azure portal side?.

any suggestions?

thanks,

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

nflnetwork29 — Wed, 18 May 2022 21:30:28 GMT

we also just noticed during some initial testing that any subsequent vpn login attempt do not even ask for credentials of any sort? i have no idea how the endpoint client is even connecting . something must be cached somewhere? it is now connecting without any credential input request.

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

the_rock — Thu, 19 May 2022 01:24:14 GMT

If its on CP side, then its on gateway properties, vpn -> authentication

Andy

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

nflnetwork29 — Thu, 19 May 2022 02:44:22 GMT

i belive this to be azure issue there is a property that gets set on the client workstation .

it can be verified by running dsregcmd /status op the workstation

under the single sign on section there is the following property

AzureAdPrt : YES

If this property is set to yes it will essentially bypass the conditional access policy / request for MFA.

my workstaion

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2022-05-18 20:56:09.000 UTC
AzureAdPrtExpiryTime : 2022-06-02 00:59:03.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/4e3b121b-1d6b-491c-873e-95e5f3eec8e0
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

nflnetwork29 — Thu, 19 May 2022 13:26:27 GMT

some images of the login process . (attached)

as you can see i never get prompted for MFA or credentials.

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

the_rock — Thu, 19 May 2022 13:39:57 GMT

What identity provider are you using? I tested this before with a colleague and worked fine. I still have it in my lab I believe.

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

nflnetwork29 — Thu, 19 May 2022 13:41:07 GMT

Azure

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

the_rock — Thu, 19 May 2022 13:43:03 GMT

We were using another one (cant think of a name now), but never had this problem. Are there some settings in Azure portal that might be missing? I find it odd that you dont even get a prompt, I got a feeling there is something simple being omitted here.

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

nflnetwork29 — Thu, 19 May 2022 13:45:03 GMT

will check with Microsoft support .will report back what i find out .

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

the_rock — Thu, 19 May 2022 13:46:14 GMT

Please do, because more and more people use cloud stuff now days, so any solution shared is big help.

Cheers.

Re: Connecting to Remote access vpn , not getting prompted fore 2Fa

nflnetwork29 — Mon, 18 Jul 2022 13:42:57 GMT

Here is the response from Microsoft. Does anyone know how I can add this parameter?

@the_rock wrote:

Please do, because more and more people use cloud stuff now days, so any solution shared is big help.

Cheers.

Thank you for posting your question on Microsoft Q&A.

This could happen when your device is registered/Azure AD joined/hybrid joined to your organization's Azure AD, in case of which a PRT (Primary Refresh Token) is issued to the device. The PRT is then used to provide a seamless single sign-on experience by automatically signing in with the account used to log in to the device. If there was MFA prompted initially in the process of device registration/Azure AD joined/hybrid joined, then even MFA claim is stored in PRT.

Now, whenever user tries to access any application from this device, and if there is any conditional access policy which is configured to prompt for MFA while accessing, then Azure AD will make use of this PRT and both first factor authentication and MFA will not be prompted as PRT contains the MFA claim in it.

You can refer below article to know how PRT is utilized during app token requests,
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#prt-usage-during-app-token-requests

To require users in your organization's directory to prompt for MFA every time they access the application, you need to update your application code to include forceAuthn="true" parameter in the authentication request. This is an SAML parameter that forces interactive authentication regardless of whether a valid PRT and/or Cookies are present or not.