
RA VPN authentication with and without MFA (with password change from Harmony Endpoint)


I have a customer (currently on R81 HFA44) who would like to fully realize the following scenario for the connection of his users via Harmony Endpoint (currently on E86.10):

1. RADIUS auth with MFA for users in a specific AD group (i.e. VPN_WITH_MFA), WITHOUT password change from the CP Harmony Endpoint (they do it from the Azure portal)

2. Users in this specific group (VPN_WITH_MFA) must NOT be able to change the authentication to LDAP in the CP Harmony Endpoint local configuration

3. LDAP auth for users in a different AD group (i.e. VPN_USERS) but WITH password change from the CP Harmony Endpoint.


All the configuration and devices are on-premises, except the users of the VPN_WITH_MFA group, who are on Azure and use Microsoft Authenticator through RADIUS.


Actually, points 1 & 3 are working, but users in the VPN_WITH_MFA group are able to bypass the MFA authentication by simply selecting the login via Username&Password in their Harmony Endpoint client.

In fact, the actual configuration is the following:


Is there a way to allow the 1 & 2 & 3 configuration at the same time?

Thank you,

