MFA NPS extension - Support for network policies in the RADIUS Challenge flow (SMS & OTP)
When the Azure MFA NPS extension is in use, a user who authenticates with SMS or an OTP (verification code) is not granted or denied access according to the network policies defined on the NPS (RADIUS) server.
Microsoft describes this as a known limitation of NPS: the network policies are not applied in the SMS and OTP flows.
The challenge-based methods do not support network policies, because those policies are only evaluated during primary authentication.
In the RADIUS Access-Challenge flow used for SMS and OTP, the challenge response skips primary authentication, so the policies are never evaluated for that request.
When the user's MFA method is a phone app notification or a voice call instead, access is granted according to the correct network policy.
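The two flows contrasted above, as an added example that is not part of the original post and not Microsoft's code: a toy RADIUS client and a model of NPS plus the MFA extension, in Python. Packet encoding and User-Password hiding follow RFC 2865. The server side is an assumed model of the described limitation, not the documented internals of NPS: the network policy runs only on the primary-authentication leg, and the challenge-response leg (State attribute plus OTP) is answered by the MFA hook without it. The user names, passwords, shared secret, OTP value and the "allow NAS-Port-Type Virtual only" policy are all constructed for the example.

```python
import hashlib
import struct

# RADIUS codes and attribute types (RFC 2865); NAS-Port-Type values per RFC 2865 / RFC 3580
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_PORT_TYPE = 1, 2, 18, 24, 61
PORT_VIRTUAL, PORT_ETHERNET = 5, 15
SHARED_SECRET = b"constructed-shared-secret"      # constructed, not a real secret
OTP_CODE = b"123456"                              # constructed verification code
# Constructed directory: username -> (password, registered MFA method)
USERS = {b"alice": (b"Passw0rd!", "otp"), b"bob": (b"Passw0rd!", "push")}


def _xor_chain(data, authenticator, chain_on_output):
    """RFC 2865 section 5.2 User-Password hiding (chain_on_output=True) or its inverse."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(SHARED_SECRET + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out

def hide_password(password, authenticator):
    return _xor_chain(password + b"\x00" * (-len(password) % 16), authenticator, True)

def unhide_password(hidden, authenticator):
    return _xor_chain(hidden, authenticator, False).rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    """Build a RADIUS packet: code, id, length, 16-byte authenticator, TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


class NpsModel:
    """Model of NPS + MFA extension. Assumed network policy: allow NAS-Port-Type Virtual only."""

    def __init__(self):
        self.pending = {}   # State value -> username awaiting its OTP
        self.audit = []     # (username, leg, policy_evaluated, accepted)

    def handle(self, pkt):
        code, ident, auth, a = decode(pkt)
        if STATE in a:
            # Challenge-response leg: the MFA hook answers by itself. Neither primary
            # authentication nor the network policy runs here (the modelled limitation).
            user = self.pending.pop(a[STATE], None)
            ok = user is not None and unhide_password(a.get(USER_PASSWORD, b""), auth) == OTP_CODE
            self.audit.append((user, "challenge", False, ok))
            return encode(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, [])
        user = a.get(USER_NAME)
        pw, method = USERS.get(user, (None, None))
        if pw is None or unhide_password(a.get(USER_PASSWORD, b""), auth) != pw:
            self.audit.append((user, "primary", False, False))
            return encode(ACCESS_REJECT, ident, auth, [])
        if method == "otp":
            # SMS/OTP: Access-Challenge goes back before any policy decision is applied.
            state = hashlib.sha256(auth + user).digest()[:8]
            self.pending[state] = user
            self.audit.append((user, "primary", False, None))
            return encode(ACCESS_CHALLENGE, ident, auth,
                          [(STATE, state), (REPLY_MESSAGE, b"Enter your verification code")])
        # Phone app notification / voice call: MFA completes in-line, then the policy decides.
        allowed = a.get(NAS_PORT_TYPE) == struct.pack("!I", PORT_VIRTUAL)
        self.audit.append((user, "primary", True, allowed))
        return encode(ACCESS_ACCEPT if allowed else ACCESS_REJECT, ident, auth, [])


def client_login(server, user, password, port_type):
    """Run the whole exchange for one user and return the final RADIUS code."""
    auth = hashlib.md5(b"constructed-nonce-1" + user).digest()   # request authenticator
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, auth)),
             (NAS_PORT_TYPE, struct.pack("!I", port_type))]
    code, _, _, a = decode(server.handle(encode(ACCESS_REQUEST, 1, auth, attrs)))
    if code == ACCESS_CHALLENGE:   # second leg: echo State, send the OTP as User-Password
        auth2 = hashlib.md5(b"constructed-nonce-2" + user).digest()
        attrs2 = [(USER_NAME, user), (USER_PASSWORD, hide_password(OTP_CODE, auth2)),
                  (STATE, a[STATE]), (NAS_PORT_TYPE, struct.pack("!I", port_type))]
        code, _, _, _ = decode(server.handle(encode(ACCESS_REQUEST, 2, auth2, attrs2)))
    return code

def accepts_without_policy(server):
    """The check: users who received Access-Accept on a leg where no network policy ran."""
    return [u for u, _leg, policy_ran, ok in server.audit if ok is True and not policy_ran]


if __name__ == "__main__":
    nps = NpsModel()
    print("bob (push), Ethernet port  :", client_login(nps, b"bob", b"Passw0rd!", PORT_ETHERNET))
    print("alice (otp), Ethernet port :", client_login(nps, b"alice", b"Passw0rd!", PORT_ETHERNET))
    print("accepted with no policy run:", accepts_without_policy(nps))
```

Run as a script: bob (push) coming from the Ethernet port type is rejected by the policy, while alice (OTP) from the same port type is accepted on the challenge leg, where no policy ran; `accepts_without_policy` is the audit check that surfaces exactly those accepts. In the model, the policy result for the OTP user is never consulted at all, which is the behaviour the post reports.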

1 comment
Matthijs Vader commented
After having run into this ourselves, I'd think this is super urgent. SMS and OTP are the simplest to use in countries where it's difficult to obtain internet access (think being in a hotel in West Africa, Cameroun for example).
And the other bad thing about this is that it's the total opposite of what you expect; so a security flaw / issue.