I suggest you ...

enable Azure MFA server to accept RADIUS attribute 31 for trusted IP evaluation.

Currently the RADIUS client must send the authenticating user's IP address via attribute 66 for Azure MFA RADIUS server to correctly evaluate trusted IP addresses. It would be tremendously helpful if that was configurable so that an admin could select a different RADIUS attribute (such as 31) for trusted IP evaluation. We use a NetScaler gateway and it will currently only send RADIUS attribute 31 (Calling-Station-Id) to the RADIUs server. Quick fix I presume!

24 votes
Sign in
Sign in with: Microsoft
Signed in as (Sign out)
You have left! (?) (thinking…)
Amos shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →


Sign in
Sign in with: Microsoft
Signed in as (Sign out)
  • kyujin Choi commented  ·   ·  Flag as inappropriate

    FYI, Citrix will release 12.1 April 30, 2018 which will include attribute 66.

    Stephen, can you tell me encoding type (UTF-8, MS-ANSI) and value for attribute 31? Thanks

  • Stephen Williams commented  ·   ·  Flag as inappropriate

    I have an ASA5510 that cannot be configured to send type 66 for trusted IP eval. The client IP is sent as Type 31. The following example is sent by ASA5510 and received by MFA Radius server but not recorded or acted on

    Radius: Type = 31 (0x1F) Calling-Station-Id
    Radius: Length = 28 (0x1C)
    Radius: Value (String) =
    [hex values] | ip:source-ip=99
    [hex values] | .199.99.99

Feedback and Knowledge Base