Enable Azure MFA server to accept RADIUS attribute 31 for trusted IP evaluation.
Currently the RADIUS client must send the authenticating user's IP address via attribute 66 for Azure MFA RADIUS server to correctly evaluate trusted IP addresses. It would be tremendously helpful if that was configurable so that an admin could select a different RADIUS attribute (such as 31) for trusted IP evaluation. We use a NetScaler gateway and it will currently only send RADIUS attribute 31 (Calling-Station-Id) to the RADIUS server. Quick fix I presume!
kyujin Choi commented
FYI, Citrix will release 12.1 April 30, 2018 which will include attribute 66.
Stephen, can you tell me encoding type (UTF-8, MS-ANSI) and value for attribute 31? Thanks
Raised a request with Citrix to support radius attribute 66.
Time will tell if Citrix makes the change first to implement attribute 66 or if M$ will make the change to accept attribute 31.
6 months later, still waiting for this request to become a reality.
Stephen Williams commented
I have an ASA5510 that cannot be configured to send type 66 for trusted IP eval. The client IP is sent as Type 31. The following example is sent by ASA5510 and received by MFA Radius server but not recorded or acted on:
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 28 (0x1C)
Radius: Value (String) =
[hex values] | ip:source-ip=99
[hex values] | .199.99.99
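
The following is an added sketch, not part of the thread and not Azure MFA Server code, of the configurable behaviour requested above: the attribute used for trusted IP evaluation is a parameter, and the `ip:source-ip=` value format from the ASA debug output is accepted. The function names, the sample attribute list and the trusted range are constructed for illustration.

```python
import ipaddress

CALLING_STATION_ID = 31      # RFC 2865
TUNNEL_CLIENT_ENDPOINT = 66  # RFC 2868
CISCO_PREFIX = "ip:source-ip="  # value format shown in the ASA debug output

def attr(atype, value):
    """Encode one attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Walk the type/length/value list; keep the first value per type."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("invalid attribute length")
        attrs.setdefault(atype, data[i + 2:i + alen])
        i += alen
    return attrs

def client_ip(attrs, source_attr):
    """Return the client IP carried in source_attr, or None if absent or not an IP."""
    raw = attrs.get(source_attr)
    if not raw:
        return None
    if source_attr == TUNNEL_CLIENT_ENDPOINT and raw[0] <= 0x1F:
        raw = raw[1:]  # RFC 2868: a leading octet of 0x1F or less is a tag
    text = raw.rstrip(b"\x00").decode("ascii", "replace").strip()
    if text.startswith(CISCO_PREFIX):
        text = text[len(CISCO_PREFIX):]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # e.g. a MAC address or phone number in attribute 31

def is_trusted(data, source_attr, trusted_nets):
    """True only if source_attr carries an IP inside one of trusted_nets."""
    ip = client_ip(parse_attributes(data), source_attr)
    return ip is not None and any(ip in net for net in trusted_nets)

# Constructed sample: attribute list of an Access-Request from a gateway
# that only sends Calling-Station-Id (documentation IP range).
SAMPLE = attr(1, b"alice") + attr(CALLING_STATION_ID, b"ip:source-ip=203.0.113.7")
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]

if __name__ == "__main__":
    print("attribute 66:", is_trusted(SAMPLE, TUNNEL_CLIENT_ENDPOINT, TRUSTED))
    print("attribute 31:", is_trusted(SAMPLE, CALLING_STATION_ID, TRUSTED))
```

With evaluation fixed to attribute 66 the sample request is treated as untrusted, which matches the behaviour reported in the thread. Whichever attribute is selected, its value is whatever the RADIUS client sends, so it is only as reliable as the gateway that sets it.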