This post is the second in a short series that uses another Azure AD feature, the NPS agent that allows the Network Policy Server (Radius) in Windows Server to act as an MFA provider using Azure AD MFA. – read the first post on: https://blog.azureinfra.com/2020/05/28/f5-azure-ad-radius-mfa-agent-part-1/

The scenario is still a user logging into an F5 published portal using their Azure AD credentials (only user+password). But as soon as the user hits a sub-URI (/auth/*) the user will be required to provide MFA. Obviously we could create another Azure AD Application, but it would be hard to configure and it would send the user back to Azure AD to provide authentication. Easier would be to invoke the Azure MFA NPS extension and run this through a regular Radius call.

The initial website will request SAML authentication from Azure (with or without MFA), but will require the user to perform an MFA when reaching a particular URL within that website.

  • /* regular SAML authentication
  • /auth/* step-up MFA authentication


To get started, you need the following items:

Per-Request Policy

In order to implement this, we need to have a Per-Session policy as well as a Per-Request policy.

The per-session policy will authenticate the user based on SAML (Azure AD) and grant access to the base of the website.

The Per-Request policy will be implemented to monitor the URLs used and request the user to perform Radius Authentication if /auth/ is being accessed. Obviously the URL can be more strict. To create the Per-Request policy:

  1. Go to Access >> Profiles / Policies : Per Request Policies and click create..
  2. Give a name to the policy [contoso-portal-mfa] and click Finished
  3. Once the policy is created, click Edit in the Per-Request Policy column
  4. A new window will be shown with Start–+–Allow
  5. Click Add New Subroutine
  6. Give the routine a name [Radius-MFA]
  1. Click Save
  2. Open the subroutine: Radius-MFA by clicking the + sign in front of it
  3. A new flow is shown with In—>+–>Out
  4. Click the + sign and a new window will open
  5. Select the authentication tab and choose Radius Auth
  6. Set the AAA server to the earlier created Radius entry [azure_mfa]
  7. For the username source set it to: %{subsession.logon.last.username}
  8. Click Save to put the Radius Auth in the flow
  9. Click Edit Terminals to change the outcome
  10. Click Add Terminal to add a second output
  11. Rename Terminal 1 to Deny
  12. Rename Out to Accept
  13. Click ^ on the Accept terminal to move it up
  1. Click Save
  2. Click the Accept terminal for the Radius Auth fallback branch and change it to Deny
  3. Click the + in front of the Radius Auth (In-+-Radius Auth)
  4. In the pop-up window select the Assignment tab
  5. Select Variable Assign and then Add Item
  6. On the pop-up window, select Add new entry
  7. click change to create an assignment
  8. On the left side of the window, select Custom Variable and Secure
  9. In the text field type: subsession.logon.last.username
  10. On the right side of the window select Session Variable and type: session.saml.last.identity
  11. Click Finished
  12. Click Save

This completes the subroutine creation.

  1. In the Per-Request Policy flow, click +
  2. In the pop-up window, select the General Purpose tab
  3. Select the URL Branching object and click Add item
  4. In the pop-up window for URL Branching select the Branch Rules tab
  5. Change the name from Allow to step-up and select change
  6. Click Add Expression
  7. For the Agent Sel: select URL Branching
  8. For the Condition, select Glob Match
  9. For the URL glob pattern: /auth/
  10. Click Add Expression
  1. On the overview page, click the X to remove the URL Contains: domain.com to remove that condition.
  1. Click Finished
  2. Click Save
  3. The URL branching object will be added with 2 branches – step-up & fallback
  4. Click the Reject in the fallback branch and change it to Allow
  5. Click the + on the step-up branch
  6. In the pop-up select Subroutines
  7. Select the Radius-MFA subroutine created earlier and click Add Item
  1. The policy is now complete

Assigning the policy to a virtual server

The policy needs to be added to the published website, this can be done through the properties of the virtual server.

  1. Go to Local Traffic >> Virtual Servers and select the virtual server hosting the webpage
  2. Under the Access Policy section, select contoso-portal-mfa under the per-request policy
  3. Add the SAML authentication policy under Access Profile
  1. Click Update to make the change active


Open the main page (https://portal.contoso.com) and login to Azure AD (access policy). Go to the /auth/ url (https://portal.contoso.com/auth/) and the user will be triggered to perform an MFA. Note that it will only be a push notification or phone call.


If it doesn’t work like expected, add Logging items in the policies to see where things go wrong. Session logging can be viewed by going to:

Access >> Overview : Active Sessions


Access >> Overview : Access Reports

Tagged , , ,