
Azure MFA bypass based on external IP

Mark Norton


Afternoon Netscalers,


I have a requirement here to bypass MFA for certain external IP-addresses and was wondering how to best approach it.


We run a Netscaler Advanced VPX (v13.0) for external users and vendors to access ICA resources. We have 1x virtual server which uses on-prem AD-auth and RADIUS/NPS. The RADIUS server has the Azure MFA extension for 2-factor auth. Currently MFA is only enforced for users that are Azure-MFA enrolled - if a user is not enrolled, it skips MFA. We would like to fine-tune this further and set up an IP-based RADIUS/MFA redirection.


I'd like to only allow defined external IPs to skip Azure-MFA by pointing to a different RADIUS/NPS server. The idea is to have 2x VPN servers. One for the pre-defined public IPs which would point to a non-MFA RADIUS and the 2nd one for everyone else pointing to an MFA-enabled RADIUS. 


We tried to manage the whitelisting on the RADIUS side but Netscaler is not passing on the external IP in the correct field. Azure-MFA expects the external IP in attribute NAS_IP_ADDRESS but Netscaler shoots it across in attribute Tunnel_Client_Endpoint. So that's a no-no.


What would be the best way to approach this? I have to admit that I'm not the most seasoned Netscaler guru. We usually only touch it when it's broken so please keep it simple :)



