Azure RADIUS MFA Not Prompting for Text Code for GlobalProtect

Created On 02/13/19 15:44 PM - Last Modified 07/26/21 19:00 PM


Symptom


  • GlobalProtect Authentication set to RADIUS
  • RADIUS Server Authentication Protocol PEAP-MSCHAPv2
  • Azure RADIUS MFA configured with Text Message
  • After the user enters a username and password for GlobalProtect, the second authentication prompt ("Enter PIN code") never appears.
  • The authd.log in the CLI shows "Auth FAILED":
>less mp-log authd.log

Auth FAILED for user "testuser" thru <"Radius_Authentication", "vsys1">: remote server 10.0.0.10 of server profile "Radius" is down, or in retry interval, or request timed out (elapsed time 55 secs, max allowed 55 secs)
  • The Text Message MFA option requires the Azure RADIUS server to send a RADIUS authentication challenge to the firewall, which relays it to the GlobalProtect client. The firewall's authd.log shows no indication that any RADIUS challenge was received to pass down to the client.
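The "Auth FAILED" line above distinguishes a request that ran out the full RADIUS timeout (elapsed time equal to max allowed, i.e. no Access-Challenge or Accept/Reject ever came back) from a quicker failure. The following parser is an added example, not code from the article or from Palo Alto Networks; the log lines are constructed in the article's format (the second one is a made-up variant with a shorter elapsed time for contrast), and the field names and the `AuthFailure` class are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the format of the article's authd.log excerpt.
# Line 2 is an invented variant (shorter elapsed time) to show the other verdict.
SAMPLE_AUTHD_LOG = """\
Auth FAILED for user "testuser" thru <"Radius_Authentication", "vsys1">: remote server 10.0.0.10 of server profile "Radius" is down, or in retry interval, or request timed out (elapsed time 55 secs, max allowed 55 secs)
Auth FAILED for user "testuser" thru <"Radius_Authentication", "vsys1">: remote server 10.0.0.10 of server profile "Radius" is down, or in retry interval, or request timed out (elapsed time 3 secs, max allowed 55 secs)
"""

# Pattern assumed from the single example line on the page; adjust if your PAN-OS
# version words the message differently.
AUTH_FAILED_RE = re.compile(
    r'Auth FAILED for user "(?P<user>[^"]+)" thru <"(?P<auth_profile>[^"]+)", "(?P<vsys>[^"]+)">: '
    r'remote server (?P<server>\S+) of server profile "(?P<server_profile>[^"]+)".*?'
    r'\(elapsed time (?P<elapsed>\d+) secs, max allowed (?P<max>\d+) secs\)'
)


@dataclass
class AuthFailure:
    user: str
    server: str
    elapsed: int
    max_allowed: int

    @property
    def verdict(self) -> str:
        # elapsed == max allowed: the firewall waited out its whole RADIUS timeout and
        # never received a usable reply. In the article this is the case where the
        # text-message MFA challenge never reached the firewall at all.
        if self.elapsed >= self.max_allowed:
            return "timeout: no RADIUS response or challenge within max allowed"
        return "failed before timeout"


def parse_auth_failures(log_text: str) -> List[AuthFailure]:
    """Extract every 'Auth FAILED' line from an authd.log excerpt."""
    failures = []
    for line in log_text.splitlines():
        m = AUTH_FAILED_RE.search(line)
        if m:
            failures.append(AuthFailure(m["user"], m["server"], int(m["elapsed"]), int(m["max"])))
    return failures


if __name__ == "__main__":
    for f in parse_auth_failures(SAMPLE_AUTHD_LOG):
        print(f"{f.user} via {f.server}: {f.elapsed}/{f.max_allowed}s -> {f.verdict}")
```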


Environment


  • PAN-OS 8.1.3
  • GlobalProtect
  • RADIUS Authentication using PEAP-MSCHAPv2
  • Azure MFA via Text message


Cause


  • One-way text message is not supported with CHAPv2 or EAP for Azure AD Multi-Factor Authentication.



Resolution


Use an Azure AD Multi-Factor Authentication method that is supported by the RADIUS authentication protocol in use:
  • PAP supports all the authentication methods of Azure AD Multi-Factor Authentication in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
  • CHAPv2 and EAP support only phone call and mobile app notification.

For details, see the Microsoft documentation article "Integrate your existing Network Policy Server (NPS) infrastructure with Azure AD Multi-Factor Authentication".


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmp7CAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail