How to enable MFA for VPN logins and RADIUS-supported endpoint logins

Note: MFA for VPN logins requires the Professional edition of ADSelfService Plus with Endpoint MFA.

ADSelfService Plus' Endpoint MFA adds a second authentication step to VPN and endpoint logins that use RADIUS authentication (for example, Microsoft Remote Desktop Gateway and VMware Horizon View).

ADSelfService Plus requires that the VPN servers and endpoints use a Windows Network Policy Server (NPS) as their RADIUS server. It comes bundled with an NPS extension that must be installed on the NPS server; this extension handles the communication between NPS and ADSelfService Plus for MFA during VPN and endpoint logins.

How it works:

[Diagram: MFA for VPN logins workflow]

Once the VPN or endpoint server (Microsoft RD Gateway, VMware Horizon View, etc.) is configured to use RADIUS authentication and the NPS extension is installed on the NPS (RADIUS) server, the authentication process works as follows:

  1. A user tries to establish a connection by providing their username and password to the VPN or endpoint server.
  2. The server converts the request to a RADIUS Access-Request message and sends it to the NPS server where the ADSelfService Plus’ NPS extension is installed.
  3. If the username and password combination is correct, the NPS extension triggers a request for second-factor authentication with the ADSelfService Plus server.
  4. ADSelfService Plus performs the secondary authentication and sends the result to the NPS extension in the NPS server.
  5. If the authentication is successful, the NPS server sends a RADIUS Access-Accept message to the VPN or endpoint server.
  6. The user is granted access to the VPN or endpoint server and establishes an encrypted tunnel to the internal network.

Configuring MFA for VPN and RADIUS-supporting endpoints

Prerequisites:

Step 1: Enable the required authenticators

  1. Log into ADSelfService Plus as an admin.
  2. Go to Configuration → Self-Service → Multi-Factor Authentication → Authenticators

Authenticators supported for endpoint VPN MFA can be classified into:

  1. One-way authenticators
     These authenticators are applicable by default for all endpoints that use RADIUS authentication.

     Note:
     • When you enable push notification or fingerprint/Face ID authentication, make sure the ADSelfService Plus server is reachable by users from their mobile devices (over the internet).
     • The RADIUS authentication timeout should be set to at least 60 seconds in the VPN server's RADIUS authentication settings, so that the Access-Request does not time out while the user is still approving the push or completing the biometric check on their phone.
  2. Challenge-based authenticators
     Challenge-based authenticators are applicable only when:

     • PAP is configured as the RADIUS authentication method.
     • The RADIUS client (VPN or endpoint server) supports challenge-response, that is, it can prompt the user for the challenge (verification code) and send the entered value back to the RADIUS server.
     Note: With PAP, the user's password travels in the Access-Request protected only by the RADIUS shared secret, so keep the VPN server and the NPS server on a trusted network segment or protect that link with IPsec.
     Note: When challenge-based authenticators are used, the RADIUS attributes configured in the Network Policy are not forwarded to the RADIUS client (VPN or endpoint server). As a result, the VPN client might receive more access than intended, less access, or no access at all. To address this, use the Send additional attributes as a response to the VPN server after successful MFA option under Advanced Settings to have ADSelfService Plus send the required RADIUS attributes to the VPN server.

Click on the respective links to learn how to enable these authentication methods.

Step 2: Enable MFA for VPN logins in ADSelfService Plus

  1. Go to MFA for Endpoints.
  2. Select a policy from the Choose the Policy drop-down. This policy will determine the users for whom MFA for VPN login will be enabled. To learn more about creating an OU or a group-based policy, click here.
  3. In the MFA for VPN Login section, select the checkbox next to Select the authenticators required. Choose the number of authentication factors to be enforced. Select the authentication methods to be used. The authentication methods listed can also be rearranged by dragging and dropping at the necessary position.
  4. Click Save Settings.

Advanced settings

Refer to the Advanced Settings to send additional attributes to the VPN provider, configure the VPN MFA session limit, and enable the option to skip MFA if ADSelfService Plus is unavailable or the user is not enrolled.

You can send additional attributes to the VPN server after successful MFA, for example to determine the level of access each user should have. Refer to your VPN vendor's documentation for the full list of attributes it understands. The most frequently used attributes for common VPN vendors are listed below.

Vendor               | Attribute type  | Vendor ID | Attribute number | Format | Attribute name       | Attribute description
Fortinet             | Vendor-specific | 12356     | 1                | String | Fortinet-Group-Name  | Fortinet performs group-based authorization restriction using this attribute.
Palo Alto            | Vendor-specific | 25461     | 5                | String | PaloAlto-User-Group  | Palo Alto matches the group against the groups specified in the Allow List of the authentication profile.
Cisco ASA AnyConnect | Vendor-specific | 3076      | 25               | String | Group-Lock           | Cisco uses this attribute to lock access to a specific group (tunnel group).
SonicWall            | Vendor-specific | 8741      | 3                | String | SonicWall-User-Group | SonicWall uses this attribute to determine the group the user belongs to.
WatchGuard           | Standard        | -         | 11               | String | Filter-Id            | Identifies the RADIUS ACL to apply to the user.
Check Point          | Vendor-specific | 2620      | 229              | String | CP-Gaia-User-Role    | Check Point uses this attribute to assign a role, and thereby permissions, to the user.
Citrix               | Vendor-specific | 3845      | 16               | String | Citrix-Group-Names   | Citrix uses this attribute for RADIUS group extraction to enable authorization.

Step 3: Install the NPS extension

  1. Go to MFA for Endpoints.
  2. Click on the tooltip to view the architecture diagram and download the NPS extension using the link provided in the banner.
  3. Copy the extension file (ADSSPNPSExtension.zip) to the Windows server, which you have configured as the RADIUS server. Extract the ZIP file’s content and save it in a location.
  4. Open Windows PowerShell as administrator and navigate to the folder where the extension files content are located.
  5. Execute the following command:

     PS C:\> .\setupNpsExtension.ps1 install

     Note: To uninstall the NPS extension plugin, or to update it to a newer version and configuration data, run the script with uninstall or update respectively instead of install.

  6. After installation, you will be prompted to restart the NPS (IAS) Windows service. Proceed with the restart.
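The install steps above, scripted end to end for an unattended rollout, as an added example that is not part of the ADSelfService Plus documentation or installer. It assumes the ZIP has already been downloaded to C:\Temp and is extracted to C:\ADSSPNPSExtension (both placeholders), runs the vendor script exactly as documented, restarts the NPS service, and then verifies that the extension registered: the registry key named later on this page must exist, and the DLL must be hooked into NPS's standard ExtensionDLLs/AuthorizationDLLs values.

```powershell
# Added example (not ADSelfService Plus' own code): unattended install of the
# NPS extension on the RADIUS (NPS) server, with a config backup and post-checks.
# Assumptions: paths below are placeholders; setupNpsExtension.ps1 accepts
# "install" as documented on the page.
#Requires -RunAsAdministrator

$zipPath     = 'C:\Temp\ADSSPNPSExtension.zip'   # assumption: download location
$extractPath = 'C:\ADSSPNPSExtension'            # assumption: extraction folder
$regKey      = 'HKLM:\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension'
$authSrv     = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'

# The extension hooks NPS; refuse to run on a box without the NPS role.
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    throw 'The Network Policy and Access Services role (NPAS) is not installed on this server.'
}

# Keep a full NPS configuration export so the server can be rolled back if the install misbehaves.
$backup = Join-Path $env:TEMP ("nps-config-{0:yyyyMMdd-HHmmss}.xml" -f (Get-Date))
netsh nps export filename="$backup" exportPSK=YES | Out-Null
"NPS configuration exported to $backup (contains shared secrets; protect or delete it afterwards)"

Expand-Archive -Path $zipPath -DestinationPath $extractPath -Force

Push-Location $extractPath
try {
    # Run the vendor setup script with the documented "install" action.
    & .\setupNpsExtension.ps1 install
}
finally {
    Pop-Location
}

# The installer prompts for a restart of the NPS (IAS) service; do it explicitly and wait for it.
Restart-Service -Name ias -Force
(Get-Service -Name ias).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Post-install checks: the extension's settings key must exist ...
if (-not (Test-Path $regKey)) {
    throw "Extension registry key not found after install: $regKey"
}
Get-ItemProperty -Path $regKey | Select-Object ServerName, ServerPortNo, MfaStatus, ServerSSLValidation

# ... and NPS must actually load an extension DLL, otherwise Access-Requests never reach ADSSP.
$hooks = Get-ItemProperty -Path $authSrv
$loaded = @($hooks.ExtensionDLLs) + @($hooks.AuthorizationDLLs) | Where-Object { $_ }
if (-not $loaded) {
    Write-Warning 'No extension DLLs are registered with NPS; MFA will not be invoked.'
} else {
    "NPS extension DLLs registered:`n  " + ($loaded -join "`n  ")
}
```

Run it from an elevated PowerShell session on the NPS server. Until the registry values described in the next section point at the correct ADSelfService Plus server, the post-install output is only confirming that NPS will call the extension, not that MFA succeeds; test an actual VPN login before relying on it.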

Customizing the configuration of MFA for VPN and RADIUS-supported endpoints

You can customize the MFA configuration based on organizational requirements. To do so,

  1. Open the Registry Editor (type regedit in the Run dialog box).
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension.

     Note:
     • Take a backup of the registry key before editing it.
     • Only members of the computer's built-in Administrators group have permission to edit this key.
  3. Customize the properties below according to your organization's requirements:
     • ServerName: The host name or IP address of the ADSelfService Plus web server. When ServerSSLValidation is enabled, use the host name that appears in the server's certificate.
     • ServerPortNo: The TCP port number of the ADSelfService Plus web server.
     • ServerContextPath: The web server context path (only if it was changed).
     • MfaStatus: true or false, depending on whether MFA is to be enforced.
     • ServerSSLValidation: true or false. When true, the NPS extension verifies the SSL certificate and host name when establishing the HTTPS connection to the ADSelfService Plus server. Always set this to true: with validation disabled, anyone who can intercept the NPS-to-ADSelfService Plus connection could impersonate the ADSelfService Plus server and return a successful MFA result.
     • BypassMFAOnConnectionError (optional): true or false, depending on whether MFA may be bypassed when a connection error occurs during authentication. Setting this to true makes the deployment fail open: any outage of, or network disruption to, the ADSelfService Plus server reduces VPN logins to password-only for its duration. Leave it false unless availability outweighs that risk.
     • CRPolicies (optional): Enforce MFA only for users whose requests match these connection request policies. Enter the policy names; separate multiple names with semicolons (;).
     • NetworkPolicies (optional): Enforce MFA only for users whose requests match these network policies. Enter the policy names; separate multiple names with semicolons (;).

       Note: When both CRPolicies and NetworkPolicies are configured, an authentication request is considered for MFA only if both the connection request policy and the network policy that matched the RADIUS request are among those configured. If neither property is configured, MFA is enforced for all successful RADIUS requests sent to the NPS server. The names must match the NPS policy names exactly; a request that matches none of the configured policies is accepted without the second factor, so a misspelled policy name silently exempts those logins.

     • LogLevel (optional): Controls how much detail the extension logs about its operation. The default is Normal; Debug additionally logs details that help with troubleshooting. Keep it at Normal in production.
     • UserIPAttribute (optional): The RADIUS request attribute from which the extension reads the end user's IP address and sends it to ADSelfService Plus for conditional access.

       The attribute that carries the end user's IP address varies with each VPN vendor. Refer to your VPN vendor's documentation to find it. Note that the address is whatever the RADIUS client puts in that attribute, so conditional-access decisions based on it are only as trustworthy as the VPN server.

       The attribute can be either standard or vendor-specific:

       • For a standard attribute, set UserIPAttribute to the attribute number alone.
       • For a vendor-specific attribute, set UserIPAttribute to the vendor ID followed by the vendor-assigned attribute number, separated by a comma.

       Vendor             | Attribute type  | Attribute name     | Vendor ID | Attribute number | UserIPAttribute value
       Juniper Networks   | Standard        | Calling-Station-Id | -         | 31               | 31
       Palo Alto Networks | Vendor-specific | client-source-ip   | 25461     | 7                | 25461,7

  4. Click OK.
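The same customization done from PowerShell instead of regedit, as an added example that is not part of the ADSelfService Plus documentation. It backs up the key first (as the page requires), sets the hardened values (SSL validation on, bypass-on-error off), and before committing runs an HTTPS pre-flight from the NPS server so that turning on ServerSSLValidation does not break every VPN login. The host name, port and policy names are placeholders, and it is assumed that the values are stored as REG_SZ strings and that the extension re-reads them when the NPS service restarts.

```powershell
# Added example (not ADSelfService Plus' own code): apply a hardened extension
# configuration to the registry key documented on this page.
# Assumptions: placeholder host/port/policy names; values stored as REG_SZ;
# the extension picks up changes when the IAS service restarts.
#Requires -RunAsAdministrator

$regKey  = 'HKLM:\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension'
$regPath = 'HKLM\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension'   # reg.exe spelling of the same key

$settings = [ordered]@{
    ServerName                 = 'adssp.example.com'   # assumption: must match the ADSSP certificate's host name
    ServerPortNo               = '9251'                # assumption: ADSSP HTTPS port
    ServerContextPath          = ''                    # empty unless the context path was changed
    MfaStatus                  = 'true'
    ServerSSLValidation        = 'true'                # always validate the certificate (page recommendation)
    BypassMFAOnConnectionError = 'false'               # fail closed: an outage must not become an MFA bypass
    CRPolicies                 = 'VPN Gateway'         # assumption: connection request policy name(s), ';'-separated
    NetworkPolicies            = 'VPN Users'           # assumption: network policy name(s), ';'-separated
    LogLevel                   = 'Normal'
    UserIPAttribute            = '31'                  # Calling-Station-Id (standard attribute 31) per the page's table
}

# 1. Backup of the key before editing, as the page requires.
$backupFile = Join-Path $env:TEMP ("adssp-nps-ext-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export "$regPath" "$backupFile" /y | Out-Null
"Registry backup written to $backupFile"

# 2. TLS pre-flight. With ServerSSLValidation=true the extension will reject an untrusted
#    chain or a host-name mismatch, and every MFA call would then fail; check it from
#    this server first, using the same host name that will go into ServerName.
$url = 'https://{0}:{1}/' -f $settings.ServerName, $settings.ServerPortNo
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 | Out-Null
    "HTTPS pre-flight OK: certificate chain and host name validated for $url"
}
catch {
    throw "HTTPS pre-flight to $url failed: $($_.Exception.Message). Fix the certificate or ServerName before enabling ServerSSLValidation."
}

# 3. Apply the values. Every property is written as a string (assumption about the value type).
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $regKey -Name $name -Value $settings[$name] -Type String
}

# 4. Restart NPS so the extension re-reads its configuration, then show the effective settings.
Restart-Service -Name ias -Force
(Get-Service -Name ias).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Get-ItemProperty -Path $regKey |
    Select-Object ServerName, ServerPortNo, MfaStatus, ServerSSLValidation,
                  BypassMFAOnConnectionError, CRPolicies, NetworkPolicies, UserIPAttribute
```

The pre-flight is the important part: a certificate problem discovered after the change shows up as failed VPN logins (or, if BypassMFAOnConnectionError were true, as logins that silently skip MFA). Verify the CRPolicies and NetworkPolicies names against the NPS console before running this; the extension only enforces MFA for requests that match them, so a typo exempts those logins rather than failing them.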

Copyright © 2024, ZOHO Corp. All Rights Reserved.