How to enable MFA for VPN

ADSelfService Plus adds additional steps of authentication for VPN logins for enhanced security. To enable MFA for VPN logins, ADSelfService Plus requires the VPN server to use a Windows Network Policy Server (NPS) for authentication. ADSelfservice Plus comes bundled with a NPS extension, which should be installed in the NPS server. This extension facilitates communication between the NPS server and ADSelfService Plus for the MFA during VPN login.

How it works:

Once the VPN server is configured to use RADIUS authentication, and the NPS extension is installed in the RADIUS server, here is how the authentication process will work:

1. A user tries to establish a VPN connection by providing their username and password to the VPN server.
2. The VPN server converts the request to a RADIUS Access-Request message and sends it to the NPS server where the ADSelfService Plus’ NPS extension is installed.
3. If the username and password combination is correct, the NPS extension triggers a request for second-factor authentication with the ADSelfService Plus server.
4. ADSelfService Plus performs the secondary authentication and sends the result to the NPS extension in the NPS server.
5. If the authentication is successful, the NPS server sends a RADIUS Access-Accept message to the VPN server.
6. The user is granted access to the VPN server and establishes an encrypted tunnel to the internal network.

Configuring MFA for VPN

Prerequisites:

• Professional Edition license of ADSelfService Plus.
• Configure your VPN server to use RADIUS authentication.
• For RADIUS authentication, you must use a Windows server (Windows Server 2008 R2 and above) with Network Policy and Access Services (NPS) role enabled.
• Enable HTTPS in ADSelfService Plus (Admin → Product Settings → Connection).
Note:If you are using an untrusted certificate in ADSelfService Plus to enable HTTPS, you must disable the Restrict user access when there is an invalid SSL certificate option in Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del) →GINA/Mac/Linux Customization → Advanced.
• In Active Directory, set users’ Network Access Permission to Control access through NPS Network Policy in their Dial-in properties.
• The Access URL you have configured in Admin → Product Settings → Connection → Configure Access URL will be used by the NPS extension to communicate with the ADSelfService Plus server. Make sure you have updated the Access URL before installing the NPS extension.
• In the Windows NPS server, where the NPS extension is going to be installed, set the Authentication settings of the Connection Request Policy to Authenticate requests on this sever.

Step 1: Enable the required authenticators

Based on whether the RADIUS client (VPN server) supports RADIUS challenge-response or not, the authentication methods you can enable for VPN logins may vary.

By default, the following two authentication methods are supported:

• Push Notification Authentication
• Fingerprint/Face ID Authentication

When RADIUS challenge-response is supported by the RADIUS client, the following authentication methods can be enabled:

• ADSelfService Plus TOTP Authentication
• Google Authenticator
• Microsoft Authenticator
• Yubico OTP (hardware key authentication)

Click on the respective links to learn how to enable these authentication methods.

Step 2: Enable MFA for VPN in ADSelfService Plus

1. Log into ADSelfService Plus as an admin.
2. Go to Configuration → Self-Service → Multi-Factor Authentication → MFA for Endpoints.
3. Select a policy from the Choose the Policy drop-down. This policy will determine the users for whom MFA for VPN login will be enabled. To learn more about creating an OU or a group-based policy, click here.
4. In the MFA for VPN Login section, select the checkbox next to Select the authenticators required. Choose the number of authentication factors to be enforced. Select the authentication methods to be used. The authentication methods listed can also be rearranged by dragging and dropping at the necessary position.
5. Click Save Settings.

Step 3: Install the NPS extension

1. Log in to ADSelfService Plus as an admin, and go to Configuration > Self-Service > Multi-Factor Authentication > MFA for Endpoints. Download the NPS extension using the link provided in the Notes section.
2. Copy the extension file (ADSSPNPSExtension.zip) to the Windows server, which you have configured as the RADIUS server. Extract the ZIP file’s content and save it in a location.
3. Open Windows PowerShell(x64) as administrator and navigate to the folder where the ZIP file’s content are located.

4. Execute the following command:

   PS C:\> .\setupNpsExtension.ps1 <operation>

   where, the operation can by install, uninstall, or update.

   Install: installs the NPS extension plugin.

   Uninstall: uninstalls the NPS extension plugin.

   Update: updates the extension to newer versions and configuration data.

5. After installation, you will be prompted to restart the NPS(ias) Windows service. Proceed with the restart.

Advanced settings

Refer to Advanced Settings to configure VPN MFA session limit and the options to bypass MFA if ADSelfService Plus is not reachable or the user is not enrolled.

Enabling MFA for VPN based on connection request policies and network policies

If you have configured connection request policies or network policies in your RADIUS server, you can enforce MFA for VPN login to certain users based on those policies. To do so,

1. Open the Registry Editor (type regedit in the Run dialog box).
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension.
Note:
• Take a backup of the registry key before editing it.
• Only the built-in administrator group in the computer will have privilege to edit this key.
3. Double-click on the CRPolicies or NetworkPolicies based on the policy you want to configure.
4. Enter the name of the policy in the Value data field. If there are multiple policies, use semicolon to separate them.
5. Click OK.