NPS extension installation

The NPS extension enhances security by enabling passwordless authentication and MFA for VPNs and other RADIUS endpoints.

This guide outlines the steps to install and configure the Identity360 NPS extension for VPNs and RADIUS endpoints.

System requirements

The NPS extension supports Windows Server 2012 R2 and above.

Prerequisites for installation:

  1. Follow the configuration and prerequisites mentioned in this guide before setting up the NPS extension.
  2. For an Active Directory environment, ensure that users’ Network Access Permission in Active Directory is set to Control access through NPS Network Policy in their Dial-in properties.
  3. In the Windows NPS, where the NPS extension is going to be installed, set the authentication settings of the required connection request policy to Authenticate requests on this server.
  4. Ensure a stable internet connection is maintained between the NPS server and Identity360.

Steps to install the NPS extension:

  1. Download the Identity360CloudNPSExtension.zip file through Identity360's admin portal by navigating to Applications > Multi-factor Authentication > MFA for VPN > Install NPS extension > Step 1 > Download.
  2. Copy the extension file (Identity360CloudNPSExtension.zip) to the Windows server that you have configured as the RADIUS server. Extract the ZIP file’s content and save it in a secure location.
  3. Open Windows PowerShell as an administrator and navigate to the folder where the extension file's content is located.
  4. Copy the command containing the NPS extension script and installation key from the Identity360 admin portal by navigating to Applications > Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints > Install NPS extension > Step 3.
  5. Paste the copied command into PowerShell and run it as an administrator.
  6. After installation, you will be prompted to restart the NPS (Network Policy Server) Windows service. Confirm and proceed with the restart for the changes to take effect.
  7. When passwordless authentication is enabled in Identity360, open the authentication settings of the required connection request policy in the Windows NPS and select the Accept users without validating credentials radio button.

Note: The technician who installs the NPS extension must be a member of the local administrator group or have Run as admin privilege on the machine.

Customizing the NPS extension

The customizations.json file is used to modify the default settings of the VPN extension. After installing the extension, you can make adjustments by editing this file, which is located at: C:\Program Files\ManageEngine\Identity360 Cloud NPS Extension\conf\customizations.json. This file should include any parameters that need to be customized.

Note: Do not modify any file in the installation folder other than customizations.json. The other files are integral to the NPS extension, and changing them may disrupt its functionality.

Sample customizations.json file

{
"IsMFAEnabled": "true",
"LogPath": "C:\\Program Files\\ManageEngine\\Identity360 Cloud NPS Extension\\logs",
"NetworkPolicies": "",
"CRPolicies": "",
"LogRotationMaxSize": "50",
"LogLevel": "DEBUG",
"LogArchivePath": "C:\\Program Files\\ManageEngine\\Identity360 Cloud NPS Extension\\logs\\archive",
"UserIPAttribute": "31",
"BypassConnectionError": "true"
}

The table below contains the list of default values and descriptions for all parameters.

Parameter name: IsMFAEnabled
Default value: true
Description: This indicates whether authentication is enabled. Set to true to enable authentication, or false to disable it.

Parameter name: LogPath
Default value: C:\\Program Files\\ManageEngine\\Identity360 Cloud NPS Extension\\logs
Description: The log file is stored here.
Caution: Modifying the value is advised only if there is a valid reason to do so. If the value is altered, ensure that the folder permissions include write permissions for the Users group and the SYSTEM account.

Parameter name: NetworkPolicies (Optional)
Default value: ""
Description: This property can be used to enforce MFA only for the users who fall under these network policies. Enter the network policy's name; if more than one policy has to be mentioned, separate the policy names with semicolons.

Parameter name: CRPolicies (Optional)
Default value: ""
Description: This property can be used to enforce MFA only for the users who fall under these connection request policies. Enter the connection request policy's name; if more than one policy has to be mentioned, separate the policy names with semicolons.

Parameter name: LogRotationMaxSize
Default value: 50
Description: This parameter determines the maximum size of the log file. Upon reaching the specified limit, with a minimum of 10 MB and a maximum of 50 MB, a new log file is generated, and the previous log file is archived to the path specified in LogArchivePath.

Parameter name: LogLevel (Optional)
Default value: DEBUG
Description: The default value is set to NORMAL, providing comprehensive information essential for regular operation. If the value is changed to DEBUG, the log will incorporate detailed troubleshooting information crucial for the support team. Exercise caution, as setting the value to DEBUG will generate extra log entries, potentially causing a rapid increase in the log file's size.

Parameter name: LogArchivePath
Default value: C:\\Program Files\\ManageEngine\\Identity360 Cloud NPS Extension\\logs\\archive
Description: This refers to the file path where log files are archived once they reach the specified LogRotationMaxSize limit.

Parameter name: UserIPAttribute (Optional)
Default value: 31
Description: This parameter is a RADIUS request attribute that holds the user's actual IP address to help with tracking and auditing MFA events within Identity360. The value to be set as the UserIPAttribute property varies with each VPN provider. Refer to the documentation provided by your VPN provider for the RADIUS attribute through which the end user's IP address is sent. This attribute can be either standard or vendor-specific.
  • If it is a standard attribute, you can set the UserIPAttribute property to the attribute number alone.
  • If it is a vendor-specific attribute, you will need to mention the vendor ID followed by the vendor-assigned attribute number as the UserIPAttribute value, separated by a comma.
Examples:
  • For Palo Alto Networks, the attribute client-source-ip is a vendor-specific attribute. The value for this attribute is 25461,7, where 25461 represents the vendor ID, and 7 represents the attribute number.
  • For Juniper Networks, the attribute calling-station-id is a standard attribute. Since it is not vendor-specific, it does not require a vendor ID. The value for this attribute is simply 31, which corresponds to the attribute number.

Parameter name: BypassConnectionError
Default value: true
Description: When set to true, if the system encounters a connection error, such as network issues, timeout, or failure to reach an authentication service, the MFA step will be skipped, allowing the user to access the system without completing the usual MFA checks.
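
An audit of customizations.json against the parameter descriptions above, as an added example that is not part of the Identity360 extension or its documentation. Test-NpsCustomization and the sample JSON are constructed for illustration, and the script assumes that a key left out of the file keeps the default listed in the table.

```powershell
# Added example. Test-NpsCustomization is a hypothetical helper, not shipped with the extension.
function Test-NpsCustomization {
    param([Parameter(Mandatory)][string]$Json)
    $cfg = $Json | ConvertFrom-Json
    $findings = @()

    # The listed default is true, so anything other than an explicit false is fail-open.
    if ("$($cfg.BypassConnectionError)" -ne 'false') {
        $findings += 'BypassConnectionError is not false: MFA is skipped on connection errors.'
    }
    if ($null -ne $cfg.IsMFAEnabled -and "$($cfg.IsMFAEnabled)" -ne 'true') {
        $findings += 'IsMFAEnabled is not true: the extension is not enforcing authentication.'
    }
    if ("$($cfg.LogLevel)" -eq 'DEBUG') {
        $findings += 'LogLevel=DEBUG: detailed troubleshooting logs; the log file grows quickly.'
    }
    # LogRotationMaxSize must be a whole number between 10 and 50 (MB).
    $size = 0
    if ($null -ne $cfg.LogRotationMaxSize -and
        (-not ([int]::TryParse("$($cfg.LogRotationMaxSize)", [ref]$size)) -or $size -lt 10 -or $size -gt 50)) {
        $findings += "LogRotationMaxSize='$($cfg.LogRotationMaxSize)': expected 10 to 50."
    }
    # UserIPAttribute is a standard attribute number, or vendorId,attributeNumber.
    if ($null -ne $cfg.UserIPAttribute -and "$($cfg.UserIPAttribute)" -notmatch '^\d+(,\d+)?$') {
        $findings += "UserIPAttribute='$($cfg.UserIPAttribute)': expected N or vendorId,N."
    }
    # A non-empty policy list narrows MFA to the named policies only.
    foreach ($key in 'NetworkPolicies', 'CRPolicies') {
        $names = @("$($cfg.$key)" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($names.Count -gt 0) {
            $findings += "$key enforces MFA only for: $($names -join ', ')."
        }
    }
    $findings
}

# Constructed sample input (not taken from a real deployment).
$sample = @'
{
  "IsMFAEnabled": "true",
  "NetworkPolicies": "VPN Users; Contractors",
  "LogRotationMaxSize": "100",
  "LogLevel": "DEBUG",
  "UserIPAttribute": "25461:7"
}
'@
Test-NpsCustomization -Json $sample | ForEach-Object { "[!] $_" }
```

To audit the installed file, pass the output of Get-Content -Raw on the customizations.json path given earlier as the -Json argument.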

Uninstalling the NPS Extension

To uninstall the NPS extension, open Windows PowerShell as an administrator and run the following command:

PS C:\> .\setupNpsExtension.ps1 uninstall

Note: When passwordless authentication is disabled in Identity360, ensure that the "Accept users without validating credentials" radio button is deselected in the NPS within the required Connection Request Policies. This prevents RADIUS requests from being accepted without authentication.

If you encounter any issues, please visit our troubleshooting guide for MFA for VPN for assistance.

Copyright © 2025, ZOHO Corp. All Rights Reserved.