VPN and RADIUS Endpoints

Identity360 provides passwordless authentication and MFA for VPN and other endpoint logins that use RADIUS authentication, such as Microsoft Remote Desktop (RD) Gateway and VMware Horizon View. It enhances security by eliminating the need for traditional passwords while also supporting MFA for additional protection when required.

Identity360 requires a Windows Network Policy Server (NPS) for VPNs and endpoints. It includes an NPS extension that must be installed on the NPS server. To enable MFA or passwordless authentication, install the NPS extension on the Windows Server where the NPS service is installed to proxy VPN authentication to Identity360.

How it works

[Figure: Secure VPN login using MFA in Identity360]

Once the VPN or endpoint server is configured to use RADIUS authentication, and the NPS extension is installed on the RADIUS server, here is how the authentication process works:

When configuring MFA for your VPN, the first step is to choose the authentication mode depending on the authenticators and type of MFA prompts you want to use. You can select from the following options:

VPN Client Verification:

Requirements

  1. PAP must be configured for the RADIUS authentication method.
  2. The RADIUS client (VPN or endpoint server) must support challenge-response functionality, meaning it can prompt users for a verification code and accept the code they enter.

    Note: When using challenge-based authenticators, RADIUS attributes configured in the Network Policy may not be forwarded to the RADIUS client (VPN or endpoint server). As a result, the VPN client may end up with more access than intended, less access, or no access at all. To address this, enable the Send additional RADIUS attributes to the VPN server after successful authentication option in the Advanced Settings so that Identity360 sends the RADIUS attributes to the VPN server itself.

Supported authenticators

The following authenticators are supported by default in VPN Client Verification for all endpoints providing RADIUS authentication:

  1. Email Verification
  2. SMS Verification
  3. Google Authenticator
  4. Microsoft Authenticator
  5. Zoho OneAuth TOTP
  6. Custom TOTP Authenticator

SecureLink Email Verification:

Supported authenticators

If you will be selecting SecureLink Email Verification, you can secure your VPN using any authenticator supported by Identity360. You can find the list of authenticators here. Click the respective links to learn how to enable these authentication methods.

Note: When using SecureLink Email Verification, set the VPN server's RADIUS authentication timeout to at least 2-3 minutes, as this is the time users need to complete the MFA process. By default, the timeout is set to 5 minutes.

Prerequisites for enabling MFA for VPN- and RADIUS-supporting endpoints

  1. Identity360's MFA and SSO license is required to enable MFA for VPN and RADIUS-supporting endpoints. Visit our store for pricing details.
  2. Your VPN or endpoint server must be configured to use RADIUS authentication with Windows Network Policy Server (NPS). Check the compatibility of your VPN with NPS as a RADIUS server here.

Step 1: Enable the required authenticators

  1. Log in to Identity360 as an admin.
  2. Go to Applications > Multi-factor Authentication > Authenticators Setup.

Enable the authenticators that are compatible with the MFA mode decided upon before starting the configuration process. Refer to this page for step-by-step instructions on configuring each authenticator.

Step 2: Enable MFA for VPN logins in Identity360

  1. Navigate to the Applications tab and go to Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints.
  2. For configuring MFA, ensure that the Enable additional authentication factors box is checked, and choose the number of authentication factors and authenticators of your choice from the drop-down menu. Refer to the Authenticators Setup page for the list of supported authentication methods and their configuration details, and Advanced Settings for further customization.
  3. Use the radio buttons to select one of the following modes based on your requirements: VPN Client Verification or SecureLink Email Verification.
  4. Passwordless verification with Identity360's MFA is enabled by default. To use the Active Directory password as your primary verification method, uncheck the Enable passwordless verification using Identity360's MFA box. If the NPS extension is already installed, disabling the passwordless verification option requires reinstalling the NPS extension.

    Initiating passwordless authentication

    Since the VPN client typically expects a password by default, users must follow these steps to bypass the password and initiate passwordless authentication:

    • If using authenticators such as Google Authenticator, Microsoft Authenticator, Zoho OneAuth, or a custom TOTP, users can directly enter the time-based OTPs.
    • Alternatively, users can simply enter the term MFA (case insensitive) in place of a password to initiate passwordless authentication. Note that for Email Verification, SMS Verification, and SecureLink Email Verification, this is the only way to initiate authentication.
  5. Click Save.


Refer to the advanced settings help document to send additional attributes to the VPN provider, configure the VPN MFA session limit, and enable the option to skip MFA if Identity360 is unavailable or the user is not enrolled.

Configuring additional attributes for VPN access

You can send additional attributes to the VPN server after successful authentication to determine the level of access each user should have, or for other purposes. Refer to the documentation provided by your VPN vendor for the full list of attributes you can use. The most frequently used attributes for the top VPN vendors in the market are listed below.

| Vendor | Attribute type | Vendor ID | Attribute number | Format | Attribute name | Attribute description |
|---|---|---|---|---|---|---|
| Fortinet | Vendor-specific | 12356 | 1 | String | Fortinet-Group-Name | Fortinet performs group-based authorization restriction using this attribute. |
| Palo Alto | Vendor-specific | 25461 | 5 | String | PaloAlto-User-Group | Palo Alto matches the group info against the groups specified in the Allow List of the authentication profile. |
| Cisco ASA AnyConnect | Vendor-specific | 3076 | 25 | String | Group-lock | Cisco uses this attribute to lock access based on group identity. |
| SonicWall | Vendor-specific | 8741 | 3 | String | SonicWall-User-Group | SonicWall uses this attribute to determine the group the user belongs to. |
| WatchGuard | Standard | - | 11 | String | FilterID | The FilterID attribute is used to identify the user's RADIUS ACL. |
| Check Point | Vendor-specific | 2620 | 229 | String | CP-Gaia-User-Role | Check Point uses this attribute to grant permissions to specific users. |
| Citrix | Vendor-specific | 3845 | 16 | String | Citrix-Group-Names | Citrix uses this RADIUS group extraction method to enable authorization. |
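The attributes in this table travel as RFC 2865 attribute-value pairs in the Access-Accept: the WatchGuard entry is the standard Filter-Id (type 11), the rest are Vendor-Specific (type 26) with the Vendor ID and vendor attribute number shown. The encoder and decoder below are an added example, not Identity360 or NPS code; the group names are constructed sample values, and the vendor table is copied from the rows above.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
FILTER_ID = 11         # RFC 2865 section 5.11 (the WatchGuard row)

# (Vendor-Id, vendor attribute number) from the table above
VENDOR_GROUP_ATTRS = {
    "Fortinet": (12356, 1),      # Fortinet-Group-Name
    "Palo Alto": (25461, 5),     # PaloAlto-User-Group
    "Cisco ASA": (3076, 25),     # Group-lock
    "SonicWall": (8741, 3),      # SonicWall-User-Group
    "Check Point": (2620, 229),  # CP-Gaia-User-Role
    "Citrix": (3845, 16),        # Citrix-Group-Names
}

def encode_attr(attr_type, value):
    """Type(1) Length(1) Value. Length counts the 2-byte header, so max 255."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific payload: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    inner = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, inner)

def group_attribute(vendor, group):
    """Attribute a RADIUS server adds to Access-Accept to hand `group` to `vendor`."""
    if vendor == "WatchGuard":
        return encode_attr(FILTER_ID, group.encode())
    vendor_id, vendor_type = VENDOR_GROUP_ATTRS[vendor]
    return encode_vsa(vendor_id, vendor_type, group.encode())

def decode_attrs(blob):
    """Parse a run of attributes into (type, vendor_id, vendor_type, value) tuples,
    rejecting truncated or inconsistent lengths instead of reading past them."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        v = blob[i + 2:i + ln]
        if t == VENDOR_SPECIFIC:
            if len(v) < 6:
                raise ValueError("Vendor-Specific payload too short")
            vid, vt, vln = struct.unpack("!IBB", v[:6])
            if vln != len(v) - 4:   # Vendor-Length also counts its own 2-byte header
                raise ValueError("Vendor-Length does not match payload")
            out.append((t, vid, vt, v[6:]))
        else:
            out.append((t, None, None, v))
        i += ln
    return out
```

Decoding the attributes a VPN appliance receives this way is a quick check that the group name actually reached it when a user ends up with unexpected access.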

Step 3: Install the NPS extension

For detailed installation and configuration instructions, please refer to the NPS extension installation guide.


Copyright © 2025, ZOHO Corp. All Rights Reserved.