Identity360 provides passwordless authentication and MFA for VPN and other endpoint logins that use RADIUS authentication, such as Microsoft Remote Desktop (RD) Gateway and VMware Horizon View. It enhances security by eliminating the need for traditional passwords while also supporting MFA for additional protection when required.
Identity360 secures VPNs and endpoints through a Windows Network Policy Server (NPS). Identity360 provides an NPS extension for this purpose. To enable MFA or passwordless authentication, install the NPS extension on the Windows Server where the NPS service is running; the extension proxies VPN authentication requests to Identity360.
How it works
Once the VPN or endpoint server is configured to use RADIUS authentication, and the NPS extension is installed on the RADIUS server, here is how the authentication process works:
When configuring MFA for your VPN, the first step is to choose the authentication mode depending on the authenticators and type of MFA prompts you want to use. You can select from the following options:
Note: If you are unsure if your VPN client supports the RADIUS challenge, consult the documentation from your VPN provider or contact their support team for confirmation.
Note: When using challenge-based authenticators, RADIUS attributes configured in the Network Policy may not be forwarded to the RADIUS client (the VPN or endpoint server). As a result, the connecting user might receive more access than intended, less access, or no access at all. To address this, enable the Send additional RADIUS attributes to the VPN server after successful authentication option in the Advanced Settings so that Identity360 sends the RADIUS attributes to the VPN server.
The following authenticators are supported by default in VPN Client Verification for all endpoints providing RADIUS authentication:
If you select SecureLink Email Verification, you can secure your VPN using any authenticator supported by Identity360. You can find the list of authenticators here. Click the respective links to learn how to enable these authentication methods.
Note: When using SecureLink Email Verification, set the VPN server's RADIUS authentication timeout to at least 2-3 minutes, as this is the time users need to complete the MFA process. By default, the timeout is set to 5 minutes.
Before starting the configuration process, enable the authenticators that are compatible with the MFA mode you chose. Refer to this page for step-by-step instructions on configuring each authenticator.
Initiating passwordless authentication
Since the VPN client typically expects a password by default, users must follow these steps to bypass the password and initiate passwordless authentication:
Refer to the advanced settings help document to send additional attributes to the VPN provider, configure the VPN MFA session limit, and enable the option to skip MFA if Identity360 is unavailable or the user is not enrolled.
You can send additional attributes to the VPN server after successful authentication to determine the level of access each user should have, or for other purposes. Refer to the documentation provided by your VPN vendor for the full list of attributes you can use. A list of the most frequently used attributes for the leading VPN vendors is given below.
Vendor | Attribute type | Vendor ID | Attribute number | Format | Attribute name | Attribute Description |
---|---|---|---|---|---|---|
Fortinet | Vendor-specific | 12356 | 1 | String | Fortinet-Group-Name | Fortinet performs group-based authorization restriction using this attribute. |
Palo Alto | Vendor-specific | 25461 | 5 | String | PaloAlto-User-Group | Palo Alto matches the group info against the groups specified in the Allow List of the authentication profile. |
Cisco ASA AnyConnect | Vendor-specific | 3076 | 25 | String | Group-lock | Cisco uses this attribute to lock access based on group identity. |
SonicWall | Vendor-specific | 8741 | 3 | String | SonicWall-User-Group | SonicWall uses this attribute to determine the group the user belongs to. |
WatchGuard | Standard | - | 11 | String | FilterID | The FilterID attribute is used to identify the user's RADIUS ACL. |
Check Point | Vendor-specific | 2620 | 229 | String | CP-Gaia-User-Role | Check Point uses this attribute to grant permissions to specific users. |
Citrix | Vendor-specific | 3845 | 16 | String | Citrix-Group-Names | Citrix uses this RADIUS group extraction method to enable authorization. |
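The table above lists vendor IDs and attribute numbers but not how they are laid out on the wire. The following added example (not Identity360's or the NPS extension's own code) encodes the Vendor-Specific attribute format from RFC 2865 section 5.26 and the standard Filter-Id attribute for the vendors in the table, and decodes the result back with length checks, so you can verify what the VPN server actually receives in an Access-Accept. The attribute values such as "vpn-users" are constructed for illustration.

```python
import struct

# (Vendor ID, vendor attribute number) taken from the table above.
VENDOR_ATTRS = {
    "Fortinet-Group-Name": (12356, 1),
    "PaloAlto-User-Group": (25461, 5),
    "Group-lock": (3076, 25),
    "SonicWall-User-Group": (8741, 3),
    "CP-Gaia-User-Role": (2620, 229),
    "Citrix-Group-Names": (3845, 16),
}
VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865 5.26)
FILTER_ID = 11         # standard Filter-Id attribute (WatchGuard row in the table)

def encode_vsa(vendor_id, vendor_type, value):
    """Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    data = value.encode()
    if len(data) > 247:  # 8 bytes of framing, total attribute length <= 255
        raise ValueError("VSA string too long")
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def encode_standard(attr_type, value):
    """Type(1) Length(1) String, used for non-vendor attributes like Filter-Id."""
    data = value.encode()
    if len(data) > 253:
        raise ValueError("attribute string too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data

def encode_group_attr(name, value):
    """Encode one row of the table by attribute name."""
    if name == "FilterID":
        return encode_standard(FILTER_ID, value)
    vendor_id, vendor_type = VENDOR_ATTRS[name]
    return encode_vsa(vendor_id, vendor_type, value)

def decode_attrs(blob):
    """Walk an attribute list; returns (type, vendor_id, vendor_type, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        val = blob[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(val) < 6 or val[5] != len(val) - 4:
                raise ValueError("vendor length mismatch")
            vendor_id = struct.unpack("!I", val[:4])[0]
            out.append((attr_type, vendor_id, val[4], val[6:].decode()))
        else:
            out.append((attr_type, None, None, val.decode()))
        i += length
    return out
```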
For detailed installation and configuration instructions, please refer to the NPS extension installation guide.
Copyright © 2025, ZOHO Corp. All Rights Reserved.