VPN and RADIUS Endpoints

Identity360 provides passwordless authentication and MFA for VPN and other endpoint logins that use RADIUS authentication, such as Microsoft Remote Desktop (RD) Gateway and VMware Horizon View. It enhances security by eliminating the need for traditional passwords while also supporting MFA for additional protection when required.

Identity360 requires a Windows Network Policy Server (NPS) for VPNs and endpoints. It includes an NPS extension that must be installed on the NPS server. To enable MFA or passwordless authentication, install the NPS extension on the Windows Server where the NPS service is installed to proxy VPN authentication to Identity360.

How it works

Once the VPN or endpoint server is configured to use RADIUS authentication, and the NPS extension is installed on the RADIUS server, here is how the authentication process works:

• A user tries to establish a connection by providing their username and password to the VPN or endpoint server.
• The server converts the request to a RADIUS Access-Request message and sends it to the NPS server where the Identity360’ NPS extension is installed.
• The NPS server authenticates the credentials with Active Directory. If passwordless authentication is enabled, Identity360 will handle the primary authentication.
• The NPS extension triggers an authentication request to Identity360.
• Identity360 performs the authentication and sends the result back to the NPS extension.
• Upon successful authentication, the NPS server sends a RADIUS Access-Accept message to the VPN or endpoint server, granting the user access. An encrypted tunnel to the internal network is then established.

Configuring MFA for VPNs and RADIUS-supporting endpoints

When configuring MFA for your VPN, the first step is to choose the authentication mode depending on the authenticators and type of MFA prompts you want to use. You can select from the following options:

• VPN Client Verification
• SecureLink Email Verification

VPN Client Verification:

• VPN Client Verification enables users to receive MFA prompts directly from the VPN client during the login process.
• To use this mode, your VPN must support RADIUS challenge prompts. This means users will be prompted for a verification code (e.g., OTP) as part of the login process. However, keep in mind that this mode is designed for situations where only one authentication method is used at a time; multiple methods cannot be combined.

  Note: If you are unsure if your VPN client supports the RADIUS challenge, consult the documentation from your VPN provider or contact their support team for confirmation.

Requirements

1. PAP must be configured for the RADIUS authentication method.
2. The RADIUS client (VPN or endpoint server) must support challenge-response functionality, meaning it can prompt users for a verification code and accept the code they enter.

   Note: When using challenge-based authenticators, RADIUS attributes configured in the Network Policy may not be forwarded to the RADIUS client (VPN or endpoint server). As a result, the VPN client might either have more access than you want it to have, or less access, or no access. To address this, you can enable the Send additional RADIUS attributes to the VPN server after successful authentication option in the Advanced Settings to send the RADIUS attributes to the VPN server from Identity360.

Supported authenticators

The following authenticators are supported by default in VPN Client Verification for all endpoints providing RADIUS authentication:

1. Email Verification
2. SMS Verification
3. Google Authenticator
4. Microsoft Authenticator
5. Zoho OneAuth TOTP
6. Custom TOTP Authenticator

SecureLink Email Verification:

• When this method is selected, the user will receive a verification link to their primary email address, which they must click to verify their identity through a browser.
• Use this method if your VPN does not support RADIUS challenge-response or if you need to use non-PAP RADIUS protocols such as MS-CHAP, MS-CHAP-v2, CHAP, or EAP.
• Some VPN and RADIUS-endpoint providers, such as Cisco Meraki, Microsoft RRAS, and Microsoft RD Gateway, do not support RADIUS challenge-response prompts. In such cases, SecureLink Email Verification ensures security and works with all RADIUS endpoints, regardless of their support for RADIUS challenge prompts.

Supported authenticators

If you will be selecting SecureLink Email Verification, you can secure your VPN using any authenticator supported by Identity360. You can find the list of authenticators here. Click the respective links to learn how to enable these authentication methods.

Note: When using SecureLink Email Verification, the VPN server's RADIUS authentication timeout should at least be set to 2-3 minutes, as this is the time required for users to complete the MFA process. By default, the timeout is set to 5 minutes.

Configuration steps

Prerequisites for enabling MFA for VPN- and RADIUS-supporting endpoints

1. Identity360's MFA and SSO license is required to enable MFA for VPN and RADIUS-supporting endpoints. Visit our store for pricing details.
2. Your VPN or endpoint server must be configured to use RADIUS authentication with Windows Network Policy Server (NPS). Check the compatibility of your VPN with NPS as a RADIUS server here.

Step 1: Enable the required authenticators

1. Log in to Identity360 as an admin.
2. Go to Applications > Multi-factor Authentication > Authenticators Setup.

Enable the authenticators that are compatible with the MFA mode decided upon before starting the configuration process. Refer to this page for step-by-step instructions on configuring each authenticator.

Step 2: Enable MFA for VPN logins in Identity360

1. Navigate to the Applications tab and go to Multi-factor Authentication > MFA for Endpoints > VPN and RADIUS Endpoints.
2. For configuring MFA, ensure that the Enable additional authentication factors box is checked, and choose the number of authentication factors and authenticators of your choice from the drop-down menu. Refer to the Authenticators Setup page for the list of supported authentication methods and their configuration details, and Advanced Settings for further customization.
3. Use the radio buttons to select one of the following modes based on your requirements: VPN Client Verification or SecureLink Email Verification.
4. Passwordless verification with Identity360’s MFA is enabled by default. To use Active Directory password as your primary verification method, uncheck the Enable passwordless verification using Identity360's MFA box. If the NPS extension is already installed, disabling the passwordless verification option will require reinstallation of the NPS extension.

   Initiating passwordless authentication

   Since the VPN client typically expects a password by default, users must follow these steps to bypass the password and initiate passwordless authentication:

   • If using authenticators such as Google Authenticator, Microsoft Authenticator, Zoho OneAuth, or a custom TOTP, users can directly enter the time-based OTPs.
   • Alternatively, users can simply enter the term MFA (case insensitive) in place of a password to initiate passwordless authentication. Also, note that, for Email Verification, SMS Verification and SecureLink Email Verification, this is the only method to initiate authentication.
5. Click Save.

   

Refer to the advanced settings help document to send additional attributes to the VPN provider, configure the VPN MFA session limit, and enable the option to skip MFA if Identity360 is unavailable or the user is not enrolled.

Configuring additional attributes for VPN access

You can send additional attributes to the VPN server after successful authentication to determine the level of access each user should have or to serve other purposes. Please refer to the documentation given by your VPN provider for the full list of attributes you can utilize. A list of the most frequently used attributes for the top VPN vendors in the market is given below.

Step 3: Install the NPS extension

For detailed installation and configuration instructions, please refer to the NPS extension installation guide.