This article describes how to configure the Microsoft Network Policy Server to enable two factor authentication with a one-time access code or PUSH notification when VPN clients such as Cisco AnyConnect, FortiClient VPN and others are connected.
Network Policy Server (NPS) — a Windows Server component that allows network devices to connect via RADIUS with access control and Active Directory authentication.
Applies to versions:
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Available authentication methods:
Hardware OTP tokens
OTP applications: Google Authenticator or Yandex. Key
Mobile application (soon)
The NPS server can authenticate the user locally or forward to an external RADIUS authentication server, acting as RADIUS PROXY.
To verify the login and password locally in Active Directory and the second factor in MultiFactor Radius Adapter at the same time, you need to install MultiFactor Radius Adapter component and configure NPS to forward access requests to the component as a third-party authentication service.
The component is installed inside your network perimeter and is used to verify the second factor. The component does not transfer user passwords outside the network perimeter.
Data flow diagram
- The user connects to the VPN via a network access device, enters his login and password.
- The device accesses the NPS via the RADIUS protocol, transfers the login and password.
- The NPS server uses a RADIUS authentication server and proxies the request to the Multifactor Radius Adapter component.
- The component makes two requests:
- to the NPS server to check user login and password, acting as a RADIUS Client
- to the API Multifactor to create a query for the second access factor and sends the user a code or PUSH
- The user enters the one-time code or confirms the PUSH request.
- Component returns to NPS a response with access confirmation
- NPS provides access to a network device
Go to Multifactor Management System, go to the Resources section and create a new Network Policy Server resource. Once created, you will be able to access the NAS-Identifier and Shared Secret settings and you will need them for the next steps.
Configuring the MultiFactor Radius Adapter component
The component must be run on an NPS server. The configuration of the component is stored in MultiFactor.Radius.Adapter.exe.config.
adapter-server-endpoint: IP and port on which the component will receive requests from NPS, for example:
adapter-client endpoint: The IP and port from which the component will send requests to NPS, for example:
nps-server-endpoint: IP and NPS server port, for example:
- Multifactor &mdash API Address;
Multifactor-nas-identifier: parameter from Multifactor resource
Multifactor-shared-secret: parameter from Multifactor resource
Logging level: logging level.
The component can operate in console mode or in service mode.
To install as Windows Service, run it with the
/ikey on behalf of the Administrator.
The component is installed in automatic start mode on behalf of
To uninstall Windows Service, run it with
/u on behalf of the Administrator.
Debug logs of the component are located in the folder
Logs. If they are not available, make sure that the folder is writable to the user
In order for the NPS to redirect requests to the component:
- In the "Remote RADIUS Server Groups" section, create a new group "MultiFactor Radius Adapters".
- Add to the group a server with the address from the parameter
adapter-server-endpoint. 3 On the Authentication/Accounting tab, copy the Shared Secret from the MultiFactor resource settings.
- Select the "Request must contains message authenticator attribute" checkbox.
- On the "Load Balancing" tab, set timeouts to 30 seconds.
In order for the component to address the NPS.
- In the "RADIUS Clients" section, create a new client.
- Friendly Name: Radius Adapter
- Address: from parameter
- Shared Secret: from Multifactor resource settings
You should have two policies created under the 'Connection Request Policies' section:
- The policy of processing a request from a VPN device:
- On the "Settings" tab in the "Authentication" section, select "Forward requests to the following remote RADIUS server group for authentication" and specify the "MultiFactor Radius Adapters" group.
- Policy of processing a request from a component:
- On the "Conditions" tab add condition NAS Identifier and set the value from the MultiFactor resource settings
- on the Settings tab, under Authentication, select "Authenticate requests on this server".