Skip to main content

Using the Windows Server 2012 RADIUS plugin to route two-factor authentication credentials to the WiKID server.

This tutorial demonstrates how to implement two-factor authentication in your Windows network using NPS. Note that the users will login with their WiKID one-time passcode and their AD/WiKID username (which must be the same, without a domain). NPS will perform authorization based on the username and WiKID will perform authentication with the username and OTP.

We assume you have the server role NPS installed.

NPS 2FA getting started

Right click Radius Client and select new. Use the IP address of the server or service to which you are adding two-factor authentication, such as your VPN or a Linux server.

NPS add Radius client

Right click on Remote Radius Server and select New. Give it a name such as WiKID. Enter the IP Address of your WiKID server.

add IP of the WiKID Strong authentication server

Enter a shared secret. This is the same shared secret that will be entered on the WiKID server in the Network Clients tab. Check the box "Request must contain the message authenticator attribute".

add WiKID as radius server

Click OK. Now we need to create a policy that will use these RADIUS settings. Right click on Connection Request Policy and Select New. For this the type of network server was left as unspecified.

create connection request policy

Click Next. Then Add to create a condition. Since we know all the requests will be coming from a certain IP address we can use Client IPv4 Address as the condition. NB:  Many conditions that seem to make sense do not work.  The similarly named "Access Client IPv4" or the "NAS IPv4 address" condition do not work! 

create connection request conditions

Enter the IP address of the client, your VPN or whatever device.

add correct NPS constraint

Click OK, then Next. Select Forward request to the following remote RADIUS server and the WiKID group in the drop down.

Select Forward request

Select Next.

select next

Click on Vendor Specific and Add. Scroll down and choose Remote-RADIUS-to-Windows-User-Mapping.

choose Remote-RADIUS-to-Windows-User-Mapping.

Set it it True.

 Set it it True.

Then click Close. And Ok. Right click on "Use Windows Authentication for all users" and disable it. NPS should now look like this:

NPS should now look like this:

Now, we need to create a Network Policy. Isn't that what we just did? Why is it so complex? We don't know, ask Microsoft. Right click on Network Policy and select New.

create a Network Policy

Click Next and add a condition. It appears that this must be a different condition than in the connection request policy. For testing, we added a pointless condition allowing users to login at any time.  We recommend you start with this, test it and then come back and make a more restrictive constraint. 

add a condition to NPS

Next, specify that access should be granted.

specify that access should be granted.

If that works, add a more restrictive constraint.  Typically, you will want to make sure that the user is authorized for remote access by their group membership.  Double-click on Windows Groups and choose the proper group for remote access. 

Add NPS Policy

This is the best way to continue to manage your users in AD and it is the best reason to use NPS. If an employee is fired or their permission change it is managed in AD.  Simply disabling the user prevents them for getting access.  Your AD admins (or HR) do not need to be admins on your two-factor authentication server. 

Require AD user group for 2FA

Next, you can specify which EAP or CHAP/PAP protocols you want. Note that some services such as PAM-RADIUS only support PAP and that the encryption in CHAP is terrible. RADIUS should really only be used on trusted networks. Using one-time passcodes does limit the risks.

Click Next through the next three screens and then Finish. You should now have one enabled Network Policy.

 enabled Network Policy.

That's it for NPS. Please see our document on Troubleshooting RADIUS on the WIKID server as well. 




Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication