How to add two-factor authentication to NPS

NPS is the RADIUS server role for Windows 2008. It replaces IAS. NPS will allow a user to log in with an AD username and an OTP, perform authorization based on the username, and proxy the credentials for authentication.

Configuring NPS for Two-factor authentication

In this tutorial, we will be adding NPS to the authentication process to handle authorization. Users will log in to your application or VPN with their username and WiKID one-time passcode. NPS will perform authorization based on the username alone; the AD password is not required. Keep in mind that in the RADIUS world, a client asks for authentication and a server authenticates. So, your VPN or application is a RADIUS client to NPS, and NPS is a RADIUS server to the VPN/application. In turn, WiKID is a RADIUS server to NPS, and NPS is a Network Client to WiKID.

We provide this open content for the benefit of all and hope that you will download and test the WiKID Strong Authentication Server.

Add the NPS Role

Start by adding the NPS role to your Windows 2008 server:

[Screenshot: NPS & Two-factor authentication]

The only service we need is Network Policy Server

[Screenshots: NPS & Two-factor authentication]

You will need to restart the server.

Adding your VPN/remote service as a RADIUS Client

Once the server has rebooted, start the Network Policy Server admin tool, right-click on RADIUS Clients and select New.

[Screenshot: Adding Two-factor authentication to NPS]

Give your RADIUS client a friendly name such as "Enterprise VPN" or "Partner Extranet" and enter its IP address. Enter the same shared secret here as you did on your RADIUS client. This shared secret is used to protect the RADIUS traffic between your VPN/remote access service/application and NPS.

[Screenshot: Adding Two-factor authentication to NPS]

Adding WiKID to NPS as a RADIUS Server


Next, right-click on Remote RADIUS Servers and select New. Under Server, enter the IP address of the WiKID Strong Authentication Server.

[Screenshot: Adding Two-factor authentication to NPS]

Click on the Authentication/Accounting tab. Enter the same shared secret here as you entered on the Network Client tab on the WiKID server. This shared secret is used to protect the RADIUS traffic between NPS and the WiKID Strong Authentication Server. Check the box for "Request must contain the message authenticator attribute".
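As an added illustration, not part of the WiKID tutorial, of what the two shared secrets and the "Request must contain the message authenticator attribute" setting actually protect, the following Python builds an Access-Request the way a RADIUS client does (RFC 2865 User-Password hiding plus the RFC 2869 Message-Authenticator) and checks the Message-Authenticator the way NPS does before forwarding. The secret, username, OTP and addresses are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS code and attribute types used below (RFC 2865 / RFC 2869)
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 1, 2, 4, 80

def _avp(attr_type, value):
    """Encode one attribute as Type-Length-Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_password(password, secret, authenticator):
    """Hide User-Password with the RFC 2865 MD5 stream derived from the shared secret."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def build_access_request(identifier, username, otp, nas_ip, secret, authenticator=None, with_ma=True):
    """Build the Access-Request a RADIUS client such as a VPN sends to NPS."""
    ra = authenticator or os.urandom(16)  # Request Authenticator: fresh random per request
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(USER_PASSWORD, encode_password(otp.encode(), secret, ra))
             + _avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    if not with_ma:  # what a client that omits the attribute would send
        return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    attrs += _avp(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder while the HMAC is computed
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """Server-side check: HMAC-MD5 over the whole packet must match under the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, length = 20, len(packet)
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False  # attribute absent: reject, as NPS does when the box is checked
```

A request with a wrong secret, a modified User-Name, or no Message-Authenticator at all fails the check, which is why the shared secrets must match on both sides of each RADIUS hop.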


Adding a Network Policy


Right-click on Connection Request Policies and select New. Give the policy a name and click Next.

[Screenshot: Two-factor authentication with NPS for authorization]

Click Add to add a Condition.

[Screenshot: Two-factor authentication with NPS for authorization]

You need to add a condition or the policy will never be used. If you want all users of this RADIUS client to use two-factor authentication, you can specify the NASIPv4Address condition. Alternatively, you can state that connections at any time require two-factor authentication. Please see the Microsoft documentation for more options and details.

[Screenshot: Two-factor authentication with NPS for authorization]

Click on NASIPv4Address and enter the IP Address of the RADIUS client (your VPN/remote services).

[Screenshot: Two-factor authentication with NPS for authorization]

Click Next and select Authentication. Choose the radio button for "Forward requests to the following remote RADIUS server group for authentication" and select the WiKID server.

[Screenshot: Two-factor authentication with NPS for authorization]

Click Next. Do not specify any RADIUS Return Attributes, unless you know what you are doing.

[Screenshot: NPS & Two-factor Auth]

Click Finish.

[Screenshot: finishing the policy wizard]

Adding Dial-in permissions to the user

If you tested this configuration now, you would see the following error in the Windows Event log:

The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

Start the Active Directory Users and Computers admin tool and click on Users.

[Screenshot: Enable AD users for two-factor authentication]

Right-click on the user, open its properties and click on the Dial-in tab. Under Network Access Permission, choose Control access through NPS Network Policy.

[Screenshot: Enable AD users for two-factor authentication]

Notes

That should do it. You will also need to open UDP port 1812 for the RADIUS traffic on your Windows server firewall. If you want to learn more about configuring NPS, please see Microsoft's documentation on the NPS authorization process.

Download the WiKID Strong Authentication Enterprise Edition.


Update:

Customers have mentioned having issues getting the NPS RADIUS Connection Request Policy working. One sent us this screenshot of a working connection request policy. They set Remote-RADIUS-to-Windows-User-Mapping to True:

[Screenshot: user mapping]

Remember, at WiKID we believe that pre-sales engineering is better than post-sales support, so download a free trial of the WiKID Enterprise Server and get it working in your network.
