Question
How can we add 2FA to a Microsoft NPS Server?
Answer
Note: This integration does not support the use of Push. You will need to use OTP.
Setting up MFA for RADIUS is a requirement for this integration. Please see this article for more information.
Configuring NPS to support RADIUS Authentication
1. Go to the Start Menu and click on Administrative Tools.
2. Go to Network Policy Server (NPS).
3. Expand RADIUS Clients and Servers.
4. Highlight Remote RADIUS Server Groups and right click > New.
5. Name the group, then click Add to add a RADIUS server.
6. Type in the Address of the RADIUS agent.
7. Click on the Authentication/Accounting tab to configure the RADIUS Server options.
8. Type in the Shared Secret that has been configured in the RADIUS Agent.
9. Click on the Load Balancing tab to configure the RADIUS timeout.
10. Under Advanced Settings, change Number of seconds without response before request is considered dropped from the default of 3 to a higher value (10 seconds or higher is recommended), then click OK.
11. Click OK to create the RADIUS server group.
12. Expand Policies, then Connection Request Policies.
13. Right click on Virtual Private Network (VPN) Access Policy > click Properties.
14. Click on the Settings tab, then click Authentication.
15. Select Forward requests to the following remote RADIUS server group for authentication and select the RADIUS server group that you created from the list.
16. Click OK.
17. Repeat steps 12 – 16 for all other policies with the source Remote Access Server (VPN-Dial up).
18. Click Network Policies, then highlight Virtual Private Network (VPN) Access Policy and right click > Properties.
19. Click on the Constraints tab, then click Authentication Methods.
20. Deselect all methods except PAP and User can change password after it has expired, then click OK.
21. Restart the NPS service: highlight NPS, right click > Stop NPS Service, then right click > Start NPS Service.
See this article for configuring the connection to the VPN.