Adding 2FA to a Microsoft NPS Server - Connect IT Community | Kaseya
<main> <article class="userContent">
<p><strong>Question</strong></p>
<p>How can we add 2FA to a Microsoft NPS Server?</p>
<p><strong>Answer</strong></p>
<p><strong>Note</strong>: This integration does not support the use of Push. You will need to use OTP.</p>
<p>Setting up MFA for RADIUS is a requirement for this integration. Please see this <a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/idagent/hc/en-us/articles/360005105458" rel="undefined nofollow">article</a> for more information.</p>
<h3 data-id="configuring-nps-to-support-radius-authentication"><strong>Configuring NPS to support RADIUS Authentication</strong></h3>
<ol>
<li>Go to the Start Menu and click on <strong>Administrative Tools</strong>.</li>
<li>Go to <strong>Network Policy Server</strong> (NPS).</li>
<li>Expand <strong>RADIUS Clients and Servers</strong>.</li>
<li>Highlight <strong>Remote RADIUS Server Groups</strong> and right click &gt; <strong>New</strong>.</li>
<li>Name the group, then click <strong>Add</strong> to add a RADIUS server.</li>
<li>Type in the address of the RADIUS Agent.</li>
<li>Click on the <strong>Authentication/Accounting</strong> tab to configure the RADIUS server options.</li>
<li>Type in the shared secret that has been configured in the RADIUS Agent.</li>
<li>Click on the <strong>Load Balancing</strong> tab to configure the RADIUS timeout.</li>
<li>Under <strong>Advanced Settings</strong>, change <strong>Number of seconds without response before request is considered dropped</strong> from the default of 3 to a higher value (10 seconds or higher is recommended), then click <strong>OK</strong>.</li>
<li>Click <strong>OK</strong> to create the RADIUS server group.</li>
<li>Expand <strong>Policies</strong>, then <strong>Connection Request Policies</strong>.</li>
<li>Right click on <strong>Virtual Private Network (VPN) Access Policy</strong> &gt; click <strong>Properties</strong>.</li>
<li>Click on the <strong>Settings</strong> tab, then click <strong>Authentication</strong>.</li>
<li>Select <strong>Forward requests to the following remote RADIUS server group for authentication</strong> and select the RADIUS server group that you created from the list.</li>
<li>Click <strong>OK</strong>.</li>
<li>Repeat steps 12 – 16 for all other policies with the source <strong>Remote Access Server (VPN-Dial up)</strong>.</li>
<li>Click <strong>Network Policies</strong>, then highlight <strong>Virtual Private Network (VPN) Access Policy</strong> and right click &gt; <strong>Properties</strong>.</li>
<li>Click on the <strong>Constraints</strong> tab, then click <strong>Authentication Methods</strong>.</li>
<li>Deselect all methods except <strong>PAP</strong> and <strong>User can change password after it has expired</strong>, then click <strong>OK</strong>.</li>
<li>Restart the NPS service by highlighting <strong>NPS</strong> and right click &gt; <strong>Stop NPS Service</strong>, then right click &gt; <strong>Start NPS Service</strong>.</li>
</ol>
<p>See this <strong><a href="https://kaseya.vanillacommunities.com/kb/articles/aliases/idagent/hc/en-us/articles/360005104157" rel="undefined nofollow">article</a></strong> for configuring the connection to the VPN.</p>
</article> </main>
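<p>The following is an added example, not part of the original article and not Kaseya code. It shows what the shared secret from step 8 and the PAP method from step 20 mean on the wire: under RFC 2865 section 5.2 the User-Password attribute is hidden with MD5 keyed by the shared secret, so a secret that differs between NPS and the RADIUS Agent makes the receiver recover the wrong password. The user name, password and secrets are constructed sample values.</p>

```python
import hashlib
import os
import struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the receiving RADIUS server computes with its own copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(user: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, ident: int = 1) -> bytes:
    """Access-Request (code 1) with User-Name (type 1) and User-Password (type 2)."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def demo() -> dict:
    # Constructed sample values, not taken from the article.
    user, password = b"alice", b"constructed-password-1"
    nps_secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)                 # Request Authenticator
    packet = build_access_request(user, password, nps_secret, authenticator)
    hidden = packet[20 + 2 + len(user) + 2:]       # value of the User-Password attribute
    return {
        "length_ok": struct.unpack("!H", packet[2:4])[0] == len(packet),
        "password_in_clear": password in packet,
        "matching_secret": unhide_password(hidden, nps_secret, authenticator),
        "mismatched_secret": unhide_password(hidden, b"typo-in-secret", authenticator),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```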