
Windows VPN MFA Setup with Mideye (RRAS & NPS)

This guide describes how to integrate Mideye two-factor authentication (Touch Accept) with the built-in Windows VPN using Routing and Remote Access Service (RRAS) and Network Policy Server (NPS).

| Component | Versions |
| --- | --- |
| Windows Server (RRAS, NPS) | 2022 / 2019 / 2016 |
| Mideye Server | 5.x / 6.x |

Authentication flow (participants: VPN Client, RRAS / VPN Server, Network Policy Server, Mideye Server):

  1. VPN connection (EAP-MSCHAPv2)
  2. RADIUS Access-Request
  3. RADIUS Access-Request (UDP 1812)
  4. Push notification (Mideye+ app)
  5. Accept
  6. Access-Accept
  7. Access-Accept
  8. VPN tunnel established

  1. Open Server Manager → Add Roles and Features.

  2. Select Remote Access → DirectAccess and VPN (RAS).

  3. Complete the installation and open the configuration wizard.


This example configures a VPN server using EAP-MS-CHAPv2 with Mideye two-factor authentication.

  1. Open the RRAS Management Console.

  2. Right-click the server → Configure and Enable Routing and Remote Access.

  3. Select Remote access (dial-up or VPN) → Next.

  4. Select VPN → Next.

  5. Choose the network interface for remote access VPN.

  6. Select DHCP or a static IP pool for VPN clients.

  7. Select Yes, set up this server to work with a RADIUS server.

  8. Enter the Mideye Server IP and shared secret.

  9. Complete the configuration.


  1. Open the RRAS Management Console → right-click the server → Properties.

  2. Click Configure next to RADIUS Authentication.

  3. Select the RADIUS server → click Edit.

  4. Set the timeout to 35 seconds and verify the port matches Mideye Server (default UDP 1812).

  5. Click Authentication Methods and remove all methods except Extensible Authentication Protocol (EAP).
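
The RADIUS settings from steps 4 and 5 can also be applied and checked from PowerShell on the RRAS server. This is an added example, not part of the original guide; it uses the Windows RemoteAccess module cmdlets, the server address is a placeholder, and it covers RRAS only, not NPS.

```powershell
# Added example: run in an elevated PowerShell session on the RRAS server.
# Placeholder address (documentation range), not a value from the guide.
$MideyeServer = '192.0.2.10'

# Step 4: 35-second timeout and the default Mideye RADIUS port.
# The RADIUS server entry itself was created by the RRAS wizard earlier.
Set-RemoteAccessRadius -ServerName $MideyeServer -Purpose Authentication `
    -Timeout 35 -Port 1812

$problems = @()

# Read the entry back and compare it with what the guide expects.
$radius = Get-RemoteAccessRadius -ServerName $MideyeServer -Purpose Authentication `
    -ErrorAction SilentlyContinue
if (-not $radius) {
    $problems += "No authentication RADIUS entry found for $MideyeServer."
} else {
    if ($radius.Timeout -lt 35) {
        $problems += "RADIUS timeout is $($radius.Timeout)s, expected at least 35s."
    }
    if ($radius.Port -ne 1812) {
        $problems += "RADIUS port is $($radius.Port), expected 1812."
    }
}

# Step 5: EAP must be the only accepted user authentication method.
$accepted = @((Get-VpnAuthProtocol).UserAuthProtocolAccepted)
$extra    = @($accepted | Where-Object { $_ -ne 'EAP' })
if ($accepted -notcontains 'EAP') {
    $problems += 'EAP is not an accepted authentication method.'
}
if ($extra.Count -gt 0) {
    $problems += "Methods other than EAP are still accepted: $($extra -join ', ')."
}

if ($problems.Count -eq 0) {
    'RRAS RADIUS and authentication settings match the guide.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```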


  1. Open the Mideye WebGUI → Configuration → RADIUS Clients → Create New.

  2. Enter the VPN server IP and the same shared secret configured above. Navigate to Username Filtering.

  3. Select PREFIX as the filter method and enter \ in the filter separator field. This removes the domain\ prefix when users connect with “use windows credentials”.

  4. Select the LDAP server for authentication.

  5. Navigate to the LDAP Server tab → modify the LDAP server used by this RADIUS client.

  6. Change the authentication type to 8 Touch-Mobile. This only affects users with the Mideye+ app installed.

  7. Click OK → Close to restart services.


  1. Open Network Policy Server and navigate to Policies → Network Policies.

  2. Select the policy used by Mideye → Properties.

  3. On the Conditions tab, add a Windows group with users allowed to connect via Mideye VPN.

  4. On the Constraints tab, add Microsoft: Secured password (EAP-MSCHAPv2).

  5. Click OK.

For full NPS configuration, see the Network Policy Servers guide.


This configuration can be deployed via GPO for domain-joined computers. The following shows manual setup for a single computer.

  1. Open Network and Sharing Center → Set up a new connection or network.

  2. Select Connect to a workplace.

  3. Select Use my Internet connection (VPN).

  4. Enter the VPN server IP and select Remember my credentials → Create.

  5. Open Network and Sharing Center → Change adapter settings.

  6. Right-click the VPN connection → Properties.

  7. On the Security tab, select Require encryption (disconnect if server declines) and set authentication to Microsoft: Secured Password (EAP-MSCHAPv2) (encryption enabled).

  8. Check Automatically use my Windows logon name and password (and domain if any).

The VPN connection is now protected with Mideye two-factor authentication.
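
A scripted equivalent of the manual client steps above, using the built-in Windows VPN client cmdlets. This is an added example, not part of the original guide; the connection name and server address are placeholders, and the tunnel type is left at the Windows default because the guide does not specify one.

```powershell
# Added example: run on the client computer as the user who will connect.
$Name   = 'Mideye VPN'      # assumed connection name
$Server = '203.0.113.10'    # placeholder VPN server IP (documentation range)

# Step 8: EAP-MSCHAPv2 profile that automatically uses the Windows logon
# name and password (and domain, if any).
$eap = New-EapConfiguration -UseWinlogonCredential

# Steps 4 and 7: server address, remembered credentials, required
# encryption, and EAP as the authentication method.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -AuthenticationMethod Eap -EapConfigXmlStream $eap.EapConfigXmlStream `
    -EncryptionLevel Required -RememberCredential

# Read the profile back and flag anything that differs from the guide.
$vpn = Get-VpnConnection -Name $Name
$nonEap = @($vpn.AuthenticationMethod | Where-Object { $_ -ne 'Eap' })

if ($vpn.EncryptionLevel -ne 'Required') {
    Write-Warning "Encryption level is $($vpn.EncryptionLevel), expected Required."
}
if ($nonEap.Count -gt 0) {
    Write-Warning "Non-EAP authentication methods enabled: $($nonEap -join ', ')."
}
if (-not $vpn.RememberCredential) {
    Write-Warning 'Remember my credentials is not enabled.'
}

$vpn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod,
    EncryptionLevel, RememberCredential
```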


| Symptom | Check |
| --- | --- |
| VPN connection times out | Verify RADIUS timeout is at least 35 seconds on both RRAS and NPS. |
| No push notification received | Verify the Mideye+ app is installed and activated. Check authentication type is set to Touch-Mobile on the LDAP server in Mideye. |
| Authentication rejected by NPS | Verify the user is in the Windows group specified in the NPS network policy. Check shared secrets match between RRAS, NPS, and Mideye. |
| “Connection failed” after correct OTP | Verify EAP-MSCHAPv2 is the only authentication method in RRAS. Other methods may conflict. |
| Domain prefix in username | Configure PREFIX username filtering with \ separator in the Mideye RADIUS client. |
| No RADIUS traffic on Mideye Server | Verify UDP 1812 is open between the VPN server and Mideye Server. Check radius-messages.log. |