Introduction
The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication (Touch-accept) with Microsoft builtin remote VPN.
Prerequisites & general issues
Requirements
A Mideye Server, release 4.7.1. If there is a firewall between the Microsoft VPN server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). Microsoft VPN acts as a RADIUS client towards the Mideye Server. Hence, the Microsoft VPN server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.
Mideye+ app
Mideye+ app must be installed and activated.
Limitations using Microsoft VPN with two-factor authentication
Microsoft VPN do not support native challenge-respons in that sense that it can present a second authenticator with an OTP-prompt. Instead, Microsoft VPN must be used with Touch Accept to allow two-factor using data-traffic. Please refer to Touch-accept guide here for more info and how to activate it on smartphones.
Prerequisites
This guide will not explain how to setup a NPS-server. Refer to Windows NPS guide here. Also, some custom configuration have to be done to the NPS, which will be presented in this guide.
Integration steps
The following steps will describe how to configure the VPN service on a Windows Server machine, configuration of the Mideye-server and custom configuration on the NPS.
Installing Remote Access Server
The following steps will be a guide on how to install the Remote Access Server role.
Open “Add Roles and Features”
Select Remote Access followed by DirectAccess and VPN (RAS)
Finish the installation and open the configuration wizard
Configuration of the Remote Access server
The following configuration steps can be completed in more ways than presented in this guide. This configuration example will configure a remote VPN-server using EAP-MS-chap-v2 with Mideye two-factor authentication.
Right click the RAS-server and select Configure and enable Routing and Remote Access
Choose Remote Access (dial-up or VPN) and click Next
Choose VPN and click Next
Choose the interface that should be used for remote access VPN
Select DHCP or a static pool of addresses
Choose “Yes set up this server to work with a RADIUS server”
Enter the IP-address to the RADIUS-server followed by a shared secret.
Finish the configuration
Open the RRAS Management Console, right click the server and choose Properties.
Select Configure next the RADIUS authentication
Select the RADIUS-server and click edit
Change the timeout to 35 seconds and make sure that the port is the same port that the Mideye Server is listning on (default udp/1812). Click OK, followed by OK.
Click authentication methods and remove all authentication methods except for Extensible authentication protocol (EAP).
Configure Mideye Server
Open configuration tool and navigate to RADIUS-clients. Click create new.
Enter the IP of the Remote Access Server. Use the same shared-secret as configured above and click the User name filtering.
Select PREFIX as filter method and type a \ in the filter separator field. This function is used to remove the domain\ when a user tries to authenticate with the “use windows credentials to connect” flag in the VPN client. Navigate to LDAP Servers.
Select the LDAP-server that should be used for authentication and click “OK”.
Navigate to LDAP Server tab and choose to modify the LDAP-server used by the RADIUS-client configured above.
Change the authentication type to 8 Touch-Mobile. This will not affect any users that do not have the Mideye+ app installed on their smartphones.
Click OK followed by Close to restart the services.
Custom configuration for NPS
Last step is to make sure the NPS is configured under the NPS-tab. If not, refer to this guide on how to set it up for Mideye. Open Network Policy server and navigate to Policies followed by Network Policies. Select the policy that is being used by Mideye and select properties. Select the condition tab and, if not already present, add a windows group with users that should be able to login using Mideye.
Add a windows group
Select the Constraints tab and add Microsoft: Secured password (EAPmschap-v2)
Select Microsoft: Secured password (EAPmschap-v2). Click OK.
Setup VPN-connection for end users
Last step in this guide will be creating a VPN-connection that will be used for end-users to connect to the VPN. All this configuration can be pushed out using GPO´s to domain-joined computer, but in this guide a single computer will be configured to connect to the remote access server.
Open Network and sharing Center and click set up a new connection or network
Choose connect to a workplace
Choose Use my internet connection (VPN)
Enter the IP of the remote access server and select Remember my credentials. Click Create.
Again, from Network and sharing center, click Change adapter settings.
Right click the created VPN-connection and choose properties
Select the security tab and choose Require encryption (disconnect if server declines). Change the authentication to Microsoft: Secured Password (EAP-MSCHAPv2) (encryption enabled).
Check the Automatically use my Windows logon name and password (and domain if any)
Now this VPN connection should be protected with Mideye two-factor.
Troubleshooting
Check RADIUS-logs
Check if anything is written to the Mideye RADIUS logs
Mideye Server\log\radius-messages.log
If nothing is logged, verify that udp/1812 is allowed between your remote access server and Mideye Server. Also, check Event viewer for logs on the remote access server.
Contact Mideye support
For further support please contact Mideye support, support@mideye.com, +46854514750.