The purpose of this guide is to describe how to integrate Mideye two-factor authentication (Touch Accept) with Microsoft's built-in remote access VPN.
Prerequisites & general issues
A Mideye Server, release 4.7.1. If there is a firewall between the Microsoft VPN server and the Mideye Server, it must allow two-way RADIUS traffic (UDP, standard port 1812). The Microsoft VPN server acts as a RADIUS client towards the Mideye Server, so it must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for how to define a new RADIUS client.
The Mideye+ app must be installed and activated.
Limitations using Microsoft VPN with two-factor authentication
Microsoft VPN does not support native challenge-response, in the sense that it cannot present a second authenticator with an OTP prompt. Instead, Microsoft VPN must be used with Touch Accept, which provides the second factor over data traffic. Refer to the Touch Accept guide for more information and for how to activate it on smartphones.
This guide does not explain how to set up an NPS server; refer to the Windows NPS guide for that. Some custom configuration of the NPS is required, and that is presented in this guide.
The following steps describe how to configure the VPN service on a Windows Server machine, the configuration of the Mideye Server, and the custom configuration of the NPS.
Installing Remote Access Server
The following steps describe how to install the Remote Access Server role.
Configuration of the Remote Access server
The configuration steps below can be completed in more ways than presented in this guide. This example configures a remote VPN server using EAP-MSCHAP v2 with Mideye two-factor authentication.
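The role installation and the RRAS side of the configuration above can also be done from an elevated PowerShell prompt on the VPN server. The script below is an added example and is not part of the Mideye guide; the Mideye Server name, the shared secret and the RADIUS timeout are assumptions and must be replaced with your own values (the timeout is set higher than the Windows default because Touch Accept waits for the user to respond on the phone; use whatever your Mideye documentation recommends).

```powershell
# Added example (not from the Mideye guide): install the Remote Access role and point
# RRAS at the Mideye Server as its RADIUS authentication provider.
# Run in an elevated PowerShell on the Windows Server that will host the VPN.

$MideyeServer = 'mideye.example.internal'   # placeholder: hostname or IP of the Mideye Server
$RadiusPort   = 1812                        # standard RADIUS authentication port (UDP), as in the guide
$RadiusTimeout = 30                         # assumption: seconds to wait for the Touch Accept response

# 1. Install the Remote Access role with the VPN role service and the management tools.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Configure RRAS as a remote-access VPN server (same result as the GUI wizard).
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn

# 3. Authenticate VPN users against RADIUS (the Mideye Server) instead of Windows.
#    The shared secret must match the one entered for this RADIUS client on the Mideye Server.
$SharedSecret = Read-Host -Prompt 'RADIUS shared secret for the Mideye Server'
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver "name=$MideyeServer" "secret=$SharedSecret" "port=$RadiusPort" "timeout=$RadiusTimeout"

# 4. Accept only EAP for user authentication, so EAP-MSCHAP v2 is enforced end to end.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP

# 5. Restart RRAS so the AAA settings take effect, then show what was configured.
Restart-Service -Name RemoteAccess
netsh ras aaaa show authserver
Get-VpnAuthProtocol
```

The shared secret is read interactively rather than stored in the script so it does not end up in a file or in the PowerShell history; the RRAS server must still be added as a RADIUS client on the Mideye Server with the same secret, as described under Configure Mideye Server.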
Configure Mideye Server
Open the configuration tool, navigate to RADIUS clients and click Create new.
Navigate to the LDAP Server tab and modify the LDAP server used by the RADIUS client configured above.
Click OK followed by Close to restart the services.
Custom configuration for NPS
The last step is to make sure the NPS is configured under the NPS tab. If it is not, refer to the NPS guide on how to set it up for Mideye. Open Network Policy Server and navigate to Policies, then Network Policies. Select the policy used by Mideye and open its properties. On the Conditions tab, add a Windows group containing the users that should be allowed to log in using Mideye, if it is not already present.
On the Constraints tab, add Microsoft: Secured password (EAP-MSCHAP v2).
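The network policy itself is edited in the NPS console as described above, but the surrounding steps can be scripted with the NPS PowerShell module. The block below is an added example, not part of the Mideye guide or the Windows NPS guide it refers to. It assumes that the Mideye Server sends its password checks to the NPS over RADIUS (which is what the NPS tab in the Mideye configuration tool is for) and therefore has to be registered as a RADIUS client on the NPS; the client name, the address and the shared secret are placeholders.

```powershell
# Added example (not from the Mideye guide): register the Mideye Server as a RADIUS client on
# the NPS and take an export of the NPS configuration around the GUI policy change.
# Run in an elevated PowerShell on the NPS host.
Import-Module NPS

$ClientName   = 'MideyeServer'                 # placeholder: friendly name of the RADIUS client
$MideyeServer = '10.0.0.10'                    # placeholder: IP address of the Mideye Server
$SharedSecret = Read-Host -Prompt 'Shared secret entered on the NPS tab of the Mideye Server'

# Create the RADIUS client, or update it if a client with that name already exists.
if (Get-NpsRadiusClient -Name $ClientName -ErrorAction SilentlyContinue) {
    Set-NpsRadiusClient -Name $ClientName -Address $MideyeServer -SharedSecret $SharedSecret
} else {
    New-NpsRadiusClient -Name $ClientName -Address $MideyeServer -SharedSecret $SharedSecret
}

# Export the complete NPS configuration (network policies included) so the EAP-MSCHAP v2
# constraint and the Windows-group condition added in the GUI can be reviewed and restored.
# The export contains the shared secrets in clear text, so keep the file protected.
$Backup = Join-Path $env:ProgramData ("nps-config-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date))
Export-NpsConfiguration -Path $Backup

# Quick review: show the lines that mention the Mideye client and the EAP constraint.
Select-String -Path $Backup -Pattern $ClientName, 'EAP' |
    Select-Object LineNumber, Line
```

Taking the export before and after the GUI change gives a diffable record of exactly what was altered in the policy, which is useful both for change control and for rolling back if the VPN stops authenticating.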
Setup VPN-connection for end users
The last step in this guide is creating the VPN connection that end users will use to connect to the VPN. All of this configuration can be pushed out with GPOs to domain-joined computers, but in this guide a single computer is configured to connect to the remote access server.
This VPN connection should now be protected with Mideye two-factor authentication.
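The same client connection can be created with the VpnClient PowerShell module, which is also the form that is easiest to push out with a logon script or GPO. The block below is an added example and not part of the Mideye guide; the connection name, the server address and the choice of SSTP as tunnel type are assumptions. The EAP configuration XML selects EAP type 26, which is "Microsoft: Secured password (EAP-MSCHAP v2)", matching the constraint added on the NPS.

```powershell
# Added example (not from the Mideye guide): create the end-user VPN connection with
# EAP-MSCHAP v2 user authentication. Run on the client in the user's own session.
$ConnectionName = 'Corp VPN (Mideye)'        # placeholder
$VpnServer      = 'vpn.example.com'          # placeholder: public name of the remote access server

# EAP host configuration for EAP type 26 (EAP-MSCHAP v2).
# UseWinLogonCredentials=false forces a credential prompt instead of silently reusing
# the Windows logon password, so the user is aware a Touch Accept request will follow.
$EapMsChapV2 = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@

# Replace any stale connection of the same name so the EAP settings are not left half-updated.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $VpnServer `
                  -TunnelType Sstp `
                  -EncryptionLevel Required `
                  -AuthenticationMethod Eap `
                  -EapConfigXmlStream ([xml]$EapMsChapV2) `
                  -Force

# Show the result; AuthenticationMethod should read Eap and TunnelType Sstp.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

When the user connects, Windows prompts for the domain user name and password, RRAS forwards the authentication to the Mideye Server over RADIUS, and the user completes the login by pressing accept in the Mideye+ app.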
Check whether anything is written to the Mideye RADIUS logs.
If nothing is logged, verify that UDP/1812 is allowed between your remote access server and the Mideye Server. Also check the Event Viewer on the remote access server for related events.
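The Windows-side half of that troubleshooting can be collected in one go. The block below is an added example, not part of the Mideye guide; it assumes RRAS was configured to use RADIUS as in the earlier steps and that the NPS checks are run on the NPS host. Note that Test-NetConnection only tests TCP, so it cannot confirm that UDP/1812 is open; the firewall between the two servers has to be verified on the firewall itself, and the commands here only confirm what each Windows host believes.

```powershell
# Added example (not from the Mideye guide): first checks when a Mideye-protected VPN
# login fails and nothing shows up in the Mideye RADIUS log.
# Run in an elevated PowerShell; steps 1-2 on the RRAS server, steps 3-4 on the NPS host.
$Since = (Get-Date).AddHours(-1)            # look at the last hour of events

# 1. Is RRAS still set to RADIUS, and does it point at the Mideye Server on port 1812?
netsh ras aaaa show authentication
netsh ras aaaa show authserver

# 2. RRAS events (source "RemoteAccess" in the System log), e.g. RADIUS server time-outs.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess'; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. On the NPS host: granted (6272), denied (6273) and discarded (6274) RADIUS requests.
#    A 6273 shows the NPS saw the request and rejected it (policy or password problem);
#    no events at all means the request never reached the NPS.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. On the NPS host: confirm that a process is actually listening on UDP 1812.
Get-NetUDPEndpoint -LocalPort 1812 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Reading the two logs side by side usually points to the failing hop: a RADIUS time-out on RRAS with nothing on the Mideye side means the packets are being dropped in between, while a 6273 on the NPS means the chain is intact and the problem is the network policy or the credentials.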
Contact Mideye support
For further support please contact Mideye support, firstname.lastname@example.org, +46854514750.