Introduction
The purpose of this guide is to describe how to integrate Mideye two-factor authentication (Touch-accept) with the built-in Microsoft remote access VPN.
Prerequisites & general issues
Requirements
A Mideye Server, release 4.7.1. If there is a firewall between the Microsoft VPN server and the Mideye Server, it must allow two-way RADIUS traffic (UDP, standard port 1812). The Microsoft VPN server acts as a RADIUS client towards the Mideye Server, so it must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.
Mideye+ app
The Mideye+ app must be installed and activated on the users' smartphones.
Limitations using Microsoft VPN with two-factor authentication
Microsoft VPN does not support native challenge-response, in the sense that it cannot present a second prompt for an OTP. Instead, Microsoft VPN must be used with Touch Accept, which delivers the second factor to the smartphone over its data connection. Please refer to the Touch-accept guide for more information and for how to activate it on smartphones.
Prerequisites
This guide does not explain how to set up an NPS server; refer to the Windows NPS guide. Some custom configuration of the NPS is required, and that is presented in this guide.
Integration steps
The following steps describe how to configure the VPN service on a Windows Server machine, how to configure the Mideye Server, and the custom configuration required on the NPS.
Installing Remote Access Server
The following steps guide you through installing the Remote Access Server role.
Configuration of the Remote Access server
The following configuration steps can be completed in more ways than presented in this guide. This configuration example sets up a remote VPN server using EAP-MSCHAPv2 with Mideye two-factor authentication.

Change the timeout to 35 seconds and make sure that the port is the same port the Mideye Server is listening on (default udp/1812). Click OK, followed by OK.

Click Authentication Methods and remove all authentication methods except Extensible Authentication Protocol (EAP).
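The same server-side configuration can be scripted with the RemoteAccess PowerShell module. This is an added example, not part of the original guide: the host name and shared secret are placeholders, and the cmdlet names and parameters are assumed from the standard Windows Server RemoteAccess module.

```powershell
# Added example (not from the guide): configure RRAS as a RADIUS client of the
# Mideye Server with the settings described above. Run on the Remote Access Server.

$MideyeServer = 'mideye.example.local'   # placeholder: Mideye Server host name or IP
# Shared secret must match the RADIUS client definition on the Mideye Server.
# Read it interactively rather than storing it in the script.
$SharedSecret = Read-Host -Prompt 'RADIUS shared secret'

# 1. Install the Remote Access role and enable it for remote (dial-in) VPN
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# 2. Register the Mideye Server as the RADIUS authentication provider.
#    Timeout 35 s gives the user time to touch-accept on the phone before
#    RRAS gives up; port 1812 is the Mideye Server default.
Add-RemoteAccessRadius -ServerName $MideyeServer `
                       -SharedSecret $SharedSecret `
                       -Purpose Authentication `
                       -Port 1812 `
                       -Timeout 35

# 3. Accept only EAP from VPN clients (the NPS policy then constrains it to
#    EAP-MSCHAPv2); PAP/CHAP/MS-CHAPv2 as plain user protocols are disabled.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru

# 4. Verify the RADIUS provider settings before testing a connection
Get-RemoteAccessRadius -Purpose Authentication |
    Format-List ServerName, Port, Timeout, Score
```

If the Mideye Server is later moved or the timeout needs tuning, `Set-RemoteAccessRadius` changes the existing entry without re-adding it.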
Configure Mideye Server
Open the configuration tool and navigate to RADIUS clients. Click Create new.

Enter the IP address of the Remote Access Server. Use the same shared secret as configured above and click User name filtering.

Select PREFIX as the filter method and type a \ in the filter separator field. This strips the domain\ prefix from the user name when a user authenticates with the "Use Windows credentials to connect" flag in the VPN client.
Navigate to the LDAP Servers tab and modify the LDAP server used by the RADIUS client configured above.

Change the authentication type to 8 Touch-Mobile. This does not affect users who do not have the Mideye+ app installed on their smartphones.
Click OK followed by Close to restart the services.
Custom configuration for NPS
The last step is to make sure the NPS is configured under the NPS tab. If it is not, refer to the guide on how to set it up for Mideye. Open Network Policy Server and navigate to Policies, then Network Policies. Select the policy used by Mideye and open its properties. On the Conditions tab, add a Windows group containing the users who should be able to log in using Mideye, if one is not already present.
Select the Constraints tab and add Microsoft: Secured password (EAP-MSCHAP v2).
Setup VPN-connection for end users
The last step in this guide is creating the VPN connection that end users will use to connect to the VPN. All of this configuration can be pushed out using GPOs to domain-joined computers, but in this guide a single computer is configured to connect to the remote access server.

Select the Security tab and choose Require encryption (disconnect if server declines). Change the authentication to Microsoft: Secured Password (EAP-MSCHAPv2) (encryption enabled).
This VPN connection is now protected with Mideye two-factor authentication.
Troubleshooting
Check RADIUS-logs
Check whether anything is written to the Mideye RADIUS log:
Mideye Server\log\radius-messages.log
If nothing is logged, verify that udp/1812 is allowed between the remote access server and the Mideye Server. Also check the Event Viewer on the remote access server for related events.
Contact Mideye support
For further support, please contact Mideye support at support@mideye.com or +46 8 545 147 50.