Microsoft Remote Access Server

Introduction

The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication (Touch-accept) with Microsoft builtin remote VPN.

Prerequisites & general issues

Requirements

A Mideye Server, release 4.7.1. If there is a firewall between the Microsoft VPN server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). Microsoft VPN acts as a RADIUS client towards the Mideye Server. Hence, the Microsoft VPN server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Mideye+ app

Mideye+ app must be installed and activated.

Limitations using Microsoft VPN with two-factor authentication

Microsoft VPN do not support native challenge-respons in that sense that it can present a second authenticator with an OTP-prompt. Instead, Microsoft VPN must be used with Touch Accept to allow two-factor using data-traffic. Please refer to Touch-accept guide here for more info and how to activate it on smartphones.

Prerequisites

This guide will not explain how to setup a NPS-server. Refer to Windows NPS guide here. Also, some custom configuration have to be done to the NPS, which will be presented in this guide.

Integration steps

The following steps will describe how to configure the VPN service on a Windows Server machine, configuration of the Mideye-server and custom configuration on the NPS.

Installing Remote Access Server

The following steps will be a guide on how to install the Remote Access Server role.

Open "Add Roles and Features"

Open “Add Roles and Features”

Select Remote Access followed by

Select Remote Access followed by DirectAccess and VPN (RAS)

Finish the installation and open the configuration wizard

Finish the installation and open the configuration wizard

Configuration of the Remote Access server

The following configuration steps can be completed in more ways than presented in this guide. This configuration example will configure a remote VPN-server using EAP-MS-chap-v2 with Mideye two-factor authentication.

Right click the RAS-server and select Configure and enable Routing and Remote Access

Right click the RAS-server and select Configure and enable Routing and Remote Access


Choose Remote Access (dial-up or VPN) and click Next

Choose Remote Access (dial-up or VPN) and click Next

Choose VPN and click Next

Choose VPN and click Next

Choose the interface that should be used for remote access VPN

Choose the interface that should be used for remote access VPN

Select DHCP or a static pool of addresses

Select DHCP or a static pool of addresses

Choose "Yes set up this server to work with a RADIUS server"

Choose “Yes set up this server to work with a RADIUS server”

Enter the IP-address to the RADIUS-server followed by a shared secret.

Enter the IP-address to the RADIUS-server followed by a shared secret.

Finish the configuration

Finish the configuration

Open the RRAS Management Console

Open the RRAS Management Console, right click the server and choose Properties.

Select Configure next the RADIUS authentication

Select Configure next the RADIUS authentication

Select the RADIUS-server and click edit

Change the timeout to 35 seconds and make sure that the port is the same port that the Mideye Server is listning on (default udp/1812). Click OK, followed by OK.

Click authentication methods and remove all authentication methods except for Extensible authentication protocol (EAP).

 

Configure Mideye Server

Open configuration tool and navigate to RADIUS-clients. Click create new.

Enter the IP of the Remote Access Server. Use the same shared-secret as configured above and click the User name filtering.

Enter the IP of the Remote Access Server. Use the same shared-secret as configured above and click the User name filtering.

Select PREFIX as filter method and type a \ in the filter separator field. This function is used to remove the domain\ when a user tries to authenticate with the “use windows credentials to connect” flag in the VPN client. Navigate to LDAP Servers.

Select the LDAP-server that should be used for authentication and click “OK”.

Navigate to LDAP Server tab and choose to modify the LDAP-server used by the RADIUS-client configured above.

Change the authentication type to 8 Touch-Mobile. This will not affect any users that do not have the Mideye+ app installed on their smartphones.

Click OK followed by Close to restart the services.

Custom configuration for NPS

Last step is to make sure the NPS is configured under the NPS-tab. If not, refer to this guide on how to set it up for Mideye. Open Network Policy server and navigate to Policies followed by Network Policies. Select the policy that is being used by Mideye and select properties. Select the condition tab and, if not already present, add a windows group with users that should be able to login using Mideye.

Add a windows group

Select the Constraints tab and add Microsoft: Secured password (EAPmschap-v2)

Select Microsoft: Secured password (EAPmschap-v2). Click OK.

Setup VPN-connection for end users

Last step in this guide will be creating a VPN-connection that will be used for end-users to connect to the VPN. All this configuration can be pushed out using GPO´s to domain-joined computer, but in this guide a single computer will be configured to connect to the remote access server.

Open Network and sharing Center and click set up a new connection or network

Open Network and sharing Center and click set up a new connection or network

Choose connect to a workplace

Choose connect to a workplace

Choose Use my internet connection (VPN)

Choose Use my internet connection (VPN)

Enter the IP of the remote access server and select Remember my credentials.

Enter the IP of the remote access server and select Remember my credentials. Click Create.

Again, from Network and sharing center, click Change adapter settings.

Again, from Network and sharing center, click Change adapter settings.

Right click the created VPN-connection and choose properties

Right click the created VPN-connection and choose properties

Select the security tab and choose Require encryption (disconnect if server declines). Change the authentication to Microsoft: Secured Password (EAP-MSCHAPv2) (encryption enabled).

Select the security tab and choose Require encryption (disconnect if server declines). Change the authentication to Microsoft: Secured Password (EAP-MSCHAPv2) (encryption enabled).

 

Check the Automatically use my Windows logon name and password (and domain if any)

Check the Automatically use my Windows logon name and password (and domain if any)

 

Now this VPN connection should be protected with Mideye two-factor.

Troubleshooting

Check RADIUS-logs

Check if anything is written to the Mideye RADIUS logs

Mideye Server\log\radius-messages.log

If nothing is logged, verify that udp/1812 is allowed between your remote access server and Mideye Server. Also, check Event viewer for logs on the remote access server.

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.