---
locale: "en"
updated_at: "2025-12-22T09:09:06.909Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/mfa-implementation/vpn"
---

# Apply MFA for VPN

Install and configure for RADIUS challenge or RRAS.

## Introduction

UserLock enforces MFA on VPN connections through its integration with the **Microsoft Network Policy Server (NPS)**.

Two main configurations are possible, depending on your VPN environment:

- **VPNs supporting RADIUS Challenge**: 
MFA is applied directly through a standard RADIUS flow.
- **VPNs supporting RADIUS authentication and accounting**: 
Solutions like **Microsoft’s Routing and Remote Access Service (RRAS)** can use several methods to handle MFA, depending on your configuration and user experience goals. The **most seamless approach** is to use [UserLock VPN Connect](/userlock/docs/reference/modules/userlock-vpn-connect), a dedicated client that automatically manages MFA prompts for VPN connections.

The table below summarizes the available methods and their relative ease of use:

| VPN environment | MFA method | User experience |
| --- | --- | --- |
| VPN supporting **RADIUS Challenge** | MFA prompt appears after user credentials | ✅ Simple setup and clear MFA prompt ⚠️ Users must be enrolled |
| Microsoft **RRAS** with [UserLock VPN Connect](/userlock/docs/reference/modules/userlock-vpn-connect) | Dedicated UserLock VPN client handles MFA automatically | ✅ Seamless experience ✅ Users can enroll through UserLock VPN Connect tool |
| Microsoft RRAS with **MS-CHAPv2** authentication | MFA code entered in the `username` field | ⚠️ Manual entry, risk of user error ⚠️ Users must be enrolled |
| Microsoft RRAS with **PAP** authentication | MFA code entered in the `password` field | ⚠️ Manual entry, risk of user error ⚠️ Users must be enrolled |

> **Note**
>
> L2TP, SSTP, and PPTP are VPN types supported by Microsoft RRAS.
> When using **PAP authentication**, make sure the VPN tunnel is encrypted (e.g., with **L2TP/IPSec** or **SSTP**).
> Avoid **PPTP**, which does not provide sufficient security.

## Step 1. Install the NPS agent

1. In the **UserLock console**, go to **Environment ▸ Machines**.
2. Locate your **NPS server**, then click **Install** in the *NPS agent* column.
  ![](https://a.storyblok.com/f/122374/1461x314/e6ba8f4134/install-nps-agent-action-required.png)
3. If the "Routing and Remote Access" role or the "Remote Desktop Gateway" role is installed on the NPS server, restart the server. Otherwise, simply restart the **Network Policy Server** (**IAS**) service.
4. Connect once to the VPN and confirm that the user’s VPN session appears in the **Activity** page in the UserLock console.

This confirms that the NPS agent is correctly installed and communicating with the UserLock service.

For more information, see the [guide to install the NPS agent](/userlock/docs/guides/deploying-agents/nps-agent).

## Step 2. Apply MFA to VPN sessions

1. Open the **UserLock Console** and go to **Access Policies ▸ Add Policy**.
2. Follow the general steps described in [Configure an access policy](/userlock/docs/getting-started/configuration-access-policy) until you reach the **Policy type selection**.
3. Choose **Multi-factor authentication** to open the MFA policy form.
  ![](https://a.storyblok.com/f/122374/842x669/e93a8a5912/mfa-outside-distinct-first-logon-day.png)
4. Set **MFA application** to **Enabled**.
5. Choose configuration mode:
  - **All at once** (same settings for all session types)
  - **Distinct setting per session type** (recommended, so you can configure MFA separately for VPN connections).
6. **Configure VPN session rules**
  - For **Connection type**, choose whether MFA applies to all VPN logons, only remote ones, or only from outside IPs.
  - For **MFA frequency**, select how often MFA is required (at every logon, at first logon of the day, when connecting from a new IP, etc.).
7. **Save the rules**
The policy is now active and will enforce MFA on VPN connections.

> **Note**
>
> For the detailed meaning of the **Connection type** and **MFA frequency** options, see the [MFA policies reference](/userlock/docs/reference/access-policies/mfa).

## Method A. VPN supporting RADIUS Challenge

VPNs supporting **RADIUS Challenge** show a second MFA prompt after credentials.
Both **RADIUS authentication** and **accounting** must use the NPS server, with **PAP** authentication enabled.

> **Note**
>
> - **Supported VPNs** include OpenVPN, Palo Alto, Fortinet, and Pulse Secure.
> - ⚠️ For **Push MFA**, UserLock waits up to **5 minutes** for validation. If no response, a challenge prompt appears for the user to enter an OTP code manually.

### Configuration

1. In the **UserLock console ▸ Server settings ▸ Advanced ▸ Multi-Factor Authentication**, set: `MFA VPN Challenge = True`
2. Ensure your VPN server uses **PAP** as the authentication protocol.

### User experience

1. The user connects to the VPN and enters credentials.
  ![](https://a.storyblok.com/f/122374/400x516/253771b0cb/2-open-vpn.png)
2. The VPN prompts for an **OTP** or **Push** confirmation.
  ![](https://a.storyblok.com/f/122374/398x526/18cc4e350f/3-otp-open-vpn.png)
3. Access is granted once MFA is successfully validated.

## Method B. RRAS with VPN Connect

For Microsoft **RRAS** servers or VPN servers compatible with the Microsoft VPN client, you can use the [UserLock VPN Connect](/userlock/docs/reference/modules/userlock-vpn-connect) app which provides a seamless MFA workflow and enrollment.

### Configuration

1. [Deploy the VPN Connect](/userlock/docs/guides/installation/install-userlock-vpn-connect) app on client computers.
2. Install the [UserLock MFA IIS module](/userlock/docs/guides/mfa-implementation/iis-apps) to allow remote enrollment.
3. Configure the **RRAS server** to use **RADIUS authentication** with your NPS server.

### User experience

- On the first VPN connection, the app detects missing enrollment and opens the UserLock MFA registration page (via UserLock MFA IIS module).
  ![](https://a.storyblok.com/f/122374/334x367/fbca4ce329/userlock-vpn-connect-mfa-register.png)
- Users register and select their preferred authentication method (**Push** or **OTP**).
- On subsequent logons, MFA is requested automatically, either via Push approval or OTP entry.
  ![](https://a.storyblok.com/f/122374/384x522/b768c0b217/userlock-vpn-connect-verify-identity.png)

## Method C. RRAS using MS-CHAPv2

When using **MS-CHAPv2**, users can append their MFA code directly to the username during authentication.

### NPS Server configuration

1. Ensure a valid policy grants VPN access to the appropriate users.
  ![](https://a.storyblok.com/f/122374/852x257/f94b3c89ea/1-configuration.png)
  
  ![](https://a.storyblok.com/f/122374/736x610/05539cd2b4/2-connections.png)
2. Add the corresponding **Active Directory group** under **Conditions**.
  ![](https://a.storyblok.com/f/122374/686x377/573f4e9c4c/3-connections.png)

#### VPN Client configuration

- VPN type: **Automatic**
- Authentication: **MS-CHAPv2**

![](https://a.storyblok.com/f/122374/360x471/d748582e8e/4-vpn-connection.png)

#### 

### User experience

At login, users must enter:

- Username: `DOMAIN\user,123456`
- Password: `password`

![](https://a.storyblok.com/f/122374/448x266/a5809cf399/5-sign-in.png)

> **Note**
>
> - ✅ Separate the username and MFA code with a **comma**.
> - 💡 Enter the MFA code last, as it changes periodically.
> - 🔑 For TOTP/HOTP tokens, type the comma, then press the key to input the OTP.

## Method D. RRAS using PAP

If the VPN uses **PAP**, the MFA code must be added to the password field.

> **Note**
>
> ⚠️ Use this method only when encryption is already applied (for example, **L2TP/IPSec** or **SSTP**).
> 
> ❌ Do not use PAP with PPTP.
> 
> ###

### Server configuration

1. On the NPS server, select only **Unencrypted authentication (PAP, SPAP)**.
  ![](https://a.storyblok.com/f/122374/654x573/c803001aad/6-configuration.png)
2. In RRAS:
  - Configure a **pre-shared key** for **L2TP**.
    ![](https://a.storyblok.com/f/122374/410x581/b7a54f90cb/7-properties.png)
  - Select **PAP** as the authentication method.
    ![](https://a.storyblok.com/f/122374/388x339/5a24c49b4c/8-authentication-methods.png)

#### VPN client configuration

- Connection type: **L2TP with IPSec**
- Enter the pre-shared key.
- Authentication: **PAP**
  ![](https://a.storyblok.com/f/122374/361x474/81b1bc6530/9-vpn-properties-1.png)

#### User experience

At login, users must enter:

- Username: `<Domain>\<username>`
- Password: `<password>,<MFA code>`

![](https://a.storyblok.com/f/122374/445x261/32ac0bb2d9/10-sign-in.png)

> **Note**
>
> - ✅ Separate the password and MFA code with a **comma**.
> - 💡 Enter the MFA code last, as it changes periodically.
> - 🔑 For TOTP/HOTP tokens, type the comma, then press the key to input the OTP.

## RRAS Timeout configuration

When using **MFA Push** with VPN RRAS, both the **VPN client timeout** and the **RADIUS server timeout** must be longer than the **MFA push timeout** defined in UserLock.
This ensures the VPN connection remains active while the user validates the push notification.

- **VPN client timeout (Microsoft VPN)**
  On the client computer, adjust the following registry key:
  `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\MaxConfigure`
  - **Type:** REG_DWORD
  - **Value:** Timeout in seconds (default: `10`)
    ![](https://a.storyblok.com/f/122374/575x280/3116fe473b/3-registry-editor.png)
- **RADIUS server timeout (RRAS)**
  On the RRAS server, the **RADIUS timeout** can be configured in the **RADIUS server settings**.
  ![](https://a.storyblok.com/f/122374/380x266/aa1503af45/radius-authentication.png)
  
  ![](https://a.storyblok.com/f/122374/380x281/5bb7ffd5da/add-radius-server.png)
  
  > **Note**
  >
  > If the NPS server is installed locally it cannot be changed in the RRAS administration console.

## Limitations and workarounds

After enabling MFA for VPN sessions, users may be prompted again for credentials when accessing shared folders over VPN.

![](https://a.storyblok.com/f/122374/456x387/74b0106c7e/11-limitations.png)

To avoid this, if the client machine is member of the Active Directory :

1. On the client machine, open:
  `%USERPROFILE%\AppData\Roaming\Microsoft\Network\Connections\Pbk`
2. Edit **rasphone.pbk **file.
3. Set this value in the section related to the VPN connection:
  `UseRasCredentials=0`

![](https://a.storyblok.com/f/122374/406x328/a32ba948f2/12-use-ras-credentials.png)
