UserLock Documentation

How to apply MFA for VPN

Pre-requisites

  • A Network Policy Server (NPS) with the latest UserLock NPS agent installed (at least Version 10.2)
  • VPN connections managed by Microsoft Routing and Remote Access Service (RRAS)

To enable MFA for VPN connections, users must:

  • belong to a pre-defined Active Directory group
  • belong to a protected account to which MFA has been applied
  • have previously logged on to the network using MFA

NOTE:
At present there is no direct method to activate MFA for VPN sessions only. If MFA is enabled for a user, it is activated for both VPN and interactive sessions; it is not possible to distinguish between the two session types.

It is recommended to add users gradually, since each user will need to adjust the authentication settings of their VPN client.

MFA for VPN using MSCHAP-v2 by entering the MFA code in the username field

Configuration

  1. At the NPS Server, ensure that an active valid policy is in place that grants VPN access to the required users.

  2. In the “Conditions” section, add the Windows Active Directory group to which authorized VPN users belong.

  3. At the client level, ensure the following:

    • VPN connection type is set to “Automatic”
    • MS-CHAP v2 authentication method is selected

MFA for VPN connections for end users

When a user with MFA enabled connects to a VPN session, they will be required to enter the MFA code when entering their username and password.

The user will need to enter the MFA code displayed in the authentication app or programmable token in the user name field, using the format:

User name: <Domain>\<username>,<MFA code>

YubiKey users type the comma and then press the YubiKey to enter the code.

For example, a typical user with the following details:
Domain = VDE
Username = Bob
MFA code = 123456
would enter VDE\Bob,123456 in the user name field.

NOTE:
In the user name field, a comma “,” is required to separate the username and the MFA code.
Since the MFA code changes periodically, it is recommended to enter the password first and then return to the user name field so that the MFA code is entered last.

Alternative method using PAP authentication by entering the MFA code in the password field

It is possible to use the Password Authentication Protocol (PAP) for VPN with MFA.
This method is less secure and is not recommended.

Configuration

  1. On the NPS Server, ensure that only the unencrypted authentication methods (PAP, SPAP) are selected.

  2. On the Routing and Remote Access Server, ensure that a preshared key has been configured for L2TP connections.

  3. Ensure that the Unencrypted password (PAP) authentication method is selected.

  4. At the VPN client level ensure that:

    • VPN connection type is set to L2TP/IPsec
    • The preshared key configured in RRAS is entered
    • Authentication method is set to PAP

MFA for VPN connections for end users

When a user with MFA enabled connects to a VPN session, they will be required to enter the MFA code when entering their username and password.

The user will need to enter the MFA code displayed in the authentication app in the password field, after the password, separated by a comma “,”. YubiKey users type the comma and then press the YubiKey to enter the code.

In the user name field: <Domain>\<username>
In the password field: <password>,<MFA code>

For example, a typical user with the following details:
Domain = VDE
Username = Bob
Password = password
MFA code = 123456
would enter VDE\Bob in the user name field and password,123456 in the password field.

Limitations

At this time it is not possible to separate MFA for interactive sessions and VPN sessions.

Once you have configured MFA for VPN sessions, users will be prompted to enter their credentials when accessing shared folders through VPN.

As a workaround, this prompt can be avoided if the client machine is a member of the Active Directory domain, by carrying out the following procedure:

On the host machine used for the VPN connection navigate to the following location:

"%USERPROFILE%\AppData\Roaming\Microsoft\Network\Connections\Pbk"

Edit the file “rasphone.pbk”

In the section corresponding to the VPN connection in use, ensure that the following value is set:
UseRasCredentials=0
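The workaround above is a manual edit of one section of rasphone.pbk. The following script, an added example and not part of the UserLock documentation or product, applies the same change programmatically: it sets UseRasCredentials=0 only in the section named after the chosen VPN connection, adds the key if that section lacks it, leaves every other connection untouched, and refuses to write anything if the connection is not found. The sample pbk content is constructed for the example; the file encoding used when reading and writing is an assumption.

```python
"""Set UseRasCredentials=0 for one connection in a Windows rasphone.pbk file."""
import os
import re
from pathlib import Path

# Constructed sample: two connections, both still sending RAS credentials to shares.
SAMPLE_PBK = """[Office VPN]
Encoding=1
PBVersion=6
Type=2
UseRasCredentials=1

[Lab VPN]
Encoding=1
UseRasCredentials=1
"""

def _append_key(out: list, value: str) -> None:
    """Insert the key at the end of the current section, before trailing blank lines."""
    trailing = []
    while out and out[-1].strip() == "":
        trailing.append(out.pop())
    out.append(f"UseRasCredentials={value}")
    out.extend(trailing)

def set_use_ras_credentials(pbk_text: str, connection: str, value: str = "0") -> str:
    """Return pbk_text with UseRasCredentials=<value> in the [connection] section only."""
    out, in_target, found, written = [], False, False, False
    for line in pbk_text.splitlines():
        m = re.match(r"^\[(.*)\]\s*$", line)
        if m:  # section header: finish the previous section first
            if in_target and not written:
                _append_key(out, value)
                written = True
            in_target = (m.group(1) == connection)
            found = found or in_target
            out.append(line)
        elif in_target and re.match(r"^UseRasCredentials\s*=", line, re.IGNORECASE):
            out.append(f"UseRasCredentials={value}")  # rewrite the existing key in place
            written = True
        else:
            out.append(line)  # other sections and keys pass through unchanged
    if not found:
        raise ValueError(f"connection {connection!r} not found in pbk")
    if in_target and not written:  # target was the last section and had no key
        _append_key(out, value)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Path from the procedure above; "Office VPN" is a placeholder connection name.
    pbk = Path(os.path.expandvars(r"%USERPROFILE%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"))
    pbk.write_text(set_use_ras_credentials(pbk.read_text(encoding="utf-8"), "Office VPN"), encoding="utf-8")
```

Run it on the client machine after the VPN connection has been created, since rasphone.pbk only contains sections for connections that already exist.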