
Windows VPN 2FA

This guide shows how to set up Windows VPN 2FA (two-factor authentication) using the Protectimus multi-factor authentication system. After Windows VPN is integrated with Protectimus MFA, users will need to pass two stages of authentication to connect:

  1. Enter their username and password.
  2. Enter the one-time passcode, which is only valid for 30 seconds.

To generate one-time passcodes, the following types of two-factor authentication tokens will be available to your users: a 2FA application on a smartphone; delivery of one-time codes via Telegram, Viber, and Facebook Messenger; physical TOTP tokens; delivery of one-time codes by e-mail or SMS.

It is almost impossible to compromise a standard password and a one-time password simultaneously. Therefore, two-factor authentication is a must-have element in protecting Windows VPN user accounts from unauthorized access through attacks such as phishing, brute force, keyloggers, social engineering, and the like.

1. Two-Factor Authentication for Windows VPN – How It Works

This guide shows you how to set up two-factor authentication for Windows VPN using Protectimus Cloud-Based Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform and RRAS component. RRAS integration with Protectimus via the RADIUS authentication protocol is required.

The scheme of work of the Protectimus two-factor authentication solution for Windows VPN is shown below.

[Diagram: Windows VPN 2FA with Protectimus (RRAS, RADIUS, Protectimus platform)]

2. How to Enable Windows VPN 2FA

You can set up Windows VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Install and configure RRAS.
  4. Configure Windows VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for OpenVPN 2-factor authentication using RADIUS are available here.

Enable “inline-mode” in the configuration file. In the “auth” section, add the following settings (you may specify any separator character):

inline-mode:
  enabled: true
  separator: ','

2.3. Install and Configure Routing and Remote Access Service (RRAS)

RRAS installation

  1. Open Server Manager and select “Add Roles and Features Wizard” from the Manage menu.
  2. In the “Server Roles” section, select “Remote Access”.
  3. In the “Role Services” section, select “Direct Access and VPN (RAS)”.
  4. Complete the installation.

RRAS setup

  1. Start “Routing and Remote Access”.
  2. Select “Deploy VPN only”.
  3. Right-click on the server name, then select “Configure and Enable Routing and Remote Access”.
  4. Select “Custom Configuration”.
  5. Next, check “VPN Access”.
  6. Complete the installation and start the service.

Authentication setup

  1. Go to settings by right-clicking on the server name and selecting “Properties”, then switch to the “Security” tab.
  2. Select “RADIUS Authentication” from the “Authentication Provider” drop-down list.
  3. Click the “Configure” button next to the same drop-down list.
  4. Next, add a new server:
    • Server name: IP address of the machine on which the Protectimus RADIUS Server component is installed.
    • Shared Secret: the shared secret that was specified in the radius.yml file when configuring the RADIUS server.
    • Also select “Always use message authenticator”.
    • Leave the rest of the settings at their defaults.
  5. Save the added server.
  6. Next, click on the “Authentication methods” button.
  7. In the window that appears, leave only “Unencrypted password (PAP)” selected.
  8. Save all settings.
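The following example is added to show what the two settings above (“Always use message authenticator” and “Unencrypted password (PAP)”) mean on the wire between RRAS and the RADIUS server; it is not Protectimus or Microsoft code, and the shared secret and credentials are constructed. It builds a RADIUS Access-Request with a PAP User-Password hidden as RFC 2865 section 5.2 specifies and a Message-Authenticator attribute computed as RFC 2869 section 5.14 specifies, and then performs the server-side verification that lets a RADIUS server reject a request that was altered in transit or sent without the attribute.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret for this example; in a deployment it is the
# value from radius.yml that is also typed into the RRAS server entry.
SHARED_SECRET = b"example-shared-secret"

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type, total length (including these two bytes), value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. This is obfuscation, not encryption: it is only as
    strong as the shared secret and the freshness of the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips padding (passwords ending in NUL are not supported)


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request with a PAP User-Password and a Message-Authenticator
    (RFC 2869 5.14): HMAC-MD5 keyed with the shared secret over the whole
    packet, computed with the attribute's own 16 bytes set to zero."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be fresh per request
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD,
                         encode_pap_password(password.encode(), secret, authenticator))
    ma_value_pos = HEADER_LEN + len(attrs) + 2  # where the 16 HMAC bytes will sit
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_value_pos] + mac + packet[ma_value_pos + 16:]


def parse_attrs(packet: bytes):
    """Return [(type, value_offset, value)] or None if the TLVs are malformed."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < HEADER_LEN:
        return None
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            return None
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side verification. With 'Always use message authenticator' ticked,
    RRAS includes the attribute in every request, so the RADIUS server can
    require it and reject requests that lack a valid one."""
    attrs = parse_attrs(packet)
    if attrs is None:
        return False
    found = [(off, val) for t, off, val in attrs
             if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16]
    if len(found) != 1:
        return False
    off, received = found[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

The point for the RRAS setting: without Message-Authenticator, an Access-Request is covered only by the password hiding, and nothing else in the packet is integrity-protected. With the attribute, a modified User-Name or a request forged without knowledge of the shared secret fails `verify_message_authenticator` and is rejected before any credential check runs.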

2.4. Set up Windows VPN

  1. Go to VPN settings.
  2. Click “Add a VPN connection” and fill in:
    • VPN provider: Windows (built-in).
    • Server name or address: your server address.
    • Type of sign-in info: Username and password.
  3. Save the VPN connection.
  4. Next, go to the adapter settings: Control Panel > Network and Internet > Network Connections.
  5. Right-click on the created VPN connection adapter and click Properties.
  6. In the “Security” tab, select “Allow the following protocols”.
  7. Leave only “Unencrypted password (PAP)” selected.
  8. Save the settings.
  9. You have completed the Windows VPN 2FA setup; now you can test the connection.
The integration of two-factor authentication into Windows VPN is complete. If you have questions, please contact Protectimus Support.
Last updated on 2022-10-04