Two-factor authentication through Windows Server 2008 NPS

Nick Owen of WiKID Systems Inc. offers a step-by-step tutorial to help enterprises add strong authentication to the network.

From Administrative Tools, select Network Policy Server.

Right-click on RADIUS Clients and select New.

Add a name, the IP address of your remote access server (RAS, VPN, etc.) and create a shared secret. You will enter the same shared secret on the WiKID server.

Click OK.

Add a new RADIUS server - the WiKID Strong Authentication Server

Right-click on Remote RADIUS Server Groups and create a new group named something like "WiKID".

Click the Add button to add a new RADIUS server to the group.

Enter the IP address of the WiKID server on the first tab. On the second tab, enter the shared secret. That should be all you need to change.

Creating a Network Policy

Now that we've created the RADIUS client and the remote RADIUS server group (WiKID), we need a new network policy that tells NPS which requests to proxy to WiKID.

Enter a name and leave Type of network access server as Unspecified, or choose your remote access system.

Click on the Conditions tab. I added a condition for all requests from my server's IP address.

Click on the Settings page. Click on Authentication and select the radio button for "Forward requests to the following remote RADIUS server group for authentication". Choose WiKID.

Configuring the WiKID Strong Authentication Server

Now that we've configured NPS to proxy authentications, we need to configure WiKID to accept them. See the WiKID installation manual for the details on how to install and configure the WiKID server. Here we're just going to add a RADIUS network client for the NPS:

Log into the WiKIDAdmin web interface.

Click on the Network Clients tab.

Click on "Create New Network Client". Give the network client a name, specify the IP address of the NPS, select RADIUS as the protocol and choose which WiKID domain to use. (WiKID domains hold the users and specify certain security parameters such as PIN length, the lifetime of the one-time passcodes, maximum bad PIN/passcode attempts, etc.)

Click Add.

On the next page, enter the shared secret. This is the same secret you entered in NPS above, on the second tab of the 'Add RADIUS Server' step. Be sure these match! WiKID supports adding RADIUS return attributes at the network client level and on a per-user-group level; however, that is beyond the scope of this document.

You will get a notice that the network client has been added. You will then need to restart the WiKID server from the command line. This loads the network client into the RADIUS interface and opens the RADIUS ports on the built-in WiKID firewall.

# wikidctl restart
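As an added illustration (not from the original tutorial and not WiKID's or Microsoft's code): the reason the secrets on NPS and WiKID must match is that every RADIUS reply carries a Response Authenticator, an MD5 over the reply packet, the request's authenticator and the shared secret (RFC 2865), and the proxy discards any reply whose authenticator it cannot reproduce. The constructed Python exchange below signs an Access-Accept with the WiKID-side secret and verifies it with the NPS-side secret; packet contents, identifiers and secrets are made up for the example.

```python
import hashlib
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def header(code, ident, authenticator, attributes):
    """Assemble code, identifier, total length and the 16-byte authenticator ahead of the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes

def response_authenticator(code, ident, attributes, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.pack("!H", 20 + len(attributes))
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attributes + secret).digest()

def build_access_accept(request, secret):
    """Server side (WiKID): answer an Access-Request with an Access-Accept signed with its secret."""
    ident, request_auth = request[1], request[4:20]
    attributes = attr(ATTR_REPLY_MESSAGE, b"OK")
    auth = response_authenticator(ACCESS_ACCEPT, ident, attributes, request_auth, secret)
    return header(ACCESS_ACCEPT, ident, auth, attributes)

def verify_response(response, request, secret):
    """Proxy side (NPS): recompute the authenticator with its own secret and compare."""
    code, ident = response[0], response[1]
    if ident != request[1]:
        return False  # reply does not belong to this request
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return expected == response[4:20]

# Constructed sample request (not captured traffic). A real Access-Request uses a
# random 16-byte Request Authenticator; a fixed one keeps the example repeatable.
REQUEST_AUTH = bytes(range(16))
REQUEST = header(ACCESS_REQUEST, 7, REQUEST_AUTH, attr(ATTR_USER_NAME, b"alice"))

def check_secrets(nps_secret, wikid_secret):
    """True only when both sides hold the same secret; a mismatch fails the authenticator check."""
    accept = build_access_accept(REQUEST, wikid_secret)
    return verify_response(accept, REQUEST, nps_secret)

if __name__ == "__main__":
    print("matching secrets  :", check_secrets(b"s3cret", b"s3cret"))   # True
    print("mismatched secrets:", check_secrets(b"s3cret", b"s3cre7"))   # False
```

A mismatched secret does not produce a clear error at the user; NPS simply drops the reply as invalid, so this check is the first thing to reproduce when proxied logins time out.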

Next: Configuring the SSH Gateway Server
