Using IAS/NPS for RADIUS with AuthLite
Procedure
Open the AuthLite Configuration application on the domain member server you wish to set up as a RADIUS server. (Before version 2.0.62 a domain controller was required.)
Under Service Configuration, select the "IAS/NPS Plugin" item
Select the "Enable IAS/NPS support on this server" checkbox
To allow more flexibility in RADIUS clients, you can also select the "Permit requests that don't send the domain name" checkbox.
Since Microsoft's IAS/NPS configuration dialogs are not AuthLite-aware, there is one additional setting you must select here. It controls how PAP requests will be processed.
- One-factor (OTP in password field): In this mode, the server expects the username in the username field and an OTP in the password field. This is the configuration to use when AuthLite validates only the OTP factor and another process authenticates the user's name and password. For example, this is how Citrix and Juniper's two-factor authentication works.
- Two-factor (OTP and Password both included): In this mode, the server expects to see both an OTP and a password in the request. The OTP can be in the username field, or combined with the plain text password in the password field [1]. This is the configuration to use when you want IAS/NPS to authenticate both factors together.
- Two-factor with separate Access-Challenge (VPN client must support): In this mode, the user enters username and password as usual in the initial dialog, and the plugin then makes NPS return a RADIUS "Access-Challenge" response. If your RADIUS peer and the user UI support this, it should trigger a new dialog that collects the one-time passcode from the user. Not all systems that connect to NPS are able to show this dialog, and selecting this option does not make incompatible clients able to do it; for those clients, use the Two-factor option above instead.
Note: Unlike the other PAP modes, the Access-Challenge setting requires a change to the machine's group policy to permit 1-factor network access by AuthLite users. If you apply the typical domain-wide group policy, it will interfere with this operation. Make a policy exception so that, on the NPS server, Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny access to this computer from the network" does not contain the AuthLite 1-Factor Session Tag group. Authentication is still ultimately enforced as 2-factor, but in the "first pass" NPS must validate the password before the OTP is known; without the exception, a typical group policy configuration would deny that as a 1-factor logon and the connection would be rejected before the OTP can be requested.
Apply changes
Restart the AuthLite service and also the IAS/NPS service. Changes are only applied after the services restart.
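To confirm the group policy exception required by Access-Challenge mode has actually reached the NPS server, the following added PowerShell check (not part of AuthLite or this page) exports the effective local security policy and inspects the "Deny access to this computer from the network" right. It assumes it runs elevated on the NPS server after gpupdate, and that the group is named as on this page; adjust $TagGroup if your domain uses a different name.

```powershell
# Added example: verify the Access-Challenge GPO exception on the NPS server.
# Assumption: run in an elevated session on the NPS server itself.
$TagGroup = 'AuthLite 1-Factor Session Tag'   # name as given on this page; adjust if different

$cfg = Join-Path $env:TEMP 'nps-user-rights.inf'
# secedit exports the effective local policy; USER_RIGHTS limits it to user rights assignments.
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run this from an elevated prompt.' }

# SeDenyNetworkLogonRight is the "Deny access to this computer from the network" right.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Output 'SeDenyNetworkLogonRight is empty: no principal is denied network logon here.'
    return
}

# Entries are comma-separated; SIDs are prefixed with '*', account names appear verbatim.
$entries = ($line -split '=', 2)[1].Trim() -split ','
$names = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $e }   # keep SIDs that cannot be resolved as-is
    } else { $e }
}

Write-Output 'Deny access to this computer from the network:'
$names | ForEach-Object { Write-Output "  $_" }

if ($names | Where-Object { $_ -like "*$TagGroup*" }) {
    Write-Warning "'$TagGroup' is still denied network logon on this server; the first-pass password check in Access-Challenge mode will be rejected. Apply the policy exception and run gpupdate /force."
} else {
    Write-Output "'$TagGroup' is not denied network logon: the Access-Challenge exception is in place."
}
```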
Notes
You must set up an appropriate policy in IAS/NPS to allow connections from the RADIUS client of the proper authentication type.
You do not need to select between PAP and MS-CHAPv2 anywhere in the AuthLite interface; the policy you configure on IAS/NPS is where you choose between these settings.
[1] The reason for this flexibility is that some VPN servers need to see the username in order to enforce their own policy independently of the RADIUS server, or to do their own logging. If your server does not need to know the username, your users can enter OTP/password into the VPN client and save effort.