How to enable MFA for VPN logins and RADIUS-supported endpoint logins

ADSelfService Plus' Endpoint MFA adds an extra step of authentication for VPN and endpoint logins that use RADIUS authentication (like Microsoft Remote Desktop Gateway and VMware Horizon View, etc.) for enhanced security.

ADSelfService Plus requires the usage of a Windows Network Policy Server (NPS) in the VPNs and endpoints. It comes bundled with a NPS extension, which should be installed in the NPS server. This extension facilitates communication between the NPS server and ADSelfService Plus for MFA during VPN and endpoint logins.

How it works:


Once the VPN or endpoint (Microsoft RD Gateway, VMware Horizon View, etc.) server is configured to use RADIUS authentication, and the NPS extension is installed in the RADIUS server, here is how the authentication process will work:

  1. A user tries to establish a connection by providing their username and password to the VPN or endpoint server.
  2. The server converts the request to a RADIUS Access-Request message and sends it to the NPS server where the ADSelfService Plus’ NPS extension is installed.
  3. If the username and password combination is correct, the NPS extension triggers a request for second-factor authentication with the ADSelfService Plus server.
  4. ADSelfService Plus performs the secondary authentication and sends the result to the NPS extension in the NPS server.
  5. If the authentication is successful, the NPS server sends a RADIUS Access-Accept message to the VPN or endpoint server.
  6. The user is granted access to the VPN or endpoint server and establishes an encrypted tunnel to the internal network.

Configuring MFA for VPN and RADIUS-supporting endpoints


Step 1: Enable the required authenticators

  1. Log into ADSelfService Plus as an admin.
  2. Go to Configuration → Self-Service → Multi-Factor Authentication → Authenticators

Authenticators supported for Endpoint VPN MFA can be classified into,

  1. One-way authenticators
    • Push notification Authentication
    • Fingerprint/Face ID Authentication

    These authenticators are applicable by default for all the endpoints providing RADIUS authentication.

    • When you enable Push Notification or Fingerprint/Face ID Authentication, make sure the ADSelfService Plus server is reachable by the users through the internet from their mobile devices.
    • RADIUS authentication timeout should be set to at least 60 seconds in the VPN server's RADIUS authentication configuration settings.
  2. Challenge-based authenticators
    • ADSelfService Plus TOTP Authentication
    • Google Authenticator
    • Microsoft Authenticator
    • Yubico OTP (hardware key authentication)
    • SMS verification and email verification
    • Zoho OneAuth TOTP

    Challenge-based authenticators are applicable only when:

    • PAP is configured for the RADIUS authentication method.
    • The RADIUS client (VPN or endpoint server) supports challenge-response that is, it has a way for prompting challenge (verification code) from the user and sending back the entered challenge.
    • When challenge-based authenticators are used, the RADIUS attributes that are configured in the Network Policy won't be forwarded to the RADIUS client (VPN or endpoint server). As a result, the VPN client might either have more access than you want it to have, or less access, or no access.

    Click on the respective links to learn how to enable these authentication methods.

Step 2: Enable MFA for VPN Logins in ADSelfService Plus

  1. Go to MFA for Endpoints.
  2. Select a policy from the Choose the Policy drop-down. This policy will determine the users for whom MFA for VPN and endpoint login will be enabled. To learn more about creating an OU or a group-based policy, click here.
  3. In the MFA for VPN Login section, select the checkbox next to Select the authenticators required. Choose the number of authentication factors to be enforced. Select the authentication methods to be used. The authentication methods listed can also be rearranged by dragging and dropping at the necessary position.
  4. Click Save Settings.

Step 3: Install the NPS extension

  1. Go to MFA for Endpoints.
  2. Download the NPS extension using the link provided in the Notes section.
  3. Copy the extension file ( to the Windows server, which you have configured as the RADIUS server. Extract the ZIP file’s content and save it in a location.
  4. Open Windows PowerShell as administrator and navigate to the folder where the extension files content are located.
  5. Execute the following command:
  6. PS C:\> .\setupNpsExtension.ps1 Install

    Note: If the NPS extension plugin has to be uninstalled or updated to newer versions and configuration data, enter Uninstall and Updated respectively instead of Install.
  7. After installation, you will be prompted to restart the NPS Windows service. Proceed with the restart.

Advanced settings

Refer to Advanced Settings to configure VPN MFA session limit and the options to bypass MFA if ADSelfService Plus is not reachable or the user is not enrolled.

Customizing the configuration of MFA for VPN and RADIUS-supported endpoints

You can customize the MFA configuration based on organizational requirements. To do so,

  1. Open the Registry Editor (type regedit in the Run dialog box).
  2. Go to the HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension.
  3. Note:
    • Take a backup of the registry key before editing it.
    • Only the built-in administrator group in the computer will have privilege to edit this key.
  4. You can customize the properties mentioned below according to your organizational requirements:
    • ServerName: Mention the HostName or IP address of the ADSelfService Plus web server.
    • ServerPortNo: Mention the TCP Port number for the ADSelfService Plus web server.
    • ServerContextPath: Mention the web server context (if changed)
    • MfaStatus: This can be set to true or false depending on whether you need MFA to be enforced or not.
    • ServerSSLValidation: This can be set to true or false. If set to true It verifies the SSL certificate and hostname when establishing an HTTPS connection from the NPS extension to ADSelfService Plus server. It is recommended that the property always be set to true for security reasons.
    • BypassMFAOnConnectionError (Optional): This property can be set to true and false depending on whether MFA can be bypassed if any connection issue is present during authentication.
    • CRPolicies (Optional): This property can be used to enforce MFA only for the user who falls under these connection request policies. Enter the connection request policy's names and if more than policy has to be mentioned, separate the policy names by semicolons (;).
    • NetworkPolicies (Optional): This property can be used to enforce MFA only for the user who falls under these network policies. Enter the network policy's names and if more than one policy has to be mentioned, separate the policy names by semicolons (;).
    • Note: When both CRPolicies and NetworkPolicies are configured, an authentication request will be considered for MFA only if both the CRPolicies and NetworkPolicies of the RADIUS request matches with the ones configured. If the policies are not configured, MFA will be enforced for all the successful RADIUS requests sent to the NPS server.
    • LogLevel (Optional): This property can be used to determine the intricacy of the logged information on the feature's functioning. The property will be set to Normal by default and can be changed to Debug to additionally log details that will aid with debugging. It is recommended that the property be set to Normal.
  5. Click OK.


Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.


Need technical assistance?

  • Enter your email ID
  • Talk to experts
    By clicking 'Talk to experts', you agree to processing of personal data according to the Privacy Policy.

Copyright © 2023, ZOHO Corp. All Rights Reserved.