Pricing  Get Quote
 
 

Multi-factor authentication for VPN logins

Safeguard VPN access with adaptive MFA

Start free trial

The need to protect VPN access

VPNs allow users to access various resources while outside the office through a secure tunnel. While this facilitates an uninterrupted workflow for remote employees, it also exposes the organization's network to new cybersecurity concerns.

When a VPN is synced with an organization's AD environment, users are commonly authenticated using only their domain username and password—a method that has proven to be no longer secure. Verizon reports that 81% of data breaches can be linked to compromised passwords. Exposure of VPN credentials can put your entire network at risk of data exposure. Implementing additional layers of security through MFA is an effective way to prevent the dire consequences of credential exposure.

Secure your VPN access with ADSelfService Plus

ManageEngine ADSelfService Plus, an identity security solution, enables you to fortify VPN connections to your organization's networks using adaptive MFA. This involves implementing authentication methods like biometric authentication and one-time passwords (OTPs) during VPN logons in addition to the traditional username and password. Since passwords alone are not enough to log in to the network, ADSelfService Plus renders exposed credentials useless for unauthorized VPN access.

Supported VPN providers

ADSelfService Plus allows admins to secure all RADIUS-supported VPN providers with MFA including:

  1. Fortinet
  2. Cisco IPSec
  3. Cisco AnyConnect
  4. Windows native VPN
  5. SonicWall NetExtender
  6. Pulse
  1. Check Point Endpoint Connect
  2. SonicWall Global VPN
  3. OpenVPN Access Server
  4. Palo Alto
  5. Juniper

How MFA for VPNs works

To secure your VPNs using MFA, the VPN server needs to use a Windows Network Policy Server (NPS) to configure RADIUS authentication, and the ADSelfService Plus NPS extension has to be installed in the NPS. This extension mediates between the NPS and ADSelfService Plus to enable MFA during VPN connections. Once these requirements are fulfilled, the process shown below takes place during a VPN login:

Multi-factor authentication for VPN logins

  1. A user tries to establish a VPN connection by providing their username and password to the VPN server.
  2. The VPN server sends the authentication request to the NPS where the ADSelfService Plus’ NPS extension is installed.
  3. If the username and password combination is correct, the NPS extension contacts the ADSelfService Plus server and raises a request for a second factor of authentication.
  4. The user performs authentication through the method configured by the administrator. The result of the authentication is sent to the NPS extension in the NPS.
  5. If the authentication is successful, the NPS conveys this to the VPN server.

The user is now granted access to the VPN server and an encrypted tunnel is established with the internal network.

Supported VPN authentication methods

ADSelfService Plus provides 20 authenticators for VPN MFA and gives flexibility in configuration based on your organization's VPN setup. You can choose either VPN-client-based verification or SecureLink-based email verification for VPN MFA.

Client-based verification presents users with MFA prompts directly from the VPN client during the login process. The following are the authentication methods you can configure for client-based authentication:

  1. TOTP authentication
  2. Microsoft Authenticator
  3. YubiKey Authenticator
  4. Zoho OneAuth TOTP
  5. Push notification authentication
  6. Biometric authentication

SecureLink-based email verification sends a verification link to users' mailboxes that they need to click to verify their identity. This method supports all authenticators provided by ADSelfService Plus, including those not supported by client-based verification, such as FIDO passkeys and smart card authentication.

ADSelfService Plus enables hassle-free configuration and administration of VPN MFA through:

  • Granular configuration: Enable particular authentication methods for users belonging to specific domains, OUs, and groups.
  • Real-time audit reports: View detailed reports on VPN login attempts with information like login time and authentication failures.

Benefits of using VPN MFA with ADSelfService Plus

  •  

    Customizable configuration

    Apply different authenticators to different sets of users based on their privileges.

  •  

    Achieve regulatory compliance

    Meet NIST SP 800-63B, GDPR, HIPAA, NYCRR, FFIEC, and PCI DSS regulation requirements.

  •  

    Prevent credential-based cyberattacks

    Prohibit the use of weak passwords, which make your network vulnerable to cyberattacks.

  •  

    Secure endpoints

    Use MFA to secure not just VPN access, but also local and remote logins for Windows, macOS, and Linux machines for complete endpoint security.

Fortify your VPN access with multi-factor authentication.

Download Now  

ADSelfService Plus also supports

  •  

    Adaptive MFA

    Enable context-based MFA with 19 different authentication factors for endpoint and application logins.

    Learn more  
  •  

    Enterprise single sign-on

    Allow users to access all enterprise applications with a single, secure authentication flow.

    Learn more  
  •  

    Remote work enablement

    Enhance remote work with cached credential updates, secure logins, and mobile password management.

    Learn more  
  •  

    Powerful integrations

    Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.

    Learn more  
  •  

    Enterprise self-service

    Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.

    Learn more  
  •  

    Zero Trust

    Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.

    Learn more  

ADSelfService Plus trusted by