This document describes how to integrate the Microsoft Windows Routing and Remote Access Service, via Network Policy Server (NPS), with the DualShield unified authentication platform in order to add two-factor authentication when accessing the internal corporate network.

The DualShield unified authentication platform includes a fully compliant RADIUS server, DualShield Radius Server. DualShield provides a wide selection of portable OTP tokens in a variety of form factors, ranging from hardware tokens, software tokens, and mobile tokens to USB tokens. These include:

  • Deepnet SafeID
  • Deepnet MobileID
  • Deepnet GridID
  • Deepnet CryptoKey
  • RSA SecurID
  • VASCO DigiPass Go
  • OATH-compliant OTP tokens

In addition to supporting one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication method that delivers logon passwords via SMS texts, phone calls, Twitter direct messages or email messages.

The complete solution consists of the following components:

  • DualShield Authentication Server
  • DualShield Radius Server
  • Microsoft Network Policy Server
  • VPN Gateway
  • VPN Client

Note: NPS cannot forward RADIUS requests to the same IP address as itself, even if the RADIUS software is listening on another port or you configure two IP addresses on the same network card. NPS insists that the IP address of the remote RADIUS server is the same as its own IP address and ignores your configuration to forward the RADIUS requests. If you deploy DualShield Radius Server on the same machine where NPS is running, use the loopback address 127.0.0.1 instead. Otherwise, you will get an error described in "Possible to configure NPS as RADIUS Proxy *and* run RADIUS server on same machine".