Although one of the main selling points of Always on VPN is a seamless user experience, for additional security organisations may wish to employ integration with some additional factor, such as a prompt on a phone authentication app before a connection is completed.
When connecting via a user tunnel, VPN connection requests are passed to a Network Policy Server for authorization. Typically a user requires the following to successfully connect:
- A username and password to log on to the device
- A valid internal user certificate; NPS will check for the presence of the user certificate on the device.
- If configured in the NPS policy, also a membership of an AD access group.
The use of certificates for connections is a good step e.g. if an attacker had all the VPN profile connection details and a username and password they would still need a user certificate belonging to the user, and certificate chain of trust deployed to their machine from the internal certificate authority to be able to connect.
But there is still a risk that if an attacker had possession of the device holding the user certificate and the users logon credentials (how many of us have seen a post it note stuck to the laptop!) they would be able to connect to the VPN, and be on to the corporate network.
Azure Multi Factor Authentication can be used as an additional factor in the authentication flow to help mitigate such situations, and works well. This is achieved by installing an Azure MFA extension on the NPS servers performing VPN authentication. A high level overview of the requirements:
- An Azure subscription and administrative access to it.
- Assuming a hybrid configuration, any user using Azure MFA for Always on VPN connections needs to be synced to Azure Active Directory.
- Azure MFA enabled and licensed for the VPN users (at the time of writing Microsoft state: The NPS Extension for Azure MFA is available to customers with licenses for Azure Multi-Factor Authentication (included with Azure AD Premium, EMS, or an MFA stand-alone license). Consumption-based licenses for Azure MFA such as per user or per authentication licenses are not compatible with the NPS extension.)
- Visibility of the Azure Active Directory “Directory ID” for configuration of the NPS extension
- Technically the minimum spec to install the NPS extension is Windows 2008 R2, although now out of extended support so we will say minimum 2012 R2 or later, ideally the latest version of Windows Server due to the security and lifecycle benefits it brings.
- Up to date Visual C++ packages and Azure AD modules on the NPS server for the extension.
- Turned off IE enhanced security settings on the server to allow the Azure AD sign on to appear during the extension install.
- NPS server access via port 80 and 443 to specific Microsoft URLs for communication.
- Rights to run a PowerShell configuration script as part of the extension configuration on the NPS server (which will prompt for the directory ID).
- Consider the type of Authentication being used on the VPN, if EAP as per the Microsoft guidance this supports mobile app and phone call verification only.
- A user account in Azure AD previously licensed and set up for using Azure MFA.
- A device for receiving authentication requests e.g. app verification prompts on mobile phone previously configured.
Some caution is required – when installing the NPS extension on an NPS server, from that point onwards NPS will require all authentication requests going through it to use MFA , so it should be installed on dedicated NPS servers. Also, if you have more than one NPS server servicing VPN connections the MFA extension needs to be installed on all of them.
Having verified my pre-requisites and installed the Azure MFA NPS extension I can attempt a VPN connection.
When my VPN s connecting I get a prompt on my phone:
I can also at the same time see in the NPS server logs I was authenticated via the NPS extension on my NPS server:
And I can see in Azure (Security > Multi Factor Authentication- Activity Report) my MFA logons via radius and phone app:
In summary Azure MFA is definitely worth considering to provide additional security – The advantages here if your users are synced to AAD, licensed and set up for Azure MFA on their phones already, then the NPS extension configuration can be done to add an extra factor in to the mix.