Home Knowledge Base SecureW2 Documentation Azure MFA VPN Integration Guide

Azure MFA VPN Integration Guide

Introduction

To safeguard access to data and applications, users can avail Azure AD multi-factor authentication (MFA) with SecureW2’s Cloud RADIUS and connect to a VPN.

This guide helps you connect a device to a VPN using token-based authentication and Azure MFA.

Prerequisites

You need to obtain a VPN license from: sales@securew2.com

Creating an Azure MFA Core Provider

To create an Azure MFA Core Provider:

  1. Navigate to Integration Hub > Core Platforms.
  2. Click Add.
  3. In the Name and Description fields, enter an appropriate name and description for the Core Provider.
  4. From the Type drop-down list, select Azure MFA.
  5. Click Save.
  6. Click the Configuration tab.
  7. In the Tenant ID field, enter the Directory (tenant) ID obtained from the Microsoft Azure portal. For more information on how to obtain the Tenant ID, refer to the Configuring Dynamic RADIUS with Azure to Support WPA2-Enterprise page.
  8. From the Identity drop-down list, select the certificate-based attribute.
  9. Click Update.
  10. For the newly added Core Provider, click the Edit icon.

  11. Navigate to the Configuration tab.

    a. Click the Download button to save the setup script file.

    NOTE: You need to run the Powerscript file to complete the setup. The PowerScript file is supported only in Windows.

Authorize SecureW2 to Access Azure

  1. On your Windows machine, click Start, type PowerShell, and select Run as administrator.
  2. On the command line, go to the location of the PowerScript file and run the following command: powershell -ExecutionPolicy Bypass -File “Azure MFA Authorization Script.ps1”
  3. You need to install certain packages, and you will be prompted with the following messages:
    1. The MSOnline module is not installed on the system. Automatically install it? – Type “Y”
    2. NuGet provider is required to continue. PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet provider must be available in ‘C:\Program-Files\PackageManagement\ProviderAssemblies’ or ‘C:\Users\user\AppData\Local\PackageManagement \ProviderAssemblies’. You can also install the NuGet provider by running the Install-PackageProvider-Name NuGet -MinimumVersion 2.8.5.201 – Force the command. Do you want PowerShellGet to install and import the NuGet provider now? – Type “Y”
    3. This script will enable SecureW2 to access your Azure Strong Authentication Service in order to verify users in your Azure organization with Tenant ID < >. In order to do so, you will have to log in to Azure using an organization admin account. Continue? – Type “Y”
  4. The Azure sign-in window is displayed. Enter the organization admin account credentials and click Sign in.
    NOTE: You need to use the latest version of Firefox or Chrome as your default browser.

On successful authorization, the following message is displayed at the prompt: “Azure Strong Authentication Service OAuth credential registered successfully.

Creating a VPN Profile

To create a VPN profile:
  1. Navigate to Device Onboarding > Getting Started.
  2. On the Quickstart Network Profile generator page, from the Generate Profile for drop-down list, select Internal User Authentication.
  3. From the Profile Type drop-down list, select Virtual Private Network.
  4. In the Profile Name field, enter a suitable name for the VPN profile.
  5. From the VPN Vendor drop-down list, select a vendor.
    1. Global Protect VPN Client – Enter only the VPN Server Address.
    2. Native VPN Client – Enter both the VPN Server Address and VPN Shared Secret.
  6. From the RADIUS Vendor drop-down list, select a vendor. If you select a vendor other than the SecureW2 RADIUS server, ensure you have the Root or Intermediate CA that issued the RADIUS server certificates.
  7. Click the Choose file button to upload a profile logo.
  8. Click Create.
The newly created VPN profile will be available in the Profiles after it is published. NOTE: To edit the VPN Shared Secret and Server Address, go to Device Onboarding > Profiles. Click Edit on the VPN profile you created earlier, and then select the Advanced tab. NOTE: To obtain a VPN license for your organization, contact support@securew2.com

Mapping the VPN Profile

To map the VPN profile to the Core Provider for authentication:

  1. Navigate to Policy Management > Authentication.
  2. Click the Edit link of the newly created VPN profile policy.
  3. Select the Conditions tab and make sure that your network profile is displayed in the Profile field.
  4. Click the Settings tab, and from the Core Provider drop-down list, select the Azure MFA core provider you created earlier for authentication (refer to the Creating an Azure MFA Core Provider section).
  5. Select the Enable User Self Service checkbox if required.
  6. Click Update.

Creating a Policy Workflow

To create a Policy Workflow, perform the following steps:

    1. Navigate to Policy Management > Policy Workflows.
    2. Click Add Policy Workflow.
    3. In the Basic section, enter the name of the policy workflow in the Name field.
    4. In the Display Description field, enter a suitable description for the policy workflow.

    5. Click Save.
    6. The page refreshes, and the Conditions tab is displayed.
    7. Select the Conditions tab.
      1. From the Core Provider drop-down list, select the Azure MFA Core Provider created earlier in the Creating an Azure MFA Core Provider section.
    8. Click Update.

Configuring the VPN Profile

To configure the VPN profile for MFA:

  1. Navigate to Policy Management > Network.
  2. Click Add Network Policy.
  3. On the displayed screen, enter a name and description for the network policy in the corresponding fields.
  4. Click Save.
  5. The page refreshes, and the Conditions and Settings tabs appear.
  6. Select the Conditions tab.

    1. Click the Add rule and select the role you want to assign to this network policy. It is essential to select the appropriate policy workflow, as it triggers the network policy. This menu offers various rules that you can select based on your business requirements.

      NOTE: You can assign a network policy to multiple user roles.
  7. Select the Settings tab.
    1. From the Access drop-down list, select any one of the options to allow or deny authentication requests. The default value is “Allow”.
    2. To configure MFA, select the checkbox to enable MFA.
    3. From the Perform MFA Using drop-down list, select a Core Provider for MFA.
    4. Click Add Attribute.
      1. From the Dictionary drop-down list, select an option:
        • Radius: IETF This is what we will use for the following attributes, as we are using standard RADIUS attributes for VLAN assignment.
        • Custom: Used for any VSAs (Vendor-Specific Attributes).
    5. From the Attribute drop-down list, select an option.
      1. Framed-Protocol
      2. Framed-IP-Address
      3. Framed-IP-NetMask
      4. Framed-Routing
      5. Filter-Id
      6. Framed-MTU
      7. Framed-Compression
      8. Reply-Message
      9. Framed-Route
      10. Framed-IPX-Network
      11. State
      12. Class
      13. Session-Timeout
      14. Tunnel-Type
      15. Tunnel-Medium-Type
      16. Tunnel-Private-Group-ID
      17. Framed-Pool
      18. User-Name
    6. In the Value field, enter the appropriate value for the attribute.
    7. Click Save.
    8. Repeat for any other RADIUS attribute you would like to send. For reference, here is what is commonly required for VLAN Assignment:
      1. Tunnel-Medium-Type: IEE-802
      2. Tunnel-Private-Group-ID:  {VLAN Name} 
      3. Server
Tunnel-Type: VLAN
  8. Click Update.

Creating a Language Template for VPN

You can customize the Self Service Portal in any supported language so end users can easily download their credentials and configure the VPN.

To create a new language template for VPN settings:

  1. Navigate to Self Service > Templates.
  2. Click Add Template.
  3. In the Name field, type a name for the VPN template.
  4. In the Display description field, type a suitable description.
  5. In the Locale field, enter the required language (for example, for English type “en” and for Dutch, “nl”).
  6. Click Save.
  7. Click the VPN tab and enter appropriate values in the different fields.
  8. Click Save. Now, administrators can configure VPN on the Self Service Portal in the specified language.

Configuring VPN Settings

To customize settings for the VPN:

  1. Go to Self Service > Settings and click the VPN tab. The following screen is displayed.
  2. In the Basic section, select an option to set the Device Description input to mandatory, optional, or not to be displayed.
  3. Click Update. The following screen is displayed.
  4. To upload the required stylesheet, click Choose file and then click Upload.
  5. Click Update.

Since Cloud RADIUS supports token-based VPN authentication, RADIUS authentication events are displayed in Data and Monitoring > RADIUS Events.

Obtaining VPN Credentials

Once the VPN profile is published, administrators can share the VPN profile landing page link with end-users. When accessing the landing page, users can download their credentials and configure their devices for VPN using the following steps.

  1. Click the Sign In button on the VPN’s Landing Page. This opens the SAML portal configured by the Organization Administrator.
  2. Enter the appropriate username and password in the SAML portal. After successful SAML authentication, the VPN landing page is redirected.
  3. Enter the User Description, and click Next to download the VPN credentials.
  4. Click the VPN CREDENTIALS link to download the credentials.
  5. Click Next to configure the device for VPN access.
  6. Click the Internal Guide button to view the instructions for macOS or Windows.

macOS

  1. On your Mac, click the Apple logo > System Preferences > Network.
  2. Click the + button at the bottom of the left pane.
  3. In the pop-up menu, from the Interface drop-down list, select VPN.
  4. From the VPN Type drop-down list, select L2TP over IPSec.
  5. In the Service Name field, type a name for the service and then click Create.
  6. On the Network window, enter the Server Address and Account Name for the VPN connection in the respective fields. These values are available in the vpn-credentials.txt file downloaded from the SecureW2 Landing page.
  7. Click Authentication Settings. In the pop-up window, enter the password and shared secret in their respective fields. These values are available in the vpn-credentials.txt file downloaded from the SecureW2 Landing page. Click OK and then click Apply.
  8. Once the credentials are verified, you will receive an “Approve sign-in?” MFA prompt from Azure. Select Approve on the prompt on your MFA device.
  9. After multi-factor authentication (MFA) is approved, you will be connected to the VPN.

Windows

  1. Click Start, then go to Settings > Network & Internet > VPN.
  2. Click the + button to add a VPN connection.
  3. In the Add a VPN connection window:
    1. From the VPN provider drop-down list, select Windows (built-in).
    2. In the Connection name field, enter a VPN connection name (for example, My Personal VPN).
    3. In the Server name or address field, enter the VPN server’s IP address.
    4. From the VPN type drop-down list, choose L2TP/IPsec with pre-shared key.
    5. From the Type of sign-in info drop-down list, choose Username and password.
    6. In the Username (optional) and Password (optional) fields, enter the username and password and then click Save.
      Note: The Server IP, Username, Password, and Pre-shared key values are available in the VPN-credentials.txt file downloaded from the SecureW2 Landing page.
  4. On the VPN window, select the VPN connection you just created and click Connect.
  5. Once the credentials are verified, you will receive an “Approve sign-in?” MFA prompt from Azure. Select Approve on the prompt on your MFA device.

  6. After successful multi-factor authentication (MFA), you will be connected to the VPN.

More Microsoft Entra ID Explainers