Hello there!

Need Help? We are right here!

miniOrange Email Support

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com

2FA for VPN Login

miniOrange 2-factor authentication adds a 2nd layer of authentication when you are gaining access to protected resources through a VPN.This solution ensures that you are ready to roll out secure access to VPN to your employees within minutes.


If you are using a Virtual Private Network ( VPN ) to allow your users to connect over a public network, enhancing the security becomes a concern since users gain access to sensitive digital assets. miniOrange can be of great value here by providing 2-factor Authentication on top of VPN Authentication. This secures the access to protected resources instead of relying on only the VPN username / password.

What is RADIUS?

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides client authentication and authorization. It enables remote access servers to communicate with a server to authenticate users and authorize their access to the requested system or service.


The RADIUS client is typically a NAS ( Network Access Server ) which is responsible for passing user information to designated RADIUS servers, and then based on the response which is returned, authenticates or rejects login to the user.


RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to authenticate the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

Authentication Protocols

The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP, EAP-TLS, EAP-TTLS and EAP-PEAP.


Transactions between the client and RADIUS accounting server are authenticated through the use of a shared secret, which is never sent over the network.

Authentication Protocols and Password Compatibility

Clear-text NT hash(ntlm_auth) MD5 hash Salted MD5 hash SHA1 hash Salted SHA1 hash Unix Crypt
Cisco LEAP

miniOrange 2FA for VPN Login

miniOrange accomplishes this by acting as a RADIUS server, that accepts the username/password of the user entered as a RADIUS request, validates the user against the user store as Active Directory ( AD ), prompts him for the 2-factor authentication and either grants/revokes access based on the input by the user.

Types of 2FA Authentications with RADIUS

The 2-factor authentication can be of two types depending on the VPN clients.

Steps to configure your RADIUS Client with miniOrange

  • Step 1: Add the Radius Client in miniOrange

    1. Login to the admin dashboard.

    2. Navigate to Apps >> Manage Apps in the left navigation bar.

    2fa vpn

    3. Click on Configure Apps.

    2fa vpn

    4. Go to Radius applications tab and select Radius Server app. Click on Add App button.

    2fa vpn

    5. Enter the radius Client Name, Client IP and Shared Secret which you will need to configure in radius client as well.

    2fa vpn

    6. Click on Save button.

  • Step 2: Setup LDAP authentication

    1. Go to User Stores menu and click on Add User Store button.

    2fa vpn

    2fa vpn

    2. Configure your LDAP settings.

    2fa vpn

    3. Make sure to keep the below options enabled.

    2fa vpn

    4. Click on Save.

    5. After you save, click on Test Configuration to verify your LDAP settings

    2fa vpn

  • Step 3: Enable 2 factor authentication

    1. Go to Policies tab and click on App Authentication Policy.

    2fa vpn

    2. Go to Add Policy tab and add policy for application added in step 1.

    2fa vpn

  • Step 4: Configure RADIUS client

    You can configure your radius client with details below:

    Radius Server IP / Host : IP or domain name of server where you have installed miniOrange.

    Server Port : 1812

    Shared Secret : Configured in Step 1.

Steps to configure the miniOrange RADIUS Server with your RADIUS Client

The configuration at the RADIUS client's side depends on the VPN Client. OpenVPN has been demonstrated as an example here.

    1. Login to the OpenVPN admin dashboard.

    2fa vpn

    2. Navigate to Authentication >> General in the left navigation bar. Select RADIUS and save the settings.

    2fa vpn

    3. Navigate to Authentication >> RADIUS in the left navigation bar. Select PAP as the RADIUS authentication method.
    In the RADIUS Settings below, enter the Radius Server IP / Host as the IP or domain name of server where you have installed miniOrange, Server Port as 1812 and Shared Secret configured in the previous step.

    2fa vpn

    4. Click on Save Settings.

This is how the actual VPN login with 2FA works.

    1. Connect to OpenVPN by entering the hostname of the server.

    2fa vpn

    2. Enter your AD username & password and click on Connect.

    2fa vpn

    3. Now, you are prompted for the 2-factor authentication code. Enter the code and click on Continue.

    2fa vpn

    4. After successful validation, you are connected.

    2fa vpn

Popular RADIUS Clients miniOrange integrates with:

Other solutions we support:

Why Our Customers choose miniOrange Secure Identity Solutions ?

24/7 Support

miniOrange provides 24/7 support for all the Secure Identity Solutions. We ensure high quality support to meet your satisfaction.

Try Now

Affordable Pricing

miniorange provides most affordable Secure Identity Solutions for all type of use cases and offers different packages based on customer's requirement.

Request A Quote

We offer Secure Identity Solutions for Single Sign-On, Two Factor Authentication, Adaptive MFA, Provisioning, and much more. Please contact us at -

   +1 978 658 9387 (US)   ,   +91 97178 45846 (India)    |       info@xecurify.com