miniOrange 2FA for VPN Login
miniOrange accomplishes this by acting as a RADIUS server, that accepts the username/password of the user entered as a RADIUS request, validates the user against the user store as Active Directory ( AD ), prompts him for the 2-factor authentication and either grants/revokes access based on the input by the user.
Types of 2FA Authentications with RADIUS
The 2-factor authentication can be of two types depending on the VPN clients.
VPN Clients that support RADIUS Challenge.
In this case, there are two requests. The initial one is with the user's username/password that is validated against the credentials stored in Active Directory. After the first request sends a success response, a challenge request is sent to validate the 2-factor authentication of the user( for eg, in the case of OTP Over Email, an One Time Passcode is sent to the user's email ). The user validates the second factor after which he is granted access to the application.
Authentication methods that can be used:
- All Authentication methods supported by miniOrange. Software Token, Push Notification, OTP over Email to name a few.
RADIUS Clients that support this authentication type:
- OpenVPN
- Palo Alto
VPN Clients that do not support RADIUS Challenge.
Further down, there are two types of authentication in this:
1. The user enters the username + password and after validation, he is prompted for the 2-factor authentication code in the next screen.
2. The user is prompted for the 2-factor authentication in the initial login screen along with his username and password.
In both of the above cases, miniOrange accepts the request and validates the username/password first and then the 2-factor code entered by the user.
Authentication methods that can be used:
- Soft Token
- OUT OF BAND EMAIL
- OUT OF BAND SMS
RADIUS Clients that support this authentication type:
- AWS AD Connector
- Palo Alto
Steps to configure your RADIUS Client with miniOrange
Step 1: Add the Radius Client in miniOrange
1. Login to the admin dashboard.
2. Navigate to Apps >> Manage Apps in the left navigation bar.
3. Click on Configure Apps.
4. Go to Radius applications tab and select Radius Server app. Click on Add App button.
5. Enter the radius Client Name, Client IP and Shared Secret which you will need to configure in radius client as well.
6. Click on Save button.
Step 2: Setup LDAP authentication
1. Go to User Stores menu and click on Add User Store button.
2. Configure your LDAP settings.
3. Make sure to keep the below options enabled.
4. Click on Save.
5. After you save, click on Test Configuration to verify your LDAP settings
Step 3: Enable 2 factor authentication
1. Go to Policies tab and click on App Authentication Policy.
2. Go to Add Policy tab and add policy for application added in step 1.
Step 4: Configure RADIUS client
You can configure your radius client with details below:
Radius Server IP / Host : IP or domain name of server where you have installed miniOrange.
Server Port : 1812
Shared Secret : Configured in Step 1.
Steps to configure the miniOrange RADIUS Server with your RADIUS Client
The configuration at the RADIUS client's side depends on the VPN Client. OpenVPN has been demonstrated as an example here.
1. Login to the OpenVPN admin dashboard.
2. Navigate to Authentication >> General in the left navigation bar. Select RADIUS and save the settings.
3. Navigate to Authentication >> RADIUS in the left navigation bar. Select PAP as
the RADIUS authentication method.
In the RADIUS Settings below, enter the Radius Server
IP / Host as the IP or domain name of server where you have installed miniOrange, Server
Port as 1812 and Shared Secret configured in the previous step.
4. Click on Save Settings.
Demonstration of miniOrange 2FA for VPN Login
This is how the actual VPN login with 2FA works.
1. Connect to OpenVPN by entering the hostname of the server.
2. Enter your AD username & password and click on Connect.
3. Now, you are prompted for the 2-factor authentication code. Enter the code and click on Continue.
4. After successful validation, you are connected.
Popular RADIUS Clients miniOrange integrates with:
- Palo Alto
The users enter their AD credentials to log in to Palo Alto, the Radius Client, and after the username/password validation, an One Time Passcode is sent to the user's mobile number. The user enters the One Time passcode received, which is validated by miniOrange to gain/deny access to the user.
- OpenVPN
The users enter their AD credentials and the 2FA code ( Software Token ) to log in to OpenVPN, the Radius Client, and after the username/password validation, are prompted for the 2-factor authentication. Post validation of 2nd factor, users are logged in to OpenVPN.
- AWS AD Connector
- FortiNet
The users enter their AD credentials to log in to FortiNet, and after the username/password validation, an push notification is sent to the user's mobile, that he needs to accept to get logged in to AWS.
Other solutions we support:
- 2 Factor Authentication for Remote Desktop Service
- Windows Authentication for SSO into connected applications hosted cloud/on-premise
- Desktop single sign-on using LDAP Gateway
- LDAP Proxy
- Support for multiple Active Directories as user stores for the purpose of SSO
- Sync between external LDAP directory and miniOrange IdP
Please contact us at info@miniorange.com to for more details.