AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Offline Workstation logon with YubiKeys Offline Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In
CLOSE

Using IAS/NPS for RADIUS with AuthLite

Beginning with AuthLite version 1.2, a plug-infor Microsoft's IAS (also called NPS) RADIUS service is available. Activating this plug-inautomatically makes IAS/NPS AuthLite-aware. Simply activate the plug-inand then use the IAS/NPS configuration panel to set up your connection policies.

Procedure

  • Open the AuthLite Configuration application on the Domain Member Server you wish to set up as a RADIUS server. (Before version 2.0.62 it was a requirement to use a DC).

  • Under Service Configuration, select the "IAS/NPS Plugin" item

  • Select the "Enable IAS/NPS support on this server" checkbox

  • To allow more flexibility of RADIUS clients, you can select the "Permit requests that don't send the domain name."

  • Since Microsoft's IAS/NPS configuration dialogs are not AuthLite-aware, there is one additional setting you must select here. It controls how PAP requests will be processed.

    • One-factor (OTP in password field): In this mode, the server expects the username in the username field, and an OTP in the password field. This is the configuration you want to use if AuthLite is being used to validate only the OTP factor, and another process is being used to authenticate the user's name and password. For example, this is how Citrix and Juniper's two-factor authentication works.

    • Two-factor (OTP and Password both included): In this mode, the server expects to see both an OTP and a password included in the request. The OTP can be in the username field, or combined together with the plain text password in the password field1. This is the configuration you would use when you want IAS/NPS to authenticate both factors together.

  • Apply changes

  • Restart the AuthLite service and also the IAS/NPS service. Changes are only applied after the services restart.

Notes

  • You must set up an appropriate policy in IAS/NPS to allow connections from the RADIUS client of the proper authentication type.

  • You do not need to select between PAP and MS-CHAPv2 anywhere in the AuthLite interface, but the policy you configure on IAS/NPS will allow you to select between these settings.

1   The reason for this flexibility is that some VPN servers need to see the username in order to enforce their own policy independently of the RADIUS server, or to do their own logging. But if your server does not need to know the username, then your users can enter OTP/password into the VPN client and save effort.