Using IAS/NPS for RADIUS with AuthLite
Beginning with AuthLite version 1.2, a plug-in for Microsoft's IAS RADIUS service (renamed NPS, Network Policy Server, in Windows Server 2008) is available. Activating the plug-in makes IAS/NPS AuthLite-aware: enable it, then use the normal IAS/NPS console to set up your connection policies.
Open the AuthLite Configuration application on the domain member server you want to use as the RADIUS server. (Before version 2.0.62 the RADIUS server had to be a Domain Controller.)
Under Service Configuration, select the "IAS/NPS Plugin" item.
Select the "Enable IAS/NPS support on this server" checkbox.
To accept requests from RADIUS clients that send a bare username with no domain prefix, select "Permit requests that don't send the domain name." Only enable this if a client actually needs it, since it relaxes how incoming usernames are matched.
Because Microsoft's IAS/NPS configuration dialogs are not AuthLite-aware, there is one more setting you must choose here. It controls how PAP requests are processed.
One-factor (OTP in password field): the server expects the username in the username field and an OTP in the password field. Use this when AuthLite validates only the OTP factor and another component authenticates the username and password; this is how Citrix and Juniper's two-factor authentication works.
Two-factor (OTP and password both included): the server expects both an OTP and a password in the request. The OTP can be in the username field, or combined with the plain-text password in the password field [1]. Use this when IAS/NPS should authenticate both factors together.
Restart the AuthLite service and the IAS/NPS service. Changes take effect only after both services restart.
You must also create a policy in IAS/NPS that allows connections from the RADIUS client with the proper authentication type.
There is nothing to choose between PAP and MS-CHAPv2 in the AuthLite interface; that choice is made in the policy you configure on IAS/NPS.
[1] The reason for this flexibility is that some VPN servers need to see the username so they can enforce their own policy independently of the RADIUS server, or do their own logging. If your VPN server does not need the username, users can enter OTP/password into the VPN client and save some effort.
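The following Python is an added example, not AuthLite's or Microsoft's code. It shows how the PAP modes above travel on the wire and doubles as a small RADIUS client for exercising the IAS/NPS policy from a test host: it builds an Access-Request with the PAP password obfuscation from RFC 2865 and a Message-Authenticator (RFC 2869), shows what the server sees once the password field is decrypted, and checks the Response Authenticator on the reply. The mode names, the user "alice", the OTP "123456", the shared secret and the way the OTP is concatenated with the password are assumptions for illustration; the page does not give the exact layout of the combined field, so check AuthLite's own documentation for the format your version expects.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80

def pap_credentials(mode, username, otp, password=""):
    """(User-Name, User-Password) per PAP mode; the combined layout (password then OTP) is assumed."""
    if mode == "one-factor":          # AuthLite validates only the OTP
        return username, otp
    if mode == "otp-in-password":     # two-factor, OTP combined with the password
        return username, password + otp
    if mode == "otp-in-username":     # two-factor, OTP carried in the User-Name field
        return otp, password
    raise ValueError(f"unknown mode {mode!r}")

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator       # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(ciphertext, secret, authenticator):
    """Inverse of pap_encrypt: NPS does this before the AuthLite plug-in can split the field."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, secret, username, password, nas_id="radius-test"):
    """Access-Request with a Message-Authenticator (RFC 2869 s5.14: HMAC-MD5 over the packet
    with that attribute's value zeroed). Returns (packet, request_authenticator)."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + _attr(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac), authenticator

def parse_packet(data):
    """Return (code, identifier, authenticator, {attr_type: [values]}), rejecting bad lengths."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(data[pos], []).append(data[pos + 2:pos + data[pos + 1]])
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs

def verify_message_authenticator(data, secret):
    """Server-side check: recompute the HMAC with the Message-Authenticator value zeroed."""
    mas = parse_packet(data)[3].get(MESSAGE_AUTHENTICATOR, [])
    if len(mas) != 1 or len(mas[0]) != 16:
        return False
    pos = 20
    while data[pos] != MESSAGE_AUTHENTICATOR:   # packet is already validated, so this terminates
        pos += data[pos + 1]
    zeroed = data[:pos + 2] + bytes(16) + data[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), data[pos + 2:pos + 18])

def server_view(data, secret):
    """What NPS, and so the AuthLite plug-in, sees: (User-Name, decrypted PAP password)."""
    if not verify_message_authenticator(data, secret):
        raise ValueError("Message-Authenticator check failed: wrong secret or tampered request")
    _, _, authenticator, attrs = parse_packet(data)
    return attrs[USER_NAME][0].decode(), pap_decrypt(attrs[USER_PASSWORD][0], secret, authenticator).decode()

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Access-Accept/Reject: Response Authenticator = MD5(header + request auth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(data, request_authenticator, secret):
    """Client-side check that the reply came from the holder of the shared secret."""
    expected = hashlib.md5(data[:4] + request_authenticator + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])

def send_request(host, secret, username, password, port=1812, timeout=3.0):
    """Send one PAP Access-Request to NPS and return the reply code (2 accept, 3 reject)."""
    packet, request_authenticator = build_access_request(os.urandom(1)[0], secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)
    if not verify_response(data, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return parse_packet(data)[0]
```

To exercise a policy, run this from a host that is registered as a RADIUS client in IAS/NPS, for example `send_request("nps.example.com", b"shared-secret", *pap_credentials("one-factor", "alice", "123456"))` (hostname and secret are placeholders); a reply code of 3 usually means the policy's authentication type, the client entry or the shared secret does not match what NPS expects, and a timeout usually means the client entry or a firewall rule is missing. Note that PAP protects the OTP and password only with the MD5 obfuscation above, keyed by the shared secret, so use a long random secret, restrict the NPS client entry to the VPN server's source address, and keep the Message-Authenticator in every request.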