Enabling MFA on Microsoft SSTP VPN

User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active
 
Details
Category: Blog
Published: Saturday, 03 October 2020 15:37
Written by Lars Berntzon
Hits: 2755

By turning on MFA for the microsoft SSTP VPN solution you will greatly improve the security since it basically stops anyone on internet from trying to login, they will also need the second factor to get it. With O365 you can turn on MFA authentication for most services including VPN (for a fee of course).

First follow this page: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

Note that the Microsoft link for downloading the extension does not work, it only gives you a download to a release-notes file. This is a working link at time of writing this: https://www.microsoft.com/en-in/download/details.aspx?id=54688

Also during the running the ps-script you must select "yes" for trusting untrusted repos.

Problems that can occur:

If the script  .\AzureMfaNpsExtnConfigSetup.ps1, fails complaining it can not connect to MSOOnline, try to test that separate step by running from powershell:

Connect-MsolService

If that fails complaining about not being able to connect to the powershell gallery, try the below:

 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Another problem often occuring on windows servers is that IE, that is as the default html browser, is locked down so hard it can't open any pages at all. I suggest turning this off temporary during installtion for administrators. This is done via server manager -> "Configure this local server" and there turn off "IE Enhanced Security Configuration".

Something that microsoft kind of not mention so much is that you MUST use the authenticator app, not not use one-time passwords, but allowing access by accepting via the app. I struggled for month to get this working when I realized that this was the problem.

Make sure you follow the steps below:

1. The NPS must be running on another server than the machine running the RRAS. This is because the plugin for NPS otherwise causes an infinite loop of authentications.

2. You need to create a firewall rule to allow UDP-port 1812 through. Microsoft does create such a rule when NPS is installed, but as is tradition with Microsoft tools - that rule does not work. To be sure, create also an outbount rule.

3. On windows 2019 and later you need to add some magical registry hacks on the RAS server to allow it to talk to the DHCP for getting addresses for its connecting clients:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v RequiredPrivileges /d "SeChangeNotifyPrivilege"\0"SeCreateGlobalPrivilege"\0"SeImpersonatePrivilege"\0 /t REG_MULTI_SZ /f

NOTE! Restart the server after adding this regkey.