Asked by jkeegan123

Google Authenticator + Windows NPS: Can they work together?


I was wondering if there was any way to combine Windows NPS and Google Authenticator, or any other open-source implementation of the Time-Based One-Time Password (TOTP) RFC?

What I really want to do is enable my RADIUS-based VPN (which now uses NPS) to reach out to a provider of TOTP, OTP, or another similar protocol to enable 2-factor authentication without a subscription model. I know there are a lot of providers that do this already, but they are all just implementing an RFC to accomplish this, so if I can do this and maintain it, I'd like to try without having a subscription.

Does anyone have any experience with any of this?
Tags: Network Security, OS Security, Windows OS

Last comment: Jason Fox, 8/22/2022 (Mon)

Craig Beck

In addition to breadtan's post, you can forward OTP to a 3rd-party server using NPS - it's just a connection request policy.

@Craigbeck: Yes, definitely, this is what I want to do, and since it's an IETF standard (OTP and TOTP), I'd like to be able to forward to an open-source implementation of OTP or TOTP if one exists. It seems that several implementations may exist; I'm just not sure if NPS can use one cleanly in a supported way, or if we have to use a separate RADIUS server that itself references Active Directory as an LDAP source.

Thanks for the response.

@btan: I will look into the solutions that you have mentioned. I know the WiKID Systems product has a subscription cost per user, but I did not know that they have a community edition. I am looking for this kind of alternative, since we already have everything else in place (Cisco ASA referencing NPS without OTP/TOTP) and since we have the expertise in-house to implement and maintain such a solution.
Craig Beck

I think it should be a nice, tidy solution.

NPS could validate the AD credentials before it sends the request to the OTP server, so in the Connection Request Policy you could lock it down to only users in a specific security group. If the user isn't in that group they don't get asked for the OTP; it just fails. If the user is validated they get asked for the second password, the OTP.

Indeed, if a plugin for NPS is not available, using NPS as the authentication proxy in front of an OTP auth server is a good choice too, as mentioned by Craigbeck. Here is one using an NPS proxy to WiKID:
The user generates a one-time passcode from their WiKID software token. They enter it into the SSH password field. The credentials are passed from the SSH gateway to NPS via RADIUS. NPS validates that the user is active in AD and in the proper group. If so, it sends the username and one-time password to the WiKID Strong Authentication Server, still using RADIUS. If the OTP is valid, the WiKID server responds to the NPS, which in turn responds to the SSH gateway server and the user is granted access.

Here is another, for RemoteApps (all Windows), using Azure Multi-Factor Authentication (Azure MFA), NPS and RD Gateway. The example shared uses SMS, but Google Authenticator is possible too.
1. User logs into RD Web Access and double clicks a RemoteApp (or desktop connection)

2. The user's login credentials for the website are used to validate the user (Web SSO), so there is no need to give them again.

3. The user then gets an SMS text message on their smart device that provides them a 6-digit numeric code (the one-time password).

4. The user replies to the text message by inputting this 6-digit code and adding their unique pre-defined PIN to the end of the sequence. Azure MFA includes the option to require that the user know a predefined unique PIN as well, so that replies to a text message have to come from the user.

5. The user is authenticated, and the RemoteApp (or desktop connection) opens.

If interested, F5 shared the Google Authenticator code (the algorithm) as well, using their proxy script (an iRule) to perform the OTP generation and verification:
Google Authenticator token verification iRule
Google Authenticator token generation iRule
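To make the two halves of this thread concrete (Craig Beck's "NPS checks AD, then forwards the OTP as a second password over RADIUS" flow, and the WiKID / F5 iRule verification of a Google Authenticator code), here is an added example that is not code from this thread, from WiKID, F5 or Microsoft. It implements the RFC 4226/6238 check that Google Authenticator codes rely on (HMAC-SHA1, 30-second step, 6 digits, one step of clock drift, replay rejection) and wraps it in the minimal RADIUS/PAP exchange an OTP server would see from NPS: the Access-Request carries the OTP as the hidden User-Password, and the reply carries a Response Authenticator the proxy must verify. The user name, base32 seed, shared secret and timestamps are constructed for the demonstration.

```python
# Added example (not the thread's or any vendor's code): an RFC 6238 TOTP verifier
# (the scheme Google Authenticator implements) behind a minimal RADIUS/PAP backend of
# the kind NPS would proxy to. Users, seeds, shared secret and timestamps are constructed.
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, List, Optional, Tuple

TOTP_STEP, TOTP_DIGITS, TOTP_SKEW = 30, 6, 1            # Google Authenticator defaults; +/-1 step of drift
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # RFC 2865 attribute types


def hotp(key: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Per-user base32 seeds (what the enrolment QR code carries) plus replay protection."""

    def __init__(self, seeds: Dict[str, str]):
        self.keys = {u: base64.b32decode(s.upper()) for u, s in seeds.items()}
        self.last_counter: Dict[str, int] = {}

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        key = self.keys.get(user)
        if key is None or len(code) != TOTP_DIGITS or not code.isdigit():
            return False
        base = (int(time.time()) if now is None else now) // TOTP_STEP   # RFC 6238 counter
        for counter in range(base - TOTP_SKEW, base + TOTP_SKEW + 1):
            # constant-time compare; a counter value is accepted at most once per user (no replay)
            if hmac.compare_digest(hotp(key, counter), code) and counter > self.last_counter.get(user, -1):
                self.last_counter[user] = counter
                return True
        return False


def pap_hide(data: bytes, secret: bytes, req_auth: bytes, encrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if encrypt else chunk   # the chain always runs over the ciphertext blocks
    return out


def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    """Type/Length/Value walk with bounds checks; a bad length is an error, not an overrun."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_access_request(ident: int, user: str, otp: str, secret: bytes) -> Tuple[bytes, bytes]:
    """NAS/proxy side: the OTP travels as the PAP User-Password. Returns (packet, Request Authenticator)."""
    req_auth, u, pw = os.urandom(16), user.encode(), otp.encode()
    hidden = pap_hide(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, True)   # pad to 16n first
    body = bytes([ATTR_USER_NAME, len(u) + 2]) + u + bytes([ATTR_USER_PASSWORD, len(hidden) + 2]) + hidden
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth


def handle_access_request(packet: bytes, secret: bytes, verifier: TotpVerifier,
                          now: Optional[int] = None) -> bytes:
    """OTP-server side: unhide the PAP password, check it as a TOTP code, answer Accept or Reject."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], dict(parse_attrs(packet[20:length]))
    hidden, ok = attrs.get(ATTR_USER_PASSWORD, b""), False
    if 16 <= len(hidden) <= 128 and len(hidden) % 16 == 0:
        user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
        otp = pap_hide(hidden, secret, req_auth, False).rstrip(b"\x00").decode("utf-8", "replace")
        ok = verifier.verify(user, otp, now)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack(">BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def check_response(resp: bytes, req_auth: bytes, secret: bytes) -> int:
    """Client side: refuse a reply whose Response Authenticator does not verify; return its code."""
    want = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(resp[4:20], want):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    return resp[0]
```

The AD password and group check stay on the NPS side, as Craig Beck describes; this server only ever sees the six-digit code, so a wrong AD password never reaches it. Two things a production backend adds that this sketch leaves out: it should also require and verify the Message-Authenticator attribute (RFC 2869) rather than trusting the MD5 password hiding alone, and the User-Password hiding is only as strong as the shared secret, so the secret should be long and random and the NPS-to-OTP-server leg should stay on a trusted network or inside a tunnel.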
Jason Fox

This is a plugin for NPS, and is free ATM. http://www.wrightccs.com/support/documentation/