Google Authenticator + Windows NPS: Can they work together?


I was wondering if there was any way to combine Windows NPS and Google Authenticator, or any other open-source implementation of the Time-Based One-Time Password (TOTP) RFC?

What I really want to do is enable my RADIUS-based VPN (which now uses NPS) to reach out to a provider of TOTP, OTP, or another similar protocol to enable 2-factor authentication without a subscription model.  I know there are a lot of providers that do this already, but they are all just implementing an RFC to accomplish this, so if I can do this and maintain it, I'd like to try without having a subscription.

Does anyone have any experience with any of this?
btan (Exec Consultant) commented:
I believe SecurID is still something Microsoft seems to have made it into its MSDN, as seen here.

Regardless, I am thinking there is one candidate: AuthLite.

It uses a plug-in installed into NPS that acts as a service. Since the NPS configuration dialogs are not "AuthLite-aware", there is one additional setting for 2FA (OTP and password) to set the server to expect how it is passed in: the OTP can be in the username, or combined together with the plain password. This is for a VPN that requires the username to be enforced as a login criterion, but if that is not needed it can simply remain a single field of OTP/password. It may be simpler, but AuthLite is still licensed, on a per-user basis, not per number of servers or workstations. It can also support OATH TOTP, of which Google Authenticator is an instance.

See the PDF (there is a section talking about using NPS and AuthLite, as well as OATH token setup).

Other "common" options can be:

> OpenOTP - using its RADIUS Bridge, but it can be flexible for API integration. I did not drill into that, but the discussion has this as not able to be implemented in NPS too, so probably be wary: ...!topic/rcdevs-technical/vOUoaf9s9-E

> WiKID - It can have users logging into your application or VPN with their username and WiKID one-time passcode.
It has a community version, which is attractive, but RADIUS support is not part of it except in its commercial version, which is back to the typical seat-based, per-user-per-year licensing. It can be unattractive, but it states 5 users free; probably only their tech sales can better advise whether the licence scheme still applies (likely it does).

Unless you are also thinking of a full-fledged setup, then maybe Mobile-OTP (free source) can be considered. It does need some hand-holding and setup effort.

Craig Beck commented:
In addition to breadtan's post, you can forward OTP to a 3rd-party server using NPS - it's just a connection request policy.
jkeegan123 (Author) commented:
@Craigbeck:  YES, definitely this is what I want to do, and since it's an IETF standard (OTP and TOTP), I'd like to be able to forward to an open-source implementation of OTP or TOTP if one exists. It seems that several implementations may exist; I'm just not sure if NPS can use them cleanly in a supported way, or if we have to use a separate RADIUS server that itself references Active Directory as an LDAP source.

Thanks for the response.

@btan:  I will look into the solutions that you have mentioned.  I know the WiKID system has a subscription cost per user, but I did not know that they have a community edition.  I am looking for this kind of alternative, since we already have everything else in place (Cisco ASA referencing NPS without OTP/TOTP) and since we have the expertise in-house to implement and maintain such a solution.
Craig Beck commented:
I think it should be a nice, tidy solution.

The NPS could validate the AD credentials before it sends the request to the OTP server, so in the Connection Request Policy you could lock it down to only include users in a specific security group.  If the user isn't in that group it doesn't get asked for the OTP - it just fails.  If the user is validated you'd get asked for the second password - the OTP.
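The proxy design described above (NPS checks AD group membership first, then forwards the OTP to a second RADIUS server over a connection request policy) is easier to reason about when you can see what actually crosses the wire on the forwarded leg. The following is an added example, not code from the page or from NPS, WiKID or any other product named here: it builds an RFC 2865 Access-Request with the User-Password attribute hidden the way RADIUS does it, has a stand-in OTP server unhide and check it, and verifies the Response Authenticator on the way back. The AD group, the shared secret and the "valid OTP" table are constructed for the demo; the group check and the OTP check are in-memory stand-ins for Active Directory and for a real OTP server.

```python
"""Constructed simulation of the NPS -> OTP-server RADIUS leg (RFC 2865 framing).

Not NPS or WiKID code. The AD group, shared secret and valid-OTP table are
made up for the example; a real deployment gets them from AD and the OTP server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: MD5(secret + previous block) keystream, chained XOR."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chain value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    authenticator = os.urandom(16)                      # Request Authenticator
    body = _attr(USER_NAME, user.encode()) + \
           _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)  # no attributes in this reply
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """The proxy must check this, or anyone who can spoof a UDP reply can grant access."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def otp_server(request: bytes, secret: bytes, valid_otps: dict) -> bytes:
    """Stand-in for the OTP RADIUS server: unhide the password field, compare the OTP."""
    attrs = parse_attrs(request[20:])
    user = attrs[USER_NAME].decode()
    otp = reveal_password(attrs[USER_PASSWORD], secret, request[4:20]).decode()
    ok = hmac.compare_digest(valid_otps.get(user, ""), otp)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def nps_proxy(user: str, otp: str, ad_group_members: set, otp_secret: bytes, valid_otps: dict) -> str:
    """Stand-in for the NPS connection request policy: group check first, then forward."""
    if user not in ad_group_members:
        return "reject (not in AD group, OTP server never contacted)"
    request = build_access_request(ident=7, user=user, password=otp, secret=otp_secret)
    response = otp_server(request, otp_secret, valid_otps)     # the forwarded RADIUS leg
    if not response_is_authentic(response, request, otp_secret):
        return "reject (forged or corrupted response)"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject (bad OTP)"


if __name__ == "__main__":
    SECRET = b"shared-secret-between-nps-and-otp-server"   # constructed
    GROUP = {"alice"}                                         # constructed AD group
    OTPS = {"alice": "287082"}                                # constructed "current OTP"
    print(nps_proxy("alice", "287082", GROUP, SECRET, OTPS))  # accept
    print(nps_proxy("alice", "000000", GROUP, SECRET, OTPS))  # reject (bad OTP)
    print(nps_proxy("bob", "287082", GROUP, SECRET, OTPS))    # reject (not in group)
```

Two things worth noticing: the User-Password hiding is MD5-keystream XOR keyed only by the shared secret, so the RADIUS leg between NPS and the OTP server still wants a strong secret and ideally a dedicated network or IPsec; and the proxy only trusts an Access-Accept whose Response Authenticator matches the request it actually sent, which is what stops a spoofed reply from turning into a VPN session.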
btan (Exec Consultant) commented:
Indeed, if a plugin for NPS is not available, using NPS as the proxy authentication to an OTP auth server is a good choice too, as mentioned by Craigbeck. Here is one using NPS proxy to WiKID:
The user generates a one-time passcode from their WiKID software token. They enter it into the SSH password field. The credentials are passed from the SSH gateway to NPS via radius. NPS validates that the user is active in AD and in the proper group. If so, it sends the username and one-time password to the WiKID Strong Authentication Server still using Radius. If the OTP is valid, the WiKID server responds to the NPS, which in turn responds to the SSH gateway server and the user is granted access.

Here is another, for RemoteApps (all Windows) using Azure Multifactor Authentication (Azure MFA), NPS and RD Gateway; the example shared uses SMS, but Google Authenticator is possible too.
1. User logs into RD Web Access and double clicks a RemoteApp (or desktop connection)

2. The user's login credentials for the website are used to validate the user (Web SSO), so no need to give them again.

3. The user then gets an SMS text message on their smart device that provides them a 6 digit numeric code (the one-time password).

4. The user replies to the text message by inputting this 6 digit code and adding their unique pre-defined PIN to the end of the sequence – Azure MFA includes the option to require the user know a predefined unique PIN as well, so that replies to a text message have to come from the user.

5. The user is authenticated, and the RemoteApp (or desktop connection) opens.

If interested, F5 shared the Authenticator code (algorithm) as well (using their proxy/script (iRule), of course, to perform the OTP):
Google Authenticator token verification iRule
Google Authenticator token generation iRule
Jason Fox commented:
This is a plugin for NPS, and is free ATM.