Integrations/RADIUS Server/microsoft-nps
NPS · RRAS · Always On VPN

MFA for Microsoft NPS

Microsoft NPS is the RADIUS server most Windows shops already run — fronting RRAS, Always On VPN, RD Gateway, and 802.1X Wi-Fi, tied straight to Active Directory. It does primary auth well but has no native MFA. Authnull installs as an NPS extension that fires after the primary check, adding a phishing-resistant factor across everything NPS authenticates. You run the installer on the NPS server, register it, and your existing connection-request and network policies gain MFA without being rebuilt.

At a glance
VendorMicrosoft
Connects viaNPS extension
ProtectsVPN, RD Gateway & Wi-Fi
DeploymentAgentless
Setup time20 minutes
No rip-and-replace — sits in front of your existing setup
How Authnull connects

Microsoft NPS forwards the login; Authnull adds the factor.

Microsoft NPS
user connects
Authnull
NPS extension
Directory
AD / LDAP
User device
approve factor

NPS validates the credential against AD, then calls the Authnull extension, which challenges for the factor and returns the result before NPS issues Access-Accept. Because it hooks NPS itself, every policy that NPS serves is covered at once.

Setup

Configure MFA for Microsoft NPS

Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 20 minutes.

1

Install the Authnull NPS extension

Download and run the Authnull NPS extension installer on each NPS server you want to protect.

PowerShell
msiexec /i AuthnullNpsExtension.msi /quiet
# then register with your tenant
.\AuthnullNpsConfig.ps1 -TenantId <id>
2

Register and restart NPS

Run the configuration script to bind the extension to your Authnull tenant, then restart the Network Policy Server service.

PowerShell
Restart-Service IAS
3

Confirm your network policy

Make sure the network policy that grants VPN/Wi-Fi access targets the correct AD group — the extension applies MFA to whatever that policy permits.

NPS → Policies → Network Policies
4

Test from a client

Connect through RRAS, Always On VPN, or RD Gateway with a test account and approve the factor. Check the NPS event log for the extension result.

Reference — connection values
IntegrationNPS extension
Runs afterPrimary AD auth
ScopeAll NPS policies
ServiceIAS

Closes the MFA gap auditors look for

Enforcing MFA on Microsoft NPS gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.

Related integrations

Browse all
Fortinet FortiGateVPN & FirewallCisco AnyConnectVPNPalo Alto GlobalProtectVPNSonicWallVPN & Firewall

Add MFA to Microsoft NPS — free to start.

Spin up Authnull, point Microsoft NPS at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.

Get in touch