MFA on your VPN, firewalls, and Wi-Fi — over RADIUS.
Authnull drops in front of the RADIUS you already run — Cisco ISE, Microsoft NPS, or FreeRADIUS — and adds phishing-resistant MFA to every network logon. No rip-and-replace, no endpoint agents.
Built on the RADIUS servers you already trust.
Authnull speaks standard RADIUS, so it sits in front of — or alongside — the server you run today. Keep your policies; add the factor.
Cisco ISE
Layer MFA onto existing ISE policy sets for VPN, 802.1X, and TACACS+ device admin without re-architecting your deployment.
Cisco ISE setup
Microsoft NPS
Add MFA to the NPS extension path you already use for RRAS, Always On VPN, and RD Gateway — tied to your AD groups.
Microsoft NPS setup
FreeRADIUS
Proxy realms through Authnull or call us from a policy module — the open-source path our team knows deepest.
FreeRADIUS setup
One factor in front of every network logon.
If it authenticates over RADIUS, Authnull can put MFA on it — from the remote-access VPN to the switch console in the closet.
VPNs & remote access
AnyConnect, GlobalProtect, FortiClient, OpenVPN — MFA on every remote session.
Firewalls
Admin and SSL-VPN logins on Palo Alto, Fortinet, SonicWall, and WatchGuard.
Switches & routers
MFA on device admin over RADIUS and TACACS+ — Cisco IOS, Juniper, Arista.
Wi-Fi (802.1X)
Certificate + factor for enterprise WPA2/3 on Meraki, Aruba, Ruckus, UniFi.
Network device admin
Protect privileged CLI and management-plane access across the fleet.
Anything that speaks RADIUS
Storage controllers, hypervisors, OOB/iDRAC — if it has a RADIUS client, it's covered.
Four steps from connect to challenge.
Authnull sits inline on the RADIUS exchange. The user's primary login is validated, then a second factor is requested over Access-Challenge — standard RADIUS, no client changes.
The user connects. The VPN or NAS forwards the username and password to Authnull as a standard RADIUS Access-Request.
Authnull validates the primary credentials against your directory — or hands off to your existing ISE/NPS policy — and confirms who's connecting.
A second factor is requested — push approval, TOTP, or a security key. The user approves on their device in seconds.
Factor verified, Authnull returns Access-Accept and the session is established. A denied or timed-out factor returns Access-Reject — logged for audit.
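The four-step exchange above, modelled as an added example (not Authnull's code): a toy in-memory server that uses the RFC 2865 reply codes, issues an Access-Challenge with a State attribute, and checks an RFC 6238 TOTP on the follow-up Access-Request. The class name, the sample directory, the 60-second challenge timeout and the one-step skew window are assumptions, and RADIUS wire encoding is left out.

```python
import base64, hashlib, hmac, secrets, struct, time

# RFC 2865 packet codes
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CHALLENGE_TTL = 60  # seconds a challenge stays answerable (assumed value)

# Constructed sample directory: user -> (password, base32 TOTP seed).
# The seed is the RFC 6238 test key "12345678901234567890".
USERS = {"alice": ("correct horse", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")}

def totp(seed_b32, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(base64.b32decode(seed_b32), counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class MfaRadius:
    def __init__(self):
        self.pending = {}  # State value -> (username, expiry time)

    def handle(self, user, password, state=None, now=None):
        """Process one Access-Request; return (reply code, attributes)."""
        now = time.time() if now is None else now
        if state is None:
            # Steps 1-2: first request, check the primary credentials.
            known = USERS.get(user)
            if known is None or not same(known[0], password):
                return ACCESS_REJECT, {}
            # Step 3: ask for the factor; State binds the reply to this login.
            state = secrets.token_bytes(16)
            self.pending[state] = (user, now + CHALLENGE_TTL)
            return ACCESS_CHALLENGE, {"State": state, "Reply-Message": "Enter OTP"}
        # Step 4: second request echoes State and carries the OTP in
        # User-Password. pop() makes each State single-use.
        who, expiry = self.pending.pop(state, (None, 0))
        if who != user or now > expiry:
            return ACCESS_REJECT, {}  # unknown, replayed or timed-out challenge
        seed = USERS[user][1]
        # Accept the current and previous time step to tolerate clock skew.
        ok = any(same(totp(seed, now - d), password) for d in (0, 30))
        return (ACCESS_ACCEPT if ok else ACCESS_REJECT), {}
```

A production server also has to handle the shared secret, validate Message-Authenticator, and remember used OTPs, none of which this sketch covers.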
Step-by-step setup for the gear you run.
Every device below has a dedicated page with real configuration steps — the exact RADIUS settings, attributes, and screenshots.
Factors that travel over RADIUS Challenge.
Push and TOTP work inline on any RADIUS client; security keys and passkeys where the access device supports them.
RADIUS MFA, answered.
What is RADIUS MFA?
RADIUS MFA adds a second factor to any device that authenticates over the RADIUS protocol — VPNs, firewalls, switches, and Wi-Fi. Authnull validates the primary login, then requests the factor over a standard RADIUS Access-Challenge before returning Access-Accept, so no changes are needed on the access device.
Does Authnull work with Cisco ISE, Microsoft NPS, and FreeRADIUS?
Yes. Authnull speaks standard RADIUS and sits in front of — or alongside — Cisco ISE, Microsoft NPS, and FreeRADIUS. You keep your existing policy sets and AD group mappings; Authnull adds the second factor. It can also run as your RADIUS server outright if you'd rather not maintain one.
Can I add MFA to my VPN without replacing my RADIUS server?
Yes. Authnull proxies the RADIUS exchange, so your VPN keeps pointing at the same RADIUS endpoint and your server keeps doing primary auth. Nothing is ripped out — you're adding a factor inline, and you can roll it back just as easily.
Which VPNs, firewalls, and Wi-Fi controllers are supported?
Any RADIUS client works. We publish step-by-step guides for Cisco AnyConnect and ASA, Palo Alto GlobalProtect, Fortinet, SonicWall, WatchGuard, OpenVPN, Citrix, and 802.1X Wi-Fi on Meraki, Aruba, Juniper, and UniFi — with the exact attributes and settings.
Does it support inline OTP over Access-Challenge?
Yes. For clients that support it, Authnull prompts for an OTP inline using RADIUS Access-Challenge. Where a client can't display a prompt, push approval delivers the factor out-of-band — both return a clean Access-Accept on success.
How long does it take to set up?
Most teams add Authnull as a RADIUS target, point one VPN or test NAS at it, and enforce MFA on a pilot group the same afternoon — then widen device by device using the integration guides.
Put MFA in front of your network this week.
Start free and point a test VPN at Authnull, or have us map your RADIUS estate in 20 minutes.