Apply MFA for VPN

Secure VPN access with Multi-Factor Authentication (MFA). Connections can be protected for VPN servers compatible with RADIUS Challenge, or for VPN servers like Microsoft’s Routing and Remote Access Service (RRAS) with several configuration options.

Published October 28, 2025

Introduction

UserLock enforces MFA on VPN connections through its integration with the Microsoft Network Policy Server (NPS).

Two main configurations are possible, depending on your VPN environment:

  • VPNs supporting RADIUS Challenge:
    MFA is applied directly through a standard RADIUS flow.

  • VPNs supporting RADIUS authentication and accounting:
    Solutions like Microsoft’s Routing and Remote Access Service (RRAS) can use several methods to handle MFA, depending on your configuration and user experience goals. The most seamless approach is to use UserLock VPN Connect, a dedicated client that automatically manages MFA prompts for VPN connections.

The following summarizes the available methods (VPN environment, MFA method, user experience) and their relative ease of use:

  • VPN supporting RADIUS Challenge
    MFA method: MFA prompt appears after user credentials
    User experience:
      ✅ Simple setup and clear MFA prompt
      ⚠️ Users must be enrolled

  • Microsoft RRAS with UserLock VPN Connect
    MFA method: Dedicated UserLock VPN client handles MFA automatically
    User experience:
      ✅ Seamless experience
      ✅ Users can enroll through the UserLock VPN Connect tool

  • Microsoft RRAS with MS-CHAPv2 authentication
    MFA method: MFA code entered in the username field
    User experience:
      ⚠️ Manual entry, risk of user error
      ⚠️ Users must be enrolled

  • Microsoft RRAS with PAP authentication
    MFA method: MFA code entered in the password field
    User experience:
      ⚠️ Manual entry, risk of user error
      ⚠️ Users must be enrolled

Note

L2TP, SSTP, and PPTP are VPN types supported by Microsoft RRAS.
When using PAP authentication, make sure the VPN tunnel is encrypted (e.g., with L2TP/IPSec or SSTP).
Avoid PPTP, which does not provide sufficient security.

Step 1. Install the NPS agent

  1. In the UserLock console, go to Environment ▸ Machines.

  2. Locate your NPS server, then click Install in the NPS agent column.


  3. Restart both the RemoteAccess and IAS services on the NPS host.

  4. Connect once to the VPN and confirm that the user’s VPN session appears in the Activity page in the UserLock console.

This confirms that the NPS agent is correctly installed and communicating with the UserLock service.

For more information, see the guide to install the NPS agent.

Step 2. Apply MFA to VPN sessions

  1. Open the UserLock Console and go to Access Policies ▸ Add Policy.

  2. Follow the general steps described in Configure an access policy until you reach the Policy type selection.

  3. Choose Multi-factor authentication to open the MFA policy form.

  4. Set MFA application to Enabled.

  5. Choose configuration mode:

    • All at once (same settings for all session types)

    • Distinct setting per session type (recommended, so you can configure MFA separately for VPN connections).

  6. Configure VPN session rules

    • For Connection type, choose whether MFA applies to all VPN logons, only remote ones, or only from outside IPs.

    • For MFA frequency, select how often MFA is required (at every logon, at first logon of the day, when connecting from a new IP, etc.).

  7. Save the rules
    The policy is now active and will enforce MFA on VPN connections.

Note

For the detailed meaning of the Connection type and MFA frequency options, see the MFA policies reference.

Method A. VPN supporting RADIUS Challenge

VPNs supporting RADIUS Challenge show a second MFA prompt after credentials.
Both RADIUS authentication and accounting must use the NPS server, with PAP authentication enabled.

Note
  • Supported VPNs include OpenVPN, Palo Alto, Fortinet, and Pulse Secure.

  • ⚠️ For Push MFA, UserLock waits up to 5 minutes for validation. If no response, a challenge prompt appears for the user to enter an OTP code manually.

Configuration

  1. In the UserLock console ▸ Server settings ▸ Advanced ▸ Multi-Factor Authentication, set: MFA VPN Challenge = True

  2. Ensure your VPN server uses PAP as the authentication protocol.

User experience

  1. The user connects to the VPN and enters credentials.


  2. The VPN prompts for an OTP or Push confirmation.


  3. Access is granted once MFA is successfully validated.

Method B. RRAS with VPN Connect

For Microsoft RRAS servers or VPN servers compatible with the Microsoft VPN client, you can use the UserLock VPN Connect app, which provides a seamless MFA workflow and enrollment.

Configuration

  1. Deploy the VPN Connect app on client computers.

  2. Install the UserLock MFA IIS module to allow remote enrollment.

  3. Configure the RRAS server to use RADIUS authentication with your NPS server.

User experience

  • On the first VPN connection, the app detects missing enrollment and opens the UserLock MFA registration page (via the UserLock MFA IIS module).


  • Users register and select their preferred authentication method (Push or OTP).

  • On subsequent logons, MFA is requested automatically, either via Push approval or OTP entry.

Method C. RRAS using MS-CHAPv2

When using MS-CHAPv2, users can append their MFA code directly to the username during authentication.

NPS Server configuration

  1. Ensure a valid policy grants VPN access to the appropriate users.

  2. Add the corresponding Active Directory group under Conditions.

VPN Client configuration

  • VPN type: Automatic

  • Authentication: MS-CHAPv2

User experience

At login, users must enter:

  • Username: DOMAIN\user,123456

  • Password: password

Note
  • ✅ Separate the username and MFA code with a comma.

  • 💡 Enter the MFA code last, as it changes periodically.

  • 🔑 For TOTP/HOTP tokens, type the comma, then press the key to input the OTP.

Method D. RRAS using PAP

If the VPN uses PAP, the MFA code must be added to the password field.

Note

⚠️ Use this method only when encryption is already applied (for example, L2TP/IPSec or SSTP).

Do not use PAP with PPTP.

Server configuration

  1. On the NPS server, select only Unencrypted authentication (PAP, SPAP).

  2. In RRAS:

    • Configure a pre-shared key for L2TP.

    • Select PAP as the authentication method.

VPN client configuration

  • Connection type: L2TP with IPSec

  • Enter the pre-shared key.

  • Authentication: PAP

User experience

At login, users must enter:

  • Username: <Domain>\<username>

  • Password: <password>,<MFA code>

Note
  • ✅ Separate the password and MFA code with a comma.

  • 💡 Enter the MFA code last, as it changes periodically.

  • 🔑 For TOTP/HOTP tokens, type the comma, then press the key to input the OTP.

RRAS Timeout configuration

When using MFA Push with VPN RRAS, both the VPN client timeout and the RADIUS server timeout must be longer than the MFA push timeout defined in UserLock.
This ensures the VPN connection remains active while the user validates the push notification.

  • VPN client timeout (Microsoft VPN)

    On the client computer, adjust the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\MaxConfigure

    • Type: REG_DWORD

    • Value: Timeout in seconds (default: 10)

  • RADIUS server timeout (RRAS)

    On the RRAS server, the RADIUS timeout can be configured in the RADIUS server settings.

    Note

    If NPS is installed on the same server as RRAS, this timeout cannot be changed in the RRAS administration console.
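As an added example (not from the UserLock documentation), the following PowerShell sets the MaxConfigure value described above on a Windows VPN client, treating it as the timeout in seconds the page describes and only raising it when it does not already exceed the push timeout. The push timeout value and the 30-second margin are assumptions; adjust them to the push timeout configured in UserLock. Run it in an elevated session on the client computer.

```powershell
# Added example: make the Microsoft VPN client's PPP timeout outlive the UserLock MFA push timeout.
# The value semantics (timeout in seconds, default 10) follow the documentation above.
param(
    [int]$PushTimeoutSeconds = 120   # assumed value: set to the push timeout defined in UserLock
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP'
$ValueName = 'MaxConfigure'
$Margin    = 30                                  # assumed safety margin over the push timeout
$NewTimeout = $PushTimeoutSeconds + $Margin

# Read the current value; when the value is absent, the documented default (10 s) applies.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) { $current = 10 }
Write-Host "Current ${ValueName}: $current seconds"

if ($current -le $PushTimeoutSeconds) {
    # REG_DWORD as required; -Force creates the value if it does not exist yet, or overwrites it.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $NewTimeout -PropertyType DWord -Force | Out-Null
    Write-Host "Set ${ValueName} to $NewTimeout seconds (must exceed the $PushTimeoutSeconds s push timeout)."
} else {
    Write-Host "${ValueName} already exceeds the push timeout; no change made."
}
```

The RADIUS server timeout on the RRAS side is a separate setting and is not touched by this script; check it in the RRAS console as described above.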

Limitations and workarounds

After enabling MFA for VPN sessions, users may be prompted again for credentials when accessing shared folders over VPN.

To avoid this, if the client machine is a member of the Active Directory domain:

  1. On the client machine, open:

    %USERPROFILE%\AppData\Roaming\Microsoft\Network\Connections\Pbk

  2. Edit the rasphone.pbk file.

  3. Set this value in the section related to the VPN connection:

    UseRasCredentials=0
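As an added example (not from the UserLock documentation), this PowerShell script applies the rasphone.pbk change above for one named VPN entry, leaving every other entry in the phonebook untouched and keeping a backup of the file. The connection name 'Corp VPN' is an assumed value; %USERPROFILE%\AppData\Roaming is the same folder as $env:APPDATA. If the section exists but has no UseRasCredentials line, the script adds one (an assumption about the file layout, since the phonebook normally already carries the key).

```powershell
# Added example: set UseRasCredentials=0 in the [<connection>] section of rasphone.pbk,
# so Windows does not reuse the VPN credentials (which now carry an MFA code) for shared folders.
param(
    [string]$ConnectionName = 'Corp VPN',   # assumed name of the VPN phonebook entry
    [string]$PbkPath = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

if (-not (Test-Path -LiteralPath $PbkPath)) {
    throw "Phonebook not found: $PbkPath"
}

# Keep a backup before editing a file the RAS client depends on.
Copy-Item -LiteralPath $PbkPath -Destination "$PbkPath.bak" -Force

$lines    = Get-Content -LiteralPath $PbkPath
$output   = New-Object System.Collections.Generic.List[string]
$inTarget = $false   # true while inside the [ConnectionName] section
$found    = $false   # the section was seen at all
$keySeen  = $false   # UseRasCredentials was seen inside the target section
$changed  = $false

foreach ($line in $lines) {
    if ($line -match '^\[(.*)\]\s*$') {
        # Leaving the target section without having seen the key: add it (assumed layout).
        if ($inTarget -and -not $keySeen) { $output.Add('UseRasCredentials=0'); $changed = $true }
        $inTarget = ($Matches[1] -eq $ConnectionName)
        if ($inTarget) { $found = $true }
        $output.Add($line)
        continue
    }
    if ($inTarget -and $line -match '^UseRasCredentials=') {
        # Only the target connection's value is rewritten; other entries stay as they are.
        $keySeen = $true
        if ($line -ne 'UseRasCredentials=0') { $changed = $true }
        $output.Add('UseRasCredentials=0')
        continue
    }
    $output.Add($line)
}
# Target section was the last one in the file and had no key.
if ($inTarget -and -not $keySeen) { $output.Add('UseRasCredentials=0'); $changed = $true }

if (-not $found) { throw "No [$ConnectionName] section in $PbkPath" }

if ($changed) {
    Set-Content -LiteralPath $PbkPath -Value $output
    Write-Host "UseRasCredentials set to 0 for '$ConnectionName' (backup: $PbkPath.bak)."
} else {
    Write-Host "UseRasCredentials already 0 for '$ConnectionName'; file unchanged."
}
```

Run it as the user who owns the VPN entry (the phonebook lives under that user's roaming profile), and reconnect the VPN afterwards so the new setting is picked up.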

Overview

UserLock enforces MFA on VPN connections by integrating with the Microsoft Network Policy Server (NPS).

Depending on your VPN setup, MFA can be applied in two ways:

  • RADIUS Challenge — The recommended option for VPN clients that support RADIUS Challenge. After entering credentials, users are prompted to verify with their OTP code.

  • RRAS method — For Microsoft VPN connections (L2TP, SSTP, PPTP). Users enter their MFA code directly in the username or password field.

Note

💡 To simplify user enrollment and authentication for RRAS, you can use the UserLock VPN Connect app, which provides a modern interface and automatic MFA handling.

Prerequisites

Before configuring MFA for VPN:

  • ✅️ A Network Policy Server (NPS) with the latest UserLock NPS agent.

  • ✅️ RADIUS Challenge: VPN connections must be managed by a VPN server that supports RADIUS Challenge, with RADIUS authentication and RADIUS accounting both configured to use the NPS server. The required authentication protocol is PAP.

  • ✅️ Users must be enrolled for MFA before connecting (unless they use the VPN Connect app with RRAS).

Step 1. Install the NPS agent

  1. Run the UserLock console.

  2. In the Environment ▸ Machines page, go to the line of the NPS server. In the NPS agent column, open the agent button and click Install.

  3. Restart the RemoteAccess and IAS services on the NPS server (more information here).

  4. Before enabling MFA, connect to the VPN and make sure the user’s VPN session is visible in the UserLock console.

Step 2. Apply MFA to VPN sessions

To enforce MFA on VPN connections, you need to create a new access policy.

👉️ Follow the general steps described in Configure an access policy until you reach the Policy type selection. At this step, choose Multi-factor authentication.

You then arrive at the MFA rules form.

  1. Set MFA application to Enabled.

  2. Choose configuration mode:

    • All at once (same settings for all session types)

    • Distinct setting per session type (recommended, so you can configure MFA separately for VPN connections).

  3. Configure VPN session rules

    • For Connection type, choose whether MFA applies to all VPN logons, only remote ones, or only from outside IPs.

    • For MFA frequency, select how often MFA is required (at every logon, at first logon of the day, when connecting from a new IP, etc.).

  4. Save the rules
    The policy is now active and will enforce MFA on VPN connections.

Note

For the detailed meaning of the Connection type and MFA frequency options, see the MFA policies reference.

Step 3. Configure for RADIUS Challenge

If your VPN solution supports RADIUS Challenge, this method provides the most user-friendly MFA experience.

Compatible VPN solutions (verified)

  • OpenVPN

  • Palo Alto

  • Fortinet

  • Pulse Secure Connect Secure SSL

Note

Check your VPN documentation to confirm RADIUS Challenge compatibility.

Configuration

  1. In the UserLock console, go to Server settings ▸ Advanced Settings ▸ Multi-Factor Authentication section.

  2. Set MFA VPN challenge to True.
    → This applies RADIUS Challenge to all VPN connections protected by UserLock MFA.

Note

⚠️ For Push MFA, UserLock waits up to 5 minutes for validation. If no response, a challenge prompt appears for the user to enter an OTP code manually.

User experience

  1. The user connects to the VPN and enters their credentials.

  2. A second prompt requests the OTP code.

  3. The VPN connection is established after successful MFA verification.

RRAS configuration

If you are using Microsoft’s Routing and Remote Access Service (RRAS) for your VPN server or a VPN not compatible with RADIUS Challenge,
the MFA one-time password (OTP) can be handled in two ways: manually (by adding it to the username or password field) or automatically (through the UserLock VPN Connect application).

Note

If you don't use RRAS, your VPN solution must support RADIUS authentication and RADIUS accounting, both configured to use the NPS server.

Using the VPN Connect application

UserLock VPN Connect simplifies MFA authentication for RRAS connections.

When a user connects for the first time and MFA enrollment is required:

  1. The application detects the missing enrollment and displays a registration window.

  2. By clicking Register, the user is redirected to the UserLock MFA enrollment page (UserLock MFA IIS web page).

  3. The user chooses their preferred authentication method (Push or TOTP).

Once enrolled, MFA prompts appear automatically during future VPN logons:

  • For Push, users approve the request directly.

  • For OTP, users enter the code displayed in their authenticator app.

🔗️ For detailed installation steps, see Install VPN Connect for MFA.

VPN using MS-CHAPv2 (MFA via username field)

Server configuration

On the NPS server:

  • Ensure a valid policy grants VPN access to the appropriate users.

  • Add the corresponding Active Directory group under Conditions.

Client configuration

On the VPN client:

  • VPN type: Automatic

  • Authentication: MS-CHAPv2

End-user authentication

Users must enter:

Username: <Domain>\<username>,<MFA code>
Password: <password>

✅️ Separate the username and MFA code with a comma.
💡️ Enter the MFA code last, as it changes periodically.
🔑️ For TOTP/HOTP tokens, type the comma, then press the key to input the OTP.

Alternative VPN using PAP (MFA via password field)

Use the Password Authentication Protocol (PAP) only when encryption is already applied (e.g., L2TP/IPSec or SSTP).

Note

❌ Do not use this method with PPTP.

Server configuration

  1. On the NPS server, select only Unencrypted authentication (PAP, SPAP).

  2. In RRAS:

  • Configure a pre-shared key for L2TP.

  • Select PAP as the authentication method.

Client configuration

On the VPN client:

  • Connection type: L2TP with IPSec

  • Enter the pre-shared key.

  • Authentication: PAP

End-user authentication

Username: <Domain>\<username>
Password: <password>,<MFA code>
