Pricing  Get Quote

MFA for VPN Logons

Multi-factor authentication for VPN logins

The many benefits of working remotely have led organizations to adopt this model for their workforce. Virtual private networks (VPNs) have become indispensable since they provide employees with secure and encrypted remote access to internal networks, and vital resources.

Why you need to protect VPN access

VPNs allow users to access various resources outside the office through a secure tunnel. While this facilitates an unperturbed workflow for remote employees, it also exposes the organization's network to new cybersecurity concerns.

Despite this secure remote network access, when the VPN is synced with the organization's Active Directory (AD) environment, users are commonly authenticated using only their domain usernames and passwords—a method that has proven to be no longer secure. Verizon reports that 81% of data breaches can be linked to compromised passwords. Exposure of VPN credentials can put your entire network at risk of data exposure. Implementing additional layers of security through multi-factor authentication (MFA) is an effective way to prevent the dire consequences of credential exposure.

Secure remote access to your VPN with ADSelfService Plus

ManageEngine ADSelfService Plus, an integrated self-service password management and single sign-on solution (SSO), enables you to fortify VPN connections to your organizations' networks using MFA. This involves implementing authentication methods like biometric authentication and one-time passwords (OTPs) during VPN logons in addition to the traditional username and password. Since passwords alone are not enough to log in to the network, ADSelfService Plus renders exposed credentials useless for unauthorized VPN access.

How to protect VPNs with MFA

To secure your VPNs using MFA, the VPN server should use a Windows Network Policy Server (NPS) to configure RADIUS authentication, and the ADSelfService Plus NPS extension has to be installed in the NPS. This extension mediates between the NPS and ADSelfService Plus to enable MFA during VPN connections. Once these requirements are fulfilled, the process shown below takes place during a VPN login:

Multi-factor authentication for VPN logins

  1. A user tries to establish a VPN connection by providing their username and password to the VPN server.
  2. The VPN server sends the authentication request to the NPS where the ADSelfService Plus’ NPS extension is installed.
  3. If the username and password combination is correct, the NPS extension contacts the ADSelfService Plus server and raises a request for second-factor authentication.
  4. The user performs authentication through the method configured by the administrator. The result of the authentication is sent to the NPS extension in the NPS.
  5. If the authentication is successful, the NPS conveys this to the VPN server.

The user is granted access to the VPN server and establishes an encrypted tunnel to the internal network.

Supported VPN providers

ADSelfService Plus allows admins to secure all RADIUS-supported VPN providers with MFA. Here are some of the top VPN providers supported by ADSelfService Plus:

  1. Fortinet
  2. Cisco IPSec
  3. Cisco AnyConnect
  4. Windows Native VPN
  5. SonicWall NetExtender
  6. Pulse
  1. Checkpoint EndPoint Connect
  2. SonicWall Global VPN
  3. OpenVPN Access Server
  4. Palo Alto
  5. Juniper

Supported VPN authentication methods

IT admins can configure any of the above methods according to their organization's requirements. ADSelfService Plus enables hassle-free configuration and administration of the feature through:

  • Granular configuration: Enable particular authentication methods for users belonging to specific AD domains, organizational units, and groups.
  • Real-time audit reports: View detailed reports on VPN logon attempts with information like the time of logon and authentication failures.

Benefits of using MFA with ADSelfService Plus

  • Customizable configuration: Apply different authenticators to different sets of users based on their privilege.
  • Achieve regulatory compliance: Meet NIST SP 800-63B, GDPR, HIPAA, NYCRR, FFIEC, and PCI DSS regulation requirements.
  • Prevent credential-based cyberattacks: Prohibit the reuse of passwords and weak passwords that make your network vulnerable to cyberattacks.
  • Secure endpoints: Use MFA to secure not just VPN access but also local and remote logins into Windows, macOS, and Linux machines for all-around endpoint security.

Fortify your VPN with Multi-factor Authentication

  • Please enter a business email id
By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.


Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here


Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.


ADSelfService Plus trusted by

A single pane of glass for complete self service password management