Hello,
I would like to use RSA SecurID Authentication Manager and Microsoft Network Policy Server to facilitate two-factor authentication for a Meraki client VPN on a Meraki MX-65 Secure Appliance. The Meraki client VPN will use a RADIUS server for authentication. In this scenario, there is an existing network, and I do not want to use two-factor authentication for local LAN devices and users. I am potentially planning to use RSA SecurID software tokens on the VPN clients.
My questions are:
1. Should SecurID AM or Microsoft NPS be set up as the RADIUS server?
2. If using MS NPS as RADIUS Proxy for SecurID AM, can the scope be limited to VPN connections?
3. If SecurID AM is used as the RADIUS server, are there best practices or a how-to for MS NPS RADIUS integration?
Please let me know if I can provide any additional details.
Thank you,
Ivan
Hi Ivan,
While I have not specifically used MS NPS, the methodology should be somewhat similar to other RADIUS to RADIUS implementations (e.g. ClearPass). That said, since one of your requirements is to NOT implement MFA for local clients, I suggest the following:
1) MS NPS as the RADIUS server
2) Create the necessary policies and ACLs on MS NPS for external and internal VPN clients. The policy for external clients should be modified to send a RADIUS auth request to RSA Authentication Manager.
3) N/A
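
The scoping asked about in question 2 and suggested in step 2, as an added example that is not part of either post and is not NPS configuration: a small Python model of a RADIUS front end that parses an Access-Request (RFC 2865) and forwards it to RSA Authentication Manager only when it arrives from the VPN appliance. The MX address, the routing labels and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed values for illustration; none of these come from the thread.
MX_ADDRESS = ipaddress.ip_address("192.0.2.10")  # assumed address the MX sends RADIUS from
ACCESS_REQUEST, USER_NAME = 1, 1                 # RFC 2865 packet code and attribute type

def build_access_request(user: str, ident: int = 1) -> bytes:
    """Build a minimal constructed Access-Request carrying only User-Name."""
    name = user.encode()
    attr = bytes([USER_NAME, 2 + len(name)]) + name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr))
    return header + bytes(16) + attr             # 16-byte authenticator, zeroed here

def parse_attributes(packet: bytes) -> dict:
    """Parse an Access-Request into {type: [values]}, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def route(packet: bytes, source_ip: str) -> tuple:
    """First-match routing: requests from the MX go to RSA AM, the rest stay local."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, [b""])[0].decode(errors="replace")
    if ipaddress.ip_address(source_ip) == MX_ADDRESS:
        return ("forward-to-rsa-am", user)       # VPN logins get the SecurID check
    return ("local-policy", user)                # LAN devices and users: no MFA

if __name__ == "__main__":
    pkt = build_access_request("ivan")
    print(route(pkt, "192.0.2.10"))              # request arriving from the MX
    print(route(pkt, "192.0.2.77"))              # request from another RADIUS client
```

The match is made on the datagram's source address, which is the RADIUS client the server has a shared secret for, so requests from any other client never reach the token check.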