Hope you are well.
My Customer wants to use their current RSA SecurID infrastructure for two factor authentication in Windows 10 build 1709/1803 while establishing VPN connectivity through Windows 10 AlwaysOn VPN profile. This profile will be connecting Windows 10-based endpoint computers to the new Microsoft-based VPN server deployed on RRAS functionality in Windows Server 2016. However, Customer plans to use these protocols:
Based on the Customer description the whole scenario should look this way:
1) User starts his PC and logs in with his domain credentials cached on the same PC.
2) After the user is logged in successfully, the system automatically starts a connection to the designated VPN server, providing the domain credentials as the first authentication factor.
3) The VPN server checks these credentials in Active Directory (through the Network Policy Server, of course) and, if they are OK, the VPN server asks the user for the second authentication factor.
4) The user takes his RSA SecurID token (hardware key), reads his OTP (One Time Password) on its screen, then enters it in the OTP message dialog created by the Always On VPN profile.
5) The VPN server gets this OTP value and sends the request on to the currently established RSA SecurID infrastructure through the NPS server (configured as a RADIUS server). If the OTP value is correct, the user is allowed to connect and his PC establishes the VPN session successfully.
So, my question is a very simple one:
Do RSA SecurID products support such scenarios and deployments (I mean being used as a 2-factor authentication solution for Always On VPN profiles in Windows 10 with Microsoft-based VPN servers)? I've heard previously that Microsoft-based VPN connections are not fully supported by RSA products due to some architectural issues in Windows 10 and old decisions taken by the product team in the past. Please advise.
Any tips, advice or hints would be greatly appreciated!
Have a nice day!
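The two-phase exchange described in steps 2 to 5 (domain password first, then a RADIUS Access-Challenge carrying a State attribute, then the OTP in a second Access-Request) can be simulated end to end. The following is an added example written for this thread; it is not the poster's, RSA's or Microsoft's code. It stands in an RFC 4226 HOTP verifier for the RSA SecurID infrastructure (the real SecurID algorithm and Authentication Manager are not reproduced), uses a constructed "Active Directory" password store and constructed token seeds, and models only the RADIUS codes and State attribute, not the wire format. The names `NpsRadius`, `OtpBackend` and `vpn_login` are this example's own.

```python
"""Simulated two-phase (password, then OTP) RADIUS exchange between a VPN
client, an NPS-style RADIUS server and a second-factor verifier.
Constructed, hypothetical example; not RSA's or Microsoft's code."""
import hashlib
import hmac
import secrets
import struct

# Constructed sample data: an "Active Directory" password store and per-user
# token seeds. Stand-ins only; real SecurID seeds live in RSA Authentication
# Manager, not in a dict.
AD_USERS = {"alice": "Winter2018!"}
TOKEN_SEEDS = {"alice": b"constructed-seed-for-alice"}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here as a generic event-based OTP stand-in."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpBackend:
    """Stand-in for the second-factor infrastructure NPS forwards OTPs to."""

    def __init__(self, seeds):
        self.seeds = seeds
        self.counters = {user: 0 for user in seeds}  # next expected counter

    def verify(self, user: str, otp: str, window: int = 3) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        start = self.counters[user]
        for counter in range(start, start + window):
            if hmac.compare_digest(hotp(seed, counter), otp):
                # Advance past the used value so the same OTP cannot be replayed.
                self.counters[user] = counter + 1
                return True
        return False


class NpsRadius:
    """NPS-style RADIUS server: password first, then Access-Challenge for the OTP."""

    def __init__(self, ad_users, otp_backend):
        self.ad_users = ad_users
        self.otp_backend = otp_backend
        self.pending = {}  # State attribute -> user awaiting the second factor

    def handle(self, req: dict) -> dict:
        user = req.get("User-Name", "")
        secret = req.get("User-Password", "")
        if "State" not in req:
            # Phase 1: verify the domain credentials (step 3 of the scenario).
            expected = self.ad_users.get(user, "")
            if not expected or not hmac.compare_digest(expected, secret):
                return {"Code": "Access-Reject"}
            state = secrets.token_hex(8)
            self.pending[state] = user
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": "Enter your SecurID passcode"}
        # Phase 2: State must match a pending challenge for this same user and
        # is single-use whether or not the OTP is accepted (step 5).
        if self.pending.pop(req["State"], None) != user:
            return {"Code": "Access-Reject"}
        if self.otp_backend.verify(user, secret):
            return {"Code": "Access-Accept"}
        return {"Code": "Access-Reject"}


def vpn_login(nps: NpsRadius, user: str, password: str, otp: str) -> list:
    """Client side of the exchange; returns the sequence of RADIUS codes seen."""
    first = nps.handle({"User-Name": user, "User-Password": password})
    if first["Code"] != "Access-Challenge":
        return [first["Code"]]
    second = nps.handle({"User-Name": user, "User-Password": otp,
                         "State": first["State"]})
    return [first["Code"], second["Code"]]


if __name__ == "__main__":
    nps = NpsRadius(AD_USERS, OtpBackend(TOKEN_SEEDS))
    code = hotp(TOKEN_SEEDS["alice"], 0)  # what the token would display
    print(vpn_login(nps, "alice", "Winter2018!", code))  # both factors OK
    print(vpn_login(nps, "alice", "Winter2018!", code))  # replayed OTP rejected
    print(vpn_login(nps, "alice", "wrong", code))        # bad password, no challenge
```

Two details matter for a real deployment and are visible in the simulation: the VPN server never sees the OTP verdict itself, only the RADIUS code that NPS relays, so the second factor is only as strong as the path between NPS and the OTP backend; and a State value is consumed on first use, so a client cannot answer one challenge twice or answer a challenge issued to another user.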