Common VPN and RADIUS-based endpoints and the ADSelfService Plus authenticators they support

Common VPN and RADIUS-based endpoints and the ADSelfService Plus authenticators they support

ADSelfService Plus supports the following types of authenticators for VPN MFA:

  1. One-way authenticators

    • Push Notification Authentication

    • Fingerprint/Face ID Authentication

These authenticators are automatically applicable for all the endpoints providing RADIUS authentication.

  1. Challenge-based authenticators

    • ADSelfService Plus TOTP Authentication

    • Google Authenticator

    • Microsoft Authenticator

    • Yubico OTP (hardware key authentication)

    • SMS verification and email verification

    • Zoho OneAuth TOTP

Challenge-based authenticators are applicable only when:
    • PAP is configured for RADIUS authentication.

    • The RADIUS client (VPN or endpoint server) supports challenge-response; that is, it prompts a challenge (verification code) from the user and sends back the entered challenge.

While ADSelfService Plus provides MFA enablement for all RADIUS-based VPN providers, not all authenticators supported by the product are available in these providers. This article provides a list of popular VPN providers and other RADIUS-based clients and the authenticators supported by them. 

VPN and other RADIUS clients

Supports one-way authenticators provided in ADSelfService Plus?

Supports challenge-based authenticators provided in ADSelfService Plus?

Fortinet VPN

Yes
Yes

OpenVPN Access Server (AS)

Yes
Yes

Cisco ASA AnyConnect VPN

Yes
Yes

NetMotion Mobility VPN

Yes
No
Microsoft RDGateway
Yes
No
Microsoft Routing and Remote Access Service (RRAS)
Yes
No
Palo Alto VPN (GlobalProtect client)
Yes
Yes
WatchGuard VPN
Yes
No
Sonic Wall VPN
Yes
Yes
Pulse Secure VPN
Yes
Yes
Juniper
Yes
Yes
Checkpoint
Yes
Yes
VMWare Horizon
Yes
Yes
ForcePoint
Yes
Yes
Cisco Meraki
Yes
No
Citrix/NetScaler Gateway
Yes
No

 

Note: Status of authenticator availability may change in the future.

Disclaimer: While the VPN providers listed above have been officially tested and confirmed to support the authenticators mentioned, other VPN providers and endpoints employing RADIUS protocol for authentication can support these authenticators as well. Please contact the support team (support@adselfserviceplus.com) if you have trouble assessing whether the VPN provider used in your organization supports these authenticators.

                  New to ADSelfService Plus?

                    • Related Articles

                    • Configuring MFA for Cisco ASA SSL VPN using RADIUS

                      This guide provides steps for enabling multi-factor authentication (MFA) using RADIUS for Cisco's Adaptive Security Appliance (ASA) product using ManageEngine ADSelfService Plus' MFA for VPN feature. To enable RADIUS-based authentication for VPN ...
                    • Configuring MFA for FTD VPN using RADIUS

                      This guide provides steps for enabling multi-factor authentication (MFA) using RADIUS for Cisco's Firepower Threat Defense (FTD) product using ManageEngine ADSelfService Plus' MFA for VPN feature. To enable RADIUS-based authentication for Cisco FTD, ...
                    • How to enable offline MFA in ADSelfService Plus

                      ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is ...
                    • Multi-factor authentication techniques in ADSelfService Plus

                      Let's take a look into the various authentication methods supported by ADSelfService Plus for enterprise multi-factor authentication (MFA). Why should you use MFA? Authentication based solely on usernames and passwords is no longer considered secure. ...
                    • Configuring MFA for ISE with RADIUS

                      This guide provides steps for enabling multi-factor authentication (MFA) using RADIUS for Cisco's Identity Services Engine (ISE) product using ManageEngine ADSelfService Plus' MFA for VPN feature. To enable RADIUS-based authentication for Cisco ISE, ...