RADIUS authentication for Entra ID users for Mikrotik L2TP VPN

Question

RADIUS authentication for Entra ID users for Mikrotik L2TP VPN

lmgmcg 130

Need to configure my Widows Radius server (NPS) to authenticate users from Entra ID to allow access to Mikrotik L2TP.

As per what I have learnt, the NPS extension with MFA is firstly authenticating the users on the on-premAD. The on -prem AD is not holding any user accounts right now as we have moved to Entra ID.

I need to totally authenticate users on my Entra ID with the Radius server on my local network.

Any help?

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Goutam Pratti 6,215 Microsoft External Staff Moderator

Hello @lmgmcg ,

Thank you for reaching out Microsoft Q&A.

I understand you need to configure my Widows Radius server (NPS) to authenticate users from Entra ID to allow access to Mikrotik L2TP.

User's image

As you can see from the above diagram firstly the RADIUS request is first sent from the VPN server to the NPS (Network Policy Server), which uses Active Directory for primary authentication. Afterward, for secondary authentication, it passes the request to Azure MFA, and finally, the RADIUS response is sent back to the VPN server.

However, since your users have been migrated to Microsoft Entra ID, rather than relying on RADIUS and the Microsoft Entra NPS extension for Azure MFA, I recommend upgrading your VPN to use SAML. Directly federating your VPN with Microsoft Entra ID via SAML provides access to the full range of Microsoft Entra ID protections, including Conditional Access, multifactor authentication, device compliance, and Entra ID Protection.

For the additional information: https://learn.microsoft.com/en-us/entra/architecture/auth-radius

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Regards,
Goutam Pratti.

lmgmcg 130 Reputation points

2024-11-15T09:11:37.34+00:00

@Goutam Pratti , thank you for getting back.
I've seen the given suggestion to use SAML, but the thing is Mikrotik is not supporting SAML as well.
So I'm stucked right now. Is there any way that I could make vpns (L2TP/SSL) with Azure GW. (Like a work from home solution where users will be configured to dial to Azure GW and establish another Site to site between Azure GW and Mikrotik router to access office network.)

Any suggestions?
Goutam Pratti 6,215 Reputation points Microsoft External Staff Moderator

2024-11-19T10:54:16.3433333+00:00

Hello @lmgmcg ,

As per the design for RADIUS authentication, as shown in the provided screenshot, RADIUS relies on Active Directory to verify the primary authentication of users. Since your environment is entirely cloud-based and you are not managing authentication through Active Directory, it is not possible to configure your VPN to use the RADIUS protocol in this setup.
Goutam Pratti 6,215 Reputation points Microsoft External Staff Moderator

2024-11-21T03:18:27.3033333+00:00

Hello @lmgmcg ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
lmgmcg 130 Reputation points

2024-11-26T17:24:47.99+00:00

Hey Goutam,

I couldn't find a solution for this, instead I installed a Fortigate on a VM with Permanent trial and enabled SAML authentication for cloud users.

Thanks

Share via

RADIUS authentication for Entra ID users for Mikrotik L2TP VPN

0 additional answers

Your answer