Does IKEv2 mobile VPN always require NPS?

We currently have a hybrid setup with onsite AD synced with Azure AD. We can use SSLVPN with MFA via Authpoint which is syncing user info from AAD.

Now we'd like to test MFA with IKEv2 VPN using AuthPoint. It appears that we will need to set up an NPS server no matter what - either in Azure or on premises.
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/Azure-firebox-ikev2-vpn_authpoint.html
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ikev2-vpn-radius_authpoint.html

If so, is one way easier (or cheaper over the course of a couple years) than the other?
Using the onsite NPS server configuration, it appears that an AuthPoint Gateway is also required. Why is this not true if the NPS server is in Azure?

Best Answer

  • james.carson Moderator, WatchGuard Representative
    edited March 2023

    I can't speak to if one is cheaper than the other -- I'm not sure what it costs to stand that role up in Azure.

    I would personally prefer to keep NPS on premises as, aside from the hashed password, RADIUS is clear text. If you already have an on-premises AD server, adding the NPS role doesn't cost anything aside from the small amount of CPU time it'll consume.

    If you do decide to use it in the cloud, ensure that your RADIUS traffic is being sent across a Branch Office VPN and not via the internet unencrypted.

    NPS is required in some instances as the firewall passes the authentication off to the AD server in order for the password to be verified. Microsoft provides a connector to do this via Authpoint in the cloud, whereas NPS is the only way to do this without tampering with the password on a local system.

    -James Carson
    WatchGuard Customer Support
