Setting Up VPN MFA to Secure Remote Workers

Written by Zach DeMeyer on May 29, 2020

Share This Article

Virtual private networks (VPNs) are in high demand as working from home hits an all-time high and organizations look to secure remote access to network resources. Although an excellent place to start, VPN infrastructure by itself can still be compromised by targeted attacks. By adding multi-factor authentication (MFA/2FA) to VPN connections through RADIUS, IT admins can rest assured that their remote user access is secure.

Using VPNs to Promote Security

A VPN creates an encrypted tunnel used for securing access to a network. Many individuals and organizations use VPNs to protect internet access over a public network, but they’re often used by enterprises for guarding remote access to on-premises infrastructure. For organizations that leverage on-prem directory services, VPNs are critical.

In general, VPNs require a username and password combination along with a shared secret and/or certificate for authentication. Depending on how they’re implemented, however, the username/password pair may be a shared set of credentials across the organization, much like many have done for WiFi access. With a shared set of VPN credentials, organizations open themselves up to potential security risks.

With users working in environments outside of the IT department’s direct influence (e.g. their houses), end users and the shared credentials are more susceptible to attack. If for any reason that shared user identity is compromised, the VPN is subsequently compromised, as well as the connected services. Attacks range from a brute force attack carried out by bots to a phishing attack on an unsuspecting user.

As such, IT admins need solutions like RADIUS servers to improve their VPN security.

Adding RADIUS to VPNs

The Remote Access Dial-In User Service (RADIUS) protocol requires a unique set of credentials for access to a network, and can integrate with VPNs in the same way it does with on-prem networks. Although most RADIUS servers have on-board user directories, many are tied into an organization’s core directory service. This practice maintains identity continuity across multiple resources, meaning that the credentials used for RADIUS authentication can and should be made to meet organizational security requirements.

Adding RADIUS authentication to VPN access provides tighter security than just a shared password alone. But despite this, if a user’s credentials are compromised due to phishing or other attempts, an organization can still face the possibility of a breach. Additionally, RADIUS servers can be difficult to troubleshoot, so some organizations may have a harder time than others securing their VPNs.

Thankfully, IT admins can also enforce multi-factor authentication on their VPN connections through cloud-hosted RADIUS to ensure that their remote workers are as secure as possible.


MFA secures VPN even further by requiring a unique identifier beyond credentials upon login. Because this second authentication factor is unique to the end user (and often time sensitive), if that user’s identity is compromised for any reason, whether stolen or brute-forced, MFA prevents most attempts at taking over accounts

Depending on the solution used to implement MFA, a user’s additional authentication factor could range from TOTP or SMS codes to push notifications, U2F keys, or biometrics. For the purposes of securing VPN connections, IT organizations can employ a cloud directory service to enforce MFA using RADIUS-as-a-Service.

Using RADIUS-as-a-Service for VPN Security

RADIUS-as-a-Service, a component of the JumpCloud® Directory-as-a-Service® product, offers a cloud-hosted network of FreeRADIUS servers that are preconfigured to be used by organizations across the globe without having to implement a server themselves — regardless of whether users are in-office or working from home. Through RADIUS-as-a-Service, IT admins can integrate with many popular VPNs, syncing them with JumpCloud’s core user identities and safeguarding them with MFA

As a whole, Directory-as-a-Service connects users to virtually all of their IT resources using a single, centralized identity as the source of truth, propagating that identity to resources via RADIUS, LDAP, SAML, and OAuth. In essence, that means that, with JumpCloud, organizations can achieve secure access for remote workers to applications, infrastructure, and on-prem networks.

Try for Free

If you’re curious how a cloud directory service can help you secure and support your remote workers’ VPN access with MFA, consider trying Directory-as-a-Service today. Your JumpCloud account gives you access to the full product at no charge for up to 10 users, allowing you to quickly scale afterward to suit your organization’s needs.

Interested in more VPN best practices? Check out our guide for more information on VPNs and remote work.

Continue Learning with our Newsletter