VIP Authentication Options for EAP Required Use Cases

Article ID: 433766

Updated On:

Products

VIP Service

Issue/Introduction

This document provides guidance for VIP customers who currently use VIP Enterprise Gateway (EG) for RADIUS-based authentication but face limitations because their client applications (such as VPN clients, 802.1X wireless, or network access controllers) require EAP (Extensible Authentication Protocol) support. It outlines two viable approaches to address this requirement.

Environment

Enterprise Gateway 9.11.x

A VPN client (FortiGate, Cisco, Palo Alto, etc.) or an 802.1X wireless deployment that mandates EAP over RADIUS.

Resolution

Current state (VIP EG without EAP)

VIP Enterprise Gateway currently provides robust RADIUS-based authentication supporting PAP (Password Authentication Protocol). This works well for many authentication scenarios including VPN access, network devices, and web portals that support standard RADIUS PAP authentication.

Customer requirement (VPN/802.1X clients requiring RADIUS-EAP)

Modern authentication clients increasingly require EAP (Extensible Authentication Protocol) support, particularly:

  • VPN clients configured for IKEv2
  • Wireless networks using 802.1X authentication (WPA2-Enterprise, WPA3-Enterprise)
  • Network Access Control (NAC) systems enforcing EAP-based authentication

These clients cannot authenticate using standard PAP and specifically require EAP methods tunneled through RADIUS.

Business impact

Without EAP support, customers face:

  • Deployment blockers: Cannot deploy VIP authentication for new VPN or wireless infrastructure
  • Security gaps: Forced to use less secure authentication methods or bypass VIP authentication entirely
  • Limited modernization: Unable to adopt modern authentication frameworks that mandate EAP
  • Competitive disadvantage: Customers may evaluate alternative authentication solutions that offer EAP support

 

Proposed Solutions - Summary

Feature Comparison      | Solution 1: VIP EG with EAP Support          | Solution 2: Azure SAML Integration
------------------------|----------------------------------------------|-----------------------------------------------
Authentication Protocol | RADIUS with EAP-TTLS (inner PAP)             | SAML 2.0
Infrastructure          | VIP Enterprise Gateway + VIP Cloud           | Azure Active Directory + VIP Cloud
Availability            | May/June 2026 (under development)            | Available now
Client Requirements     | EAP-TTLS capable RADIUS client (VPN, 802.1X) | SAML-capable client (browser-based, some VPN)
Use Cases               | VPN (IKEv2), 802.1X wireless, NAC            | Web apps, modern VPN with SAML support
RADIUS Dependency       | Yes (continues using RADIUS)                 | No (bypasses RADIUS entirely)
Supported MFAs          | OTP, PUSH, PUSH + Number Challenge (NC)      | FIDO, OTP, PUSH, PUSH + NC

 

MFA Support Limitation with EAP-TTLS/PAP

Testing with common VPN clients (FortiClient, Palo Alto GlobalProtect, FreeRADIUS) has revealed that Access-Challenge prompts for MFA are not supported within the EAP-TTLS/PAP framework. While VIP EG supports challenge flows, these clients cannot prompt users for additional input after the initial authentication. Therefore, only inline MFA methods are supported: Username + Password + OTP, with the OTP appended to the password (e.g., Password123456), or Username + Password for PUSH authentication.

Solution 1: VIP Enterprise Gateway with EAP Support

Overview

VIP Enterprise Gateway is being enhanced to support EAP-TTLS authentication with PAP as the inner authentication method. This extends the existing RADIUS infrastructure to support modern authentication clients that require EAP.

Salient Features

  • EAP-TTLS Protocol Support: Implements RFC 5281 compliant EAP-TTLS with TLS tunnel establishment
  • Inner PAP Authentication: Username and password securely transmitted inside encrypted TLS tunnel
  • VIP Integration: Supports the VIP authentication methods OTP and PUSH
  • TLS Security: Certificate-based server authentication with configurable TLS versions (TLS 1.2+)
  • Session Management: Efficient handling of concurrent EAP sessions with automatic cleanup
  • Backward Compatible: Existing PAP authentication continues to work unchanged
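
The inner PAP exchange and the inline MFA format described above, as an added example (not Symantec VIP code). It builds and parses the EAP-TTLS phase 2 AVPs defined in RFC 5281 for PAP; the sample credentials, the `split_inline_credential` helper and the 6-digit OTP length (taken from the `Password123456` example) are assumptions for illustration.

```python
import struct

USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute numbers reused as AVP codes
FLAG_V, FLAG_M = 0x80, 0x40      # Vendor-ID present / mandatory (RFC 5281 AVP flags)

def encode_avp(code, data):
    """code(4) | flags(1) | length(3) | data, zero-padded to a 4-octet boundary."""
    length = 8 + len(data)  # the length field excludes the trailing padding
    header = struct.pack("!IB", code, FLAG_M) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)

def build_inner_pap(username, password, otp=""):
    """Phase 2 PAP payload; inline MFA appends the OTP to the password."""
    secret = (password + otp).encode()
    secret += b"\x00" * (-len(secret) % 16)  # null-pad to 16 to hide the length
    return encode_avp(USER_NAME, username.encode()) + encode_avp(USER_PASSWORD, secret)

def parse_avps(payload):
    """Decode the AVP sequence as the TTLS server sees it after TLS decryption."""
    avps, offset = {}, 0
    while offset < len(payload):
        if len(payload) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", payload, offset)
        length = int.from_bytes(payload[offset + 5:offset + 8], "big")
        header = 12 if flags & FLAG_V else 8  # Vendor-ID adds 4 octets
        if length < header or offset + length > len(payload):
            raise ValueError("bad AVP length")
        avps[code] = payload[offset + header:offset + length]
        offset += length + (-length % 4)
    return avps

def split_inline_credential(user_password, otp_digits=6):
    """Hypothetical server-side split of 'password + OTP' (OTP length assumed)."""
    secret = user_password.rstrip(b"\x00").decode()
    tail = secret[-otp_digits:]
    if len(secret) > otp_digits and tail.isascii() and tail.isdigit():
        return secret[:-otp_digits], tail
    return secret, None  # no OTP suffix: password only, as in the PUSH case

if __name__ == "__main__":
    # Constructed sample credentials, mirroring the page's Password123456 example.
    avps = parse_avps(build_inner_pap("alice", "Password", "123456"))
    print(avps[USER_NAME], split_inline_credential(avps[USER_PASSWORD]))
```

The User-Password AVP carries the password and OTP in cleartext inside the tunnel, so the protection rests entirely on the client validating the gateway's TLS server certificate. With this split heuristic, a password that itself ends in six digits cannot be told apart from password + OTP.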

Architecture Overview

The diagram below gives a brief overview of the architecture and flow for EAP-enabled VPN clients that use the enhanced VIP Enterprise Gateway for authentication.

 

Solution 2: Azure SAML Integration (Bypass RADIUS)

Overview

For customers with an active Azure AD tenant and VIP licensing, SAML-based authentication provides an alternative path that completely bypasses RADIUS infrastructure. This solution leverages Azure AD as an identity provider, enabling modern authentication protocols for supported clients.

Salient Features

  • SAML 2.0 Protocol: Industry-standard federation protocol for web-based authentication
  • VIP Federation: Azure AD federates to VIP Cloud for MFA enforcement
  • No RADIUS Required: Eliminates RADIUS infrastructure dependency entirely
  • Browser-Based Authentication: Native support for web applications and portals
  • Modern MFA Support: Supports FIDO in addition to OTP and PUSH
  • Cloud-Native: Fully cloud-based solution with no on-premises components required

Prerequisites

  • Active Azure AD tenant (P1 or P2 license recommended)
  • Client application must support SAML 2.0 authentication

 

Architecture Overview

The following diagram depicts the architectural flow using Microsoft Entra ID over SAML.