How-To: Extend Workspace ONE Access MFA capabilities with eMail, OATH, ... using SMS2 and RADIUS
Let's start with "Why"
A couple of weeks ago I was faced with a challenge: external suppliers and support personnel were only able to perform MFA using eMail, as employees neither had corporate mobile phones for modern (Verify, DUO) or old-school (text-message) authentication nor owned an identity provider (AzureAD, Okta, etc.) that I could federate against.
Workspace ONE Access (WS1A) already supports a large number of authentication providers, but some methods are still not covered natively by a built-in provider. Luckily, WS1A does support RADIUS, which lets us extend its "skill-set" even further.
There is a free Microsoft Network Policy Server (aka RADIUS on Windows) extension called SMS2 (Download & Documentation: https://www.wrightccs.com)

This extension adds eMail, OATH (both HOTP and TOTP), SMS Gateway, PIN/TAN and other methods to RADIUS and therefore to Workspace ONE Access. I have been using SMS2 for over 5 years now without major issues, and the best thing: it's free!
Setup and Configure
In this blog post I will focus on eMail as the second factor of authentication, but feel free to use any of the other SMS2 methods as well.
Requirements:
Workspace ONE Access Connector to communicate with the RADIUS server
Network Policy and Access Services Role installed on a Windows Server accessible from your connector (can be hosted on the same box)
Microsoft SQL Express or Windows Internal Database to store SMS2 Configurations and Tokens
SMS2 Software (Download: https://www.wrightccs.com/support/download/)
SMS2 License Key (https://www.wrightccs.com/why-does-sms2-have-a-one-year-license-code/)
Install all of the above components and make sure they can communicate.
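One way to check the connector-to-NPS leg before touching the WS1A configuration, as an added example (not from the original post or the SMS2 project): a minimal RADIUS Access-Request probe run from the connector host. It assumes the standard RADIUS authentication port UDP 1812, that the probing host is registered as a RADIUS client in NPS, and throwaway credentials; all function names are hypothetical.

```python
import getpass, hashlib, hmac, os, socket, struct, sys

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding for PAP (RFC 2865, section 5.2)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident, authenticator):
    """Access-Request with User-Name, User-Password and Message-Authenticator."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user         # User-Name
    attrs += bytes([2, 2 + len(hidden)]) + hidden    # User-Password
    attrs += bytes([80, 18]) + b"\x00" * 16          # Message-Authenticator, zeroed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac                # HMAC-MD5 replaces the zeros

def response_is_authentic(response, request_authenticator, secret):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret) from RFC 2865."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not 20 <= length <= len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(server, secret, port=1812, timeout=5.0):
    """Send one request with throwaway credentials and classify the outcome."""
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(b"connectivity-probe", b"not-a-real-password",
                                  secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    if data[1:2] != bytes([ident]) or not response_is_authentic(data, authenticator, secret):
        return "reply-failed-verification"
    return {2: "access-accept", 3: "access-reject",
            11: "access-challenge"}.get(data[0], "unexpected-code")

if __name__ == "__main__" and len(sys.argv) == 2:  # usage: script.py <nps-host>
    print(probe(sys.argv[1], getpass.getpass("RADIUS shared secret: ").encode()))
```

Any reply that passes verification, even an Access-Reject, shows that the network path, the RADIUS client entry and the shared secret line up; "no-reply" points to one of those three.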
Coming soon
I will update this blog post soon, but wanted to share the idea/solution with the community. I will go through all the configuration steps in detail with screenshots.