Make sure to read System Requirements prior to proceeding
NPS is typically installed together with the Routing and Remote Access role on a server, but it can also be installed on its own. Instructions on how to install an NPS server can be found on Microsoft Learn.
To use the NPS Plugin, you need a RADIUS client, typically a VPN gateway. On that client, configure your NPS as the RADIUS server. On the NPS, you can then configure the Connection Request Policies and Network Policies according to your needs. Microsoft Learn describes this setup in great detail.
Users typically provide their credentials on the VPN client, which forwards them to the VPN server; the VPN server, in turn, queries the configured RADIUS server for further evaluation. Upon receiving a connection request, the NPS looks through its list of Connection Request Policies to find a matching policy to process it.
Once a match within the Connection Request Policies with the "Authenticate on this server" action is made, the SystoLOCK Plugin takes control. It then tries to find the user in AD and checks whether the user is SystoLOCK-provisioned. If either of these conditions fails, the plugin fails the authentication attempt. This behavior can be tweaked further with the parameters described below.
Any password supplied with the request to NPS is ignored by the SystoLOCK Plugin.
Do not configure any challenge-response mechanisms (such as MS-CHAP2) on the client side. For authentication to succeed, configure CHAP or PAP instead and supply a dummy value for the password if needed.
The SystoLOCK Plugin only takes the user name as a parameter; further authentication takes place on SystoLOCK Companion via a push notification. The plugin waits for the user to respond to the push notification before it signals back a failure.
There are some parameters you can provide to tweak the plugin's behavior. You control these parameters via the registry under HKLM:\SOFTWARE\Systola\SystoLOCK\NPSPlugin. The key NPSPlugin is not created by default; you will have to create the key and the values yourself if you want to alter them.
| Value name | Default Value | Description |
|---|---|---|
| PushResponseTimeout | 90 | Time in seconds the plugin waits for a response from the Companion App |
| RejectUnknownUsers | 1 | Set to 0 to ignore users not found in AD |
| RejectNonSystoLockUsers | 1 | Set to 0 to ignore users that are not provisioned for SystoLOCK |
If users are ignored by the plugin, the authentication result is further evaluated by NPS or by other plugins, if installed.
Due to the way NPS handles plugins, you need to reboot the server after changing the values of these parameters. It is not enough to restart the NPS service.
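As an added example (not part of the SystoLOCK documentation or the plugin itself), the following PowerShell script creates the NPSPlugin key and sets the three documented values, keeping the fail-closed defaults for both Reject* values and only raising the push timeout. It assumes the values are stored as REG_DWORD (the documentation does not state the type) and that it runs in an elevated session on the NPS server.

```powershell
# Added example, not from the SystoLOCK documentation.
# Assumption: the plugin reads its values as REG_DWORD.
# Run in an elevated PowerShell session on the NPS server.

$KeyPath = 'HKLM:\SOFTWARE\Systola\SystoLOCK\NPSPlugin'

# Desired settings: longer push timeout, both Reject* values left at their
# documented default of 1 so unknown or unprovisioned users are rejected.
$Settings = @{
    PushResponseTimeout     = 120   # seconds to wait for the Companion App (default 90)
    RejectUnknownUsers      = 1     # default: reject users not found in AD
    RejectNonSystoLockUsers = 1     # default: reject users not provisioned for SystoLOCK
}

function Set-SystoLockNpsPluginSetting {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Values
    )

    # Sanity-check the inputs before touching the registry.
    foreach ($name in 'RejectUnknownUsers', 'RejectNonSystoLockUsers') {
        if ($Values.ContainsKey($name) -and $Values[$name] -notin @(0, 1)) {
            throw "$name must be 0 or 1 (got $($Values[$name]))"
        }
    }
    if ($Values.ContainsKey('PushResponseTimeout') -and $Values.PushResponseTimeout -le 0) {
        throw 'PushResponseTimeout must be a positive number of seconds'
    }

    # The key does not exist by default; create the whole path if needed.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    foreach ($entry in $Values.GetEnumerator()) {
        # -Force overwrites an existing value; DWord type is the assumption noted above.
        New-ItemProperty -Path $Path -Name $entry.Key -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }

    # Read the key back so the change can be verified before rebooting.
    Get-ItemProperty -Path $Path |
        Select-Object PushResponseTimeout, RejectUnknownUsers, RejectNonSystoLockUsers
}

Set-SystoLockNpsPluginSetting -Path $KeyPath -Values $Settings
Write-Warning 'NPS picks up these values only after a reboot; restarting the NPS service is not enough.'
```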