Active Directory Federation Services, AD-FS, is the de facto identity provider in a Microsoft environment. Many organizations will be using it to authenticate Office 365 users to an on-premise Active Directory. Support amongst cloud service providers is growing, allowing you to authenticate not just O365 users but users of a variety of business applications.

In certain circumstances, you may want to require multi-factor authentication (MFA). Out of the box, AD-FS only provides support for X.509 certificates. Thankfully there’s the concept of Authentication Adapters, allowing you to develop your own MFA plug-in. I’ve developed a quick RADIUS plugin that prompts users to enter a one-time PIN and sends the response to a RADIUS server, along with the account’s userPrincipalName, for validation.
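What such a request looks like on the wire, as an added example that is not part of the adapter's source: it builds and parses an RFC 2865 Access-Request carrying the userPrincipalName and the PIN, assuming the PIN travels in the standard User-Password attribute (the post does not say which attribute the adapter uses). The UPN, PIN, shared key and NAS address used with it are constructed sample values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1                                   # RFC 2865 packet code
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(pin, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = pin.ljust(max(16, -(-len(pin) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does to recover the PIN; it needs only the shared key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, upn, pin, secret, nas_ip=None, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = [(USER_NAME, upn.encode()),
             (USER_PASSWORD, hide_password(pin.encode(), secret, authenticator))]
    if nas_ip:  # NAS-IP-Address is only present if the client adds it
        attrs.append((NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_packet(packet):
    """Return (code, authenticator, {attribute type: value}); raise on a malformed packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad header or length field")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return packet[0], packet[4:20], attrs
```

Running parse_packet over a captured request shows which User-Name value and which attributes actually reach the RADIUS server; the PIN itself is protected only by the shared key, so that key should be long and random.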

RADIUS Authentication Adapter

The software is open-source and licensed under the GPL and relies on the excellent Radius.Net library.


I strongly recommend compiling your own version rather than downloading a DLL and installing it into your AD FS servers. If you’re comfortable with the risks of that, you can download it from the links below.

Download Sourcecode (C#, 4.5)
Download Binaries (Version 1.0).


The below instructions cover installation into AD FS and make no attempt to document any RADIUS/NPS configuration.

  1. Extract the zip file to a convenient location and open install.ps1 in your favorite editor;
  2. Amend the variables in install.ps1 to match your RADIUS server, shared key and any ports needed;
  3. From an elevated PowerShell prompt, run install.ps1
  4. Restart the AD FS service to complete registration
  5. If you have multiple AD FS servers in your farm, repeat the process on each but press CTRL-C when prompted to register the authentication adapter

Published by

Dave Hope

Dave works in IT for a leading UK based retirement developer, in his spare time he enjoys tinkering with technology and rock climbing.

10 thoughts on “Using RADIUS with AD FS MFA”

  1. Came across this very useful plug-in for AD FS – thank you! Probably a dumb question but I can’t seem to get AD FS to recognize any change to the FriendlyNames entry in AuthenticationAdapterMetadata.cs. No matter what I change the current value (“Use my VPN token”) to it always shows up in the AD FS MfA list as “Use my VPN token”.

    Any idea why I can’t seem to change how this is displayed in the AD FS Authentication Options page?

      1. Thanks for the response. After unregistering the MfA adapter in AD FS this is what I tried so far without any luck:

        [System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") | Out-Null
        $publish = New-Object System.EnterpriseServices.Internal.Publish

        Am I missing something?

        1. From memory that looks about right.

          I guess you’re changing FriendlyNames() in AuthenticationAdapterMetadata.cs? If so, can you zip and email me your assembly and I’ll test it my end. Email address is firstname at surname dot mx

  2. Thanks Dave for sharing this post. To start with I am not a developer, I tried using your binary but getting some error occurred message when I should be getting radius server OTP prompt. Also discovered that no request was sent to the radius server by the adapter. I’d appreciate your kind assistance

  3. Thank you for this. Simple but powerful.
    We however have a small issue, our radius server expects the user login as “samaccountname” but AD FS presents it with UPN(email).
    The “IdentityClaims” registry setting is set to “”, but I’m not sure or/if/how this is supposed to work.
    It seems like this key/value is not doing anything.

    Is there any way to get this working without changing radius server configuration (that is running production already)?

    Thank you in advance!


  4. Hi, is it possible to configure this plugin as a primary authentication method and not as a second factor?

  5. Hello, does this adapter support multiple simultaneous requests? Something like two users trying at almost the same time (in the same second) to authenticate? Thank you

  6. Thank you for wonderful plugin.
    But when I look into the radius packet, it doesn’t contain information for the NAS_IP_Address attribute (Radius attribute value 4) even though I added the “NasAddress” in registry. Is there any way to include this attribute in the radius packet?
    Thanks in advance.

  7. Thank you for the useful plug-in. I haven’t tested it yet. Is there a way to uninstall the plugin after the test? I’m asking because I have to test it on our production server. Please understand that I’m in a very special situation. It has something to do with GCP SSO.
