MFA with AD authentication?

Options
howtired
howtired Posts: 4  Freshman Member
First Anniversary Friend Collector First Comment
I am using a USG Flex500. Users login to SSL VPN with their AD credentials (setup via Auth. Method/AAA Server in object). However if I try to setup MFA for this users group, I don't get the "set up google authenticator screen" option. It seems this setup is only shown for local users. You can try this yourselves with the "ad-users" built-in groups.
How do I setup MFA for AD authenticated users?

Accepted Solution

All Replies

  • howtired
    howtired Posts: 4  Freshman Member
    First Anniversary Friend Collector First Comment
    Options
    Sorry: ATP500, not Flex.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 799  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @howtired,
    Greeting Forum, MFA only support local user.
    For ext-user or ext-group-user, to implement MFA, please kindly use SMS/Email to replace.
    Thank you
    Kevin
  • howtired
    howtired Posts: 4  Freshman Member
    First Anniversary Friend Collector First Comment
    Options
    hi Kevin,
    Thanks for your answer.
    How would I setup MFA via SMS? I can tick the option but there's no instructions on how to add a phone number and which SMS service provider to use. Is there something on Zyxel KB documenting this?
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 799  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2023 Answer ✓
    Options
    Hi @howtired
    Please refer the following KB.
    How to set up two factor authentication for admin login by Email to SMS
    And please fill in the following mobile number in AD server.

    Thank you
    Kevin

  • howtired
    howtired Posts: 4  Freshman Member
    First Anniversary Friend Collector First Comment
    Options
    Hi @howtired
    Please refer the following KB.
    How to set up two factor authentication for admin login by Email to SMS
    And please fill in the following mobile number in AD server.

    Thank you
    Kevin

    Hi Kevin,
    This is working for AD users, although in a different way than described in the kb you linked.
    The SMS sent to the user does not contain a verification code, but instead a link to the public IP of the ATP500 (on the port configured for MFA). Here they need to click on the "activate" button to gain VPN access. Not a solution I like, since it forces me to open yet another port on the ATP, plus we don't have a public certificate so the user gets all the usual security warnings when clicking on the link.
    Anyway, thanks a lot for your help.

Security Highlight