MFA with AD authentication?

howtired
howtired Posts: 4
First Comment Friend Collector Fourth Anniversary
 Freshman Member
I am using a USG Flex500. Users login to SSL VPN with their AD credentials (setup via Auth. Method/AAA Server in object). However if I try to setup MFA for this users group, I don't get the "set up google authenticator screen" option. It seems this setup is only shown for local users. You can try this yourselves with the "ad-users" built-in groups.
How do I setup MFA for AD authenticated users?

Accepted Solution

All Replies

  • howtired
    howtired Posts: 4
    First Comment Friend Collector Fourth Anniversary
     Freshman Member
    Sorry: ATP500, not Flex.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 304
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 25 Answers First Comment
     Master Member
    Hi @howtired,
    Greeting Forum, MFA only support local user.
    For ext-user or ext-group-user, to implement MFA, please kindly use SMS/Email to replace.
    Thank you
    Kevin
  • howtired
    howtired Posts: 4
    First Comment Friend Collector Fourth Anniversary
     Freshman Member
    hi Kevin,
    Thanks for your answer.
    How would I setup MFA via SMS? I can tick the option but there's no instructions on how to add a phone number and which SMS service provider to use. Is there something on Zyxel KB documenting this?
  • howtired
    howtired Posts: 4
    First Comment Friend Collector Fourth Anniversary
     Freshman Member
    Hi @howtired
    Please refer the following KB.
    How to set up two factor authentication for admin login by Email to SMS
    And please fill in the following mobile number in AD server.

    Thank you
    Kevin

    Hi Kevin,
    This is working for AD users, although in a different way than described in the kb you linked.
    The SMS sent to the user does not contain a verification code, but instead a link to the public IP of the ATP500 (on the port configured for MFA). Here they need to click on the "activate" button to gain VPN access. Not a solution I like, since it forces me to open yet another port on the ATP, plus we don't have a public certificate so the user gets all the usual security warnings when clicking on the link.
    Anyway, thanks a lot for your help.

Security Highlight