Flex500 MFA for SSL VPN - setup Authenticator from Remote

Hello everyone,

We use a FLEX500 with the latest firmware and several SSL VPN logins for people who work at remote places. Out of security considerations, we want to implement MFA (TOTP) for all remote workers but are having a hard time rolling it out without them coming to the office.

From what I read in the manual and from my experience, when setting a login to force MFA via Google Authenticator there is no way to allow that person in the remote workplace (home office) to set up his/her authenticator, is that right?

I only found the solution to log in with an admin and let the user scan the QR Code with the authenticator app.

Is there any possibility to enable MFA via Authenticator for users that are far away without either 1) needing them to come to the office or 2) doing a remote TeamViewer session with each and every one?

From other products I am used to the possibility that, after the first login with MFA forced, the user can set up the Google Authenticator himself either with a QR code or a simple code.

Thanks in advance and best regards,

Dom

Accepted Solution

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,312  Zyxel Employee
    edited June 2023 Answer ✓

    Hi @Gileraracer,

    In the current design, the user needs to set up the Google Authenticator by scanning the QR code on the administrator portal. We will move this request to the idea section for future evaluation. Thanks for your suggestion.

All Replies

  • Gileraracer

    Hi and thanks for your reply.

    Unfortunately, for a large number of remote workers, this is very ill-conceived. I hope the idea will be implemented.

    I have now set up a test user and activated MFA. When he now logs in via SecuExtender he does not see a window where he can enter the code from the Google Authenticator. Should a window appear here? Or where does an end user enter the code?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,312  Zyxel Employee
    edited July 2023

    Hi @Gileraracer,

    Which type of SecuExtender are you using? Is it the SSL VPN Client or the IPSec VPN Client?

    If you use the Zyxel VPN Client to establish the VPN tunnel, it will pop up the authentication page in the browser automatically. For SSL VPN, you have to enter the correct URL in the browser manually (e.g. https://YourDeviceIP:8080).

    You can find more information on page 599 in the handbook.
    How to Use Two Factor with Google Authenticator for VPN Access
