ATP + VPN + MFA
Ally Member
Hello,
We are currently testing an IPSec VPN for mobile. Right now we use the SSL VPN with our desktop clients. Anyway, we are wondering if it's possible to use MFA with both of these? I performed a search in the community and didn't find much information, at least for IPSec. I did find something that seemed to be for the SSL VPN but have struggled to implement it.
A similar question was posed here quite a while ago but it remains unanswered.
Is this something that is possible? If so, is there any documentation you can point me to? If not, is it possible that you guys will implement it? Or is there something else that we should be implementing?
Side note, I have MFA set up for Admin access to the firewall, so at least that is possible and works well.
Anyway, thanks for your help.
Edit: I was looking at the documentation for setting up the VPN on Android using StrongSwan. The note says, "The VPN settings for Non-SecuExtender IPSec VPN Clients do not support following features: Upload Bandwidth Limit, Spilt Tunnel, and Two-factor Authentication (Google Authenticator)". Is this correct?
Accepted Solution
-
Hi @NEP ,
For IPSec (IKEv2) VPN + Windows/macOS/Android StrongSwan client + Google Authenticator.
The VPN use need to open browser manually to the MFA URL, after VPN connected.
In this example, the URL is setup to LAN interface IP (192.168.10.1) of my ATP with default port 8008.
The MFA URL will be http://192.168.10.1:8008/
0
Master Member
All Replies
-
Hi @NEP ,
For IPSec (IKEv2) VPN + Windows/macOS/Android StrongSwan client + Google Authenticator.
The VPN use need to open browser manually to the MFA URL, after VPN connected.
In this example, the URL is setup to LAN interface IP (192.168.10.1) of my ATP with default port 8008.
The MFA URL will be http://192.168.10.1:8008/
0 -
I don't recall marking this as answered, but I do have it working with SecuExtender SSL and MS Authenticator. Thanks @zyman2008.
I had edited the original post about a note that I saw. Are you aware of Non-SecuExtender IPSec VPN Clients not supporting MFA? I would consider the SSL VPN to be one such client (based on name) and yet it works. However, I'm mainly thinking of the built-in Windows VPN and Android.
0 -
Windows built-in L2TP over IPSec can support with External RADIUS service that support 2FA.
All using external 2FA service. You don't need to enable 2FA settings on ZyWALL.
The password is in the format(Append second factor code after first factor user password): password,code
I had helped a client integrate ZyWALL with AD + Duo 2FA.
0
Categories
- All Categories
- 396 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 86 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 916 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 912 Nebula FAQ
- 419 Security FAQ
- 237 Switch FAQ
- 207 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
