USG FLEX H Series - Two-Factor Authentication for VPN

Zyxel_Richard
edited September 11 in Other Topics

USG FLEX H Series - Enhancement on Authentication for VPN

Overview

The USG FLEX H Series firewalls now support several authentication types for VPN access:

  • Local user with two-factor authentication (2FA)
  • External user on an AD/LDAP server

Local Users - Two-Factor Authentication for VPN Clients

How It Works

When a remote user connects to your firewall with an IPsec VPN client, they must first enter their username and password. Once the password is accepted, they are redirected to a portal where they enter the six-digit code generated by the Google Authenticator app on their mobile device. Only a user who presents both a valid password and a valid 2FA code reaches the network.

Configuration Steps

  • User Configuration:
    • Navigate to User & Authentication > User in the firewall web interface.
    • Select the user account that requires 2FA.
    • Enable the option for two-factor authentication for VPN access.
  • Global 2FA Settings:
    • Go to User & Authentication > Authentication in the firewall web interface.
    • Enable two-factor authentication for IPsec VPN.
    • Optionally, enable two-factor authentication for SSL VPN if needed.
  • Delivery Settings:
    • Configure the delivery settings for the authorization link, i.e. the URL the user is redirected to for entering the 2FA code.
    • Choose the appropriate interface or IP address and specify the port (default is 8008).
  • Google Authenticator Setup:
    • When configuring a user for 2FA, a QR code will be generated.
    • Scan the QR code using the Google Authenticator app on the user’s mobile device.
    • The app will then generate time-based one-time passwords (TOTP) for the user.

Verifying 2FA in Event Logs

To ensure that 2FA is functioning correctly, you can check the event logs:

  • Successful Login:
    • Look for entries indicating successful user login and 2FA verification.
    • Example: User JohnDoe from IPsec VPN has logged in and authenticated successfully.

External Server - AD and LDAP Server Support

Configuration Steps

  • AD Server Configuration:
    • Navigate to User & Authentication > User Authentication.
    • Select AD Server and click Add.
    • Enter the AD server address and authentication details.
    • Use the Configuration Validation tool to verify connectivity and user existence.
  • LDAP Server Configuration:
    • Navigate to User & Authentication > User Authentication.
    • Select LDAP Server and click Add.
    • Enter the LDAP server address and authentication details.
    • Use the Configuration Validation tool to verify connectivity and user existence.

Conclusion

The introduction of two-factor authentication for VPN clients in the USG FLEX H Series provides stronger security for remote access. Together with the new support for AD and LDAP servers, this update significantly improves user authentication capabilities, giving a more secure and flexible network environment.