USG FLEX H Series - Two-Factor Authentication for VPN
USG FLEX H Series - Enhancement on Authentication for VPN
Overview
The USG FLEX H Series firewalls now support several authentication types for VPN access:
- Local User with Two-factor authentication (2FA)
- External User on AD/LDAP Server
Local Users - Two-Factor Authentication for VPN Clients
How It Works
When a remote user connects to your firewall using an IPsec VPN client, they must enter their username and password. Upon successful authentication, they will be redirected to a portal to enter a six-digit code generated by their Google Authenticator app. This ensures that only users who have the 2FA code can access the network.
Configuration Steps
- User Configuration:
- Navigate to User & Authentication > User in the firewall web interface.
- Select the user account that requires 2FA.
- Enable the option for two-factor authentication for VPN access.
- Global 2FA Settings:
- Go to User & Authentication > Authentication in the firewall web interface.
- Enable two-factor authentication for IPsec VPN.
- Optionally, enable two-factor authentication for SSL VPN if needed.
- Delivery Settings:
- Configure the delivery settings for the authorization link URL address.
- Choose the appropriate interface or IP address and specify the port (default is 8008).
- Google Authenticator Setup:
- When configuring a user for 2FA, a QR code will be generated.
- Scan the QR code using the Google Authenticator app on the user’s mobile device.
- The app will then generate time-based one-time passwords (TOTP) for the user.
Verifying 2FA in Event Logs
To ensure that 2FA is functioning correctly, you can check the event logs:
- Successful Login:
- Look for entries indicating successful user login and 2FA verification.
- Example: User JohnDoe from IPsec VPN has logged in and authenticated successfully.
External Server - AD and LDAP Server Support
Configuration Steps
- AD Server Configuration:
- Navigate to User & Authentication > User Authentication.
- Select AD Server and click Add.
- Enter the AD server address and authentication details.
- Use the Configuration Validation tool to verify connectivity and user existence.
- LDAP Server Configuration:
- Navigate to User & Authentication > User Authentication.
- Select LDAP Server and click Add.
- Enter the LDAP server address and authentication details.
- Use the Configuration Validation tool to verify connectivity and user existence.
Conclusion
The introduction of authentication for VPN clients in the USG FLEX H Series provides enhanced security for remote access. Coupled with the new support for AD and LDAP servers, this update significantly improves user authentication capabilities, ensuring a more secure and flexible network environment.
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight