USG20-VPN two factor authentication

kboroumand Posts: 8  Freshman Member
edited April 2021 in Security
I'm trying to activate 2 factor authentication via email for our SSL VPN users.
I've already set up SMTP mail settings and my device is able to send emails using the instructions below.
But I'm stuck on the final step. I've added email addresses to my users and enabled Two Factor Authentication and I'm choosing From Interface-->WAN as in the picture below. I'm under the impression that when I try to connect with my Zywall Secuextender VPN client I should get an email with a link of some kind as the second factor authentication but I'm not getting anything.
Am I using the correct method to enable two factor authentication for a VPN client connection?


  1. Log in to the unit by entering its IP address and the credentials for an admin account (by default, username is “admin”, password is “1234”)
  2. Configure your L2TP / IPSec / SSL connection as desired
  3. Navigate to Configuration > Object > User/Group > User to create or edit a user
  4. Take care to fill in a valid mail address to which the second auth. factor for this user will be sent
  5. Put this user into the allowed VPN users group in the tab “Group”
  6. Navigate to Configuration > System > Notification > Mail Server and fill in the credentials for an SMTP server (if you don't own a mail server, you can use a free Gmail account for example)
  7. Navigate to Configuration > Object > Auth. Method > Two-factor Authentication to enable this feature for the desired VPN (SSL / L2TP / IPSec)
  8. Under “User/Group” you can select the users which should authenticate using 2 FA
  9. Under “Delivery Settings” enable “Email”
  10. Under “Authorize Link URL Address” you can choose “From Interface” and the respective interface or “User-Defined” to enter an IP address or (DynDNS-) domain name

Comments

  • udoc
    udoc Posts: 3  Freshman Member

    hi,

    were you able to get this worked out? one note i saw in the guide was to make sure your device is registered.

    i have a slightly different issue. i get the email but i am ABLE to access resources before the 2 factor. is this a firewall configuration issue i have?

  • fabiobizz
    fabiobizz Posts: 1  Freshman Member
    I followed the same steps; the VPN client opens the tunnel but two-factor mode doesn't work for me... can anyone help me??

  • LeoSoft
    LeoSoft Posts: 4  Freshman Member
    fabiobizz said:
    I followed the same steps; the VPN client opens the tunnel but two-factor mode doesn't work for me... can anyone help me??

    Hello Fabio, I have the same problem too, with an ATP100: everything is configured and the tunnel works, but the authorization email doesn't arrive. Did you manage to solve it?
  • udoc said:

    hi,

    were you able to get this worked out? one note i saw in the guide was to make sure your device is registered.

    i have a slightly different issue. i get the email but i am ABLE to access resources before the 2 factor. is this a firewall configuration issue i have?

    I'm having the same problem. I get all of the emails, and have followed the instructions for both admin web login and ssl vpn. Admin web login works perfectly, but the VPN client lets me connect single-factor (password only) but still sends me the email.

    Having to guess, I think it's designed to only work with the new Zywall VPN client that you have to purchase separately, and that the original SecuExtender client is just broken and doesn't do 2FA. I don't know if that's true or not but if I find out that it is, the Zyxel's going on the garbage and I'm replacing it with another vendor solution. I primarily support enterprise firewalls and they don't charge money for their SSL VPN client software.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    When 2FA for SSL VPN is enabled, SecuExtender SSL VPN client cannot access the LAN resource without 2FA authorization.
    Here is the video for your reference.
    The Windows version of the SecuExtender SSL VPN client, SSL_VPN_Client_4.0.4.0, is used in this test. This is the free version of the SecuExtender SSL VPN software.
    https://www.dropbox.com/s/o2u2rdkw0gg2bcz/ssl_vpn_2FA.wmv?dl=0




     
