USG Flex 200 and Google Authenticator for vpn

valerio_vanni
valerio_vanni Posts: 80  Ally Member
First Answer First Comment Friend Collector Second Anniversary

I have this machine, with ipsec vpns, and I would like to setup 2FA with Google Authenticator

I saw this guide for USG Flex 500:

https://support.zyxel.eu/hc/en-us/articles/360018356680-Firewall-Configure-2FA-with-Google-Authenticator-for-Admin-Access

And in "step" 1 I see a page that shows "Google Authenticator".

Instead, in my Device when I open user properties I see this:

Am I missing something?

Accepted Solution

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,503  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula
    edited October 29 Answer ✓

    Hi there,

    Thank you for providing your remote access information.

    The root cause of the issue is that the vpn2 user was set as a "guest" user type. Please follow the steps outlined in the FAQ provided on the forum, and ensure the "user type" is set to "user."

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!

    https://bit.ly/2024_Survey_Community

«1

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,503  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi @valerio_vanni ,

    The guide you found explains how to configure 2FA with Google Authenticator for Admin Access, not for VPN users.

    To configure 2FA with Google Authenticator for VPN users, please refer to the article below:

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!

    https://bit.ly/2024_Survey_Community

  • valerio_vanni
    valerio_vanni Posts: 80  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    I now see this other guide, but I'm stuck at the same point: when I edit the user, I should see

    But instead, as I told in my first message, I see this:

    "Verify by SMS/Email" is not a button, it's simple text. In this page there's nothing to configure.

    If I go to "Auth. Method", I see this:

    And I don't find anything wrong.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,503  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi @valerio_vanni ,

    Please ensure that your USG FLEX 200 is running the latest firmware version, 5.39(ABUI.0)C0.

    If the issue persists, please check your community inbox for instructions on how to provide us with a remote session. We'll access your firewall directly to investigate further.

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!

    https://bit.ly/2024_Survey_Community

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,503  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula
    edited October 29 Answer ✓

    Hi there,

    Thank you for providing your remote access information.

    The root cause of the issue is that the vpn2 user was set as a "guest" user type. Please follow the steps outlined in the FAQ provided on the forum, and ensure the "user type" is set to "user."

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!

    https://bit.ly/2024_Survey_Community

  • valerio_vanni
    valerio_vanni Posts: 80  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    Thank you, I missed user type.

    So far, for vpn I used "guest" type (I choosed the minimum level needed).

  • valerio_vanni
    valerio_vanni Posts: 80  Ally Member
    First Answer First Comment Friend Collector Second Anniversary
    edited October 21

    With "user" type, configuration was successful and 2FA works.

    The only missing piece is automatic popup of auth page when tunnel builds up.

    In Secuextender configuration I don't find any setting about 2FA

    To make it appear, I had to use "when tunnel is opened" script. But shouldn't it appear automatically?

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,503  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi @valerio_vanni ,

    Based on your description, it seems the authentication page popup appears after using the "when tunnel is opened" script. This behavior is intentional and designed to give users the flexibility to choose whether they want to use the authentication page popup.

    Please note that in addition to importing the script, you can also retrieve it using the "Get from Server" option.

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!

    https://bit.ly/2024_Survey_Community

  • valerio_vanni
    valerio_vanni Posts: 80  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    I didn't import any script, I simply put the address https://LAN1IP:8008 in line.

    It's passed to Windows and then it's opened with default browser.

    I wrote my last message because I thought it was a workaround and that it should open by itself.

    About the "get from server" method: I usually configure clients by hand, but I'm curious: if I wanted to use it, where should I configure script options server side?

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,503  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi @valerio_vanni ,

    To better assist you, please let us know:

    1. Which VPN client/software you are using
    2. Your SecuExtender version number

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!

    https://bit.ly/2024_Survey_Community

  • valerio_vanni
    valerio_vanni Posts: 80  Ally Member
    First Answer First Comment Friend Collector Second Anniversary

    I have a mix of software on clients. On most, it's Secuextender 3.8.204.61.32.

Security Highlight