USG Flex 200 and Google Authenticator for vpn

valerio_vanni

I have this machine, with ipsec vpns, and I would like to setup 2FA with Google Authenticator

I saw this guide for USG Flex 500:

https://support.zyxel.eu/hc/en-us/articles/360018356680-Firewall-Configure-2FA-with-Google-Authenticator-for-Admin-Access

And in "step" 1 I see a page that shows "Google Authenticator".

Instead, in my Device when I open user properties I see this:

Am I missing something?

Zyxel_Judy

Hi there,

Thank you for providing your remote access information.

The root cause of the issue is that the vpn2 user was set as a "guest" user type. Please follow the steps outlined in the FAQ provided on the forum, and ensure the "user type" is set to "user."

Zyxel_Judy

Hi @valerio_vanni ,

The guide you found explains how to configure 2FA with Google Authenticator for Admin Access, not for VPN users.

To configure 2FA with Google Authenticator for VPN users, please refer to the article below:

https://community.zyxel.com/en/discussion/12505/how-to-use-two-factor-with-google-authenticator-for-vpn-access

valerio_vanni

https://community.zyxel.com/en/discussion/comment/70628#Comment_70628

I now see this other guide, but I'm stuck at the same point: when I edit the user, I should see

But instead, as I told in my first message, I see this:

"Verify by SMS/Email" is not a button, it's simple text. In this page there's nothing to configure.

If I go to "Auth. Method", I see this:

And I don't find anything wrong.

Zyxel_Judy

Hi @valerio_vanni ,

Please ensure that your USG FLEX 200 is running the latest firmware version, 5.39(ABUI.0)C0.

If the issue persists, please check your community inbox for instructions on how to provide us with a remote session. We'll access your firewall directly to investigate further.

Zyxel_Judy

Hi there,

Thank you for providing your remote access information.

The root cause of the issue is that the vpn2 user was set as a "guest" user type. Please follow the steps outlined in the FAQ provided on the forum, and ensure the "user type" is set to "user."

valerio_vanni

Thank you, I missed user type.

So far, for vpn I used "guest" type (I choosed the minimum level needed).

valerio_vanni

With "user" type, configuration was successful and 2FA works.

The only missing piece is automatic popup of auth page when tunnel builds up.

In Secuextender configuration I don't find any setting about 2FA

To make it appear, I had to use "when tunnel is opened" script. But shouldn't it appear automatically?

Zyxel_Judy

Hi @valerio_vanni ,

Based on your description, it seems the authentication page popup appears after using the "when tunnel is opened" script. This behavior is intentional and designed to give users the flexibility to choose whether they want to use the authentication page popup.

Please note that in addition to importing the script, you can also retrieve it using the "Get from Server" option.

valerio_vanni

https://community.zyxel.com/en/discussion/comment/70978#Comment_70978

I didn't import any script, I simply put the address https://LAN1IP:8008 in line.

It's passed to Windows and then it's opened with default browser.

I wrote my last message because I thought it was a workaround and that it should open by itself.

About the "get from server" method: I usually configure clients by hand, but I'm curious: if I wanted to use it, where should I configure script options server side?

Zyxel_Judy

Hi @valerio_vanni ,

To better assist you, please let us know:

1. Which VPN client/software you are using
2. Your SecuExtender version number

valerio_vanni

I have a mix of software on clients. On most, it's Secuextender 3.8.204.61.32.