ZyWALL SecuExtender Two-Factor Authentication

Warley
Warley Posts: 8  Freshman Member
Zyxel Certified Network Administrator - Security First Comment

Good afternoon

I enabled the two-factor authentication method via Google Authenticator, but here we use ZyWALL SecuExtender to connect via VPN. When I log in, it goes straight in without requesting authentication via Google Authenticator, does anyone know what it could be?

Print

Log in through this software and do not ask for authentication.

«1

All Replies

  • PeterUK
    PeterUK Posts: 3,443  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    test by Email two-factor authentication method

  • valerio_vanni
    valerio_vanni Posts: 104  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    It's clear that you don't get 2FA page.

    But

    "it goes straight in without requesting authentication via Google Authenticator".

    Means "the tunnel goes up and then it's working" or "the tunnel goes up and then it's not working"?

    By "working" I mean "really working", traffic can flow.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,526  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Warley,

    Did you enable Two-factor Authentication for VPN Access?

    In addition, the SecuExtender for SSL VPN of your version doesn't support auto popout the authentication page. You need open it manually.

    Zyxel Melen


  • Warley
    Warley Posts: 8  Freshman Member
    Zyxel Certified Network Administrator - Security First Comment

    In this case, because of this software that I connect to the VPN, I wouldn't be able to use this feature? What else would you give?

    Below images, even with the settings connect without two-factor authentication.

  • valerio_vanni
    valerio_vanni Posts: 104  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Connected, but does traffic flow?

  • Warley
    Warley Posts: 8  Freshman Member
    Zyxel Certified Network Administrator - Security First Comment

    In fact, it seems connected, but not flowing.

  • PeterUK
    PeterUK Posts: 3,443  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    You have to use the authorize link to enter a code which works when you get a Email but I have not been able to get it to work with google authenticator

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,526  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Warley,

    In this case, because of this software that I connect to the VPN, I wouldn't be able to use this feature?

    You can use the 2FA authentication feature. Please also enable 2FA authentication for VPN access. The path is Menu > Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access.

    Since your SSLVPN SecuExtender version doesn't support automatically popping out the authorized web page, you need to open your browser manually to access it.

    Once your setting is the same as above, you need to use the URL "https://<firewall WAN IP address>:<Authorized port>". For example, "https://10.20.48.254:8008"

    Zyxel Melen


  • valerio_vanni
    valerio_vanni Posts: 104  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    This, by itself, seems the correct state before 2FA process.

    Have you tried to open by hand, at that point, authorization page?

  • Warley
    Warley Posts: 8  Freshman Member
    Zyxel Certified Network Administrator - Security First Comment
    edited December 4

    Good afternoon

    As shown in the image below, accessing it via the web worked.


    I was able to use it by going to the web page and placing the code that was generated for the user.

    However, I found the method not very effective because the authorization codes run out and I will have to interfere later, as here some users connect all the time and I would need a faster check, perhaps because of email, but I was unable to configure it via email. Has anyone managed to get it to work via email?

Security Highlight