[USG FLEX H]How to Set Up 2FA with Google Authenticator for Remote Access VPN and SSL VPN

Zyxel_Kay
Zyxel_Kay Posts: 1,245  Zyxel Employee
Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
in VPN

Google Authenticator is a highly secure method for receiving verification codes for two-factor authentication (2FA). It generates a new code every 30 seconds, ensuring that each code remains valid for only a brief period. Additionally, Google Authenticator is free to download, easy to use, and functions without requiring an internet connection. This guide demonstrates how to configure Google Authenticator for both Remote Access VPN and SSL VPN.

1-scenario.jpeg

Note: All IP addresses and subnet masks used in this article are examples. Replace them with your actual network settings. This example was tested using USG FLEX 200H (Firmware Version: uOS 1.20).

Two-Factor Authentication with Google Authenticator Workflow

  1. Enable Google Authentication for a user.
  2. Set up Google Authenticator.
  3. Configure valid time and VPN types.

Step 1: Enable Google Authentication for a User

  1. Navigate to User & Authentication > User/Group.
  2. Select a local user account.
  3. Enable Two-Factor Authentication.
    2-enable-2fa.jpeg
  4. Click "Set up Google Authenticator" to begin the configuration on your mobile device.
    3-setup-ga-1.jpeg

Step 2: Set Up Google Authenticator

4-setup-ga-2.jpeg
  1. Download and install Google Authenticator on your mobile device.
    5-install-app.jpeg
  2. Open the Google Authenticator app and scan the barcode displayed on the Web GUI.
    6-register-acc.jpeg
  3. Enter the token code shown on the app into Step 3 on the Web GUI.
  4. Click "Verify Code and Finish".
    7-verify-code.jpeg
  5. After successful registration, backup codes will be displayed. Download these codes and store them securely for future use if you lose access to the app.
    8-backup-code.jpeg

Step 3: Configure Valid Time and VPN Service Types

  1. Enable Two-Factor Authentication for VPN access.
  2. Set the Valid Time, which specifies the time limit for entering the 2FA code (default is 3 minutes).
  3. Select the VPN types (e.g., Remote Access VPN or SSL VPN) requiring 2FA.
  4. After establishing the VPN tunnel, users will need to enter the token code via the Web GUI.
    9-service.jpeg

Testing the Configuration

Remote Access VPN (IKEv2)

  1. Open the Remote Access VPN tunnel using SecuExtender VPN Client.
    10-secuextender-vpn-client.jpeg
  2. When prompted, enter the verification code displayed on Google Authenticator or use a backup code.
    11-pop-up-browser-2fa.jpeg
  3. Log in with your username, password, and token code.
    12-2fa-success.jpeg
    13-log.jpeg

SSL VPN

  1. Open the SSL VPN tunnel using SecuExtender VPN Client.
    14-ssl-vpn.jpeg
  2. When prompted, enter the verification code displayed on Google Authenticator or use a backup code.
    15-ssl-pop-up-2fa.jpeg
  3. Log in with your username, password, and token code.
    16-ssl-2fa-success.jpeg
    17-ssl-log.jpeg

By following these steps, you can successfully enable and configure two-factor authentication with Google Authenticator for enhanced VPN security.

Kay

Untitled Image

See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

Categories

EnglishTiếng ViệtРусскийไทย中文(台灣)