Will H-series support 2FA via email for SSL VPN?
With previous ZLD-based firewalls, we were able to use 2FA via email method for SSL VPN. It was very simple for the end-users and fulfilled the 2FA requirement of most business cyber insurance policies.
On H-series with the free OpenVPN client, the end-user needs to manually open a web browser and navigate to the Authentication URL to input the TOTP code from an authenticator app. This is very confusing for non-technical end users and causes frustration; it is inconvenient.
Previously on ZLD-based firewall with 2FA via email, the user could simply click the link in the email to complete the authentication.
Are there any plans to add this capability back to the H-series?
All Replies
Thanks, I did not see this. I have put in my up-vote!
Hello,
As of now, Zyxel's H-Series firewalls using Nebula Control Center (NCC) or their newer architecture do not support 2FA via email for SSL VPN authentication in the same seamless way ZLD-based firewalls did. The H-Series currently prioritizes TOTP (Time-based One-Time Password) via authenticator apps like Google Authenticator or Microsoft Authenticator, which, as you've noted, can be less user-friendly for non-technical users.
Best Regards
I found a way to make the current 2FA process with OpenVPN a bit easier, I want to share it here so hopefully someone can benefit from it.
You can place a batch file in the same directory that holds the .ovpn connection profile, which will run after the VPN connection is established. This can be used to launch a web browser to the Authentication URL to make it easier for the end users. Note: it works with the 'OpenVPN GUI' client, but it does NOT seem to work with the newer 'OpenVPN Connect' client.
-Under Windows OS, the connection profile is stored in directory: %USERPROFILE%\OpenVPN\config
-The batch file needs to have the same name as the .ovpn profile. For example, if your profile file is named 'MyVpnConnect.ovpn', you would name your batch file 'MyVpnConnect_up.bat'
-Example 'MyVpnConnect_up.bat' file:
rem Wait 5 seconds for the tunnel to come up, then open the firewall's 2FA page.
timeout /t 5
start https://ZYWALL_LAN_IP:8008
exit
-Now when the user connects the VPN, the web browser will launch (after a 5-second delay) and load the Authentication page on the router where they can enter the TOTP code.
I hope this is helpful to somebody!
Thanks for your feedback, our product team is evaluating the function, and will enhance it in the future.
Assuming that your users know how to gather their PIN code, you can write a script or an app tool that sends the PIN code of the user to the Zywall with a really simple HTTP POST request like this:
# Six-digit TOTP from the user's authenticator app, and the Zywall's LAN address/port
PIN=123456
IP=192.168.0.254
PORT=8008
URL="https://$IP:$PORT/api/twofa_auth/twofa_ga_vpn_verify.cgi"
# POST the PIN to the 2FA verify endpoint
curl -q -s -o /dev/null --insecure -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "pincode=$PIN" "$URL"
A more advanced tool may launch the OpenVPN client, start the appropriate OpenVPN tunnel, wait for the VPN endpoint to be online, ask the user for the PIN code, send the PIN to the Zywall and wait until a known remote host is pingable.
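The "more advanced tool" sketched in the post above, written out as an added POSIX shell example (this is not the poster's code and not a Zyxel tool). It starts the tunnel, waits for the VPN endpoint, asks for the PIN, POSTs it to the verify URL quoted in the thread, then waits for an internal host. The OpenVPN invocation, the probe host address and the ZYWALL_CA option are assumptions; the curl call only falls back to --insecure when no certificate file is configured.

```shell
#!/bin/sh
# Added example helper for the Zywall OpenVPN 2FA flow described in the thread.
# Assumptions: the Zywall LAN IP/port below, the internal PROBE_HOST, and the
# openvpn command line in main(). The verify URL is the one quoted in the post.

ZYWALL_IP="${ZYWALL_IP:-192.168.0.254}"     # Zywall LAN IP (value from the post)
ZYWALL_PORT="${ZYWALL_PORT:-8008}"          # 2FA portal port (value from the post)
PROBE_HOST="${PROBE_HOST:-192.168.0.10}"    # assumed internal host reachable only after 2FA
ZYWALL_CA="${ZYWALL_CA:-}"                  # optional PEM file holding the firewall's certificate

# Build the verify endpoint URL quoted in the thread.
twofa_url() {
    printf 'https://%s:%s/api/twofa_auth/twofa_ga_vpn_verify.cgi' "$1" "$2"
}

# A Google Authenticator TOTP is six decimal digits; reject anything else before sending.
valid_pin() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# TLS arguments for curl: pin to the firewall's certificate when a CA file is given,
# and only fall back to --insecure (as the post does) when none is configured.
tls_args() {
    if [ -n "$1" ]; then
        printf -- '--cacert %s' "$1"
    else
        printf -- '--insecure'
    fi
}

# Ping a host once per second for up to $2 seconds; 0 when it answers, 1 on timeout.
wait_for_host() {
    host=$1; tries=$2; i=0
    while [ "$i" -lt "$tries" ]; do
        ping -c 1 "$host" >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# POST the PIN to the verify endpoint and print the HTTP status code.
send_pin() {
    url=$1; pin=$2
    # tls_args intentionally expands to separate words
    curl -s -o /dev/null -w '%{http_code}' $(tls_args "$ZYWALL_CA") \
        -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
        -d "pincode=$pin" "$url"
}

main() {
    # Assumed OpenVPN invocation; replace with however the tunnel is started locally.
    openvpn --config "$HOME/MyVpnConnect.ovpn" --daemon
    wait_for_host "$ZYWALL_IP" 30 || { echo "tunnel endpoint not reachable" >&2; exit 1; }
    printf 'Enter the 6-digit PIN from your authenticator app: '
    read -r pin
    valid_pin "$pin" || { echo "PIN must be exactly six digits" >&2; exit 1; }
    status=$(send_pin "$(twofa_url "$ZYWALL_IP" "$ZYWALL_PORT")" "$pin")
    echo "verify endpoint returned HTTP $status"
    if wait_for_host "$PROBE_HOST" 30; then
        echo "internal network reachable: 2FA complete"
    else
        echo "internal host still unreachable; check the PIN" >&2; exit 1
    fi
}

# Run the full flow only when invoked with --run, so the helpers can be sourced on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh twofa_login.sh --run` after adjusting the addresses and the openvpn line. Setting ZYWALL_CA to the firewall's certificate file is the difference between verifying the Zywall you are sending the PIN to and accepting any certificate on that port.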