How to implement IPSec Client VPN with Windows Native Client and MFA?
Hi
I would like to implement MFA on an already working IPSec client VPN access on USG FLEX 200.
Configuration of MFA is well documented.
As I understand it, the workflow is that in the first step the VPN connection is established using username/password. In the second step the MFA code must be entered via the web-based authentication service offered by the USG on the WAN interface.
If one uses e-mail MFA, the mail contains a link to the authentication service. I guess the user clicks the link, which also contains the code.
But how does this work with Google Authenticator? I tried to manually access the authentication service. There is an input field where you can enter the code. But this always ends up with an authentication error.
Any ideas?
Thanks in advance, Thomas
All Replies
The current problem with e-mail MFA is that you can't check your e-mail when the VPN is connected and runs as the gateway, so you would have to use a phone to authenticate a PC/laptop.
Google Authenticator works by the USG allowing access to the 2FA page down the VPN. If your phone is set up with Google Authenticator, you just have to enter the code quickly; you can click to copy and paste. One problem with that I see is you have to edit the code for the button to be clickable.
0 -
Hi @tgusset,
To help us investigate the "authentication error" further, could you please provide a screenshot of the error and share your MFA/VPN configuration? (PM me if it contains sensitive data)
Also, please confirm that your system time and phone time are correct and aligned. Our MFA is time-based, so any mismatch can cause errors or failures.
For complete 2FA/MFA settings and workflow details, you can also refer to our handbook (p. 599) under "How to Use Two Factor with Google Authenticator for VPN Access." It provides a clear example of how the process should work.
Zyxel Tina
0 -
Hi
thanks for the answer. The handbook shows how to use MFA with the Zyxel VPN client.
My question was if it is possible to use MFA with the Windows native VPN client. This client is not able to open the authentication page to enter the verification code automatically. To clarify my question: is it possible to access the authentication page manually (after establishing the VPN connection) and then enter the code, or is there any reference to the user or the VPN session required that might have to be included as a POST parameter?
My tests with manually opening the authentication page failed. I can see that the tunnel was established, but traffic forwarding is blocked.
IPSec VPN works without MFA enabled.
Thanks Thomas
0 -
Hi @tgusset
I confirm that the native Windows client is unable to automatically open the two-factor authentication page.
To work around this limitation I created a scheduled task based on event 20280.
Every time the event occurs, the web page pointing to 2FA opens.
This obviously makes sense if you primarily use a single VPN connection. Otherwise, the page would attempt to open every time you try to connect to any VPN.
Forgive the silly question: have you created a WAN to ZyWALL policy that allows traffic on the 2FA port (8008 should be the default)? Otherwise the 2FA page is unreachable.
Regards
Lorenzo
0 -
Hi @tgusset,
Since your VPN establishment is working correctly, could you please send the following via PM to help us investigate further:
- Firewall config file
- Firewall IP address (so we can test VPN and reproduce your issue)
Zyxel Tina
0 -
Hi
in the meantime it works as expected. I recreated the Google Authenticator registration for the test user and since then MFA authentication works.
Step 1: establish VPN connection with username and password → VPN tunnel is open, but traffic is blocked
Step 2: manually open the URL on the USG (https://<your gateway>:8008/2FA-access.cgi) and enter the MFA code displayed in the Authenticator app.
Important: for step 2 the URL isn't accessed through the tunnel (I'm not sure what happens if all traffic goes through the tunnel (force tunnel mode)).
Thomas
0
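Combining Lorenzo's scheduled-task workaround with the two steps Thomas lists, here is an added PowerShell example (not posted by either of them, and not Zyxel's own tooling) that registers a task which opens the 2FA page when event 20280 is logged, but only if the named VPN connection is actually up. It assumes event 20280 is written to the Application log by provider RasClient (verify with Event Viewer on your machine); the gateway host and connection name are placeholders.

```powershell
# Added example: register a scheduled task that opens the USG 2FA page on RasClient
# event 20280, only when the specific VPN profile is connected (Lorenzo's caveat above).
# ASSUMPTIONS: provider 'RasClient' / Application log for event 20280; placeholder names.
$VpnName  = 'Office-IPsec'                               # placeholder: Windows VPN connection name
$TwoFaUrl = 'https://<your gateway>:8008/2FA-access.cgi'  # placeholder host; port 8008 per the thread
$TaskName = 'Open-USG-2FA-Page'

# Script the task runs: check the named connection is Connected before opening the page,
# so unrelated VPN profiles do not trigger the browser.
$ScriptPath = Join-Path $env:ProgramData 'Open-Usg2fa.ps1'
@"
`$c = Get-VpnConnection -Name '$VpnName' -ErrorAction SilentlyContinue
if (`$c -and `$c.ConnectionStatus -eq 'Connected') {
    Start-Process '$TwoFaUrl'    # opens the default browser on the 2FA page
}
"@ | Set-Content -Path $ScriptPath -Encoding UTF8

# Event triggers are not exposed by New-ScheduledTaskTrigger, so build the
# MSFT_TaskEventTrigger CIM instance directly with an XPath event subscription.
$Query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='RasClient'] and EventID=20280]]</Select>
  </Query>
</QueryList>
"@
$Class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$Trigger = New-CimInstance -CimClass $Class -ClientOnly
$Trigger.Subscription = $Query
$Trigger.Enabled      = $true

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""

# Run as the interactive user so the browser window appears on their desktop.
$Principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive
Register-ScheduledTask -TaskName $TaskName -Trigger $Trigger -Action $Action -Principal $Principal -Force
```

The script does not change routing: as Thomas notes, the 2FA URL is reached outside the tunnel, so the gateway's WAN address must remain reachable from the client.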