Nebula USG Flex Remote Access VPN and Two-Factor Authentication

jesse_it Posts: 8
edited July 2021 in Nebula
Remote clients can VPN using the latest version of SecuExtender IPSec client, but I don't know how to access / force them to access the Captive Portal to allow local network access.  How do I force the client to go to the captive portal, or what is the portal IP Address (I tried the first and last usable IP of the VPN Subnet without a response)?

I have configured the remote access VPN and can connect to the USG FLEX successfully.  When I do not have the "Two-factor authentication" option selected, my remote client can access network resources.  I am using the SecuExtender IPSec client version
When I enable the "Two-factor authentication" option, the remote client cannot access local network resources (as expected - the second factor is pending).  I can browse external sites while connected to the VPN.  
I've configured LAN 1, our internal network, to allow direct client access without authentication (USG Flex -> Configure -> Authentication Method).  I've set up a static route (USG Flex -> Configure -> Routing) to connect the Remote Access subnet to our LAN 1 subnet.
My Cloud Authentication (Organization-wide -> Configure -> Cloud authentication) user that I authenticate with has two-factor authentication enabled and the option to bypass two-factor authentication is not checked.

Remote Access VPN Configuration Settings:

Accepted Solution

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 264  Zyxel Employee
    edited July 2021 Accepted Answer
    Hi @jesse_it,

    Based on the inquiry, please refer to this link, step 6 more likely is the CP page you would like to achieved.

    Hope it helps.


All Replies

  • jesse_it
    jesse_it Posts: 8
    Thank you, Jonas - Step 6 is what I was missing.  This works as expected now.

Nebula Tips & Tricks