MFA with AD authentication?

howtired
howtired Posts: 4  Freshman Member
First Comment Friend Collector Fourth Anniversary
in Security
I am using a USG Flex500. Users login to SSL VPN with their AD credentials (setup via Auth. Method/AAA Server in object). However if I try to setup MFA for this users group, I don't get the "set up google authenticator screen" option. It seems this setup is only shown for local users. You can try this yourselves with the "ad-users" built-in groups.
How do I setup MFA for AD authenticated users?

Accepted Solution

All Replies

  • howtired
    howtired Posts: 4  Freshman Member
    First Comment Friend Collector Fourth Anniversary
    Sorry: ATP500, not Flex.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 903  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    Hi @howtired,
    Greeting Forum, MFA only support local user.
    For ext-user or ext-group-user, to implement MFA, please kindly use SMS/Email to replace.
    Thank you
    Kevin
  • howtired
    howtired Posts: 4  Freshman Member
    First Comment Friend Collector Fourth Anniversary
    hi Kevin,
    Thanks for your answer.
    How would I setup MFA via SMS? I can tick the option but there's no instructions on how to add a phone number and which SMS service provider to use. Is there something on Zyxel KB documenting this?
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 903  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    edited January 2023 Answer ✓
    Hi @howtired
    Please refer the following KB.
    How to set up two factor authentication for admin login by Email to SMS
    And please fill in the following mobile number in AD server.

    Thank you
    Kevin

  • howtired
    howtired Posts: 4  Freshman Member
    First Comment Friend Collector Fourth Anniversary
    Zyxel_Kevin said:
    Hi @howtired
    Please refer the following KB.
    How to set up two factor authentication for admin login by Email to SMS
    And please fill in the following mobile number in AD server.

    Thank you
    Kevin

    Hi Kevin,
    This is working for AD users, although in a different way than described in the kb you linked.
    The SMS sent to the user does not contain a verification code, but instead a link to the public IP of the ATP500 (on the port configured for MFA). Here they need to click on the "activate" button to gain VPN access. Not a solution I like, since it forces me to open yet another port on the ATP, plus we don't have a public certificate so the user gets all the usual security warnings when clicking on the link.
    Anyway, thanks a lot for your help.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)