Flex500 MFA for SSL VPN - setup Authenticator from Remote

Hello everyone,

We use a FLEX500 with the latest firmware and several SSL VPN logins for people who work at remote places. Out of security considerations we want to implement MFA (TOTP) for all remote workers, but we are having a hard time rolling it out without them coming to the office.

From what I read in the manual and from my experience, when setting a login to force MFA via Google Authenticator there is no way to allow that person in the remote workplace (home office) to set up his/her authenticator, is that right?

I only found the solution to log in with an admin and let the user scan the QR Code with the authenticator app.

Is there any possibility to enable MFA via Authenticator for users that are far away without either 1) needing them to come to the office or 2) doing a remote TeamViewer session with each and every one?

From other products I am used to the possibility that, after the first login with MFA forced, the user can set up the Google Authenticator himself either with a QR code or a simple code.

Thanks in advance and best regards,

Dom

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,400  Zyxel Employee
    edited June 2023 Answer ✓

    Hi @Gileraracer,

    In the current design, the user needs to set up the Google Authenticator by scanning the QR code on the administrator portal. We will move this request to the idea section for future evaluation. Thanks for your suggestion.

    See how you've made an impact in Zyxel Community this year!
    https://bit.ly/Your2024Moments_Community

  • Hi and thanks for your reply.

    Unfortunately, for a large number of remote workers, this is very ill-conceived. I hope the idea will be implemented.

    I have now set up a test user and activated MFA. When he now logs in via SecuExtender he does not see a window where he can enter the code from the Google Authenticator. Should a window appear here? Or where does an end user enter the code?

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,400  Zyxel Employee
    edited July 2023

    Hi @Gileraracer,

    Which type of SecuExtender are you using? Is it SSL VPN Client or IPSec VPN Client?

    If you use Zyxel VPN Client to establish the VPN tunnel, it will pop up the authentication page in the browser automatically. For SSL VPN, you have to enter the correct URL in the browser manually (e.g. https://YourDeviceIP:8080).

    You can find more information on page 599 in the handbook.
    How to Use Two Factor with Google Authenticator for VPN Access


  • itariant
    itariant Posts: 18  Freshman Member
    edited November 29

    A competing solution, Sop***, initially allows authentication to the portal with credentials (user/password), then allows scanning of the QR code for authentication apps (e.g. Google Authenticator).
    The next connection to the Sop*** GUI will require user and "password+token", and it will be possible to download the VPN configuration file to import into the client (multi-platform).

    I hope that this can also be done in the "USG Flex H" that I have already started to install!