ATP + VPN + MFA
Hello,
We are currently testing an IPSec VPN for mobile. Right now we use the SSL VPN with our desktop clients. Anyway, we are wondering if it's possible to use MFA with both of these? I performed a search in the community and didn't find much information, at least for IPSec. I did find something that seemed to be for the SSL VPN but have struggled to implement it.
A similar question was posed here quite a while ago but it remains unanswered.
Is this something that is possible? If so, is there any documentation you can point me to? If not, is it possible that you guys will implement it? Or is there something else that we should be implementing?
Side note, I have MFA set up for Admin access to the firewall, so at least that is possible and works well.
Anyway, thanks for your help.
Edit: I was looking at the documentation for setting up the VPN on Android using StrongSwan. The note says, "The VPN settings for Non-SecuExtender IPSec VPN Clients do not support following features: Upload Bandwidth Limit, Spilt Tunnel, and Two-factor Authentication (Google Authenticator)". Is this correct?
Accepted Solution
-
Hi @NEP ,
For IPSec (IKEv2) VPN + Windows/macOS/Android StrongSwan client + Google Authenticator.
The VPN use need to open browser manually to the MFA URL, after VPN connected.
In this example, the URL is setup to LAN interface IP (192.168.10.1) of my ATP with default port 8008.
The MFA URL will be http://192.168.10.1:8008/
0
All Replies
-
Hi @NEP ,
For IPSec (IKEv2) VPN + Windows/macOS/Android StrongSwan client + Google Authenticator.
The VPN use need to open browser manually to the MFA URL, after VPN connected.
In this example, the URL is setup to LAN interface IP (192.168.10.1) of my ATP with default port 8008.
The MFA URL will be http://192.168.10.1:8008/
0 -
I don't recall marking this as answered, but I do have it working with SecuExtender SSL and MS Authenticator. Thanks @zyman2008.
I had edited the original post about a note that I saw. Are you aware of Non-SecuExtender IPSec VPN Clients not supporting MFA? I would consider the SSL VPN to be one such client (based on name) and yet it works. However, I'm mainly thinking of the built-in Windows VPN and Android.
0 -
Windows built-in L2TP over IPSec can support with External RADIUS service that support 2FA.
All using external 2FA service. You don't need to enable 2FA settings on ZyWALL.
The password is in the format(Append second factor code after first factor user password): password,code
I had helped a client integrate ZyWALL with AD + Duo 2FA.
0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 218 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 245 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3.1K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight