USG Flex 200 and Google Authenticator for VPN

valerio_vanni
valerio_vanni Posts: 91  Ally Member

I have this machine, with IPsec VPNs, and I would like to set up 2FA with Google Authenticator.

I saw this guide for USG Flex 500:

https://support.zyxel.eu/hc/en-us/articles/360018356680-Firewall-Configure-2FA-with-Google-Authenticator-for-Admin-Access

And in "step" 1 I see a page that shows "Google Authenticator".

Instead, on my device, when I open the user properties I see this:

Am I missing something?

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,584  Zyxel Employee

    Hi @valerio_vanni ,

    The guide you found explains how to configure 2FA with Google Authenticator for Admin Access, not for VPN users.

    To configure 2FA with Google Authenticator for VPN users, please refer to the article below:

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!

    https://bit.ly/2024_Survey_Community

  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member

    I now see this other guide, but I'm stuck at the same point: when I edit the user, I should see

    But instead, as I said in my first message, I see this:

    "Verify by SMS/Email" is not a button, it's simple text. In this page there's nothing to configure.

    If I go to "Auth. Method", I see this:

    And I don't find anything wrong.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,584  Zyxel Employee

    Hi @valerio_vanni ,

    Please ensure that your USG FLEX 200 is running the latest firmware version, 5.39(ABUI.0)C0.

    If the issue persists, please check your community inbox for instructions on how to provide us with a remote session. We'll access your firewall directly to investigate further.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,584  Zyxel Employee
    edited October 29 Answer ✓

    Hi there,

    Thank you for providing your remote access information.

    The root cause of the issue is that the vpn2 user was set as a "guest" user type. Please follow the steps outlined in the FAQ provided on the forum, and ensure the "user type" is set to "user."

  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member

    Thank you, I missed user type.

    So far, for VPN I used the "guest" type (I chose the minimum level needed).

  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    edited October 21

    With "user" type, configuration was successful and 2FA works.

    The only missing piece is the automatic popup of the auth page when the tunnel builds up.

    In the SecuExtender configuration I don't find any setting about 2FA.

    To make it appear, I had to use the "when tunnel is opened" script. But shouldn't it appear automatically?

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,584  Zyxel Employee

    Hi @valerio_vanni ,

    Based on your description, it seems the authentication page popup appears after using the "when tunnel is opened" script. This behavior is intentional and designed to give users the flexibility to choose whether they want to use the authentication page popup.

    Please note that in addition to importing the script, you can also retrieve it using the "Get from Server" option.

  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member

    I didn't import any script, I simply put the address https://LAN1IP:8008 in line.

    It's passed to Windows and then it's opened with the default browser.

    I wrote my last message because I thought it was a workaround and that it should open by itself.

    About the "get from server" method: I usually configure clients by hand, but I'm curious: if I wanted to use it, where should I configure script options server side?

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,584  Zyxel Employee

    Hi @valerio_vanni ,

    To better assist you, please let us know:

    1. Which VPN client/software you are using
    2. Your SecuExtender version number

  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member

    I have a mix of software on clients. On most, it's SecuExtender 3.8.204.61.32.
