Activating the 2FA for the VPN user profiles or not does not make any difference
Try asking Zyxel support to get 2FA working.
But when it will work, you still won't get the popup.
Latest versions are not EOL, but they're more expensive than some years ago.
Once the license was perpetual; now it's by subscription.
0 -
Mystery solved: when using the wizard, at the end it states in small text that the non-SecuExtender clients do not support 2FA, split tunnel, and max. bandwidth.
Nevertheless, when 2FA is activated on the firewall for the VPNs, it does not make sense that some configurations can go around it.
0 -
I never used wizards; I always set up VPN by hand, so I cannot read that small text.
But the way you are saying it is false. Every client supports 2FA; it's set server side. Those clients don't support the automatic 2FA popup. It's not the same.
When 2FA is set server side, no configuration can go around it.
Tunnel goes up, but traffic doesn't flow.
Once the 2FA confirmation comes, traffic starts to flow.
If nothing comes, tunnel remains unworkable (and after a timeout it's closed).
In your case, 2FA is not working, I hope that Zyxel support can help you with this issue.
0 -
There are several misunderstandings, I think :), in your answer.
I set 2FA for VPNUser1, and for ALL IPSec connections on the firewall itself. These settings are on the firewall, that means they are on the server side as you write as well. And no configurations should go around these settings, I agree.
The IPSec client configuration generated by the firewall itself goes around this principle of 2FA for IPSec. This is what the firewall wizard generates, configuration for an IPSec tunnel.
0 -
The wizard creates an IKEv2 IPSec VPN. The 2FA comes into action in IKE_AUTH, Phase 1 Step 2:
first username + password (credentials), then
OTP via Google Auth.
The server=firewall is set to use 2FA
The IPSec user is set to use 2FA, on the server=firewall.
The wizard creates a configuration which uses the IPSec user without the 2FA, and the IPSec tunnel without 2FA.
0 -
2FA enforcement requires proper integration at the user, gateway, and connection profile
IPSec GW on FW is set for 2FA
IPSec user on FW is set for 2FA
The connection profile based on the internal wizard states that it does not support 2FA; the clients created through the wizard for different OSes work fine without 2FA.
IPSec VPN connections manually set from android and other VPN apps also function without the 2FA settings on server=firewall as well. Basically, any IPSec connection can circumvent 2FA then?
Only the SecuExtender VPN client app seems to support 2FA then? If this is so, isn't this a big risk for many users who think they enabled 2FA and that it is an all-for-one-and-one-for-all rule, but it isn't?
0 -
Basically, any IPSec connection can circumvent 2FA then?
It shouldn't.
IPSec GW on FW is set for 2FA
OK
IPSec user on FW is set for 2FA
OK
Leave wizards alone for the moment.
Is 2FA enabled also in 2FA main page for "ipsec vpn"?
If this is true, no client configuration should be able to skip 2FA. Tunnel should not let traffic flow, until confirmation code is entered.
Again, every client supports 2FA. The point is only automatic popup.
0 -
Can you give a screenshot of what you mean by this?
Is 2FA enabled also in 2FA main page for "ipsec vpn"?
0 -
Hi @Zyxel_USG_User,
The note on this item means the non-SecuExtender client won't pop up the 2FA authentication webpage.
About your question on the difference between enabling/disabling 2FA: you cannot access anything except the firewall if you haven't passed 2FA authentication. For your case, may I know your security policy settings?
Zyxel Melen
0 -
Go to Configuration → Object → Auth. Method → Two-Factor Authentication → VPN Access
Two-factor Authentication for Services:
SSL - IPSec - L2TP
Make sure that the entries you use are selected here.
Just below, you find users/groups, and below "Deliver Authorize Link Method"
0
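A way for an administrator to verify the behaviour described in this thread (tunnel comes up, but only the firewall is reachable until the 2FA web confirmation is completed): an added audit script, not code from Zyxel or from anyone in the thread. Run it from a non-SecuExtender client after the IPsec tunnel is up; the addresses below are placeholders, not real values from this thread.

```python
"""Added example: check that IPsec 2FA is actually enforced for a client.
Phase 1 probes internal hosts before the OTP has been entered on the
firewall's 2FA page; phase 2 probes again after confirmation."""
import socket

# Placeholders (assumptions): firewall LAN portal and internal hosts that
# should only answer once 2FA has been confirmed. Replace with your own.
FIREWALL = ("192.0.2.1", 443)
INTERNAL = [("192.0.2.10", 445), ("192.0.2.20", 3389)]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_all(targets):
    """Map each (host, port) target to its reachability."""
    return {t: tcp_reachable(*t) for t in targets}


def verdict(pre_auth: dict, post_auth: dict, firewall=FIREWALL) -> str:
    """Classify enforcement from two probe rounds keyed by (host, port).
    Expected (per the thread): before 2FA only the firewall answers;
    after the OTP is confirmed the internal hosts answer as well."""
    internal_pre = [r for t, r in pre_auth.items() if t != firewall]
    internal_post = [r for t, r in post_auth.items() if t != firewall]
    if any(internal_pre):
        return "BYPASS: internal hosts reachable before 2FA confirmation"
    if not any(internal_post):
        return "BLOCKED: nothing reachable after 2FA (tunnel or policy issue)"
    return "ENFORCED: traffic flows only after 2FA confirmation"


if __name__ == "__main__":
    targets = [FIREWALL] + INTERNAL
    before = probe_all(targets)            # tunnel up, OTP not yet entered
    input("Complete the 2FA confirmation on the firewall, then press Enter")
    after = probe_all(targets)             # tunnel up, OTP confirmed
    print(verdict(before, after))
```

A BYPASS result means the connection profile in use is not subject to the server-side 2FA setting and should be reviewed against the Two-Factor Authentication → VPN Access service list.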