Will H-series support 2FA via email for SSL VPN?

p4_greg · April 30

With previous ZLD-based firewalls, we were able to use 2FA via email method for SSL VPN. It was very simple for the end-users and fulfilled the 2FA requirement of most business cyber insurance policies.

On H-series with the free OpenVPN client, the end-user needs to manually open a web browser and navigate to the Authentication URL to input the TOTP code from an authenticator app. This is very confusing for non-technical end users and causes frustration…it is inconvenient.

Previously on ZLD-based firewall with 2FA via email, the user could simply click the link in the email to complete the authentication.

Are there any plans to add this capability back to the H-series?

PeterUK · May 1

vote here

2FA authentication by EMail — Zyxel Community

p4_greg · May 1

https://community.zyxel.com/en/discussion/comment/77129#Comment_77129

Thanks, I did not see this. I have put in my up-vote!

romen564 · May 2

Hello,

As of now, Zyxel's H-Series firewalls using Nebula Control Center (NCC) or their newer architecture do not support 2FA via email for SSL VPN authentication in the same seamless way ZLD-based firewalls did. The H-Series currently prioritizes TOTP (Time-based One-Time Password) via authenticator apps like Google Authenticator or Microsoft Authenticator, which, as you've noted, can be less user-friendly for non-technical users. tollsbymailny com

Best Regards

p4_greg · May 2

I found a way to make the current 2FA process with OpenVPN a bit easier, I want to share it here so hopefully someone can benefit from it.

You can place a batch file in the same directory that holds the .ovpn connection profile, which will run after the VPN connection is established. This can be used to launch a web browser to the Authentication URL to make it easier for the end users. **It works with the 'OpenVPN GUI' client, but it does *NOT* seem to work with the newer 'OpenVPN Connect' client.

-Under Windows OS, the connection profile is stored in directory: %USERPROFILE%\OpenVPN\config

-The batch file needs to have the same name as the .ovpn profile. For example, if your profile file is named 'MyVpnConnect.ovpn', you would name your batch file 'MyVpnConnect_up.bat'

-Example 'MyVpnConnect_up.bat' file:

timeout /t 5
start https://ZYWALL_LAN_IP:8008
exit

-Now when user connects the VPN, the web browser will launch(after 5sec delay) and load the Authentication page on the router where they can enter the TOTP code

I hope this is helpful to somebody!

Zyxel_James · May 15

Thanks for your feedback, our product team is evaluating the function, and will enhance it in the future.

laloutrejoyeuse · May 26

Assuming that yours users knows how to gather their PIN code, you can write a script or an app tool that send the PIN code of the user to the Zywall with a really simple http/post request like this

PIN=123456

IP=192.168.0.254
PORT=8008
URL="https://$IP:$PORT/api/twofa_auth/twofa_ga_vpn_verify.cgi"

curl -q -s -o /dev/null 
    --insecure 
    -X POST 
    -H "Content-Type: application/x-www-form-urlencoded" 
    -d "pincode=$PIN" $URL

A more advanced tool may launch the OpenVPN client, start the appropriate OpenVPN tunnel, wait for the vpn endpoint to be online, ask the user for the PIN code, send the PIN to the Zywall and wait until a known remote host is pingable.

Will H-series support 2FA via email for SSL VPN?

All Replies

Categories

Security Help Center