FLEX700H and IPSEC VPN with MFA via e-mail code




I have a Flex700H and I have set up IPSEC VPN for remote users to connect.
When I turn on MFA for each user, the only option that is available is the Google Auth app.
I prefer MFA with an authorization e-mail sent to that user's e-mail to click auth.
I do not use the SecuExtender client due to cost and want to use the native IPSEC VPN with Windows and Mac.
Does someone know how to turn on e-mail MFA for a user on the Flex700H versus Google Auth?
All Replies
-
USG FLEX H series doesn't support e-mail MFA; therefore, there is no way to turn this on.
The reason e-mail MFA is not supported is that receiving the MFA email requires an Internet connection. If you are using IPSec remote access VPN with full tunnel, you won't have Internet access before you pass MFA. Since Google Auth is an MFA auth tool that works without Internet, it ensures the user can pass the MFA no matter which remote access VPN type they connect with.
Zyxel Melen1 -
In other words, to pass e-mail MFA you would have a PC or laptop for the VPN and a phone to get the e-mail and link to the FLEX to authorize the VPN.
But one way to allow the VPN to pass authorization is to allow DNS and known e-mail ports to get the e-mail as you authorize the VPN fully.
0 -
Zyxel Melen
MFA is turned on for the IPSEC VPN user with Google Auth set up for that user.
The user connects to the VPN via the native Apple VPN, not the SecuExtender application.
Once the VPN user is connected via IPSEC, how does that user apply the Google code to get authorized?
The VPN shows connected … then what is the next step to get authorized with Google Auth?
0 -
You enter your Authorize Link URL Address in the browser after you connect to the VPN.
My LAN DNS points to 192.168.255.235, my LAN interface, but externally points to my WAN IP.
https://zyxel-router7.ddns.net:8008
This opens up a page where you enter the code.
On another note, it would be nice if it could use the certificate to not see "click to view unsafe site".
0 -
PeterUK
So after you make a successful IPSEC VPN connection, it then opens up the Authorize website on that person's computer where they can then enter the Google Auth code?
Or does the user have to go to the authorize URL themselves and type in the domain or IP with :8008?
0 -
With the built-in VPN client you have to go to the authorize URL, but I think with the SecuExtender VPN Client you can make it run the URL after connection.
0 -
Just like PeterUK mentioned, you need to set the delivery setting for users to enter the Google auth code. Additionally, due to the Windows native VPN client's limitation, any user who uses the Windows native VPN client to connect to the VPN needs to manually connect to the Google auth code page.
Zyxel Melen0 -
We have too many users to have to purchase the SecuExtender VPN client… It is too expensive for us to use.
0 -
I'm in the same situation with the native Windows client. To get around the limitation, I use a scheduled task (opens the browser to the authentication code entry page) after VPN connection.
It's certainly not "THE" solution, but at least it saves the user the hassle of manually opening the browser every time.
Lorenzo
1
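
One way to build the scheduled-task workaround described in the post above, as an added example (not Lorenzo's task and not Zyxel code): it triggers on the Windows RasClient connection event and opens a fixed HTTPS page as the logged-on user, without elevation. The connection name, gateway URL and task name are placeholders; event ID 20225 is the RasClient "successfully connected" entry in the Application log and should be confirmed in Event Viewer on the target build.

```powershell
# Added example. Placeholders (not from the thread): $VpnName, $AuthUrl, $TaskName.
$VpnName  = 'Office IPsec'                      # constructed: name of the Windows VPN connection
$AuthUrl  = 'https://vpn-gateway.example:8008'  # constructed host; :8008 is the port used in the thread
$TaskName = 'Open VPN MFA page'

# Accept only an absolute https:// URL, so the task can never be pointed at a
# local file, a script or a cleartext page by a typo in the variable above.
$uri = [Uri]$AuthUrl
if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
    throw "AuthUrl must be an absolute https:// URL, got '$AuthUrl'"
}
# The name is embedded in an XPath literal inside XML: reject characters that would break it.
if ($VpnName -match "['""<>&]") {
    throw "VpnName contains characters that cannot be used in the event filter"
}

# Event trigger: RasClient, event ID 20225, restricted to this connection name
# (matches any <Data> element of the event equal to $VpnName).
$subscription = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='RasClient'] and EventID=20225] and EventData[Data='$VpnName']]</Select>
  </Query>
</QueryList>
"@
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                             -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# Open the page in the user's default browser. The empty "" is the window title
# argument of 'start'; the URL stays quoted so cmd.exe does not interpret it.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' `
                                  -Argument ('/c start "" "{0}"' -f $uri.AbsoluteUri)

# Run in the interactive session of the current user with a limited (non-elevated) token.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                                        -LogonType Interactive -RunLevel Limited

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
                       -Principal $principal -Force | Out-Null
```

Installing the gateway's certificate chain on the clients, or using a name that matches a publicly trusted certificate, avoids training users to click through the browser warning mentioned earlier in the thread.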