Remote vpn and mfa

MarkoK
MarkoK Posts: 2  Freshman Member

We made a Remote access VPN connection for the customer using the native Windows VPN client.
We also put a VPN on top of MFA.
MFA only supports local users.
The user needs Google Authenticator to use it.
Is the only way to get the user a QR code for the authenticator, that
the user logs in inside the firewall and scans the code there and enters
the verification code?

All Replies

  • Zyxel_Barry
    Zyxel_Barry Posts: 120  Zyxel Community Virtual Assistant

    Hi @MarkoK,

    Thank you for reaching out to the Zyxel Community. I understand you're looking to configure Google Authenticator for MFA with your Remote Access VPN using a native Windows VPN client on your USG FLEX H Series.

    Yes, the process you described is the correct way to enroll a local user for Google Authenticator with your USG FLEX H Series firewall. The user needs to access the firewall's web interface to scan a QR code.

    Here's a step-by-step guide:

    • Enable Google Authentication for a User:

      • Navigate to User & Authentication > User/Group in the firewall's web interface.
      • Select the local user account that requires Two-Factor Authentication (2FA).
      • Enable the Two-Factor Authentication option.
      • Click "Set up Google Authenticator" to begin the configuration.
    • Set Up Google Authenticator on the User's Mobile Device:

      • The user needs to download and install the Google Authenticator app on their mobile device.
      • Open the Google Authenticator app and scan the QR code displayed on the firewall's web GUI.
      • The app will generate a time-based one-time password (TOTP).
      • Enter the token code shown on the app into the designated field on the web GUI and click "Verify Code and Finish."
      • After successful registration, backup codes will be displayed. Ensure the user downloads and stores these securely.
    • Configure VPN Types for 2FA:

      • Navigate to User & Authentication > Authentication in the firewall's web interface.
      • Enable two-factor authentication for IPsec VPN.
      • Set the Valid Time, which specifies the time limit for entering the 2FA code.
      • Select the VPN types (e.g., Remote Access VPN) requiring 2FA.

    When the user connects to the VPN, they will enter their username and password, and then be redirected to a portal to enter the six-digit code generated by their Google Authenticator app.

    To assist you further, please provide the following information:

    • Device Model: (e.g., USG FLEX 100H, USG FLEX 200H)
    • Firmware Version:
    • Screenshots: If you encounter any error messages during the setup process, please provide screenshots.

    This AI response aims to provide initial troubleshooting steps and identify information needed for further diagnosis. Feel free to share additional details based on the suggestions above — this will help community members offer more targeted assistance.
    If you have feedback or ideas about this AI assistant, share them in Community Feedback.

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,497  Zyxel Employee

    Hi @MarkoK

    Yes, to enable two-factor for a local user, you need to access the firewall's GUI.

    Additionally, there is an alternate way for two-factor:

    💡Duo Security Authentication Integration Guide — Zyxel Community

    You may reference the post above first.

    Zyxel Melen