How to implement IPSec Client VPN with Windows Native Client and MFA?

tgusset (Freshman Member)

Hi
I would like to implement MFA on an already working IPSec client VPN access on USG FLEX 200.
Configuration of MFA is well documented.
As I understand it, the workflow is that in the first step the VPN connection is established using username/password. In the second step the MFA code must be entered via the web-based authentication service offered by the USG on the WAN interface.

If one uses e-mail MFA, the mail contains a link to the authentication service. I guess the user clicks the link, which also contains the code.
But how does this work with Google Authenticator? I tried to manually access the authentication service. There is an input field where you can enter the code. But this always ends up with an authentication error.

Any ideas?

Thanks in advance, Thomas

All Replies

  • PeterUK (Guru Member), edited February 9

    The current problem with e-mail MFA is that you can't check your e-mail when the VPN is connected and runs as the gateway, so you would have to use a phone to authenticate a PC/laptop.

    Google Authenticator works by the USG allowing access to the 2FA page down the VPN. If your phone is set up with Google Authenticator, you just have to enter the code quickly; you can click to copy and paste. One problem with that I see is you have to edit the code for the button to be clickable.

  • Zyxel_Tina (Zyxel Employee)

    Hi @tgusset,

    To help us investigate the "authentication error" further, could you please provide a screenshot of the error and share your MFA/VPN configuration? (PM me if it contains sensitive data)

    Also, please confirm that your system time and phone time are correct and aligned. Our MFA is time-based, so any mismatch can cause errors or failures.

    For complete 2FA/MFA settings and workflow details, you can also refer to our handbook (p. 599) under "How to Use Two Factor with Google Authenticator for VPN Access." It provides a clear example of how the process should work.

    Zyxel Tina

  • tgusset (Freshman Member)

    Hi,
    thanks for the answer. The handbook shows how to use MFA with the Zyxel VPN client.
    My question was whether it is possible to use MFA with the Windows native VPN client. This client is not able to open the authentication page to enter the verification code automatically.

    To clarify my question: is it possible to access the authentication page manually (after establishing the VPN connection) and then enter the code, or is a reference to the user or the VPN session required that might have to be included as a POST parameter?

    My tests with manually opening the authentication page failed. I can see that the tunnel was established, but traffic forwarding is blocked.

    IPSec VPN works without MFA enabled.

    Thanks Thomas

  • Fred_77 (Ally Member)

    Hi @tgusset

    I confirm that the native Windows client is unable to automatically open the two-factor authentication page.

    To work around this limitation I created a scheduled task based on event 20280.

    Every time the event occurs, the web page pointing to 2FA opens.

    This obviously makes sense if you primarily use a single VPN connection. Otherwise, the page would attempt to open every time you try to connect to any VPN.

    Forgive the silly question: have you created a WAN to ZyWALL policy that allows traffic on the 2FA port (8008 should be the default)? Otherwise the 2FA page is unreachable.

    Regards

    Lorenzo

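The workaround Fred_77 describes, written out as an added example (not code from the thread or from Zyxel): a scheduled task that fires on event 20280 and opens the firewall's 2FA page, but only when one specific VPN connection is actually up, which avoids the page popping for every other VPN. It assumes the RasClient source writes event 20280 to the Application log, that the connection is named `Office-IPSec`, and that `https://FIREWALL_WAN_IP:8008/` is a placeholder for the 2FA page address on the WAN interface.

```powershell
# Added example: register a scheduled task that opens the Zyxel 2FA page when
# the Windows native VPN client logs event 20280 for one named connection.
# Assumptions: RasClient logs to the Application log; the URL is a placeholder.
$VpnName  = 'Office-IPSec'                  # assumed name of the Windows VPN connection
$TwoFaUrl = 'https://FIREWALL_WAN_IP:8008/' # placeholder: firewall 2FA page on the WAN

# Event trigger: New-ScheduledTaskTrigger has no event option, so build the
# MSFT_TaskEventTrigger CIM instance with an Event Viewer XPath subscription.
$ns      = 'Root/Microsoft/Windows/TaskScheduler'
$class   = Get-CimClass -Namespace $ns -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='RasClient'] and EventID=20280]]</Select>
  </Query>
</QueryList>
"@

# Action: check that the intended connection is connected before opening the
# page, so other VPN profiles on the machine do not trigger it.
$script = @"
if ((Get-VpnConnection -Name '$VpnName' -ErrorAction SilentlyContinue).ConnectionStatus -eq 'Connected') {
    Start-Process '$TwoFaUrl'   # opens the default browser in the user's session
}
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded"

# Run as the interactive user (the browser must open in that session); no elevation.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
             -LogonType Interactive

Register-ScheduledTask -TaskName 'Open VPN 2FA page' -Trigger $trigger `
    -Action $action -Principal $principal -Force
```

The task only opens the page; the WAN to ZyWALL policy allowing port 8008 that Fred_77 mentions still has to exist, or the browser will show an unreachable page.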
  • Zyxel_Tina (Zyxel Employee)

    Hi @tgusset,

    Since your VPN establishment is working correctly, could you please send the following via PM to help us investigate further:

    • Firewall config file
    • Firewall IP address (so we can test VPN and reproduce your issue)

    Zyxel Tina