USG/ATP/VPN - VPN 2FA with SMS (eCall)

The Zyxel firewall series offers the possibility of 2FA authentication via SMS for VPN and admin access. Local firewall users can be used, as well as AD or RADIUS users.

1. eCall Portal

2. Notification Server

3. Two-factor Authentication

4. Security Policy

5. HTTPS Settings

6. VPN Gateway


1. eCall Portal

An eCall account can be opened at https://portal.ecall-messaging.com/ecall/. The account is opened within a short time.

Once the account has been opened, the sender address of the firewall can be entered under Interfaces > E-mail interface via the "Add address" button. In addition, the option "I allow messages to be sent via e-mail through my eCall account." must be activated.

No additional settings are required.

Notification Server

Configuration > System > Notification

  • Mail Server

mceclip1.png

First, set up an e-mail server for sending mail. Usually, port 587 is used for sending, together with TLS security and STARTTLS if necessary. Whether the mail server is set up correctly can be checked, for example, by sending a daily report.

  • SMS

The following settings can be used for eCall:

Enable SMS: activate
Default country code for phone number: 41 for Switzerland
Provider Domain: sms.ecall.ch
Auto append to «mail to»: activate
Mail Subject: +$mobile_number$
Mail From: the e-mail address registered in the eCall portal. Ideally, this is identical to the e-mail address in the mail server settings.
Mail To: +$mobile_number$

The "Default country code for phone number" can also be "0". However, the user's phone number must then be defined with the prefix "+xx", e.g. +41761234567.

  • User settings

Configuration > Object > User/Group > User

A mobile number in the format 0761234567 is added to the user.


In addition, 2FA is activated.


Two-factor Authentication

Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access


The function must be switched on as a basic requirement. Subsequently, it is defined for which users and for which connection types 2FA should be active. "Authorized Link URL" is the address sent in the SMS message; it must be reachable from the outside on the specified port. For eCall the option "Use Multilingual file" must be used.

The template file can be obtained and adapted via the download link, and the adapted file can then be uploaded back onto the firewall.

The file must contain the placeholder <url>.

The following placeholders can be used:

<url> Authorization Link URL address

<user> User who has logged in with 2FA

<host> Name of the firewall (Configuration > System > Host Name)

<Time> Valid Time: the time within which the client can authenticate itself
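As an added example that is not part of this article or of Zyxel's firmware, the following Python helper shows what the SMS settings above yield for a user's mobile number (the gateway address is assumed to be "Mail To" plus the provider domain, and the handling of numbers without a leading 0 is an assumption) and fills the multilingual template with the placeholders listed here; all sample numbers, host names and URLs are constructed.

```python
import re

# Constructed values for the example; the firewall's own address composition is an assumption.
PROVIDER_DOMAIN = "sms.ecall.ch"
PLACEHOLDERS = ("<url>", "<user>", "<host>", "<Time>")  # exact spelling as listed above


def sms_recipient(mobile: str, default_country_code: str,
                  provider_domain: str = PROVIDER_DOMAIN):
    """Return the address the firewall mails to, e.g. +41761234567@sms.ecall.ch,
    or None when the user's number and the default country code cannot combine
    into a valid international number (the cases described in the SMS settings)."""
    digits = re.sub(r"[\s\-()]", "", mobile)
    if digits.startswith("+"):
        number = digits                                   # already carries its +xx prefix
    elif default_country_code == "0":
        return None                                       # code "0" requires +xx on the user
    elif digits.startswith("0"):
        number = "+" + default_country_code + digits[1:]  # 0761234567 -> +41761234567
    else:
        number = "+" + default_country_code + digits      # assumption: no trunk prefix to strip
    if not re.fullmatch(r"\+[1-9]\d{7,14}", number):      # E.164: at most 15 digits
        return None
    return f"{number}@{provider_domain}"


def render_sms_template(template: str, url: str, user: str, host: str, valid_time: str):
    """Fill the multilingual template; returns None if the mandatory <url> tag is missing.
    Replacement is case-sensitive, so <Time> must be written exactly as in the list above."""
    if "<url>" not in template:
        return None
    text = template
    for tag, value in zip(PLACEHOLDERS, (url, user, host, valid_time)):
        text = text.replace(tag, value)
    return text


if __name__ == "__main__":
    # Constructed sample: user with mobile 0761234567, default country code 41.
    print(sms_recipient("0761234567", "41"))
    print(render_sms_template("Hi <user>, approve VPN login to <host> within <Time> min: <url>",
                              "https://fw.example.invalid:8443/2fa?t=EXAMPLE", "alice", "USG-FLEX", "5"))
```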


Security Policy

Configuration > Security Policy > Policy Control

A security policy must be created for authentication using 2FA.


From: wan

To: ZyWALL

Source: can be restricted if necessary, e.g. to Switzerland

Service: Wiz_2FA (the port adjusts dynamically when it is changed in the 2FA menu)

Action: allow

HTTPS Settings

Configuration > System > WWW > HTTPS > User Service Control

For "User Service Control", access from the "WAN" or "ALL" zone must be permitted.


VPN Gateway

Configuration > VPN > IPSec VPN > VPN Gateway

For IPSec VPN (L2TP/IKEv1/IKEv2), 2FA must be activated in the VPN gateway.
