Two-Factor Authentication (by email) on ZyWALL/USG

Since USG/ZyWALL firmware version 4.32, you can use two-factor authentication (2FA) for VPN client logins. These steps guide you through setting up delivery of the second authentication factor by email.
- Log in to the unit by entering its IP address and the credentials for an admin account (by default, username is “admin”, password is “1234”)
- Configure your L2TP / IPSec / SSL connection as desired
- Navigate to Configuration > Object > User/Group > User to create or edit a user
- Take care to fill in a valid email address; the second authentication factor for this user will be sent there
- Put this user into the allowed VPN users group in the tab “Group”
- Navigate to Configuration > System > Notification > Mail Server and fill in the credentials for an SMTP server (if you don't run your own mail server, you can use a free Gmail account, for example)
- Navigate to Configuration > Object > Auth. Method > Two-factor Authentication to enable this feature for the desired VPN (SSL / L2TP / IPSec)
- Under “User/Group”, select the users who must authenticate using 2FA
- Under “Delivery Settings” enable “Email”
- Under “Authorize Link URL Address” you can choose “From Interface” and the respective interface or “User-Defined” to enter an IP address or (DynDNS-) domain name
Your USG can now let your clients authenticate more securely using two-factor authentication.
The user connects to the VPN as usual. After entering their credentials, they receive an email with a link that leads to your USG; there they click “Authorize” to activate their token and are then allowed to access resources in the VPN.
Please note: under “Authorize Link URL Address”, choose an interface, URL or IP address that is reachable from the internet! Depending on your configuration, you may also have to allow HTTP or HTTPS in your WAN-to-Device security policy.
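As an added example (not part of the original guide or of Zyxel's software), the following Python preflight check validates the value you intend to enter under “Authorize Link URL Address” before deploying: it flags addresses that internet-based VPN clients cannot reach (private, loopback or link-local IPs, unqualified or .local hostnames), tells you which service the WAN-to-Device policy must allow, and warns when the authorize link would travel over plain HTTP. The host names used in the usage call are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass
class LinkCheck:
    ok: bool                      # True when internet clients can plausibly reach the link
    scheme: str                   # "http" or "https" as configured
    host: str                     # IP address or DNS name clients will be sent to
    wan_to_device_service: str    # service to allow in the WAN-to-Device policy
    problems: list = field(default_factory=list)   # blocks the 2FA flow
    warnings: list = field(default_factory=list)   # works, but weakens it


def check_authorize_link(address: str) -> LinkCheck:
    """Preflight an 'Authorize Link URL Address' value (IP or DynDNS name).

    A bare address without a scheme is treated as HTTPS, which is what the
    authorize page should be served over (assumption of this example).
    """
    problems, warnings = [], []
    url = address if "://" in address else "https://" + address
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname or ""
    if scheme not in ("http", "https"):
        problems.append(f"unsupported scheme {scheme!r}; the authorize page is served over HTTP/HTTPS")
    if not host:
        problems.append("address contains no host")
    else:
        try:
            ip = ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            if not ip.is_global:   # RFC 1918, loopback, link-local, reserved ranges
                problems.append(f"{host} is not a public address; internet clients cannot reach it")
        elif "." not in host or host.endswith((".local", ".localdomain", ".lan")):
            problems.append(f"{host} is not a public DNS name; use a registered or DynDNS hostname")
    if scheme == "http":
        warnings.append("plain HTTP: the one-time authorize link is sent in cleartext")
    service = {"https": "HTTPS", "http": "HTTP"}.get(scheme, "n/a")
    return LinkCheck(not problems, scheme, host, service, problems, warnings)


if __name__ == "__main__":
    for candidate in ("vpn.example-dyndns.org", "http://192.168.1.1", "https://usg"):
        result = check_authorize_link(candidate)
        print(candidate, "->", "OK" if result.ok else "FIX", result.problems, result.warnings)
```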