Two-Factor Authentication (per Mail) on Zywall/USG
Since USG / ZyWall firmware version 4.32, you can use Two-Factor authentication (2FA) to let your VPN clients authenticate. These steps will guide you through the setup of sending the second authentication factor by mail.
Walkthrough Steps
- Log in to the unit by entering its IP address and the credentials for an admin account (by default, username is “admin”, password is “1234”)
- Configure your L2TP / IPSec / SSL connection as desired
- Navigate to Configuration > Object User/Group > User to create or edit a user
- Take care to fill in a valid mail address to which the second authentication factor for this user will be sent
- Put this user into the allowed VPN users group in the tab “Group”
- Navigate to Configuration > System > Notification > Mail Server and fill in the credentials for an SMTP server (if you don't own a mail server, you can use a free Gmail account, for example)
- Navigate to Configuration > Object > Auth. Method > Two-factor Authentication to enable this feature for the desired VPN (SSL / L2TP / IPSec)
- Under “User/Group” you can select the users which should authenticate using 2FA
- Under “Delivery Settings” enable “Email”
- Under “Authorize Link URL Address” you can choose “From Interface” and the respective interface or “User-Defined” to enter an IP address or (DynDNS-) domain name
Now your USG can let your clients authenticate more securely using Two-factor authentication!
The user connects to the VPN as usual; after entering their credentials, they receive a mail containing a link that leads to your USG. There they have to click “Authorize” to activate the token and be allowed to access resources in the VPN.
Please note: make sure that under “Authorize Link URL Address” you choose an interface, URL or IP address that is reachable from the internet! Depending on your configuration, you may also have to allow HTTP or HTTPS in your WAN-to-Device security policy, otherwise the authorize link cannot be opened.
Comments
I've followed all these instructions for enabling 2FA with email, but can't get it to work. I've enabled email notifications successfully (I get daily log emails), I've enabled IPSec VPN successfully as well, but configuring and enabling 2FA does nothing. No email goes out and I am still able to log in to IPSec without issues, so it is basically doing nothing. Any ideas?
Dear Zhewar,
since the details are yet to be clarified in your case, can you submit a request via our support portal support.zyxel.com? I assume there we can facilitate a proper communication channel to sort out your issue.
We will however review the knowledgebase and identify any potential issue within it.
Thank you very much, have a nice day!
Phillipe Piris
Technical Support Engineer
Hi,
Does this also work if we have the Zyxel attached to Active Directory and use a Security Group to verify the users for authentication?
Kind regards,
Steven
edit: With local User I got this working, nice :-)
Dear Steven,
we would kindly like to inform you that the following AAA servers are supported with this feature:
If you are encountering issues with a specific setup, we would kindly like to invite you to raise a support ticket or give us a call: https://support.zyxel.eu/hc/en-us/articles/360001934693-Zyxel-Phone-Support-Where-can-I-find-the-hotline-number-
I am sure we are able to sort this out.
Thank you very much, have a nice day!
Lukas Bohnen
Technical Support Engineer
Will this two-factor authentication method work using ZyWall SecuExtender?
Dear Karim,
yes, of course.
If you are encountering issues, feel free to reach out to us.
Lukas Bohnen
Technical Support Engineer
Dear Lukas,
Thanks very much for your response.
I've followed your walk-through steps above and as far as I can tell all the configuration is on my device (USG-20 VPN).
But when I try and connect with my ZyWALL SecuExtender I never get an email for the two step verification.
How does this work? Should I be getting the email when I try to connect? Will the email contain a verification code? What do I do with the verification code?
Can you please explain the sign in procedure after the config is there?
Thanks very much for your time.
Dear Karim,
we have created a ticket for you and will follow up via mail.
Lukas Bohnen
Technical Support Engineer