Background
Domain network security matters to every user. If an attacker takes over an account that is protected by nothing more than a password, the personal data behind it, and with it your company's data, are exposed. Requiring an additional authentication step before a user is admitted to the protected network is what guards that data in the end. This article describes how to set up Two-Factor Authentication on the USG together with your AD server, so that every user must complete a second authentication step before gaining access to your network.
Scenario and Topology
The topology and the setup steps are shown below.
1. A public IP address on the USG (on the interface that will terminate the L2TP VPN)
Configuration
Step.1 Set Up AD authentication in AAA server
Go to CONFIGURATION > Object > AAA Server and click Edit to fill in the AD authentication details (the AD server the USG queries and the account it binds with).
Step.2 Add AD authentication into Auth. Method
Go to CONFIGURATION > Object > Auth. Method > Authentication Method and click Edit on the default profile to add the AD server to its method list.
Step.3 Enable Two-Factor Authentication on USG
Go to CONFIGURATION > Object > Auth. Method > Two-Factor Authentication and enable it.
Step.4 Setup SMTP setting on USG
Go to CONFIGURATION > System > Notification > Mail Server and enter the SMTP server the USG will use to send the two-factor mail.
Step.5 Setup mail attribute on the AD server
On the AD server go to Start > Administrative Tools > Active Directory Users and Computers, open the user and fill in the E-mail field on the General tab. The USG sends the two-factor mail to this address, so a user without a mail attribute can authenticate to the tunnel but never receives the mail and cannot complete the second step.
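The same attribute can be set and audited from PowerShell. The following is an added example and not part of the original article; it assumes the RSAT ActiveDirectory module is installed and that the accounts allowed to dial in are members of a hypothetical group VPN-Users. The user jdoe and the address are placeholders.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module and a hypothetical group "VPN-Users" that holds the accounts allowed to dial in.
Import-Module ActiveDirectory

$VpnGroup = 'VPN-Users'   # assumption: group of accounts allowed to use the L2TP tunnel

# 1. Set the mail attribute for one user. -EmailAddress writes the LDAP "mail" attribute,
#    which is the E-mail field on the General tab in Active Directory Users and Computers.
Set-ADUser -Identity 'jdoe' -EmailAddress 'jdoe@example.com'

# 2. Audit: every member of the VPN group must carry a mail address, otherwise the USG
#    has nowhere to send the two-factor authorization mail and the tunnel never passes traffic.
$Missing = Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail |
    Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }

if ($Missing) {
    Write-Warning "Members of $VpnGroup without a mail attribute (2FA mail cannot be delivered):"
    $Missing | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
} else {
    Write-Host "All members of $VpnGroup have a mail attribute."
}
```

Run the audit again whenever accounts are added to the group; a user who is added without a mail address will otherwise fail the second factor without an obvious error on the USG side.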
Step.6 Setup L2TP VPN tunnel rule on USG(by Wizard)
(1) Go to CONFIGURATION and click the Setup Wizard button to create the L2TP VPN tunnel with the wizard.
(2) Select VPN Setting for L2TP VPN Settings to create an L2TP VPN rule.
(3) Select the L2TP VPN gateway interface and enter the Pre-Shared Key for the rule.
(4) Enter the L2TP pool range that will be assigned to clients after the VPN tunnel is established. The pool range must not overlap any interface IP subnet on the USG.
(5) When everything is done, review the L2TP settings summary and save the configuration.
Verification
After these settings are in place on the USG and the AD server, a client can establish an L2TP VPN tunnel with an AD account. The USG then sends a “Two-factor Authentication” mail to the address stored in the user's AD mail attribute. Traffic through the tunnel is only allowed once the user clicks the authorize button in that mail; until then the tunnel is up but no traffic passes.
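To test the result from a Windows client with the built-in VPN client, the following added example (not from the original article) creates the L2TP/IPsec profile, dials with an AD account and checks that traffic is blocked until the mail is authorized. The server address 203.0.113.10, the connection name USG-L2TP and the internal host 192.0.2.10 are placeholders; the PSK is the one entered in wizard step (3).

```powershell
# Added example (not from the original article): dial the L2TP/IPsec tunnel from a
# Windows 10/11 client and verify the two-factor gate. Placeholders: USG public address
# 203.0.113.10, connection name "USG-L2TP", internal test host 192.0.2.10.
$ServerAddress = '203.0.113.10'
$ConnName      = 'USG-L2TP'

# Prompt for the PSK instead of embedding it in the script or shell history.
$PskSecure = Read-Host -Prompt 'Pre-Shared Key' -AsSecureString
$PskPlain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PskSecure))

# Only relevant when the client itself sits behind NAT: Windows refuses L2TP/IPsec to a
# NAT-T peer unless this policy value is set (a reboot is required after adding it).
$PaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
if (-not (Get-ItemProperty -Path $PaKey -Name AssumeUDPEncapsulationContextOnSendRule -ErrorAction SilentlyContinue)) {
    New-ItemProperty -Path $PaKey -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType DWord -Value 2 | Out-Null
    Write-Warning 'NAT-T registry value added; reboot before testing if this client is behind NAT.'
}

# Create (or replace) the profile: L2TP over IPsec with PSK, MS-CHAPv2 for the AD user.
Add-VpnConnection -Name $ConnName -ServerAddress $ServerAddress -TunnelType L2tp `
    -L2tpPsk $PskPlain -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Dial with the AD account (use DOMAIN\user or the UPN, matching what the USG sends to AD).
$Cred = Get-Credential -Message 'AD account for the L2TP tunnel'
rasdial $ConnName $Cred.UserName ($Cred.GetNetworkCredential().Password)

# "Connected" means IPsec, L2TP and the AD password check all succeeded.
(Get-VpnConnection -Name $ConnName).ConnectionStatus

# Two-factor check: with the tunnel connected this should still FAIL until the user
# clicks the authorize button in the "Two-factor Authentication" mail, then succeed.
Test-Connection -ComputerName 192.0.2.10 -Count 2 -Quiet
```

If the tunnel reports Connected but the mail never arrives, check the user's mail attribute in AD and the Mail Server settings on the USG before looking at the VPN rule itself: the first factor has already passed at that point.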