Zyxel USG FLEX H Firewall - How to Use Two Factor with Google Authenticator for Remote Access VPN and SSL VPN

Google Authenticator is the most secure method to receive a verification code for 2-factor authentication. Google Authenticator generates a new code every 30 seconds, so each code expires in just 30 seconds, which makes it a secure option for generating codes for 2-step verification. Furthermore, Google Authenticator is free to download, easy to use, and works without an Internet connection. This example illustrates how to set up two-factor authentication with Google Authenticator for Remote Access VPN and SSL VPN.

Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using a USG FLEX 200H.

Two-Factor with Google Authenticator Flow

  • Enable Google Authentication on a user. 
  • Set up Google Authenticator. 
  • Configure valid time and VPN types. 

Enable Google Authentication on a User

Go to User & Authentication > User/Group. Select a local user and enable Two-factor authentication. Click "Set up Google Authenticator" to start setting up Google Authenticator on your mobile phone.

Set up Google Authenticator

Download and install Google Authenticator on your mobile device. Register the user account in Google Authenticator: open the Google Authenticator app and scan the barcode shown on the Web GUI.

Enter the token code displayed in Google Authenticator under "Step 3" and click "Verify code and finish" to submit and verify the code.

After 2FA registration completes successfully, backup codes are shown on the Web GUI. The backup codes are for device login in case you don't have access to the application on your mobile device. Download the backup codes and record them in a safe place.

Configure valid time and login service types

Enable two-factor authentication for VPN access. Configure the valid time and select which VPN types require two-factor authentication for VPN users. The valid time is the deadline by which the user must submit the two-factor authentication code to get VPN access; a code submitted after the valid time has elapsed is rejected. By default, the valid time is 3 minutes. The authentication page is served on a specific service port. After the VPN tunnel is established, the user has to enter the code in the Web GUI.
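The two checks described on this page, the 30-second code rotation in the introduction and the valid-time deadline above, shown as an added Python example (not Zyxel's code): a standard RFC 6238 TOTP verifier of the kind Google Authenticator codes are checked against, plus a model of the "code must arrive within the valid time after the tunnel comes up" rule. The firewall's real implementation is not public; the base32 secret, the drift window of one step and the `verify_vpn_code` function are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30      # Google Authenticator rotates the code every 30 seconds
DIGITS = 6          # Google Authenticator shows 6-digit codes
VALID_TIME = 180    # the firewall's default valid time from the article: 3 minutes


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the base32 shared secret carried in the enrolment QR code."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore any stripped padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps elapsed."""
    return hotp(secret, unix_time // step)


def verify_code(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step plus/minus `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False


def verify_vpn_code(secret: bytes, submitted: str, tunnel_up_at: int,
                    unix_time: int, valid_time: int = VALID_TIME) -> bool:
    """Assumed model of the firewall rule: the code must be submitted within
    `valid_time` seconds of the tunnel coming up and be a currently valid TOTP."""
    if unix_time - tunnel_up_at > valid_time:
        return False                                    # submitted after the deadline
    return verify_code(secret, submitted, unix_time)


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret, base32-encoded as a QR code carries it
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, 59))                             # 287082
```

At Unix time 59 the counter is 1, which yields the RFC 4226 test value 287082; the same code is still accepted one step later through the drift window but not once the valid time has passed.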

Test the Result: Remote Access VPN (IKEv2)

Open the Remote Access VPN tunnel on the SecuExtender VPN Client.

The browser will pop up an authentication page to enter the verification code. You can also enter the backup code if you don’t have a mobile device on hand.

Note: Users connecting without the SecuExtender VPN Client (for example, by using a native VPN client or another compatible VPN client) are not automatically redirected to the authentication portal. In this case, they must manually open the authentication portal URL in a web browser and complete the authentication process.

Enter the code shown on Google Authenticator and click "Verify". Authentication with the username, password and token code succeeds.

SSL VPN 

Open the SSL VPN tunnel on the SecuExtender VPN Client and follow the same steps as in the previous Remote Access VPN (IKEv2) example.

SSL VPN logs
