Google Authenticator is the most secure method to receive a verification code for two-factor authentication. It generates a new code every 30 seconds, so each code expires after 30 seconds, which makes it a secure option for generating codes for 2-step verification. Furthermore, Google Authenticator is free to download, easy to use, and works without Internet access. This example illustrates how to set up two-factor authentication with Google Authenticator for Remote Access VPN and SSL VPN.
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG FLEX 200H.
Two-Factor with Google Authenticator Flow
- Enable Google Authentication on a user.
- Set up Google Authenticator.
- Configure valid time and VPN types.
Enable Google Authentication on a User
Go to User & Authentication > User/Group. Select a local user and enable Two-factor authentication. Click "Set up Google Authenticator" to start setting up Google Authenticator on your mobile phone.
Set up Google Authenticator
- Download and install Google Authenticator on your mobile device.
- Register the user account in Google Authenticator: open the Google Authenticator app and scan the barcode shown on the Web GUI.
- Enter the token code displayed in Google Authenticator in "Step 3" and click "Verify code and finish" to submit and verify the code.
After 2FA registration is set up successfully, backup codes are shown on the Web GUI. The backup codes are for device login in case you don't have access to the application on your mobile device. Download the backup codes and record them in a safe place.
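How the 30-second code entered in "Step 3" is derived and checked, as an added example that is not Zyxel's or Google's code: Google Authenticator implements TOTP (RFC 6238) over a shared secret carried in the scanned barcode, which is why it works offline. The secret below is the RFC 6238 test key, and the drift window and replay check are assumptions about a typical verifier, not documented behaviour of the firewall.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid, as stated on this page
DIGITS = 6   # code length shown by Google Authenticator
# Constructed sample: Base32 of the RFC 6238 SHA-1 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """Return the RFC 6238 (HMAC-SHA1) code for Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // step)        # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at, drift_steps=1, last_counter=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    drift_steps tolerates clock skew between phone and server (assumed policy).
    last_counter is the last step already accepted for this user; codes from
    that step or earlier are refused so a captured code cannot be replayed.
    """
    current = int(at) // STEP
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter <= last_counter:
            continue
        expected = totp(secret_b32, counter * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("current code:", code, "accepted at step", verify(SECRET, code, now))
```

The server should store the returned counter per user and pass it back as `last_counter` on the next login attempt.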
Configure valid time and login service types
Enable two-factor authentication for VPN access. Configure the valid time and select which VPN types require two-factor authentication for VPN users. The valid time is the deadline by which the user needs to submit the two-factor authentication code to get VPN access. The request is rejected if the code is submitted later than the valid time. By default, the valid time is 3 minutes. The authentication page runs on a specific service port. After building up the VPN tunnel, the user has to enter the code in the Web GUI.
Test the Result
Remote Access VPN (IKEv2)
Open the Remote Access VPN tunnel on the SecuExtender VPN Client.
The browser will pop up an authentication page to enter the verification code. You can also enter the backup code if you don’t have a mobile device on hand.
Note: Users connecting without the SecuExtender VPN Client (for example, by using a native VPN client or another compatible VPN client) are not automatically redirected to the authentication portal. In this case, they must manually open the authentication portal URL in a web browser and complete the authentication process.
- Enter the code shown on Google Authenticator and click "Verify".
- Authorize with username, password and the token code successfully.
SSL VPN
Open the SSL VPN tunnel on the SecuExtender VPN Client, then follow the same steps as in the previous example with Remote Access VPN (IKEv2).
