Multi Factor Authentication with SonicWall VPN
SteveS Newbie ✭
in VPN Client
I understand that with SSL you can add MFA to VPN connections using a RADIUS server. I wasn't able to find info on adding MFA to IPSec VPN using the Global VPN Client. Is this because IPSec uses the pre-shared key, which is considered the second factor?
@SteveS you can use GVC with RADIUS authentication; last time I checked, RADIUS challenge/response wasn't working, and I can't tell if this has changed. The workaround was to use password+OTP while logging in.
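The password+OTP workaround mentioned above, as an added example (not SonicWall's code or anything posted in this thread) of how a RADIUS back end could validate a PAP User-Password that carries the static password followed by a 6-digit TOTP; the user table, password and TOTP seed are constructed assumptions.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional, Tuple

# Constructed sample user store (assumption for this example): static password
# plus raw TOTP seed. The seed is the RFC 6238 test-vector secret.
USERS = {
    "alice": {"password": "correct-horse", "totp_secret": b"12345678901234567890"},
}
OTP_DIGITS = 6
TOTP_STEP = 30  # seconds per TOTP time step

def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_valid(secret: bytes, otp: str, now: int, window: int = 1) -> bool:
    """RFC 6238 TOTP check, tolerating +/- `window` time steps of clock drift."""
    step = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, step + d), otp)
               for d in range(-window, window + 1))

def split_credential(user_password: str) -> Tuple[str, str]:
    """Split the concatenated User-Password into (static password, trailing OTP)."""
    if len(user_password) <= OTP_DIGITS or not user_password[-OTP_DIGITS:].isdigit():
        raise ValueError("credential must end in a %d-digit OTP" % OTP_DIGITS)
    return user_password[:-OTP_DIGITS], user_password[-OTP_DIGITS:]

def authenticate(username: str, user_password: str, now: Optional[int] = None) -> bool:
    """Return True for Access-Accept, False for Access-Reject, on a PAP-style request."""
    now = int(time.time()) if now is None else now
    record = USERS.get(username)
    if record is None:
        return False
    try:
        password, otp = split_credential(user_password)
    except ValueError:
        return False
    # Evaluate both factors before deciding, so a reject reveals nothing about which failed.
    pw_ok = hmac.compare_digest(password, record["password"])
    otp_ok = totp_valid(record["totp_secret"], otp, now)
    return pw_ok and otp_ok
```

Because the OTP rides inside the same PAP password attribute, the RADIUS shared secret and the path between the firewall and the RADIUS server should be treated as protecting a one-time code, and the server must reject reuse of an OTP within its validity window.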
Would this be necessary with GVC? Wouldn't the pre-shared key be considered a factor, so adding RADIUS authentication would be adding a third factor?
@SteveS I personally wouldn't count the PSK as a factor, for me it starts with username/password and what comes afterwards.
So in my opinion, to provide real multi-factor you need username + password + OTP. The PSK is too static to be a real factor, IMHO. Your ideology may vary :)
My ideology is significantly influenced by people like you who kindly answer my questions :-)
I don't disagree with you, just kind of thinking out loud here. If I were to use two-factor authentication with Office 365, and when prompted I click to state that I regularly log in to that computer, then MS saves the second-factor "token" on my machine so I don't need to enter it in the future. Is this different from GVC with the pre-shared key being saved? If not, then is it a bad idea to have my users click on the option that tells MS they regularly log in to that machine, and force them to enter the second factor every time they access Outlook?
@SteveS that's probably the balance between security and convenience.
Of course it would be more secure to NOT skip entering the token for a period of time, but it's probably annoying for the end users.
When your PSK (it's shared and probably known to many) and your username/password get compromised, access from outside is possible; having a changing token saves your bacon here. IMHO, VPN never without MFA.
My client wishes to have 2FA enabled for remote connections to a TZ-470 using GVC.
Is there a detailed document about how to implement this?
I have been reading multiple documents about using RSA SecurID, but I am not sure what exactly the cost to implement this is, nor is it explicit about how to go about this.
We do this via a RADIUS to Azure AD sync to Microsoft Authenticator app process. It's not for everyone, but if you are using O365 you can sync your on-site AD with Azure AD and then use the RADIUS server functionality on-site in combination with the 2FA/MFA functionality in O365 to have the GVC perform MFA VPN connections. It works very well once set up.
The following link is a guide for AFTER you already have the AD sync in place and are ready to do the RADIUS connectivity between the wall and your on-site AD, and then the 2FA connection. The RADIUS setup/usage can be done before the AD sync if you are already using that for VPN logins.