Multi Factor Authentication with SonicWall VPN

Hi There,

I understand that with SSL you can add MFA to VPN connections using a RADIUS server. I wasn't able to find info on adding MFA to IPSec VPN using the Global VPN Client. Is this because IPSec uses the pre-shared key, which is considered the second factor?

Thanks,

Steve

Category: VPN Client

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @SteveS you can use GVC with Radius Authentication, last time I checked Radius Challenge/Response wasn't working, can't tell if this has changed. Workaround was to use password+otp while logging in.

    --Michael@BWC
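
The "password+otp" workaround mentioned above, sketched from the authentication server's side. This is an added example, not code from the thread or from SonicWall; it assumes the RADIUS backend receives the password with a 6-digit RFC 6238 TOTP appended in the single password field, and `verify_login`, `USER` and the sample password are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults: 30-second step, 6-digit code

def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = max(at, 0) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10**DIGITS).zfill(DIGITS)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(field: str, user: dict, now: int) -> bool:
    """Check a 'password+OTP' value typed into one password field."""
    if len(field) <= DIGITS or not field[-DIGITS:].isdigit():
        return False  # no OTP appended: reject even if the password is right
    password, otp = field[:-DIGITS], field[-DIGITS:]
    pw_ok = hmac.compare_digest(pw_hash(password, user["salt"]), user["pw_hash"])
    # Accept the previous, current and next step to tolerate clock drift.
    otp_ok = any(
        hmac.compare_digest(otp.encode(), totp(user["secret"], now + d * STEP).encode())
        for d in (-1, 0, 1)
    )
    return pw_ok and otp_ok

# Constructed sample user; the secret is the RFC 6238 SHA-1 test key.
SALT = b"constructed-salt"
USER = {
    "salt": SALT,
    "pw_hash": pw_hash("Winter-Example1", SALT),
    "secret": b"12345678901234567890",
}

if __name__ == "__main__":
    print(verify_login("Winter-Example1" + totp(USER["secret"], 59), USER, 59))
    # The same string replayed much later fails: the OTP has rotated.
    print(verify_login("Winter-Example1287082", USER, 1111111109))
```
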

  • SteveS Newbie ✭

    Thanks Michael,

    Would this be necessary with GVC? Wouldn't the pre-shared key be considered a factor, so adding RADIUS authentication would be adding a third factor?

    Steve

  • BWC Cybersecurity Overlord ✭✭✭

    @SteveS I personally wouldn't count the PSK as a factor, for me it starts with username/password and what comes afterwards.

    So in my opinion, to provide real Multi-Factor you need username + password + OTP. PSK is too static to be a real factor, IMHO. Your ideology may vary :)

    --Michael@BWC

  • SteveS Newbie ✭

    Thanks Michael,

    My ideology is significantly influenced by people like you who kindly answer my questions :-)

    I don't disagree with you, just kind of thinking out loud here. If I were to use two-factor authentication with Office 365, and when prompted, I click to state that I regularly log in to that computer, then MS saves the second factor "token" on my machine so I don't need to enter it in the future. Is this different than GVC with the pre-shared key being saved? If not, then is it a bad idea to have my users click on the option that tells MS they regularly log in to that machine and force them to enter the second factor every time they access Outlook?


    Thanks again,

    Steve

  • BWC Cybersecurity Overlord ✭✭✭

    @SteveS that's probably the balance between security and convenience.

    Of course it would be more secure to NOT skip entering the token for a period of time, but it's probably annoying for the end users.

    When your PSK (it's shared and probably known to many) and your username/password get compromised, access from external is possible; having an alternating token saves your bacon here. IMHO, VPN never without MFA.

    --Michael@BWC
