Multi Factor Authentication with SonicWall VPN

Hi There,

I understand that with SSL you can add MFA to VPN connections using a RADIUS server. I wasn't able to find info on adding MFA to IPSec VPN using the Global VPN Client. Is this because IPSec uses the pre-shared key, which is considered the second factor?

Thanks,

Steve

Category: VPN Client

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @SteveS you can use GVC with RADIUS Authentication. Last time I checked, RADIUS Challenge/Response wasn't working; can't tell if this has changed. The workaround was to use password+OTP while logging in.

    --Michael@BWC
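The password+OTP workaround Michael mentions means the RADIUS backend has to split the one field it receives and check each part. As an added illustration (not code from this thread or from SonicWall), this is how such a backend could verify a concatenated `<password><otp>` field: the fixed-length numeric suffix is treated as an RFC 6238 TOTP and the rest as the password; the user record, salt and TOTP seed are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample user record (not from the thread): salted PBKDF2 password hash
# plus the user's TOTP seed, as a RADIUS backend's user store might hold them.
_SALT = b"constructed-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
_TOTP_SECRET = b"constructed-totp-seed"
OTP_DIGITS = 6
OTP_STEP = 30


def totp(secret: bytes, unix_time: int, step: int = OTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_password_otp(field: str, digits: int = OTP_DIGITS):
    """Split '<password><otp>' on the fixed-length numeric suffix; None if the shape is wrong."""
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def verify(field: str, now: int = None, window: int = 1) -> bool:
    """True only if both the password and the time-based OTP are valid."""
    now = int(time.time()) if now is None else now
    parts = split_password_otp(field)
    if parts is None:
        return False
    password, otp = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, _PASSWORD_HASH)
    # Tolerate +/- `window` steps of clock drift; compare every candidate in constant time.
    otp_ok = False
    for d in range(-window, window + 1):
        if hmac.compare_digest(totp(_TOTP_SECRET, now + d * OTP_STEP), otp):
            otp_ok = True
    return password_ok and otp_ok
```

Both checks are always evaluated so a failing password does not short-circuit before the OTP comparison.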

  • SteveS Newbie ✭

    Thanks Michael,

    Would this be necessary with GVC? Wouldn't the pre-shared key be considered a factor, so adding RADIUS Authentication would be adding a third factor?

    Steve

  • BWC Cybersecurity Overlord ✭✭✭

    @SteveS I personally wouldn't count the PSK as a factor, for me it starts with username/password and what comes afterwards.

    So in my opinion, to provide real Multi-Factor you need username + password + OTP. PSK is too static to be a real factor, IMHO. Your ideology may vary :)

    --Michael@BWC

  • SteveS Newbie ✭

    Thanks Michael,

    My ideology is significantly influenced by people like you who kindly answer my questions :-)

    I don't disagree with you, just kind of thinking out loud here. If I were to use two-factor authentication with Office 365, and when prompted, I click to state that I regularly log in to that computer, then MS saves the second-factor "token" on my machine so I don't need to enter it in the future. Is this different from GVC with the pre-shared key being saved? If not, then is it a bad idea to have my users click on the option that tells MS they regularly log in to that machine, and force them to enter the second factor every time they access Outlook?

    Thanks again,

    Steve

  • BWC Cybersecurity Overlord ✭✭✭

    @SteveS that's probably the balance between security and convenience.

    Of course it would be more secure to NOT skip entering the token for a period of time, but it's probably annoying for the end users.

    When your PSK (it's shared and probably known to many) and your username/password get compromised, access from external is possible; having an alternating Token saves your Bacon here. IMHO, VPN never without MFA.

    --Michael@BWC

  • Epictetus Newbie ✭

    My client wishes to have 2FA enabled for remote connections to a TZ-470 using GVC.

    Is there a detailed document about how to implement this?

    I have been reading multiple documents about using RSA SecurID, but I am not sure what exactly the cost to implement this is, nor is it explicit about how to go about this.

    Thanks

  • WorkforceIT Newbie ✭

    We do this via a RADIUS to Azure AD sync to Microsoft Authenticator App process. It's not for everyone, but if you are using O365 you can sync your on-site AD with Azure AD and then use the RADIUS server functionality on-site in combination with the 2FA/MFA functionality in O365 to have the GVC perform MFA VPN connections. It works very well once set up.

    The following link is a guide for AFTER you already have the AD sync in place and are ready to do the RADIUS connectivity between the wall and your on-site AD, and then the 2FA connection. The RADIUS setup/usage can be done before the AD sync if you are already using that for VPN logins.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn