Issue with TOTP and SSL VPN with RADIUS
I am using a TZ500 firewall and want to enable TOTP for our SSL VPN with RADIUS setup. RADIUS authentication with NetExtender and the Virtual Office portal works just fine. However, when I enable TOTP the account cannot authenticate in NetExtender.
Here is what works:
TOTP enabled
The message to bind the account comes up
I login to Virtual Office portal and bind the account using DUO as the OTOP provider
I can successfully authentication to the Virtual Office portal
What doesnt work:
I switch to NetExtender
I enter the same credentials and get an authentication error.
Category: SSL VPN
0
Answers
does netextender work without TOTP enabled? what are the logs telling you?
Hi @sgadmins , if you are using a third part to do the 2FA via Radius, you do not need to enable the TOTP on the SonicWall as this is handled via the Radius & Duo
Yes, NetExtender connections work without TOTP enabled. RADIUS logs show successful connection and I'm able to connect to internal resources.
Can you clarify what you mean by third part to do 2FA with RADIUS?
Did some further testing. Created a local firewall account and enabled SSL VPN access for this account with TOTP. This is a non-domain account and no RADIUS authentication. This works. I got all the prompts as expected for TOTP binding and code entry.
I'm still trying to figure out why this cannot be accomplished on accounts that authenticate through our RADIUS server.
Hi @sgadmins
depending of your Radius Server Implementation you can do all the OTP Part in the Radius Authentication Protocol. In my experience Challange/Response did not worked at least until 6.5.4.x for GVC. It could be accomplished when Radius support password+otp single step instead of multi step.
I'am not familar with Duo, but if it's a endpoint only TOTP Authenticator (like Google, Microsoft etc.) you need TOTP enabled on the Firewall. If it can be centrally managed then Radius might be an option, like FreeRadius+LinOTP just to name a Open Source variant. I don't wanna make any advertising here for the commercial one I prefer.
--Michael@BWC
We use Microsoft NPS for our RADIUS implementation. So it would seem I need to look further into NPS and support for OTP?
Hi @sgadmins
correct, I'am more of a Linux guy, but NPS can be extended with OTP.
UPDATE:
It was SSL-VPN which had the trouble with the Radius Challange/Response, confused it with GVC above.
--Michael@BWC
Hi @sgadmins, I meant third party as in using the Duo auth service with Radius like you would with other Vendors like Vasco etc.. because if you are using the Duo auth paid service i.e. https://duo.com/docs/radius this works differently to how the SonicWall TOTP as this is usually doing the 2FA,
you can still use the Duo app on your phone though and add a new connection using the built in SonicWall TOTP
if you are not using the DUO auth service as mentioned above, why not just use LDAP(S) to connect to the server instead of RADIUS ?
I was able to resolve this. Setup the DUO Authentication Proxy: Duo Authentication Proxy Reference | Duo Security
Now i'm getting the push notification to authorize a connection.