Use Multi-Factor Authentication (MFA) with Mobile VPNs

For enhanced security, you can require mobile users to supply information in addition to a password to authenticate.

Multi-factor authentication (MFA) requires users to supply two or more pieces of information, known as factors, to authenticate:

  • First factor—Password associated with the user name
  • Additional factors—Push notification, one-time password (OTP), or other factors supported by your RADIUS server and MFA provider

Two-factor authentication (2FA) is a type of multi-factor authentication that requires users to supply exactly two pieces of information to authenticate—the password associated with the user name and another factor. Most third-party MFA solutions use two-factor authentication and one-time passwords through challenge-response requests.

This topic primarily applies to third-party solutions that use two-factor authentication and challenge-response requests.

For multi-factor authentication through AuthPoint, the WatchGuard MFA solution, see:

AuthPoint works with all WatchGuard mobile VPN methods.

Android users who connect through the strongSwan VPN client receive AuthPoint push notifications only if you configure strongSwan for split tunneling. When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts. To configure split tunneling in strongSwan, see the documentation provided by strongSwan.

Configure Multi-Factor Authentication for Mobile VPNs

You must configure your RADIUS server, Firebox, and multi-factor authentication solution.

Configure the RADIUS Server

Configure multi-factor authentication on your RADIUS server:

  • Configure a group for the mobile VPN users, and add to this group all mobile VPN users who you want to authenticate to the RADIUS server.
  • Configure multi-factor authentication for the mobile users on your RADIUS server.
  • Add the IP address of the Firebox to the RADIUS server to configure the Firebox as a RADIUS client.
  • For RADIUS, VASCO, or SecurID, make sure that the RADIUS server sends a Filter-Id attribute (RADIUS attribute 11) when a user successfully authenticates. This tells the Firebox what group the user is a member of. The value for the Filter-Id attribute must match the name of the Mobile VPN group as it appears in the Fireware RADIUS authentication server settings.

To complete these steps, see the documentation from your RADIUS server vendor.

Configure the Firebox

To use RADIUS server authentication for your mobile VPN users, you must complete these steps:

Configure the Multi-Factor Authentication Solution

To configure a third-party multi-factor or two-factor solution, see the documentation provided by your vendor.

How the Challenge-Response Method Works with the VPN Client

When a user authenticates from the VPN client, the VPN client sends the username and password to the Firebox. The Firebox sends the username and password to the RADIUS server. If the user and password are valid, and if multi-factor authentication is enabled for the user, the RADIUS server sends an access-challenge message to the Firebox to request the second factor. The Firebox uses information from the access-challenge to prompt the VPN client for the second authentication factor.

To authenticate a user, the VPN client, Firebox, and RADIUS server communicate as follows:

  1. The VPN client prompts the user for username and password credentials.
  2. The VPN client sends the credentials to the Firebox.
  3. The Firebox sends a RADIUS Access-Request message, with the credentials, to the RADIUS server.
  4. The RADIUS server sends an Access-Challenge with a reply-message (Attribute 18) to the Firebox. This message includes text for the user about the second authentication method.
  5. The Firebox sends the reply-message attribute text to the VPN client.
  6. The VPN client displays the instructions to the user in a dialog box.
  7. The user types the one-time password or PIN in the dialog box.
  8. The VPN client sends the second factor to the Firebox.
  9. The Firebox sends the second factor to the RADIUS server with the username.
  10. If the second factor is valid, the RADIUS server sends an Access-Accept message and the Firebox allows the connection.

If any of these steps fail, the RADIUS server sends the Firebox an Access-Reject message, and authentication fails.
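
The following added example (not WatchGuard code) decodes the RADIUS server replies from steps 4 and 10 the way a RADIUS client would when you troubleshoot a capture: it reads the Reply-Message text from an Access-Challenge and compares Filter-Id in an Access-Accept with the Mobile VPN group name. The packet codes and the State attribute (type 24) come from RFC 2865; the group name, prompt text, and sample packets are constructed, and verification of the response authenticator is left out.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
FILTER_ID, REPLY_MESSAGE, STATE = 11, 18, 24

def build_packet(code, ident, attrs):
    """Build a constructed RADIUS packet (zeroed authenticator, sample data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_packet(data):
    """Return (code name, {attribute type: [values]}); raise ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(data[pos + 2:pos + a_len])
        pos += a_len
    return CODES.get(code, f"code {code}"), attrs

def next_action(data, vpn_group):
    """Decide what the RADIUS client does with a server reply."""
    name, attrs = parse_packet(data)
    if name == "Access-Challenge":
        # Reply-Message carries the prompt text; State is echoed in the next request.
        prompt = b"".join(attrs.get(REPLY_MESSAGE, [])).decode("utf-8", "replace")
        return ("prompt", prompt, attrs.get(STATE, [b""])[0])
    if name == "Access-Accept":
        # Filter-Id must match the Mobile VPN group name exactly.
        groups = [v.decode("utf-8", "replace") for v in attrs.get(FILTER_ID, [])]
        return ("allow", vpn_group, None) if vpn_group in groups else ("no-group", groups, None)
    return ("deny", None, None)

# Constructed sample replies (group name and prompt text are hypothetical)
CHALLENGE = build_packet(11, 7, [(REPLY_MESSAGE, b"Enter your one-time password"),
                                 (STATE, b"sess-01")])
ACCEPT = build_packet(2, 8, [(FILTER_ID, b"Mobile-VPN-Users")])
REJECT = build_packet(3, 9, [])
```

A "no-group" result means the server accepted the user but did not return a Filter-Id value that matches the group name, which is the mismatch to look for when authentication succeeds on the RADIUS server but the user is not recognized as a group member.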

See Also

How RADIUS Server Authentication Works

About AuthPoint