Use Multi-Factor Authentication (MFA) with Mobile VPNs

For enhanced security, you can require mobile users to supply information in addition to a password to authenticate.

Multi-factor authentication (MFA) requires users to supply two or more pieces of information, known as factors, to authenticate:

  • First factor—Password associated with the user name
  • Additional factors—Push notification, one-time password (OTP), or other factors supported by your RADIUS server and MFA provider

Two-factor authentication (2FA) is a type of multi-factor authentication that requires users to supply exactly two pieces of information to authenticate—the password associated with the user name and another factor. Most third-party MFA solutions use two-factor authentication and one-time passwords through challenge-response requests.

To provide MFA to your mobile users, you can:

Configure AuthPoint

AuthPoint, the cloud-based MFA solution from WatchGuard, works with all WatchGuard mobile VPN methods.

Mobile VPN with IKEv2

For general information about Mobile VPN with IKEv2 user authentication, see About Mobile VPN with IKEv2 User Authentication. For general information about the AuthPoint MFA workflow for Mobile VPN with IKEv2, see Configure MFA for a Firebox. For configuration examples, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint.

Mobile VPN with IKEv2 user authentication to Active Directory through AuthPoint supports push-based authentication only.

Android users who connect through the strongSwan VPN client receive AuthPoint push notifications only if you configure strongSwan for split tunneling. When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts. To configure split tunneling in strongSwan, see the documentation provided by strongSwan.

Mobile VPN with SSL

For general information about Mobile VPN with SSL and AuthPoint, see Plan Your Mobile VPN with SSL Configuration. For configuration examples, see Firebox Mobile VPN with SSL Integration with AuthPoint.

For general information about the AuthPoint MFA workflow for Mobile VPN with SSL, see Configure MFA for a Firebox.

Mobile VPN with L2TP

For a configuration example, see Firebox Mobile VPN with L2TP Integration with AuthPoint

Mobile VPN with L2TP user authentication to Active Directory through RADIUS and AuthPoint supports push-based authentication only.

To authenticate mobile L2TP users through AuthPoint, you must have Fireware v12.5.3 or higher.

Mobile VPN with IPSec

For a configuration example, see Firebox Mobile VPN with IPSec Integration with AuthPoint

Configure a Third-Party MFA Solution

This section primarily applies to third-party solutions that use two-factor authentication and challenge-response requests.

You must configure your RADIUS server, Firebox, and multi-factor authentication solution.

Configure the RADIUS Server

Configure multi-factor authentication on your RADIUS server:

  • Configure a group for the mobile VPN users, and add all Mobile VPN users who you want to authenticate to the RADIUS server to this group.
  • Configure multi-factor authentication for the mobile users on your RADIUS server.
  • Add the IP address of the Firebox to the RADIUS server to configure the Firebox as a RADIUS client.
  • For RADIUS, VASCO, or SecurID, make sure that the RADIUS server sends a Filter-Id attribute (RADIUS attribute 11) when a user successfully authenticates. This tells the Firebox what group the user is a member of. The value for the Filter-Id attribute must match the name of the Mobile VPN group as it appears in the Fireware RADIUS authentication server settings.

To complete these steps, see the documentation from your RADIUS server vendor.

Configure the Firebox

To use RADIUS server authentication for your mobile VPN users, you must complete these steps:

Configure the Multi-Factor Authentication Solution

To configure a third-party multi-factor or two-factor solution, see the documentation provided by your vendor.

How the Challenge-Response Method Works with the VPN Client

When a user authenticates from the VPN client, the VPN client sends the username and password to the Firebox. The Firebox sends the username and password to the RADIUS server. If the user and password are valid, and if multi-factor authentication is enabled for the user, the RADIUS server sends an access-challenge message to the Firebox to request the second factor. The Firebox uses information from the access-challenge to prompt the VPN client for the second authentication factor.

To authenticate a user, the VPN client, Firebox, and RADIUS server communicate as follows:

  1. The VPN client prompts the user for username and password credentials.
  2. The VPN client sends the credentials to the Firebox.
  3. The Firebox send a RADIUS Access-Request message, with the credentials, to the RADIUS server.
  4. The RADIUS server sends an Access-Challenge with a reply-message (Attribute 18) to the Firebox. This message includes text for the user about the second authentication method.
  5. The Firebox sends the reply-message attribute text to the VPN client.
  6. The VPN client displays the instructions to the user in a dialog box.
  7. The user types the one-time password or PIN in the dialog box.
  8. The VPN client sends the second factor to the Firebox.
  9. The Firebox sends the second factor to the RADIUS server with the username.
  10. If the second factor is valid, the RADIUS server sends an Access-Accept message and the Firebox allows the connection.

If any of these steps fail, the RADIUS server sends the Firebox an Access-Reject message, and authentication fails.

See Also

How RADIUS Server Authentication Works

About AuthPoint