AuthPoint User Can Authenticate to Firebox Resource Without MFA

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

You have configured AuthPoint MFA for a Firebox with the Firebox resource type, but users are not prompted for MFA when they connect to Mobile VPN with SSL or IKEv2. The most common cause for this issue is that multiple authentication servers are configured on the Firebox and the Firebox is not configured to send authentication requests to AuthPoint.

Symptoms

When your Firebox is not configured to use the correct authentication server, you might notice these symptoms:

  • AuthPoint users can connect without MFA

Diagnostic Steps

  1. Verify the Mobile VPN with IKEv2 or SSL configuration includes the AuthPoint authentication server.
  2. Make sure the Mobile VPN with IKEv2 or SSL authentication servers are in the correct order and the user has authenticated to the correct server.
  3. Review your Zero Trust authentication policies.

Possible Causes and Solutions

Possible Cause: Multiple authentication servers are configured and AuthPoint is not the default server.

Solution: Make AuthPoint the default authentication server.

For an authentication to Mobile VPN with IKEv2 or SSL, the Firebox only processes the authentication against a single authentication server. Unless the user specifies a server, the Firebox uses the default authentication server. For this reason, if you want MFA, we recommend that you configure AuthPoint as the default authentication server.

If you do not want to configure AuthPoint as the default authentication server, users who require MFA must add AuthPoint\ before the user name. For example, AuthPoint\jsmith. You can also do this if you want to test MFA.

Possible Cause: Your Firebox resource has a password-only authentication policy.

Solution: Go to Configure > Zero Trust and edit your authentication policies so that each policy that includes the Firebox resource requires MFA.

Related Topics

Troubleshoot AuthPoint

General Troubleshooting Tips for AuthPoint

AuthPoint Tips and Best Practices