

SONICWALL GLOBAL VPN 2FA HOW TO
This third and final article in our series on Two Factor Authentication using Sophos UTM takes you through configuring Sophos UTM for user self-enrolment of OTP, including how to revoke a token should the device be lost. The cost is obviously not limited to the price of the token, but also the time and administration required by both the Sophos UTM administrators and the users themselves. When choosing a Two Factor Authentication model, you should include the cost of user enrolment as well as token management and revocation.
SONICWALL GLOBAL VPN 2FA MANUAL
In the second article we moved through the steps required to enable Two Factor Authentication for Sophos UTM administration, using a manual process and specifying our own entropy.
SONICWALL GLOBAL VPN 2FA PASSWORD
If you are still unable to connect, contact ESET technical support. The first article in this series discussed concepts and considerations for Two Factor Authentication, and why One-time Password (OTP) with soft tokens makes a lot of sense. Verify that there is no firewall blocking UDP 1812 between your VPN device and your RADIUS server. Select the check box next to Require XAUTH/RADIUS. In the Security Association field, select GroupVPN. Navigate to the VPN window in the administrative interface and select the Configure tab. Verify that RADIUS authentication is enabled on the SonicWall server: a. Run a smoke test against your RADIUS server, as described in the Verifying ESA RADIUS Functionality document. If this is a new SonicWall VPN setup, try logging in without a WiKID one-time password before adding in two-factor authentication. For example, if the user has an AD password of Esa123 and an OTP of, type in Esa Troubleshooting If you are unable to authenticate via the ESA RADIUS server, ensure that you have performed the following steps: 1. When prompted for a password, append the OTP generated by the Mobile Application to your AD password. Connect to your SSL-VPN using a user account that has been configured for use with Mobile Application 2FA using ESA. The domain will be added to the Domain Settings table. vii. Optionally, add the details of a backup ESA RADIUS server.

Max retries: 2 vi. Portal Layout Name: Select your portal layout. Secret Password: As shown in Figure 1 iv. Radius Timeout: 30 seconds v. Radius server port: 1812 (or custom port if you are overriding). Radius Server Address: The IP address of your ESA RADIUS server. Under Primary Radius Server, enter the following details: i. Enter a descriptive name for the authentication domain in the Domain Name field, for example, ESA Radius. From the Authentication type drop-down menu, select Radius. Using a web browser, log into the SonicWall administrative interface. Note that the check boxes next to Mobile Application, Compound Authentication and Active Directory passwords without OTPs must be selected and the IP Address is the internal address of your SonicWall appliance. The supported appliances are: E-Class SRA Series SRA Series RA Series (although interfaces may differ from this guide, the same concepts will apply) Figure 1 This screenshot shows the RADIUS client settings for your SonicWall VPN device. It is also recommended that you limit VPN access to a security group (for example VPNusers). Note: To prevent locking any existing, non-2FA enabled AD users out of your VPN, we recommend that you allow Active Directory passwords without OTPs during the transitioning phase. Prerequisites Configuring the VPN device for 2FA requires: A functional ESA RADIUS server that has your SonicWall SSL VPN device configured as a client, as shown in Figure 1. Overview This document describes how to enable ESET Secure Authentication (ESA) Two-Factor Authentication (2FA) for a SonicWall SRA VPN device.
