MFA (Multi-Factor Authentication) / 2FA (Two-Factor Authentication) for RA (Remote Access) users is supported on locally managed SMB appliances, either directly on the Quantum Spark appliance or with Active Directory / RADIUS acting as a relay.
Method #1: Directly on the Quantum Spark Appliance
To deploy MFA/2FA directly on the appliance, you first need a subscription with a third-party SMS provider that exposes an HTTP / REST API. Once you have this, enable the service by navigating to VPN > Remote Access Blade Control and checking the "Require users to confirm their identity using two-factor authentication" box:
Next, click on "Configure..." and enter the details that were provided by the SMS provider:

Lastly, in Users & Objects > Users, you will need to configure your remote access users with the phone number or e-mail address that should receive the verification code. This phone number should include the country code:

Note: The DynamicID URL format differs between SMS providers and user requirements, but a working example can look like the following:
https://sms.provider.com/messages/http/send?apiKey=<APIKEY>==&to=$PHONE&content=$MESSAGE&from=<PHONENUMBER>
In this example, you would replace <APIKEY> with the API key and <PHONENUMBER> with the sender phone number provided by the SMS provider, i.e. the number the verification code will be sent from.
The $PHONE portion is populated dynamically with the phone number entered for each local user account and should be left as is.
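The following is an added example (not Check Point's code, and not part of the original article) that shows the mechanics of the DynamicID URL template: it checks a template the way a reviewer would before saving it (HTTPS only, since the provider API key travels in the query string; both appliance placeholders present exactly once; no <...> fields left unfilled) and then substitutes $PHONE and $MESSAGE with percent-encoded values. The sample template, API key and phone numbers are constructed placeholders. How the appliance itself encodes the substituted values is not described in the article, so the encoding step is this example's assumption, not documented appliance behaviour.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Constructed sample template in the article's format; <APIKEY> and
# <PHONENUMBER> are unfilled placeholders, not real credentials.
SAMPLE_TEMPLATE = (
    "https://sms.provider.com/messages/http/send"
    "?apiKey=<APIKEY>==&to=$PHONE&content=$MESSAGE&from=<PHONENUMBER>"
)

# Constructed "filled in" variant with fake provider values.
FILLED_TEMPLATE = (
    "https://sms.provider.com/messages/http/send"
    "?apiKey=EXAMPLEKEYabc123==&to=$PHONE&content=$MESSAGE&from=15550001111"
)


def validate_template(template: str) -> list:
    """Return a list of problems found in a DynamicID URL template (empty = OK).

    Checks: the URL must use HTTPS (the API key is a query parameter, so a
    plain-HTTP URL would expose it on the wire), each appliance placeholder
    must appear exactly once, and no <FIELD> markers may be left unfilled.
    """
    problems = []
    parts = urlsplit(template)
    if parts.scheme != "https":
        problems.append(
            "scheme is %r; use https so the API key is not sent in clear" % parts.scheme
        )
    for placeholder in ("$PHONE", "$MESSAGE"):
        n = template.count(placeholder)
        if n != 1:
            problems.append(f"{placeholder} appears {n} times; expected exactly once")
    leftover = re.findall(r"<[A-Z]+>", template)
    if leftover:
        problems.append("unfilled provider fields: " + ", ".join(leftover))
    return problems


def expand_template(template: str, phone: str, message: str) -> str:
    """Substitute $PHONE and $MESSAGE, percent-encoding both values.

    Encoding matters for the leading '+' of a number with a country code:
    a raw '+' in a query string is decoded as a space by most HTTP servers,
    so "+15551234567" would otherwise reach the provider as " 15551234567".
    (Assumption: the appliance does not already encode the values itself.)
    """
    return (
        template
        .replace("$PHONE", quote(phone, safe=""))
        .replace("$MESSAGE", quote(message, safe=""))
    )


def decoded_query(url: str) -> dict:
    """Parse the query string of a final URL the way the provider would see it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    for name, tpl in (("sample", SAMPLE_TEMPLATE), ("filled", FILLED_TEMPLATE)):
        print(name, "->", validate_template(tpl) or "OK")
    url = expand_template(FILLED_TEMPLATE, "+15551234567", "Your code is 123456")
    print(url)
    print(decoded_query(url))
```

Running the module reports the unfilled <APIKEY> and <PHONENUMBER> fields in the sample template, accepts the filled one, and shows the provider receiving "+15551234567" intact because the "+" was sent as %2B.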
Method #2: Active Directory or RADIUS acting as a relay
To deploy MFA/2FA this way, you also need to configure an authentication server (AD 'Active Directory' or RADIUS), delegate the authentication requests to it, and apply the MFA/2FA mechanism on that server.
Important note:
If the same username exists on both AD and RADIUS, then by design the match happens first in AD; once AD is configured, there is no way to change the search priority or to stop the search.
Accordingly, implementing MFA/2FA through RADIUS is not supported by design when AD is also configured and the same username exists in both entities (AD & RADIUS).
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.