@Clive_A 

Many thanks for getting back to me.

Products that use OpenVPN in their software based router/firewall solutions like Arista's Untangle and OPNsense have TOTP MFA configurable within their OpenVPN settings.

All that is needed is a radius server setup to be able to manage the TOTP MFA authentication, what can be configured within OpenVPN. Not sure if linking to competitors sites is allowed, but here are a few examples - ZenArmor/OPNSense, Arista Firewall, Ubiquity EdgeOS, OpenVPN Server (EDIT: Links not allowed, but easy to Google)

While we can use these other products as the "VPN server" for our customers, we do like the Omada software and the functionality it provides and would love to just use this one product. As mentioned, having TOTP/MFA as an option on the VPN for an extra layer of security would be a great addition to have, especially since alot of Cyber Insurance providers are wanting MFA on any VPN connections.

Morning @Clive_A!

So most of those services noted there are software based firewall which are traditionally installed on a "server" of sorts. OPNSense is open source software, but they do also provide preinstalled hardware much like Arista can do. The exception to that however is the EdgeOS as that is Ubiquiti's OS that they use in their business class routers.

I did a quick Google search on "mikrotik vpn 2fa", and it does appear to be something they offer.

But my question back to you and your development team would be - Why just aim to be just level with your competitors? Why not offer features that your competitors potentially do not? Rise above the crowd and stand out!

Hi @Clive_A,

Totally understand where you're coming from. The reason why we started using the Omada system was because we used a lot of the equipment way back when TP Link were mainly supplying good home products at a very reasonable price. We initially used Ubiquiti equipment for business class Wi-Fi installations, but this soon became cost prohibitive.

To back to the point in hand! From what I have seen, yes. Mikrotik offer what we are after. UBNT offer what we are after. CISCO offer what we are after (I know they are the "big boys" of networking, but their prices reflect this!)

For me personally as an IT tech, having 2 factor authentication on VPN connections is what I would consider a "core business feature". Especially for customers in the EU with cyber insurance policies / certification requiring this as a minimum requirement.

Thanks again!

  @DaveMcDave 

Omada SSL VPN has the option of a radius server, have you tried 2fa with Omada SSL VPN? I've actually had a couple of projects with Unifi OpenVPN and Cisco Anyconnect with 2fa via radius and it worked very well. I don't see any reason why it shouldn't work with Omada SSL VPN configured against a radius server.

Afternoon @MR.S !

Cheers for the suggestion!

That is true and whilst it is certainly a viable option, we would much rather use a built in 2FA system than having to setup our own RADIUS server for (potentially) every site/customer that we look after. As above I've seen this on other systems and as these are sold as "business class" routers, then to me having 2FA as a built in system is a must.

Dave

  @DaveMcDave 

yes, it would have been cool to have it on the controller, there is 2fa on local login on the controller, so it is not certain that it is that much work to get this 2fa on the built-in radius server.