11
Votes

2FA for VPN

 

32 Reply
RE:2FA for VPN
2024-09-23 01:56:08

Hi @utilsvcllc 

Thanks for posting in our business forum.

utilsvcllc wrote

  @Clive_A  I know they all have some type of MFA for access type VPNs, IKE tunnels they probably don't, since I don't think IKE/IKEv2 can even do that by protocol.

I looked up MFA or 2FA on Sonicwall on Google.

Sonicwall tends to use the RADIUS with SSL VPN. Rest of the other types of VPN don't seem to be possible with the 2FA or with RADIUS.

SSL VPN, we support the RADIUS as well.

OVPN supports LDAP.

Mikrotik is based on the RADIUS as well. Third-party vendors providing the MFA. I found third-party vendors article providing the LDAP/RADIUS MFA. I don't see it is built into the system.

Or if you have other ideas or correct me.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#24
Re:2FA for VPN
2024-09-29 14:41:18 - last edited 2024-09-29 14:42:01

  @DaveMcDave 

  @Clive_A 

I already asked about it in 2022, but still there is no solution.

https://community.tp-link.com/en/business/forum/topic/519816

 

2FA for VPN is essential for business.

Please develop it ASAP.

Thanks in advance

 

#25
Re:2FA for VPN
2024-09-30 05:21:11
I think the reason these requested features have yet to be considered is the 'lack of interest or request' from the community. Unless the majority of the community wants this 'badly', we have to wait.
Alex Kota Kinabalu, Sabah Malaysia
#26
Re:2FA for VPN
2024-10-02 02:07:48

Hi @peter021 

Thanks for posting in our business forum.

peter021 wrote

  @DaveMcDave 

  @Clive_A 

I already asked about it in 2022, but still there is no solution.

https://community.tp-link.com/en/business/forum/topic/519816

 

2FA for VPN is essential for business.

Please develop it ASAP.

Thanks in advance

 

Have you tried RADIUS or LDAP? They are mature multi-factor auth.

Or does it have to be the 2FA like the MS or Google Authenticator?

Do you happen to know any vendors supporting this?

Best Regards!
#27
Re:2FA for VPN
2024-10-02 08:13:58

  @Clive_A 

 

Yes we have looked at setting up a RADIUS server and even looking at different external systems for MFA like Duo, but if we are going to set up multiple servers/services then while we are at it we might as well set up individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual Wireless Access points and switches made by different manufacturers.

There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator App with their VPN, off the top of my head I know that there are some SonicWall routers that support TOTP on their VPN as well as the open source solutions like OPNSense and Untangle.

The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware, as it would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.

While we are completely capable of setting up individual setups for all the different services, we just like the idea of all being in one place within the Omada Control Panel, if we didn't want a single solution to control everything then we would have just gone down the path of individual access points/switches and use OPNSense for the router, as it would have ended up being a cheaper option.

#28
Re:2FA for VPN
2024-10-02 08:43:43

  @Clive_A 

I work for a 15-person company; we do not have special servers for special purposes.

Google Authenticator would be perfect for this purpose.

2FA is already working for Omada cloud login with Google Authenticator. I would like to have the same solution for VPN for all colleagues for home office.

Thanks

regards

Peter

#29
Re:2FA for VPN
2024-10-04 03:51:04

Hi  @DaveMcDave 

DaveMcDave wrote

  @Clive_A 

 

Yes we have looked at setting up a RADIUS server and even looking at different external systems for MFA like Duo, but if we are going to set up multiple servers/services then while we are at it we might as well set up individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual Wireless Access points and switches made by different manufacturers.

There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator App with their VPN, off the top of my head I know that there are some SonicWall routers that support TOTP on their VPN as well as the open source solutions like OPNSense and Untangle.

The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware, as it would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.

While we are completely capable of setting up individual setups for all the different services, we just like the idea of all being in one place within the Omada Control Panel, if we didn't want a single solution to control everything then we would have just gone down the path of individual access points/switches and use OPNSense for the router, as it would have ended up being a cheaper option.

I am aware of the open-source platforms on which you may install some kind of plug-ins to implement TOTP. But I looked it up and found many vendors are doing this by hosting a RADIUS. They are not natively supporting this feature.

That's why I kept asking if there are any guides for me to fill in the report to increase the confidence.

That's really important. If you can share a guide of the open-source guide on TOTP, I might take a look and see how they implement this. But as said previously, several points, the traditional vendors with the pre-built system achieve the same 2FA by RADIUS. We follow suit and we currently support it. Open source is not our target competitor. We simply did not support 2FA to the Google/MS authenticator.

 

I might not reply to this timely as I am taking holidays.

Best Regards!
#30
Re:2FA for VPN
2024-10-15 04:58:35

  @DaveMcDave 

 

I completely agree with you. Having a 2FA feature for VPN is a must these days due to security concerns and it solves all the problems in the Omada ecosystem.

 

regards,

 

Narendra

 

DaveMcDave wrote

Good morning from the not so sunny UK!

 

We have several ER7206 (and a few ER605) based at different clients' sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!

Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is a standard option for the OpenVPN server.

 

This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!

 

Many thanks.

Hope TP-Link will come out with this feature in their next version.

 

regards,

 

Narendra

 

#31
RE:2FA for VPN
a week ago
a needed layer of security in the world we live in now
OC300 ER8411 T1600G-52TS V1 TL-SG1218MPE V5 TL-SG608E V6 TL-SG605E V5 EAP225 V3 (x3) EAP225-Outdoor V1 (x2) EAP235-Wall V1 (x2)
#32
Re:2FA for VPN
a week ago

 

Hey,


I registered here just to respond (at least for now) to this topic. I have been working with Draytek for many years and recently I have been looking for another brand with a more accessible price/quality, for some customers who want a slightly more economical solution to Draytek. That's why I can guarantee that at least on the latest models, VPN authentication with TOTP (2FA) is possible. I even have VPN authentication via LDAP and TOTP (2FA) on many of my clients. So not only do I not have to worry about passwords, since the client can change the password whenever they want via Active Directory (I even have an AD policy to require changing the password every 90 days, forcing you to create a password with complexity and different from the last 30 passwords) but I also have the security that even if the password for some reason is compromised, there is 2-step authentication.

 

You can do a quick Google search on "Draytek vpn 2fa", and you will see what I'm talking about.

 

I confess that I was already considering TP-Link as a total alternative to Draytek. But as I didn't find this solution in the emulator, I did a little research and came across this topic. Unfortunately, from what I've seen here, 2FA is not yet supported by TP-Link, and this is something of a "must have" for me so I can consider an alternative. For this reason, for now I will still stay with Draytek and wait for new developments.

 

Regards,

#33