9
Votes

2FA for VPN

 

28 Reply
RE:2FA for VPN
2024-09-23 01:56:08

Hi @utilsvcllc 

Thanks for posting in our business forum.

utilsvcllc wrote

  @Clive_A  I know they all have some type of MFA for access type VPNs, IKE tunnels they probably don't, since I don't think IKE/IKEv2 can even do that by protocol.

I looked up MFA or 2FA on Sonicwall on Google.

Sonicwall tends to use RADIUS with SSL VPN. The rest of the other types of VPN don't seem to be possible with 2FA or with RADIUS.

SSL VPN, we support the RADIUS as well.

OVPN supports LDAP.

Mikrotik is based on RADIUS as well. Third-party vendors provide the MFA. I found a third-party vendor's article providing the LDAP/RADIUS MFA. I don't see that it is built into the system.

Or if you have other ideas or correct me.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#24
Re:2FA for VPN
2024-09-29 14:41:18 - last edited 2024-09-29 14:42:01

  @DaveMcDave 

  @Clive_A 

I already asked about it in 2022, but still there is no solution.

https://community.tp-link.com/en/business/forum/topic/519816

 

2FA for VPN is essential for business.

Please develop it ASAP.

Thanks in advance

 

#25
Re:2FA for VPN
2024-09-30 05:21:11
I think the reason these requested features have yet to be considered is the 'lack of interest or request' from the community. Unless the majority of the community wants this 'badly', we have to wait.
Alex Kota Kinabalu, Sabah Malaysia
#26
Re:2FA for VPN
2024-10-02 02:07:48

Hi @peter021 

Thanks for posting in our business forum.

peter021 wrote

  @DaveMcDave 

  @Clive_A 

I already asked about it in 2022, but still there is no solution.

https://community.tp-link.com/en/business/forum/topic/519816

 

2FA for VPN is essential for business.

Please develop it ASAP.

Thanks in advance

 

Have you tried RADIUS or LDAP? They are mature multi-factor auth.

Or does it have to be the 2FA like the MS or Google Authenticator?

Do you happen to know any vendors supporting this?

#27
Re:2FA for VPN
2024-10-02 08:13:58

  @Clive_A 

 

Yes, we have looked at setting up a RADIUS server and even at different external systems for MFA like Duo, but if we are going to set up multiple servers/services then while we are at it we might as well set up individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual wireless access points and switches made by different manufacturers.

 

There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator app with their VPN. Off the top of my head, I know that there are some SonicWall routers that support TOTP on their VPN, as well as the open source solutions like OPNSense and Untangle.

 

The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware, as it would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.

 

While we are completely capable of setting up individual setups for all the different services, we just like the idea of it all being in one place within the Omada Control Panel. If we didn't want a single solution to control everything, then we would have just gone down the path of individual access points/switches and used OPNSense for the router, as it would have ended up being a cheaper option.

#28
Re:2FA for VPN
2024-10-02 08:43:43

  @Clive_A 

I work for a 15-person company; we do not have special servers for special purposes.

Google Authenticator would be perfect for this purpose.

2FA is already working for Omada cloud login with Google Authenticator. I would like to have the same solution for VPN for all colleagues for home office.

Thanks

regards

Peter

#29
Re:2FA for VPN
2024-10-04 03:51:04

Hi  @DaveMcDave 

DaveMcDave wrote

  @Clive_A 

 

Yes, we have looked at setting up a RADIUS server and even at different external systems for MFA like Duo, but if we are going to set up multiple servers/services then while we are at it we might as well set up individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual wireless access points and switches made by different manufacturers.

 

There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator app with their VPN. Off the top of my head, I know that there are some SonicWall routers that support TOTP on their VPN, as well as the open source solutions like OPNSense and Untangle.

 

The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware, as it would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.

 

While we are completely capable of setting up individual setups for all the different services, we just like the idea of it all being in one place within the Omada Control Panel. If we didn't want a single solution to control everything, then we would have just gone down the path of individual access points/switches and used OPNSense for the router, as it would have ended up being a cheaper option.

I am aware of the open-source platforms on which you may install some kind of plug-in to implement TOTP. I looked it up but found that many vendors are doing this by hosting a RADIUS. They are not natively supporting this feature.

That's why I kept asking if there are any guides for me to fill in the report to increase the confidence.

 

That's really important. If you can share an open-source guide on TOTP, I might take a look and see how they implement this. But as said previously, on several points, the traditional vendors with pre-built systems achieve the same 2FA by RADIUS. We follow suit and we currently support it. Open source is not our target competitor. We simply did not support 2FA to the Google/MS authenticator.

 

I might not reply to this timely as I am taking holidays.

#30
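
The reply above asks how TOTP is implemented when it is not delegated to RADIUS. The following is an added example, not code from TP-Link, Omada or any vendor named in the thread: it checks a VPN login in which the 6-digit authenticator code is appended to the password, which is an assumed convention. The class name, sample account and salt are constructed for illustration.

```python
import base64, hashlib, hmac, struct, time

STEP, DIGITS = 30, 6   # 30-second steps and 6 digits: authenticator-app defaults

def totp(secret_b32, counter):
    """RFC 6238 code for one time step (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class VpnLoginVerifier:                              # hypothetical name
    def __init__(self, users, drift_steps=1):
        self.users = users          # username -> (salt, pw_hash, secret_b32)
        self.drift_steps = drift_steps               # tolerated clock drift
        self.last_used = {}         # username -> last accepted time step

    def verify(self, username, combined, now=None):
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None or len(combined) <= DIGITS:
            return False
        salt, pw_hash, secret = record
        password, otp = combined[:-DIGITS], combined[-DIGITS:]
        pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
        current = int(now) // STEP
        matched = None
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if hmac.compare_digest(totp(secret, step).encode(), otp.encode()):
                matched = step
        if not pw_ok or matched is None:
            return False            # both factors must pass
        if matched <= self.last_used.get(username, -1):
            return False            # code already accepted once: reject replay
        self.last_used[username] = matched
        return True

# Constructed sample account; the secret is the RFC 6238 test key in base32.
SALT = b"constructed-salt"
USERS = {"alice": (SALT, hash_password("hunter2", SALT),
                   "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")}
```

The per-user `last_used` step is what stops a captured password-plus-code string from being accepted a second time inside the same 30-second window.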
Re:2FA for VPN
3 weeks ago

  @DaveMcDave 

 

I completely agree with you. Having a 2FA feature for VPN is a must these days due to security concerns, and it solves all the problems in the Omada ecosystem.

 

regards,

 

Narendra

 

DaveMcDave wrote

Good morning from the not so sunny UK!

 

We have several ER7206 (and a few ER605) based at different clients' sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must-have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!

 

Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is a standard option for the OpenVPN server.

 

This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!

 

Many thanks.

Hope TP-Link will come out with this feature in their next version.

 

regards,

 

Narendra

 

#31