15
Votes

2FA for VPN

 
15
Votes

2FA for VPN

2FA for VPN
2FA for VPN
2024-06-10 09:59:12 - last edited 2024-06-12 08:52:44
Model: ER7206 (TL-ER7206)  
Hardware Version:
Firmware Version:

Good morning from the not so sunny UK!

 

We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!

 

Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.

 

This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!

 

Many thanks.

#1
Options
37 Reply
Re:2FA for VPN
2024-06-11 03:58:12

Hi @DaveMcDave 

Thanks for posting in our business forum.

A great idea. Can you please let me know if there is any vendor on the market can do this?

Would be helpful for me to write the feedback report.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Options
Re:2FA for VPN
2024-06-11 08:35:18 - last edited 2024-06-11 08:35:50

  @Clive_A 

 

Many thanks for getting back to me.

 

Products that use OpenVPN in their software based router/firewall solutions like Arista's Untangle and OPNsense have TOTP MFA configurable within their OpenVPN settings.

 

All that is needed is a radius server setup to be able to manage the TOTP MFA authentication, what can be configured within OpenVPN. Not sure if linking to competitors sites is allowed, but here are a few examples - ZenArmor/OPNSense, Arista Firewall, Ubiquity EdgeOS, OpenVPN Server (EDIT: Links not allowed, but easy to Google)

 

While we can use these other products as the "VPN server" for our customers, we do like the Omada software and the functionality it provides and would love to just use this one product. As mentioned, having TOTP/MFA as an option on the VPN for an extra layer of security would be a great addition to have, especially since alot of Cyber Insurance providers are wanting MFA on any VPN connections.

#3
Options
Re:2FA for VPN
2024-06-12 07:38:17

Hi @DaveMcDave 

Thanks for posting in our business forum.

DaveMcDave wrote

  @Clive_A 

 

Many thanks for getting back to me.

 

Products that use OpenVPN in their software based router/firewall solutions like Arista's Untangle and OPNsense have TOTP MFA configurable within their OpenVPN settings.

 

All that is needed is a radius server setup to be able to manage the TOTP MFA authentication, what can be configured within OpenVPN. Not sure if linking to competitors sites is allowed, but here are a few examples - ZenArmor/OPNSense, Arista Firewall, Ubiquity EdgeOS, OpenVPN Server (EDIT: Links not allowed, but easy to Google)

 

While we can use these other products as the "VPN server" for our customers, we do like the Omada software and the functionality it provides and would love to just use this one product. As mentioned, having TOTP/MFA as an option on the VPN for an extra layer of security would be a great addition to have, especially since alot of Cyber Insurance providers are wanting MFA on any VPN connections.

I took a look at the brand you mentioned. It looks like a server instead of a traditional router. OPNsense, is that an open-source software?

Hmm. For the traditional networking track, UBNT, Mikrotik, or any vendors like them, are you aware of any that do this? Would be helpful as we consider them as our competitors.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#4
Options
Re:2FA for VPN
2024-06-12 08:11:10

Morning @Clive_A!

 

So most of those services noted there are software based firewall which are traditionally installed on a "server" of sorts. OPNSense is open source software, but they do also provide preinstalled hardware much like Arista can do. The exception to that however is the EdgeOS as that is Ubiquiti's OS that they use in their business class routers.

 

I did a quick Google search on "mikrotik vpn 2fa", and it does appear to be something they offer.

 

But my question back to you and your development team would be - Why just aim to be just level with your competitors? Why not offer features that your competitors potentially do not? Rise above the crowd and stand out!

#5
Options
Re:2FA for VPN
2024-06-12 08:19:57

Hi @DaveMcDave 

Thanks for posting in our business forum.

DaveMcDave wrote

Morning @Clive_A!

 

So most of those services noted there are software based firewall which are traditionally installed on a "server" of sorts. OPNSense is open source software, but they do also provide preinstalled hardware much like Arista can do. The exception to that however is the EdgeOS as that is Ubiquiti's OS that they use in their business class routers.

 

I did a quick Google search on "mikrotik vpn 2fa", and it does appear to be something they offer.

 

But my question back to you and your development team would be - Why just aim to be just level with your competitors? Why not offer features that your competitors potentially do not? Rise above the crowd and stand out!

We start from home products and we are not deeply developed like the previous vendors who have much more experience in the field. We would like to know if they have implemented this or not to avoid focusing on the non-essential features. We are still implementing the core features for the business environment and making it more complete in this region.

I understand your perspective but we would follow the suit first before we actually stand out in this new region. We are developing multiple business product lines at the same time. ISP customized products, professional business products, and home and small business products. So, the importance and priority matter to us.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#6
Options
Re:2FA for VPN
2024-06-12 08:46:33

Hi @Clive_A,

 

Totally understand where you're coming from. The reason why we started using the Omada system was because we used a lot of the equipment way back when TP Link were mainly supplying good home products at a very reasonable price. We initially used Ubiquiti equipment for business class Wi-Fi installations, but this soon became cost prohibitive.

 

To back to the point in hand! From what I have seen, yes. Mikrotik offer what we are after. UBNT offer what we are after. CISCO offer what we are after (I know they are the "big boys" of networking, but their prices reflect this!)

 

For me personally as an IT tech, having 2 factor authentication on VPN connections is what I would consider a "core business feature". Especially for customers in the EU with cyber insurance policies / certification requiring this as a minimum requirement.

 

Thanks again!

#7
Options
Re:2FA for VPN
2024-06-26 08:15:06

  @DaveMcDave 

 

Omada SSL VPN has the option of a radius server, have you tried 2fa with Omada SSL VPN? I've actually had a couple of projects with Unifi OpenVPN and Cisco Anyconnect with 2fa via radius and it worked very well. I don't see any reason why it shouldn't work with Omada SSL VPN configured against a radius server.

 

#8
Options
Re:2FA for VPN
2024-06-26 14:39:02

Afternoon @MR.S !

 

Cheers for the suggestion!

 

That is true and whilst it is certainly a viable option, we would much rather use a built in 2FA system than having to setup our own RADIUS server for (potentially) every site/customer that we look after. As above I've seen this on other systems and as these are sold as "business class" routers, then to me having 2FA as a built in system is a must.

 

Dave

#9
Options
Re:2FA for VPN
2024-06-26 15:06:43

  @DaveMcDave 

 

yes, it would have been cool to have it on the controller, there is 2fa on local login on the controller, so it is not certain that it is that much work to get this 2fa on the built-in radius server.

#10
Options
RE:2FA for VPN
2024-08-29 07:24:29
This feature is a MUST-HAVE since it is common nowadays.
Alex Kota Kinabalu, Sabah Malaysia
#11
Options