How do I configure 2FA for SSL VPN with LDAP and TOTP?
03/26/2020
This article provides information on how to configure Multi-Factor Authentication (MFA) for SSL VPN using a 3rd-party TOTP App such as Google Authenticator, Microsoft Authenticator, Duo, Free-OTP, etc.
SonicOS 184.108.40.206 or later provides an additional layer of security with Time-Based One-Time Password (TOTP), which is used for 2-Factor Authentication (2FA).
1. Create an LDAP group
- Log into the SonicWALL Appliance and navigate to Users | Local Users & Groups (the screenshots shown in this KB article are from Classic Navigation mode)
- Click on the Add option
- Under the Settings tab, from the drop-down list beside One-time password method, select TOTP
2. Download and install Google Authenticator App or any other App that supports TOTP such as Microsoft Authenticator, Duo or Free-OTP
NOTE: Trying to log in with the SSL VPN client, NetExtender, would result in an error: "You need to bind your App for Time based One-Time password. Please go to portal login and bind it."
3. Log into SSL VPN portal, a.k.a. the Virtual Office (https://myfirewall:4433), to bind the Google Authenticator App
4. After entering the username and password, the user is prompted with a QR code and an Emergency Scratch code
NOTE: Please store the Emergency Scratch Code as it is the only way to log in if the mobile device is lost or reset.
5. Open the Google Authenticator App on the Mobile phone, then click on Begin
6. Select Scan a barcode to scan QR code
7. Once the QR code is scanned, the App will provide a 6-digit One-Time Password (OTP). Click Add Account; the SNWL account is added
8. Enter the OTP beside the 2FA Code option in the pop-up window that shows the QR code
9. Open NetExtender
- Enter Active Directory credentials. A window will then pop up asking for the authentication code (password)
- On the mobile phone, open Google Authenticator and go to the SNWL account to get the one-time password (OTP)
- In the Authentication window, enter the OTP in the Password field, then click OK to establish the SSL VPN connection