MFA authentication

aqrchris
Posts: 1
Joined: Mon Mar 30, 2020 4:14 am

MFA authentication

Post by aqrchris » Mon Mar 30, 2020 5:22 am

Hi everyone,
Is there any way to integrate MFA (e.g. Duo, Google Authenticator) to enhance login security? There is not much reference on the internet...

Qoo
Posts: 1
Joined: Sun Mar 29, 2020 3:51 pm

Re: MFA authentication

Post by Qoo » Fri Apr 10, 2020 7:43 pm

aqrchris wrote:
Mon Mar 30, 2020 5:22 am
Hi everyone,
Is there any way to integrate MFA (e.g. Duo, Google Authenticator) to enhance login security? There is not much reference on the internet...
+1

opensrcguy
Posts: 5
Joined: Fri Jan 24, 2020 1:53 pm

Re: MFA authentication

Post by opensrcguy » Sat May 30, 2020 12:49 pm

+1

Does anyone know how I can integrate Google Authenticator codes with SoftEther VPN?

comateux
Posts: 1
Joined: Wed May 22, 2019 6:02 pm

Re: MFA authentication

Post by comateux » Sat Jun 06, 2020 6:50 am

Hello, I only know Duo integration is possible using the Duo authentication proxy via RADIUS.
Refer to the Duo documentation to set up the Duo auth proxy listening for RADIUS. Then configure the SE server to use RADIUS authentication, pointing it to your Duo auth proxy. The result is you may utilize the Duo push feature or manual inclusion of the 2FA code after the password, such as password,123456. There are two limitations. First, a 10-second timeout, which seems to be hardcoded as the retry interval in the SE Server. Let's hope a dev contributor can raise this limit, as I would prefer at least a 30 to 60 second retry interval. The second involves the SE native client itself, in which I would advise disabling auto reconnect to prevent automatic lockouts, specifically in Duo.

SantoshkMishra
Posts: 1
Joined: Fri Dec 04, 2020 2:56 am

Re: MFA authentication

Post by SantoshkMishra » Fri Dec 04, 2020 3:01 am

Hi all,

Thanks for all your input.
Is there anyone who can help us with this? Taking the current situation into account, we must have 2FA for VPN. What is the best way to get this done?

The requirement is that after the domain password there must be a second factor of authentication.

How do we achieve this?

Thanks.

red
Posts: 6
Joined: Fri Sep 09, 2016 8:27 pm

Re: MFA authentication

Post by red » Sat Dec 12, 2020 12:25 am

Something as simple as:

1. Keeping a phone number in the user notes for SMS.
2. Upon login the first time, send a code and swap the code for the password in the db, disconnect.
3. Logging in the 2nd time with the code instead of the original password, let them through and swap the password back in the db.

Simple enough that it would work for me.

gyarbrough
Posts: 1
Joined: Thu Dec 17, 2020 7:45 pm

Re: MFA authentication

Post by gyarbrough » Wed May 26, 2021 7:05 pm

Does anybody have an update on how to achieve 2FA without using a RADIUS server?

blazzelia
Posts: 7
Joined: Wed Nov 10, 2021 3:56 pm

Re: MFA authentication

Post by blazzelia » Sat Dec 25, 2021 2:39 pm

Hi,

Personally I hit the same roadblock but, eventually, after digging into the matter, I was able to successfully use Okta RADIUS (we have Okta as our identity management, so that's a must for us) to authenticate the VPN user. The only problem is the bad end user experience. Because of the missing MFA support in the VPN client (I tested on Windows and iPhone), the end user has to enter the username and the virtual hub name (if there is more than one virtual hub configured) and, in the password field, the password, the comma sign and the code from Okta Verify. Something like this:

username: user1@domain.com@virtual_hub_name
password: password_of_user1,okta_mfa_code

Well, for me, as a technical person, it wasn't a big deal; I was happy I made it work. But when regular users tried to connect ... well, that's when everybody's mood went down ...

The iPhone native VPN client doesn't help much here, as it presents the end user with a modal login window, so you can't switch to the Okta Verify app to copy the MFA code. You have to copy the code _before_ you try to connect, so you have 30 seconds to complete all the login information and to connect before the MFA code expires.
The OpenVPN Connect client was better, as it allowed switching to the Okta Verify app to copy the code, then switching back to the VPN client to paste the code, and then connecting.

Bottom line is that, because of this bad end user experience, SoftEther won't work for us, which is unfortunate... I love this product.

Maybe someone else has had a different experience and can share ...
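The `user@hub` and `password,code` login format described in the posts above, sketched as an added example of what a RADIUS-side second-factor check has to do with those two fields; this is not code from SoftEther, Duo or Okta. Assumptions: the fields are split on the last `@` and the last comma, the code is a standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step), and the function names and the secret (the RFC 6238 test key) are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # code length shown by common authenticator apps

def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def split_login(username: str, password_field: str):
    """Split 'user@hub' and 'password,code'; return None if malformed."""
    # Assumption: split on the LAST '@' and the LAST ',' so that e-mail
    # style usernames and passwords containing commas still parse.
    user, at_sign, hub = username.rpartition("@")
    password, comma, code = password_field.rpartition(",")
    if not (at_sign and comma and user and hub):
        return None
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    return user, hub, password, code

def verify_code(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Accept the code for the current step or up to `drift_steps` either side."""
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, now + step * STEP)
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

SECRET = b"12345678901234567890"  # constructed sample: RFC 6238 test key

if __name__ == "__main__":
    parsed = split_login("user1@domain.com@virtual_hub_name", "pa,ss,287082")
    print(parsed, verify_code(SECRET, parsed[3], now=59))
```

A wider `drift_steps` gives users more time to type the code into a modal login window, at the cost of a longer period in which a captured code can be replayed.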

