VPN server that allows the user’s interaction with the VPN client
Before you begin
You should have a working AD or LDAP directory service.
This use case supports the following secondary factors:
Standard push notification
Third-party authenticator app as OTP device
Depending on the VPN server that you're using this use case may support email and in-line enrollments.
To support the in-line enrollment, your VPN server needs to render the authentication page where the user can select their preferred authentication second factor.
Configure MFA in the PacketFence UI
Follow these steps to enable communication between PacketFence Gateway and Akamai MFA and select secondary factors the users can use to authenticate.
Log in to the PacketFence UI.
In the navigation menu, select Configuration > Integration > Multi-Factor Authentication.
Click New MFA and select Akamai.
On the New Multi-Factor Authentication configuration page, enter these settings:
a. Name: Define the name of your integration.
b. App ID. Enter the Integration ID that you generated in the previous step.
c. Signing Key. Enter the Signing ID that you generated in the previous step.
d. Verifying Key. Enter the Verifying ID that you generated in the previous step.
e. Host. Enter the API Host copied from the Akamai MFA integration page. By default, it is
f. Radius OTP Method. Select Second Password Field to enable an additional password as your Radius OTP method.
g. Cache duration: Specify the amount of time PacketFence will store the MFA information of the user. By default, the cache duration is 60 seconds.
h. In Post MFA Validation Cache Duration, accept the default 5-second-long cache.
Associate the Authentication Source in the PacketFence UI
Follow this procedure to enable communication between PacketFence Gateway and your AD or LDAP user authentication source.
Log in to the PacketFence UI.
In the navigation menu, select Configuration > Policies and Access Control > Authentication Sources.
Click New Internal Source > and select AD or LDAP depending on your directory service.
On the New Authentication Source page, provide your directory service data to enable the directory's connection with PacketFence Gateway:
- Directory name and description
- Base DN
- Username attribute
- Bind DN
- Associate realms
To apply a conditional rule to your authentication source, click Add rule and enter the condition. For example, enter
memberof equals cn=otp_user,dc=acme,dc=comto check if a particular user is a member of a specific group.
Assign the authentication rule with the following actions:
Trigger Radius MFA. Select the MFA integration that you created in the previous step.
Role. Select any value, for example, default.
Access duration. Select any value, for example, 1 hour.
See the VPN Configuration Guide for more information on network equipment configuration steps.
Test your setup
When you try to access the VPN server, you’re prompted to authenticate with your VPN credentials.
The VPN authentication prompt contains the following input fields:
- second password
In the username and password fields, enter your VPN credentials.
In the second password field, enter the second factor that you want to authenticate with. Depending on your secondary authentication method, follow one of these steps:
To authenticate with a push notification, enter the word pushin the second password field. This sends a push notification to your trusted device. You can then tap Allow to acknowledge that the login is legitimate.
To authenticate with an SMS, enter the word sms in the second password field. This sends a verification passcode to your trusted mobile device. The first authentication challenge is rejected. In the second authentication attempt, the VPN client prompts you to enter your username, your password, and the verification code that you received via text message.
To authenticate with a push TOTP, third-party OTP device, bypass code, or hardware token, in the second password field enter the passcode that was generated by your authentication device or the bypass code that you received from your help desk.
To authenticate with one of the devices that you have enrolled, enter the authentication method and the index of this device in the second password field. For example, enter push2, which sends the authentication request to your second mobile device. You can then open the authentication prompt on this device and tap Allow to acknowledge that the login is legitimate.
To authenticate with a phone call, enter the word phone in the second password field. You receive a phone call on your trusted authentication device. During the call, you can hear the voice message with your verification passcode. The first authentication challenge is rejected. In the second authentication attempt, the VPN client prompts you for your username, your password, and the verification code that you received during the call.
Akamai MFA grants you access to the VPN server.
Updated over 1 year ago