VPN server that allows the user’s interaction with the VPN client

Before you begin

  • You should have a working AD or LDAP directory service.

  • This use case supports the following secondary factors:
    Bypass code
    Hardware token
    Phone call
    Push TOTP
    Standard push notification
    SMS
    Third-party authenticator app as OTP device

  • Depending on the VPN server that you're using, this use case may support email and in-line enrollments.
    To support in-line enrollment, your VPN server needs to render the authentication page where the user can select their preferred second factor.

Configure MFA in the PacketFence UI

Follow these steps to enable communication between PacketFence Gateway and Akamai MFA and to select the secondary factors that users can use to authenticate.

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Integration > Multi-Factor Authentication.

  3. Click New MFA and select Akamai.

  4. On the New Multi-Factor Authentication configuration page, enter these settings:
    a. Name: Define the name of your integration.
    b. App ID: Enter the Integration ID that you generated in the previous step.
    c. Signing Key: Enter the Signing ID that you generated in the previous step.
    d. Verifying Key: Enter the Verifying ID that you generated in the previous step.
    e. Host: Enter the API Host copied from the Akamai MFA integration page. By default, it is mfa.akamai.com.
    f. Radius OTP Method: Select Second Password Field to enable an additional password as your Radius OTP method.
    g. Cache duration: Specify the amount of time PacketFence will store the MFA information of the user. By default, the cache duration is 60 seconds.
    h. Post MFA Validation Cache Duration: Accept the default 5-second cache.

  5. Click Save.

Associate the Authentication Source in the PacketFence UI

Follow this procedure to enable communication between PacketFence Gateway and your AD or LDAP user authentication source.

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Policies and Access Control > Authentication Sources.

  3. Click New Internal Source and select AD or LDAP, depending on your directory service.

  4. On the New Authentication Source page, provide your directory service data to enable the directory's connection with PacketFence Gateway:

    • Directory name and description
    • Host
    • Base DN
    • Username attribute
    • Bind DN
    • Associate realms

  5. To apply a conditional rule to your authentication source, click Add rule and enter the condition. For example, enter memberof equals cn=otp_user,dc=acme,dc=com to check if a particular user is a member of a specific group.

  6. Assign the following actions to the authentication rule:
    Trigger Radius MFA: Select the MFA integration that you created in the previous step.
    Role: Select any value, for example, default.
    Access duration: Select any value, for example, 1 hour.

  7. Click Save.

See the VPN Configuration Guide for more information on network equipment configuration steps.

Test your setup

  1. When you try to access the VPN server, you’re prompted to authenticate with your VPN credentials.
    The VPN authentication prompt contains the following input fields:

    • username
    • password
    • second password

  2. In the username and password fields, enter your VPN credentials.

  3. In the second password field, enter the second factor that you want to authenticate with. Depending on your secondary authentication method, follow one of these steps:

    • To authenticate with a push notification, enter the word push in the second password field. This sends a push notification to your trusted device. You can then tap Allow to acknowledge that the login is legitimate.

    • To authenticate with an SMS, enter the word sms in the second password field. This sends a verification passcode to your trusted mobile device. The first authentication challenge is rejected. In the second authentication attempt, the VPN client prompts you to enter your username, your password, and the verification code that you received via text message.

    • To authenticate with a push TOTP, third-party OTP device, bypass code, or hardware token, in the second password field enter the passcode that was generated by your authentication device or the bypass code that you received from your help desk.

    • To authenticate with one of the devices that you have enrolled, enter the authentication method and the index of this device in the second password field. For example, enter push2, which sends the authentication request to your second mobile device. You can then open the authentication prompt on this device and tap Allow to acknowledge that the login is legitimate.

    • To authenticate with a phone call, enter the word phone in the second password field. You receive a phone call on your trusted authentication device. During the call, you can hear the voice message with your verification passcode. The first authentication challenge is rejected. In the second authentication attempt, the VPN client prompts you for your username, your password, and the verification code that you received during the call.

  4. Akamai MFA grants you access to the VPN server.
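The second-password contract described in steps 1 to 4 above, written out as an added example that is not PacketFence or Akamai code: the keywords (push, sms, phone, push2), the rejected first attempt for SMS and phone, and the 60-second MFA cache come from this page, while the class name, the three callbacks and the clock parameter are assumptions that stand in for the real Akamai MFA API calls.

```python
import hmac
import re
import time

# Keyword grammar the guide documents for the "second password" field:
# "push", "sms" or "phone", optionally followed by an enrolled-device index.
_KEYWORD = re.compile(r"^(push|sms|phone)(\d+)?$")

def parse_second_password(value):
    """Return (method, device_index, passcode) for a second-password value.
    A keyword selects a method and "push2" selects the second enrolled device;
    any other value is treated as a passcode (push TOTP, third-party OTP,
    bypass code or hardware token), in which case device_index is None."""
    value = value.strip()
    match = _KEYWORD.match(value.lower())
    if match:
        return match.group(1), int(match.group(2) or 1), None
    return "passcode", None, value

class SecondPasswordFlow:
    """Illustrative model (an assumption, not PacketFence's own logic) of the
    two-attempt SMS/phone flow: the first attempt with "sms"/"phone" is rejected
    after a code is sent, and the pending challenge is kept for cache_seconds
    (the guide's default MFA cache is 60 s) so the second attempt can present
    the received code. The three callbacks stand in for the Akamai MFA API."""

    def __init__(self, send_code, request_push, verify_otp,
                 cache_seconds=60, clock=time.monotonic):
        self.send_code = send_code        # (user, method, index) -> code that was sent
        self.request_push = request_push  # (user, index) -> True if the user tapped Allow
        self.verify_otp = verify_otp      # (user, passcode) -> True for a valid OTP/bypass code
        self.cache_seconds = cache_seconds
        self.clock = clock
        self.pending = {}                 # user -> (expected code, expiry time)

    def attempt(self, user, second_password):
        method, index, passcode = parse_second_password(second_password)
        if method in ("sms", "phone"):
            code = self.send_code(user, method, index)
            self.pending[user] = (code, self.clock() + self.cache_seconds)
            return False  # the first challenge is always rejected
        if method == "push":
            return bool(self.request_push(user, index))
        # Second attempt: a pending SMS/phone code is valid only inside the cache
        # window and is consumed here; anything else is checked as an OTP/bypass code.
        expected, expiry = self.pending.pop(user, (None, 0.0))
        if expected is not None and self.clock() <= expiry:
            return hmac.compare_digest(passcode.encode(), expected.encode())
        return bool(self.verify_otp(user, passcode))
```

Once the pending code is consumed or the cache window has passed, a resubmitted code is no longer matched, which mirrors why the guide's cache duration bounds the time between the two VPN attempts.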