VPN server that supports an external login page or can use the PacketFence captive portal
This use case supports VPN servers that provide users with an external logon page.
On the external logon page, the end user can enroll their trusted device and select the preferred second factor.
Before you begin
- When configuring your Connection Profile and associating it with your Internal Source, enter a filter definition that matches the criteria of your captive portal solution. For example, if DNS resolves the captive portal's domain name, you can enter the following filter:
  fqdn = portal.acme.com
- You should have a working AD or LDAP Directory Service.
- This use case supports the following second factors:
  - Bypass code
  - Hardware token
  - Phone call
  - Push TOTP
  - Standard push notification
  - SMS
  - Third-party authenticator app as OTP device
- Depending on the VPN server that you're using, this use case may also support email and in-line enrollment. To support in-line enrollment, your VPN server must render the authentication page on which the user selects their preferred second factor.
Configure MFA in the PacketFence UI
Follow these steps to enable communication between PacketFence Gateway and Akamai MFA and to select the second factors that users can authenticate with.
1. Log in to the PacketFence UI.
2. In the navigation menu, select Configuration > Integration > Multi-Factor Authentication.
3. Click New MFA and select Akamai.
4. On the New Multi-Factor Authentication configuration page, enter these settings:
   a. Name. Define the name of your integration.
   b. App ID. Enter the Integration ID that you generated when you created the Akamai MFA integration.
   c. Signing Key. Enter the Signing Key that you generated for the same integration.
   d. Verifying Key. Enter the Verifying Key that you generated for the same integration.
   e. Host. Enter the API Host copied from the Akamai MFA integration page. By default, it is mfa.akamai.com.
   f. Callback URL. Enter the Callback URL copied from the Akamai MFA integration page; Akamai MFA redirects the user to this URL on the PacketFence captive portal. This value should be the FQDN of the portal with /mfa appended, for example https://portal.acme.com/mfa.
      Note that the host in the Callback URL must match the filter that you specified in the Connection Profile configuration.
   g. Cache duration. The amount of time PacketFence stores the user's MFA information. By default, it is 60 seconds.
   h. Post MFA Validation Cache Duration. Accept the default of 5 seconds.
5. Click Save.
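The Callback URL, the Connection Profile filter and the other fields above have to agree with one another, and a mismatch is easy to miss in the UI. The following Python script is an added example, not PacketFence or Akamai code: it checks a set of these settings against the constraints this page states (https callback, /mfa path, callback host equal to the fqdn filter host, non-empty credentials, positive cache durations). The dictionary keys, the sample values and the check_mfa_config and parse_fqdn_filter functions are constructed for illustration; the ID and key strings are placeholders.

```python
from urllib.parse import urlsplit

# Page defaults for the two cache settings, in seconds.
DEFAULT_CACHE_DURATION = 60
DEFAULT_POST_MFA_CACHE_DURATION = 5

# Constructed sample values, not from any real deployment. The keys mirror the
# fields on the New Multi-Factor Authentication page; the ID and key strings
# are placeholders, not real Akamai MFA credentials.
SAMPLE_MFA_CONFIG = {
    "name": "akamai-vpn",
    "app_id": "example-integration-id",
    "signing_key": "example-signing-key",
    "verifying_key": "example-verifying-key",
    "host": "mfa.akamai.com",
    "callback_url": "https://portal.acme.com/mfa",
    "cache_duration": 60,
    "post_mfa_validation_cache_duration": 5,
}
# The Connection Profile filter from "Before you begin".
SAMPLE_PROFILE_FILTER = "fqdn = portal.acme.com"


def parse_fqdn_filter(filter_text):
    """Return the lowercase host from a Connection Profile filter 'fqdn = host'."""
    key, sep, value = filter_text.partition("=")
    if not sep or key.strip().lower() != "fqdn" or not value.strip():
        raise ValueError("expected a filter of the form 'fqdn = <host>'")
    return value.strip().lower()


def check_mfa_config(cfg, profile_filter):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []

    # Every credential field must be filled in.
    for field in ("name", "app_id", "signing_key", "verifying_key", "host"):
        if not cfg.get(field):
            findings.append(f"{field} is empty")

    # Callback URL: https, the portal FQDN from the filter, and the /mfa path.
    url = urlsplit(cfg.get("callback_url") or "")
    if url.scheme != "https":
        findings.append("callback_url must use https")
    if url.path.rstrip("/") != "/mfa":
        findings.append("callback_url must end with /mfa")
    try:
        portal_fqdn = parse_fqdn_filter(profile_filter)
        if (url.hostname or "").lower() != portal_fqdn:
            findings.append(
                f"callback_url host {url.hostname!r} does not match the "
                f"Connection Profile filter host {portal_fqdn!r}"
            )
    except ValueError as exc:
        findings.append(str(exc))

    # Cache durations are whole seconds greater than zero.
    for field, default in (
        ("cache_duration", DEFAULT_CACHE_DURATION),
        ("post_mfa_validation_cache_duration", DEFAULT_POST_MFA_CACHE_DURATION),
    ):
        value = cfg.get(field)
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            findings.append(f"{field} must be a positive number of seconds (default {default})")

    return findings
```

Run check_mfa_config on the values you intend to enter before saving; an empty list means the Callback URL will land on the same portal host that the Connection Profile filter selects.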
Associate the Authentication Source in the PacketFence UI
Follow this procedure to enable communication between PacketFence Gateway and your AD or LDAP user authentication source.
1. Log in to the PacketFence UI.
2. In the navigation menu, select Configuration > Policies and Access Control > Authentication Sources.
3. Click New Internal Source and select AD or LDAP, depending on your directory service.
4. On the New Authentication Source page, provide your directory service data to enable the connection between the directory and PacketFence Gateway:
   - Directory name and description
   - Host
   - Base DN
   - Username attribute
   - Bind DN
   - Associated realms
5. To apply a conditional rule to your authentication source, click Add rule and enter the condition. For example, enter
   memberof equals cn=otp_user,dc=acme,dc=com
   to check whether the user is a member of a specific group.
6. Assign the following actions to the authentication rule:
   a. Trigger Portal MFA. Select the MFA integration that you created in the previous section.
   b. Role. Select any value, for example, default.
   c. Access duration. Select any value, for example, 1 hour.
7. Click Save.
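The rule above triggers Portal MFA only for users whose memberOf value equals the DN you typed, so a DN written differently from how the directory returns it silently leaves those users without MFA. The following Python script is an added example, not PacketFence code: it evaluates such a rule against constructed directory entries and normalizes DN case and whitespace before comparing. That normalization is an assumption made here for illustration; whether your PacketFence version compares memberOf values literally or after normalizing is something to verify, so write the DN exactly as your directory returns it. The user entries, the integration name "akamai-vpn" and the function names are constructed.

```python
import re

# Constructed directory entries (not from any real directory): what an AD or
# LDAP search could return for three users. memberOf is deliberately written
# with different capitalisation and spacing to show why DNs need normalising.
SAMPLE_USERS = {
    "alice": {"memberOf": ["CN=otp_user,DC=acme,DC=com", "CN=vpn,DC=acme,DC=com"]},
    "bob":   {"memberOf": ["CN=vpn,DC=acme,DC=com"]},
    "carol": {"memberof": ["cn = otp_user, dc = acme, dc = com"]},
}

# The rule from this section: one condition plus the three actions. The
# integration name "akamai-vpn" is a placeholder for whatever you named yours.
SAMPLE_RULE = {
    "condition": ("memberof", "equals", "cn=otp_user,dc=acme,dc=com"),
    "actions": {
        "trigger_portal_mfa": "akamai-vpn",
        "role": "default",
        "access_duration": "1 hour",
    },
}


def normalize_dn(dn):
    """Canonicalise a DN for comparison: lowercase, with no whitespace around
    '=' or around the commas that separate RDNs. An escaped comma (\\,) inside
    a value is kept as part of that value rather than treated as a separator."""
    rdns = re.split(r"(?<!\\),", dn)
    cleaned = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        cleaned.append(f"{attr.strip()}={value.strip()}".lower())
    return ",".join(cleaned)


def evaluate_rule(user_attrs, rule):
    """Return a copy of the rule's actions if the user's attributes satisfy the
    condition, otherwise None. Attribute names match case-insensitively, as in LDAP."""
    attr_name, operator, expected = rule["condition"]
    if operator != "equals":
        raise ValueError(f"unsupported operator {operator!r}")
    values = []
    for name, vals in user_attrs.items():
        if name.lower() == attr_name.lower():
            values.extend(vals if isinstance(vals, list) else [vals])
    if any(normalize_dn(v) == normalize_dn(expected) for v in values):
        return dict(rule["actions"])
    return None


def users_requiring_mfa(users, rule):
    """Names of the users for whom this rule would trigger Portal MFA."""
    return sorted(name for name, attrs in users.items() if evaluate_rule(attrs, rule))
```

With literal string comparison only alice would match; with the normalization shown, carol matches too, and bob, who is not in otp_user, gets no actions from this rule either way. That is the check to run against a real export of your group's members before relying on the rule.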
See the VPN Configuration Guide for more information on network equipment configuration steps.
Test your setup
1. When you try to access your F5 VPN server, you're prompted to authenticate with your username and password. The authentication prompt contains the following input fields:
   - username
   - password
2. Authenticate with your F5 credentials using the F5 BIG-IP client.
3. Upon successful login to F5, you're redirected to the Akamai MFA authentication prompt.
4. Select your preferred authentication method. For example, click Text me a Code to receive a verification code in an SMS message sent to your enrolled authentication device.
5. Enter the code and click Submit Code.
6. Akamai MFA displays a success message and you're granted access to the VPN server.