This use case supports VPN servers that provide users with an external logon page.
On the external logon page, the end user can enroll their trusted device and select the preferred second factor.
When configuring your Connection Profile and associating it with your Internal Source, make sure that you enter a filter definition that matches the criteria of your captive portal solution.
For example, if the DNS should point to the captive portal domain, you can enter the following filter:
fqdn = portal.acme.com.
You should have a working AD or LDAP Directory Service.
This use case supports the following secondary factors:
Standard push notification
Third-party authenticator app as OTP device
Depending on the VPN server that you're using this use case may support email and in-line enrollments.
To support the in-line enrollment, your VPN server needs to render the authentication page where the user can select their preferred authentication second factor.
Follow these steps to enable communication between PacketFence Gateway and Akamai MFA and select secondary factors the users can use to authenticate.
Log in to the PacketFence UI.
In the navigation menu, select Configuration > Integration > Multi-Factor Authentication.
Click New MFA and select Akamai.
On the New Multi-Factor Authentication configuration page, enter these settings:
a. Name: Define the name of your integration.
b. App ID. Enter the Integration ID that you generated in the previous step.
c. Signing Key. Enter the Signing ID that you generated in the previous step.
d. Verifying Key. Enter the Verifying ID that you generated in the previous step.
e. Host. Enter the API Host copied from the Akamai MFA integration page. By default, it is
f. Callback URL. Enter the Callback URL copied from the Akamai MFA integration page to be redirected from Akamai MFA to PacketFence captive portal. This value should be the FQDN of the portal including
/mfaat the end. For example,
Note that the host that you provide in the Callback URL field needs to match the filter that you specified in the Connection Profile configuration.
g. Cache duration: The amount of time PacketFence will store the MFA information of the user. By default, it’s 60 seconds.
h. In Post MFA Validation Cache Duration, accept the default 5-second-long cache.
Follow this procedure to enable communication between PacketFence Gateway and your AD or LDAP user authentication source.
Log in to the PacketFence UI.
In the navigation menu, select Configuration > Policies and Access Control > Authentication Sources.
Click New Internal Source > and select AD or LDAP depending on your directory service.
On the New Authentication Source page, provide your directory service data to enable the directory's connection with PacketFence Gateway:
- Directory name and description
- Base DN
- Username attribute
- Bind DN
- Associate realms
To apply a conditional rule to your authentication source, click Add rule and enter the condition. For example, enter
memberof equals cn=otp_user,dc=acme,dc=comto check if a particular user is a member of a specific group.
Assign the authentication rule with the following actions:
a. Trigger Portal MFA. Select the MFA integration that you created in the previous step.
b. Role. Select any value, for example, default.
c. Access duration. Select any value, for example, 1 hour.
See the VPN Configuration Guide for more information on network equipment configuration steps.
When you try to access your F5 VPN server, you’re prompted to authenticate with your username and password.
The authentication prompt contains the following input fields:
Authenticate with your F5 credentials using the F5 Big-IP Client.
Upon successful login with F5, you’re redirected to the Akamai MFA authentication prompt.
Select your preferred authentication method. For example, click Text me a Code to receive a verification code via SMS message that is sent to your enrolled authentication device.
Enter the code and hit Submit Code.
Akamai MFA displays a success message and grants you access to the VPN server.
Updated about 1 year ago