VPN server that supports an external login page or can use the PacketFence captive portal

This use case supports VPN servers that provide users with an external logon page.
On the external logon page, the end user can enroll their trusted device and select the preferred second factor.

Before you begin

  • When configuring your Connection Profile and associating it with your Internal Source, make sure that you enter a filter definition that matches the way clients reach your captive portal.
    For example, if clients reach the portal by its DNS name, filter on that FQDN:
    fqdn = portal.acme.com

  • You should have a working AD or LDAP Directory Service.

  • This use case supports the following secondary factors:
    Bypass code
    Hardware token
    Phone call
    Push TOTP
    Standard push notification
    Third-party authenticator app as OTP device

  • Depending on the VPN server that you're using, this use case may also support email and in-line enrollment.
    To support in-line enrollment, your VPN server needs to render the authentication page on which the user selects their preferred second factor.

Configure MFA in the PacketFence UI

Follow these steps to enable communication between PacketFence Gateway and Akamai MFA and to select the secondary factors that users can use to authenticate.

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Integration > Multi-Factor Authentication.

  3. Click New MFA and select Akamai.

  4. On the New Multi-Factor Authentication configuration page, enter these settings:
    a. Name: Define the name of your integration.
    b. App ID: Enter the Integration ID that you generated in the previous step.
    c. Signing Key: Enter the signing key that you generated in the previous step.
    d. Verifying Key: Enter the verifying key that you generated in the previous step.
    e. Host: Enter the API Host copied from the Akamai MFA integration page. By default, it is mfa.akamai.com.
    f. Callback URL: Enter the Callback URL copied from the Akamai MFA integration page. Akamai MFA redirects the user to this URL on the PacketFence captive portal after the second factor is verified. The value is the FQDN of the portal with /mfa appended, for example https://portal.acme.com/mfa.
    Note that the host in the Callback URL must match the fqdn filter that you specified in the Connection Profile configuration.
    g. Cache duration: The amount of time that PacketFence stores the MFA information of the user. By default, it is 60 seconds.
    h. Post MFA Validation Cache Duration: Accept the default of 5 seconds.

  5. Click Save.

Associate the Authentication Source in the PacketFence UI

Follow this procedure to enable communication between PacketFence Gateway and your AD or LDAP user authentication source.

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Policies and Access Control > Authentication Sources.

  3. Click New Internal Source and select AD or LDAP, depending on your directory service.

  4. On the New Authentication Source page, provide your directory service data to enable the directory's connection with PacketFence Gateway:

    • Directory name and description
    • Host
    • Base DN
    • Username attribute
    • Bind DN
    • Associate realms

  5. To apply a conditional rule to your authentication source, click Add rule and enter the condition. For example, memberof equals cn=otp_user,dc=acme,dc=com restricts the rule to users who are members of the otp_user group.

  6. Assign the authentication rule with the following actions:
    a. Trigger Portal MFA. Select the MFA integration that you created in the previous step.
    b. Role. Select any value, for example, default.
    c. Access duration. Select any value, for example, 1 hour.

  7. Click Save.

See the VPN Configuration Guide for more information on network equipment configuration steps.
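The following is an added example, not code from PacketFence or Akamai MFA. It turns the two settings that are easiest to get wrong in the procedures above into an offline pre-flight check: the Callback URL from step 4f must be an https URL whose host equals the FQDN in the Connection Profile filter and whose path is /mfa, and the rule condition from step 5 of the authentication-source procedure compares the user's memberOf values with the group DN. The function names, the DN normalization and the constructed directory entry are assumptions of the example, not PacketFence behaviour.

```python
# Added example, not code from PacketFence or Akamai MFA: offline pre-flight checks for
# the values entered in the two procedures above. The fqdn filter syntax, the /mfa
# callback path and the "memberof equals <dn>" rule are taken from the page; the
# function names and the DN normalization are this example's own assumptions.
import re
from urllib.parse import urlsplit


def parse_fqdn_filter(filter_def: str) -> str:
    """Return the lowercase FQDN from a Connection Profile filter such as
    'fqdn = portal.acme.com' (a trailing dot is tolerated)."""
    m = re.fullmatch(r"\s*fqdn\s*=\s*([A-Za-z0-9.-]+?)\.?\s*", filter_def)
    if not m:
        raise ValueError(f"not an fqdn filter: {filter_def!r}")
    return m.group(1).lower()


def check_callback_url(callback_url: str, filter_def: str) -> list[str]:
    """Return the list of problems found; an empty list means the Callback URL is
    consistent with the Connection Profile filter and the /mfa path convention."""
    problems = []
    url = urlsplit(callback_url)
    if url.scheme != "https":
        problems.append("callback URL must use https")
    expected_host = parse_fqdn_filter(filter_def)
    if (url.hostname or "").lower() != expected_host:
        problems.append(
            f"callback host {url.hostname!r} does not match filter fqdn {expected_host!r}"
        )
    if url.path.rstrip("/") != "/mfa":
        problems.append("callback path must be /mfa")
    if url.query or url.fragment:
        problems.append("callback URL must not carry a query string or fragment")
    return problems


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and strip whitespace around RDN separators so that
    'CN=otp_user, DC=acme, DC=com' and 'cn=otp_user,dc=acme,dc=com' compare equal.
    Simplification (assumption): escaped commas inside attribute values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def rule_condition_matches(entry: dict, attribute: str, value: str) -> bool:
    """Evaluate an 'attribute equals value' rule condition against a directory entry
    given as {attribute: [values]}. memberof values are compared as normalized DNs;
    other attributes are compared case-insensitively."""
    attribute = attribute.lower()
    lowered = {k.lower(): v for k, v in entry.items()}
    values = lowered.get(attribute, [])
    if isinstance(values, str):
        values = [values]
    if attribute == "memberof":
        return normalize_dn(value) in {normalize_dn(v) for v in values}
    return value.lower() in {v.lower() for v in values}


# Constructed directory entry (not real data), shaped like what AD returns for a
# user who is a member of the otp_user group from the page's example rule.
SAMPLE_USER = {
    "sAMAccountName": ["jdoe"],
    "memberOf": ["CN=otp_user,DC=acme,DC=com", "CN=vpn_users,DC=acme,DC=com"],
}

if __name__ == "__main__":
    print(check_callback_url("https://portal.acme.com/mfa", "fqdn = portal.acme.com"))
    print(check_callback_url("http://vpn.acme.com/mfa", "fqdn = portal.acme.com"))
    print(rule_condition_matches(SAMPLE_USER, "memberof", "cn=otp_user,dc=acme,dc=com"))
```

Run it before saving the PacketFence configuration: an empty list from check_callback_url means the redirect from Akamai MFA will arrive on the host that the Connection Profile filter selects, and a True from rule_condition_matches for a test user confirms that the group DN you typed into the rule actually matches what the directory returns.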

Test your setup

  1. When you try to access your F5 VPN server, you're prompted to authenticate with your username and password.

  2. The authentication prompt contains the following input fields:

    • username
    • password

  3. Authenticate with your F5 credentials using the F5 BIG-IP client.

  4. Upon successful login with F5, you're redirected to the Akamai MFA authentication prompt.

  5. Select your preferred authentication method. For example, click Text me a Code to receive a verification code via SMS message sent to your enrolled authentication device.

  6. Enter the code and click Submit Code.

  7. Akamai MFA displays a success message and grants you access to the VPN server.