VPN server configured as a Radius client only

Before you begin

  • When configuring your Connection Profile in PacketFence and associating it with your Internal Source, make sure that you’ve selected the following filter:
    Connexion type = VPN-Access as the filter.

  • You need to have a working AD or LDAP directory service.

  • This use case supports the use of the standard push notification.

  • This use case supports email enrollment.
    Users don't see the authentication prompt where they can select a second factor to authenticate. For this reason, when enrolling their trusted device, users need to specify push notification as their default authentication factor.

Configure MFA in the PacketFence UI

With these configuration steps, you enable communication between PacketFence Gateway and ​Akamai MFA​ and specify push notification ad the second factor.

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Integration > Multi-Factor Authentication.

  3. Click New MFA and select ​Akamai​.

  4. On the New Multi-Factor Authentication page, enter these settings:
    a. Name: Define the name of your integration.
    b. App ID. Enter the Integration ID that you generated in the previous step.
    c. Signing Key. Enter the Signing ID that you generated in the previous step.
    d. Verifying Key. Enter the Verifying ID that you generated in the previous step.
    e. Host. Enter the API Host copied from the ​Akamai MFA​ integration page. By default, it is mfa.akamai.com.
    f. Radius OTP Method. Select Push to configure push notification as your Radius OTP method.
    g. Cache duration. Specify the amount of time PacketFence will store the MFA-related information of the user. By default, it’s 60 seconds.
    h. In Post MFA Validation Cache Duration, accept the default 5-second-long cache.

  5. Click Save.

Associate the Authentication Source in the PacketFence UI

Follow this procedure to enable communication between PacketFence Gateway and your AD or LDAP user authentication source.

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Policies and Access Control > Authentication Sources.

  3. Click New Internal Source > and select AD or LDAP depending on your directory service.

  4. On the New Authentication Source page, provide your directory service data to enable the directory's connection with PacketFence Gateway:

    • Directory name and description
    • Host.
    • Base DN
    • Username attribute
    • Bind DN
    • Associate realms
  5. To apply a conditional rule to your authentication source, click Add rule and enter the condition. For example, enter memberof equals cn=otp_user,dc=acme,dc=com to check if a particular user is a member of a specific group.

  6. Assign the authentication rule with the following actions:
    a. Trigger Radius MFA. Select the MFA integration that you created in the previous step.
    b. Role. Select any value, for example, default.
    c. Access duration. Select any value, for example, 1 hour.

  7. Click Save.

Create Connection Profile in the PacketFence UI

Follow this procedure to enable PacketFence to validate the user's credentials against the AD or LDAP directory service.

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Policies and Access Control > Connection Profiles > Standard Connection Profiles.

  3. Click New Connection Profile.

  4. Enter the name of the connection profile.

  5. Scroll down the page and click Add Filter.

  6. In Connection type, select VPN-Access.

  7. Scroll down the page and click Add Source.

  8. Select the AD or LDAP you created in the previous step.

  9. Click Create.

Register your VPN server in the PacketFence UI

  1. Log in to the PacketFence UI.

  2. In the navigation menu, select Configuration > Policies and Access Control > Network device > Switches.

  3. Click New Switch > default.

  4. In Host, enter the IP address of your VPN server.

  5. In Type, select OpenVPN.

  6. Enable the CLI Access Enabled setting by selecting Yes.

  7. Click the Radius tab and enter the VPN secret password.

  8. Click Create.

See the VPN Configuration Guide for more information on network equipment configuration steps.

Test your setup

  1. When you try to access the VPN server, you’re prompted to authenticate with your username and password.
    The VPN authentication prompt contains the following input fields:

    • username
    • password
  2. Enter your VPN credentials.

  3. You receive a push notification on your enrolled authentication device.

  4. Tap Allow to acknowledge the access.

  5. ​Akamai MFA​ grants you access to the VPN server.