Future Consideration 2FA for VPN
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @utilsvcllc
Thanks for posting in our business forum.
utilsvcllc wrote
@Clive_A I know they all have some type of MFA for access type VPNs, IKE tunnels they probably don't, since I don't think IKE/IKEv2 can even do that by protocol.
I looked up MFA or 2FA on Sonicwall on Google.
Sonicwall tends to use the RADIUS with SSL VPN. Rest of the other types of VPN don't seem to be possible with the 2FA or with RADIUS.
SSL VPN, we support the RADIUS as well.
OVPN supports LDAP.
Mikrotik is based on the RADIUS as well. Third-party vendors providing the MFA. I found third-party vendors article providng the LDAP/RADIUS MFA. I don't see it is built into the system.
Or if you have other ideas or correct me.
- Copy Link
- Report Inappropriate Content
I already asked about it in 2022, but still there is no solution.
https://community.tp-link.com/en/business/forum/topic/519816
2FA for VPN is essential for business.
Please develop it ASAP.
Thanks in advance
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi @peter021
Thanks for posting in our business forum.
peter021 wrote
I already asked about it in 2022, but still there is no solution.
https://community.tp-link.com/en/business/forum/topic/519816
2FA for VPN is essential for business.
Please develop it ASAP.
Thanks in advance
Have you tried RADIUS or LDAP? They are mature multi-factor auth.
Or does it have to be the 2FA like the MS or Google Authenticator?
Do you happen to know any vendors supporting this?
- Copy Link
- Report Inappropriate Content
Yes we have looked at setting up a RADIUS server and even looking at different external system's for MFA like Duo, but if we are going to setup multiple servers/services then while we are at it we might aswell setup individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual Wireless Access points and switches made by different manufactures.
There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator App with their VPN, of the top of my head I know that there are some SonicWall's Routers that support TOTP on their VPN aswell of the open source solutions like OPNSense and Untangle
The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware as if would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.
While we are completely capable of setting up individual setups for all the different services, we just like the idea of all being in one place within the Omada Control Panel, if we didn't want a single solution to control everything then we would have just gone down the path of individual acesspoints/switches and use OPNSense for the router, as it would have ended up being a cheaper option.
- Copy Link
- Report Inappropriate Content
I work for a 15-person company; we do not have special servers for special purposes.
Google Authenticator would be perfect for this purpose.
2FA is already working for Omada cloud login with Google Authenticator. I would like to have the same solution for VPN for all colleagues for home office
Thanks
regards
Peter
- Copy Link
- Report Inappropriate Content
Hi @DaveMcDave
DaveMcDave wrote
Yes we have looked at setting up a RADIUS server and even looking at different external system's for MFA like Duo, but if we are going to setup multiple servers/services then while we are at it we might aswell setup individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual Wireless Access points and switches made by different manufactures.
There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator App with their VPN, of the top of my head I know that there are some SonicWall's Routers that support TOTP on their VPN aswell of the open source solutions like OPNSense and Untangle
The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware as if would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.
While we are completely capable of setting up individual setups for all the different services, we just like the idea of all being in one place within the Omada Control Panel, if we didn't want a single solution to control everything then we would have just gone down the path of individual acesspoints/switches and use OPNSense for the router, as it would have ended up being a cheaper option.
I am aware of the opensource platforms which you may install some kind of plug-ins to implement TOTP. But I looked it up but found many vendors are doing this by hosting a RADIUS. They are not natively supporting this feature.
That's why I kept asking if there is any guides for me to fill in the report to increase the confidence.
That's really important. If you can share a guide of the opensource guide on TOTP, I might take a look and see how they implement this. But as said previously, several points, the traditional vendors with the pre-built system are achieve the same 2FA by RADIUS. We follow the suit and we currently support it. Open source is not our target competitor. We simply did not support 2FA to the Google/MS authenticator.
I might not reply to this timely as I am taking holidays.
- Copy Link
- Report Inappropriate Content
I completely agree with you. Having 2FA feature for VPN is a must these days due to security concerns and it solves all the problems in Omada ecosystem.
regards,
Narendra
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
Narendra
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
. Hope Tp link will come out with this feature in their next version
regards,
Narendra
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hey,
I registered here just to respond (at least for now) to this topic. I have been working with Draytek for many years and recently I have been looking for another brand with a more accessible price/quality, for some customers who want a slightly more economical solution to Draytek. That's why I can guarantee that at least on the latest models, VPN authentication with TOTP (2FA) is possible. I even have VPN authentication via LDAP and TOTP (2FA) on many of my clients. So not only do I not have to worry about passwords, since the client can change the password whenever they want via Active Directory (I even have a AD policy to require changing the password every 90 days, forcing you to create a password with complexity and different from the last 30 passwords) but I also have the security that even the password for some reason is compromised, that there is 2-step authentication.
You can do a quick Google search on "Draytek vpn 2fa", and you will see what I'm talking about.
I confess that I was already considering TP-Link as a total alternative to Draytek. But as I didn't find this solution in the emulator, I did a little research and came across this topic. Unfortunately from what I've seen here, 2FA is not yet supported by TP-Link, so because this it's something of a "must have" for me so I can consider a alternative. For this reason, for now I will still stay with Draytek and wait for new developments.
Regards,
- Copy Link
- Report Inappropriate Content
Information
Helpful: 11
Views: 1773
Replies: 32