Future Consideration 2FA for VPN
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @utilsvcllc
Thanks for posting in our business forum.
utilsvcllc wrote
@Clive_A I know they all have some type of MFA for access type VPNs, IKE tunnels they probably don't, since I don't think IKE/IKEv2 can even do that by protocol.
I looked up MFA or 2FA on Sonicwall on Google.
Sonicwall tends to use the RADIUS with SSL VPN. Rest of the other types of VPN don't seem to be possible with the 2FA or with RADIUS.
SSL VPN, we support the RADIUS as well.
OVPN supports LDAP.
Mikrotik is based on the RADIUS as well. Third-party vendors providing the MFA. I found third-party vendors article providng the LDAP/RADIUS MFA. I don't see it is built into the system.
Or if you have other ideas or correct me.
- Copy Link
- Report Inappropriate Content
I already asked about it in 2022, but still there is no solution.
https://community.tp-link.com/en/business/forum/topic/519816
2FA for VPN is essential for business.
Please develop it ASAP.
Thanks in advance
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi @peter021
Thanks for posting in our business forum.
peter021 wrote
I already asked about it in 2022, but still there is no solution.
https://community.tp-link.com/en/business/forum/topic/519816
2FA for VPN is essential for business.
Please develop it ASAP.
Thanks in advance
Have you tried RADIUS or LDAP? They are mature multi-factor auth.
Or does it have to be the 2FA like the MS or Google Authenticator?
Do you happen to know any vendors supporting this?
- Copy Link
- Report Inappropriate Content
Yes we have looked at setting up a RADIUS server and even looking at different external system's for MFA like Duo, but if we are going to setup multiple servers/services then while we are at it we might aswell setup individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual Wireless Access points and switches made by different manufactures.
There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator App with their VPN, of the top of my head I know that there are some SonicWall's Routers that support TOTP on their VPN aswell of the open source solutions like OPNSense and Untangle
The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware as if would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.
While we are completely capable of setting up individual setups for all the different services, we just like the idea of all being in one place within the Omada Control Panel, if we didn't want a single solution to control everything then we would have just gone down the path of individual acesspoints/switches and use OPNSense for the router, as it would have ended up being a cheaper option.
- Copy Link
- Report Inappropriate Content
I work for a 15-person company; we do not have special servers for special purposes.
Google Authenticator would be perfect for this purpose.
2FA is already working for Omada cloud login with Google Authenticator. I would like to have the same solution for VPN for all colleagues for home office
Thanks
regards
Peter
- Copy Link
- Report Inappropriate Content
Hi @DaveMcDave
DaveMcDave wrote
Yes we have looked at setting up a RADIUS server and even looking at different external system's for MFA like Duo, but if we are going to setup multiple servers/services then while we are at it we might aswell setup individual servers to deal with VPN, DHCP, DNS and MFA user control for the VPN. Then have lots of random individual Wireless Access points and switches made by different manufactures.
There are multiple other options in routers that will at least support TOTP MFA authentication using the Google Authenticator App with their VPN, of the top of my head I know that there are some SonicWall's Routers that support TOTP on their VPN aswell of the open source solutions like OPNSense and Untangle
The simple reason for asking for this feature is so we don't have to have a mismatch of different servers and hardware as if would just be nice to have everything in 1 place within the Omada control panel, or is that just too much to ask for.
While we are completely capable of setting up individual setups for all the different services, we just like the idea of all being in one place within the Omada Control Panel, if we didn't want a single solution to control everything then we would have just gone down the path of individual acesspoints/switches and use OPNSense for the router, as it would have ended up being a cheaper option.
I am aware of the opensource platforms which you may install some kind of plug-ins to implement TOTP. But I looked it up but found many vendors are doing this by hosting a RADIUS. They are not natively supporting this feature.
That's why I kept asking if there is any guides for me to fill in the report to increase the confidence.
That's really important. If you can share a guide of the opensource guide on TOTP, I might take a look and see how they implement this. But as said previously, several points, the traditional vendors with the pre-built system are achieve the same 2FA by RADIUS. We follow the suit and we currently support it. Open source is not our target competitor. We simply did not support 2FA to the Google/MS authenticator.
I might not reply to this timely as I am taking holidays.
- Copy Link
- Report Inappropriate Content
I completely agree with you. Having 2FA feature for VPN is a must these days due to security concerns and it solves all the problems in Omada ecosystem.
regards,
Narendra
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
Narendra
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
DaveMcDave wrote
Good morning from the not so sunny UK!
We have several ER7206 (and a few ER605) based at different clients sites, and we would like to have the ability to add 2 factor authentication to the VPN setup please. This feature nowadays is a must have for cyber assurance purposes, so it seems daft to have to implement another VPN solution when you have 99% of it already built into the router. It's just missing that last option!
Even the OpenVPN server built into the ER7206 doesn't appear to have the option for 2FA, and to my knowledge this is standard option for the OpenVPN server.
This router fulfills all of our requirements and the Omada ecosystem as a whole is fantastic, it's just this one drawback!
Many thanks.
. Hope Tp link will come out with this feature in their next version
regards,
Narendra
- Copy Link
- Report Inappropriate Content
Information
Helpful: 9
Views: 1347
Replies: 28
Voters 9
