TZ270 MFA and the Global VPN client

Windows environment. Server 2012, Windows 10 and 11 clients. TZ270 7.XX. Currently using LDAP to authenticate as well as pre-shared key and want to implement MFA.

Changing the client from GVC to SSL or Netextender is not an option, way too difficult to change all the users' clients around. I have no experience with RADIUS and understand that is how it's done.

Anybody implemented this? Can you share step by step of setting it up?

You can use the global VPN with radius authentication to get a 2fa prompt. We used Okta’s radius agent which allowed us to send push notifications to the users cell phone for 2fa verification.

Check out Okta’s radius agent as an option for you.

This seems to be what you’re looking for.

https://www.sonicwall.com/support/knowledge-base/configuring-one-time-passwords/170505594681886/

I did and had to drop the Global VPN client and move to NetExtender. As far as I have experienced, GVC does not support MFA; I could not use Google Authenticator or another authenticator program with it. From the link that was already posted:
OTP cannot be configured for Global VPN Client (GVC) users.
You may have to switch over for MFA. There is this:
https://www.sonicwall.com/support/knowledge-base/two-factor-authentication-using-rsa-radius-and-securid-for-sonicwall-gvc-and-netextender-clients/170503789509355/

I don’t have an RSA server, so I can’t validate it. You may have to go over to NetExtender.

I put my SSLVPN Users group in the GVC “allowed users” list and it started popping up a prompt for “Password” which is the OTP from the Google Authenticator app we use for the SSLVPN users. (slowly shifting everyone)

EDIT: This is on a NSa2700 and a TZ670 and a few TZ470s. I will try it on my own TZ270 at home at some point to confirm though.

You can only do MFA with GVC if you have a RADIUS server and configure the SonicWall to point to it. Otherwise, you need to move to SSL VPN. There is no other option besides the RADIUS server option.

OK, just getting my head around the RADIUS thing. Why can I not use the RADIUS setting in the Network Policy app to do this? How does Okta fit into this? Again, I am using Server 2012 Standard.

Thanks, but that looks like it requires the SSL connection. We are using the Global VPN Client.

Did you do this under Advanced tab at the “User group for XAUTH users” dropdown? I was under the impression this is not possible with GVC.

Would you mind elaborating a little more on what you did? Thanks!

Will NPS give you the 2fa? Okta or any IdP will offer a 2fa option.

Radius gives the firewall a true/false with the credentials entered. Okta or another identity provider can validate the user creds and add any other authentication mechanism as it wants. You can do a push notification (a prompt on the user's cell phone they have to approve) or a rotating code or SMS text number, etc… once approved, the radius agent sends the firewall a true response and the connection is permitted. I just did Okta so it is top of brain, but sure others can do it. The true requirement is that they have a radius agent that can help bridge the connection with the firewall.
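To make the "true/false" bridging concrete, here is an added example (not from this thread, and not Okta's or SonicWall's code) that models the exchange in Python: the firewall wraps the XAUTH username and password in a RADIUS Access-Request (RFC 2865 User-Password hiding), and a minimal "agent" reveals the password, checks it together with a second factor, and answers Access-Accept or Access-Reject with a verifiable Response Authenticator. The shared secret, the user table and the OTP are constructed values, and the password-plus-OTP convention is an assumption for the demo.

```python
import hashlib, struct
# Constructed demo values: shared secret, user table and OTP are made up for this example.
SECRET = b"demo-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
USERS = {b"alice": (b"correct horse", b"123456")}  # user -> (password, current OTP)

def _pw_transform(data, authenticator, secret, reveal=False):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if reveal else block  # chain on the cipher block either way
    return out

def build_access_request(ident, username, password, authenticator, secret=SECRET):
    # What the firewall (NAS) sends: User-Name plus the hidden User-Password
    attrs = struct.pack("BB", USER_NAME, 2 + len(username)) + username
    hidden = _pw_transform(password, authenticator, secret)
    attrs += struct.pack("BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        attr_type, attr_len = body[i], body[i + 1]
        attrs[attr_type] = body[i + 2:i + attr_len]
        i += attr_len
    return attrs

def agent_handle(packet, secret=SECRET):
    # The agent's job: check the password AND the second factor, answer Accept or Reject
    _, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    combined = _pw_transform(attrs.get(USER_PASSWORD, b""), authenticator, secret, reveal=True).rstrip(b"\x00")
    pw, otp = USERS.get(user, (None, None))
    # Password-plus-OTP style (assumed here): the client types the 6-digit code after the password
    ok = pw is not None and combined == pw + otp
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + authenticator + secret).digest()

def response_is_valid(resp, request_authenticator, secret=SECRET):
    # The NAS only trusts an Accept whose authenticator matches the shared secret
    return hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest() == resp[4:20]
```

A wrong or missing OTP yields Access-Reject even with the correct password, which is the behaviour the firewall relies on: it never sees the second factor itself, only the agent's verdict.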

OK, so I registered for a trial with Okta. All I get is a simple screen in the browser with Okta in the upper left and "My Apps", "Notifications", and "Add Apps". None of the apps seem to have anything to do with MFA or 2FA.

Can you kick start me? I’m trying hard to not sound stupid here, but this is NOT intuitive…

Looking through a few KBs I would start here:

LDAP integration to Okta basic setup

Install and configure Okta Radius Agent

Use the top half of this article to configure the firewall.
https://www.sonicwall.com/support/knowledge-base/configuring-radius-authentication-for-global-vpn-clients-with-network-policy-and-access-server/170505788908370/

I hope these help point you in the right direction. You should have support with Okta for the trial, if you get stuck. The same with SonicWall though it is the easier of the two to setup. Good luck!