Configure VPN 2FA Support via RADIUS
You need to utilize PortalGuard to provide 2FA functionality for your VPN Users.
Enable the RADIUS feature within PortalGuard.
- PortalGuard currently only supports the PAP protocol for RADIUS.
- 2FA Methods must be enrolled prior to attempting 2FA Via RADIUS/VPN
- RADIUS does not support enrollment prompting. The user must have enrolled an allowed 2FA Method prior to RADIUS/VPN 2FA usage or else they will not be able to complete the authentication.
- FIDO, FIDO2, U2F, Biometrics, Contextual, and External Authentication methods are NOT supported for RADIUS/VPN.
Enable RADIUS in PortalGuard
- Navigate to the PortalGuard server and open the PortalGuard Configuration Editor.
- Click on 'Edit Bootstrap'.
- Navigate to the 'Services' -> 'RADIUS' tab and check the box labeled 'RADIUS Support Enabled?'.
- If prompted, set the RADIUS service to start automatically.
- Under the 'Runtime' tab, ensure the 'Authentication Port' value is set to 1812 and the 'Accounting Port' value is set to 1813 (the standard RADIUS authentication and accounting ports).
- Do not click the 'Start' button yet: the configuration must be saved at least once before the service switches to 'Automatic', at which point it starts on its own. This is verified in a later step.
- Navigate to the 'Client Configuration' tab and click the 'Create' button:
- Match the Client Configuration settings here to those configured on your VPN Server.
- These settings will be different for each environment.
- Important: Ensure the PAP protocol is supported before enabling any configuration!
- Click 'Save' to save the Client Configuration.
- Click 'Save' to save the overall RADIUS settings.
- To quickly confirm the RADIUS service has started, click on 'Edit Bootstrap' again and navigate to the 'Services' -> 'RADIUS' tab.
- If the 'Service Status' still says 'Stopped', click the 'Start' Button.
- If needed, modify the Windows Firewall on the PortalGuard server to allow inbound access to ports 1812 and 1813 over UDP.
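As an added illustration of the PAP-only constraint above (example code, not PortalGuard's own), the following Python builds and checks RFC 2865 RADIUS packets the way a VPN client talking to the service on UDP 1812 would: the User-Password attribute is hidden only with a chained MD5 of the shared secret and the request authenticator, which is why the shared secret entered in the Client Configuration must be strong and why ports 1812/1813 should be reachable only from the VPN server. The secret, user name and password values are constructed placeholders.

```python
# Added example (not PortalGuard's own code): minimal RFC 2865 RADIUS/PAP
# packet builder and checker. PAP hides User-Password by XOR-ing 16-byte
# blocks with a chained MD5(secret + authenticator); the shared secret is the
# only protection on the wire, so keep it long and random.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_hide(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(secret, authenticator, hidden):
    """Server-side inverse of pap_hide; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, user, password):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    auth = os.urandom(16)  # Request Authenticator: must be fresh per request
    attrs = b""
    for t, v in ((ATTR_USER_NAME, user.encode()),
                 (ATTR_USER_PASSWORD, pap_hide(secret, auth, password.encode()))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v  # length covers type+len
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_response(secret, request_auth, code, ident, attrs=b""):
    """What the server sends back (RFC 2865 3): header, Response Authenticator, attrs."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(secret, request_auth, resp):
    """Return the response code, or None if the Response Authenticator does not match."""
    if len(resp) < 20:
        return None
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    return resp[0] if resp[4:20] == expected else None
```

To probe a live service, send the packet from build_access_request with socket.sendto to UDP port 1812 on the PortalGuard server and pass the reply to verify_response (2 is Access-Accept, 3 is Access-Reject). A timeout means nothing answered on 1812, which usually points at the service still being 'Stopped' or the firewall rule from the last step missing.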
Configure 2FA for Users when Using RADIUS/VPN Through PortalGuard
- Within the PortalGuard Configuration Editor, navigate to the 'Security Policies' tab and edit the policy that applies to VPN users.
- Navigate to the 'Actions' -> 'VPN' tab and ensure 'RADIUS/VPN' is set to Two-Factor (2FA):
- Ensure the 'Accepted OTP Methods' section has the appropriate methods enabled for your environment.
- If you wish to utilize a method that is greyed out, it must first be enabled in the 'Authentication Methods' tab.
- Ensure the 'Default OTP Method' drop down is set to a valid option.
- The 2FA attempt via RADIUS/VPN will ALWAYS use the Default OTP Method, so users MUST have this method enrolled. If they do not, the next time any such user authenticates to PortalGuard directly, they will be forced to enroll this method. By selecting the 'Allow Users to Override' option, users can select a different default from the Account Management Page.
- Save all changes.
- Click on the 'Apply to PortalGuard Server' button and then 'Sync' to commit these changes.
REV. 03/2020 | PortalGuard