We have an NSA 3600 and have about 250 users connecting via IPsec VPN and the GVC client. What "should" we be doing for VPNs/NetExtender? Right now the username and PW is saved in the client so I just send it to the users. I need a better way.
DUO works well for this. Have AD sync with DUO and have sonicwall point to the DUO radius server.
Do you use Azure AD? You can do RADIUS with NPS and have your O365 Authenticator MFA be integrated. This is with NetExtender.
I believe Okta has a solution if you’re not using O365 and AAD.
What is your RADIUS? Or are these local users?
SSLVPN, RADIUS, Duo OR Microsoft MFA will push.
You could also set otp or totp via Sonicwall groups or local.
A SonicWall SMA in HA config with RADIUS pointed to DUO will work fine. Or your preferred flavor of MFA provider.
So the folks saying Duo and RADIUS are absolutely correct, that will absolutely work.
I would argue that the LDAP integration is a better solution since the Duo Proxy will pass group memberships all the way back to the SonicWall so any policies you have set based on an AD group take effect.
ProTip - ensure LDAPS (TCP 636) is used and AD users can change their expired AD passwords behind 2FA while still offsite via NX! Definitely not as easy to accomplish with RADIUS; I've not successfully pulled off MS-CHAPv2 before.
Check out my comment that JPT pinned for how to make LDAPS go.
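As an added illustration (not from any commenter above, and not SonicWall's or Duo's own documentation), here is what the two approaches recommended in this thread look like side by side in a Duo Authentication Proxy `authproxy.cfg`: a `[radius_server_auto]` section that the SonicWall talks RADIUS to, and an `[ldap_server_auto]` section that the SonicWall talks LDAPS to, both authenticating primary credentials against AD through a shared `[ad_client]` that itself uses LDAPS on TCP 636. Every hostname, DN, IP, key and path below is a placeholder assumed for the example; the SonicWall NSA, Duo integration keys and certificate paths must be replaced with your own.

```ini
; Duo Authentication Proxy configuration (authproxy.cfg) - illustrative only
; All values are placeholders; substitute your own environment.

[ad_client]
; Primary authentication against on-prem AD over LDAPS (TCP 636), never cleartext.
host=dc1.example.internal
host_2=dc2.example.internal
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal
; Only members of this group may authenticate through the proxy at all.
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=internal
transport=ldaps
; CA bundle used to validate the domain controllers' LDAPS certificates.
ssl_ca_certs_file=/etc/duoauthproxy/conf/ad_ca.pem

[radius_server_auto]
; Option 1 from the thread: SonicWall -> RADIUS -> Duo proxy -> AD + Duo push.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; The SonicWall NSA is the only RADIUS client allowed to talk to the proxy.
radius_ip_1=192.0.2.1
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
; secure = deny logins if Duo's cloud is unreachable (safe = allow with primary auth only).
failmode=secure
client=ad_client
port=1812

[ldap_server_auto]
; Option 2 from the thread: SonicWall -> LDAPS -> Duo proxy -> AD + Duo push.
; Group memberships from AD are proxied through, so SonicWall group-based
; policies keep working, and password-expiry changes can still be handled
; by the directory integration on the SonicWall side.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
failmode=secure
; Listen on LDAPS only; the SonicWall points its LDAP server entry at this port.
ssl_port=636
ssl_key_path=/etc/duoauthproxy/conf/proxy.key
ssl_cert_path=/etc/duoauthproxy/conf/proxy.pem
; Require 2FA even for the SonicWall's own bind account lookups.
exempt_primary_bind=false
```

On the SonicWall, the RADIUS variant is configured under the RADIUS user authentication settings pointing at the proxy host with the shared secret above, and the LDAP variant is configured as an LDAP server entry using TLS on port 636 pointing at the same proxy. In both cases the SonicWall never sees the Duo API keys, and because `failmode=secure` is set, a Duo outage results in denied logins rather than a silent fallback to password-only access.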
This might be the way to go if you have the right infrastructure for this.
Though I’m curious if it will support number matching for MFA
Local users. I had it tied to our on-prem AD before COVID but it caused more problems. Now I create a local user and save their PW for them on the laptop. I need a better solution.
Wow. Thank you for this.
Just use the built in TOTP.
I use SSL VPN and it works great there. Not sure if it works with GVC.
https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-2fa-for-ssl-vpn-with-totp/190829123329169/