The Zyxel firewall series offers the possibility of a 2FA authentication via SMS for VPN and admin access. Local firewall users can be used, as well as AD or Radius users.
1. eCall Portal
2. Notification Server
3. Two-factor Authentication
4. Security Policy
5. HTTPS Settings
6. VPN Gateway
eCall Portal
An eCall account can be opened at https://portal.ecall-messaging.com/ecall/. Opening the account only takes a short time.
Once the account has been opened, the sender address of the firewall can be entered under Interfaces > E-mail interface via the "Add address" button. In addition, the option "I allow messages to be sent via e-mail through my eCall account." must be activated.
No additional settings are required in the eCall portal.
Notification Server
Configuration > System > Notification
- Mail Server
First, set up an e-mail server for sending mail. Usually port 587 is used for sending, together with TLS security and STARTTLS if necessary. Whether the mail server is set up correctly can be checked, for example, by sending a daily report.
- SMS
The following settings can be used for eCall:
| Setting | Value |
|---|---|
| Enable SMS | activate |
| Default country code for phone number | 41 for Switzerland |
| Provider Domain | sms.ecall.ch |
| Auto append to «mail to» | activate |
| Mail Subject | +$mobile_number$ |
| Mail from | The e-mail address recorded in the eCall portal. Ideally this is identical to the e-mail address in the mail server settings. |
| Mail To | +$mobile_number$ |
The "Default country code for phone number" can also be "0". However, the user's phone number must then be defined with the prefix "+xx", e.g. +41761234567.
- User settings
Configuration > Object > User/Group > User
A mobile number in the format 0761234567 is added to the user.
In addition, 2FA is activated.
Two-factor Authentication
Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access
The function must be switched on as a basic requirement. Then define for which users and for which connection types 2FA should be active. "Authorized Link URL" is the address placed in the SMS message; it must be reachable from the outside on the specified port. For eCall the option "Use Multilingual file" must be used.
The template file can be obtained and adapted via the download link.
The file can then be loaded back onto the firewall.
The file must contain the placeholder <url>.
The following placeholders can be used:
<url> Authorization Link URL address
<user> User who has logged in with 2FA
<host> Name of the firewall (Configuration > System > Host Name)
<Time> Valid Time: the time within which the client must complete its authentication
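The two pieces above that are easy to get wrong are how the user's mobile number and the "Default country code" setting combine into the eCall "Mail To" address, and that the multilingual template must contain the `<url>` placeholder. The following script is an added example and not Zyxel or eCall code: it models that behaviour so the result can be checked before a real user is locked out. The exact way the firewall joins country code, number and provider domain is an assumption derived from the settings table; the placeholder names and the sms.ecall.ch domain come from the article, and the sample template, host name, user and URL are constructed.

```python
"""Model of how the SMS-over-e-mail settings and the 2FA template combine
into one outgoing message. Added example, not Zyxel or eCall code; the
address-composition rule is assumed from the settings table."""
import re

REQUIRED_PLACEHOLDER = "<url>"   # the article states the template must contain it


def recipient_number(mobile: str, default_country_code: str) -> str:
    """Return the user's number in international +<cc><number> form.

    With a default country code such as "41", a number stored as
    0761234567 has its leading 0 replaced by +41. With default country
    code "0", the stored number must already carry a "+xx" prefix,
    otherwise it is rejected instead of producing an undeliverable address.
    """
    mobile = re.sub(r"[\s-]", "", mobile)          # tolerate spaces and dashes
    if default_country_code == "0":
        if not re.fullmatch(r"\+\d{6,15}", mobile):
            raise ValueError(
                "default country code is 0: number must be written as +xx..., got %r" % mobile)
        return mobile
    if mobile.startswith("+"):
        return mobile                               # already international
    if not re.fullmatch(r"0\d{6,14}", mobile):
        raise ValueError("expected a national number starting with 0, got %r" % mobile)
    return "+" + default_country_code + mobile[1:]


def render_template(template: str, values: dict) -> str:
    """Substitute the <url>, <user>, <host> and <Time> placeholders.

    Unknown <...> tokens are left untouched so a typo in the template is
    visible in the test SMS rather than silently dropped.
    """
    if REQUIRED_PLACEHOLDER not in template:
        raise ValueError("template is missing the mandatory <url> placeholder")
    out = template
    for name, value in values.items():
        out = out.replace("<%s>" % name, str(value))
    return out


def build_2fa_sms(user_mobile: str, settings: dict, template: str, values: dict):
    """Return (mail_to, subject, body) for one 2FA SMS.

    mail_to follows the assumed form +<number>@<provider domain>; the
    subject mirrors the "Mail Subject: +$mobile_number$" setting.
    """
    number = recipient_number(user_mobile, settings["default_country_code"])
    mail_to = number + "@" + settings["provider_domain"]
    return mail_to, number, render_template(template, values)


if __name__ == "__main__":
    # Constructed sample settings and template, matching the table above.
    settings = {"default_country_code": "41", "provider_domain": "sms.ecall.ch"}
    template = "<host>: <user>, open <url> to finish the VPN login, valid for <Time>."
    print(build_2fa_sms("0761234567", settings, template,
                        {"url": "https://fw.example.test:8443/", "user": "alice",
                         "host": "fw-hq", "Time": 3}))
```

Running it with the sample data yields the recipient +41761234567@sms.ecall.ch and the rendered body; switching the setting to "0" while keeping the user number as 0761234567 raises an error, which is the misconfiguration the note above warns about.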
Security Policy
Configuration > Security Policy > Policy Control
A security policy must be created for authentication using 2FA:
From: wan
To: ZyWALL
Source: can be restricted if necessary, e.g. to Switzerland
Service: Wiz_2FA (the port adjusts dynamically when it is changed in the 2FA menu)
Action: allow
HTTPS Settings
Configuration > System > WWW > HTTPS > User Service Control
For "User Service Control", access from the "WAN" or "ALL" zone must be permitted.
VPN Gateway
Configuration > VPN > IPSec VPN > VPN Gateway
For IPSec VPN (L2TP/IKEv1/IKEv2), 2FA must be activated in the VPN gateway.