I am trying to find the best solution for the following requirements:
- Client VPN for Windows & macOS users
- Preferably L2TP so employees don’t need to install additional software - but I’m open to other options
- Supports 2FA (hosted RADIUS with 2FA support?)
- Using Google Workspace as the identity provider and adding VPN users to a group in Google would be ideal (I would rather not need to maintain two separate user databases)
I am planning to have a UDM-Pro installed at this location, but I don’t know that I want to use it for the Client VPN. I am thinking of having a separate VPN appliance - I was thinking of using pfSense - but I am open to any suggestions.
From the research I’ve done so far, it seems like the easiest way to implement 2FA is to use a hosted RADIUS service that supports 2FA. I also need this system to be easy to manage and maintain when new employees are onboarded.
Does anyone have any ideas of the best services available right now for this use case? Or can anyone share how they are implementing VPN service for large companies?
@neogrid The Cybersecurity Insurance company for my client is requiring them to have 2FA on their VPN connection back to their corporate office. From what I’m reading online, a certificate doesn’t count as 2FA. It would need to be user/pass/OTP based authentication.
Any advice on hooking into Google as IdP? I was looking at JumpCloud, Cloud RADIUS by SecureW2, Duo and Okta. Would love any feedback if anyone has any experience with any of these services.
I would look into Palo Alto Prisma Access. I have 6 POPs across the US and run IPSec tunnels back to my data center for corporate access. It’s an easy design that supports MFA across many identity providers.
VPN for large companies uses PKI (smartcards). This is a form of 2FA as it requires a PIN + the smartcard. Does your current implementation use smartcards or certificate-based auth?
OP, I will recommend what I have put in place where I work (Fortinet), but you might not like it.
- Firewall: FortiGate - handles the VPN connections (and certificates if you want - we are removing the certificate because we now use EMS, which is much more flexible and you don’t need to redeploy the cert every year)
- RADIUS: FortiAuthenticator, which can use your user database from Active Directory/LDAP or something else, and you can specify that 2FA is required when signing in.
- Firewall Client: FortiClient, which is provided by your FortiEMS server, which in turn lets you set up Zero Trust (ZTNA) rules and block devices even before they reach your network.
Of course it is not cheap, but it is leagues more secure than a standard setup - at the price of more complexity as well.