Configuration

To configure 2FA for your VPN, you must first add your VPN appliance as a RADIUS client. To do so, follow the steps shown below:

1. In the ESA Web Console, navigate to Components > RADIUS, select a RADIUS server and click Create new RADIUS client.

2. Give the RADIUS client a memorable name for easy reference.

3. Configure the IP Address and Shared Secret for the Client so that they correspond to the configuration of your VPN appliance. The IP address is the internal IP address of your appliance. If your appliance communicates via IPv6, use that IP address along with the related scope ID (interface ID). The shared secret is the RADIUS shared secret for the external authenticator that you will configure on your appliance.

4. Select "Mobile Application" as an authentication method. The optimal authentication method depends on your VPN appliance make and model. See the appropriate ESA VPN Integration Guide for details. VPN integration guides are available on the ESET Knowledgebase.

5. Optionally, you can allow any non-2FA users to use the VPN.

Note

Allowing non-2FA users to log in to the VPN without restricting access to a security group will allow all users in the domain to log in using the VPN. Using this configuration is not recommended.

6. Optionally, restrict VPN access to an existing AD security group.

7. Select "Current AD domain" or "Current AD domain and domains in trust" from the Realm selection box to have the realm (domain) of the user registered automatically when the user authenticates for the first time using VPN and 2FA. Alternatively, select a specific realm from the selection box to have all users registered to the same realm.

8. Once you are finished making changes, click Save.

9. Restart the RADIUS server.

a. Locate the ESA RADIUS Service in the Windows Services (under Control Panel - Administrative Tools - View Local Services).

b. Right-click the ESA RADIUS Service and select Restart from the context menu.

Note

If the Mobile Application Push authentication method is enabled, set the authentication expiration time of your VPN server to more than 2.5 minutes.

The following VPN Type options are available:

VPN does not validate AD user name and password

VPN validates AD user name and password

Use Access-Challenge feature of RADIUS

The following RADIUS clients support the RADIUS Access-Challenge feature:

Junos Pulse (VPN)

Linux PAM module

The following RADIUS clients should not be used with the Access-Challenge feature:

Microsoft RRAS

Additional attributes to be sent by ESA RADIUS

If your VPN client requires additional RADIUS attributes to be sent by ESA RADIUS, configure them in C:\Program Files\ESET Secure Authentication\EIP.Radius.WindowsService.exe.config by adding a snippet similar to the following:

<appSettings>
    <add key="Radius_Attribute_ID" value="any_value_expected_by_your_VPN_server" />
</appSettings>

If the <appSettings> element is already present, do not duplicate it; add the <add key="..." value="..." /> line inside the existing <appSettings> element instead.

Supported additional attributes: Filter-Id, Framed-IP-Address, Framed-IPv6-Prefix and Framed-Interface-Id.

Filter-Id bears a static value that you configure in the EIP.Radius.WindowsService.exe.config file. The values of the other supported attributes are configured per user in Active Directory Users and Computers (ADUC).

Supported attributes configurable in ADUC

EIP.Radius.WindowsService.exe.config key | value      | RADIUS attribute    | Value retrieved from AD user attribute | Where to configure in ADUC?
-----------------------------------------|------------|---------------------|---------------------------------------|----------------------------
RadiusFilterIdValue                      | <any text> | Filter-ID           | Remains the text defined in "value"   | -
RadiusSendAttribute_Framed-IP-Address    | true       | Framed-IP-Address   | msRADIUSFramedIPAddress               | Dial-In tab > Assign Static IP Addresses > Assign a static IPv4 address
RadiusSendAttribute_Framed-IPv6-Prefix   | true       | Framed-IPv6-Prefix  | msRADIUS-FramedIpv6Prefix             | Dial-In tab > Assign Static IP Addresses > Assign a static IPv6 address - Prefix
RadiusSendAttribute_Framed-Interface-Id  | true       | Framed-Interface-Id | msRADIUS-FramedInterfaceId            | Dial-In tab > Assign Static IP Addresses > Assign a static IPv6 address - Interface ID

If you want ESA RADIUS to send the values of the above-mentioned attributes, add the following snippet to EIP.Radius.WindowsService.exe.config between the <configuration> and </configuration> tags.

<configuration>
  <!-- other existing sections of the file stay as they are -->
  <appSettings>
    <!-- Filter-Id: static text; the key name is the one listed in the table above -->
    <add key="RadiusFilterIdValue" value="any text you want" />
    <!-- the remaining three take their value from the user's Dial-In tab in ADUC -->
    <add key="RadiusSendAttribute_Framed-IP-Address" value="true" />
    <add key="RadiusSendAttribute_Framed-IPv6-Prefix" value="true" />
    <add key="RadiusSendAttribute_Framed-Interface-Id" value="true" />
  </appSettings>
</configuration>
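A way to confirm, from the VPN side, that the shared secret entered for the RADIUS client matches and that ESA RADIUS really returns the attributes enabled above: the check below verifies the Response Authenticator of an Access-Accept and decodes Filter-Id, Framed-IP-Address, Framed-IPv6-Prefix and Framed-Interface-Id as defined in RFC 2865 and RFC 3162. This is an added example, not ESET code; the shared secret, Request Authenticator and the sample reply are constructed, so it runs offline.

```python
import hashlib, ipaddress
# RADIUS attribute type codes (RFC 2865 / RFC 3162) for the attributes ESA RADIUS can add
FRAMED_IP_ADDRESS, FILTER_ID, FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX = 8, 11, 96, 97

def decode_attrs(attr_bytes):
    """Walk the Type-Length-Value list of a RADIUS reply and decode the four supported attributes."""
    out, i = {}, 0
    while i + 2 <= len(attr_bytes):
        atype, alen = attr_bytes[i], attr_bytes[i + 1]
        if alen < 2 or i + alen > len(attr_bytes):
            raise ValueError("malformed attribute length")
        val = attr_bytes[i + 2:i + alen]
        if atype == FRAMED_IP_ADDRESS:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(val))
        elif atype == FILTER_ID:
            out["Filter-Id"] = val.decode("utf-8", "replace")
        elif atype == FRAMED_INTERFACE_ID:
            out["Framed-Interface-Id"] = val.hex(":", 2)  # 8 bytes, shown as 4 groups
        elif atype == FRAMED_IPV6_PREFIX:  # 1 reserved byte, 1 prefix-length byte, then the prefix
            prefix = ipaddress.IPv6Address(val[2:].ljust(16, b"\x00"))
            out["Framed-IPv6-Prefix"] = f"{prefix}/{val[1]}"
        i += alen
    return out

def verify_response(packet, request_authenticator, secret):
    """RFC 2865: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("bad packet length")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]

def parse_access_accept(packet, request_authenticator, secret):
    """Decoded attributes of an authentic Access-Accept (code 2); None for any other reply code."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered reply")
    return decode_attrs(packet[20:]) if packet[0] == 2 else None

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Constructed sample reply, so the check can be exercised offline without a live ESA RADIUS server."""
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    header = bytes([2, ident]) + (20 + len(body)).to_bytes(2, "big")
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body

SECRET = b"example-shared-secret"  # constructed; use the shared secret from the RADIUS client entry
REQ_AUTH = bytes(range(16))  # constructed stand-in for the random Request Authenticator that was sent
SAMPLE_REPLY = build_access_accept(7, REQ_AUTH, SECRET, [
    (FILTER_ID, b"vpn-users"), (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.5.20").packed),
    (FRAMED_IPV6_PREFIX, b"\x00\x40" + ipaddress.IPv6Address("2001:db8:1::").packed[:8]),
    (FRAMED_INTERFACE_ID, bytes.fromhex("0000000000000001"))])
```

With a real capture, pass the Access-Accept bytes together with the Request Authenticator of the matching Access-Request; a mismatch points at a wrong shared secret on either side before any attribute is trusted.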