Google Authenticator and Microsoft Authenticator are authentication schemes that use Time-Based One-Time Passwords (TOTP), generated by an app on the user's mobile device, to authenticate the user. The app generates temporary six-digit numbers calculated from a shared secret and the current time. To use this on the CloudGen Firewall, the user must enroll the Google/Microsoft Authenticator app in a two-step process. To associate the Google/Microsoft Authenticator with user and group information, a helper scheme such as MSAD or LDAP must be configured.

Google/Microsoft Authenticator is supported for CudaLaunch and the SSL VPN web portal. For users to be able to self-enroll, they must be able to access the SSL VPN through an Access Control Policy that does not use Google/Microsoft Authenticator as an authentication method. After all users are enrolled, the admin can switch to an Access Control Policy that requires Google/Microsoft Authenticator. To share the linked accounts across managed firewalls in a single HA cluster, use a repository entry.
Enrolling Mobile Devices
- Create an SSL VPN Access Control Policy that allows users to log in without Google/Microsoft Authenticator.
- Instruct users to log into CudaLaunch or the SSL VPN web portal to enroll their devices. For more information, see Enroll your Mobile Device for use with Time-Based One-Time Passwords (TOTP).
- Deactivate the original Access Control Policy and enable an Access Control Policy using Google/Microsoft Authenticator.
Before You Begin
- Enable SSL VPN. For more information, see How to Configure the SSL VPN Service.
- Configure an authentication scheme with user/group information such as MSAD or LDAP to be used as the User Info Helper Scheme. For more information, see Authentication.
Step 1. Enable Google Authenticator
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Authentication Service.
- In the left menu, click Google Authentication.
- Click Lock.
- From the Google Authentication Scheme drop-down list, select Yes.
- (optional) Set User Info Helper Scheme to MSAD if group information is required.
- Click Send Changes and Activate.
Step 2. Configure an MFA Access Control Policy for Google Authentication
Configure an Access Control Policy using Google Authentication as the secondary authentication scheme.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN > SSL-VPN.
- In the left menu, click Access Control Policies.
- Click Lock.
- Click + to add an Access Control Policy. The Access Control Policies window opens.
- Enter the Name and click OK.
- In the Access Control Policy section, select the Active check box.
- (optional) Add Allowed Groups and Blocked Groups.
- (optional) To use multi-factor authentication, add the primary authentication scheme:
  - Click + to add the primary authentication scheme to the Authentication Scheme table. The Authentication Scheme window opens.
  - From the Authentication Scheme drop-down list, select the primary authentication scheme, e.g., MS Active Directory or LDAP.
  - Click OK.
- Click + to add Google Authentication to the Authentication Scheme table. The Authentication Scheme window opens.
- In the Authentication Scheme window, set Authentication Scheme to GoogleAuth.
- Click OK.
- (optional) Click + to add NAC criteria to the Network Access Control Criteria table.
- Click OK.
- Click Send Changes and Activate.
Step 3. Activate Access Control Policy for Google Authentication
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN > SSL-VPN.
- In the left menu pane, click Login.
- Click Lock.
- In the Login section, click + and select the Access Control Policy created in Step 2.
- Click Send Changes and Activate.
Step 4. (Single HA Cluster only) Create a Repository Entry and Link
To be able to share the linked Google Authenticator accounts over managed firewalls in a high availability cluster, use a repository entry and create repository links. The primary and secondary firewall must use the repository entry.
- Log into the Control Center.
- Go to Your Managed Firewall > Infrastructure Services.
- Expand the configuration node, right-click Google Authenticator and click Copy To Repository. The Select Object window opens.
- Enter a Name for the new Object.
- Click OK.
- Right-click Google Authenticator again and click Lock.
- Right-click Google Authenticator again and click Link From Repository.
- Select the Repository entry you just created.
- Click OK.
- Click Activate.
You can now link this repository entry to the secondary firewall in your HA cluster.