Multifactor authentication
This section explains some of the multifactor authentication solutions that you can use to set up SSL VPN tunnels with the SNS firewall. If you do not wish to use a multifactor authentication method, proceed to the next section.
General information on multifactor authentication
Multifactor authentication strengthens the authentication of users who set up SSL VPN tunnels with a second authentication factor.
The second factor is generally a one-time password, known as an OTP or TOTP, which the user must enter in addition to their password to set up the SSL VPN tunnel. Stormshield has its own TOTP solution.
An external solution can also be used, either through a RADIUS server or through a third-party application installed on a trusted device. For example, the Trustbuilder solution (formerly inWebo) is compatible and allows users to generate OTPs or approve connection attempts (push notifications) in their application.
This document explains some of these solutions. Proceed accordingly.
NOTE: To configure the use of multifactor authentication on the Stormshield SSL VPN client, refer to the Stormshield SSL VPN client v5 user and configuration guide.
Using the Stormshield TOTP solution
Refer to the technical note Configuring and using the Stormshield TOTP solution, which explains how to configure and manage the TOTP solution on the SNS firewall, and presents the enrollment procedure for TOTP solution users.
Ensure that you follow the steps described in this technical note on using the Stormshield TOTP solution to set up SSL VPN tunnels with the SNS firewall.
Using a third-party solution with a RADIUS server
Configuring the third-party multifactor authentication solution
The chosen third-party multifactor authentication solution has to be configured and connected to your RADIUS server. If you need help with this configuration, refer to the documentation for your chosen solution.
Enabling the RADIUS method on the SNS firewall
Enable and configure the RADIUS method on the SNS firewall to connect it to your RADIUS server. To do so, go to Configuration > Users > Authentication, Available methods tab.
For more information, refer to the section Authentication > Available methods tab > RADIUS in the v4 user guide or v5 user guide, depending on the SNS version used.
Customizing the idle timeout allowed for the connection to the RADIUS server
The default idle timeout allowed for the connection to a RADIUS server is 3000 milliseconds (3 seconds).
If the chosen multifactor authentication solution involves the use of a third-party application to log in (push mode), the idle timeout has to be customized so that users have enough time to approve the login before the firewall gives up on the RADIUS request. The values are expressed in milliseconds. To set a 30-second idle timeout, for example, use the following CLI/serverd commands:
CONFIG AUTH RADIUS timeout=30000 btimeout=30000
CONFIG AUTH ACTIVATE
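To see why the push-mode timeout matters, the following added example (not Stormshield code) simulates a RADIUS Access-Request/Access-Accept exchange with the Python standard library: a mock server delays its Access-Accept to stand in for the user approving a push notification, and the client side gives up after the configured timeout, as the firewall does. The shared secret, user name and password are constructed lab values, and the timeouts are passed in seconds rather than the milliseconds used by the CLI.

```python
import hashlib, os, socket, struct, threading, time

# Constructed lab values; none of these come from the Stormshield documentation.
SECRET, USER, PASSWORD = b"lab-shared-secret", b"alice", b"correct-horse"

def hide_password(password, secret, req_auth):
    # RFC 2865 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, req_auth):
    # Code 1 (Access-Request) + User-Name (type 1) + User-Password (type 2) attributes
    pw = hide_password(PASSWORD, SECRET, req_auth)
    attrs = bytes([1, 2 + len(USER)]) + USER + bytes([2, 2 + len(pw)]) + pw
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def push_mfa_server(sock, approval_delay_s):
    # Mock RADIUS server; the sleep stands in for the user approving the push notification
    data, addr = sock.recvfrom(4096)
    _, ident, _ = struct.unpack("!BBH", data[:4])
    time.sleep(approval_delay_s)
    header = struct.pack("!BBH", 2, ident, 20)  # Access-Accept with no attributes
    sock.sendto(header + hashlib.md5(header + data[4:20] + SECRET).digest(), addr)
    sock.close()

def attempt_auth(timeout_s, approval_delay_s):
    """Firewall side: returns 'accept', 'reject' or 'timeout' for a given RADIUS timeout."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    threading.Thread(target=push_mfa_server, args=(srv, approval_delay_s), daemon=True).start()
    req_auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        cli.settimeout(timeout_s)
        cli.sendto(build_access_request(1, req_auth), srv.getsockname())
        try:
            data, _ = cli.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # what the firewall sees when the push approval outlives its timeout
    # Verify the Response Authenticator: MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(data[:4] + req_auth + data[20:] + SECRET).digest()
    return "accept" if data[0] == 2 and data[4:20] == expected else "reject"

if __name__ == "__main__":
    print("3 s timeout, 5 s push approval:", attempt_auth(3.0, 5.0))   # timeout
    print("30 s timeout, 5 s push approval:", attempt_auth(30.0, 5.0))  # accept
```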