FIDO2 - TOTPRadius VPN Portal - Easy and secure access to corporate VPN

FIDO VPN Portal

Starting from v0.2.5 TOTPRadius provides new ways of connecting to your corporate VPN systems based on L2TP, such as Meraki Client VPN or Fortinet VPN . The new web-based VPN portal allows logging in using additional methods, such as FIDO Security keys, both in Passwodless mode (if FIDO2 keys are used) and using the keys as the second factor (allowing to use legacy U2F FIDO hardware), as well as Azure AD (Microsoft Entra ID) SSO via OAuth2 protocol.


Any FIDO or FIDO2 keys can be used with this solution. We recommend using FIDO2 keys, including Token2's FIDO-certified hardware security keys.
VPN entries require no special VPN client, although T2VPN connection helper apps are recommended to minimize user actions. The VPN interface is based on a web server running on the same appliance as the TOTPRadius administration portal, but using a different port. This is done to isolate the administrative portal from the public internet facing user portal. As a general recommendation, the administrative web portal should be accessible only inside the network and protected by the firewall rules, limiting web and ssh access to IP addresses inside the network belonging to administrators' machines and RADIUS port (UDP 1812) to the VPN appliance only.

Demos

The videos below show the user experience when using FIDO2 VPN portal in different configuration modes:

2FA mode (without passwordless, makes legacy devices compatible with the solution)

Passwordless mode (only FIDO2 keys can be used)

The network setup and required firewall rules for different usage modes of TOTPRadius are described in this article. It is also important to set-up an FQDN and HTTPS web certificate for the VPN Web portal.

FIDO VPN Portal

Enable FIDO VPN portal in the Admin portal, General settings. The settings may look like shown below:

FIDO2 - TOTPRadius VPN Portal - Easy and secure access to corporate VPN

The settings shown on this example are explained in the table below:

Setting

Description and possible values

Allow FIDO2 Interface

Enables this functionality. If disabled, the FIDO2-VPN Web Interface will not function at all

FIDO-VPN enabled by default per user

If this setting is set to Enabled, any user in your database or Active Directory will have access to the portal and can use this method to generate VPN connection files

FIDO2 VPN Settings

A configuration file template used to generate the connection files. The one on the screenshot above is showing the connectivity for Meraki Client VPN

FIDO2 only

If this setting is enabled, TOTP-based VPN access will be denied. Please note that this does not restrict Oauth2 login functionality (it has to be controlled separately)


Advanced FIDO security keys settings

FIDO-VPN portal can support legacy FIDO devices (u2f) as well as Passwordless login if FIDO2 devices are used. FIDO2 offers full password-less authentication while FIDO U2F is designed to be used with a password as a traditional second factor only, therefore these settings cannot co-exist, only one of these options can be chosen. The settings are as shown below:

FIDO2 - TOTPRadius VPN Portal - Easy and secure access to corporate VPN

The settings shown on this example are explained in the table below:

Setting

Description and possible values

Allow legacy keys

Allow using legacy U2F FIDO keys. If enabled, Passwordless method cannot be enabled or used

Enable passwordless

Allow Passwordless login method. It Is not compatible with legacy U2F FIDO keys option enabled and only FIDO2 security keys can be used. The system will check if the security key is protected by a PIN code or a fingerprint and prompt to protect if it is not the case.


Once the settings are configured, you can test by visiting the configured FQDN. The interface is located in "fido2" folder (i.e. https://vpn-portal-fqdn/fido2/index.php)


Please note that versions prior to 0.3 allowed using only one FIDO2 key. More recent versions allow enrolling multiple keys per user.