MFA for SonicWall VPN

Secure your SonicWall VPN with MFA

SonicWall VPN, also known as SonicWall SSL VPN NetExtender, is a widely used VPN suite from SonicWall Inc. O rganizations depend on it t o grant remote employees with secured access to resources within their domain networks. However, relying solely on username and password authentication poses significant security risks. Passwords can be easily compromised through phishing attacks, brute force attacks, or simply by being weak or reused across multiple platforms. To mitigate these risks, it's best practice to implement MFA for securing VPN logins.

By requiring multiple forms of verification, MFA significantly reduces the likelihood of unauthorized access. Even if an attacker manages to obtain a user’s password, they would still need the additional factor(s) to successfully log in. ADSelfService Plus offers an advanced MFA feature that integrates seamlessly with the VPN infrastructure. It ensures compliance with industry standards like NIST SP 800-63B, the GDPR, HIPAA, and the PCI DSS by providing strong MFA measures and flexible authentication options, enabling organizations to choose the method that best fits their needs.

Explore advanced authenticators for SonicWall VPN

ADSelfService Plus supports the following authenticators for SonicWall VPN:

Enabling MFA for SonicWall VPN with ADSelfService Plus

ADSelfService Plus integrates with SonicWall VPN to provide robust MFA capabilities. Admins can configure specific MFA policies for SonicWall VPN users based on user roles, departments, domains, organizational units, and groups under particular conditions. Admins have the flexibility to select which authenticators users must use for MFA. This integration not only enhances security but also ensures compliance with regulatory requirements.

Here is how you can enable MFA for SonicWall VPN logins.

Prerequisites:

• Ensure you have a Professional edition license of ADSelfService Plus with Endpoint MFA enabled.
• Enable HTTPS in ADSelfService Plus by navigating to Admin > Product Settings > Connection.
  Note: If you are using an untrusted certificate in ADSelfService Plus for HTTPS, disable the Restrict User Access when there is an Invalid SSL Certificate option under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Customization > Advanced.
• In ADSelfService Plus, the access URL configured under Admin > Product Settings > Connection > Configure Access URL will be used by the NPS extension to communicate with the ADSelfService Plus server. Ensure the access URL is updated before installing the NPS extension.
• In Active Directory, set the users’ Network Access Permission to Control access through NPS Network Policy in their dial-in properties.
• Configure your SonicWall VPN gateway to use RADIUS authentication.
• The RADIUS server must be a Windows Server (Windows Server 2008 R2 and above) with the NPS role enabled.
• On the Windows NPS server, set the authentication settings of the Connection Request Policy to authenticate requests on this sever.

Configure ADSelfService Plus for MFA:

Step 1: Enable the required authenticators

1. Log in to ADSelfService Plus as an admin.
2. Go to Configuration > Self-Service > Multi-Factor Authentication > Authenticators Setup.
3. Enable the required authenticators for the SonicWall VPN login.
4. Click Save.

Step 2: Enable MFA for VPN logins in ADSelfService Plus

1. Go to the MFA for Endpoints tab.
2. From the Choose the Policy drop-down menu, select a policy which will determine the users for whom MFA for VPN login will be enabled. To learn more about creating an OU or a group-based policy, click here.
3. In the MFA for VPN Login section, check the box and specify the number of authentication factor(s) for VPN logins from the drop-down menu. Choose the authenticators for VPN login MFA from the drop-down menu.
4. Click Save Settings.

Step 3: Install the NPS extension

Install the NPS extension and restart the NPS Window service.

The setup is complete. Users will be prompted for MFA when they login to SonicWall VPN to verify their identities using the chosen authentication methods.

Benefits of ADSelfService Plus' VPN MFA

• Flexible authentication methods: Choose from a wide range of authentication methods supported by ADSelfService Plus, including OTPs, biometrics, or hardware tokens, tailored to your security needs and preferences.
• Support for conditional access policies: Implement conditional access policies that allow for a more nuanced and adaptive security approach. These conditions include IP address, geolocation, device type, and time of access. Tailor the level of MFA based on the risk of an access attempt by analyzing factors such as user behavior, location, and device used.
• Comprehensive reporting: Gain deep visibility into MFA activity with robust reporting and auditing features. Administrators can generate reports to track the time of the MFA attempt, the device type used, the IP address, and the specific authenticator used. This enables organizations to identify swiftly and respond to potential security incidents.
• Enhanced user experience: Integrating ADSelfService Plus' MFA with SonicWall VPN offers a smooth, user-friendly authentication process, ensuring secure and hassle-free access to network resources from any location.

Supported VPN providers and non-VPN RADIUS endpoints: