I have a smallish business client that is going through a cyber security assessment from their primary vendor. One of the requirements we have to meet is that we enforce Multi-Factor Authentication on our VPN connections. The client currently has four locations; the three remote sites each have a site-to-site IPsec VPN to the main location, all currently configured using TPLink routers. The main location has a second TPLink router that is used for an L2TP VPN for the various remote users to work from home. The TPLink router doesn’t support any MFA for the VPN, so I need to find something to replace it.
I need something that is easy to configure and manage, as well as not being ridiculously expensive. I don’t want anything that has to be configured via a command line interface. They currently have about 45 users that are set up to work remotely, but most of them rarely use it. Other than in the case of another pandemic, I would estimate that there are never more than 5-10 users connecting simultaneously.
Are there any good options out there?
“I don’t want anything that has to be configured via a command line interface,” says /u/UncleChub on a sub for enterprise network professionals … what a world we live in!
While I don’t recommend SonicWALLs for large deployments their TZ series Firewall/Routers are perfect for SMB and their site-to-site VPN is solid. It has native support for TOTP.
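What a gateway that “has native support for TOTP” is actually checking, as an added example that is not from any post in this thread or from any vendor’s code: an RFC 6238 verifier with a small clock-drift window and replay protection. The base32 secret is the RFC 4226/6238 test secret (ASCII “12345678901234567890”), chosen so the results can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int,
                last_used_counter: int = -1, window: int = 1) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is rejected.

    - window=1 accepts the previous and next 30 s step to tolerate clock drift.
    - Any counter <= last_used_counter is refused, so a sniffed code cannot be replayed
      within the window; the caller stores the returned counter per user.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


# Constructed test secret: base32 of the RFC 4226 test key "12345678901234567890".
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # At T=59 the counter is 1; RFC 4226 lists 287082 for counter 1.
    print(verify_totp(TEST_SECRET_B32, "287082", now=59))                       # 1
    # Same code presented again after it was consumed: rejected.
    print(verify_totp(TEST_SECRET_B32, "287082", now=59, last_used_counter=1))  # None
```

A RADIUS server or VPN appliance does the same check after the password factor, with the per-user secret and last-used counter kept in its own store.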
I recently installed a few OPNsense routers and the requirement was MFA for all VPN access.
MFA for OpenVPN is built right into the would be my recommendation) your only cost is your time.
For a small company, SonicWall TZ or NSA series would work well for this. IPsec tunnels are very easy to set up on them, SSL VPN licenses are inexpensive, and they support MFA. They’re relatively easy to set up with the web GUI.
All WatchGuard firewalls do MFA.
Any hypervisors onsite? If TPLink can talk RADIUS, you can try something similar to this
I would hate for him to deploy a solution that his client is able to manage themselves, especially for user adds/removes.
Or MS MFA if they like as well. Which they probably already have.
Their SMA lineup I’d say is better for MFA, you can slap on SAML auth and not have to deal with user management at all.
Agreed but they are much more expensive. As long as OP doesn’t need high throughput on the VPN, a TZ will work fine.