Configure Two Factor Authentication for Client VPN

Updated by jw@tier3.com on Aug 11, 2014
Article Code: kb/974

Setting up two-factor authentication for the Client VPN service is straightforward. Follow these steps to configure it:

WARNING: If you enable AD authentication, all existing users will need to re-download their VPN certificates, as their existing certificates will no longer function. Modifying an existing LDAP configuration requires a support request.

  1. Go to Network > VPN from the Control Portal menu.

  2. From the VPN Configuration page, click the "edit settings" button. The VPN Settings popup will be displayed.

  3. In the VPN Settings popup, set the fields as follows:

  • Max Connections - You are not billed by the number of connections, so you may set this to the maximum allowed if desired.
  • Primary DNS and Secondary DNS - Set these to your DNS servers (usually your Active Directory servers). NOTE: These need to be in the isolated network provided to you.
  • AD Authentication - Make sure this is checked.
  • Domain Controller IP - Specify the domain controller that will perform the authentication.
  • Binding User DN - Specify the user that performs the LDAP query for authentication. Example: CN=openvpn_user,CN=Users,DC=domainname,DC=local, which allows openvpn_user to do the authentication.
  • Binding Password - The password of the user specified in the Binding User DN setting.
  • User Location DN - The location in the domain to run the query against. Example: DC=domainname,DC=local
  • User Group DN - The DN of the group whose members the query checks. Any user in this group will be able to log on to the VPN service. Example: CN=ManagedVPN,CN=Users,DC=domainname,DC=local
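
Because changing an existing LDAP configuration requires a support request, it is worth checking the three DN fields before saving them. The Python below is an added example, not part of the Control Portal or the original article: it checks the DNs for syntax and domain typos and builds an `ldapsearch` command to confirm that the binding account can find a test user in the VPN group. The function names, the `10.0.0.10` address, the plain `ldap://` URI, the single-domain check and the `sAMAccountName`/`memberOf` filter are assumptions, since the article does not say how the service performs its lookup.

```python
import re
import shlex
# RFC 4515: characters that must be hex-escaped inside a filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def split_dn(dn):
    """Split a DN into normalised (attr, value) pairs; honours '\\,' escapes only."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn.strip()):
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed component {part!r}")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns

def domain_of(dn):  # DC components of a DN, e.g. ['domainname', 'local']
    return [v for a, v in split_dn(dn) if a == "DC"]

def membership_filter(user, group_dn):
    """AD filter (assumed matching logic): user must be a direct member of group_dn."""
    esc = lambda s: "".join(_ESC.get(c, c) for c in s)
    return f"(&(sAMAccountName={esc(user)})(memberOf={esc(group_dn)}))"

def preflight(cfg):
    """List problems in the portal field values. Assumes a single-domain setup."""
    fields = ("Binding User DN", "User Location DN", "User Group DN")
    problems = []
    for f in fields:
        try:
            if not domain_of(cfg.get(f, "")):
                raise ValueError("no DC= components")
        except ValueError as exc:
            problems.append(f"{f}: {exc}")
    if not problems:
        base = domain_of(cfg["User Location DN"])
        problems += [f"{f}: domain differs from User Location DN"
                     for f in fields if domain_of(cfg[f]) != base]
    return problems

def ldapsearch_check(cfg, test_user):
    """Build an ldapsearch command (assumed ldap:// URI); -W prompts for the password."""
    return shlex.join(["ldapsearch", "-x", "-H", f"ldap://{cfg['Domain Controller IP']}",
                       "-D", cfg["Binding User DN"], "-W", "-b", cfg["User Location DN"],
                       membership_filter(test_user, cfg["User Group DN"]), "dn"])

# Constructed sample: the article's example DNs plus a made-up controller address.
SAMPLE = {"Domain Controller IP": "10.0.0.10",
          "Binding User DN": "CN=openvpn_user,CN=Users,DC=domainname,DC=local",
          "User Location DN": "DC=domainname,DC=local",
          "User Group DN": "CN=ManagedVPN,CN=Users,DC=domainname,DC=local"}
```

Run the command returned by `ldapsearch_check(SAMPLE, "jsmith")` from a host that can reach the domain controller. Under the assumed filter, a bind failure points at the Binding User DN or password, and an empty result means the test user was not found as a direct member of the group.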