Configure MFA providers


Configuring a multifactor authentication (MFA) provider lets an administrator allow or restrict access to resources based on a second authentication factor. Review the Before you start section before configuring MFA providers.

In the MFA Providers page (Identity > MFA Providers), you can edit the existing default providers or set up a new MFA provider.

Default providers

Default time-based OTP provider

Refer to the Multifactor authentication section for more details about the OTP implementation in AppGate ZTNA.

To edit the default time-based OTP provider, select it from the MFA Providers page and complete the following fields:

  • Pin Entry Type. Select from the following:

    • Masked. Hides the PIN as it is typed.

    • Numeric (6 digits). Presents a numeric keypad; the entry must be exactly six digits.

    • Text. Allows any alphanumeric entry.

Default FIDO2 provider

Refer to the Multifactor authentication section for more details about the FIDO2 implementation in AppGate ZTNA.

New providers

Select +Add in the MFA Providers page and complete the following fields to configure a new MFA provider:

  • Name. Enter a name for the provider.

  • Notes. Optional. Enter any notes for the provider.

  • Tags. Click +Add to add tags to the provider.

  • Hostnames or IP Addresses. Select +Add to enter one or more hostnames or IP addresses for the RADIUS server. If you enter more than one host, AppGate ZTNA chooses one of them at random each time it needs to contact a RADIUS MFA server.

NOTE

Although AppGate ZTNA ensures that an authentication started with one RADIUS server is normally finished with that same server, there remains a chance that it finishes with a different server, in which case the message is lost. Use the settings on the RADIUS servers themselves to mitigate this scenario.

  • Port. Enter the port number of the RADIUS server.

  • Timeout (seconds). The time in seconds that AppGate ZTNA waits for a response from the RADIUS server.

  • Authentication Protocol. Select the protocol used to authenticate to the RADIUS server: CHAP or PAP. Use CHAP wherever possible. With PAP, the User-Password attribute is only obfuscated with the shared secret, so anyone who holds (or can guess) that secret and captures the traffic can recover the value sent. Depending on the authentication mode options selected below, either a fixed text string or the user's password is sent to the RADIUS server in the Access-Request User-Password field. Refer to the Multifactor authentication section for more information.

  • Shared Secret. Enter the shared secret for the RADIUS server.

  • Authentication mode. Select the authentication mode from the following options:

    • Appgate SDP Pre-emptive MFA. The user is asked for an OTP up front, and the RADIUS server validates it.

    • RADIUS server MFA. Also referred to as push OTP. AppGate ZTNA asks the RADIUS server to validate the user, and the RADIUS server itself prompts the user for an OTP.

      • User Password. If selected, the User-Password field of the RADIUS request contains the user's password.

      • User Shared Secret. A fixed text string sent as the User-Password field of the RADIUS request when User Password is not selected.

    • Appgate SDP Challenge-Response MFA. AppGate ZTNA asks the RADIUS server to validate the user; the RADIUS server then challenges back, requesting that AppGate ZTNA prompt the user for an OTP.

      • User Password. If selected, the User-Password field of the RADIUS request contains the user's password.

      • User Shared Secret. A fixed text string sent as the User-Password field of the RADIUS request when User Password is not selected.

  • Pin Entry Type. Select from the following:

    • Masked. Hides the PIN as it is typed.

    • Numeric (6 digits). Presents a numeric keypad; the entry must be exactly six digits.

    • Text. Allows any alphanumeric entry.
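The Authentication Protocol and User Password / User Shared Secret options above decide what value goes into the Access-Request and how it is protected on the wire. The following is an added example, not AppGate code, showing the two RFC 2865 encodings side by side: PAP hides User-Password by XORing it with MD5(shared secret + Request Authenticator), which anyone holding the shared secret can reverse, while CHAP sends only a one-way digest of the password and the challenge. The shared secret, password and authenticator values are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide a PAP User-Password for the wire.

    The password is null-padded to a multiple of 16 bytes and each block is
    XORed with MD5(shared_secret + previous_block); the first "previous block"
    is the 16-byte Request Authenticator. This is obfuscation, not encryption:
    anyone who holds the shared secret can undo it (see pap_reveal_password).
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def pap_reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password: what the RADIUS server does, and what an
    eavesdropper who knows (or has guessed) the shared secret can do too."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")  # strips the RFC null padding (and any trailing NULs in the real password)


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password = ident || MD5(ident || password || challenge).

    The challenge is the CHAP-Challenge attribute or, if absent, the Request
    Authenticator. The cleartext password itself never goes on the wire.
    """
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ident is a single byte")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_pw: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from the stored cleartext password and compare in constant time."""
    if len(chap_pw) != 17:
        return False
    return hmac.compare_digest(chap_pw, chap_password(chap_pw[0], password, challenge))


def compare_on_the_wire(password: bytes, shared_secret: bytes) -> dict:
    """Build both encodings for one Access-Request and report what an observer holding the shared secret recovers."""
    authenticator = secrets.token_bytes(16)  # Request Authenticator: fresh random bytes per request
    pap = pap_hide_password(password, shared_secret, authenticator)
    chap = chap_password(ident=1, password=password, challenge=authenticator)
    return {
        "pap_len": len(pap),
        "pap_recovered_with_secret": pap_reveal_password(pap, shared_secret, authenticator),
        "chap_len": len(chap),
        "chap_verifies": chap_verify(chap, password, authenticator),
    }


if __name__ == "__main__":
    # Constructed sample values; the PAP value comes straight back once the shared secret is known.
    print(compare_on_the_wire(b"correct horse battery staple", b"radius-shared-secret"))
```

Whichever protocol you choose, the value in the User-Password field is the user's real password only when User Password is selected; with User Shared Secret a fixed string is sent instead, so a PAP capture exposes at most that string.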
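The Appgate SDP Challenge-Response MFA mode and the NOTE about multiple RADIUS hosts describe the same two-message exchange: the server answers the first Access-Request with an Access-Challenge carrying a State attribute, and the client must send the OTP back (in User-Password, per RFC 2865 section 4.4) together with that State. The following is an added simulation, not AppGate or RADIUS-server code, with two constructed servers that keep their challenge state locally and a client that picks a host at random per message; toggling the client's stickiness shows why finishing the exchange on a different server loses the login. The credential and OTP values are constructed sample data.

```python
import random
import secrets


class RadiusMfaServer:
    """Toy server for challenge-response MFA. Pending challenge State lives in
    this process only, which is what makes server selection matter."""

    def __init__(self, name: str, passwords: dict, otps: dict):
        self.name = name
        self.passwords = passwords  # constructed credential store: user -> password
        self.otps = otps            # constructed "current OTP" per user
        self.pending = {}           # State -> User-Name, known to THIS server only

    def handle(self, req: dict) -> dict:
        user = req["User-Name"]
        if "State" in req:
            # Second half of the exchange: State must have been issued here and is single-use.
            expected_user = self.pending.pop(req["State"], None)
            if expected_user != user:
                # Issued by another server, already used, or forged: the login is lost.
                return {"Code": "Access-Reject", "Reply-Message": "unknown State", "Server": self.name}
            ok = secrets.compare_digest(self.otps[user], req["User-Password"])
            return {"Code": "Access-Accept" if ok else "Access-Reject", "Server": self.name}
        # First half: validate the password, then ask the client to prompt the user for an OTP.
        if self.passwords.get(user) != req["User-Password"]:
            return {"Code": "Access-Reject", "Server": self.name}
        state = secrets.token_hex(8)
        self.pending[state] = user
        return {"Code": "Access-Challenge", "State": state, "Reply-Message": "Enter OTP", "Server": self.name}


class MfaClient:
    """Models a client with several RADIUS hosts configured that picks one at random per message."""

    def __init__(self, servers, rng: random.Random, sticky: bool = True):
        self.servers = servers
        self.rng = rng
        self.sticky = sticky  # True: finish an exchange on the server that started it

    def authenticate(self, user: str, password: str, otp: str) -> str:
        server = self.rng.choice(self.servers)
        first = server.handle({"User-Name": user, "User-Password": password})
        if first["Code"] != "Access-Challenge":
            return first["Code"]
        if not self.sticky:
            server = self.rng.choice(self.servers)  # may land on a server that never issued this State
        second = server.handle({"User-Name": user, "User-Password": otp, "State": first["State"]})
        return second["Code"]


def run_trials(n: int, sticky: bool, seed: int = 1) -> dict:
    """Run n correct logins against two independent servers and count the outcomes."""
    creds = {"alice": "correct-password"}  # constructed sample data
    otps = {"alice": "123456"}
    servers = [RadiusMfaServer("radius-a", creds, otps), RadiusMfaServer("radius-b", creds, otps)]
    client = MfaClient(servers, random.Random(seed), sticky=sticky)
    counts = {"Access-Accept": 0, "Access-Reject": 0}
    for _ in range(n):
        counts[client.authenticate("alice", "correct-password", "123456")] += 1
    return counts


if __name__ == "__main__":
    print("sticky:    ", run_trials(40, sticky=True))
    print("non-sticky:", run_trials(40, sticky=False))
```

Because each server only recognises the State it issued, the non-sticky run rejects roughly half of otherwise valid logins; the sticky run accepts all of them. The single-use pop of the State also means a replayed second request is rejected, which is the behaviour you want from a real server.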