OAuth2- TOTPRadius VPN Portal - Easy and secure access to corporate VPN
Starting from v0.2.5 TOTPRadius provides new ways of connecting to your corporate VPN systems based on L2TP, such as Meraki Client VPN or Fortinet VPN . The new web-based VPN portal allows logging in using additional methods, such as FIDO Security keys, both in Passwodless mode (if FIDO2 keys are used) and using the keys as the second factor (allowing to use legacy U2F FIDO hardware), as well as Azure AD (Microsoft Entra ID) SSO via OAuth2 protocol. VPN entries require no special VPN client, although T2VPN connection helper apps are recommended to minimize user actions. The VPN interface is based on a web server running on the same appliance as the TOTPRadius administration portal, but using a different port. This is done to isolate the administrative portal from the public internet facing user portal. As a general recommendation, the administrative web portal should be accessible only inside the network and protected by the firewall rules, limiting web and ssh access to IP addresses inside the network belonging to administrators' machines and RADIUS port (UDP 1812) to the VPN appliance only.
The video below show the user experience when using Oauth2 VPN portal. There is no user login procedure shown as the user account used in this demo has already logged on to Office 365 web interface, therefore SSO is used.
The network setup and required firewall rules for different usage modes of TOTPRadius are described in this article. It is also important to set-up an FQDN and HTTPS web certificate for the VPN Web portal.
This guide describes how to configure TOTPRadius VPN Web portal as an OAuth Resource and Azure AD (Microsoft Entra ID) as an External OAuth Authorization Server to facilitate secure access to the VPN resources connected to TOTPRadius. Important to mention that the account security in this configuration mode fully relies on Azure AD (Microsoft Entra ID) Configuration, therefore it is highly recommended that you have MFA or Passwordless enabled for accounts allowed to access this resource.
Configure the OAuth Resource in Azure AD (Microsoft Entra ID)
1. Navigate to the Microsoft Azure Portal and authenticate.
2. Navigate to Azure Active Directory.
3. Click on App Registrations.
4. Click on New Registration.
In the New Registration dialog, fill the form as shown on the example below, and click on “Register” to complete the action
After the App Registration is done, the Overview of the object will be shown (see example below).
Note down the 2 IDs shown on this page (this can be retrieved at a later stage as well):
- Application (client) ID
- Directory (tenant) ID
These values will be entered later into the TOTPRadius configuration settings.
In the next step we will create a Client secret.
1. Click on Certificates & secrets and then New client secret.
2. Add a description of the secret.
3. Select never expire. For testing purposes, select secrets that never expire.
After the Client secret is created, copy its value and note down. This will also be used in TOTPRadius configuration.
Configure the OAuth2 Settings in TOTPRadius
Log in to TOTPRadius admin portal and navigate to General Settings section. Scroll down to Oauth2 VPN Portal settings section and fill the values as illustrated below:
The settings shown on this example are explained in the table below:
Description and possible values
Enable or disables Azure AD (Microsoft Entra ID) Oauth2 SSO interface for VPN Portal
Oauth2 VPN settings
A configuration file template used to generate the connection files. The one on the screenshot above is showing the connectivity for Meraki Client VPN
If this setting is enabled, TOTP-based VPN access will be denied. Please note that this does not restrict FIDO2 login functionality (it has to be controlled separately)
Oauth2 client id
Client ID as recorded when creating App Registration with Azure
Oauth2 tenant id
Tenant ID as recorded when creating App Registration with Azure
Oauth2 client secret
Client Secret as recorded when creating App Registration with Azure
Oauth2 redirect URI
The URL of oauth.php script. Should match the URL specified in App Registration
Once the settings are configured, you can test by visiting the configured FQDN. The OAuth2 interface is located in "oauth" folder (i.e. https://vpn-portal-fqdn/oauth/index.php)
As mentioned before, restricting users to access the OAuth2 VPN portal can be done via Azure AD (Microsoft Entra ID) App Registrations settings. The Users and Groups settings are located in a different interface and can be accessed by clicking on the App's link under "Managed application in local directory"
Navigate to Properties, then set "User assignment required?" to "Yes"
From the Application management interface, choose Users and Groups and add the users allowed to access this interface. Please note that groups are only available for assignment with Azure AD (Microsoft Entra ID) Premium P2 or EM+S E5 Licenses. With lower plans you can assign individual users to the application.
- Installation and initial configuration
- Network configuration
- Migrating from older versions
- LDAP Configuration
- Azure AD Configuration
- Self-service enrollment portal
- Web and LDAPS Certificates
- Syslog configuration
- Single-factor authentication exceptions
- Slave appliance mode
- Dynamic RADIUS Attributes
Bitwarden's latest upgrade introduces passkeys, such as FIDO2 keys and platform authenticators, enhancing both security and user convenience for vault encryption and decryption tasks with PRF capabilities.
We're excited to introduce Token2 PIN+ Release 2, our latest FIDO2 Key that boasts an unmatched advantage: the ability to store up to 300 passkeys (aka resident keys or discoverable credentials). This significant capacity provides unparalleled flexibility and convenience for managing your online accounts securely.
In response to a glaring gap in the market, we are thrilled to introduce the first standalone FIDO2.1 Passkey Management Tool for Windows. Fueled by the necessity for a user-friendly solution, our tool addresses the discomfort users face with command line tools and Chromium-based methods.