Configuring a connection between the BlackBerry 2FA server and a VPN gateway
BlackBerry 2FAserver and a VPN gateway
On your VPN server, the
BlackBerry 2FAserver must be configured as a RADIUS server to which authentication requests are forwarded. The
BlackBerry 2FAserver completes the following tasks to authenticate users so that they can connect to a VPN gateway:
- Authenticates the user's device or one-time password (OTP)
- Acts as a proxy for password authentication
- Combines the two results to determine whether authentication is successful
You must also configure a VPN client profile or client that permits users to select
BlackBerry 2FAwhen they log in to VPN from their computers.
BlackBerry 2FAserver in your environment, the RADIUS server must have the following options:
- IP address or FQDN of the computer that hosts theBlackBerry 2FAserver
- Timeout between 60 and 90 seconds for the connection between the VPN server and theBlackBerry 2FAserver
- Unique shared secret
- Authentication port set to 1812
- Depending on the available authentication options, one of PAP, MS-CHAP v1, MS-CHAP v2, or EAP-MSCHAP
The VPN client profile must have the timeout set between 30 and 60 seconds for the connection between the VPN client on user’s computers and the VPN server.
For instructions on how to configure a RADIUS server or VPN client profile, see the documentation for the VPN server that you are using.
For a list of supported VPN servers, see the
BlackBerry 2FAserver compatibility matrix content.