Configuring a connection between the BlackBerry 2FA server and a VPN gateway
On your VPN server, the BlackBerry 2FA server must be configured as a RADIUS server to which authentication requests are forwarded. The BlackBerry 2FA server completes the following tasks to authenticate users so that they can connect to a VPN gateway:
- Authenticates the user's device or one-time password (OTP)
- Acts as a proxy for password authentication
- Combines the two results to determine whether authentication is successful
You must also configure a VPN client profile or client that permits users to select BlackBerry 2FA when they log in to VPN from their computers.
For each BlackBerry 2FA server in your environment, the RADIUS server must have the following options:
- IP address or FQDN of the computer that hosts the BlackBerry 2FA server
- Timeout between 60 and 90 seconds for the connection between the VPN server and the BlackBerry 2FA server
- Unique shared secret
- Authentication port set to 1812
- Depending on the available authentication options, one of PAP, MS-CHAP v1, MS-CHAP v2, or EAP-MSCHAP
The VPN client profile must have the timeout set between 30 and 60 seconds for the connection between the VPN client on users' computers and the VPN server.
For instructions on how to configure a RADIUS server or VPN client profile, see the documentation for the VPN server that you are using.
For a list of supported VPN servers, see the BlackBerry 2FA server compatibility matrix content.
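The following check is an added example, not part of the BlackBerry documentation: it audits a VPN gateway's RADIUS entries against the options listed above. The dictionary layout, the server names, and the sample values are constructed for illustration, and "unique shared secret" is interpreted here as no two BlackBerry 2FA servers sharing a secret.

```python
import ipaddress
import re

# Requirements taken from the option list above.
AUTH_PORT = 1812
SERVER_TIMEOUT = (60, 90)   # VPN server -> BlackBerry 2FA server, seconds
CLIENT_TIMEOUT = (30, 60)   # VPN client -> VPN server, seconds
PROTOCOLS = {"PAP", "MS-CHAP v1", "MS-CHAP v2", "EAP-MSCHAP"}
FQDN = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def is_host(value):
    """True for an IP address or a syntactically valid FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(FQDN.match(value))

def check_radius_settings(servers, client_timeout):
    """Return a list of findings; an empty list means the settings conform."""
    findings, secret_owner = [], {}
    for s in servers:
        name = s["name"]
        if not is_host(s["host"]):
            findings.append(f"{name}: host is not an IP address or FQDN")
        if not SERVER_TIMEOUT[0] <= s["timeout"] <= SERVER_TIMEOUT[1]:
            findings.append(f"{name}: timeout {s['timeout']}s is outside 60-90s")
        if s["port"] != AUTH_PORT:
            findings.append(f"{name}: authentication port {s['port']} is not 1812")
        if s["protocol"] not in PROTOCOLS:
            findings.append(f"{name}: protocol {s['protocol']} is not a listed option")
        if s["secret"] in secret_owner:  # report the owner, never the secret itself
            findings.append(f"{name}: shared secret reused from {secret_owner[s['secret']]}")
        secret_owner.setdefault(s["secret"], name)
    if not CLIENT_TIMEOUT[0] <= client_timeout <= CLIENT_TIMEOUT[1]:
        findings.append(f"client profile: timeout {client_timeout}s is outside 30-60s")
    return findings

# Constructed sample entries: the first conforms, the second violates every option.
SAMPLE_SERVERS = [
    {"name": "bb2fa-1", "host": "bb2fa-01.example.com", "port": 1812,
     "timeout": 75, "protocol": "MS-CHAP v2", "secret": "constructed-secret-A"},
    {"name": "bb2fa-2", "host": "bb2fa_02", "port": 1645,
     "timeout": 30, "protocol": "CHAP", "secret": "constructed-secret-A"},
]

if __name__ == "__main__":
    for finding in check_radius_settings(SAMPLE_SERVERS, client_timeout=20):
        print(finding)
```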