
Configuring a connection between the BlackBerry 2FA server and a VPN gateway

On your VPN server, the BlackBerry 2FA server must be configured as a RADIUS server to which authentication requests are forwarded. The BlackBerry 2FA server completes the following tasks to authenticate users so that they can connect to a VPN gateway:
  • Authenticates the user's device or one-time password (OTP)
  • Acts as a proxy for password authentication
  • Combines the two results to determine whether authentication is successful
You must also configure a VPN client profile or client that permits users to select BlackBerry 2FA when they log in to VPN from their computers.
For each BlackBerry 2FA server in your environment, the RADIUS server must have the following options:
  • IP address or FQDN of the computer that hosts the BlackBerry 2FA server
  • Timeout between 60 and 90 seconds for the connection between the VPN server and the BlackBerry 2FA server
  • Unique shared secret
  • Authentication port set to 1812
  • Depending on the available authentication options, one of PAP, MS-CHAP v1, MS-CHAP v2, or EAP-MSCHAP
The VPN client profile must have the timeout set between 30 and 60 seconds for the connection between the VPN client on users' computers and the VPN server.
For instructions on how to configure a RADIUS server or VPN client profile, see the documentation for the VPN server that you are using.
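The following Python check is an added example, not part of the BlackBerry documentation. It audits an inventory of RADIUS server entries and a client profile timeout against the settings listed above. The field names and sample hosts are hypothetical, and reading "unique shared secret" as "not reused across entries" is an assumption.

```python
# Added example: audit RADIUS server entries against the settings listed above.
# The dictionary keys (host, port, timeout, secret, protocol) are hypothetical
# field names for an exported inventory, not a real VPN product's format.
from collections import Counter

ALLOWED_PROTOCOLS = {"PAP", "MS-CHAP v1", "MS-CHAP v2", "EAP-MSCHAP"}


def audit_radius_entries(entries):
    """Return a sorted list of (host, problem) tuples; empty means compliant."""
    findings = []
    # Count secrets so reuse across BlackBerry 2FA server entries is flagged
    # (assumption: "unique" means not shared between entries).
    secret_counts = Counter(e.get("secret") for e in entries if e.get("secret"))
    for e in entries:
        host = e.get("host") or "<missing host>"
        if not e.get("host"):
            findings.append((host, "no IP address or FQDN set"))
        if e.get("port") != 1812:
            findings.append((host, "authentication port is not 1812"))
        timeout = e.get("timeout")
        if not isinstance(timeout, int) or not 60 <= timeout <= 90:
            findings.append((host, "server timeout outside 60-90 seconds"))
        secret = e.get("secret")
        if not secret:
            findings.append((host, "shared secret missing"))
        elif secret_counts[secret] > 1:
            findings.append((host, "shared secret reused by another entry"))
        if e.get("protocol") not in ALLOWED_PROTOCOLS:
            findings.append((host, "unsupported authentication protocol"))
    return sorted(findings)


def audit_client_timeout(seconds):
    """VPN client profile timeout must be between 30 and 60 seconds."""
    return isinstance(seconds, int) and 30 <= seconds <= 60


# Constructed sample inventory (hosts use the reserved .example TLD).
SAMPLE = [
    {"host": "bb2fa-1.example", "port": 1812, "timeout": 75,
     "secret": "constructed-secret-A", "protocol": "MS-CHAP v2"},
    {"host": "bb2fa-2.example", "port": 1645, "timeout": 30,
     "secret": "constructed-secret-A", "protocol": "CHAP"},
]

if __name__ == "__main__":
    for host, problem in audit_radius_entries(SAMPLE):
        print(f"{host}: {problem}")
    print("client timeout 45s ok:", audit_client_timeout(45))
```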
For a list of supported VPN servers, see the BlackBerry 2FA server compatibility matrix content.