Steps to configure the BlackBerry 2FA server
Configuring a connection between the BlackBerry 2FA server and a VPN gateway
Configure the connection to the REST API endpoint
- Configuring REST API endpoint connectivity
Create a REST API client in the BlackBerry 2FA server
Enable MS-CHAP authentication for users in a domain
Configure the BlackBerry 2FA app
Assign a VPN gateway or REST client configuration to a user group
Installing the BlackBerry 2FA app on devices
Architecture: BlackBerry 2FA high availability
- Configuring the BlackBerry 2FA server for high availability
Logging and reporting
- Auditing authentication requests
- Centralize logging or auditing using syslog
Authentication options
Usernames, passwords, and directories
REST API endpoint
VPN gateways
Glossary

Supported authentication protocols for each authentication option

The following table shows the authentication protocols that are available for each authentication option that

BlackBerry 2FA

supports.

If your users are authenticating with one-time password (OTP) tokens, the VPN server must be configured to authenticate them using PAP. OTPs are not supported using MSCHAPv1, MSCHAPv2 or EAP-MSCHAP.

Authentication option	Supported authentication protocols
Two-factor authentication with passive device password	PAP
Two-factor authentication with active device password	PAP
Two-factor authentication with enterprise password	MS-CHAP v1, MS-CHAP v2, PAP, EAP-MSCHAP
Single factor authentication with enterprise password	MS-CHAP v1, MS-CHAP v2, PAP, EAP-MSCHAP

Section:

Configuring a connection between the BlackBerry 2FA server and a VPN gateway