To address these gaps, TOKEN2 has introduced an additional feature, called VPN Portal, as part of its TOTPRadius solution, to provide VPN access beyond the classic TOTP authentication: FIDO security keys and Azure AD OAuth2-based Single Sign-On (SSO).
The FIDO VPN Portal works with both FIDO2 and FIDO U2F keys (a WebAuthn implementation with fallback to U2F for older keys), optionally with a passwordless method (FIDO2 only), and is accessed through modern web browsers that support FIDO key authentication.
The OAuth2 Portal leverages the Azure AD OAuth2 SSO option and extends the login procedure users are already familiar with to VPN connectivity. If a user has previously logged on to any M365 resource with the same Azure AD account, the OAuth2 login is automatic and the VPN Portal will not prompt for a second login.
If you wish to implement FIDO2/passwordless or Azure AD OAuth2/SSO VPN access for your users (available starting from v0.2.5), additional configuration is required in your network layout. The web portal runs as a separate web server on the same virtual appliance: instead of the standard HTTPS port (443), which is used by the admin interface, the VPN web portal responds on port 9443. This port cannot be used directly for technical reasons, so it has to be NATted to port 443. More information about this network layout is available here.
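One way to realise the port mapping described above on a Linux gateway in front of the appliance, as an added example that is not part of Token2's documentation: the public port 443 is DNATted to the appliance's port 9443, forwarded traffic to the portal is accepted, and forwarded traffic to the appliance's own port 443 (the admin interface) is explicitly dropped so that only the VPN Portal becomes reachable from the public side. The interface name `eth0` and the appliance address `192.0.2.10` are constructed placeholders; the rules are printed for review by default and only applied when the script is run with `--apply` as root.

```shell
#!/bin/sh
# Added example, not Token2's own configuration. Publishes the TOTPRadius
# VPN Portal (appliance port 9443) on public port 443 with iptables DNAT,
# while keeping the admin interface (appliance port 443) unreachable from
# the public interface.
# PUBLIC_IF and APPLIANCE_IP are assumed placeholders; override via environment.

PUBLIC_IF="${PUBLIC_IF:-eth0}"            # public-facing interface (placeholder)
APPLIANCE_IP="${APPLIANCE_IP:-192.0.2.10}" # TOTPRadius appliance (TEST-NET-1 placeholder)
PORTAL_PORT=9443                           # port the VPN Portal listens on
PUBLIC_PORT=443                            # port exposed to the Internet
ADMIN_PORT=443                             # admin interface on the appliance, must stay internal

# Emit the rules as text so they can be reviewed before they are applied.
nat_rules() {
    # 1. Rewrite inbound public:443 to appliance:9443 before routing.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUBLIC_IF" "$PUBLIC_PORT" "$APPLIANCE_IP" "$PORTAL_PORT"
    # 2. Allow the (already rewritten) flows to be forwarded to the portal.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$PUBLIC_IF" "$APPLIANCE_IP" "$PORTAL_PORT"
    # 3. Never forward public traffic to the appliance's admin port.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -j DROP\n' \
        "$PUBLIC_IF" "$APPLIANCE_IP" "$ADMIN_PORT"
}

# Sanity check used before applying: succeed only if no rule DNATs to the admin port.
admin_port_not_exposed() {
    if nat_rules | grep -q -- "to-destination ${APPLIANCE_IP}:${ADMIN_PORT}\$"; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    admin_port_not_exposed || { echo "refusing to apply: admin port would be exposed" >&2; exit 1; }
    nat_rules | sh -e
else
    nat_rules
fi
```

Run without arguments to print the three rules for review, or with `--apply` (as root, with IP forwarding enabled) to install them. Port 9443 on the appliance is still best reached only through this mapping; do not also forward 9443 directly.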
For obvious reasons, this portal has to be exposed to the public network. We understand the potential risks of making a web application accessible to the whole planet; therefore, to ensure the security of the VPN Portal is at the highest level, we contracted an independent security institution to conduct full penetration testing against this web application and produce a report. The outcomes of this test are available here.