Authenticating to a VPN with a second factor beyond username and password requires interaction with the user. There are certain settings that you should review and adjust to give the user an optimal user experience when authenticating with LoginTC. Some of these settings include:
- Connection and authentication timeout values
- Number of connection attempts
- Auto reconnect after lost VPN connection
- VPN session lengths
The following recommendations apply to the VPN device as well as your end-user VPN clients. If your VPN software supports it, distribute a VPN connection profile that instructs the VPN clients how to behave.
Set appropriate connection and authentication timeouts to ensure that VPN clients have enough time to authenticate using their second factor authentication.
- Set the LoginTC Request timeout on the LoginTC RADIUS Connector to 60 seconds
- Set the RADIUS authentication server on your VPN to 70 seconds
- Set the VPN client connection/authentication timeout to 80 seconds
Note: not all VPN clients allow for adequate authentication/connection timeout values. If this is the case for your VPN software, consider using One-Time Passwords (OTPs) and the Challenge authentication mode in the LoginTC RADIUS Connector.
Set auto reconnection attempts to one so that the VPN client does not continuously try to connect to the VPN if the user is not able to authenticate in time. It's better for the VPN client to abort the connection and give the user an opportunity to attempt to reconnect on their own than to automatically keep trying to connect needlessly.
Disable auto reconnection to ensure that VPN clients do not automatically reconnect after being disconnected from the VPN. If a user leaves their workstation or roams with their laptop to another location and gets disconnected from the VPN, having the VPN automatically reconnect will cause the LoginTC RADIUS Connector to receive an access request which will trigger either an ACCESS-Challenge response or a LoginTC request notification. In both cases the user will not know to react and this will use resources unnecessarily. Timeouts for session re-establishment should be maximized to limit need for auto-reconnections.
Maximum VPN Session Length
Increase the maximum session length to 8 hours or longer. Some VPNs require the user to reestablish their connection and reauthenticate after a certain amount of time has elapsed. Prior to using LoginTC this may have happened automatically (with saved passwords) and you and your end-users didn't even notice. Now that two-factor authentication is required, you don't want to force your users to reauthenticate every hour or so.
Note: For IPsec VPNs you must also set the Phase 1 key lifetime to a larger value as the default is often as low as 1 hour.
Challenge Authentication Mode
Challenge authentication mode presents the user with a challenge with instructions on how to proceed after successfully entering their username and password. This is a good way to remind your users on how to authenticate with LoginTC. See the Challenge Mode Authentication article for details.