Using Token2 hardware tokens for SonicWall NGFW

SonicWall next-generation firewalls (NGFW) provide the security, control, and visibility you need to maintain an effective cybersecurity posture.
Multi-Factor Authentication (MFA) is an extra layer of security for your appliance.
After you enable MFA, you are asked for an additional verification step whenever you log in to the SSL VPN portal.
SonicWall NGFW supports Token2 programmable TOTP tokens for this second step.
This article shows how to configure Multi-Factor Authentication (MFA) for SSL VPN using Token2 programmable TOTP tokens in place of an authenticator app.

Requirements:

• A SonicWall NGFW
• A Token2 programmable token
• An iPhone or Android device with NFC* (or a Windows PC with an NFC reader). This is needed for enrollment only; subsequent logins require only the hardware token
[* Android and Windows versions of the burner app are available for all models; this guide uses the iPhone app as an example. The iPhone app is compatible with "-i" models only]

Step 1. Enable an MFA method

Create a new user or group

1) Log in to the SonicWall appliance and switch the mode toggle to Configuration mode. This allows changes to the configuration to be made.




2)Go to Device->Users->Local Users & Groups.

3)Select the Add User option.

4)Under the Settings tab, from the drop-down list beside the One-time password method, select TOTP.




5) Under the Groups tab, add the user to the default SSLVPN Services group, which grants the SSL VPN login privilege.




6) Access the SSL VPN portal. Remote clients log in by entering the firewall's public IP address or hostname followed by the SSL VPN port (4433 by default)
in the browser address bar, for example https://myfirewall:4433.




7) After entering your username and password, you are shown a QR code. Scan it with one of the provisioning tools in the next step. The QR code contains the TOTP seed, so treat it as a secret: do not keep screenshots of it, and close the page once the token has been burned.




Step 2. Provision the token




To set the seed with the Android app:

  • Launch the NFC burner app on your Android device and tap the "QR" button
  • Point the camera at the QR code shown on the portal page. After a successful scan, the camera window closes
  • Turn on the token, hold it against the phone so that it overlaps the NFC antenna, and tap "Connect" in the app
  • Once connected, tap "Burn seed". If the NFC link is up and the code was scanned correctly, the status window shows "Burning..." and, after a second or two, the log window shows a "burn seed successful" message




To set the seed with the Windows app:

1. Launch the exe file, then select the NFC device from the drop-down list and click on "Connect". You should see a message box notifying about a successful operation.

Token2 NFC Burner app for Windows


2. Enter or paste the seed in base32 format, or use one of the QR scanning methods to populate this field

3. Place the token onto the NFC module and wait for its serial number to appear


4. Click on "Burn seed" button. A log entry with the serial number and "Successful operation" text will be logged in the log window.



To set the seed with the iPhone app:

  • Launch the NFC burner app on your iPhone and tap the "scan QR" button
  • Point the camera at the QR code shown on the portal page. After a successful scan, the camera window closes and the seed field is populated with the hex value of the seed
  • Tap "Burn", then turn on the token and hold it against the top of your iPhone (where the NFC antenna is)
  • Check the result of the operation in the Results log field




Note that the procedures above are examples and apply to single-profile TOTP tokens only. The procedures for multi-profile and USB-programmable devices are similar but differ in some steps.

Step 3. Verify the OTP

After the token is provisioned, turn it off and back on. Enter the OTP shown by the hardware token and click "OK".
A window similar to the following appears, confirming that the code has been verified. Do not forget to write down the emergency scratch code and keep it in a safe location:
it is the only way to log in if you lose your hardware token.
TOTP codes depend on the clock on both sides, so if a correct-looking code is rejected, check that the firewall's time is correct (ideally synchronized via NTP) before suspecting the token.




Click "Continue", and you will be able to log in to the SSLVPN portal.
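As an added example (not Token2's or SonicWall's own code), the following Python script lets you cross-check an enrollment offline: it parses the otpauth:// URI that enrollment QR codes of this kind encode (an assumption here, since that is the format authenticator apps read), converts the base32 seed to the hex form the iPhone burner displays, and computes the current TOTP so you can compare it with what the token shows in Step 3. The URI and account name are constructed; the seed is the RFC 6238 reference seed, so the output can be checked against the RFC's published test vectors.

```python
"""Offline helper to sanity-check a TOTP seed before and after burning it to a token.

Added example, not Token2's or SonicWall's own code. It assumes the QR code shown by
the SSL VPN portal encodes a standard otpauth://totp/... URI. SAMPLE_URI is constructed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample QR payload. The secret is the RFC 6238 reference seed
# "12345678901234567890" in base32, so the codes below match the RFC test vectors.
SAMPLE_URI = ("otpauth://totp/SonicWall%20SSLVPN:vpnuser"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=SonicWall&digits=6&period=30")


def _decode_b32(secret_base32):
    """Decode a base32 seed, tolerating missing '=' padding and lowercase input."""
    padded = secret_base32 + "=" * (-len(secret_base32) % 8)
    return base64.b32decode(padded, casefold=True)


def parse_otpauth(uri):
    """Return (label, secret_base32, digits, period, algorithm) from an otpauth TOTP URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].replace(" ", "").upper()
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    algorithm = q.get("algorithm", ["SHA1"])[0].upper()
    return unquote(u.path.lstrip("/")), secret, digits, period, algorithm


def base32_to_hex(secret_base32):
    """Base32 seed (what the Windows burner accepts) -> hex seed (what the iPhone app shows)."""
    return _decode_b32(secret_base32).hex()


def totp(secret_base32, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamic truncation, zero-padded digits."""
    key = _decode_b32(secret_base32)
    t = int(time.time() if for_time is None else for_time)
    counter = struct.pack(">Q", t // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_matches(secret_base32, displayed_code, for_time=None, window=1, **kw):
    """True if the code the hardware token displays matches the current time step or any
    step within +/- `window` (the usual verifier tolerance for small clock drift)."""
    t = int(time.time() if for_time is None else for_time)
    period = kw.get("period", 30)
    return any(totp(secret_base32, t + k * period, **kw) == displayed_code
               for k in range(-window, window + 1))


if __name__ == "__main__":
    label, secret, digits, period, alg = parse_otpauth(SAMPLE_URI)
    print("account :", label)
    print("hex seed:", base32_to_hex(secret))
    print("code now:", totp(secret, digits=digits, period=period, algorithm=alg))
```

Run it on the real QR payload only on a machine you trust, and discard the seed afterwards: anyone holding the base32 or hex seed can generate the same codes as the token. If the code printed by the script and the code on the token disagree, the most likely causes are a wrong clock on one side or a seed that was scanned or pasted incorrectly.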