Has anyone been successful on setting up a VPN connection 2fa with a YubiKey?
2fa with email or even text doesn’t really work in my situation as not everyone has a company phone, so not everyone has access to their company email outside of the organization.
AFAIK, Sonicwall does not support the FIDO protocol.
Yubikeys are all FIDO2, IIRC.
Which leads your options to either some hardware TOTP (like an RSA token) or third party (like Duo, if you can get it to work) or integrated with another system, something like tying it to a RADIUS server that will perform independent 2FA…
Otherwise, you’re looking at switching VPN platforms to get this to work. I wouldn’t be surprised if someone has a guide out there on getting FIDO2 (Yubikey) working on Windows VPN and SSTP; which is pretty equivalent to NetExtender in terms of form/function, plus it’s integrated into windows already.
I’m sure there’s a solution to the problem, I’m just not sure it’s coming from Sonicwall.
We use Authlite with Yubikeys for Windows logins. We have LDAP connected on the Sonicwall. Authlite uses the Yubikey as the username and it does process through fine when logging into the Sonicwall.
We found this accidentally and never tried to lock it down where the normal username would get blocked, so I can’t guarantee you could enforce Yubikey only this way.
It’s possible with RADIUS. Set up some FreeRADIUS servers with the Yubico PAM module.
Using LDAP it pulls the YubiKey ID from AD (we added a field to our schema). Also tested using another field with Azure Active Directory Domain Services (their DC-Lite cloud option), since you can’t modify that schema.
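The post above describes the two halves of a YubiKey OTP backend: the directory attribute maps the OTP's public ID prefix to a user, and the validation service checks the rest of the OTP. As an added example (not code from this thread, from Yubico, or from FreeRADIUS), this Go program implements both halves so you can see exactly what the backend decides on: modhex decoding, AES-128 single-block decryption, the CRC-16 integrity check, the private-ID comparison, and counter-based replay detection. It assumes a self-hosted validation server that holds the AES keys (with YubiCloud, that part runs at Yubico and pam_yubico only does the prefix-to-user mapping); the user map, the public ID `vvcccfhlefdg`, the AES key and the private ID are constructed test values, and the timestamp and random bytes of the real token format are left zero.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex alphabet: OTPs use these letters instead of 0-9a-f so the typed keystrokes survive any keyboard layout.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhex[c>>4], modhex[c&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhex, s[2*i]), strings.IndexByte(modhex, s[2*i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("not a modhex character")
		}
		out[i] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the ISO 13239 CRC the key appends; over the full 16-byte token (data plus stored CRC) it must equal 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift, xor the reflected polynomial when the low bit was set
		}
	}
	return crc
}

// Token is the plaintext the key encrypts under its AES-128 key (timestamp and random bytes left zero here).
type Token struct {
	UID        [6]byte // private identity, only ever seen decrypted by the validator
	SessionCtr uint16  // non-volatile, +1 per power-up (15 bits used)
	UseCtr     uint8   // +1 per OTP within a session
}

func (t Token) encode() []byte {
	buf := make([]byte, 16)
	copy(buf[0:6], t.UID[:])
	binary.LittleEndian.PutUint16(buf[6:8], t.SessionCtr)
	buf[11] = t.UseCtr
	binary.LittleEndian.PutUint16(buf[14:16], ^crc16(buf[:14])) // complemented CRC of bytes 0-13
	return buf
}

// GenerateOTP plays the key: public ID, then the AES-ECB single-block ciphertext in modhex.
func GenerateOTP(publicID string, key []byte, t Token) string {
	block, _ := aes.NewCipher(key) // demo only: key is a constructed 16-byte value
	ct := make([]byte, 16)
	block.Encrypt(ct, t.encode())
	return publicID + modhexEncode(ct)
}

// Registered is what the backend knows per user: the public ID from the directory attribute, plus key and replay state.
type Registered struct {
	PublicID       string
	AESKey         []byte
	UID            [6]byte
	LastSessionCtr uint16 // high-water marks; zero state accepts any first OTP
	LastUseCtr     uint8
}

// Validate: prefix -> user, decrypt, CRC and private ID, then refuse counters not strictly newer than the last accepted.
func Validate(users map[string]*Registered, username, otp string) error {
	u, ok := users[username]
	if len(otp) != 44 || !ok || u.PublicID != otp[:12] {
		return errors.New("malformed otp or public id not registered to this user")
	}
	block, err := aes.NewCipher(u.AESKey)
	ct, derr := modhexDecode(otp[12:])
	if err != nil || derr != nil {
		return errors.New("bad key length or non-modhex otp body")
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, ct)
	if crc16(pt) != 0xf0b8 || subtle.ConstantTimeCompare(pt[0:6], u.UID[:]) != 1 {
		return errors.New("crc or private id mismatch: wrong key or tampered otp")
	}
	sess, use := binary.LittleEndian.Uint16(pt[6:8])&0x7fff, pt[11]
	if sess < u.LastSessionCtr || (sess == u.LastSessionCtr && use <= u.LastUseCtr) {
		return errors.New("replayed otp")
	}
	u.LastSessionCtr, u.LastUseCtr = sess, use
	return nil
}

func main() {
	key, uid := []byte("0123456789abcdef"), [6]byte{0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69} // constructed demo secrets
	users := map[string]*Registered{"alice": {PublicID: "vvcccfhlefdg", AESKey: key, UID: uid}}
	otp := GenerateOTP("vvcccfhlefdg", key, Token{UID: uid, SessionCtr: 7, UseCtr: 1})
	fmt.Println("first:", Validate(users, "alice", otp), "| replay:", Validate(users, "alice", otp))
}
```

In a pam_yubico deployment the first step of `Validate` (prefix to user) is what the module does with its `ldap_uri`, `ldapdn`, `user_attr` and `yubi_attr` options against the attribute the post mentions, and the decrypt/CRC/counter steps run in the validation service it calls. Two practical consequences for the VPN side: the RADIUS exchange has to carry the OTP in cleartext, so the SonicWall RADIUS profile must use PAP rather than CHAP or MS-CHAP for the PAM module to see it, and the replay state has to be shared if you run more than one FreeRADIUS server, otherwise an OTP accepted by one node is still fresh to the other.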
Yubico actually has an authenticator app that can be installed on iOS, Android, Windows, etc. It can be used for OTP. So it’s on my list of stuff to play with.
Just trying to do a physical key for users vs an authenticator app for 2fa/mfa. Have it working with Microsoft365 and would love for it to work with the VPN as well.
Do you not need to use an authenticator app/program for this? If so, then like I said in my original statement, most users in our situation don’t have company-issued cell phones. Hence the want/need for a physical device like a YubiKey.
No, you said people don’t have access to their company email. Authenticator apps you can run on personal devices, too. Or even on the company issued computer.
Unfortunately I am in the camp of not letting people use personal devices for company related things, so I won’t have them install anything on a personal device.
I do see that Yubico has a Windows (and Linux) based authenticator program. Just trying to figure out how to set that up with TOTP. Does this only work for SSL VPN and not L2TP/IPsec VPNs?