ZTNA-Client Passkeys Authentication

ZTNA connection agents (or OpenVPN-compatible clients) can use Passkeys (FIDO2) as the second authentication factor when connecting via RADIUS.

Prerequisites

  • Genian agent or OpenVPN-compatible client

  • Platform authenticators such as Windows Hello or external FIDO2 authenticators (USB/NFC/BLE)

  • HTTPS and proper server configuration

  • ZTNA-Client configuration (see: ZTNA-Client)

Authentication modes

1st factor Password and 2nd factor Passkeys

  • When connecting the ZTNA client, complete the 1st factor authentication (password or primary authentication), then use Passkeys as the 2nd factor.

  • If Passkeys are already registered, the connection can use Passkeys as the 2nd factor.

  • If not registered, the system may request Passkeys registration during the connection flow.

Note

ZTNA-Client using Passkeys requires RADIUS server configuration that accepts Passkeys as a 2nd factor.

Configuration

  1. Go to Policy > RADIUS Policy > Task > Create

  2. Configure the condition (user group etc.) to match the users and set the detailed RADIUS options:

     • attribute: User-Name

     • condition: user is one of the User Group

     • value: USER-ALL

  3. In the policy Preferences, set the 2nd factor to Passkeys and configure RADIUS to accept Passkeys.