When multi-factor authentication (MFA) is enabled for VPN accounts, users can choose to receive MFA codes through SMS on their phones. For this to work, the country code must precede the user's phone number; otherwise the user will not receive the MFA code.
You can verify that the phone number includes the country code by checking the VPN Users configuration in the Cato Management Application.
VPN Users Created Through LDAP Sync
The failure to receive an MFA code over SMS is mostly seen when VPN users are imported from LDAP. As part of the LDAP sync, Cato imports the VPN user's phone number from one of two attributes:
- mobile
- telephoneNumber (if the mobile attribute does not exist)
It's important to populate these attributes with a phone number that includes the country code for MFA to work with SMS.
If the phone number is incorrect, fix the number in LDAP and then run another LDAP sync in the Cato Management Application. Once the LDAP sync is complete, the VPN user should start receiving MFA codes.
Go to Global Settings > Directory Services and click the Sync Now button to update an LDAP VPN user's phone number.
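To find affected users before running a sync, the following added example (not Cato's code) audits an LDIF export of the directory using the attribute rule described above. It assumes that a number "includes the country code" when it is written in international form with a leading "+"; the sample entries are constructed.

```python
import re
# Constructed sample LDIF export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=VPN,DC=example,DC=com
mobile: +1 415 555 0100

dn: CN=Bob Example,OU=VPN,DC=example,DC=com
telephoneNumber: (020) 7946 0000

dn: CN=Carol Example,OU=VPN,DC=example,DC=com
mobile: 0151 555 0123
telephoneNumber: +44 20 7946 0001

dn: CN=Dave Example,OU=VPN,DC=example,DC=com
"""

# Assumption: international form is "+" followed by 8 to 15 digits
# (15 is the E.164 maximum; the lower bound is a sanity check only).
INTL = re.compile(r"^\+[1-9]\d{7,14}$")

def parse_ldif(text):
    """Yield (dn, {attr: first value}) for each blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                attrs.setdefault(name.lower(), value.strip())
        if "dn" in attrs:
            yield attrs.pop("dn"), attrs

def sms_number(attrs):
    """Apply the rule above: mobile if present, otherwise telephoneNumber."""
    return attrs.get("mobile") or attrs.get("telephonenumber")

def audit(text):
    """Return [(dn, number, problem)] for users whose SMS MFA is likely to fail."""
    findings = []
    for dn, attrs in parse_ldif(text):
        number = sms_number(attrs)
        if number is None:
            findings.append((dn, None, "no phone attribute"))
        elif not INTL.match(re.sub(r"[\s().-]", "", number)):
            findings.append((dn, number, "missing country code"))
    return findings

if __name__ == "__main__":
    for dn, number, problem in audit(SAMPLE_LDIF):
        print(f"{problem}: {dn} ({number})")
```

The Carol entry is flagged even though telephoneNumber is valid, because mobile takes precedence when it exists.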
Manually Created VPN Users
If the VPN account is manually created, end users have control over the phone number that the MFA code is sent to through the Cato User Portal (https://myvpn.catonetworks.com). If these users are not receiving MFA codes and their number is incorrect in the Cato Management Application, direct them to the Cato User Portal to change their phone number.
After logging in, users can find the "View/Change 2FA Settings" link at the bottom of the page.
Clicking that link takes them to another page where they can click the "(Change Settings)" link next to 2 Factor Authentication. A pop-up window will then guide them through changing their phone number.
The form validates the phone number that the user enters and requires them to choose the country, which automatically populates the country code.