Tutorial: Turn on TOTP multi-factor authentication

Abstract

Enable TOTP multi-factor authentication to increase the security of Access Server VPN client connections.

Overview

You have the option of adding another security layer for users signing in to Access Server with Time-based One-Time Passwords (TOTP). This is a standard that many devices and applications support for Multi-Factor Authentication (MFA). It is designed so that users will need to have their credentials as well as a device or app that generates temporary MFA codes required to complete the login process. This documentation provides you with:

  1. How to enable TOTP MFA from the Admin Web UI.

  2. Some restrictions on the use of TOTP MFA in Access Server.

  3. How to manage TOTP MFA for auto-login profiles.

For details about how TOTP MFA works on Access Server, refer to the MFA topic.

  • A TOTP MFA application such as Google Authenticator, Microsoft Authenticator, Yubikey Authenticator, Gnome Authenticator, FreeOTP, andOTP, etc. There are also standalone hardware devices that support this and work with Access Server, such as the Protectimus Slim NFC token.

  • An installed Access Server.

    Tip

    We recommend using Access Server 2.11.1 and newer, where you can enable TOTP MFA for individual users and groups from the Admin Web UI as well as for all users globally.

  • Supported authentication methods: local, PAM, LDAP, and RADIUS.

Important

If you use SAML as your authentication method, ensure you set up MFA with your SAML IdP and not by enabling the TOTP MFA toggles in the Admin Web UI.

  1. Sign in to the Admin Web UI.

  2. Click Authentication > Settings.

  3. Set Enable TOTP Multi-Factor Authentication to Yes.

  4. Instruct users to sign in on the Client Web UI to enroll:

    1. Sign in to the Client Web UI.

    2. The next screen displays the MFA shared key in QR code and plaintext.

    3. Scan the QR code or enter the key manually into the TOTP app or device.

    4. Enter the six-digit one-time password provided by the TOTP app or device.

    5. Click Confirm Code.

    Tip

    If a user doesn’t see the enrollment screen and only sees the one-time password prompt, you must generate a new MFA shared key for that user from the command line. Refer to this tutorial.

On Access Server 2.11.1 and newer, you can enable TOTP MFA for individual users and groups from the Admin Web UI.

  1. Sign in to your Admin Web UI.

  2. Click User Management > Group Permissions.

  3. Click More Settings for the desired group.

  4. Click the radio button to enable TOTP-based Multi-Factor Authentication for the group.

  5. Instruct users to sign in on the Client Web UI to enroll:

    1. Sign in to the Client Web UI.

    2. The next screen displays the MFA shared key in QR code and plaintext.

    3. Scan the QR code or enter the key manually into the TOTP app or device.

    4. Enter the six-digit one-time password provided by the TOTP app or device.

    5. Click Confirm Code.

On Access Server 2.11.1 and newer, you can enable TOTP MFA for individual users and groups from the Admin Web UI.

  1. Sign in to your Admin Web UI.

  2. Click User Management > User Permissions.

  3. Click More Settings for the desired user.

  4. Click the radio button to enable TOTP-based Multi-Factor Authentication for the user.

  5. Instruct users to sign in on the Client Web UI to enroll:

    1. Sign in to the Client Web UI.

    2. The next screen displays the MFA shared key in QR code and plaintext.

    3. Scan the QR code or enter the key manually into the TOTP app or device.

    4. Enter the six-digit one-time password provided by the TOTP app or device.

    5. Click Confirm Code.

    Warning

    If you use MFA added by post-auth script, enabling TOTP MFA will break user authentication. Ensure that no other MFA is enabled when enabling TOTP MFA.

Server-locked and user-locked profiles both adhere to the requirement for multi-factor authentication. However, by default, auto-login profiles don’t adhere to this requirement. Typically, unattended devices—such as servers in data centers establishing connections automatically—use auto-login profiles.

To enable MFA on an auto-login profile:

  1. Create a user with auto-login privileges.

  2. Install the auto-login profile on the VPN client.

  3. Ensure the VPN client is a modern VPN client such as OpenVPN Connect v3.3 or newer.

  4. Turn on MFA globally, for the group, or for the user.

  5. Connect to the Access Server console with root privileges and run the following commands to set the auto-login parameter to true:

    cd /usr/local/openvpn_as/scripts/
    ./sacli --user <USER_OR_GROUP> --key "prop_google_auth_autologin" --value "true" UserPropPut
    ./sacli start

    • The user account must now enroll in MFA and comply with the TOTP MFA requirement.

If you are using a post-auth script to enhance or replace your authentication process in the Access Server, you can't implement MFA in the post-auth script alongside Access Server's built-in TOTP MFA function. You have to choose to use either the built-in MFA method or implement one yourself in the post-auth script.

Access Server's built-in TOTP MFA function doesn't support users authenticating via SAML. To include MFA with SAML authentication, you must implement this with the IdP or another option such as DUO.

On Access Server 2.9 and older, the bootstrap administrative accounts, as defined in the as.conf configuration file, bypass the MFA requirement and password lockout policy. We recommend that you upgrade your Access Server so that any MFA requirement and password lockout policy will also apply to these accounts. There is more information on the bootstrap accounts and MFA below.