Tutorial: Turn On TOTP Multi-Factor Authentication

Abstract

Enable TOTP multi-factor authentication to increase the security of Access Server VPN client connections.

Overview

You can add a security layer for users signing in to Access Server with Time-based One-Time Passwords (TOTP), a standard that many devices and applications support for Multi-Factor Authentication (MFA). Once enabled, users need both their credentials and a device or app that generates short-lived MFA codes to complete the login process. This documentation provides you with:

  1. How to enable TOTP MFA from the Admin Web UI.

  2. Some restrictions on the use of TOTP MFA in Access Server.

  3. How to manage TOTP MFA for auto-login profiles.

For details on how TOTP MFA works on Access Server, refer to the MFA topic.

Prerequisites

  • A TOTP MFA application such as Google Authenticator, Microsoft Authenticator, Yubico Authenticator, GNOME Authenticator, FreeOTP, or similar. Standalone hardware tokens that support TOTP also work with Access Server, such as the Protectimus Slim NFC token.

  • An installed Access Server.

  • An authentication method that TOTP MFA supports: local, PAM, LDAP, or RADIUS.

Important

If you use SAML as your authentication method, ensure that you set up MFA with your SAML IdP, rather than enabling the TOTP MFA toggles in the Admin Web UI.

Enable TOTP MFA globally

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. On the General Settings tab, set Require MFA to On.

  4. Click Save and Restart.

  5. Instruct users to sign in on the Client Web UI to enroll:

    1. Sign in to the Client Web UI.

    2. The next screen displays the MFA shared key as a QR code and in plaintext.

    3. Scan the QR code or enter the key manually into the TOTP app or device.

    4. Enter the six-digit one-time password provided by the TOTP app or device.

    5. Click Confirm Code.

    Tip

    If a user doesn’t see the enrollment screen and only sees the one-time password prompt, the account already has an MFA secret; you must generate a new MFA secret for that user from the command line. Refer to this tutorial.

Enable TOTP MFA for a group

  1. Sign in to the Admin Web UI.

  2. Click Groups.

  3. Click on the desired group.

  4. On the Group Settings tab, under Authentication, set Require MFA to Enabled.

  5. Click Save and Restart.

  6. Instruct users to sign in on the Client Web UI to enroll:

    1. Sign in to the Client Web UI.

    2. The next screen displays the MFA shared key as a QR code and in plaintext.

    3. Scan the QR code or enter the key manually into the TOTP app or device.

    4. Enter the six-digit one-time password provided by the TOTP app or device.

    5. Click Confirm Code.

Enable TOTP MFA for a user

  1. Sign in to the Admin Web UI.

  2. Click Users.

  3. Click on the desired user.

  4. On the User Settings tab, under Authentication, set Require MFA to Enabled.

  5. Click Save and Restart.

  6. Instruct users to sign in on the Client Web UI to enroll:

    1. Sign in to the Client Web UI.

    2. The next screen displays the MFA shared key as a QR code and in plaintext.

    3. Scan the QR code or enter the key manually into the TOTP app or device.

    4. Enter the six-digit one-time password provided by the TOTP app or device.

    5. Click Confirm Code.

      Warning

      If you added MFA through a post-auth script, enabling TOTP MFA breaks user authentication. Ensure that no other MFA method is enabled before you enable TOTP MFA.

Manage TOTP MFA for auto-login profiles

Server-locked and user-locked profiles both enforce the MFA requirement. By default, auto-login profiles do not, because they are typically used by unattended devices, such as servers in data centers that establish connections automatically.

To enable MFA on an auto-login profile:

  1. Create a user with auto-login privileges.

  2. Install the auto-login profile on the VPN client.

  3. Ensure the VPN client is a modern VPN client such as OpenVPN Connect v3.3 or newer.

  4. Turn on MFA globally, for the group, or for the user.

  5. Connect to the Access Server console, obtain root privileges, and run the following commands to set the auto-login MFA parameter to true, where <USER_OR_GROUP> is the user or group name:

    # Make the auto-login profile subject to the MFA requirement
    sacli --user <USER_OR_GROUP> --key "prop_google_auth_autologin" --value "true" UserPropPut
    # Restart the Access Server services so the change takes effect
    sacli start

  6. The user account must now enroll in MFA and comply with the TOTP MFA requirement.

Restrictions

If you use a post-auth script to enhance or replace the authentication process in Access Server, you can't implement MFA in the post-auth script alongside Access Server's built-in TOTP MFA function. You have to choose either the built-in MFA method or one you implement yourself in the post-auth script.

Access Server's built-in TOTP MFA function doesn't support users authenticating via SAML. To add MFA to SAML authentication, implement it at the IdP or with another option such as Duo.