Important notes when using the OTP method

Last adaptation to the version: 14.0.0

This article refers to a Resellerpreview
Access: Authentication User


Preliminary remarks

If the OTP method is activated, login is only possible by entering a correct OTP.

If the OTP method is active for the admin web interface and the SSH console, every administrator must have such a token to access the device. Exceptions on a per-user basis are not possible!



SSL-VPN:
Since SSL VPN re-authenticates every hour, a new OTP must also be entered every hour.

Renegotiation can be increased or completely disabled in the VPN SSL-VPN menu in the settings of a connection in the General tab under Renegotiation.
Of course, disabling is not recommended. A change is transmitted by the UTM to the SSL VPN clients.

Saving the password in the SSL VPN client is not possible because the password that is passed is composed of the static user password and the OTP.

In case of malfunction of the OTP generator (smartphone or hardware token), the OTP can only be generated if there is access to the QR code or the secret code.
This can be found under Authentication User OTP Codes.

If the OTP generator for administrator access fails, a printed version of the QR code is required.
If this is not available, access to the UTM is only possible with physical access directly at the device (keyboard and monitor at the UTM).


Print this code for the administrators as described under OTP Secret and file the printout in the documentation.

  • Since the OTP method is time-based, care must be taken to ensure that the time of the UTM runs synchronously with the hardware or software token.
    The time of the UTM system can be checked in three ways:
    • Using the administration web interface: the time is shown in the widget selection if it is not expanded, or in the menu Network  Server settings  Area Time settings
    • Using the CLI with the command system date get
    • Using the root console with the command date

    The system time can then be set using the following options:
    • Using the administration web interface in the menu Network  Server settings  Area Time settings
    • Using the CLI with the command system date set date followed, separated by spaces, by the current date and time in the format YYYY-MM-DD hh:mm:ss


    OTP - One-Time-Password

    The one-time password is an additional authentication mechanism that provides extra security when a user logs in.
    The UTM uses the time-based method (TOTP: Time-based One Time Password). A new OTP is calculated every 30 seconds from the shared secret code and the current time.
    There are several ways to generate this six-digit password:

    • Smartphone app: A smartphone app that calculates the password can be used, for example Google Authenticator, which is available for Android and iOS, or other apps such as FreeOTP+ for Android, which may offer a larger feature set, e.g. export of tokens, better hash algorithms, etc.
    • Password manager for the PC: A password manager for the PC that can generate OTPs can be used, e.g. KeePassXC.
    • Hardware token: There are hardware tokens whose sole purpose is the generation of OTPs.


    Set up OTP

    Activation procedure

    Fig. 1: Checking the time under Network  Server settings
    • Make sure that the time of the UTM and of the token run synchronously
    Fig. 2: Activating OTP under Authentication  OTP
    • Activate the OTP method on the UTM
    Fig. 3: New dialog, no OTP assigned yet
    • If users exist for whom no OTP is configured, they are listed here
    • No cancels the save operation
    • Yes automatically creates OTP configurations for all users; the code for the current user is then displayed
    Fig. 4: New dialog, generated OTP
    • Display of the automatically configured OTP code for the current user
    This code must be written down, because without it logging in with this user is not possible!

    Configure OTP User

    First, the users are created under Authentication  Users as usual.
    See also Benutzerverwaltung (user management).
    The OTP code for a user can only be displayed after the user's entries have been saved.
    It can be displayed or changed by clicking the edit button in the user's row and opening the OTP tab on the right side.

    The code can be created automatically by the Securepoint UTM and is available in two formats.
    On the one hand as a QR code, which can simply be photographed with the smartphone app, and on the other hand in text form to be entered using the keyboard.

    OTP Configuration (Authentication  User, OTP tab)
    Caption / Value / Description:

    • Input format:
      • base32 encoded: default setting, base32 encoded, 16 characters length
      • base64 encoded: base64 encoded, length 16 - 168 characters (in blocks of 4), manual input
      • HEX encoded: HEX coded, valid characters: A-F, a-f and 0-9, length 10-128 pairs, manual input
    • Hash algorithm: sha1 (default), sha256 or sha512. The hash algorithm can be selected.
      Not every authenticator app supports every hash algorithm! Some of these apps do not support sha256 or sha512.
      When using such apps, the default value may have to be retained.
      Example: The Google Authenticator and Microsoft Authenticator apps only support the hash algorithm sha1.
    • Interval: 30. The interval should be set to 30 seconds.
    • Code: DQUZGDQS3UM2KOKL. Gives the code in text form.
      It is also possible to enter a code manually, e.g. the code of a hardware token.
      The generate button creates a new code with the default settings (base32 coded, interval 30 seconds).
    • Resulting Code, Secret: DQUZGDQS3UM2KOKL. Gives the code in text format.
    • Check OTP code: An OTP code generated with a corresponding OTP generator can be entered here to check whether the OTP generator has been set up correctly.
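The following added example (not part of the original article or of the Securepoint UTM software) implements the TOTP calculation described in the OTP section above and accepts the three secret input formats and three hash algorithms from the configuration table; the verify function with a small step window shows why the time-synchronisation note matters. The base32 secret DQUZGDQS3UM2KOKL is the sample value from the table; the key and window names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Hash algorithms offered by the UTM's "Hash algorithm" setting.
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def decode_secret(secret: str, fmt: str = "base32") -> bytes:
    """Decode a shared secret given in one of the three input formats of the table."""
    if fmt == "base32":
        s = secret.strip().replace(" ", "").upper()
        return base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate unpadded input
    if fmt == "base64":
        return base64.b64decode(secret)
    if fmt == "hex":
        return bytes.fromhex(secret)
    raise ValueError(f"unknown secret format: {fmt}")


def totp(key: bytes, timestamp: int, algo: str = "sha1", digits: int = 6, interval: int = 30) -> str:
    """RFC 6238: HOTP (RFC 4226) over the time counter floor(timestamp / interval)."""
    counter = timestamp // interval
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algo]).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(key: bytes, code: str, timestamp: int, algo: str = "sha1",
           skew_steps: int = 1, interval: int = 30) -> bool:
    """Accept the code of the current step and of +/- skew_steps neighbouring steps.
    A clock that drifts further than this window makes every valid token fail."""
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp(key, timestamp + step * interval, algo, interval=interval)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    key = decode_secret("DQUZGDQS3UM2KOKL")       # sample base32 secret from the table
    print("current sha1 code:", totp(key, int(time.time())))
```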


    OTP Secret

    Fig.: OTP PDF document

    For distribution to the users, the created codes can be printed via OTP Codes.
    A document in PDF format is then generated as follows:




    Setting up an Authenticator

    First, the Google Authenticator must be downloaded from the App Store, installed and opened.
    The first window contains an overview of the two steps for authentication with Google Account:
    Fig.: Generate OTP with the Google Authenticator
    Set up with QR code:
    • Choose Add account button / + or similar, if applicable
    • Scan QR code button or click on QR code symbol
    • at the latest now: Allow access to camera
    • An account is created with the name of the firewall and the user name
    • Immediately or by tapping on the entry, a valid OTP code is displayed that can be checked
    Set up with setup key:
    • Enter account name
    • Enter Key / Secret
      • Key type: Time based / TOTP
      • Digits: 6
      • Algorithm: SHA1
      • Interval 30 seconds
    • An account is created with the specified account name
    • A valid OTP code is displayed immediately or by tapping on the entry, which can be verified


    Use of a hardware token

    The use of a hardware token is also possible.
    This should be a RFC 6238 compatible password generator.
    Securepoint currently supports the Feitian OTP c200.
    A download link for the HEX code is sent by the supplier for this purpose, which must be registered with the user as described above.
    The following parameters must be used:

    • SHA algorithm: SHA1
    • Time interval: 30 seconds
    • Optional: SEED programming


    Be sure to enter the token key and not the token ID.
    The ID is the serial number of the token; the key is a 32 to 40 character code.


    Attention: The OTP seed can be read via LDAP if it is stored in the user attributes in AD.


    Assign OTP to applications

    Under Authentication OTP one can select for which applications the users should additionally authenticate themselves with the one-time password.

    Fig.: OTP applications under Authentication  OTP

    Webinterfaces
    • Admin Web Interface: Off
    • User web interface: Off

    VPN (Roadwarrior connection)
    • IPSec: Off
    As of v12.7.3:

    Firewall
    • SSH (console): Off
    If the OTP generator for administrator access fails, a printed version of the QR code is required.
    If this is not available, access to the UTM is only possible with physical access directly at the device (keyboard and monitor at the UTM).


    Use OTP

    Webinterface

    Fig.: OTP Login

    When logging in to the administration or user web interface, there is now an additional authentication field for the OTP code.
    Here, in addition to the user name and password, the generated code is entered.



    VPN

    In the SSL-VPN client, you can set whether the OTP code is to be requested separately. A more detailed explanation can be found here.
    If the remote terminal allows separate transmission of the OTP, the following procedure can be used:
    Start the SSL VPN connection on the client (on Windows: double-click the lock icon in the taskbar).
    Establish the connection by clicking the connect button. The connection is established in three steps:

    • Enter username: User
    • Enter password: insecure
    • Enter OTP: 123456
    • Connected












    Scenario: the remote terminal does not allow separate transmission of the OTP code:
    If OTP is used in combination with an SSL VPN or Xauth VPN connection and the remote terminal does not support separate transmission of the OTP code, the OTP code must be entered directly after the user password, without spaces, at the password prompt.
    • Enter username: User
    • Enter password and OTP: insecure123456













    Example:

    Password: insecure
    OTP: 123456
    Password entered: insecure123456

    Saving the password in the SSL VPN client is not possible because the password that is passed is composed of the static user password and the constantly changing OTP.


    SSH connection

    If access is made with an SSH console and OTP, the OTP code is requested in a separate line labelled Pin.

    VPN with the UTM if the remote station does not allow separate transmission of the OTP password:


    Fig.: SSH login with OTP under PuTTY and v11.7.15

    When accessing with an SSH console and OTP, and the counterpart does not allow separate transmission of the OTP code, the OTP code is entered without spaces directly after the user password.
    Example

    Password in UTM: insecure
    OTP: 123456
    Password: insecure123456