OTP with AD connection

If the OTP method is activated, login is only possible by entering a correct OTP.

An exception on a per-user basis is not possible. This also applies to authentication at the user web interface and to SSL-VPN and IPSec-Xauth.

SSL-VPN:
Since re-authentication takes place every hour with the SSL-VPN, a new OTP must also be entered every hour.

Renegotiation can be increased accordingly or disabled completely.
Disabling it is, of course, not recommended. A change is made on the UTM for all SSL-VPN clients of this instance.
After the change, the SSL-VPN service is restarted automatically.

Saving the password in the SSL-VPN client is not possible because the password to be passed is composed of the static user password and the OTP.

It is recommended to print this code for the administrators and file it to the documentation as described in OTP Secret.

Attributes in Active Directory

The UTM is connected to the Active Directory. Instructions for this can be found in this Wiki article Active Directory Connection. An unused attribute in the Active Directory schema is required. The secret code is stored in it.	AD advanced settings
A list of attributes can be found in the Active Directory under Active Directory Users and Computers. But for this it is necessary to activate the menu item Advanced Features under View.
Open "Properties" for the desired user. Switch to the tab Attribute Editor. There is the list with the attributes.	AD Attribut-Editor
In this example the attributes extensionAttribute1 - 15 are available. Select one of these attributes by storing the OTP secret code for the user.
notempty New attributes can also be created. However, this is an intervention in the AD scheme which leads to the fact that the AD can no longer be used.

Enter attribute in the UTM

The attribute of the AD with the OTP secret code must be entered into the UTM. In the menu Authentication AD/LDAP Authentication switch to the area Extended.
Caption	Value	Description	AD/LDAP Authentication UTMuser@firewall.name.fqdnAuthentication Assistent AD OTP attribute
OTP-Attribute:	extensionAttribute10	The attribute selected in AD is entered. The value entered there is simply overwritten.

Generate OTP secret code

Since the AD attribute extensionAttribute10 should now contain a 16-digit base32 key code, this must be generated somehow. This can be done by the UTM.	User UTMuser@firewall.name.fqdnAuthentication Dummy user for OTP key
Simply create a user under Authentication User - here with the name otp_dummy_user. This user does not have to belong to a group and does not need any permissions.
If this user is edited again, OTP is located on the right side. On the one hand, a secret code created by random generator is already located in the area OTP , on the other hand also a QR code created from this. A new secret code is generated with the button.	Edit user UTMuser@firewall.name.fqdnAuthenticationUser Generate OTP key
notempty Not every authenticator app supports every hash algorithm! Some of these apps do not support SHA256, or SHA512. When using these apps, the default value may have to be retained.
Example: The Google Authenticator and Microsoft Authenticator apps only support the hash algorithm SHA1
The secret code can simply be copied and pasted into the Active Directory attribute. This of course also applies to a 40-digit HEX(60) key of a hardware token.	Insert key code into attribute (Google Authenticator)
Please note: When using a hardware token, the prefix (e.g. hex(60) )must be specified in the AD attribute before the PSK.	Insert key code into attribute (hardware token)
The syntax of the OTP secret code is as follows: ${HASH_ALGO}:${CODING}(${INTERVAL})${SECRET} ${HASH_ALGO}: the hash algorithm, i.e. whether sha1, sha256, or sha512 If this is not specified, the default is sha1 ${CODING}: the input format, i.e. base32(b32), base64(b64). or hex ${INTERVAL}: the interval that must' be in brackets ${Secret}: the secret code generated above
Example: sha256 with base32 and 30 second interval → sha256:b32(30)1234567ABCD123
The QR code can be saved as an image simply by clicking the right mouse button, and then send it to the user in a suitable way. Instructions on how to set this up in a software token such as Google Authenticator can be found here.	Edit user UTMuser@firewall.name.fqdnAuthenticationUser Save QR code as an image
Of course, each user should get his own OTP key. A new randomly generated key and QR code is created simply by clicking the button.

Create a group for AD authentication

The users in question must be grouped in the Active Directory, as individual users cannot be detected by the UTM.	Add group UTMuser@firewall.name.fqdnAuthenticationUser Create user group
Finally, a user group must be created on the UTM that controls the permissions of the OTP-AD group on the UTM.
This in turn is then linked to the Active Directory group in question.	Link AD group with UTM user group
Now the user can log on to the service of the UTM with his Windows domain name, password and the additional OTP password, which he receives via the OTP token, without having to be additionally entered as a local user on the UTM.