Jump to:navigation, search
Wiki





























De.png
En.png
Fr.png






Important notes when using the OTP method
Last adaptation to the version: 12.6.1
New:
  • Updated to Redesign of the webinterface
notempty
This article refers to a Resellerpreview

12.5 12.3 11.8.8 11.8 11.7

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Authentication User


Preliminary remarks

If the OTP method is activated, login is only possible by entering a correct OTP.

notempty
If the OTP method is active for the admin web interface and SSH console, each administrator must have this token to access the device. Exception on user basis is not possible!



SSL-VPN:
Since SSL VPN re-authenticates every hour, a new OTP must also be entered every hour.

Renegotiation can be increased or completely disabled in the VPN SSL-VPN menu in the settings of a connection in the General tab under Renegotiation.
Of course, disabling is not recommended. A change is transmitted by the UTM to the SSL VPN clients.

Saving the password in the SSL VPN client is not possible because the password that is passed is composed of the static user password and the OTP.

In case of malfunction of the OTP generator (smartphone or hardware token), the OTP can only be generated if there is access to the QR code or the secret code.
This can be found under Authentication User OTP Codes.

notempty
If the OTP generator for administrator access fails, a printed version of the QR code is required.
If this is not available, access to the UTM is only possible with physical access directly at the device (keyboard and monitor at the UTM).


Printout of this code for the administrators as described in OTP Secret. File in the documentation.

  • Since the OTP method is time-based, care must be taken to ensure that the time server in the UTM runs synchronously with the hardware or software token.
    The time of the UTM system can be checked in three ways:
  • Using the administration web interface: The time is shown in the widget selection if it is not expanded or in the menu Network server settings  Area Time settings
    • Using the CLI with the command system date get
    • Using the root console with the command date

    The system time can then be set using the following options:
    • Using the administration web interface in the menu Network Server settings  Area Time settings
    • Using the CLI with the command system date set date then seperated with spaces the current date and time in the format YYYY-MM-DD hh:mm:ss



    OTP - One-Time-Password

    The One-Time-Password is an additional authentication mechanism that provides extra security when a user logs in.
    In the UTM the time-based method is being used (TOTP: Time-based One Time Password). A new OTP is calculated every 30 seconds based on the shared secret code and the current time.
    To generate this 6-digit password, a smartphone app is used as the token, such as the Google Authenticator. This is available for Android, as well as for iOS devices.
    Other apps, such as FreeOTP for Android, are also possible.



    Set up OTP

    Activation procedure

    1. Ensure that the time of the UTM and the token runs synchronously
    2. Transmission of the secret code to the token
    3. Activating the OTP method on the UTM
    4. Testing the login, before the current session has ended
    notempty
    If the method is activated, each user of the selected applications must additionally log in via OTP. Exceptions are not possible.


    Configure OTP User

    First, the users are created under Authentication Users as usual.
    See also Benutzerverwaltung.
    The OTP code for this user can only be displayed after the user's entries have been saved.
    Display or change by clicking on the edit button in the user row in the tab OTP on the right side.

    The code can be created automatically by the Securepoint UTM and is available in two formats.
    On the one hand as a QR code, which can simply be photographed with the smartphone app, and on the other hand in text form to be entered using the keyboard.

    OTP Configuration
    Caption Value Description Edit User UTMuser@firewall.name.fqdnAuthenticationUser UTM v12.6.1 Authentifizierung Benutzer OTP-en.pngOTP user
    Input format: base32 encoded Default setting, base32 encoded, 16 characters length
    Codes less than 26 characters in length may be flagged as insecure by OTP apps
      
    base64 encoded base64 encoded, length 16 - 168 characters (in blocks of 4), manual input
    HEX encoded HEX coded, valid characters: A-F, a-f and 0-9 / length 10-128 pairs, manual input
    Hash algorithm: sha1
    Default
    The hash algorithm can be selected
    sha256 notempty
    Not every authenticator app supports every hash algorithm! Some of these apps do not support sha256, or sha512.
    When using these apps, the default value may have to be retained.


  • Example: The Google Authenticator and Microsoft Authenticator apps only supports the hash algorithm sha1.
  • sha512
    Interval: 30Link= The interval should be set to 30 seconds
    If a hardware token is used, its value must be adopted.
    OTP apps are often optimized to update the token every 30 seconds.
      
    Code: DQUZGDQS3UM2KOKL Gives the code in text form.
    It is also possible to enter a code manually, e.g. a hardware token.
    Creates a new code with the default settings (base32 coded, interval 30 seconds)
    Resulting Code
    Secret: DQUZGDQS3UM2KOKL Gives the code in text format
    Check OTP code:     An OTP code generated with a corresponding OTP generator can be entered here to check whether the OTP generator has been set up correctly.


    OTP Secret

    UTM v12.4 OTP PDF Drucken.png
    OTP PDF document

    For distribution to the users there is a possibility to print the created codes.
    OTP Codes
    A document in PDF format will then be generated as follows:




    Setting up an Authenticator

    First, the Google Authenticator must be downloaded from the App Store, installed and opened.
    The first window contains an overview of the two steps for authentication with Google Account:
    OTP Einrichten des Google Authenticator für OTP-en.png
    Generate OTP with the Google Authenticator
    Set up with QR code:
    • Choose Add account button / + or similar, if applicable
    • Scan QR code button or click on QR code symbol
    • at the latest now: Allow access to camera
    • An account is created with the name of the firewall and the user name
    • Immediately or by tapping on the entry, a valid OTP code is displayed that can be checked
    Set up with setup key:
    • Enter account name
    • Enter Key / Secret
      • Key type: Time based / TOTP
      • Digits: 6
      • Algorithm: SHA1
      • Interval 30 seconds
    • An account is created with the specified account name
    • A valid OTP code is displayed immediately or by tapping on the entry, which can be verified


    Use of a hardware token

    The use of a hardware token is also possible.
    This should be a RFC 6238 compatible password generator.
    Securepoint currently supports the Feitian OTP c200.
    A download link for the HEX code is sent by the supplier for this purpose, which must be registered with the user as described above.
    The following parameters must be used:

    • SHA algorithm: SHA1
    • Time interval: 30 seconds
    • Optional: SEED programming
      Background on SEED programming: In case the token happens to be created in in non-trustworthy countries and you want to make sure that it does not already contain malicious code or is otherwise compromised upon delivery, i.e. Mtrix will reprogram it for a small amount.
        


    notempty
    Be sure to enter the token key and not the token ID.
    The ID is a serial number of the token and the key is a 32 to 40 character code.


    notempty
    Attention: The OTP seed can be read by LDAP if it is stored in the user attributes in AD.


    Assign OTP to applications

    Under Authentication OTP one can select for which applications the users should additionally authenticate themselves with the one-time password.

    Webinterfaces
    OTP UTMuser@firewall.name.fqdnAuthentication UTM v12.6.1 Authentifizierung OTP-en.pngOTP applications
    Off Admin Web Interface
    The CLI command to enable OTP for the admin interface is: extc global set variable GLOB_AI_OTP_AUTH value 1
      
    Off User web interface
    he CLI command to enable OTP for the user interface is: extc global set variable GLOB_UI_OTP_AUTH value 1
      

    VPN
    (Roadwarrior connection)
    Off IPSec
    The cli command for IPSec is: extc value set application ipsec variable USE_OTP value 1
      
    Off SSL-VPN
    The cli command for SSL VPN is: extc value set application openvpn variable USE_OTP value 1
      

    Firewall
    Off SSH (console) SSL-VPN
    The cli command for SSH is: extc value set application sshd variable USE_OTP value 1
      
    notempty
    If the OTP generator for administrator access fails, a printed version of the QR code is required.
    If this is not available, access to the UTM is only possible with physical access directly at the device (keyboard and monitor at the UTM).


    Use OTP

    Webinterface

    UTM v12.6.1 UI Login OTP-en.png
    OTP Login

    When logging in to the administration or user web interface, there is now an additional authentication field for the OT code.
    Here, in addition to the user name and password, the generated code is entered.



    VPN

    In the SSL-VPN Client, you can set whether the OTP code is to be requested separately. A more detailed explanation can be found here.
    If the remote terminal allows a separate transmission of the OTP password, the following procedure can be followed:
    Start the SSL VPN connection on the client (on Windows: double-click the lock icon in the taskbar).
    Establish the connection by clicking on SSL-VPN-v2 Verbindung-aufbauen.png The connection is established in three steps:

    SSL-VPN-v2 Benutzername-en.png
    Enter username: User
    SSL-VPN-v2 Kennwort-en.png
    Enter password: insecure
    SSL-VPN-v2 OTP-en.png
    Enter OTP: 123456
    SSL-VPN-v2 Verbunden-en.png
    Connected












    notempty
    Scenario: Remote terminal does not allow separate transmission of the OTP code:
    If OTP is used in combination with an SSL VPN or Xauth VPN connection and the remote terminal does not support the separate transmission of the OTP code, the OTP code must be entered directly after the user password without spaces during the password query.
    SSL-VPN-v2 Benutzername-en.png
    Enter username: User
    SSL-VPN-v2 OTP-en.png
    Enter password and OTP: insecure123456













    Example:

    Password: insecure Saving the password in the SSL VPN client is not possible because the password that is passed is composed of the static user password and the alwys changing OTP.
    OTP: 123456
    password: insecure123456


    SSH connection

    If access is used with an SSH console and OTP, the OTP code is requested in a separate row Pin.

    notempty
    VPN with UTM if the remote station does not allow separate transmission of the OTP password:


    UTMv11-7 SSH-Login.png
    SSH login with OTP under PuTTY and v11.7.15

    When accessing with an SSH console and OTP, and the counterpart does not allow separate transmission of the OTP code, the OTP code is entered without spaces directly after the user password.
    Example

    Password in UTM: insecure
    OTP: 123456
    Password: insecure123456