This article refers to a version that is no longer current!

The article for the latest version can be found here.

A newer version of this article already exists, but it refers to a reseller preview.
Important notes when using the OTP method
Last adaptation: 03.2023
New: This article refers to a reseller preview

11.8.8 11.8 11.7

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ Authentication → Users, tab OTP


Foreword

If the OTP method is activated, login is only possible by entering a correct OTP.

Hint:
If the OTP method is active for the admin web interface and SSH console, each administrator must have this token to access the device.


Exceptions on a per-user basis are not possible.

SSL-VPN:
Since SSL VPN re-authenticates every hour, a new OTP must also be entered every hour.

The renegotiation interval can be increased or renegotiation can be disabled completely in the → VPN → SSL-VPN menu, in the settings of a connection, in the General tab under Renegotiation.
Disabling it is of course not recommended. A change is transmitted by the UTM to the SSL VPN clients.
An adjustment in the clients was only necessary up to version 11.8.

Saving the password in the SSL VPN client is not possible because the password that is passed is composed of the static user password and the OTP.

If the OTP generator (smartphone or hardware token) fails, the OTP can only be generated if there is access to the QR code or the secret code. This can be found under → Authentication → User OTP Codes.

If the OTP generator for administrator access fails, you require a printed version of the QR code.
If this is not available, access to the UTM is only possible with physical access directly at the device (keyboard and monitor at the UTM).


Print out this code for the administrators as described under OTP Secret and file it with the documentation.

Hint:
Since the OTP method is time-based, care must be taken to ensure that the time of the UTM (ideally kept by a time server) runs synchronously with the hardware or software token.

The time of the UTM system can be checked in three ways:

  • Using the administration web interface: the time is shown in the widget selection when it is not expanded, or in the Network menu under Server Settings in the Time Settings section.
  • Using the CLI with the command system date get
  • Using the root console with the command date

The system time can then be set using the following options:

  • Using the administration web interface in the Network menu under the menu item Server Settings in the section Time Settings
  • Using the CLI with the command system date set date followed, separated by spaces, by the current date and time in the format YYYY-MM-DD hh:mm:ss


OTP - One-Time-Password

The One-Time Password (OTP) is an additional authentication mechanism that provides extra security when a user logs in.
The UTM uses the time-based method (TOTP = Time-based One-Time Password). A new OTP is calculated every 30 seconds from the shared secret code and the current time.

To generate this 6-digit password, a smartphone app such as Google Authenticator is used as the token. It is available for Android as well as for iOS devices.
Other apps, such as FreeOTP for Android, are also possible.
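As an added example (not code from the Securepoint article or the UTM), the following Python computes and checks a TOTP code with the parameters named on this page (SHA1, 6 digits, 30-second interval) from a base32 secret in the form the UTM displays, and also splits the combined "password followed directly by OTP" form that the VPN and SSH sections below describe for counterparts that cannot transmit the OTP separately. The demo secret is the public RFC 6238 test vector, not a UTM secret, and the small tolerance window in verify_totp is an assumption that shows why the time-synchronisation hint above matters.

```python
import base64
import hashlib
import hmac
import struct

# Parameters the article prescribes for the UTM and the authenticator apps:
# TOTP (RFC 6238), HMAC-SHA1, 6 digits, 30-second interval.
DIGITS = 6
STEP = 30


def decode_base32_secret(secret_b32):
    """Decode the secret as the UTM shows it (base32, e.g. 4ZZDUV5ZGDMOUVLT), adding missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32, unix_time, digits=DIGITS, step=STEP):
    """RFC 6238: HMAC-SHA1 over the big-endian 8-byte time counter, then RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(decode_base32_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, unix_time, drift_steps=1):
    """Accept the code of the current step and of +/- drift_steps neighbouring 30-second steps (assumed
    tolerance). A token whose clock is further off is rejected: UTM and token time must stay in sync."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + k * STEP), code):
            return True
    return False


def split_combined_password(field, digits=DIGITS):
    """Split the 'static password + OTP without spaces' form (e.g. 'insecure123456') that the article
    describes for VPN/SSH counterparts which cannot transmit the OTP separately."""
    if len(field) <= digits or not field[-digits:].isdigit():
        raise ValueError("input does not end in a %d-digit OTP" % digits)
    return field[:-digits], field[-digits:]


if __name__ == "__main__":
    # Constructed demo with the public RFC 6238 test secret (base32 of ASCII "12345678901234567890").
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, 59))  # 287082 (last 6 digits of the RFC's 8-digit vector 94287082)
    print(verify_totp(rfc_secret, "287082", 89), verify_totp(rfc_secret, "287082", 1234567890))
    print(split_combined_password("insecure123456"))
```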


Set up OTP

Activation procedure

  1. Ensure that the time of the UTM and of the token run synchronously
  2. Transmit the secret code to the token
  3. Activate the OTP method on the UTM
  4. Test the login before the current session has ended
Once the method is activated, every user of the selected applications must additionally log in via OTP.
Exceptions are not possible.


Configure OTP User

First, the users are created under → Authentication → Users as usual.
See also Benutzerverwaltung.
The OTP code for a user can only be displayed after the user's entries have been saved.
It can be displayed or changed by clicking the edit button in the user row, in the OTP tab on the right side.

The code can be generated automatically by the Securepoint UTM and is available in two formats:
as a QR code, which can simply be scanned with the smartphone app, and in text form, to be entered using the keyboard.


OTP Configuration

  • Input format: base32 encoded (default), base64 encoded or HEX encoded
  • Interval: 30 (default). The interval must always be set to 30 seconds.
  • Code: 4ZZDUV5ZGDMOUVLT, the code in text form. It is also possible to enter a code manually, e.g. the code of a hardware token. With the button next to it the code can be newly generated.

Resulting Code

  • Secret: 4ZZDUV5ZGDMOUVLT, the code in text form
  • Check OTP code: an OTP code generated with the corresponding OTP generator can be entered here to check whether the OTP generator has been set up correctly.


OTP Secret

OTP PDF document

For distribution to the users, the created codes can be printed using the OTP Codes button.
A document in PDF format is then generated.


Setting up an Authenticator

First, Google Authenticator must be downloaded from the app store, installed and opened.

The first window contains an overview of the two steps for authentication with a Google account:

Generate OTP with the Google Authenticator
Set up with QR code:
  • Choose the Add account button / + or similar, if applicable
  • Choose the Scan QR code button or tap the QR code symbol
  • Allow access to the camera (at the latest now)
  • An account is created with the name of the firewall and the user name
  • Immediately, or after tapping on the entry, a valid OTP code is displayed that can be checked
Set up with setup key:
  • Enter the account name
  • Enter the key / secret
    • Key type: Time based / TOTP
    • Digits: 6
    • Algorithm: SHA1
    • Interval: 30 seconds
  • An account is created with the specified account name
  • Immediately, or after tapping on the entry, a valid OTP code is displayed that can be checked

Use of a hardware token

The use of a hardware token is also possible.
It should be an RFC 6238 compatible password generator.

We currently support the Feitian OTP c200.
For this purpose the supplier sends a download link for the HEX code, which must be registered with the user as described above.

The following parameters must be used:

  • SHA algorithm: SHA1
  • Time interval: 30 seconds


Optional: SEED programming

Background on SEED programming: if the token was manufactured in a non-trustworthy country and you want to make sure that it does not already contain malicious code or is otherwise compromised on delivery, Mtrix will reprogram it for 1.77 Euros.

Be sure to enter the token key and not the token ID.

The ID is the serial number of the token; the key is a 32 to 40 character code, as shown in the figure.

Attention: the OTP seed can be read via LDAP if it is stored in the user attributes in AD.


Assign OTP to applications

OTP applications

Under → Authentication → OTP you can select the applications for which users must additionally authenticate themselves with the one-time password.

Web interfaces
  • Admin Web Interface: Off
    If the OTP generator for administrator access fails, you require a printed version of the QR code.
    If this is not available, access to the UTM is only possible with physical access directly at the device (keyboard and monitor at the UTM).
  • User web interface: Off

VPN (Roadwarrior connection)
  • IPSec: Off
  • SSL-VPN: Off

Firewall
  • SSH (console): Off


Use OTP

Web interface

Login with OTP

When logging in to the administration or user web interface, there is now an additional authentication field for the OTP code.

Here, in addition to the user name and password, the generated code is entered.


VPN

In the SSL-VPN client you can set whether the OTP code is to be requested separately. A more detailed explanation can be found here.

If the remote terminal allows a separate transmission of the OTP password (UTM from version 11.8), the following procedure can be followed:

  1. Start the SSL VPN connection on the client (on Windows: double-click the lock icon in the taskbar).
  2. Establish the connection by clicking the Verbindung aufbauen (establish connection) button.

The connection is established in three steps:

  • Enter username: User
  • Enter password: insecure
  • Enter OTP: 123456

The client then reports: Connected

Scenario: Remote terminal does not allow separate transmission of the OTP code:

If OTP is used in combination with an SSL VPN or Xauth VPN connection and the remote terminal does not support the separate transmission of the OTP code, the OTP code must be entered directly after the user password without spaces during the password query.

This option is not available in UTM versions 11.8.0 to 11.8.3.4.

  • Enter username: User
  • Enter password and OTP: insecure123456


Example:

Password: insecure
OTP: 123456
Password entered: insecure123456

Saving the password in the SSL VPN client is not possible because the password that is passed is composed of the static user password and the constantly changing OTP.



SSH connection

If access is via an SSH console with OTP, the OTP code is requested on a separate line labelled Pin.


VPN with UTM if the remote station does not allow separate transmission of the OTP password:


SSH login with OTP under PuTTY and v11.7.15

When accessing via an SSH console with OTP and the counterpart does not allow separate transmission of the OTP code, the OTP code is entered without spaces directly after the user password.

This option is not available in UTM versions 11.8.0 to 11.8.3.4.

Example:

Password in UTM: insecure
OTP: 123456
Password entered: insecure123456