Configuration of a one-time password (OTP) with AD connection

Last adaptation to the version: 12.6.0
Last updated: 11.2023
This article refers to a Resellerpreview

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Authentication / AD/LDAP Authentication / Area Extended

Introduction

If the OTP method is activated, login is only possible by entering a correct OTP.

If the OTP method is active for the admin web interface and SSH console, every administrator must have this token to access the device.

An exception on a per-user basis is not possible. This also applies to authentication at the user web interface and to SSL-VPN and IPSec-Xauth.

SSL-VPN:
Since re-authentication takes place every hour with the SSL-VPN, a new OTP must also be entered every hour.

The renegotiation interval can be increased accordingly, or renegotiation can be disabled completely.
Disabling it is, of course, not recommended. The change is made on the UTM for all SSL-VPN clients of this instance.
After the change, the SSL-VPN service is restarted automatically.

Saving the password in the SSL-VPN client is not possible because the password to be passed is composed of the static user password and the OTP.

If the OTP generator for administrator access fails, you require a printed version of the QR code.
If this is not available, access to the UTM is only possible with physical access directly at the device (keyboard and monitor at the UTM).

It is recommended to print this code for the administrators and file it with the documentation as described in OTP Secret.

  • Since the OTP method is time-based, care must be taken to ensure that the time server in the UTM runs synchronously with the hardware or software token.
  • The time of the UTM system can be checked in three ways:
    • Through the administration web interface: the time is shown in the widget selection if it is not expanded, or in the Network menu under the Server Settings menu item in the Time settings section.
    • Using the CLI with the command system date get
    • Using the root console with the command date
  • The system time can then be set using the following options:
    • Via the administration web interface in the Network menu under the Server settings menu item in the Time settings section.
    • Via the CLI with the command system date set date followed by the current date and time, separated by a space, in the format YYYY-MM-DD hh:mm:ss

User authentication via the UTM with Active Directory via OTP

Attributes in Active Directory

The UTM is connected to the Active Directory. Instructions for this can be found in the Wiki article Active Directory Connection. An unused attribute in the Active Directory schema is required; the secret code is stored in it.
Figure: AD advanced settings
A list of attributes can be found in the Active Directory under Active Directory Users and Computers.
For this, it is necessary to activate the menu item Advanced Features under View.
Open "Properties" for the desired user and switch to the tab Attribute Editor. There is the list with the attributes.
Figure: AD Attribute Editor
In this example the attributes extensionAttribute1 - 15 are available. Select one of these attributes to store the OTP secret code for the user.
New attributes can also be created. However, this is an intervention in the AD schema that results in the AD no longer being usable.

Enter attribute in the UTM

The attribute of the AD with the OTP secret code must be entered into the UTM.
In the menu Authentication / AD/LDAP Authentication switch to the area Extended.
Figure: AD OTP attribute
Caption: OTP-Attribute
Value: extensionAttribute10
Description: The attribute selected in AD is entered. The value already entered there is simply overwritten.

Generate OTP secret code

Since the AD attribute extensionAttribute10 should now contain a 16-digit base32 key code, this must be generated somehow. This can be done by the UTM.
Figure: Dummy user for OTP key
Simply create a user under Authentication / User, here with the name otp_dummy_user. This user does not have to belong to a group and does not need any permissions.
If this user is edited again, OTP is located on the right side.
The OTP area already contains a secret code created by a random generator, as well as a QR code generated from it.
A new secret code is generated with the corresponding button.
Figure: Generate OTP key
Not every authenticator app supports every hash algorithm! Some of these apps do not support SHA256 or SHA512.
When using these apps, the default value may have to be retained.
  • Example: the Google Authenticator and Microsoft Authenticator apps only support the hash algorithm SHA1.
  • The secret code can simply be copied and pasted into the Active Directory attribute.
    This of course also applies to a 40-digit HEX(60) key of a hardware token.
    Figure: Insert key code into attribute (Google Authenticator)
    Please note: when using a hardware token, the prefix (e.g. hex(60)) must be specified in the AD attribute before the PSK.
    Figure: Insert key code into attribute (hardware token)
    The syntax of the OTP secret code is as follows:
    ${HASH_ALGO}:${CODING}(${INTERVAL})${SECRET}
    • ${HASH_ALGO}: the hash algorithm, i.e. sha1, sha256, or sha512
      • If this is not specified, the default is sha1
    • ${CODING}: the input format, i.e. base32 (b32), base64 (b64), or hex
    • ${INTERVAL}: the interval, which must be in brackets
    • ${SECRET}: the secret code generated above
    Example: sha256 with base32 and 30 second interval → sha256:b32(30)1234567ABCD123
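The following Python is an added example, not code from this Wiki article or from the UTM itself: it parses an attribute value in the syntax above and computes the time-based code that belongs to it at a given Unix time, so an administrator can check that the value stored in the AD attribute produces the same code as the user's authenticator (a mismatch usually means a wrong prefix or an unsynchronised clock). It assumes that a bare secret without any prefix is treated as base32 with the sha1 default and a 30 second interval; the sample keys are the RFC 6238 reference secrets, not keys from this page.

```python
"""Parse the UTM OTP secret syntax and compute the matching time-based code."""
import base64
import hashlib
import hmac
import re
import struct

# ${HASH_ALGO}:${CODING}(${INTERVAL})${SECRET}; the hash prefix is optional (default sha1).
# Assumption (not stated on the page): a bare secret with no prefix at all is
# treated as base32 with the sha1 default and a 30 second interval.
_SYNTAX = re.compile(
    r"^(?:(?P<algo>sha1|sha256|sha512):)?"
    r"(?:(?P<coding>base32|b32|base64|b64|hex)(?:\((?P<interval>\d+)\))?)?"
    r"(?P<secret>[A-Za-z0-9+/=]+)$"
)


def parse_otp_secret(value: str) -> dict:
    """Return hash algorithm, interval and raw key bytes of an attribute value."""
    m = _SYNTAX.match(value.strip())
    if not m:
        raise ValueError(f"not a valid OTP secret string: {value!r}")
    coding = m.group("coding") or "b32"
    secret = m.group("secret")
    if coding in ("base32", "b32"):
        # The UTM key strings carry no '=' padding, so restore it before decoding.
        secret = secret.upper()
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    elif coding in ("base64", "b64"):
        key = base64.b64decode(secret + "=" * (-len(secret) % 4))
    else:
        key = bytes.fromhex(secret)  # 40 hex digits = 20-byte hardware token key
    return {
        "algo": m.group("algo") or "sha1",
        "interval": int(m.group("interval") or 30),
        "key": key,
    }


def totp(otp_secret: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for the given attribute value at the given Unix time."""
    cfg = parse_otp_secret(otp_secret)
    counter = unix_time // cfg["interval"]
    mac = hmac.new(cfg["key"], struct.pack(">Q", counter),
                   getattr(hashlib, cfg["algo"])).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```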
The QR code can be saved as an image simply by clicking the right mouse button, and then sent to the user in a suitable way. Instructions on how to set this up in a software token such as Google Authenticator can be found here.
Figure: Save QR code as an image
Of course, each user should get his own OTP key.
A new randomly generated key and QR code is created simply by clicking the corresponding button.

Create a group for AD authentication

The users in question must be grouped in the Active Directory, as individual users cannot be detected by the UTM.
Figure: Create user group
Finally, a user group must be created on the UTM that controls the permissions of the OTP-AD group on the UTM.
This in turn is then linked to the Active Directory group in question.
Figure: Link AD group with UTM user group
Now the user can log on to the services of the UTM with his Windows domain name, password and the additional OTP password, which he receives via the OTP token, without having to be entered additionally as a local user on the UTM.