You can use standalone hardware tokens such as YubiKey 5 NFC, Protectimus Slim NFC token, and Token2 for multi-factor authentication (MFA) with Access Server using time-based one-time passwords (TOTP).
This guide covers configuring TOTP MFA on our Access Server and setting up a hardware token to serve as a TOTP authenticator.
Prerequisites
- A hardware token with TOTP/OTP support. We use the YubiKey 5 NFC in this guide.
- Yubico Authenticator installed on your Windows, macOS, iOS, or Android device. Refer to the Yubico site: Yubico Authenticator.
Note: We use a YubiKey as the hardware token. If you're using another one, such as Protectimus or Token2, refer to the vendor documentation for instructions on using their software authenticator.
Step 1: Enable TOTP MFA on Access Server
TOTP multi-factor authentication isn’t enabled by default for OpenVPN Access Server. You can enable it globally (all users), by specific groups, or by individual users.
- To turn on TOTP MFA from the Admin Web UI, follow the steps in this tutorial: Tutorial: Turn on TOTP Multi-Factor Authentication.
- You can also use the command line: Tutorial: How to Manage TOTP MFA from the Command Line.
Note: You can use TOTP MFA with the following authentication methods: local, RADIUS, LDAP, or PAM. You can't use it for SAML or PAS-only.
Step 2: Enroll from the Client Web UI
- Sign in to the Client Web UI.
- The next screen displays the QR code and enrollment code. The enrollment code is below the QR code.
- Open the Yubico Authenticator.
- Plug your hardware token (YubiKey) into your PC so the Yubico Authenticator detects it.
- Click Add account.
- Scan the QR code with Yubico Authenticator, or enter the enrollment code manually. The enrollment code is the same TOTP secret that the QR code encodes, so either method results in an identical credential on the token.
- After the code is entered, the account information populates.
- Click Save.
- The VPN user is now enrolled with the YubiKey.
- Enter the six-digit one-time password provided by the Yubico Authenticator.
- Click Confirm Code.
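To make clear what the token and Access Server are each computing during enrollment and at the Confirm Code step, the following is an added example (not code from this page, from OpenVPN, or from Yubico). It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, decodes an enrollment code the way an authenticator app does (tolerating spaces, lower case and missing padding), and performs the server-side check with a small clock-drift window and a constant-time comparison. The sample enrollment code is the base32 form of the RFC 6238 reference secret, constructed here for illustration; the otpauth:// label and issuer are assumptions and are not Access Server's exact values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample: the RFC 4226/6238 reference secret "12345678901234567890",
# base32-encoded the way an enrollment code is displayed under the QR code.
SAMPLE_ENROLLMENT_CODE = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(enrollment_code):
    """Turn the displayed enrollment code into the raw HMAC key.

    Authenticator apps tolerate spaces, lower case and missing '=' padding in
    a manually typed code, so normalise before base32-decoding.
    """
    s = enrollment_code.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(enrollment_code, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. This is
    what the YubiKey computes when Yubico Authenticator asks it for a code."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(enrollment_code), at // step, digits)


def verify_totp(enrollment_code, submitted, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and `window` steps on either
    side to absorb clock drift, comparing in constant time. Wrong-length or
    non-numeric input is rejected before any HMAC is computed."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    if at is None:
        at = int(time.time())
    secret = decode_secret(enrollment_code)
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


def otpauth_uri(enrollment_code, account, issuer="OpenVPN"):
    """The otpauth:// Key URI that TOTP QR codes carry. Label and issuer are
    illustrative assumptions, not Access Server's exact values."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={enrollment_code}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print("QR payload:", otpauth_uri(SAMPLE_ENROLLMENT_CODE, "alice"))
    code = totp(SAMPLE_ENROLLMENT_CODE)
    print("current code:", code, "accepted:", verify_totp(SAMPLE_ENROLLMENT_CODE, code))
```

Two practical consequences follow from this. The enrollment code is the long-term shared secret: anyone who copies it (from a screenshot, a ticket, or the QR code itself) can generate valid codes indefinitely, so treat it like a password and re-enroll the user if it is exposed. And because the counter is derived from wall-clock time, Access Server and the authenticator device both need accurate clocks (NTP on the server); a code that is consistently rejected usually means drift larger than the acceptance window rather than a bad secret.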
Step 3: Test your setup
- Download a connection profile for the enrolled user and import it into OpenVPN Connect.
- You can also use an already imported profile if you have one.
- Click or tap the profile toggle to connect.
- The TOTP MFA prompt appears.
- Enter the six-digit one-time password provided by the Yubico Authenticator.
- After a successful connection, OpenVPN Connect displays connection statistics.
If you have additional questions, please submit a ticket.