Documents in OpenOTP Server

OpenOTP Servers Sizing according to the Number of Users

1. Introduction In this how-to, we will present you how to size your servers according to the number of users in your organization that will use OpenOTP. 2. Recommendations for 500 Users 1 dedicated server or Virtual machine with Linux (2 for High Availability). Server configuration: 3GHz processor (4 cores). 8GB RAM memory. 200MB disk space for installation files. 10GB disk space for log files and DB. Optionally 1 YubiHSM for hardware crypto.

Configure Push Login with OpenOTP

1. Background This document describes how to set up Push Login infrastructure, using WebADM, OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA Service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranet, extranet just to name a few. OpenOTP relies on proven technologies and open standards, such as OATH (the initiative for open authentication), HOTP / TOTP / OCRA, Radius, LDAP.

How to Configure RCDevs License Server

1. Introduction In this short How-To, we will explain how to configure RCDevs License Server. The license server is now the default RCDevs model for licensing. This documentation is addressed to every new customer who is subscribing for an enterprise license. For others, the license server can be used with at least WebADM 1.6.8-2. IMPORTANT NOTE Once the license server is configured with WebADM, a license cache is available for 10 days.

Read-Only Active Directory with WebADM

How To Configure WebADM with a Read-Only Active Directory Important Note An entreprise license is mandatory for that setup since WebADM 1.6.6 In some circumstances, we can not write in the LDAP backend. In that case, we need to store some configurations in a local LDAP database and users extra information in a SQL database. In this example, we will start with a WebADM server running with a local MariaDB and RCDevs Directory Server.

Feitian c100 - c200 Tokens with OpenOTP

How To use Feitian c100/c200 Tokens with OpenOTP OpenOTP supports Feitian c100 & c200 Token series. Feitian c100 are OATH-HOTP (event-based) and c200 are OATH-TOTP (time-based). The Tokens are provided with a PSKC import file by Feitian. The file includes the Token secret key in an encrypted or cleartext format. If it is encrypted, the PSKC decryption key should have been provided to you by Feitian. To register a Token with a PSKC file, edit a user account in WebADM and go to the OTP Server Actions.

Vasco Digipass GO6 Tokens with OpenOTP

How To use Vasco Digipass GO6 Tokens with OpenOTP OpenOTP supports Vasco Digipass GO6 Hardware Tokens. Digipass GO6 works with OATH-HOTP (event-based) and OATH-TOTP (time-based). If you know the type of your token and the secret seed, you can register an individual token directly to a user with “Manual Registration” in WebADM or Self-Desk. To register a Vasco GO6 Token with a serial number, you must import them into the WebADM inventory.

Active Directory with WebADM

1. Installation Packages Firstly, we have to install OpenOTP and WebADM packages available through RCDevs Repository or on RCDevs Website. In this how-to, we will install all required packages through the RCDevs repository. So, your servers should have internet access to download every package. 1.1 For Redhat/CentOS On a RedHat, Centos or Fedora system, you can use our repository, which simplifies updates. Add the repository on your server(s) who will host WebADM/OpenOTP:

Utilities and Command Line Tools for OpenOTP

1. Introduction In this HowTo, we will demonstrate some useful scripts available for OpenOTP and how to use them. 2. OpenOTP Utilities and Scripts Some scripts are available in: [root@webadm]# cd /opt/webadm/websrvs/openotp/bin [root@webadm bin]# ll total 44 -rwxr-xr-x 1 root root 4588 8 oct. 11:01 authtest -rwxr-xr-x 1 root root 4927 8 oct. 11:01 pskc2invrcdevs -rwxr-xr-x 1 root root 11384 8 oct. 11:01 report -rwxr-xr-x 1 root root 3887 8 oct.

ADFS & OpenOTP

Simple Login Push Login 1. Product Documentation This document is an installation guide for the OpenOTP Authentication Provider for AD FS 3.0 / 4.0. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides to WebADM refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs’ online documentation library.

proxy_user rights on Active Directory

How to configure proxy_user rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter, register token metadata on the user account… Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

Token Registration

1. Overview In this how-to, we will demonstrate the possible ways to enroll a hardware token or a software token on your mobile. For software token registration, you must have a token application installed on your phone like OpenOTP Token or Google Authenticator. OpenOTP Token is the recommended one to enjoy all features offered by OpenOTP server (like push login, phishing protection…). 2. Admin Enrollment through the WebADM Admin GUI A token enrollment can be done by a super_admin or other_admin user through the WebADM admin GUI.

super_admin rights on Active Directory

How To configure super_admin rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter. Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

How to migrate from a third party 2FA software to OpenOTP

1. Overview In this how-to, we will demonstrate how to easily migrate from a third party 2FA software to OpenOTP. In this documentation, we assume that you are already running WebADM, OpenOTP and Radius Bridge. To understand what will be done here, we will describe the steps: Have a WebADM, OpenOTP and Radius Bridge installed and configured, Activate every users who will require 2FA authentication at the WebADM level, Import your third-party hardware Tokens into WebADM.

MFAVPN

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. Hence, the installation or configuration of WebADM, including token registration is not covered in this guide. For installation and usage guides of WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation Website. 2. Installation of MFA VPN RCDevs MFA VPN package is available at the following link.

Windows Local Users and Computers Out Of Domain

1. Overview This tutorial will explain to you how to configure WebADM/OpenOTP servers and OpenOTP Credential Provider for Windows to authenticate local users using 2-factor authentication. We will also explain how to authenticate your users with OpenOTP and OpenOTP Credential Provider for Windows on a computer out of the domain. Both scenarios require an LDAP server to store user metadata (Token metadata needs to be stored on a user account in WebADM even for local account authentication).

What's Wrong??

What’s Wrong?? Here we describe how to fix some common errors easily. The first thing to do when a login failed for an unknown reason is to check the log file /opt/webadm/log/webadm.log and find the right log. 1. Invalid Username or Password [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] New openotpSimpleLogin SOAP request [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Username: john@my.company [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Password: xxxxxx [2017-07-21 09:13:16] [127.0.0.1] [OpenOTP:MKRVHYLX] > Client ID: RadTest [2017-07-21 09:13:16] [127.

User Activation

How To Activate Users An activated user is a user which is counted in the license and which is able to authenticate with OpenOTP. There are several ways to activate users. 1. Activate One User Graphically In WebADM, we select the user in the LDAP tree and click on Activate Now!: Then, we complete all mandatory attributes and click on Proceed: We click on Extend Object: Now, the user is activated.

Authentication

Test Double Authentication with a User 1. User Activation Once WebADM is installed and configured, we can connect to it with a web browser. We select the user to activate in the LDAP tree on the left, for example, Admin, or we create a new user by clicking on Create. Once the user is selected, we click on Activate Now!: If present, we fill mandatory attributes and Proceed: We click on Extend Object:

Client Policies

How To Create a Client Policy This documentation will explain how to configure a client policy on WebADM. 1. What is Client Policy? A Client Policy provides per-client application access control and customized configurations. The Client Policy objects are also used to customize the behavior of a client application (ex. a VPN server using OpenOTP Authentication Server). You can create a client policy object having the name of a Web Service’s client ID.

OpenOTP API WSDL

OpenOTP API Description The OpenOTP authentication service is implemented over the SOAP/XML and RADIUS APIs. The SOAP/XML API is provided with a SOAP WSDL service description listed below. The OpenOTP API is very simple and provides 4 methods: 1. openotpNormalLogin and openotpSimpleLogin These methods are used to send an authentication request. The request contains the following attributes: username: User login name (mandatory). domain: User login domain (optional if OpenOTP as a default domain setting set).

pfSense & OpenOTP

How To Enable OpenOTP Authentication on pfSense This document explains how to enable OpenOTP authentication with Radius Bridge and pfSense. 1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). 2. Register your pfSense in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.

How to use your Yubikey with RCDevs

1. Overview In this How-To, we will demonstrate how to reprogram your Yubikey with the Yubikey Personalization Tool, to generate an inventory file through Yubico tool to import the Yubikey in WebADM inventory and how to assign and use your Yubikey with OpenOTP. For this recipe, you will need to have WebADM and OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual. 2. Yubico Personalization Tool Once Yubico Personalization Tool is installed, open it.

OpenOTP & U2F Keys

Overview OpenOTP v1.2 supports both OTP and the newer FIDO-U2F standard from the FIDO Alliance for user authentication. If you intend to use OpenOTP with FIDO U2F, please read this document which explains how to enable and use U2F with your application integrations and WebADM self-services. FIDO Universal 2nd Factor (U2F) is a new authentication standard created by the FIDO Alliance which simplifies and strengthens two-factor authentication for businesses and consumers.

Microsoft Remote Desktop Services & OpenOTP

How To Configure MS Remote Desktop Services and RDWeb portal with OpenOTP Note OpenOTP plugin for Remote Desktop Services works for Windows Server 2012 & 2016. If you have an older version, you have to update your RDS infrastructure. 1. Prerequisites 1.1 Remote Desktop Services Infrastructure In this post, we will assume an existing Remote Desktop Services infrastructure installed and available. This post will not cover how to set up RDS.

WLAN EAP Authentication Radius

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do so. You have also to install our Radius Bridge product on your WebADM server(s). For authentication, you have two possible mechanisms. Username and password authentication using EAP-TTLS Certificate authentication using EAP-TLS (Supported from WebADM 1.6.8 & Radius Bridge 1.3.6) The WLAN protocol used does not support challenge-response, so only Login Mode LDAP or LDAP + Simple Push authentication is supported.

ASA SSL VPN

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). Another documentation on that setup is provided by Cisco at this link 2. Register your ASA SSL VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your ASA SSL VPN server.

F5 BIG-IP APM

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). 2. Register your F5 VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your F5 VPN server.

Swift Alliance Access and OpenOTP

1. Overview In this documentation, we will demonstrate how to integrate OpenOTP with Swift Alliance Access 7.2 (AA). LDAP and Radius protocols can be used to integrate AA with OpenOTP. Here, we will demonstrate the Radius integration. This guide has been written with the help of the official Swift Alliance Access 7.2 Administrator Guide. So here, we will use RADIUS one-time passwords authentication method and not the embedded two-factor authentication module implemented in AA.

Juniper-Pulse

How To Enable OpenOTP Authentication On Juniper-Pulse Secure This document explains how to enable OpenOTP authentication with Radius Bridge and Juniper SSL VPN. 1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s). 2. Register Your Juniper VPN In RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.

Palo Alto

How To Enable OpenOTP Authentication in Palo Alto SSL VPN This document explains how to enable OpenOTP authentication in Palo Alto SSL VPN. 1. Register your Palo Alto VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your Palo Alto VPN server. Example: client <VPN Server IP> { secret = testing123 shortname = PaloAlto-VPN } 2.

NetIQ

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. 2. NetIQ Installation and Initial Configuration We used the NetIQ appliance version 4.3 downloaded from the Microfocus website (trial version). ISO file name: AM_43_AccessManagerAppliance_Eval-0831.iso It’s SUSE Linux: netiqam:~ # cat /etc/SuSE-release SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 4 NetIQ Access Manager Appliance 4.