Cisco Meraki Client VPN 2FA

Integrating Protectimus’s multi-factor authentication solution enables a straightforward setup for Cisco Meraki Client VPN two-factor authentication (2FA), requiring just a few minutes to configure. By implementing MFA as an extra security layer, the Cisco Meraki Client VPN system ensures that only authorized users can access it, significantly enhancing protection against potential cyber threats.

In the current era of widespread remote work, establishing a secure remote access system is of paramount importance. Protectimus offers a multifactor authentication solution for Cisco Meraki Client VPN, guaranteeing that even if a user’s login credentials are compromised, their access to the VPN remains safeguarded. Two-factor authentication serves as a strong defense against various cyber threats, including phishing, brute force, social engineering, MITM, and data spoofing attacks, thereby ensuring the security of your organization’s data and resources.

Protectimus allows secure access to your Cisco Meraki Client VPN by providing multi-factor authentication (MFA) using the Protectimus RADIUS server.

The scheme of work of the Protectimus solution for Cisco Meraki Client VPN two-factor authentication is presented below.

Cisco Meraki Client VPN two-factor authentication via RADIUS

1. How Cisco Meraki Client VPN 2FA Works

Protectimus’ Two-Factor Authentication Solution for Cisco Meraki Client VPN adds an additional layer of security, effectively thwarting unauthorized access attempts to your VPN.

Upon enabling two-factor authentication (2FA) on your Cisco Meraki Client VPN server, users will be required to provide two separate authentication factors to access their accounts.

When implementing 2FA/MFA for Cisco Meraki VPN, users will need to provide:
  1. The first factor, which is their username and password (something the user knows);
  2. The second factor, which is a one-time password generated using a hardware OTP token, 2FA chatbot or a smartphone app (something the user possesses).

To compromise a Cisco Meraki Client VPN protected by two-factor authentication (2FA/MFA), a hacker would need to obtain both a standard password and a one-time password simultaneously, with only a 30-second window to intercept the latter. This nearly impossible task highlights the remarkable effectiveness of two-factor authentication against most hacking attempts.

2. How to Enable 2FA for Cisco Meraki Client VPN

You can set up multi-factor authentication (2FA) for Cisco Meraki with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for Cisco Meraki Client VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Cisco Meraki VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Cisco Meraki VPN MFA

  1. In the Cisco Meraki Dashboard, navigate to Security & SD-WAN, and then select the Client VPN option.

 Cisco Meraki Client VPN two-factor authentication (2FA) setup - Step 1

  2. Choose AnyConnect Settings, proceed to the Authentication and Access section, and configure the following:
    • Authentication Type: RADIUS.
    • RADIUS servers: The subsequent step will explain how to add a RADIUS server.
    • RADIUS timeout: 60 seconds.

 Cisco Meraki Client VPN two-factor authentication (2FA) setup - Step 2

  3. Within the RADIUS servers section, click Add a RADIUS server and configure the following:
    • Host: Enter the IP address of the server where the Protectimus RADIUS Server component is installed.
    • Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    • Secret: Enter the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.

Cisco Meraki Client VPN two-factor authentication (2FA) setup - Step 3

Integration of two-factor authentication (2FA/MFA) for your Cisco Meraki VPN is now complete. If you have other questions, contact Protectimus customer support service.

How to Change Passwords in AD Through the Protectimus Self-Service Portal

IMPORTANT NOTE:
  1. Changing the password in AD using the self-service portal works only via LDAPS (SSL) connection; it does not work via LDAP.
  2. The option to change passwords in AD using the self-service portal is available exclusively for users synchronized from AD; it is not applicable to DSPA users.

1. Update the Protectimus On-Premise Platform

You can update the Protectimus On-Premise Platform using a Docker image on any operating system.

However, if you initially installed the Platform on Windows, you may follow the instructions for Windows users below.

1.1. Updating Platform Using a Docker Image

You have two options for updating the Protectimus On-Premise Platform with a Docker image. We’ll walk you through both methods so that you can choose the one that best suits your preferences.

1.1.1. Updating via Git Repository Cloning

  1. Use this command to clone the repository containing the Docker Compose files to the computer where the Protectimus On-Premise Platform is installed.

    git clone https://github.com/protectimus/platform

    The contents of the repository will be as follows:

    .
    └── platform
        ├── platform
        │   ├── docker-compose.yaml
        │   ├── .env
        │   ├── platform_data
        │   │   ├── autogenerated-keystore.jks
        │   │   └── protectimus.platform.properties
        │   └── postgres_data
        ├── radius
        │   ├── config
        │   │   ├── radius.all.yml
        │   │   └── radius.yml
        │   ├── docker-compose.yaml
        │   └── .env
        └── unifi-guest-portal
            ├── config
            │   ├── fragments.html
            │   ├── guest-portal.all.yml
            │   └── guest-portal.yml
            ├── docker-compose.yaml
            └── .env

  2. Go to the platform directory:

    cd platform/platform

  3. Run the application using Docker Compose.

    This command will start all the containers required for your application in the background (-d):

    docker-compose up -d

  4. Stop the running containers using this command:

    docker-compose down

  5. Make a backup of your database. The data is located in the postgres_data directory.

  6. Get the latest changes from the Git repository.

    This command updates your local copy to the latest version published in the Git repository.

    Resolve any configuration conflicts if necessary.

    git pull

  7. Download the updated images. This command will download the updated Docker images from your Docker registry:

    docker-compose pull

  8. Restart containers with new images.

    This command will restart the containers using the updated images in the background mode (-d):

    docker-compose up -d

1.1.2. Manual Update from Github

  1. Download the latest version of the archive with the Protectimus Platform from Github and extract it:
    https://github.com/protectimus/platform/releases

    The contents of the archive will be as follows:

    .
    └── platform
        ├── platform
        │   ├── docker-compose.yaml
        │   ├── .env
        │   ├── platform_data
        │   │   ├── autogenerated-keystore.jks
        │   │   └── protectimus.platform.properties
        │   └── postgres_data
        ├── radius
        │   ├── config
        │   │   ├── radius.all.yml
        │   │   └── radius.yml
        │   ├── docker-compose.yaml
        │   └── .env
        └── unifi-guest-portal
            ├── config
            │   ├── fragments.html
            │   ├── guest-portal.all.yml
            │   └── guest-portal.yml
            ├── docker-compose.yaml
            └── .env

  2. Go to the platform directory:

    cd platform/platform

  3. Run the application using Docker Compose.

    This command will start all the containers required for your application in the background (-d):

    docker-compose up -d

  4. Stop the running containers using this command:

    docker-compose down

  5. Make a backup of your database. The data is located in the postgres_data directory.

  6. Change the component version to the latest in the .env file.

  7. Download the updated images. This command will download the updated Docker images from your Docker registry:

    docker-compose pull

  8. Restart containers with new images.

    This command will restart the containers using the updated images in the background mode (-d):

    docker-compose up -d

1.2. Updating Platform on Windows

1.2.1. Before updating the platform, stop the platform in Services.
Stop the Protectimus On-Premise Platform - Steps 1 to 3

1.2.2. Install the new version of the Protectimus On-Premise Platform, and when selecting a database, choose the one used in the old version of the Protectimus platform.
  1. Choose the necessary components.
Install the new version of the Protectimus On-Premise Platform - Step 1

  2. Click Next.
Install the new version of the Protectimus On-Premise Platform - Step 2

  3. Click Next.
Install the new version of the Protectimus On-Premise Platform - Step 3

  4. Use your username and password to log in to the PostgreSQL database you created during the first platform installation and click LogIn.
Install the new version of the Protectimus On-Premise Platform - Step 4

  5. Enter the name of the database you used in the old version of the Protectimus platform and click Select.
    You can click the List button to see the list of available databases if you don’t remember the exact name of the necessary database.
Install the new version of the Protectimus On-Premise Platform - Step 5

  6. Preferably, use the same destination folder as previously.
Install the new version of the Protectimus On-Premise Platform - Step 6

  7. Once the platform is installed, you will see the changelog describing recent updates; close it.
Install the new version of the Protectimus On-Premise Platform - Step 7

  8. Then click OK to finish the installation.
Install the new version of the Protectimus On-Premise Platform - Step 8

2. Set Up the Protectimus User’s Self-Service Portal

  1. Open the Protectimus Platform, which is available at http://localhost:8080, and log in to your account. Then, go to the Resources tab, click on the resource name, and navigate to the Self-Service tab.
Set Up the Protectimus User's Self-Service Portal - Step 1 Set Up the Protectimus User's Self-Service Portal - Step 2

  2. If you haven’t enabled the Self-Service Portal for your users yet, click on Enable User’s Self-Service for your resource, and specify the address at which your users will access the Self-Service Portal.
Set Up the Protectimus User's Self-Service Portal - Step 3 Set Up the Protectimus User's Self-Service Portal - Step 4

  3. Now, choose the authentication methods your users will use to log into the Self-Service Portal and specify the actions that will be available to them.

    All these access methods can be enabled simultaneously without conflicts. If both Federated Auth and Password Auth are enabled, users can log into the Self-Service Portal using either the AD password or the Platform password; both will be valid:
    • Federated Auth: Users log into the Self-Service Portal using their password from Active Directory (AD). If enabled, setting the user’s password within the Protectimus Platform is not required.
    • Auth via Security Questions: Users log into the Self-Service Portal by answering secret questions.
    • Password Auth: Users log into the Self-Service Portal using the password set in the Users’ settings within the Protectimus Platform.
    • Email Auth: Users log into the Self-Service Portal using a one-time code sent to the email specified in the Users’ settings within the Protectimus Platform.

    • Password Policy: This feature allows you to set policies for users, enabling them to change/create a password themselves after logging into the Self-Service Portal.
    • Change Federated Password: By enabling this feature, you grant users permission to change their AD password through the Self-Service Portal. To change the AD password, they will need to specify both the old and new AD passwords.
    • Reset Federated Password: Enabling this feature grants users permission to reset the AD password through the Self-Service Portal, requiring only the specification of the new password.
Set Up the Protectimus User's Self-Service Portal - Step 5

3. Give Your Users Access to Protectimus User’s Self-Service Portal

To log into the Self-Service Portal, your users will need:
  1. Either a password or an email registered in the Protectimus platform.
    Users with both a password and a registered email address will use the password. For those with only an email, a verification code will be sent to the registered email address. If necessary, you can add passwords or emails in User settings.
Edit Protectimus Users Settings

  2. The link specified when enabling the Self-Service Portal.
Protectimus User's Self-Service link

Users should follow this link, log into their Self-Service Portal account, and they will see the Change Federated Password button and any other activated buttons. Then they should click the respective button and follow the required sequence of steps to perform the chosen action.

How to Change Passwords in AD Through the Protectimus Self-Service Portal

NOTE:
  1. Changing the password in AD using the Self-Service Portal works only via LDAPS (SSL) connection; it does not work via LDAP.
  2. The option to change passwords in AD using the Self-Service Portal is available exclusively for users synchronized from AD; it is not applicable to DSPA users.

Forcepoint VPN 2FA

You can easily set up Forcepoint VPN two-factor authentication (2FA) with Protectimus’s seamless integration process, which takes only a few minutes to configure. By incorporating MFA as an additional layer of security, the Forcepoint VPN system allows only authorized users to gain access, providing a stronger defense against potential cyber threats.

In today’s world, where remote work is becoming increasingly common, it’s critical to have a secure remote access system. The Protectimus multifactor authentication solution for Forcepoint VPN ensures that even if a user’s login credentials are compromised, their access to the Forcepoint VPN remains protected. Two-factor authentication provides a robust defense against potential cyber threats including phishing, brute force, social engineering, MITM and data spoofing attacks, ensuring your organization’s data and resources are kept secure.

Protectimus allows secure access to your Forcepoint VPN by providing multi-factor authentication (MFA) using the Protectimus RADIUS server.

The scheme of work of the Protectimus solution for Forcepoint VPN two-factor authentication is presented below.

Forcepoint VPN two-factor authentication via RADIUS

1. How Forcepoint VPN 2FA Works

Protectimus Two-Factor Authentication Solution for Forcepoint VPN provides an extra layer of security to prevent unauthorized access to your Forcepoint VPN.

Once you enable two-factor authentication (2FA) on your Forcepoint server, your users will use two different authentication factors to get access to their accounts.

These two factors are:
  1. The first factor is username and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a Forcepoint VPN protected with two-factor authentication (2FA/MFA), a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against most hacking attacks.

2. How to Enable 2FA for Forcepoint VPN

You can set up multi-factor authentication (2FA) for Forcepoint VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for Forcepoint VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Forcepoint VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Forcepoint VPN MFA

  1. Navigate to the Forcepoint Server Admin Dashboard.
  2. From the Configuration menu, select User Authentication.
  3. Right-click on the Servers section and choose New –> RADIUS Authentication Server.
  4. Next, proceed to the General tab and configure the following settings.
    • Name: Come up with a name for your RADIUS server, e.g. Protectimus RADIUS Server.
    • IP Address: Enter the IP of server where the Protectimus RADIUS Server component is installed.
    • Resolve: The IP address of the server will be automatically resolved from a domain name entered into the Name field.
    • Location: If there is a NAT device between the server and other SMC components, this field specifies the location of the server.
    • Contact Addresses:
        1. Default — This option is used by default when a component belonging to another location connects to the server.
        2. Exceptions — Selecting this option will open the Exceptions dialog box.
    • Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    • Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    • Number of Retries: This setting specifies the number of times that Firewalls attempt to connect to the RADIUS authentication server in the event of a failed connection.
    • Timeout: This setting specifies the time (in seconds) that Firewalls will wait for a reply from the RADIUS authentication server. Set to 60 seconds.
    • Tools Profile: You can add custom commands to the server’s right-click menu. Click Select and select a Tools Profile element.

  5. To configure the authentication methods, go to the Authentication Methods tab and adjust the following settings:
    • Name: This field displays the name of the Authentication Method.
    • Type: This field displays the authentication type. In this case: RADIUS — The RADIUS protocol is used.
    • Comment: To enter a comment, double-click on the cell.
    • Add: Clicking this option opens the Select Element dialog box, which allows you to add the selected authentication method to the Authentication Methods list.
    • Edit: Selecting this option opens the Properties dialog box for the chosen authentication method.
    • Remove: Selecting this option removes the chosen authentication method.

  6. Click OK.

  7. After clicking OK, you can proceed to configure the RADIUS authentication server to accept connections from your Firewall engines by following these steps:
    • Ensure that the shared secret is identical on both the Management Client and RADIUS authentication server.
    • The Firewall’s identity that is presented to the server is the IP address of the interface chosen as the value for the IPv4 Identity for Authentication Requests or IPv6 Identity for Authentication Requests in the Firewall’s Interface Options.
    Please note! The IP address used as the identity is merely a name, and the interface and IP address used for authentication-related connections are selected based on the Firewall’s routing information, like any other connection.
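
Both RADIUS client setups on this page (the Secret field in Cisco Meraki and the Shared Secret field in Forcepoint) depend on the value matching the radius.secret property on the Protectimus RADIUS Server. The following Python is an added example, not Protectimus, Cisco or Forcepoint code: it implements the RFC 2865 User-Password hiding and Response Authenticator check to show what a mismatched secret does on each side. The user name, password and secrets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2     # RFC 2865 attribute types


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password using the server's copy of the secret."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = b"") -> bytes:
    """Client side (the VPN gateway): Access-Request with a hidden password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if it was computed with the same secret."""
    if len(response) < 20:
        return False
    _code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    """Compare a server whose secret matches the VPN gateway with one that does not."""
    vpn_secret = b"constructed-secret-A"           # value typed into the VPN dashboard
    password = b"constructed-password-123456"      # 27 bytes, so two 16-byte blocks
    request = build_access_request(7, b"alice", password, vpn_secret)
    request_auth, hidden = request[4:20], request[-32:]   # last attribute value
    results = {}
    for label, server_secret in (("match", vpn_secret),
                                 ("mismatch", b"constructed-secret-B")):
        response = build_response(ACCESS_ACCEPT, request, server_secret)
        results[label] = {
            "server_sees_password": reveal_password(hidden, server_secret, request_auth) == password,
            "client_accepts_reply": verify_response(response, request, vpn_secret),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With a mismatched secret the server decodes a garbage password and the gateway discards the reply, so a typo in the secret shows up as failed or timed-out logins rather than an explicit configuration error.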

Integration of two-factor authentication (2FA/MFA) for your Forcepoint VPN is now complete. If you have other questions, contact Protectimus customer support service.

2FA app Protectimus Smart OTP

Protectimus Smart OTP is a free 2FA authenticator app with cloud backup support that is available for both Android and iOS devices. This guide will show you how to use the Protectimus MFA app to enhance the security of your online accounts.

How Does Protectimus Smart 2FA App Work

Protectimus Smart OTP is a two-factor authentication app that provides an additional layer of security to your online accounts. With the Protectimus Smart OTP 2FA authenticator, you can generate one-time passwords (OTPs) on your mobile device that can be used as the second factor in the authentication process on any website that supports MFA.

The Protectimus Smart 2FA authenticator offers many advantages, including:
  • Encrypted cloud backup;
  • Ability to transfer tokens to a new phone;
  • Ability to import tokens from Google Authenticator;
  • PIN and biometric authentication protection (Touch ID and Face ID);
  • Support for all OATH one-time password generation algorithms (HOTP, TOTP, and OCRA);
  • Delivery of two-factor push notifications;
  • Data signature function (Confirm What You See) to better control your operations with funds;
  • 6 and 8 digit one-time passwords;
  • Multiple language support: English, French, German, Spanish, Russian, and Ukrainian;
  • Convenient distribution of OTP tokens by folders;
  • Customization of tokens with different emojis and descriptions.

1. Getting Started With the Protectimus Smart 2FA Authenticator

  1. Download and install the Protectimus Smart OTP two-factor authentication app from the App Store or Google Play.

  2. You will see a welcome screen. Tap Continue.
 
MFA application Protectimus Smart OTP setup - Step 1
 
  3. On the next step, you will be asked to Activate Cloud Backup.

    We strongly recommend using this feature to ensure that you do not lose your OTP tokens in case you lose or damage your phone, or accidentally delete the 2FA app. To activate cloud backup, select the option and press Continue.

    Please note! If you already have a cloud backup saved, all the tokens from your backup will be added to the 2FA app after you activate cloud backup at this stage.

2FA application Protectimus Smart OTP setup - Step 2

  4. Now you can add a new token or import your 2FA tokens from Google Authenticator.

    For instructions on how to import tokens from Google Authenticator, please refer to the detailed guide here.

    For instructions on how to add new tokens, please refer to the detailed guide here.

MFA application Protectimus Smart OTP setup - Step 3

2. Adding Tokens

  1. To add a new token, open the Protectimus Smart OTP two-factor auth app and tap on the plus sign in the upper left corner.

Adding tokens to MFA app Protectimus Smart OTP - Step 1

  2. You can choose to add the token by scanning a QR code or by entering the secret key manually.

    If you choose to Scan QR code, simply point your smartphone’s camera at the code on the security settings page of the website you want to protect with two-factor authentication. The app will automatically scan the QR code and create a token.

Adding tokens to MFA app Protectimus Smart OTP - Step 2 - Scanning the QR code

  3. If you choose to Add token manually, you’ll need to enter the token name (Login) and the secret key (Token key), then choose the OTP generation algorithm (OTP Type), the one-time password length, and the lifetime. Then save the changes by tapping the Add token button in the upper-right corner.

    Note that if you’re using a two-factor authentication system other than Protectimus, you should uncheck the Protectimus checksum checkbox.

Adding tokens to MFA app Protectimus Smart OTP - Step 3 - Adding tokens manually
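
What the QR code and the manual form above both carry, shown as an added Python example that is not Protectimus code. It assumes the QR code holds a standard otpauth:// key URI, the format commonly used by authenticator apps, and uses the published RFC 6238 test key as sample input; the Protectimus checksum option is not modeled.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Extract the fields the manual form asks for from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("URI has no secret parameter")
    b32 = query["secret"].replace(" ", "").upper()
    key = base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore stripped padding
    digits = int(query.get("digits", 6))
    if digits not in (6, 8):
        raise ValueError("OTP length must be 6 or 8 digits")
    algorithm = query.get("algorithm", "SHA1").lower()
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported HMAC algorithm")
    return {
        "login": unquote(parts.path.lstrip("/")),   # token name (Login)
        "issuer": query.get("issuer", ""),
        "key": key,                                 # secret key (Token key)
        "algorithm": algorithm,
        "digits": digits,                           # one-time password length
        "period": int(query.get("period", 30)),     # lifetime in seconds
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(token: dict, at: float) -> str:
    """RFC 6238: HOTP with counter = Unix time // period."""
    counter = int(at) // token["period"]
    return hotp(token["key"], counter, token["digits"], token["algorithm"])


def verify_totp(token: dict, candidate: str, at: float, window: int = 1):
    """Return the matching time step, or None if no step matches.

    window=1 also accepts the previous and next step to tolerate clock drift
    (an assumption for this example, not a documented Protectimus setting).
    A server should store the returned step and refuse to accept it again.
    """
    current = int(at) // token["period"]
    matched = None
    for step in range(max(0, current - window), current + window + 1):
        expected = hotp(token["key"], step, token["digits"], token["algorithm"])
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            matched = step
    return matched


# Constructed sample URI; the secret is the RFC 6238 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&algorithm=SHA1&digits=8&period=30")

if __name__ == "__main__":
    sample = parse_otpauth(SAMPLE_URI)
    print(sample["login"], totp(sample, 59))
```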

3. Editing and Deleting Tokens

  1. To edit or delete a token, long-press on its name and choose the desired action. Alternatively, you can open the Edit Token menu by tapping the pen icon in the upper-right corner and selecting the token you want to modify.

How to edit tokens in the 2FA app Protectimus Smart OTP

  2. Once you’re in the Edit Token menu, you can customize the token by:
    • changing its emoji,
    • setting the issuer,
    • updating its name (Login),
    • adding a description (Additional information),
    • adjusting the OTP length,
    • assigning it to a folder.
    If you need to remove the token entirely, there’s an option to delete it.

    Once you’ve made your changes, click Save and close in the upper-right corner to confirm.

How to edit tokens in the 2FA app Protectimus Smart OTP - Edit token menu

4. Grouping Tokens by Folders

  1. To keep your tokens organized, you can group them into folders.

    To add a token to a folder, simply long-press its name and select Add to folder.

2FA application Protectimus Smart OTP - how to add tokens to folders

  2. You’ll be taken to the folder settings menu, where you can either choose an existing folder or create a new one. If you want to create a new folder, click on the icon in the top right corner.

2FA application Protectimus Smart OTP - how to add tokens to folders - create folder

  3. To manage your folders, click on the gear icon in the upper right corner to go to the Settings page.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  4. Select Folder Settings.

2FA application Protectimus Smart OTP - Folder Settings

  5. From here, you can edit, delete, and create new folders, as well as edit tokens in any folder.

2FA application Protectimus Smart OTP - Folder Settings

5. Changing the Order of Tokens

You can customize the order of your tokens to suit your needs. With this feature, you can quickly access your most frequently used tokens.
  1. To do so, open the Edit Token menu by tapping the pen icon in the upper-right corner.

2FA app Protectimus Smart OTP - Changing the Order of Tokens - Step 1

  2. From there, simply drag the tokens to rearrange them in the desired order. Save the changes by clicking on the checkmark in the upper right corner.

2FA app Protectimus Smart OTP - Changing the Order of Tokens - Step 2

6. Cloud Backup

To safeguard your OTP tokens in case of device loss or accidental deletion of the 2FA app, we strongly recommend using the Cloud Backup feature. Additionally, we strongly advise protecting the backup file with a password for added security.

To manage your backup files, simply navigate to the Backup page where you can activate, update, restore or delete your backups.

By utilizing this feature, you can ensure that your OTP tokens are always available and secure, even in unexpected circumstances.

  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Tap Backup in cloud.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 2

  3. If the backup function is not activated yet, enable it.

2FA app Protectimus Smart OTP - Cloud backup activation

  4. If the backup function has been activated and you have made any changes, you can Restore the previous version or Update the backup file. Tap the Upload button to upload the latest changes to the cloud.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 3

  5. You will see an alert message. If you are sure that you want to upload the current OTP tokens to the cloud, tap Update. Please note that this will erase previous backups.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 4

Please note! To secure your backup file, we recommend adding a password using the Add backup file password button.

Protectimus Smart OTP 2FA application - Add Cloud Backup Password

7. App Security (PIN and Biometric Authentication)

For optimal security, it is highly recommended that you safeguard access to the Protectimus Smart OTP two-factor authentication application with either a PIN or biometric authentication.

To enable PIN or biometric authentication with fingerprint or face ID, follow these steps:

  1. Go to the Settings menu.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Select App security.

2FA authenticator Protectimus Smart - Security Settings

  3. Create a unique PIN for the application.

2FA authenticator Protectimus Smart - PIN setup

  4. The app will prompt you to allow biometric authentication for easier access.

2FA authenticator Protectimus Smart - Biometric authentication setup

  5. Once both PIN and biometric protection are enabled, you can manage your PIN, and turn biometric authentication on or off from the App security page.

2FA authenticator Protectimus Smart - App Security Settings Page

By taking these simple steps, you can ensure that your Protectimus Smart OTP two-factor authentication application is as secure as possible.

8. Transferring Tokens to a New Phone

Protectimus Smart OTP authenticator offers a convenient Data Transfer feature that enables you to effortlessly move your tokens from one phone to another or download and store the backup file in a location of your choice. With this feature, you can export your data into an encrypted file with password protection for added security.

  1. To get started, simply navigate to the Settings menu.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Tap on the Data transfer option.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature

  3. If you want to transfer tokens from your current device to another, choose Export tokens. Alternatively, if you want to import saved data onto your device, select Import tokens.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

  4. If you choose to export tokens, create a strong password and click on Continue to generate the file containing all your data.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

  5. Remember to save this file so you can import your tokens onto the new device later.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

9. Importing from Google Authenticator

You can easily transfer your tokens from Google Authenticator 2FA app to the Protectimus Smart OTP.

To get started, open your Google Authenticator application and:
  • tap the menu button located at the top-right corner;
  • select Transfer accounts;
  • then choose Export accounts;
  • select the tokens you wish to transfer to Protectimus Smart OTP;
  • tap Next, and you will see a QR code, scan this QR code using the Protectimus Smart OTP app.

In the Protectimus Smart OTP app:
  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Select Import from Google Authenticator, scan the QR code generated by Google Authenticator and wait for the import process to complete.

Two-factor authentication app Protectimus Smart OTP - Import from Google Authenticator

10. Data Signature Method (CWYS)

Protectimus Data Signature, also known as CWYS (Confirm What You See), is a powerful tool that safeguards against phishing, data spoofing, man-in-the-middle attacks, and similar hacking techniques.

2FA app Protectimus Smart - Data signature method

Based on the OCRA algorithm, Protectimus Data Signature allows users to verify key details of financial transactions before confirming them.

To use this feature, you will need to enter a challenge code into the app to generate a one-time password. You can enter the code manually or scan a QR code.

2FA app Protectimus Smart - Data signature method

To set your preferred method for entering a challenge code:

  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Select the Data Signature method.

2FA app Protectimus Smart - Data signature method

  1. Choose your desired option, and click Save and go back.

2FA app Protectimus Smart - Data signature method
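
Why a challenge-based code protects against data spoofing, as an added example (generic RFC 6287 OCRA, not Protectimus code): the one-time password is computed over the challenge, so a response produced for the transaction the user saw does not verify for different transaction details. How Protectimus derives the challenge from a transaction is not described on this page; `challenge_for`, the suite choice and the sample transactions are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RFC 6287 suite: HMAC-SHA1, 6-digit response, 8-digit numeric challenge
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"


def ocra_qn08(key: bytes, challenge: str) -> str:
    """One-way OCRA response (RFC 6287) for an 8-digit numeric challenge."""
    if not (challenge.isdigit() and len(challenge) == 8):
        raise ValueError("challenge must be exactly 8 decimal digits")
    # RFC 6287: numeric challenge -> hex string, right-padded with zeros to 128 bytes
    question = bytes.fromhex(format(int(challenge), "X").ljust(256, "0"))
    mac = hmac.new(key, SUITE.encode() + b"\x00" + question, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # HOTP dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**6:06d}"


def challenge_for(transaction: dict) -> str:
    """Hypothetical binding: hash the canonical transaction fields into 8 digits."""
    canonical = "|".join(f"{name}={transaction[name]}" for name in sorted(transaction))
    digest = hashlib.sha256(canonical.encode()).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


def server_accepts(key: bytes, transaction: dict, response: str) -> bool:
    """The server recomputes the challenge from the transaction it actually received."""
    expected = ocra_qn08(key, challenge_for(transaction))
    return hmac.compare_digest(expected, response)


# Constructed sample data: RFC 6287 test key and two made-up transactions.
KEY = b"12345678901234567890"
SHOWN_TO_USER = {"to": "ACME-001", "amount": "100.00", "currency": "EUR"}
ALTERED_IN_TRANSIT = {"to": "OTHER-777", "amount": "100.00", "currency": "EUR"}

# The user confirms what the app displays and the app signs that challenge.
USER_RESPONSE = ocra_qn08(KEY, challenge_for(SHOWN_TO_USER))

if __name__ == "__main__":
    print("RFC 6287 vector (Q=00000000):", ocra_qn08(KEY, "00000000"))
    print("original transaction accepted:", server_accepts(KEY, SHOWN_TO_USER, USER_RESPONSE))
    print("altered transaction accepted: ", server_accepts(KEY, ALTERED_IN_TRANSIT, USER_RESPONSE))
```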

11. Push Tokens

Two-factor authentication app Protectimus Smart OTP offers push notifications as a convenient way to confirm transactions and streamline the login process for end-users, providing additional protection against transaction data replacement.

This feature is available exclusively for services that use Protectimus 2FA solution as their two-factor authentication system backend.

To add, use, or delete push tokens, follow the steps outlined in the next paragraph.

Please note!
  1. You cannot receive push notifications if your phone is offline.
  2. Push tokens cannot be edited, backed up, or transferred to another device.

11.1. How to Add Push Tokens

  1. Open the Protectimus Smart OTP MFA app and tap on the plus sign in the upper left corner.

Adding tokens to MFA app Protectimus Smart OTP - Step 1

  1. Choose to Scan QR code and scan the QR code on the service where you plan to use this push token.

Adding tokens to MFA app Protectimus Smart OTP - Step 2 - Scanning the QR code

  1. To proceed, save the public key to your device by tapping the Continue button.

Adding push tokens to MFA app Protectimus Smart OTP - Step 3

  1. You’re all set! The push token has been created, and you’ll receive a notification confirming its successful creation.

Adding push tokens to MFA app Protectimus Smart OTP - Step 4

Important! To receive push notifications from the Protectimus Smart OTP 2FA app, you must enable notifications in your app settings. Please ensure that notifications from the Protectimus Smart OTP app are allowed.

Adding push tokens to MFA app Protectimus Smart OTP - Step 5

11.2. How 2FA Push Notifications Work

This advanced two-factor authentication feature provides additional protection against data spoofing and transaction data replacement.

Note! The device must be online to receive the push notification.
  1. When making a transaction or attempting to log in to a two-factor authentication-protected service, a push notification will be sent to your phone.

Push tokens in the Protectimus Smart OTP 2FA app - Step 1

  1. You’ll need to open the app to view and confirm the details of the transaction.

Push tokens in the Protectimus Smart OTP 2FA app -  Confirm transaction

  1. Or to view and confirm the location of the login attempt.

Push tokens in the Protectimus Smart OTP 2FA app -  Confirm location

11.3. How to Delete Push Tokens

Please note! Push tokens cannot be edited, backed up, or transferred to another device. Deleting a push token is irreversible, and there is no way to restore it. This means that you may lose access to the account associated with the token if it is deleted.
  1. To delete a push token, go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Go to Push tokens.

Deleting push tokens to MFA app Protectimus Smart OTP - Step 2

  1. Tap the three dots next to the token you wish to delete, and select Delete token.

Deleting push tokens to MFA app Protectimus Smart OTP - Step 3

  1. A confirmation message will appear, and you should only proceed if you are certain that deleting the token will not result in the loss of access to the account protected by it.

Deleting push tokens to MFA app Protectimus Smart OTP - Step 4

12. Time Correction

If you see the message “The one-time code is invalid” when attempting to enter a one-time password, it may be due to a time drift between your token and the two-factor authentication server. To resolve this issue, a time correction may be necessary.

To synchronize your Protectimus Smart OTP app’s internal clock with Protectimus servers:
  1. Navigate to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Select the Time correction option.

2FA app Protectimus Smart - Time correction

  1. If everything is in order, you will see a message confirming that the time is already correct.

2FA app Protectimus Smart - Time correction
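
Why clock drift produces “The one-time code is invalid”, as an added example (generic RFC 6238 TOTP, not Protectimus code): a time-based code depends only on the shared secret and the current time step, so a phone clock that is off by more than the server's acceptance window yields codes the server never tries. The ±1 step window, the 95-second skew and the secret are assumptions of this example.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and floor(time / step)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def verify(secret: bytes, code: str, server_time: int, step: int = 30, window: int = 1):
    """Try the current step and `window` steps either side, nearest first.

    Returns the matching step offset, or None (the "code is invalid" case).
    """
    for delta in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, server_time + delta * step, step, len(code))
        if hmac.compare_digest(candidate, code):
            return delta
    return None


def estimate_drift_steps(secret: bytes, code: str, server_time: int,
                         step: int = 30, search: int = 20):
    """Diagnostic only: widen the search to see how far the token clock has drifted."""
    return verify(secret, code, server_time, step, window=search)


# Constructed sample data.
SECRET = b"12345678901234567890"      # RFC 6238 test secret
SERVER_TIME = 1_700_000_000           # server's view of "now"
PHONE_SKEW = 95                       # phone clock runs 95 seconds fast


def demo():
    """Return (result with drift, measured drift in steps, result after correction)."""
    drifted_code = totp(SECRET, SERVER_TIME + PHONE_SKEW)
    # Time correction: the app subtracts the measured skew before computing the code.
    corrected_code = totp(SECRET, SERVER_TIME + PHONE_SKEW - PHONE_SKEW)
    return (
        verify(SECRET, drifted_code, SERVER_TIME),
        estimate_drift_steps(SECRET, drifted_code, SERVER_TIME),
        verify(SECRET, corrected_code, SERVER_TIME),
    )


if __name__ == "__main__":
    rejected, drift, accepted = demo()
    print("with drift:", rejected, "| drift in steps:", drift, "| after correction:", accepted)
```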

13. Additional Settings

The Protectimus Smart OTP settings page provides additional options for customization, such as selecting your preferred language for the interface, enabling or disabling Screen Capture Access, and choosing between a dark or bright appearance to suit your preferences.

Protectimus Smart OTP additional settings

13.1. Application Language

Currently, the Protectimus Smart OTP authenticator is available in English, French, German, Spanish, Russian, and Ukrainian.

Protectimus Smart OTP 2FA app language settings

13.2. Screen Capture Access

To enhance your security, we advise against enabling screen capture access.

Protectimus Smart OTP 2FA app - screen capture access

If you have any questions, please contact Protectimus customer support service.

CentOS 2FA

With Protectimus multi-factor authentication (MFA) solution, you can set up CentOS two-factor authentication (2FA) in a few steps.

1. How CentOS Two-Factor Authentication (2FA) Works

After you enable CentOS 2FA, your users will need to use two authentication passwords to get access to their CentOS accounts:


  1. The first is a standard password (something the user keeps in memory);
  2. The second is a one-time password valid only for 30 or 60 seconds (the one-time password is generated with the help of a hardware OTP token or a 2FA app on a user’s phone – something that the user owns and has to carry with them).

This way, the CentOS account becomes protected with two different authentication factors. Even if a hacker steals the user’s password using phishing, brute force, social engineering, data spoofing, or any other attack, they can’t access the CentOS account without the one-time password from the user’s 2FA token.


This guide shows how you can set up CentOS two-factor authentication (2FA) using Protectimus RADIUS 2FA component for the integration with Protectimus Cloud 2FA service or Protectimus On-Premise MFA Platform.


CentOS 2FA (two-factor authentication) setup scheme

2. How to Enable CentOS Two-Factor Authentication (2FA)

You can set up CentOS two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
  2. Install Protectimus PAM module for CentOS 2FA
  3. Install and configure Protectimus RADIUS Server module.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install Protectimus PAM module for CentOS 2FA

yum -y install epel-release
yum -y install pam_radius
 

2.3. Install and configure Protectimus RADIUS Server

  1. Install protectimus-radius

git clone https://github.com/protectimus/platform-linux.git
cd platform-linux/radius
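# Set the values in config/radius.yml (described in the next step) before starting the container
"${EDITOR:-vi}" config/radius.yml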
docker compose up -d

  1. Configure radius.yml file.

    Configure Protectimus RADIUS Server settings in the radius.yml file. It must be located in the same directory as the executable.

    You will find detailed instructions on available properties that you can add to the radius.yml file here.

    The example of radius.yml file configuration:

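radius:
  # Shared secret between this server and its RADIUS clients (pam_radius, VPN gateways).
  # "secret" is an example value; use a long random string.
  secret: secret
  auth-port: 1812

auth:
  # Could be:
  #  - LDAP
  #  - PROTECTIMUS_PASSWORD
  #  - PROTECTIMUS_OTP
  #  - PROTECTIMUS_PUSH
  providers:
    - PROTECTIMUS_OTP

protectimus-api:
  # Example values; replace with your own Protectimus API login and key.
  login: user@example.com
  api-key: aslkjdljsdlaskmWpXjT5K0xqLXkd3
  url: https://api.protectimus.com/
  resource-name: radius
  resource-id: 723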

  1. Edit the pam_radius config and set the shared secret (the same value as the radius.secret property in radius.yml)

    /etc/pam_radius.conf

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1

  1. Configure SSH to use challenge response

    /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

  1. Execute the command systemctl restart sshd

  1. Configure PAM for SSH to use RADIUS

    In /etc/pam.d/sshd, add the line auth required pam_radius_auth.so after the line auth substack password-auth:

#%PAM-1.0
auth       required     pam_sepermit.so
# protectimus pam radius
auth       substack     password-auth
auth       required     pam_radius_auth.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare


CentOS multi-factor authentication setup is now complete. If you have other questions, contact our customer support service.
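
A consistency check for the four files edited in section 2.3, as an added example (not Protectimus code): it flags a shared secret that differs between radius.yml and pam_radius.conf, a placeholder secret, a missing sshd option, and a PAM line that would let a failed OTP check be ignored. It works on file contents passed as text; the sample strings are constructed from the listings in this guide, and the placeholder list and 16-character minimum are assumptions.

```python
import re

# "secret" is the sample value used in this guide; the other entries and the
# 16-character minimum are assumptions of this example, not Protectimus rules.
PLACEHOLDER_SECRETS = {"secret", "password", "radius", "changeme"}
MIN_SECRET_LEN = 16


def radius_yml_secret(text):
    """Return radius.secret from radius.yml (minimal line parser, no PyYAML needed)."""
    section = None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop YAML comments
        if not line.strip():
            continue
        if not line[0].isspace():                        # top-level key, e.g. "radius:"
            section = line.rstrip(":").strip()
            continue
        key, _, value = line.strip().partition(":")
        if section == "radius" and key.strip() == "secret":
            return value.strip().strip("'\"")
    return None


def pam_radius_entries(text):
    """Return [(server, secret)] from pam_radius.conf: server[:port] secret [timeout]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            entries.append((fields[0], fields[1]))
    return entries


def sshd_option(text, keyword):
    """First uncommented value of an sshd_config keyword (sshd keeps the first it reads)."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) == 2 and fields[0].lower() == keyword.lower():
            return fields[1].strip().lower()
    return None


def pam_auth_stack(text):
    """Return [(control, module)] for the auth lines of a PAM service file, in order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def audit(radius_yml, pam_radius_conf, sshd_config, pam_sshd):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    server_secret = radius_yml_secret(radius_yml)
    if server_secret is None:
        findings.append("radius.yml: radius.secret is not set")
    elif server_secret.lower() in PLACEHOLDER_SECRETS or len(server_secret) < MIN_SECRET_LEN:
        findings.append("radius.yml: radius.secret is a placeholder or too short")
    clients = pam_radius_entries(pam_radius_conf)
    if not clients:
        findings.append("pam_radius.conf: no RADIUS server configured")
    for server, secret in clients:
        if secret != server_secret:
            findings.append(f"pam_radius.conf: secret for {server} differs from radius.secret")
    if sshd_option(sshd_config, "ChallengeResponseAuthentication") != "yes":
        findings.append("sshd_config: ChallengeResponseAuthentication is not 'yes'")
    stack = pam_auth_stack(pam_sshd)
    modules = [module for _, module in stack]
    if "pam_radius_auth.so" not in modules:
        findings.append("pam.d/sshd: pam_radius_auth.so is missing from the auth stack")
    else:
        position = modules.index("pam_radius_auth.so")
        if stack[position][0] not in ("required", "requisite"):
            findings.append("pam.d/sshd: pam_radius_auth.so is not required, "
                            "so a failed OTP check can be ignored")
        if "password-auth" not in modules[:position]:
            findings.append("pam.d/sshd: pam_radius_auth.so does not follow password-auth")
    return findings


# Constructed sample input: the file contents shown in this guide.
RADIUS_YML = "radius:\n  secret: secret\n  auth-port: 1812\n\nauth:\n  providers:\n    - PROTECTIMUS_OTP\n"
PAM_RADIUS_CONF = "# server[:port] shared_secret      timeout (s)\n127.0.0.1       secret             1\n"
SSHD_CONFIG = "ChallengeResponseAuthentication yes\n"
PAM_SSHD = ("#%PAM-1.0\nauth       required     pam_sepermit.so\n"
            "auth       substack     password-auth\n"
            "auth       required     pam_radius_auth.so\n"
            "auth       include      postlogin\n")
# Constructed misconfigured variants: a rotated server secret and a weakened PAM line.
ROTATED_YML = RADIUS_YML.replace("secret: secret", "secret: q7Vt2m9XcL4pRz8KbN3w")
WEAK_PAM_SSHD = re.sub(r"required(\s+pam_radius_auth\.so)", r"sufficient\1", PAM_SSHD)

if __name__ == "__main__":
    for finding in audit(ROTATED_YML, PAM_RADIUS_CONF, SSHD_CONFIG, WEAK_PAM_SSHD):
        print("FINDING:", finding)
```

On a real host, read /etc/pam_radius.conf, /etc/ssh/sshd_config, /etc/pam.d/sshd and config/radius.yml as root and pass their contents to `audit`.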

VMware Horizon View 2FA

This guide shows how you can set up VMware Horizon View two-factor authentication (2FA) via RADIUS using the Protectimus multi-factor authentication system.

The Protectimus two-factor authentication system integrates with VMware Horizon View via the RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server via a special connector, Protectimus RADIUS Server, and VMware Horizon View acts as a RADIUS client.

The Protectimus RADIUS Server connector transfers authentication requests from the VMware Horizon View to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.

Below is an example of integration of the Protectimus 2FA solution with VMware Horizon View.

Protectimus VMware Horizon View 2FA integration via RADIUS - scheme

1. How to Enable Two-Factor Authentication for VMware Horizon View

You can set up multi-factor authentication (2FA) for VMware Horizon View with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for VMware Horizon View.

2. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.
 

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for VMware Horizon View two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for VMware Horizon View 2FA

  1. Log into the VMware Horizon View admin panel.
  2. Navigate to Settings and then click Servers.
  3. Select the Connection Servers tab.

How to set up VMware Horizon 2FA via RADIUS -  step1
  1. Select the necessary connection server, and after that click the Edit button.

How to enable VMware Horizon View 2FA via RADIUS -  step1
  1. Navigate to the Authentication tab.
  2. Then go to the Advanced Authentication section and select RADIUS in the 2-factor authentication dropdown.
  3. Check the box Enforce 2-factor and Windows user name matching.
  4. Find the Authenticator dropdown, and select Create New Authenticator.

How to enable VMware Horizon View MFA via RADIUS - step 3
  1. You will see an Add RADIUS Authenticator form. Navigate to the Client Customization page and enter any name for your new RADIUS server (e.g. Protectimus). Then click Next.
  2. On the Primary Authentication Server page, fill in the required information referring to the table and image below.

Hostname/Address: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
Authentication Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Accounting Port: Leave the default value.
Authentication Type: PAP.
Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Server Timeout: Set to 60.
Max Attempts: Set to 5.

How to enable VMware Horizon View two-factor authentication via RADIUS -  step 4
  1. For all other fields, leave the default values. Then click Next.
  2. Add a Secondary Authentication Server if you wish (it is optional), and click Finish to complete creating the RADIUS server.
  3. We recommend you review the Advanced Authentication section:
    • check if the RADIUS server you have just created (Protectimus) is selected in the Authenticator dropdown;
    • make sure that you have checked the box Enforce 2-factor and Windows user name matching.

How to set up VMware Horizon multi-factor authentication via RADIUS -  step1
Integration of two-factor authentication (2FA/MFA) for your VMware Horizon View 2FA is now complete. If you have other questions, contact Protectimus customer support service.

F5 BIG-IP APM VPN 2FA

This guide shows how to enable multi-factor authentication (MFA / 2FA) for F5 BIG-IP APM VPN with the help of the Protectimus two-factor authentication system.

The Protectimus two-factor authentication system integrates with F5 BIG-IP APM VPN via the RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server, and the F5 BIG-IP VPN acts as a RADIUS client.

The scheme of work of the Protectimus solution for F5 BIG-IP APM VPN 2FA is presented below.

F5 BIG-IP APM VPN 2FA setup via RADIUS

1. How F5 BIG-IP APM VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for F5 BIG-IP APM VPN allows you to add an extra layer of security to your F5 BIG-IP VPN logins.

When you add 2FA/MFA for F5 VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an F5 BIG-IP APM VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for F5 BIG-IP APM VPN

You can set up multi-factor authentication (2FA) for F5 BIG-IP VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.
 

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for F5 BIG-IP APM VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN 2FA

  1. Log into the F5 BIG-IP administrator dashboard.
  2. Navigate to Access –> Authentication –> RADIUS.

How to add two-factor authentication to F5 BIG-IP APM
  1. Click the Create… button to add a new RADIUS server.
  2. Then fill in the form referring to the table and image below, and click Finished to save your settings.
Name: Type any name for your RADIUS server – enter Protectimus_RADIUS_Server or any other name you wish.
Mode: Authentication.
Server Connection: Direct.
Server Address: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
Authentication Service Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Confirm Secret: Confirm the shared secret.
Timeout: Set to 180 seconds.
Retries: Set to 3.
Character Set: Set to UTF-8.
Service Type: Default.

How to add multi-factor authentication to F5 BIG-IP APM - step 2

2.4. Modify the F5 BIG-IP APM Access Policy

  1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies).

How to set up F5 BIG-IP APM 2FA - step 3
  1. Click Edit… to modify your F5 BIG-IP APM access policy.

How to set up F5 BIG-IP APM MFA - step 4
  1. You will see the Access Policy editor. Click + (Plus) on the arrow to the right of the Logon Page.

How to set up F5 BIG-IP APM two-factor auth - step 5
  1. In a new window, select the Authentication tab. Then select RADIUS Auth and click the Add Item button.

How to set up F5 BIG-IP APM two-factor authentication - step 6
  1. In the AAA Server dropdown, select Protectimus_RADIUS_Server – the server you have created previously. Then click Save to save the changes.

How to set up F5 BIG-IP APM 2FA - step 7
PLEASE NOTE!
If you have a former authentication method (e.g. Active Directory) you can either remove it or keep it.
You can keep your former authentication method and use Protectimus after or before that authentication method.
To remove it, click X, select Connect previous node to Successful branch, and click Delete.
  1. Click Close to return to the Access Profiles page. Check your profile and click Apply. The status flag next to your profile should change to green.

Integration of two-factor authentication (2FA/MFA) for your F5 BIG-IP APM VPN 2FA is now complete. If you have other questions, contact Protectimus customer support service.

Array AG SSL VPN 2FA

This guide shows how to enable two-factor authentication (2FA / MFA) for Array AG SSL VPN with the help of the Protectimus multi-factor authentication system.

The Protectimus multi-factor authentication system integrates with Array AG SSL VPN via the RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform acts as a RADIUS server, and the Array VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for Array VPN 2FA is presented below.

Array VPN 2FA setup via RADIUS

1. How Array VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for Array AG SSL VPN allows you to add an extra layer of security to your Array VPN logins.

When you add 2FA/MFA for Array VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an Array VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for Array AG SSL VPN

You can set up multi-factor authentication (2FA) for Array VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for Array AG SSL VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Array VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Array VPN 2FA

  1. Log in to the Array VPN administration panel.
  2. Change the mode to Config.
  3. Navigate to the Virtual Site using the dropdown in the upper left corner.
  4. Find the Site Configuration menu on the left and click on AAA.
  5. Open the General tab and check Enable AAA.

Array VPN 2FA setup via RADIUS - step 1
  1. Navigate to the Server tab and click RADIUS.
  2. Enter the Server Name (e.g. Protectimus RADIUS Server). You can also add a Description. Then click Add.

Array VPN MFA setup via RADIUS - step 1
  1. The newly added server will appear on the list of servers. Open Advanced RADIUS Server Configuration by double-clicking the name of your RADIUS server.
  2. Click Add RADIUS Server on the Advanced RADIUS Server Configuration page. Fill in the form referring to the table and image below, and click Save.
Server IP: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
Server Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret Password: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Timeout: Set to 180 seconds.
Redundancy Order: Set to 1 if this is your first RADIUS server.
Retries: Set to 3.
Accounting Port: Set to 1813.

Array VPN two-factor authentication setup via RADIUS - step 3
  1. Go to the Method tab and click Add Method.
  2. Enter the Method Name (e.g. Protectimus) and Method Description (e.g. Protectimus RADIUS Server). Then select the AAA server in Authentication. The AAA server is the server you created earlier (Protectimus RADIUS Server).
  3. Click Save. The method you just created will appear in the table on the Method tab.

Array VPN 2-factor authentication setup via RADIUS - step 4
  1. Find the AAA Method for Mobile VPN Clients dropdown and select the method you created (Protectimus).

Array VPN multi-factor authentication setup via RADIUS - step 4
  1. Go to the top right corner of the Array VPN administration panel and click Save Configuration.

Array AG SSL VPN 2FA setup via RADIUS - step 6
Integration of two-factor authentication (2FA/MFA) for your Array AG SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

WatchGuard Mobile VPN 2FA

This guide shows how to enable multi-factor authentication (2FA / MFA) for WatchGuard Mobile VPN with the help of the Protectimus two-factor authentication solution.

Protectimus multi-factor authentication system integrates with WatchGuard Mobile VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform acts as a RADIUS server, and the WatchGuard Mobile VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for WatchGuard Mobile VPN two-factor authentication is presented below.

WatchGuard Mobile VPN 2FA setup via RADIUS

1. How WatchGuard Mobile VPN 2FA Works

Protectimus Two-Factor Authentication Solution for WatchGuard Mobile VPN allows you to add an extra layer of security to your WatchGuard VPN logins.

Protectimus WatchGuard Mobile VPN 2FA Solution enables 2-factor authentication during WatchGuard connections via IPSec and SSL.

When you add 2FA/MFA for WatchGuard Mobile VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a WatchGuard Mobile VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for WatchGuard Mobile VPN

You can set up multi-factor authentication (2FA) for WatchGuard Mobile VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA.
  4. Configure WatchGuard Mobile VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for WatchGuard Mobile VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA

  1. Log in to the WatchGuard Firebox Admin Panel (Fireware Web UI).
  2. Navigate to Authentication –> Servers –> RADIUS.
WatchGuard Mobile VPN 2FA setup via RADIUS - step 1
  1. Click Add.
WatchGuard Mobile VPN MFA setup via RADIUS - step 2
  1. Fill in the required fields in the Primary Server Settings tab. Please refer to the following table and image.
Domain Name: Come up with a name for your RADIUS domain, e.g. Protectimus RADIUS Server. Note that you cannot change the Domain Name after you save the settings.
Enable RADIUS Server: Check the box.
IP Address: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Confirm Secret: Reenter the shared secret.
Timeout: Set to 60 seconds.
Retries: Set to 3.
Dead Time: Set to 10 minutes.
Group Attribute: Set to 11.
WatchGuard Mobile VPN two-factor authentication setup via RADIUS - step 3
  1. Click Save to save your settings.

2.4. Configure WatchGuard Mobile VPN with SSL or IPSec

  1. In the WatchGuard Firebox Admin Panel left pane, click VPN –> Mobile VPN.
  2. Then navigate to the SSL or IPSec section, whichever method suits you best, and follow the instructions below.
WatchGuard Mobile VPN 2FA setup via RADIUS - step 4

2.4.1. Configure WatchGuard Mobile VPN with SSL

PLEASE NOTE! To enable 2FA for SSL Mobile VPN, you need to manually add all your users to WatchGuard VPN and then allow them to use SSL VPN.
  1. Go to Authentication –> Users and Groups. Then click ADD to add a new user.
How to Configure WatchGuard Mobile VPN with SSL - step 1
  1. In Add User or Group, enter the name of the user and select the Authentication Server. Refer to the following table and image.
Type: User.
Name: Enter the username.
Description: Optional, you can enter a description of the user if you want.
Authentication Server: Select the server you have created before (Protectimus RADIUS Server).

How to Configure WatchGuard Mobile VPN with SSL - step 2
  1. Other options are optional. Click OK and then click Save in the main list of all groups and users to confirm the new user.
PLEASE NOTE! You need to do the above three steps for every user you want to allow to use Mobile VPN with SSL.

  1. After you add all your users, click VPN –> Mobile VPN. Then, go to the SSL section and click CONFIGURE.
How to Configure WatchGuard Mobile VPN with SSL - step 4
  1. Select the Authentication tab.
  2. In AUTHENTICATION SERVERS, select the server you have created before (Protectimus RADIUS Server) and click ADD.
  3. Then, select it on the list of authentication servers and click MOVE UP to make it default.
How to Configure WatchGuard Mobile VPN with SSL - step 5
  1. In Users and Groups, select the groups and users you want to allow to use SSL VPN.
  2. Click SAVE to confirm and save your settings.

2.4.2. Configure WatchGuard Mobile VPN with IPSec

  1. Navigate to VPN –> Mobile VPN. Then, go to the IPSec section and click CONFIGURE.
How to Configure WatchGuard Mobile VPN with IPSec - step 1
  1. In the Groups section, select your profile and click EDIT.
How to Configure WatchGuard Mobile VPN with IPSec - step 2
  1. Select the General tab.
  2. In the Authentication Server dropdown, select the server you have created before (Protectimus RADIUS Server). It has the Domain Name you set when configuring Protectimus as RADIUS Server.
How to Configure WatchGuard Mobile VPN with IPSec - step 3
  1. Click SAVE to confirm and save your settings.

Integration of two-factor authentication (2FA/MFA) for your WatchGuard Mobile VPN is now complete. If you have other questions, contact Protectimus customer support service.

Pulse Connect Secure SSL VPN 2FA

This guide shows how to enable multi-factor authentication (2FA / MFA) for users logging in to Pulse Connect Secure SSL VPN with the help of the Protectimus two-factor authentication solution for Pulse Connect Secure SSL VPN.

Protectimus’s two-factor authentication system integrates with Pulse Connect Secure SSL VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform acts as a RADIUS server, and the Pulse Connect Secure SSL VPN takes the role of a RADIUS client.

You will find the scheme of work of the Protectimus solution for Pulse Connect Secure SSL VPN two-factor authentication below.

2FA/MFA for Pulse Connect Secure SSL VPN via RADIUS

1. How 2FA for Pulse Connect Secure SSL VPN Works

Two-factor authentication (2FA / MFA) protects the Pulse Connect Secure SSL VPN user accounts from phishing, brute force, keyloggers, man-in-the-middle attacks, data spoofing, social engineering, and other similar hacking tricks.

When you enable 2FA/MFA for Pulse Connect Secure SSL VPN, Pulse Secure VPN users will use two different authentication factors to get access to their accounts:
  1. The first factor is username and password (something they know);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or a 2FA app (something they own).

To hack a Pulse Connect Secure SSL VPN user account protected with two-factor authentication, a hacker needs both passwords at once. Moreover, a hacker has only 30 seconds to crack and use a time-based one-time password. It is almost impossible to fulfill these conditions, which makes two-factor authentication so effective.

2. How to Enable 2FA for Pulse Connect Secure SSL VPN

You can set up two-factor authentication (2FA) for Pulse Connect Secure SSL VPN with Protectimus using the RADIUS protocol:
  1. Register with the Protectimus SaaS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Pulse Connect Secure SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Pulse Connect Secure SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Pulse Connect Secure SSL VPN

  1. Log into the Pulse Secure administration panel.
  2. Navigate to Authentication –> Auth. Servers.
  3. Select RADIUS Server in the dropdown, and click New Server….
  4. Fill in the required fields in the Settings tab. Please refer to the following table.

     | Field | Value |
     |---|---|
     | Name | Come up with a name for your RADIUS server, e.g. Protectimus Server. |
     | RADIUS Server | Enter the IP address of the server where the Protectimus RADIUS Server component is installed. |
     | Authentication Port | Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server). |
     | Shared Secret | Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server. |
     | Timeout | Set to 180 seconds. |
     | Retries | Set to 3. |

  5. Keep default values of all other fields and click Save Changes.
  6. Navigate to Users –> User Realms –> New User Realm….
  7. Come up with a Name for your new realm, e.g. Protectimus Server.
  8. Select the previously created authentication server (Protectimus Server) in the Authentication dropdown.
  9. Click Save Changes.
  10. Navigate to Authentication Policy –> Password.
  11. Select Allow all users (passwords of any length) and click Save Changes.
  12. Go to the Role Mapping tab and click New Rule….
  13. Come up with the name for a new rule, e.g. Protectimus Rule.
  14. Set Rule: If username… to is *.
  15. Assign a Users role. Select Users on the Available Roles list and click Add –>.
  16. Click Save Changes.
  17. Navigate to Authentication –> Signing In –> Sign-in Policies.
  18. Click the */ URL in the User URLs table.
  19. Select User picks from a list of authentication realms and select the Protectimus Server realm you have created before. To do this, just select Protectimus Server on the Available realms list and click Add –>.
  20. Click Save Changes.

Integration of multi-factor authentication for Pulse Connect Secure SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.
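
The Shared Secret entered in the Pulse Secure Settings tab has to match the radius.secret value on the Protectimus side, and a mismatch shows up as a reply whose Response Authenticator does not verify. The following is an added example, not Protectimus or Pulse Secure code: it builds an RFC 2865 Access-Request and checks a reply's authenticator; `make_response` is a hypothetical stand-in for the server, and all user names, passwords and secrets passed in are assumed test values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(user: str, password: str, secret: bytes, ident: int = 1):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = os.urandom(16)
    name = user.encode()
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, len(name) + 2]) + name
    attrs += bytes([ATTR_USER_PASSWORD, len(hidden) + 2]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 sec. 3: reply[4:20] must equal MD5(code|id|len|ReqAuth|attrs|secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(digest, reply[4:20])


def make_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for a server reply with no attributes (offline demo only)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()
```

When the packet is sent over UDP to the configured Authentication Port, a reply that fails `response_is_authentic` means the two sides do not hold the same shared secret (or the reply was altered in transit).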