
Aruba ClearPass 2FA

This guide shows how to set up two-factor authentication for Aruba switches. This requires Aruba ClearPass to be integrated with Protectimus’ Multi-Factor Authentication (MFA) solution. You can use the Protectimus Cloud MFA Service or the Protectimus On-Prem MFA platform, which should be installed in the client’s environment or private cloud.

The Protectimus Two-Factor Authentication Server communicates with Aruba network equipment using the RADIUS authentication protocol. The Protectimus RADIUS Server component acts as a RADIUS server:
  1. It accepts an incoming RADIUS authentication request.
  2. Then, it accesses the user store (Active Directory, etc.) to confirm the user’s login and password.
  3. The next step is to check the one-time password. To do this, Protectimus RADIUS Server contacts the Protectimus two-factor authentication server.
  4. If both authentication factors are correct, Protectimus RADIUS Server allows the user to connect to the Aruba switch.

The diagram below shows how the Protectimus two-factor authentication solution for Aruba network equipment works.

MFA Aruba Switch - how to enable via RADIUS

1. How Aruba Switches Two-Factor Authentication (2FA) Works

Two-factor authentication (2FA / MFA) protects user accounts from attacks such as brute force, phishing, keyloggers, man-in-the-middle, social engineering, data spoofing, etc.

After you set up two-factor authentication for Aruba switches, users will use two different authentication factors to connect to Aruba networking equipment.
  1. The first factor is login and password (what the user knows);
  2. The second factor is a one-time password generated using a hardware OTP token or a smartphone (which belongs to the user).
To hack a user account, an attacker must get access to two passwords at once, which is almost impossible. At the same time, the attacker has only 30 seconds to crack and use one of these passwords.

2. How to Enable MFA for Aruba Switch

You can set up Aruba Switch two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for your Aruba Switch.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Aruba switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Aruba Switch

There are two options to configure multi-factor authentication for Aruba switch via RADIUS:
  • WebUI configuration. Available for the older versions of Aruba ClearPass.
  • CLI configuration. Newer versions of Aruba switches can be configured only through the configuration console.
Follow only the steps of the method you choose.

How to configure MFA for Aruba switch via WebUI
  1. In the Aruba Networks ClearPass WebUI Console, go to Configuration –> Security –> Authentication –> Servers.
  2. Select RADIUS Server to display the RADIUS Server List.
  3. Provide a Name for the new server, e.g. Protectimus, and click Add.
  4. Select the name to configure the parameters, such as IP Address; and then check Mode to activate the server.
  5. Click Apply.
  6. Select Server Group to display the Server Group List.
  7. Provide a Name for the new server group, e.g. corp_radius, and click Add.
  8. Select the name to configure the parameters.
  9. Under Servers, select New to add a server to the group.
  10. Select the server (i.e. Protectimus) from the dropdown menu and click Add Server.
  11. Click Apply.
  12. Go to Configuration –> Management –> Administration.
  13. Under Management Authentication Servers, select a management role, e.g. root, for the Default Role.
  14. Check Mode to activate.
  15. For the Server Group, select the newly created group, i.e. corp_radius.
  16. Click Apply.

How to configure MFA for Aruba switch via CLI

How to Add New RADIUS Server
aaa authentication-server radius Protectimus
  host <ipaddr>
  enable

How to Add New Server Group
aaa server-group corp_radius
  auth-server Protectimus

How to Define Role for Server Group
aaa authentication mgmt
  default-role root
  enable
  server-group corp_radius

Integration of two-factor authentication (2FA/MFA) for your Aruba ClearPass is now complete. If you have other questions, contact Protectimus customer support service.

Barracuda SSL VPN 2FA

This Barracuda SSL VPN 2FA guide shows how to enable two-factor authentication (2FA / MFA) for Barracuda SSL VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Barracuda SSL VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to Barracuda SSL VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Barracuda VPN 2FA performs as a RADIUS server, and the Barracuda SSL VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Barracuda SSL VPN two-factor authentication below.

How to set up Barracuda SSL VPN two-factor authentication via RADIUS

1. How Barracuda SSL VPN Two-Factor Authentication (2FA) Works

Setting up two-factor authentication for Barracuda SSL VPN means that your users will have to enter two different factors of authentication when they get access to their accounts.

  1. The first 2FA factor is a username and password (something the user knows);
  2. The second 2FA factor is a time-based one-time password generated with the help of an OTP token or an app on a phone (something the user owns). A one-time password remains valid only for 30 seconds.

It is too hard to get unauthorized access to the Barracuda SSL VPN account protected with multi-factor authentication. A hacker has to get two passwords of different natures and use them simultaneously. Moreover, he has only 30 seconds to hack and use a one-time passcode, which complicates the task even further and makes it almost impossible.

Two-factor authentication (2FA / MFA) is an effective protection measure against cybersecurity threats such as phishing, keylogging, social engineering, brute force, MITM attacks, data spoofing, etc.

2. How to Enable Barracuda SSL VPN 2FA

You can set up Barracuda SSL VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Barracuda SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Barracuda SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Barracuda SSL VPN

  1. Log in to Barracuda VPN interface.
  2. Navigate to Users –> External Authentication.
How to set up Barracuda SSL VPN 2FA via RADIUS - step 1
  3. Select RADIUS and configure the following RADIUS settings to add a RADIUS Server. After that, click Save to save the changes.
     Server Address: IP of server where the Protectimus RADIUS Server component is installed.
     Server Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
     Server Key: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     Group Attribute: Keep the default value.
     Group Attribute Delimiter: Keep the default value.
     NAS ID: If your RADIUS server requires NAS credentials to be set, enter the NAS identifier.
     NAS IP Address: If your RADIUS server requires NAS credentials to be set, enter the NAS IP Address.
     NAS IP Port: If your RADIUS server requires NAS credentials to be set, enter the NAS IP Port.
     Group Information From: Set to blank/empty.
How to set up Barracuda SSL VPN MFA via RADIUS - step 2
  4. Navigate to VPN –> SSL VPN.
How to set up Barracuda SSL VPN two-factor authentication via RADIUS - step 3
  5. Go to the Authentication section. Select RADIUS in User Authentication. Click Save.
How to set up Barracuda SSL VPN multi-factor authentication via RADIUS - step 4
Integration of two-factor authentication (2FA/MFA) for your Barracuda SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

MikroTik VPN 2FA

This guide describes how to enable Protectimus Two-Factor Authentication (2FA) for users connecting to MikroTik VPN.

The Protectimus two-factor authentication system can be integrated with MikroTik VPN via RADIUS authentication protocol. For this purpose, you need to install an on-premise Protectimus RADIUS Server component and configure the MikroTik VPN to refer to the Protectimus RADIUS Server for user authentication.

See how Protectimus two-factor authentication solution works for MikroTik VPN in the scheme below.

How to set up MikroTik two-factor authentication via RADIUS

1. How MikroTik VPN Two-Factor Authentication (2FA) Works

After integrating MikroTik VPN with the Protectimus MFA system, your users will need to pass two stages of authentication to connect to MikroTik VPN:
  1. Enter their username and password.
  2. Enter the one-time passcode, which is only valid for 30 seconds.

To generate one-time passcodes, the following types of two-factor authentication tokens will be available to your users:
  • Classic and programmable hardware OTP tokens that look like keyfobs and plastic cards;
  • 2-factor authentication app Protectimus SMART OTP on iOS and Android;
  • Any other 2-factor authentication apps that support TOTP auth standard, including Google Authenticator;
  • Delivery of one-time passwords using chatbots in Telegram, Messenger, or Viber;
  • SMS authentication;
  • Delivery of one-time passwords via email.

It is a challenging task for the intruder to hack two authentication factors that differ in their nature (something the user knows and owns) and use them simultaneously within 30 seconds (the time when the one-time password remains active). That is why two-factor authentication is one of the best security measures for MikroTik VPN.

2. How to Enable MikroTik VPN 2FA

You can set up MikroTik VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure MikroTik VPN Client.
  4. Configure Windows VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for MikroTik VPN 2-factor authentication using RADIUS are available here.

2.3. Configure MikroTik VPN Client

  1. Open Webfig.
  2. Navigate to the menu on the left, and select the RADIUS tab.
  3. Click Add New to configure your Protectimus RADIUS Server as a RADIUS server.
  4. Check ppp and ipsec in the Service section.
  5. Check login in the Service section.
  6. Indicate the IP of the server where the Protectimus RADIUS Server is installed.
  7. Set Protocol to udp.
  8. Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property).
  9. Change the default timeout to 30000 ms or higher.
  10. Click OK to save your settings.
MikroTik VPN 2FA setup - step 1
  11. Navigate to the menu on the left, and select the PPP tab.
  12. Select the Interface tab and then click PPTP Server, SSTP Server, L2TP Server, or OVPN Server depending on which one you are using.
  13. Check pap and uncheck every other checkbox in Authentication. Click OK.
  14. Select the Secrets tab, and click the PPP Authentication & Accounting button.
MikroTik VPN two-factor authentication setup - step 2
  15. Check Use Radius, and click OK to finish the configuration and enable Protectimus two-factor authentication in your VPN.

2.4. Configure Windows VPN

  1. On your Windows operating system, go to Settings –> Network & Internet –> VPN and select Add a VPN connection.
  2. Fill in the form and click Save. Refer to the following image and table.
     VPN Provider: Windows (in-built)
     Connection name: MikroTik
     Server name or address: Enter the IP address of your server
     VPN type: Select your VPN Type. We chose L2TP/IPsec with pre-shared key, but you have to select the one you use in MikroTik.
     Pre-shared key: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
     Type of sign-in info: User name and password
     User name (optional): Your user name
     Password (optional): Your password

Windows VPN setup - step 1
  3. Go to Control Panel → Network and Sharing Center and select Change adapter options.
  4. Right-click your newly-created MikroTik connection and select Properties.
  5. Select the Security tab.
  6. Select Allow these protocols and then check the Unencrypted password (PAP) checkbox.
  7. Then click OK to save the changes.
Windows VPN setup - step 2
Integration of two-factor authentication (2FA/MFA) for your MikroTik VPN is now complete. If you have other questions, contact Protectimus customer support service.

TOTP tokens for EVV

We suggest using TOTP hardware tokens for Electronic Visit Verification (EVV). The Protectimus EVV solution, based on the TOTP algorithm, allows identifying the exact time of visits using one-time passwords from TOTP tokens.

TOTP tokens for Electronic Visit Verification (EVV) are a super easy and effective EVV method both for homecare personnel and people receiving help at home.

Hardware TOTP tokens for EVV look like keyfobs and don’t require installation, internet connection, or electricity to work. It’s enough to give the TOTP token device to the care receiver and ask the homecare worker to write down one-time codes from the EVV TOTP token at the beginning and the end of their visits. Then the one-time codes are transferred to the Protectimus EVV solution via API, and Protectimus returns the precise time when every OTP code was generated.

This guide shows how to integrate the Protectimus EVV solution with your Electronic Visit Verification system.

1. How the Protectimus TOTP Tokens Work for Electronic Visit Verification (EVV)

The Time-Based One-Time Password generation algorithm (TOTP) allows us to calculate the time when every one-time code was generated with an accuracy of 30 or 60 seconds, depending on the type of TOTP token you choose. We highly recommend using TOTP tokens with 60 second time step for EVV because of the problem of matching OTPs that occurs with 30-second time step tokens. We’ll describe this issue in detail below.

The TOTP algorithm for EVV works like this:
  • The patient gets the hardware TOTP token. The EVV TOTP token has a built-in clock and a unique pre-programmed shared secret.
  • The same shared secret is known to the Protectimus EVV system, which verifies the one-time passwords and calculates the time when these OTPs were generated.

So the scenario of using Protectimus TOTP tokens for Electronic Visit Verification (EVV) looks like this:
  1. The caregiver visits the patient and writes down two one-time passwords from the OTP token: before and after the visit.
  2. Then the caregiver enters these one-time codes into the Electronic Visit Verification System to confirm they conducted the visit.
  3. The Electronic Visit Verification System turns to the Protectimus EVV server to calculate the time of the visit.
  4. Knowing the shared secret, the Protectimus EVV server generates one-time passwords for the previous day/week/month and calculates the time of generation of certain OTPs. This way, we find out when the caregiver visited the patient.

2. The Problem of Coinciding One-Time Passwords in EVV

PLEASE NOTE! We recommend 8-digit TOTP tokens with 60 seconds time steps for Electronic Visit Verification (EVV).
There is a limit to the number of combinations consisting of 6 digits. And this limit is not very large.

Over a long period (a week or a month), the numeric values of one-time passwords will inevitably repeat. Two one-time passwords generated at different times will match. It may complicate the recognition of the exact time of OTP generation.

To reduce this problem, it is better to use TOTP tokens with a larger number of characters and larger time intervals. We recommend 8-digit TOTP tokens with 60 seconds time steps for Electronic Visit Verification (EVV).
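The time recovery described in section 1 and the coinciding-code problem described in section 2, as an added example that is not Protectimus code. It assumes the tokens follow RFC 6238 with HMAC-SHA1 (the page only says "TOTP"); the seed and timestamps in the demo are constructed.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Assumption: tokens follow RFC 6238 with HMAC-SHA1 and T0 = 0; the page only says "TOTP".


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 8) -> str:
    """Code the token displays at unix_time."""
    return hotp(secret, unix_time // step, digits)


def find_generation_times(secret, otp, start, end, step=60, digits=8):
    """Start (Unix seconds) of every time step overlapping [start, end] that shows otp."""
    if not (otp.isascii() and otp.isdigit() and len(otp) == digits):
        return []  # handwritten codes can arrive malformed; never match them
    return [
        counter * step
        for counter in range(start // step, end // step + 1)
        if hmac.compare_digest(hotp(secret, counter, digits), otp)
    ]


def verify_visit(secret, otp_in, otp_out, start, end, step=60, digits=8):
    """Return (arrival, departure) only when the two codes admit exactly one
    ordered pair of time steps. Return None, so the visit goes to manual
    review, when a code is unknown or coincides with another step."""
    arrivals = find_generation_times(secret, otp_in, start, end, step, digits)
    departures = find_generation_times(secret, otp_out, start, end, step, digits)
    pairs = [(a, d) for a in arrivals for d in departures if a < d]
    return pairs[0] if len(pairs) == 1 else None


def expected_coinciding_steps(window_seconds, step, digits):
    """Expected number of other steps in the window that show the same code."""
    return (window_seconds // step - 1) / 10 ** digits


def count_ambiguous_steps(secret, start, end, step, digits):
    """Number of steps in [start, end) whose code also appears at another step."""
    codes = Counter(hotp(secret, c, digits) for c in range(start // step, end // step))
    return sum(n for n in codes.values() if n > 1)


if __name__ == "__main__":
    secret = b"constructed-evv-demo-seed"  # constructed sample, not a real token seed
    month = 30 * 24 * 3600
    t_in, t_out = 1_700_000_100, 1_700_003_700  # constructed visit, one hour long
    visit = verify_visit(secret, totp(secret, t_in), totp(secret, t_out),
                         t_in - 86_400, t_out + 86_400)
    print("recovered visit (step start times):", visit)
    for step, digits in ((30, 6), (60, 8)):
        print(f"{digits} digits / {step}s steps over 30 days:",
              f"expected coinciding steps per code = "
              f"{expected_coinciding_steps(month, step, digits):.6f},",
              f"ambiguous steps = {count_ambiguous_steps(secret, 0, month, step, digits)}")
```

Narrowing the search window to the scheduled visit day, rather than a whole month, reduces the chance that a code maps to more than one time step.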

3. How to Integrate Protectimus EVV with Your Electronic Visit Verification System

3.1. Get Registered and Add Tokens to the Protectimus Cloud Service or On-Prem Platform

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.
  2. Add Tokens. To do this, log into your account in Protectimus SAAS Service or On-Premise Platform and go to the Tokens page.
Protectimus 2FA system setup - Tokens tab
  3. Click the Add Token button.
  4. Select the Token Protectimus Two.
  5. Upload the file that will be sent to you after you order the TOTP tokens for EVV.

3.2. Use Protectimus API to Integrate Protectimus with Your Electronic Visit Verification System

PLEASE NOTE! You can use our Postman Collection for quicker integration. A Postman Collection is available upon request. Please contact our support team.
Protectimus API’s design is based on the REST principles. Data is transmitted in the XML format or the JSON format. Parameter values are identical in these formats. By default, responses are transmitted in the XML format.

Detailed API Integration Instructions are available here.

3.2.1. Authorization

The Protectimus API is only accessible to authorized users. Our solution uses Basic authentication. The login (username) of the administrator that submits a request is used as the username, and an authentication token is used as the password.

An authentication token is the hash of a string that consists of the following elements:
<ApiKey>:<YYYYMMDD>:<HH>
Where:
  • ApiKey is an API key, which is unique for each administrator; it is provided and may be changed on the profile management page https://service.protectimus.com/profile
  • YYYYMMDD is the current date in the specified format
  • HH is the UTC time in the HH format (only hours in the 24-hour format, without minutes or seconds)

Example:
The administrator’s profile contains the following information: 
ApiKey – MySecureApiKey; Date - 30 January 2014; Time - 17:42 (UTC).

String for hash: MySecureApiKey:20140130:17

Hash SHA256 for this text: 62704fb3a9dcf7b5b3cf7bda6ac9d0b0aa37c6fce8d0fae6b466c91ba68894f5

3.2.2. Request Submission

The protocol for transmitting all requests to the Protectimus API is HTTPS.

Request Format:
<HTTP-method>
https://service.protectimus.com/multipass-web-api/v<API_version>/<API_section>/<API_method>.<response_format>
The parameters specified above have the following values:
  • HTTP-method is the method typical for the current request.
  • API_version is the API version that you want to use. Currently, only the first version is available; therefore, this part of the request will look like this: “v1”.
  • API_section is the section to which the method you are calling belongs. The following sections are available: auth-service, resource-service, token-service, and user-service. The API methods’ descriptions are divided into the sections to which these methods belong.
  • API_method is the method you are calling.
  • response_format is the format in which you want to receive a response: XML or JSON. By default, XML is the selected format.

If an error occurs, the processing of a request is terminated, and an error message is returned. A list of errors and descriptions of errors are given in the Error Message section of the Protectimus API Integration Instructions.

3.2.3. Protectimus EVV API Method

Use this API Method to get the time when the one-time password was generated.

Option 1. CURL
curl --request POST 'https://api.protectimus.com/api/v1/token-service/otp-time' \
--header 'Authorization: Basic ZGFueWxvLmRlaW5la29AZ21haWwuY29tOmNTI=' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'tokenId=123' \
--data-urlencode 'otp=825043'

Option 2. HTTP
POST /api/v1/token-service/otp-time HTTP/1.1
Host: api.protectimus.com
Authorization: Basic ZGFueWxvLmRlaW5la29AZ21haWwuY29tOmNTI=
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

tokenId=123&otp=825043
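The authentication token from 3.2.1 and the otp-time request from 3.2.3 put together, as an added example that is not Protectimus code. It assumes the hash is the lowercase hex SHA-256 digest of the UTF-8 string; the function names are hypothetical, and the request is built but not sent.

```python
import base64
import hashlib
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Endpoint and form field names as shown in the curl example on this page.
OTP_TIME_URL = "https://api.protectimus.com/api/v1/token-service/otp-time"


def auth_token(api_key: str, now: datetime) -> str:
    """Hash of '<ApiKey>:<YYYYMMDD>:<HH>' built from the UTC date and hour.

    Assumption: lowercase hex SHA-256 over the UTF-8 bytes of the string.
    The value changes every UTC hour, so derive it per request instead of
    caching it, and keep the API key itself out of logs.
    """
    if now.tzinfo is None:
        # A naive local time would silently produce a token for the wrong hour.
        raise ValueError("pass a timezone-aware datetime; the token uses UTC")
    utc = now.astimezone(timezone.utc)
    material = f"{api_key}:{utc:%Y%m%d}:{utc:%H}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def basic_auth_header(username: str, api_key: str, now: datetime) -> str:
    """Basic authentication value: administrator login plus the hourly token."""
    pair = f"{username}:{auth_token(api_key, now)}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def build_otp_time_request(username, api_key, token_id, otp, now=None):
    """Prepare (but do not send) the POST that asks when an OTP was generated."""
    now = now or datetime.now(timezone.utc)
    body = urllib.parse.urlencode({"tokenId": token_id, "otp": otp}).encode("ascii")
    request = urllib.request.Request(OTP_TIME_URL, data=body, method="POST")
    request.add_header("Authorization", basic_auth_header(username, api_key, now))
    request.add_header("Content-Type", "application/x-www-form-urlencoded")
    return request


if __name__ == "__main__":
    # Constructed placeholders: replace with your administrator login and API key.
    when = datetime(2014, 1, 30, 17, 42, tzinfo=timezone.utc)
    req = build_otp_time_request("admin@example.com", "MySecureApiKey",
                                 "123", "825043", now=when)
    print(req.get_method(), req.full_url)
    print("body:", req.data.decode("ascii"))
    print("token length:", len(auth_token("MySecureApiKey", when)))
```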

If you have any questions, please, contact Protectimus customer support service.

Juniper VPN 2FA

This Juniper VPN 2FA guide shows how to enable two-factor authentication (2FA / MFA) for Juniper Secure Access SSL VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Juniper Secure Access SSL VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Juniper VPN 2FA performs as a RADIUS server, and the Juniper Secure Access SSL VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Juniper VPN two-factor authentication below.

How to set up Juniper VPN 2FA (two-factor authentication) via RADIUS with Protectimus

1. How Two-Factor Authentication (2FA) Works for Juniper VPN

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), is a must-have security measure for Juniper Secure Access SSL VPN. 2FA will protect Juniper VPN logins from such threats as phishing, brute force, data spoofing, social engineering, keyloggers, man-in-the-middle attacks, etc.

And this is how two-factor authentication for Juniper Secure Access SSL VPN works:

  1. When a user initiates login to the Juniper VPN protected with two-factor authentication, first of all, they will enter the first authentication factor – their standard password and login (something they know).

  2. Then they will be asked to enter a second authentication factor – a one-time passcode from the two-factor authentication token (a 2FA token is something the user has – usually, it is a smartphone or a physical OTP token looking like a keyfob).

This way, to get access to the Juniper Secure Access SSL VPN account protected with two-factor authentication, the fraudster has to get access to two authentication factors that differ in their nature. That is quite a challenging task. Moreover, a time-based one-time password remains active only for 30 seconds, which makes hacking way more complicated and almost impossible.

2. How to Enable Juniper VPN 2FA (Two-Factor Authentication)

You can set up Juniper VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Juniper Secure Access SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Juniper Secure Access SSL VPN using RADIUS are available here.

2.3. Configure Juniper VPN RADIUS Server Profile

  1. Log in to the Juniper administrative interface.
  2. In the left menu, navigate to Authentication –> Auth Servers.
  3. Select Radius Server from the drop down menu then click New Server.
  4. In the Name field, enter Protectimus RADIUS.
  5. Under the Primary Server section, enter the following information:
     Radius Server: IP of server where the Protectimus RADIUS Server component is installed.
     Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     Authentication Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
     Timeout: Set to 60 seconds.

Juniper VPN 2FA setup via RADIUS - Step 1
  6. Click Save Changes to save the RADIUS server profile.

2.4. Add Custom Radius Rules to Juniper VPN

2.4.1. Create a rule for the Access Challenge packet

  1. Scroll down to the Custom Radius Rules section.
  2. Click on New Radius Rule.
  3. In the Name field, enter Protectimus Radius Rule 1.
  4. For the Response Packet Type, select Access Challenge.
  5. Under the Then take action section, select Show Generic Login page.

Juniper VPN 2FA setup via RADIUS - Step 2

  6. Click Save Changes.

2.4.2. Create another rule for the Access Reject packet

  1. Click on New Radius Rule.
  2. In the Name field, enter Protectimus Radius Rule 2.
  3. For the Response Packet Type, select Access Reject.
  4. Under the Then take action section, select Show Generic Login page.
  5. Click Save Changes.

2.5. Configure a User Realm

To configure a user realm for the Protectimus Radius server, you can do one or more of the following:
  • Create a new realm for testing;
  • Create a realm to gradually migrate users to the new system (for instance, by duplicating an existing realm);
  • Use the default Users realm.
To add 2FA to a user realm:
  1. In the left menu, navigate to Users –> User Realms and click the link for the user realm to which you want to add secondary authentication.
  2. In the Authentication field, select Protectimus RADIUS and click Save Changes.
Juniper VPN 2FA setup via RADIUS - Step 3
  3. Add the newly created Protectimus RADIUS realm to the authentication realm.
     • Click Authentication –> Signing In –> the relevant User URL.
     • Move the newly created realm from the Available realms area to the Selected realms area.
     • Click Save Changes.

Integration of two-factor authentication (2FA/MFA) for your Juniper Secure Access SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

Cisco Switches 2FA

This Cisco Switches 2FA guide shows how to add two-factor authentication for Cisco Switches Login with the help of Protectimus 2FA Service or On-Premise 2FA Platform.

Protectimus two-factor authentication system communicates with Cisco network equipment using the RADIUS protocol. The Protectimus RADIUS Server component acts as a RADIUS server. It accepts incoming authentication requests via the RADIUS protocol, contacts the user storage (Active Directory, etc.) to verify the login and password, and then contacts the Protectimus 2FA server to verify the one-time password. If both authentication factors are correct, the Protectimus RADIUS Server allows the user to login.

The scheme of work of the Protectimus solution for Cisco switches two-factor authentication is shown below.

Cisco Switches 2FA (two-factor authentication) setup scheme

1. How Cisco Switches Two-Factor Authentication (2FA) Works

When you set up two-factor authentication for Cisco Switches, you make your users enter two different factors of authentication when they get access to the Cisco Switch.

  1. The first authentication factor is a login and password (something the user knows);
  2. The second authentication factor is a one-time passcode generated with the help of a hardware 2FA token or a smartphone (something the user owns).

After you enable two-factor authentication (2FA) for Cisco Switches login, it becomes too hard to hack it. It’s almost impossible to get both authentication factors at the same time. Moreover, a one-time passcode is valid for only 30 seconds, so the intruder will have too little time to hack the second factor.

Two-factor authentication (2FA / MFA) is an effective protection measure against cybersecurity threats such as phishing, social engineering, brute force, keylogging, MITM attacks, data spoofing, etc.

2. How to Enable Cisco Switches Login 2FA

You can set up Cisco Switches two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Cisco Switches authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Cisco Switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Cisco Switch

  1. Add Protectimus as a RADIUS Server.
Switch(config)# radius server [configuration-name]
Switch(config-radius-server)# address ipv4 hostname [auth-port integer] [acct-port integer]
Switch(config-radius-server)# key [shared-secret]

  2. Associate your RADIUS server with a server group.
Switch(config)# aaa group server radius [group-name]
Switch(config-sg-radius)# server name [configuration-name]

  3. Configure aaa authentication login to use RADIUS group with a fallback to local authentication.
Switch(config)# aaa authentication login [default | list-name] group [group-name] local


Integration of two-factor authentication (2FA/MFA) for your Cisco Switches is now complete. If you have other questions, contact Protectimus customer support service.

Check Point VPN 2FA

This guide shows how to enable Check Point VPN two-factor authentication (2FA) integrating Check Point VPN with Protectimus multi-factor authentication service or on-premise MFA platform via RADIUS.

Two-factor authentication (2FA) will protect your users’ accounts and, consequently, your corporate infrastructure from unauthorized access. By activating Check Point VPN 2FA, you protect your users’ accounts from phishing, brute force, data spoofing, keyloggers, man-in-the-middle, social engineering, and many other cyber attacks.

1. How Check Point VPN Two-Factor Authentication (2FA) Works

Two-factor authentication means using two different types of authenticators to get access to the Check Point account protected with 2FA.

  1. At first, the user enters a standard password and username (something the user knows);
  2. Then they enter a one-time password received with the help of a 2FA token or a smartphone (something the user owns).

Thus, when Check Point VPN 2FA is enabled, it becomes very hard to compromise both authentication factors at the same time, especially considering that a one-time password is valid for only 30 seconds.

This guide shows how you can set up Check Point 2FA via the RADIUS authentication protocol using the Protectimus Cloud Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform.

Check Point VPN 2FA (two-factor authentication) setup scheme

2. How to Enable Check Point VPN 2FA

You can set up Check Point VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Check Point VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Check Point VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server in Check Point

  1. Log into your Check Point Web UI account and navigate to the VPN tab.
  2. Under Remote Access, click Authentications Servers.
  3. Under RADIUS Servers, click Configure to add a new RADIUS server configuration.
  4. Configure the following settings to add a RADIUS Server.
     • IP address: IP of server where the Protectimus RADIUS Server component is installed.
     • Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
     • Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     • Timeout (in seconds): Set to 60 seconds.
  5. Then click Apply to continue.
  6. Click on the permissions for RADIUS users.
  7. Select Enable RADIUS authentication for Remote Access Users and click Apply.

Integration of two-factor authentication (2FA/MFA) for your Check Point VPN is now complete. If you have other questions, contact Protectimus customer support service.

SonicWall VPN 2FA

This guide describes how to set up two-factor authentication (2FA) for your SonicWall VPN solution with Protectimus as a multi-factor authentication (MFA) provider.

The Protectimus two-factor authentication system can be integrated with SonicWall SSL VPN via RADIUS authentication protocol. For this purpose, you need to install an on-premise Protectimus RADIUS Server component and configure the SonicWall Network Security Appliance to refer to the Protectimus RADIUS Server for user authentication.

See how Protectimus two-factor authentication solution works for SonicWall VPN in the scheme below.

How to set up Sonic Wall two-factor authentication with Protectimus

1. How Two-Factor Authentication for SonicWall VPN Works

Protectimus adds the second authentication factor to your users’ login to the SonicWall VPN. After you set up SonicWall VPN two-factor authentication, your users will enter two different authentication factors when they log into their SonicWall VPN accounts. These authentication factors are:
  1. Basic credentials – username and password (something the user knows).
  2. A one-time password generated with the help of a two-factor authentication token (something that belongs to the user).

Protectimus offers different kinds of two-factor authentication tokens for SonicWall:
  • Classic and programmable hardware OTP tokens that look like keyfobs and plastic cards;
  • 2-factor authentication app Protectimus SMART OTP on iOS and Android;
  • Any other 2-factor authentication apps that support TOTP auth standard, including Google Authenticator;
  • Delivery of one-time passwords using chatbots in Telegram, Messenger, or Viber;
  • SMS authentication;
  • Delivery of one-time passwords via email.

You may enable one authentication method for all your users, or let users choose a method themselves by activating the Protectimus Users’ Self-Service Portal.

Two-factor authentication protects SonicWall VPN from many threats associated with stealing users’ credentials, including phishing, social engineering, brute force, keyloggers, data spoofing, etc.

It is a challenging task for the fraudster to hack two authentication factors that differ in their nature (something the user knows and owns) and use them simultaneously within 30 seconds (the time when the one-time password remains active). That is why two-factor authentication is still one of the best security measures for SonicWall VPN.

2. How to Enable SonicWall VPN 2FA

You can set up SonicWall VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure SonicWall VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for SonicWall VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for SonicWall

Below you will find two instructions for adding Protectimus as RADIUS Server to the SonicWall Network Security Appliance:

2.3.1. SonicOS 6.2 and below

  1. Log into the SonicWall administrative interface.
  2. Navigate to Users –> Settings –> Authentication method for login and select RADIUS. Then click on Configure.
  3. Configure the following RADIUS Settings to add a RADIUS Server.
     • RADIUS Server Timeout: Set to 30 seconds or higher. This is to make sure that the user has enough time to receive the OTP and enter it.
     • Name or IP Address: IP of server where the Protectimus RADIUS Server component is installed.
     • Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     • Port Number: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
  4. Go to the RADIUS Users tab. Select the appropriate mechanism for setting user group membership, apply the settings, and test the configuration.

2.3.2. SonicOS 6.5 and above

  1. Log into the SonicWall administrative interface.
  2. Click MANAGE, navigate to Users –> Settings –> User authentication method and select RADIUS. Then click on CONFIGURE RADIUS.
  3. Click Add and then configure the following RADIUS Settings to add a RADIUS Server.
     • Host Name or IP Address: IP of server where the Protectimus RADIUS Server component is installed.
     • Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     • Confirm Shared Secret: Confirm your shared secret.
     • Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
  4. While still in RADIUS Servers Settings, switch to General Settings and set RADIUS Server Timeout to 30 seconds or higher.
  5. Go to the RADIUS Users tab. Select the appropriate mechanism for setting user group membership, click OK, and test the configuration.

Integration of two-factor authentication (2FA/MFA) for your SonicWall VPN is now complete. If you have other questions, contact Protectimus customer support service.

Palo Alto Networks VPN 2FA

This guide shows how to enable two-factor authentication (2FA / MFA) for Palo Alto Networks VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Palo Alto GlobalProtect VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Palo Alto GlobalProtect VPN 2FA performs as a RADIUS server, and the Palo Alto Networks VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Palo Alto Networks VPN two-factor authentication below.

How to set up Paloalto two-factor authentication with Protectimus

1. How Two-Factor Authentication (2FA) Works for Palo Alto Networks VPN

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), is a must-have security measure for Palo Alto GlobalProtect VPN. 2FA will protect Palo Alto GlobalProtect VPN logins from such threats as phishing, brute force, data spoofing, social engineering, keyloggers, man-in-the-middle attacks, etc.

And this is how two-factor authentication for Palo Alto GlobalProtect VPN works:

  1. When a user initiates login to the Palo Alto GlobalProtect VPN protected with two-factor authentication, first of all, they will enter the first authentication factor – their standard password and login (something they know).

  2. Then they will be asked to enter a second authentication factor – a one-time passcode from the two-factor authentication token (a 2FA token is something the user has – usually, it is a smartphone or a physical OTP token looking like a keyfob).

This way, to get access to the Palo Alto GlobalProtect VPN account protected with two-factor authentication, the fraudster has to get access to two authentication factors that differ in their nature. That is quite a challenging task. Moreover, a time-based one-time password remains active only for 30 seconds, which makes hacking way more complicated and almost impossible.

2. How to Enable Two-Factor Authentication (2FA) for Palo Alto Networks VPN

You can set up Palo Alto Networks VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Palo Alto Networks VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Palo Alto Global Protect VPN 2FA using RADIUS are available here.

2.3. Configure Palo Alto Networks RADIUS Server Profile

  1. Log in to the Palo Alto Networks administrative interface.
  2. On the Device tab, navigate to Server Profiles, then RADIUS.
  3. Click the Add button to add a new RADIUS server profile.
  4. In the Profile Name field, enter a name for your RADIUS server: Protectimus RADIUS or any other name you wish.
  5. Increase the Timeout to at least 30 seconds.
  6. Change the Authentication Protocol to PAP.

PLEASE NOTE! PAN-OS 7.x users must set the protocol in the CLI with this command:

    set authentication radius-auth-type pap

  7. Click on Servers –> Add button, to add a RADIUS server. After this, enter the below information:
     • Server: Type any name for your RADIUS server – enter Protectimus RADIUS or any other name you wish.
     • RADIUS Server: IP of server where the Protectimus RADIUS Server component is installed.
     • Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     • Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
  8. Click OK and save the new RADIUS server profile.

2.4. Create an Authentication Profile in Palo Alto Networks

  1. Go to the Device tab and navigate to Authentication Profile.
  2. Click on Add to create a new authentication profile.
  3. Enter the following data:
     • Name: Type PROTECTIMUS or choose any name you wish.
     • Type: Select RADIUS from the drop-down list.
     • Server Profile: Select Protectimus RADIUS from the drop-down list (or whatever name you used to create the RADIUS Server Profile in Step 2.3).
  4. Keep the rest of the options on the current screen as their defaults.
  5. Then click the Advanced tab and select the all group or choose a specific group to which this authentication profile will apply.
  6. Click OK and save the Authentication profile you have created.

2.5. Assign the Authentication Profile to the GlobalProtect Portal and/or Gateway.

You can configure multiple client authentication configurations for the Palo Alto GlobalProtect portal and gateways. For each client authentication configuration, you can specify the Authentication Profile to apply to endpoints of a specific OS.

This step describes how to add the Authentication Profile to the Palo Alto GlobalProtect VPN portal or gateway configuration. For additional details on setting up these components, see the Palo Alto Networks documentation on GlobalProtect Portals and GlobalProtect Gateways.

  1. Go to Network –> GlobalProtect –> Gateways or Portals.
  2. Click on your configured GlobalProtect Gateway to bring up the properties window.
  3. In the newly-opened window, select the Authentication tab.
  4. Select an SSL/TLS Service Profile or Add a new one.
  5. Depending on your configuration, click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.
  6. Fill in the Client Authentication form with the following information.
     • Name: Enter any descriptive name you wish.
     • OS: Any
     • Authentication Profile: Select the Authentication Profile you have created in Step 2.4.
  7. Click OK to save the configuration.

Integration of two-factor authentication (2FA/MFA) for your Palo Alto Networks VPN is now complete. If you have other questions, contact Protectimus customer support service.

FortiGate VPN 2FA

This guide shows how to enable Fortinet FortiGate VPN 2FA (two-factor authentication) via the RADIUS authentication protocol using Protectimus multi-factor authentication system.

Two-factor authentication is a must-have measure of cybersecurity, especially if we talk about VPN connection security. Set up 2-factor authentication for Forticlient VPN to protect your users’ accounts and sensitive corporate data from unauthorized access. 2FA for Fortinet FortiGate VPN is an effective tool against brute force, data spoofing, social engineering, phishing, keyloggers, man-in-the-middle attacks, etc.

1. How Fortinet FortiGate VPN Two-Factor Authentication (2FA) Works

Setting up two-factor authentication for the FortiGate VPN, you make your end users enter two different authentication factors to get access to their accounts.

  1. The first authentication factor is a standard password and login (something the user knows);
  2. The second authentication factor is a one-time code generated using an OTP token or a phone (something the user has).

With Fortinet FortiGate VPN 2FA enabled, it becomes very hard to get unauthorized access to the user account because it is almost impossible to hack both authentication factors simultaneously. And what makes the task even more challenging is that a one-time code is valid only for 30 seconds.

Below you will find detailed instructions showing how to set up Fortinet Fortigate VPN 2FA via RADIUS using the Protectimus Cloud Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform.

Fortigate VPN 2FA (two-factor authentication) setup scheme

2. How to Enable Fortinet FortiGate VPN 2FA

You can set up FortiGate VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure FortiGate VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Fortinet FortiGate 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Fortinet FortiGate 2FA

  1. Log in to your Fortinet FortiGate account and go to the Admin console.
  2. Navigate to User & Device –> RADIUS Servers, then choose Create New to start adding a new RADIUS Server.
  3. You will see a menu that allows you to add a new RADIUS Server.
  4. Configure the following RADIUS settings to add a RADIUS Server.
     • Name: Come up with a name for your RADIUS server.
     • Authentication Method: Click on Specify and then select PAP from the dropdown menu.
     • Primary Server IP / Name: IP of server where the Protectimus RADIUS Server component is installed.
     • Primary Server Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     • Secondary Server IP / Name: Optional
     • Secondary Server Secret: Optional
  5. Click Test Connectivity to make sure that the RADIUS Server IP address and shared secret you indicated above work and that the connection between FortiGate VPN and RADIUS Server is established.
  6. If everything looks good, click OK to save your settings.
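
Both the Palo Alto server profile and the FortiGate RADIUS settings above select PAP, so the password on the wire is protected only by the RADIUS shared secret. The following added example (not Protectimus or vendor code; function names and sample values are constructed here, packet layout per RFC 2865) shows how a RADIUS client hides the PAP password, how any holder of the secret recovers it, and how the client checks that a reply really came from the server.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else result   # always chain on the ciphertext block
        out += result
    return out


def hide_password(password, secret, authenticator):
    """What the VPN gateway (RADIUS client) does before sending a PAP password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server does; anyone holding the secret can do the same."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password attribute")
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(user, password, secret, ident, authenticator):
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value}; reject packets whose length fields are inconsistent."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("truncated or malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def verify_response(response, request_authenticator, secret):
    """Client side: accept a reply only if it was computed with the shared secret."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample, not a real secret
    request_auth = bytes(range(16))            # fixed for the demo; must be random per request
    request = build_access_request("alice", "constructed-password", secret, 1, request_auth)
    hidden = parse_attributes(request)[USER_PASSWORD]
    print("on the wire:", hidden.hex())
    print("server sees:", reveal_password(hidden, secret, request_auth))
    reply = build_response(ACCESS_ACCEPT, 1, request_auth, secret)
    print("reply verifies:", verify_response(reply, request_auth, secret))
```

Because the hiding is only an MD5 keystream keyed with the shared secret, the value set in radius.secret should be long and random, and RADIUS traffic between the gateway and the Protectimus RADIUS Server is best kept on a management network.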

2.4. Create a User Group

  1. Navigate to User & Device –> User Groups.
  2. To add a new group, click on Create New.
  3. Choose Firewall in Type. Then find the Remote Groups section, click Add, and select Protectimus Radius Server as the Remote Server.
  4. Save your settings – click OK.

2.5. Associate the User Group with the FortiGate VPN


PLEASE NOTE! Use an IPsec Wizard to add a new IPSec Tunnel if there is no configured one.

  1. Navigate to VPN –> IPSec Tunnels and choose the IPSec Tunnel you have configured.
  2. Click on Convert To Custom Tunnel if this IPSec Tunnel is not a custom tunnel yet.
  3. Go to the XAuth section and click Edit.
  4. Click on PAP Server in the Type dropdown menu.
  5. In the User Group dropdown, select the User Group you have created in Step 2.4.
  6. Click OK to save your settings.

2.6. Synchronize the Fortinet FortiGate Timeout with Protectimus RADIUS Server

  1. FortiGate VPN default timeout is 5 seconds, which is insufficient while setting up FortiGate VPN 2FA. You need to change the timeout to 30 Seconds.
  2. To do this, connect to the appliance CLI.
  3. And execute the commands that are shown below:
Configure the Fortinet Timeout with Protectimus RADIUS server

2.7. Test Protectimus 2FA setup for Fortinet VPN Login

  1. Log in to Forticlient and enter your Username and Password.
  2. You will be asked to enter a One-Time Password if you have enabled two-factor authentication for Fortigate VPN successfully.
  3. Enter your one-time code from the two-factor authentication token and you should get access to the Fortigate VPN.

PLEASE NOTE! When you configure an IPSec VPN connection in FortiClient, use the Pre-Shared key of the IPSec Tunnel that was created LAST. Fortinet may have issues if multiple IPSec Tunnels are present at FortiGate Server.

Integration of Fortinet FortiGate VPN 2FA is now complete. If you have other questions, contact Protectimus customer support service.