CentOS 2FA

With Protectimus multi-factor authentication (MFA) solution, you can set up CentOS two-factor authentication (2FA) in a few steps.

1. How CentOS Two-Factor Authentication (2FA) Works

After you enable CentOS 2FA, your users will need to use two authentication passwords to get access to their CentOS accounts:


  1. The first is a standard password (something the user keeps in memory);
  2. The second is a one-time password valid only for 30 or 60 seconds (the one-time password is generated with the help of a hardware OTP token or a 2FA app on a user’s phone – something that the user owns and has to carry with them).

This way, the CentOS account becomes protected with two different authentication factors. Even if an attacker steals the user’s password using phishing, brute force, social engineering, data spoofing, or any other attack, they can’t access the CentOS account without the one-time password from the user’s 2FA token.


This guide shows how you can set up CentOS two-factor authentication (2FA) using Protectimus RADIUS 2FA component for the integration with Protectimus Cloud 2FA service or Protectimus On-Premise MFA Platform.


CentOS 2FA (two-factor authentication) setup scheme

2. How to Enable CentOS Two-Factor Authentication (2FA)

You can set up CentOS two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
  2. Install Protectimus PAM module for CentOS 2FA
  3. Install and configure Protectimus RADIUS Server module.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install Protectimus PAM module for CentOS 2FA

yum -y install epel-release
yum -y install pam_radius
 

2.3. Install and configure Protectimus RADIUS Server

  1. Install protectimus-radius

git clone https://github.com/protectimus/platform-linux.git
cd platform-linux/radius
# edit config/radius.yml as described in the next step, then start the container
"${EDITOR:-vi}" config/radius.yml
docker compose up -d

  2. Configure the radius.yml file.

    Configure Protectimus RADIUS Server settings in the radius.yml file. It must be located in the same directory as the executable.

    You will find detailed instructions on available properties that you can add to the radius.yml file here.

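    An example radius.yml configuration:

radius:
  # RADIUS shared secret: replace this placeholder with your own value;
  # pam_radius.conf and every RADIUS client must use the same value
  secret: secret
  auth-port: 1812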

auth:
  #  Could be :
  #  - LDAP
  #  - PROTECTIMUS_PASSWORD
  #  - PROTECTIMUS_OTP
  #  - PROTECTIMUS_PUSH
  providers:
    - PROTECTIMUS_OTP

protectimus-api:
  login: [email protected]
  api-key: aslkjdljsdlaskmWpXjT5K0xqLXkd3
  url: https://api.protectimus.com/
  resource-name: radius
  resource-id: 723

  3. Edit the pam_radius config and set the shared secret (the same value as radius.secret in radius.yml)

    /etc/pam_radius.conf

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1

  4. Configure SSH to use challenge-response authentication

    /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

  5. Execute the command systemctl restart sshd

  6. Configure PAM for SSH to use RADIUS

    In /etc/pam.d/sshd, add the line auth required pam_radius_auth.so after the line auth substack password-auth:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
# protectimus pam radius: the second factor, checked after the password
auth       required     pam_radius_auth.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare


CentOS multi-factor authentication setup is now complete. If you have other questions, contact our customer support service.
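A check to run over the three files edited above, as an added example (not Protectimus code): it confirms that pam_radius_auth.so is mandatory and placed after password-auth, that the shared secret is not a placeholder, and that sshd cannot complete a login without reaching PAM. The function names, the placeholder list and the 16-character minimum are assumptions of this example.

```python
import re

# Constructed list of placeholder secrets; extend it with your own defaults.
PLACEHOLDERS = {"secret", "changeme", "password", "testing123"}
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def pam_auth_stack(text):
    """Return [(control, module)] for the auth lines of a pam.d service file."""
    matches = (AUTH_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def radius_servers(text):
    """Return [(server, secret)] from pam_radius.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            servers.append((fields[0], fields[1]))
    return servers


def sshd_options(text):
    """Global sshd_config options: first occurrence wins, Match blocks are skipped."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def audit(pam_sshd, pam_radius_conf, sshd_config, min_secret_len=16):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    stack = pam_auth_stack(pam_sshd)
    modules = [module for _, module in stack]
    if "pam_radius_auth.so" not in modules:
        findings.append("pam: pam_radius_auth.so is missing from the auth stack")
    else:
        pos = modules.index("pam_radius_auth.so")
        if stack[pos][0] not in ("required", "requisite"):
            findings.append("pam: pam_radius_auth.so is not required, so the OTP is optional")
        if "password-auth" not in modules[:pos]:
            findings.append("pam: pam_radius_auth.so does not come after password-auth")
        # A top-level 'sufficient' success ends the stack before RADIUS is asked.
        if any(control == "sufficient" for control, _ in stack[:pos]):
            findings.append("pam: a sufficient module precedes pam_radius_auth.so")

    servers = radius_servers(pam_radius_conf)
    if not servers:
        findings.append("radius: no server line in pam_radius.conf")
    for server, secret in servers:
        if secret.lower() in PLACEHOLDERS:
            findings.append("radius: %s uses a placeholder shared secret" % server)
        elif len(secret) < min_secret_len:  # 16 is this example's assumption
            findings.append("radius: %s shared secret is under %d characters"
                            % (server, min_secret_len))

    opts = sshd_options(sshd_config)
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication"))
    if kbd != "yes":
        findings.append("sshd: challenge-response authentication is not set to yes")
    # Public-key logins never call the PAM auth stack, so they never reach RADIUS.
    alternatives = opts.get("authenticationmethods", "any").split()
    if opts.get("pubkeyauthentication", "yes") != "no" and any(
            "keyboard-interactive" not in alt for alt in alternatives):
        findings.append("sshd: public-key logins are accepted without the OTP")
    return findings


# The file contents as shown in this guide (sshd_config reduced to the one line it sets).
PAGE_PAM = """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_radius_auth.so
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
"""
PAGE_RADIUS = "# server[:port] shared_secret      timeout (s)\n127.0.0.1       secret             1\n"
PAGE_SSHD = "ChallengeResponseAuthentication yes\n"

if __name__ == "__main__":
    for finding in audit(PAGE_PAM, PAGE_RADIUS, PAGE_SSHD):
        print(finding)
```

On a real host, pass the contents of /etc/pam.d/sshd, /etc/pam_radius.conf and /etc/ssh/sshd_config; the guide's sample values produce two findings, the placeholder secret and the public-key path.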

VMware Horizon View 2FA

This guide shows how you can set up VMware Horizon View two-factor authentication (2FA) via RADIUS using the Protectimus multi-factor authentication system.

Protectimus two-factor authentication system integrates with VMware Horizon View via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server via a special connector Protectimus RADIUS Server, and the VMware Horizon View performs as a RADIUS client.

The Protectimus RADIUS Server connector transfers authentication requests from the VMware Horizon View to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.

Below is an example of integration of the Protectimus 2FA solution with VMware Horizon View.

Protectimus VMware Horizon View 2FA integration via RADIUS - scheme

1. How to Enable Two-Factor Authentication for VMware Horizon View

You can set up multi-factor authentication (2FA) for VMware Horizon View with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for VMware Horizon View.

2. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.
 

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for VMware Horizon View two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for VMware Horizon View 2FA

  1. Log into the VMware Horizon View admin panel.
  2. Navigate to Settings and then click Servers.
  3. Select the Connection Servers tab.

How to set up VMware Horizon 2FA via RADIUS -  step1
  4. Select the necessary connection server, and after that click the Edit button.

How to enable VMware Horizon View 2FA via RADIUS -  step1
  5. Navigate to the Authentication tab.
  6. Then go to the Advanced Authentication section and select RADIUS in the 2-factor authentication dropdown.
  7. Check the box Enforce 2-factor and Windows user name matching.
  8. Find the Authenticator dropdown, and select Create New Authenticator.

How to enable VMware Horizon View MFA via RADIUS - step 3
  9. You will see an Add RADIUS Authenticator form. Navigate to the Client Customization page and enter any name for your new RADIUS server (e.g. Protectimus). Then click Next.
  10. On the Primary Authentication Server page, fill in the required information referring to the table and image below.

    Hostname/Address: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
    Authentication Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    Accounting Port: Leave the default value.
    Authentication Type: PAP.
    Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    Server Timeout: Set to 60.
    Max Attempts: Set to 5.

How to enable VMware Horizon View two-factor authentication via RADIUS -  step 4
  11. For all other fields, leave the default values. Then click Next.
  12. Add a Secondary Authentication Server if you wish (it is optional), and click Finish to complete creating the RADIUS server.
  13. We recommend you review the Advanced Authentication section:
    • check if the RADIUS server you have just created (Protectimus) is selected in the Authenticator dropdown;
    • make sure that you have checked the box Enforce 2-factor and Windows user name matching.

How to set up VMware Horizon multi-factor authentication via RADIUS -  step1
Integration of two-factor authentication (2FA/MFA) for your VMware Horizon View is now complete. If you have other questions, contact Protectimus customer support service.
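The RADIUS client settings in these guides select PAP and a shared secret, so the shared secret is the only thing hiding the typed password or one-time code on the wire and the only thing authenticating the server's reply. The added example below (not Protectimus or vendor code; function names, the user name and the secrets are constructed for this example) implements the RFC 2865 User-Password hiding and the Response Authenticator check that a RADIUS client performs.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def _keystream(secret, prev):
    # RFC 2865 5.2: each 16-byte block is masked with MD5(secret + previous block).
    return hashlib.md5(secret + prev).digest()


def hide_password(password, secret, request_auth):
    """Client side: hide the User-Password value with the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        hidden += prev
    return hidden


def unhide_password(hidden, secret, request_auth):
    """Server side: the same shared secret recovers the value."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(username, password, secret, identifier, request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Client side: accept a reply only if its authenticator matches the shared secret."""
    if len(packet) < 20:
        return False
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        return False
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    packet, auth = build_access_request(b"alice", b"123456", secret, identifier=7)
    print("request:", packet.hex())
    reply = build_response(ACCESS_ACCEPT, 7, b"", auth, secret)
    print("reply verifies with the right secret:", verify_response(reply, auth, secret))
    print("reply verifies with 'secret':", verify_response(reply, auth, b"secret"))
```

Nothing else in a PAP exchange is encrypted, which is why the shared secret should be long, random and different from the `secret` placeholder shown in the sample radius.yml.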

F5 BIG-IP APM VPN 2FA

This guide shows how to enable multi-factor authentication (MFA / 2FA) for F5 BIG-IP APM VPN with the help of the Protectimus two-factor authentication system.

Protectimus two-factor authentication system integrates with F5 BIG-IP APM VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server, and the F5 BIG-IP VPN acts as a RADIUS client.

The scheme of work of the Protectimus solution for F5 BIG-IP APM VPN 2FA is presented below.

F5 BIG-IP APM VPN 2FA setup via RADIUS

1. How F5 BIG-IP APM VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for F5 BIG-IP APM VPN allows you to add an extra layer of security to your F5 BIG-IP VPN logins.

When you add 2FA/MFA for F5 VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an F5 BIG-IP APM VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for F5 BIG-IP APM VPN

You can set up multi-factor authentication (2FA) for F5 BIG-IP VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.
 

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for F5 BIG-IP APM VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN 2FA

  1. Log into the F5 BIG-IP administrator dashboard.
  2. Navigate to Access –> Authentication –> RADIUS.

How to add two-factor authentication to F5 BIG-IP APM
  3. Click the Create… button to add a new RADIUS server.
  4. Then fill in the form referring to the table and image below, and click Finished to save your settings.

    Name: Type any name for your RADIUS server – enter Protectimus_RADIUS_Server or any other name you wish.
    Mode: Authentication
    Server Connection: Direct
    Server Address: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
    Authentication Service Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    Confirm Secret: Confirm the shared secret.
    Timeout: Set to 180 seconds.
    Retries: Set to 3.
    Character Set: Set to UTF-8.
    Service Type: Default.

How to add multi-factor authentication to F5 BIG-IP APM - step 2

2.4. Modify the F5 BIG-IP APM Access Policy

  1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies).

How to set up F5 BIG-IP APM 2FA - step 3
  2. Click Edit… to modify your F5 BIG-IP APM access policy.

How to set up F5 BIG-IP APM MFA - step 4
  3. You will see the Access Policy editor. Click + (Plus) on the arrow to the right of the Logon Page.

How to set up F5 BIG-IP APM two-factor auth - step 5
  4. In a new window, select the Authentication tab. Then select RADIUS Auth and click the Add Item button.

How to set up F5 BIG-IP APM two-factor authentication - step 6
  5. In the AAA Server dropdown, select Protectimus_RADIUS_Server – the server you have created previously. Then click Save to save the changes.

How to set up F5 BIG-IP APM 2FA - step 7
PLEASE NOTE!
If you have a former authentication method (e.g. Active Directory) you can either remove it or keep it.
You can keep your former authentication method and use Protectimus after or before that authentication method.
To remove it, click X, select Connect previous node to Successful branch, and click Delete.
  6. Click Close to return to the Access Profiles page. Check your profile and click Apply. The status flag next to your profile should change to green.

Integration of two-factor authentication (2FA/MFA) for your F5 BIG-IP APM VPN is now complete. If you have other questions, contact Protectimus customer support service.

Array AG SSL VPN 2FA

This guide shows how to enable two-factor authentication (2FA / MFA) for Array AG SSL VPN with the help of the Protectimus multi-factor authentication system.

Protectimus multi-factor authentication system integrates with Array AG SSL VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Array VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for Array VPN 2FA is presented below.

Array VPN 2FA setup via RADIUS

1. How Array VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for Array AG SSL VPN allows you to add an extra layer of security to your Array VPN logins.

When you add 2FA/MFA for Array VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an Array VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for Array AG SSL VPN

You can set up multi-factor authentication (2FA) for Array VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for Array AG SSL VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Array VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Array VPN 2FA

  1. Log in to the Array VPN administration panel.
  2. Change the mode to Config.
  3. Navigate to the Virtual Site using the dropdown in the upper left corner.
  4. Find the Site Configuration menu on the left and click on AAA.
  5. Open the General tab and check Enable AAA.

Array VPN 2FA setup via RADIUS - step 1
  6. Navigate to the Server tab and click RADIUS.
  7. Enter the Server Name (e.g. Protectimus RADIUS Server). You can also add a Description. Then click Add.

Array VPN MFA setup via RADIUS - step 1
  8. The newly added server will appear on the list of servers. Open Advanced RADIUS Server Configuration by double-clicking the name of your RADIUS server.
  9. Click Add RADIUS Server on the Advanced RADIUS Server Configuration page. Fill in the form referring to the table and image below, and click Save.

    Server IP: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
    Server Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    Secret Password: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    Timeout: Set to 180 seconds.
    Redundancy Order: Set to 1 if this is your first RADIUS server.
    Retries: Set to 3.
    Accounting Port: Set to 1813.

Array VPN two-factor authentication setup via RADIUS - step 3
  10. Go to the Method tab and click Add Method.
  11. Enter the Method Name (e.g. Protectimus) and Method Description (e.g. Protectimus RADIUS Server). Then select the AAA server in Authentication. The AAA server is the server you created earlier (Protectimus RADIUS Server).
  12. Click Save. The method you just created will appear in the table on the Method tab.

Array VPN 2-factor authentication setup via RADIUS - step 4
  13. Find the AAA Method for Mobile VPN Clients dropdown and select the method you created (Protectimus).

Array VPN multi-factor authentication setup via RADIUS - step 4
  14. Go to the top right corner of the Array VPN administration panel and click Save Configuration.

Array AG SSL VPN 2FA setup via RADIUS - step 6
Integration of two-factor authentication (2FA/MFA) for your Array AG SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

WatchGuard Mobile VPN 2FA

This guide shows how to enable multi-factor authentication (2FA / MFA) for WatchGuard Mobile VPN with the help of the Protectimus two-factor authentication solution.

Protectimus multi-factor authentication system integrates with WatchGuard Mobile VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the WatchGuard Mobile VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for WatchGuard Mobile VPN two-factor authentication is presented below.

WatchGuard Mobile VPN 2FA setup via RADIUS

1. How WatchGuard Mobile VPN 2FA Works

Protectimus Two-Factor Authentication Solution for WatchGuard Mobile VPN allows you to add an extra layer of security to your WatchGuard VPN logins.

Protectimus WatchGuard Mobile VPN 2FA Solution enables 2-factor authentication during WatchGuard connections via IPSec and SSL.

When you add 2FA/MFA for WatchGuard Mobile VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a WatchGuard Mobile VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for WatchGuard Mobile VPN

You can set up multi-factor authentication (2FA) for WatchGuard Mobile VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA.
  4. Configure WatchGuard Mobile VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for WatchGuard Mobile VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA

  1. Log in to the WatchGuard Firebox Admin Panel (Fireware Web UI).
  2. Navigate to Authentication –> Servers –> RADIUS.
WatchGuard Mobile VPN 2FA setup via RADIUS - step 1
  3. Click Add.
WatchGuard Mobile VPN MFA setup via RADIUS - step 2
  4. Fill in the required fields in the Primary Server Settings tab. Please refer to the following table and image.

    Domain Name: Come up with a name for your RADIUS domain, e.g. Protectimus RADIUS Server. Note that you cannot change the Domain Name after you save the settings.
    Enable RADIUS Server: Check the box.
    IP Address: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
    Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    Confirm Secret: Reenter the shared secret.
    Timeout: Set to 60 seconds.
    Retries: Set to 3.
    Dead Time: Set to 10 minutes.
    Group Attribute: Set to 11.
WatchGuard Mobile VPN two-factor authentication setup via RADIUS - step 3
  5. Click Save to save your settings.

2.4. Configure WatchGuard Mobile VPN with SSL or IPSec

  1. In the WatchGuard Firebox Admin Panel left pane, click VPN –> Mobile VPN.
  2. Then navigate to the SSL or IPSec section, whichever method suits you best, and follow the instructions below.
WatchGuard Mobile VPN 2FA setup via RADIUS - step 4

2.4.1. Configure WatchGuard Mobile VPN with SSL

PLEASE NOTE! To enable 2FA for SSL Mobile VPN, you need to manually add all your users to WatchGuard VPN and then allow them to use SSL VPN.
  1. Go to Authentication –> Users and Groups. Then click ADD to add a new user.
How to Configure WatchGuard Mobile VPN with SSL - step 1
  2. In Add User or Group, enter the name of the user and select the Authentication Server. Refer to the following table and image.

    Type: User
    Name: Enter the username.
    Description: Optional, you can enter a description of the user if you want.
    Authentication Server: Select the server you have created before (Protectimus RADIUS Server).

How to Configure WatchGuard Mobile VPN with SSL - step 2
  3. Other options are optional. Click OK and then click Save in the main list of all groups and users to confirm the new user.
PLEASE NOTE! You need to do the above three steps for every user you want to allow to use Mobile VPN with SSL.

  4. After you add all your users, click VPN –> Mobile VPN. Then, go to the SSL section and click CONFIGURE.
How to Configure WatchGuard Mobile VPN with SSL - step 4
  5. Select the Authentication tab.
  6. In AUTHENTICATION SERVERS, select the server you have created before (Protectimus RADIUS Server) and click ADD.
  7. Then, select it on the list of authentication servers and click MOVE UP to make it default.
How to Configure WatchGuard Mobile VPN with SSL - step 5
  8. In Users and Groups, select the groups and users you want to allow to use SSL VPN.
  9. Click SAVE to confirm and save your settings.

2.4.2. Configure WatchGuard Mobile VPN with IPSec

  1. Navigate to VPN –> Mobile VPN. Then, go to the IPSec section and click CONFIGURE.
How to Configure WatchGuard Mobile VPN with IPSec - step 1
  2. In the Groups section, select your profile and click EDIT.
How to Configure WatchGuard Mobile VPN with IPSec - step 2
  3. Select the General tab.
  4. In the Authentication Server dropdown, select the server you have created before (Protectimus RADIUS Server). It has the Domain Name you set when configuring Protectimus as RADIUS Server.
How to Configure WatchGuard Mobile VPN with IPSec - step 3
  5. Click SAVE to confirm and save your settings.

Integration of two-factor authentication (2FA/MFA) for your WatchGuard Mobile VPN is now complete. If you have other questions, contact Protectimus customer support service.

Pulse Connect Secure SSL VPN 2FA

This guide shows how to enable multi-factor authentication (2FA / MFA) for users logging in to Pulse Connect Secure SSL VPN with the help of the Protectimus two-factor authentication solution for Pulse Connect Secure SSL VPN.

Protectimus’s two-factor authentication system integrates with Pulse Connect Secure SSL VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Pulse Connect Secure SSL VPN takes the role of a RADIUS client.

You will find the scheme of work of the Protectimus solution for Pulse Connect Secure SSL VPN two-factor authentication below.

2FA/MFA for Pulse Connect Secure SSL VPN via RADIUS

1. How 2FA for Pulse Connect Secure SSL VPN Works

Two-factor authentication (2FA / MFA) protects the Pulse Connect Secure SSL VPN user accounts from phishing, brute force, keyloggers, man-in-the-middle attacks, data spoofing, social engineering, and other similar hacking tricks.

When you enable 2FA/MFA for Pulse Connect Secure SSL VPN, Pulse Secure VPN users will use two different authentication factors to get access to their accounts.
  1. The first factor is username and password (something they know);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or a 2FA app (something they own).

To hack a Pulse Connect Secure SSL VPN user account protected with two-factor authentication, a hacker needs both passwords at once. Moreover, a hacker has only 30 seconds to crack and use a time-based one-time password. It is almost impossible to fulfill these conditions, which makes two-factor authentication so effective.

2. How to Enable 2FA for Pulse Connect Secure SSL VPN

You can set up two-factor authentication (2FA) for Pulse Connect Secure SSL VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Pulse Connect Secure SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Pulse Connect Secure SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Pulse Connect Secure SSL VPN

  1. Log into the Pulse Secure administration panel.
  2. Navigate to Authentication –> Auth. Servers.
How to set up 2FA/MFA for Pulse Connect Secure SSL VPN - step 2
  3. Select RADIUS Server in the dropdown, and click New Server….
How to set up MFA for Pulse Connect Secure SSL VPN - step 3
  4. Fill in the required fields in the Settings tab. Please refer to the following table and image.

    Name: Come up with a name for your RADIUS server, e.g. Protectimus Server.
    RADIUS Server: Enter the IP of the server where the Protectimus RADIUS Server component is installed.
    Authentication Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    Shared Secret: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    Timeout: Set to 180 seconds.
    Retries: Set to 3.
How to set up two-factor authentication for Pulse Connect Secure SSL VPN - step 4
  5. Keep default values of all other fields and click Save Changes.
  6. Navigate to Users –> User Realms –> New User Realm….
How to set up 2-factor authentication for Pulse Connect Secure SSL VPN - step 6
  7. Come up with a Name for your new realm, e.g. Protectimus Server.
  8. Select the previously created authentication server (Protectimus Server) in the Authentication dropdown.
  9. Click Save Changes.
How to set up multi-factor authentication for Pulse Connect Secure SSL VPN - step 7
  10. Navigate to Authentication Policy –> Password.
  11. Select Allow all users (passwords of any length) and click Save Changes.
How to set up multi-factor auth for Pulse Connect Secure SSL VPN - step 10
  12. Go to the Role Mapping tab and click New Rule….
How to set up  two-factor auth for Pulse Connect Secure SSL VPN - step 12
  13. Come up with the name for a new rule, e.g. Protectimus Rule.
  14. Set Rule:If username… to is *.
  15. Assign a Users role. Select Users on the Available Roles list and click Add –>.
  16. Click Save Changes.
How to set up  2FA for Pulse Connect Secure SSL VPN - step 13
  17. Navigate to Authentication –> Signing In –> Sign-in Policies.
How to set up  MFA for Pulse Connect Secure SSL VPN - step 17
  18. Click the */ URL in the User URLs table.
  19. Select User picks from a list of authentication realms and select the Protectimus Server realm you have created before. To do this, just select Protectimus Server on the Available realms list and click Add –>.
  20. Click Save Changes.
How to set up two-factor authentication for Pulse Connect Secure SSL VPN - step 19

Integration of multi-factor authentication for Pulse Connect Secure SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

Aruba ClearPass 2FA

This guide shows how to set up two-factor authentication for Aruba switches. This requires Aruba ClearPass to be integrated with Protectimus’ Multi-Factor Authentication (MFA) solution. You can use the Protectimus Cloud MFA Service or the Protectimus On-Prem MFA platform, which should be installed in the client’s environment or private cloud.

The Protectimus Two-Factor Authentication Server communicates with Aruba network equipment using the RADIUS authentication protocol. The Protectimus RADIUS Server component acts as a RADIUS server:
  1. It accepts an incoming RADIUS authentication request.
  2. Then, it accesses the user store (Active Directory, etc.) to confirm the user’s login and password.
  3. The next step is to check the one-time password. To do this, Protectimus RADIUS Server contacts the Protectimus two-factor authentication server.
  4. If both authentication factors are correct, Protectimus RADIUS Server allows the user to connect to the Aruba switch.

The diagram below shows how the Protectimus two-factor authentication solution for Aruba network equipment works.

MFA Aruba Switch - how to enable via RADIUS

1. How Aruba Switches Two-Factor Authentication (2FA) Works

Two-factor authentication (2FA / MFA) protects user accounts from attacks such as brute force, phishing, keyloggers, man-in-the-middle, social engineering, data spoofing, etc.

After you set up two-factor authentication for Aruba switches, users will need two different authentication factors to connect to Aruba networking equipment.
  1. The first factor is login and password (what the user knows);
  2. The second factor is a one-time password generated using a hardware OTP token or a smartphone (which belongs to the user).
To hack a user account, an attacker must get access to two passwords at once, which is almost impossible. At the same time, the attacker has only 30 seconds to crack and use one of these passwords.

2. How to Enable MFA for Aruba Switch

You can set up Aruba Switch two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for your Aruba Switch.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Aruba switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Aruba Switch

There are two options to configure multi-factor authentication for Aruba switch via RADIUS:
  • WebUI configuration. Available for the older versions of Aruba ClearPass.
  • CLI configuration. Newer versions of Aruba switches can be configured only through the configuration console.
Follow only the steps of the method you choose.

How to configure MFA for Aruba switch via WebUI
  1. In the Aruba Networks ClearPass WebUI Console, go to Configuration –> Security –> Authentication –> Servers.
  2. Select RADIUS Server to display the RADIUS Server List.
  3. Provide a Name for the new server, e.g. Protectimus, and click Add.
  4. Select the name to configure the parameters, such as IP Address; and then check Mode to activate the server.
  5. Click Apply.
  6. Select Server Group to display the Server Group List.
  7. Provide a Name for the new server group, e.g. corp_radius, and click Add.
  8. Select the name to configure the parameters.
  9. Under Servers, select New to add a server to the group.
  10. Select the server (i.e. Protectimus) from the dropdown menu and click Add Server.
  11. Click Apply.
  12. Go to Configuration –> Management –> Administration.
  13. Under Management Authentication Servers, select a management role, e.g. root, for the Default Role.
  14. Check Mode to activate.
  15. For the Server Group, select the newly created group, i.e. corp_radius.
  16. Click Apply.

How to configure MFA for Aruba switch via CLI

How to Add New RADIUS Server
aaa authentication-server radius Protectimus
  host <ipaddr>
  enable

How to Add New Server Group
aaa server-group corp_radius
  auth-server Protectimus

How to Define Role for Server Group
aaa authentication mgmt
  default-role root
  enable
  server-group corp_radius

Integration of two-factor authentication (2FA/MFA) for your Aruba ClearPass is now complete. If you have other questions, contact Protectimus customer support service.

Barracuda SSL VPN 2FA

This Barracuda SSL VPN 2FA guide shows how to enable two-factor authentication (2FA / MFA) for Barracuda SSL VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Barracuda SSL VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to Barracuda SSL VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Barracuda VPN 2FA acts as a RADIUS server, and the Barracuda SSL VPN takes the role of a RADIUS client. The diagram below shows how the Protectimus solution for Barracuda SSL VPN two-factor authentication works.

How to set up Barracuda SSL VPN two-factor authentication via RADIUS

1. How Barracuda SSL VPN Two-Factor Authentication (2FA) Works

Setting up two-factor authentication for Barracuda SSL VPN means that your users will have to enter two different factors of authentication when they get access to their accounts.

  1. The first 2FA factor is a username and password (something the user knows);
  2. The second 2FA factor is a time-based one-time password generated with the help of an OTP token or an app on a phone (something the user owns). A one-time password remains valid only for 30 seconds.

It is very hard to get unauthorized access to a Barracuda SSL VPN account protected with multi-factor authentication. A hacker has to get two passwords of different natures and use them simultaneously. Moreover, he has only 30 seconds to hack and use a one-time passcode, which complicates the task even further and makes it almost impossible.

Two-factor authentication (2FA / MFA) is an effective protection measure against such cybersecurity threats as phishing, keylogging, social engineering, brute force, MITM attacks, data spoofing, etc.

2. How to Enable Barracuda SSL VPN 2FA

You can set up Barracuda SSL VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Barracuda SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Barracuda SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Barracuda SSL VPN

  1. Log in to Barracuda VPN interface.
  2. Navigate to Users –> External Authentication.
How to set up Barracuda SSL VPN 2FA via RADIUS - step 1
  3. Select RADIUS and configure the following RADIUS settings to add a RADIUS Server. After that, click Save to save the changes.
     • Server Address: IP of server where the Protectimus RADIUS Server component is installed.
     • Server Port: Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
     • Server Key: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
     • Group Attribute: Keep the default value.
     • Group Attribute Delimiter: Keep the default value.
     • NAS ID: If your RADIUS server requires NAS credentials to be set, enter the NAS identifier.
     • NAS IP Address: If your RADIUS server requires NAS credentials to be set, enter the NAS IP Address.
     • NAS IP Port: If your RADIUS server requires NAS credentials to be set, enter the NAS IP Port.
     • Group Information From: Set to blank/empty.
How to set up Barracuda SSL VPN MFA via RADIUS - step 2
  4. Navigate to VPN –> SSL VPN.
How to set up Barracuda SSL VPN two-factor authentication via RADIUS - step 3
  5. Go to the Authentication section. Select RADIUS in User Authentication. Click Save.
How to set up Barracuda SSL VPN multi-factor authentication via RADIUS - step 4
Integration of two-factor authentication (2FA/MFA) for your Barracuda SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

MikroTik VPN 2FA

This guide describes how to enable Protectimus Two-Factor Authentication (2FA) for users connecting to MikroTik VPN.

The Protectimus two-factor authentication system can be integrated with MikroTik VPN via RADIUS authentication protocol. For this purpose, you need to install an on-premise Protectimus RADIUS Server component and configure the MikroTik VPN to refer to the Protectimus RADIUS Server for user authentication.

See how Protectimus two-factor authentication solution works for MikroTik VPN in the scheme below.

How to set up MikroTik two-factor authentication via RADIUS

1. How MikroTik VPN Two-Factor Authentication (2FA) Works

After integrating MikroTik VPN with the Protectimus MFA system, your users will need to pass two stages of authentication to connect to MikroTik VPN:
  1. Enter their username and password.
  2. Enter the one-time passcode, which is only valid for 30 seconds.

To generate one-time passcodes, the following types of two-factor authentication tokens will be available to your users:
  • Classic and programmable hardware OTP tokens that look like keyfobs and plastic cards;
  • 2-factor authentication app Protectimus SMART OTP on iOS and Android;
  • Any other 2-factor authentication apps that support TOTP auth standard, including Google Authenticator;
  • Delivery of one-time passwords using chatbots in Telegram, Messenger, or Viber;
  • SMS authentication;
  • Delivery of one-time passwords via email.

It is a challenging task for the intruder to hack two authentication factors that differ in their nature (something the user knows and owns) and use them simultaneously within 30 seconds (the time when the one-time password remains active). That is why two-factor authentication is one of the best security measures for MikroTik VPN.

2. How to Enable MikroTik VPN 2FA

You can set up MikroTik VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure MikroTik VPN Client.
  4. Configure Windows VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for MikroTik VPN 2-factor authentication using RADIUS are available here.

2.3. Configure MikroTik VPN Client

  1. Open Webfig.
  2. Navigate to the menu on the left, and select the RADIUS tab.
  3. Click Add New to configure your Protectimus RADIUS Server as a RADIUS server.
  4. Check ppp and ipsec in the Service section.
  5. Check login in the Service section.
  6. Indicate the IP of the server where the Protectimus RADIUS Server is installed.
  7. Set Protocol to udp.
  8. Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property).
  9. Change the default timeout to 30000 ms or higher.
  10. Click OK to save your settings.
MikroTik VPN 2FA setup - step 1
  11. Navigate to the menu on the left, and select the PPP tab.
  12. Select the Interface tab and then click PPTP Server, SSTP Server, L2TP Server, or OVPN Server depending on which one you are using.
  13. Check pap and uncheck every other checkbox in Authentication. Click OK.
  14. Select the Secrets tab, and click the PPP Authentication & Accounting button.
MikroTik VPN two-factor authentication setup - step 2
  15. Check Use Radius, and click OK to finish the configuration and enable Protectimus two-factor authentication in your VPN.

2.4. Configure Windows VPN

  1. On your Windows operating system, go to Settings –> Network & Internet –> VPN and select Add a VPN connection.
  2. Fill in the form and click Save. Refer to the following image and table.
     • VPN Provider: Windows (in-built)
     • Connection name: MikroTik
     • Server name or address: Enter the IP address of your server
     • VPN type: Select your VPN Type. We chose L2TP/IPsec with pre-shared key, but you have to select the one you use in MikroTik.
     • Pre-shared key: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
     • Type of sign-in info: User name and password
     • User name (optional): Your user name
     • Password (optional): Your password

Windows VPN setup - step 1
  3. Go to Control Panel → Network and Sharing Center and select Change adapter options.
  4. Right-click your newly-created MikroTik connection and select Properties.
  5. Select the Security tab.
  6. Select Allow these protocols and then check the Unencrypted password (PAP) checkbox.
  7. Then click OK to save the changes.
Windows VPN setup - step 2
Integration of two-factor authentication (2FA/MFA) for your MikroTik VPN is now complete. If you have other questions, contact Protectimus customer support service.

TOTP tokens for EVV

We suggest using TOTP hardware tokens for Electronic Visit Verification (EVV). Protectimus EVV solution based on the TOTP algorithm allows identifying the exact time of visits using one-time passwords from TOTP tokens.

TOTP tokens for Electronic Visit Verification (EVV) are a super easy and effective EVV method both for homecare personnel and people receiving help at home.

Hardware TOTP tokens for EVV look like keyfobs and don’t require installation, internet connection, or electricity to work. It’s enough to give the TOTP token device to the care receiver and ask the homecare worker to write down one-time codes from the EVV TOTP token at the beginning and the end of their visits. Then the one-time codes are transferred to the Protectimus EVV solution via API, and Protectimus returns the precise time when every OTP code was generated.

This guide shows how to integrate the Protectimus EVV solution with your Electronic Visit Verification system.

1. How the Protectimus TOTP Tokens Work for Electronic Visit Verification (EVV)

The Time-Based One-Time Password generation algorithm (TOTP) allows us to calculate the time when every one-time code was generated with an accuracy of 30 or 60 seconds, depending on the type of TOTP token you choose. We highly recommend using TOTP tokens with 60 second time step for EVV because of the problem of matching OTPs that occurs with 30-second time step tokens. We’ll describe this issue in detail below.

The TOTP algorithm for EVV works like this:
  • The patient gets the hardware TOTP token. The EVV TOTP token has a built-in clock and a unique pre-programmed shared secret.
  • The same shared secret is known to the Protectimus EVV system, which verifies the one-time passwords and calculates the time when these OTPs were generated.

So the scenario of using Protectimus TOTP tokens for Electronic Visit Verification (EVV) looks like this:
  1. The caregiver visits the patient and writes down two one-time passwords from the OTP token: before and after the visit.
  2. Then the caregiver enters these one-time codes into the Electronic Visit Verification System to confirm they conducted the visit.
  3. The Electronic Visit Verification System turns to the Protectimus EVV server to calculate the time of the visit.
  4. Knowing the shared secret, the Protectimus EVV server generates one-time passwords for the previous day/week/month and calculates the time of generation of certain OTPs. This way, we find out when the caregiver visited the patient.

2. The Problem of Coinciding One-Time Passwords in EVV

PLEASE NOTE! We recommend 8-digit TOTP tokens with 60 seconds time steps for Electronic Visit Verification (EVV).
There is a limit to the number of combinations consisting of 6 digits. And this limit is not very large.

Over a long period (a week or a month), the numeric values of one-time passwords will inevitably repeat. Two one-time passwords generated at different times will match. It may complicate the recognition of the exact time of OTP generation.

To reduce this problem, it is better to use TOTP tokens with a larger number of characters and larger time intervals. We recommend 8-digit TOTP tokens with 60 seconds time steps for Electronic Visit Verification (EVV).
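The lookup described in sections 1 and 2, as an added example (not Protectimus code): it maps a written-down OTP back to the time step that produced it and counts how many steps in a window share their OTP with another step. HMAC-SHA1 per RFC 6238, the RFC test secret and all function names are assumptions; the page does not state which hash its tokens use.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Constructed sample input: the RFC 6238 Appendix B test secret, not a real token secret.
RFC_SECRET = b"12345678901234567890"


def totp(secret, unix_time, digits=8, step=60):
    """RFC 6238 TOTP (HMAC-SHA1 assumed) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def generation_times(secret, otp, window_start, window_end, digits=8, step=60):
    """Start time of every step in [window_start, window_end] whose OTP equals otp.

    More than one result means the OTP alone cannot pinpoint the visit time.
    """
    first, last = window_start // step, window_end // step
    return [t * step for t in range(first, last + 1)
            if totp(secret, t * step, digits, step) == otp]


def ambiguous_steps(secret, window_start, window_end, digits, step):
    """Number of steps in the window whose OTP also occurs at another step."""
    counts = Counter(totp(secret, t * step, digits, step)
                     for t in range(window_start // step, window_end // step + 1))
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    start = 1111111080  # constructed visit time, aligned to a 30-second step
    code = totp(RFC_SECRET, start + 29, digits=8, step=30)
    print(code, generation_times(RFC_SECRET, code, start - 3600, start + 3600, 8, 30))

    month = 30 * 86400
    print("6 digits / 30 s:", ambiguous_steps(RFC_SECRET, start, start + month, 6, 30))
    print("8 digits / 60 s:", ambiguous_steps(RFC_SECRET, start, start + month, 8, 60))
```

Keeping the search window as narrow as the visit schedule allows reduces the chance that generation_times returns more than one candidate.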

3. How to Integrate Protectimus EVV with Your Electronic Visit Verification System

3.1. Get Registered and Add Tokens to the Protectimus Cloud Service or On-Prem Platform

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.
  2. Add Tokens. To do this, log into your account in Protectimus SAAS Service or On-Premise Platform and go to the Tokens page.
Protectimus 2FA system setup - Tokens tab
  3. Click the Add Token button.
  4. Select the Token Protectimus Two.
  5. Upload the file that will be sent to you after you order the TOTP tokens for EVV.

3.2. Use Protectimus API to Integrate Protectimus with Your Electronic Visit Verification System

PLEASE NOTE! You can use our Postman Collection for quicker integration. A Postman Collection is available upon request. Please, contact our support team.
Protectimus API’s design is based on the REST principles. Data is transmitted in the XML format or the JSON format. Parameter values are identical in these formats. By default, responses are transmitted in the XML format.

Detailed API Integration Instructions are available here.

3.2.1. Authorization

The Protectimus API is only accessible to authorized users. Our solution uses Basic authentication. The login (username) of the administrator that submits a request is used as the username, and an authentication token is used as the password.

An authentication token is the hash of a string that consists of the following elements:
<ApiKey>:<YYYYMMDD>:<HH>
Where:
  • ApiKey is an API key, which is unique for each administrator; it is provided and may be changed on the profile management page https://service.protectimus.com/profile
  • YYYYMMDD is the current date in the specified format
  • HH is the UTC time in the HH format (only hours in the 24-hour format, without minutes or seconds)

Example:
The administrator’s profile contains the following information: 
ApiKey – MySecureApiKey; Date - 30 January 2014; Time - 17:42 (UTC).

String for hash: MySecureApiKey:20140130:17

Hash SHA256 for this text: 62704fb3a9dcf7b5b3cf7bda6ac9d0b0aa37c6fce8d0fae6b466c91ba68894f5

3.2.2. Request Submission

The protocol for transmitting all requests to the Protectimus API is HTTPS.

Request Format:
<HTTP-method>
https://service.protectimus.com/multipass-web-api/v<API_version>/<API_section>/<API_method>.<response_format>
The parameters specified above have the following values:
  • HTTP-method is the method typical for the current request.
  • API_version is the API version that you want to use. Currently, only the first version is available; therefore, this part of the request will look like this: “v1”.
  • API_section is the section to which the method you are calling belongs. The following sections are available: auth-service, resource-service, token-service, and user-service. The API methods’ descriptions are divided into the sections to which these methods belong.
  • API_method is the method you are calling.
  • response_format is the format in which you want to receive a response: XML or JSON. By default, XML is the selected format.

If an error occurs, the processing of a request is terminated, and an error message is returned. A list of errors and descriptions of errors are given in the Error Message section of the Protectimus API Integration Instructions.

3.2.3. Protectimus EVV API Method

Use this API Method to get the time when the one-time password was generated.

Option 1. CURL
curl --request POST 'https://api.protectimus.com/api/v1/token-service/otp-time' \
  --header 'Authorization: Basic ZGFueWxvLmRlaW5la29AZ21haWwuY29tOmNTI=' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'tokenId=123' \
  --data-urlencode 'otp=825043'

Option 2. HTTP
POST /api/v1/token-service/otp-time HTTP/1.1
Host: api.protectimus.com
Authorization: Basic ZGFueWxvLmRlaW5la29AZ21haWwuY29tOmNTI=
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

tokenId=123&otp=825043
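
The token rule from section 3.2.1 applied to the otp-time request above, as an added example (not Protectimus code). It builds the request without sending it; the function names and the login admin@example.com are assumptions, and hex encoding of the hash is inferred from the page's example value.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Endpoint as given in the page's curl example.
OTP_TIME_URL = "https://api.protectimus.com/api/v1/token-service/otp-time"


def token_source(api_key, now):
    """Return '<ApiKey>:<YYYYMMDD>:<HH>' with the date and hour taken in UTC."""
    if now.tzinfo is None:
        # A naive local timestamp would silently produce the wrong hour or date.
        raise ValueError("pass a timezone-aware datetime")
    utc = now.astimezone(timezone.utc)
    return f"{api_key}:{utc:%Y%m%d}:{utc:%H}"


def auth_token(api_key, now):
    """SHA-256 of the source string, hex-encoded (assumed from the page's example)."""
    return hashlib.sha256(token_source(api_key, now).encode("utf-8")).hexdigest()


def basic_auth_header(login, api_key, now):
    """Basic authentication value: login as username, auth token as password."""
    raw = f"{login}:{auth_token(api_key, now)}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def seconds_until_token_changes(now):
    """The token depends on the UTC hour, so it changes at the next hour boundary."""
    utc = now.astimezone(timezone.utc)
    next_hour = utc.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
    return int((next_hour - utc).total_seconds())


def build_otp_time_request(login, api_key, token_id, otp, now=None):
    """Return (url, headers, body) for the otp-time call; nothing is sent."""
    now = now or datetime.now(timezone.utc)  # compute the token per request
    body = urlencode({"tokenId": token_id, "otp": otp}).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(login, api_key, now),
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }
    return OTP_TIME_URL, headers, body


if __name__ == "__main__":
    # Constructed sample values; the API key is the one from the page's example.
    when = datetime(2014, 1, 30, 17, 42, tzinfo=timezone.utc)
    print(token_source("MySecureApiKey", when))
    print(build_otp_time_request("admin@example.com", "MySecureApiKey", 123, "825043", when))
```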

If you have any questions, please, contact Protectimus customer support service.