Author: Anna Korobkyna

This Juniper VPN 2FA guide shows how to enable two-factor authentication (2FA / MFA) for Juniper Secure Access SSL VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Juniper Secure Access SSL VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Juniper VPN 2FA performs as a RADIUS server, and the Juniper Secure Access SSL VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Juniper VPN two-factor authentication below.

1. How Two-Factor Authentication (2FA) Works for Juniper VPN

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), is a must-have security measure for Juniper Secure Access SSL VPN. 2FA will protect Juniper VPN logins from such threats as phishing, brute force, data spoofing, social engineering, keyloggers, man-in-the-middle attacks, etc.

And this is how two-factor authentication for Juniper Secure Access SSL VPN works:

1. When a user initiates login to the Juniper VPN protected with two-factor authentication, first of all, they will enter the first authentication factor – their standard password and login (something they know).


2. Then they will be asked to enter a second authentication factor – a one-time passcode from the two-factor authentication token (a 2FA token is something the user has – usually, it is a smartphone or a physical OTP token looking like a keyfob).

This way, to get access to the Juniper Secure Access SSL VPN account protected with two-factor authentication, the fraudster has to get access to two authentication factors that differ in their nature. That is quite a challenging task. Moreover, a time-based one-time password remains active only for 30 seconds, which makes hacking way more complecated and almost impossible.

2. How to Enable Juniper VPN 2FA (Two-Factor Authentication)

You can set up Juniper VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Juniper Secure Access SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Juniper Secure Access SSL VPN using RADIUS are available here.

2.3. Configure Juniper VPN RADIUS Server Profile

1. Log in to the Juniper administrative interface.
2. In the left menu, navigate to Authentication –> Auth Servers.
3. Select Radius Server from the drop down menu then click New Server.
4. In the Name field, enter Protectimus RADIUS.
5. Under the Primary Server section, enter the following information:

Radius Server	IP of server where the Protectimus RADIUS Server component is installed.
Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Timeout	Set to 60 seconds.

6. Click Save Changes to save the RADIUS server profile.

2.4. Add a Custom Radius Rules to Juniper VPN

2.4.1. Create a rule for the Access Challenge packet

1. Scroll down to the Custom Radius Rules section.
2. Click on New Radius Rule.
3. In the Name field, enter Protectimus Radius Rule 1.
4. For the Response Packet Type, select Access Challenge.
5. Under the Then take action section, select Show Generic Login page.

6. Click Save Changes.

2.4.1. Create another rule for the Access Reject packet

1. Click on New Radius Rule.
2. In the Name field, enter Protectimus Radius Rule 2.
3. For the Response Packet Type, select Access Reject.
4. Under the Then take action section, select Show Generic Login page.
5. Click Save Changes.

2.5. Configure a User Realm

To configure a user realm for the Protectimus Radius server, you can do one or more of the following:

• Create a new realm for testing;
• Create a realm to gradually migrate users to the new system (for instance, by duplicating an existing realm);
• Use the default Users realm.

To add 2FA to a user realm:

1. In the left menu, navigate to Users –> User Realms and click the link for the user realm to which you want to add secondary authentication.
2. In the Authentication field, select Protectimus RADIUS and click Save Changes.

3. Add the newly created Protectimus RADIUS realm to the authentication realm.

• Click Authentication –> Signing In –> the relevant User URL.
• Move the newly created realm from the Available realms area to the Selected realms area.
• Click Save Changes.

Integration of two-factor authentication (2FA/MFA) for your Juniper Secure Access SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

This Cisco Switches 2FA guide shows how to add two-factor authentication for Cisco Switches Login with the help of Protectimus 2FA Service or On-Premise 2FA Platform.

Protectimus two-factor authentication system communicates with Cisco network equipment using the RADIUS protocol. The Protectimus RADIUS Server component acts as a RADIUS server. It accepts incoming authentication requests via the RADIUS protocol, contacts the user storage (Active Directory, etc.) to verify the login and password, and then contacts the Protectimus 2FA server to verify the one-time password. If both authentication factors are correct, the Protectimus RADIUS Server allows the user to login.

The scheme of work of the Protectimus solution for Cisco switches two-factor authentication is shown below.

1. How Cisco Switches 2FA Two-Factor Authentication (2FA) Works

When you set up two-factor authentication for Cisco Switches, you make your users enter two different factors of authentication when they get access to the Cisco Switch.

1. The first authentication factor is a login and password (something the user knows);
2. The second authentication factor is a one-time passcode generated with the help of a hardware 2FA token or a smartphone (something the user owns).

After you enable two-factor authentication (2FA) for Cisco Switches login, it becomes too hard to hack it. It’s almost impossible to get both authentication factors at the same time. Moreover, a one-time passcode validity time is only for 30 seconds, so the intruder will have too little time to hack the second factor.

Tho-factor authentication (2FA / MFA) is an effective protection measi=ure against such cybersecurity threats like phishing, social emgeneering, brute force, keylogging, MITM attacks, data spoofing, etc.

2. How to Enable Cisco Switches Login 2FA

You can set up Cisco Switches two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Cisco Switches authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Cisco Switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Cisco Switch

1. Add Protectimus as a RADIUS Server.

Switch(config) #radius server [configuration-name]

Switch(config-radius-server) #address ipv4 hostname [auth-port integer] [acct-port integer]

Switch(config-radius-server) #key [shared-secret]

2. Associate your RADIUS server with a server group.

Switch(config) #aaa group server radius [group-name]

Switch(config-sg-radius) #server name [configuration-name]

3. Configure aaa authentication login to use RADIUS group with a fallback to local authentication.

Switch(config) #aaa authentication login [default | list-name] group [group-name] local

Integration of two-factor authentication (2FA/MFA) for your Check Point VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable Check Point VPN two-factor authentication (2FA) integrating Check Point VPN with Protectimus multi-factor authentication service or on-premise MFA platform via RADIUS.

Two-factor authentication (2FA) 2FA will protect your users’ accounts and, consequently, your corporate infrastructure from unauthorized access. By activating Check Point VPN 2FA, you protect your users’ accounts from phishing, brute force, data spoofing, keyloggers, man-in-the-middle, social engineering, and a bunch of other cyber attacks.

1. How Check Point VPN Two-Factor Authentication (2FA) Works

Two-factor authentication means using two different types of authenticators to get access to the Check Point account protected with 2FA.

1. At first, the user enters a standard password and username (something the user knows);
2. Then they enter a one-time password received with the help of a 2FA token or a smartphone (something the user owns).

Thus, when Check Point VPN 2FA is enabled, it becomes too hard to hack both two-factor authentication passwords at the same time, especially considering that a one-time password is valid only for 30 seconds.

This guide shows how you can set up Check Point 2FA via the RADIUS authentication protocol using the Protectimus Cloud Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform.

2. How to Enable Check Point VPN 2FA

You can set up Check Point VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Check Point VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Check Point VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server in Check Point

1. Log into your Check Point Web UI account and navigate to the VPN tab.

2. Under Remote Access, click the Authentications Servers.

3. Under RADIUS Servers,click Configure to add a new RADIUS server configuration.

4. Configure the following settings to add a RADIUS Server.

IP address	IP of server where the Protectimus RADIUS Server component is installed.
Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Timeout (in seconds)	Set to 60 seconds.

5. Then click Apply to continue.

6. Click on the permissions for RADIUS users.

7. Select Enable RADIUS authentication for Remote Access Users and click Apply.

Integration of two-factor authentication (2FA/MFA) for your Check Point VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide describes how to set up two-factor authentication (2FA) for your SonicWall VPN solution with Protectimus as a multi-factor authentication (MFA) provider.

The Protectimus two-factor authentication system can be integrated with SonicWall SSL VPN via RADIUS authentication protocol. For this purpose, you need to install an on-premise Protectimus RADIUS Server component and configure the SonicWall Network Security Appliance to refer to the Protectimus RADIUS Server for user authentication.

See how Protectimus two-factor authentication solution works for SonicWall VPN in the scheme below.

1. How Two-Factor Authentication for SonicWall VPN Works

Protectimus adds the second authentication factor to your users’ login to the SonicWall VPN. After you set up SonicWall VPN two-factor authentication, your users will enter two different authentication factors when they log into their SonicWall VPN accounts. These authentication factors are:

1. Basic credentials – username and password (something the user knows).
2. A one-time password generated with the help of a two-factor authentication token (something that belongs to the user).

Protectimus offers different kinds of two-factor authentication tokens for SonicWall:

• Classic and programmable hardware OTP tokens that look like keyfobs and plastic cards;
• 2-factor authentication app Protectimus SMART OTP on iOS and Android
• Any other 2-factor authentication apps that support TOTP auth standard, including Google Authenticator;
• Delivery of one-time passwords using chatbots in Telegram, Messenger, or Viber;
• SMS authentication;
• Delivery of one-time passwords via email.

You may enable one authentication method for all your users or let users a chance to choose themselves if you activate the Protectimus Users’ Self-Service Portal.

Two-factor authentication protects SonicWall VPN from many threats associated with stealing users’ credentials, including phishing, social engineering, brute force, keyloggers, data spoofing, etc.

It is a challenging task for the fraudster to hack two authentication factors that differ in their nature (something the user knows and owns) and use them simultaneously within 30 seconds (the time when the one-time password remains active). That is why two-factor authentication is still one of the best security measures for SonicWall VPN.

2. How to Enable SonicWall VPN 2FA

You can set up SonicWall VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure SonicWall VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for SonicWall VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for SonicWall

Below you will find two instructions for adding Protectimus as RADIUS Server to the SonicWall Network Security Appliance:

• For SonicOS 6.2 and below versions.
• For SonicOS 6.5 and above versions.

2.3.1. SonicOS 6.2 and below

1. Log into the SonicWall administrative interface.
2. Navigate to Users –> Settings –> Authentication method for login and select RADIUS. Then click on Configure.

3. Configure the following RADIUS Settings to add a RADIUS Server.

RADIUS Server Timeout	Set to 30 seconds or higher. This is to make sure that login has enough time to receive the OTP and enter it.
Name or IP Address	IP of server where the Protectimus RADIUS Server component is installed.
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Port Number	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).

4. Go to the RADIUS Users tab. Select appropriate mechanism for setting user group membership, Apply settings, and test the configuration.

2.3.2. SonicOS 6.5 and above

1. Log into the SonicWall administrative interface.
2. Click MANAGE, navigate to Users –> Settings –> User authentication method and select RADIUS. Then click on CONFIGURE RADIUS.

3. Click Add and then configure the following RADIUS Settings to add a RADIUS Server.

Host Name or IP Address	IP of server where the Protectimus RADIUS Server component is installed.
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm Shared Secret	Confirm your shared secret.
Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).

4. While still in RADIUS Servers Settings, switch to General Settings and Set RADIUS Server Timeout to 30 seconds or higher.

5. Go to the RADIUS Users tab. Select appropriate mechanism for setting user group membership, click OK, and test the configuration.

Integration of two-factor authentication (2FA/MFA) for your SonicWall VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable two-factor authentication (2FA / MFA) for Palo Alto Networks VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Palo Alto GlobalProtect VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Palo Alto GlobalProtect VPN 2FA performs as a RADIUS server, and the Palo Alto Networks VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Palo Alto Networks VPN two-factor authentication below.

1. How Two-Factor Authentication (2FA) Works for Palo Alto Networks VPN

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), is a must-have security measure for Palo Alto GlobalProtect VPN. 2FA will protect Palo Alto GlobalProtect VPN logins from such threats as phishing, brute force, data spoofing, social engineering, keyloggers, man-in-the-middle attacks, etc.

And this is how two-factor authentication for Palo Alto GlobalProtect VPN works:

1. When a user initiates login to the Palo Alto GlobalProtect VPN protected with two-factor authentication, first of all, they will enter the first authentication factor – their standard password and login (something they know).


2. Then they will be asked to enter a second authentication factor – a one-time passcode from the two-factor authentication token (a 2FA token is something the user has – usually, it is a smartphone or a physical OTP token looking like a keyfob).

This way, to get access to the Palo Alto GlobalProtect VPN account protected with two-factor authentication, the fraudster has to get access to two authentication factors that differ in their nature. That is quite a challenging task. Moreover, a time-based one-time password remains active only for 30 seconds, which makes hacking way more complecated and almost impossible.

2. How to Enable Two-Factor Authentication (2FA) for Palo Alto Networks VPN

You can set up Palo Alto Networks VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Palo Alto Networks VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Palo Alto Global Protect VPN 2FA using RADIUS are available here.

2.3. Configure Palo Alto Networks RADIUS Server Profile

1. Log in to the Palo Alto Networks administrative interface.
2. On the Device tab, navigate to Server Profiles, then RADIUS.
3. Click the Add button to add a new RADIUS server profile. You will see the following window:

4. In the Profile Name field come up with a name for your RADIUS server, enter Protectimus RADIUS or any other name you wish.
5. Increase the Timeout to at least 30 seconds.
6. Change the Authentication Protocol to PAP.

PLEASE NOTE! PAN-OS 7.x users must set the protocol in the CLI with this command:

set authentication radius-auth-type pap

7. Click on Servers –> Add button, to add a RADIUS server. After this, enter the below information:

Server	Type any name for your RADIUS server – enter Protectimus RADIUS or any other name you wish.
RADIUS Server	IP of server where the Protectimus RADIUS Server component is installed.
Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).

8. Click OK and save the new RADIUS server profile.

2.4. Create an Authentication Profile in Palo Alto Networks

1. Go to the Device tab and navigate to Authentication Profile.
2. Click on Add to create a new authentication profile, you will see the following window:

3. Enter the following data:

Name	Type PROTECTIMUS ot choose any name you wish.
Type	Select RADIUS from the drop-down list
Server Profile	Select Protectimus RADIUS from the drop-down list (or whatever name used to create the RADIUS Server Profile in Step 2.3.)

4. Keep the rest of the options on the current screen as their defaults.
5. Then click the Advanced tab and select the all group or choose a specific group to which this authentication profile will apply.
6. Click OK and save the Authentication profile you have created.

2.5. Assign the Authentication Profile to the GlobalProtect Portal and/or Gateway.

You can configure multiple client authentication configurations for the Palo Alto GlobalProtect portal and gateways. For each client authentication configuration, you can specify the Authentication Profile to apply to endpoints of a specific OS.

This step describes how to add the Authentication Profile to the Palo Alto GlobalProtect VPN portal or gateway configuration. For additional details on setting up these components, see the PaloAlto Networks documentation on GlobalProtect Portals and GlobalProtect Gateways.

1. Go to Network –> GlobalProtect –> Gateways or Portals.
2. Click on your configured GlobalProtect Gateway to bring up the properties window.
3. In the newly-opened window, select the Authentication tab.

4. Select an SSL/TLS Service Profile or Add a new one.
5. Depending on your configuration, click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.
6. Fill in the Client Authentication form with the following information.

Name	Enter any descriptive name you wish.
OS	Any
Authentication Profile	Select the Authentication Profile you have created in Step 2.4.

7. Click OK to save the configuration.

Integration of two-factor authentication (2FA/MFA) for your Palo Alto Networks VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable Fortinet FortiGate VPN 2FA (two-factor authentication) via the RADIUS authentication protocol using Protectimus multi-factor authentication system.

Two-factor authentication is a must-have measure of cybersecurity, especially if we talk about VPN connection security. Set up 2-factor authentication for Forticlient VPN to protect your users’ accounts and sensitive corporate data from unauthorized access. 2FA for Fortinet FortiGate VPN is an effective tool against brute force, data spoofing, social engineering, phishing, keyloggers, man-in-the-middle attacks, etc.

1. How Fortinet FortiGate VPN Two-Factor Authentication (2FA) Works

Setting up two-factor authentication for the FortiGate VPN, you make your end users enter two different authentication factors to get access to their accounts.

1. The first authentication factor is a standard password and login (something the user knows);
2. The second authentication factor is a one-time code generated using an OTP token or a phone (something the user has).

Fortinet FortiGate VPN 2FA enabled makes it too hard to get unauthorized access to the user account because it is almost impossible to hack both authentication factors simultaneously. And what makes the task even more challenging is that a one-time code is valid only for 30 seconds.

Below you will find detailed instructions showing how to set up Fortinet Fortigate VPN 2FA via RADIUS using the Protectimus Cloud Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform.

2. How to Enable Fortinet FortiGate VPN 2FA

You can set up FortiGate VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure FortiGate VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Fortinet FortiGate 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Fortinet FortiGate 2FA

1. Login to your Fortinet FortiGate account and go to the Admin console.
2. Navigate to User & Device –> RADIUS Servers, then choose Create New to start adding a new RADIUS Server.

3. You will see a menu that allows you to add a new RADIUS Server.

4. Configure the following RADIUS settings to add a RADIUS Server.

Name	Come up with a name for your RADIUS server.
Authentication Method	Click on Specify and then select PAP from the dropdown menu.
Primary Server IP / Name	IP of server where the Protectimus RADIUS Server component is installed
Primary Server Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Secondary Server IP / Name	Optional
Secondary Server Secret	Optional

5. Click Test Connectivity to make sure that the RADIUS Server IP address and shared secret you indicated above work and that the connection between FortiGate VPN and RADIUS Server is established.

6. If everything looks good, click OK to save your settings.

2.4. Create a User Group

1. Navigate to User & Device –> User Groups.
2. To add a new group, click on Create New.

3. Choose Firewall in Type. Then find the Remote Groups section, click Add, and select Protectimus Radius Server as the Remote Server.

4. Save your settings – click OK.

2.5. Associate the User Group with the FortiGate VPN

PLEASE NOTE! Use an IPsec Wizard to add a new IPSec Tunnel if there is no configured one.

1. Navigate to VPN –> IPSec Tunnels and choose the IPSec Tunnel you have configured.

2. Click on Convert To Custom Tunnel if this IPSec Tunnel is not a custom tunnel yet.

3. Go to the XAuth section and click Edit
4. Click on PAP Server in the Type dropdown menu.

5. In User Group dropdown select the User Group you have created in Step 2.4.
6. Click OK to save your settings.

2.6. Synchronize the Fortinet FortiGate Timeout with Protectimus RADIUS Server

1. FortiGate VPN default timeout is 5 seconds, which is insufficient while setting up FortiGate VPN 2FA. You need to change the timeout to 30 Seconds.
2. To do this, connect to the appliance CLI.
3. And execute the commands that are shown below:

2.7. Test Protectimus 2FA setup for Fortinet VPN Login

1. Login to Forticlient and enter your Username and Password.

2. You will be asked to enter a One-Time Password if you have enabled two-factor authentication for Fortigate VPN successfully.

3. Enter your one-time code from the two-factor authentication token and you should get access to the Fortigare VPN.

PLEASE NOTE! When you confige an IPSec VPN connection in FortiClient use the Pre-Shared key of the IPSec Tunnel that was created LAST. Fortinet may have issues if multiple IPSec Tunnels are present at FortiGate Server.

Integration of Fortinet FortiGate VPN 2FA is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to set up Windows VPN 2FA (two-factor authentication) using Protectimus multi-factor authentication system. After integrating Windows VPN with the Protectimus MFA system, to connect to Windows VPN, users will need to pass two stages of authentication:

1. Enter their username and password.
2. Enter the one-time passcode, which is only valid for 30 seconds.

To generate one-time passcodes, the following types of two-factor authentication tokens will be available to your users: a 2FA application on a smartphone; delivery of one-time codes via Telegram, Viber, and Facebook Messenger; physical TOTP tokens; delivery of one-time codes by e-mail or SMS.

It is almost impossible to hack a standard password and a one-time password simultaneously. Therefore, two-factor authentication is a must-have element in protecting Windows VPN user accounts from unauthorized access and hacking using attacks such as phishing, brute force, keyloggers, social engineering, and the like.

1. Two-Factor Authentication for Windows VPN – How It Works

This guide shows you how to set up two-factor authentication for Windows VPN using Protectimus Cloud-Based Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform and RRAS component. RRAS integration with Protectimus via the RADIUS authentication protocol is required.

The scheme of work of the Protectimus two-factor authentication solution for Windows VPN is shown below.

2. How to Enable Windows VPN 2FA

You can set up Windows VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Install and configure RRAS.
4. Configure Windows VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for OpenVPN 2-factor authentication using RADIUS are available here.

Specify “inline-mode” in the configuration file. In the “auth” section, add the following settings (you may specify any separator):

inline-mode: 
  enabled: true
  separator: ‘,’

2.3. Install and Configure Routing and Remote Access Service (RRAS)

RRAS installation

1. Open Server Manager and select “Add Roles and Features Wizard” from the Manage menu.
2. In the “Server Roles” section, select “Remote Access”.
3. In the “Role Services” section, select “Direct Access and VPN (RAS)”.
4. Complete the installation.

RRAS setup

1. Start “Routing and Remote Access”.
2. Select “Deploy VPN only”.
3. Right click on the server name, then select “Configure and Enable Routing and Remote Access”.

4. Select “Custom Configuration”.
5. Next, check “VPN Access”.
6. Complete the installation and start the service.

Authentication setup

1. Go to settings by right-clicking on the server name and selecting “Properties”, then switch to the “Security” tab.
2. Select “RADIUS Authentication” from the “Authentication Provider” drop-down list.
3. Click on the “Configure” button in the same drop-down list.
4. Next, add a new server:
   • Server name: IP address of the PC component where the RADIUS server is installed.
   • Shared Secret: the shared secret that was specified in the radius.yml file when configuring RADIUS.
   • Also select “Always use message authenticator”.
   • Leave the rest of the settings as default.
5. Save the added server.

6. Next, click on the “Authentication methods” button.
7. ВIn the window that appears, leave only “Unencrypted password (PAP)” selected.

8. Save all settings.

2.4. Set up Windows VPN

1. Go to VPN settings.
2. Click “Add a VPN connection”.
   • VPN provider: Windows (built-in).
   • Server name or address: your server address.
   • Type of sign-in info: Username and password.
3. Save the VPN connection.

4. Next, go to the adapter settings: Control Panel > Network and Internet > Network Connections.
5. Right-click on the created VPN connection appapter and click Properties.
6. In the “Security” tab, select “Allow the following protocols”.
7. Leave only “Unencrypted password (PAP)”.

8. Save the settings.
9. You have completed the Windows VPN 2FA setup, now you can test the connection.

The integration of two-factor authentication into Windows VPN is complete. If you have questions, please contact Protectimus Support.

Enable OpenVPN two-factor authentication (2FA) using Protectimus multi-factor authentication system.

Multi-factor authentication (MFA) is an essential measure of cyber security. MFA protects users’ accounts, infrastructure, and confidential data from unauthorized access. OpenVPN 2FA saves the users’ accounts from hacking with brute force, keyloggers, data spoofing, phishing, MITM, social engineering attacks, etc.

1. How OpenVPN Two-Factor Authentication (2FA) Works

Two-factor authentication means using two different types of authenticators to get access to the OpenVPN account protected with 2FA.

1. At first, the user enters a standard password and username (something the user knows);
2. Then they enter a one-time password received with the help of a 2FA token or a smartphone (something the user owns).

Thus, when OpenVPN 2FA is enabled, it becomes too hard to hack both 2-factor authentication passwords at the same time, especially if you consider that a one-time password is valid only for 30 seconds.

This guide shows how you can set up OpenVPN 2FA via the RADIUS authentication protocol using the Protectimus Cloud Two-Factor Authentication Service or Protectimus On-Premise 2FA Platform.

2. How to Enable OpenVPN 2FA

You can set up OpenVPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure OpenVPN Server authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for OpenVPN 2-factor authentication using RADIUS are available here.

2.3. Configure OpenVPN Server Authentication Policies

1. Go to the OpenVPN Access Server administration panel, find the Authentication settings section and choose General.
2. To enable OpenVPN two-factor authentication (2FA), activate authentication using RADIUS and Save settings.


3. You will see the pop-up, click Update Running Server, and continue.


4. Return to the Authentication settings section and choose RADIUS.


5. In the RADIUS Authentication Method section, choose the PAP option. Then configure the following RADIUS settings:

Hostname or IP Address	Indicate the IP of the server where the Protectimus RADIUS Server is installed
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property).

6. You’ve finished setting up OpenVPN Server authentication policies, Save Settings, and then click on the Update Running Server button on the pop-up.

Integration is now complete. If you have other questions, contact Protectimus customer support service.

With Protectimus Roundcube 2FA Plugin it takes about 15 minutes to configure two-factor authentication (2FA) in Roundcube and secure access to the Roundcube webmail client with one-time passwords. You can learn more about the Protectimus solution for Roundcube 2FA here.

See below for detailed instructions on setting up Roundcube two-factor authentication (2FA) with Protectimus.

1. Get Registered and Configure Basic Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2. Download and Setup the Protectimus Roundcube 2FA Plugin

1. Download the Protectimus Roundcube 2FA Plugin here.
 
2. Place the protectimus_otp_authentication dir into the plugins/ folder of your roundcube install.
 
3. Enable the protectimus_otp_authentication plugin in config/main.inc.php:

   $config['plugins'] = array('protectimus_otp_authentication');

    
4. Open and adjust plugins/protectimus_otp_authentication/config.inc.php
   
   You have to fill in these parameters:
   • This is your login name

     This is your login name

      
   • You can find api key at service.protectimus.com Profile -> API Key

     $config['protectimus_api_key']

      
   • You don’t need to change this, if you use our cloud service

     $config['protectimus_api_url'] = 'https://api.protectimus.com/';

      
   • ID of the resource in the Protectimus service

     $config['protectimus_resource_id']

      

IMPORTANT:
If you use theme skin different from default you need to copy your skin folder to Protectimus plugin.
For example:

cp -a skins/default skins/elastic

 

The Protectimus Windows logon & RDP 2FA solution adds two-factor authentication (2FA / MFA) to protect access to computers running:

• Windows 8;
• Windows 8.1;
• Windows 10;
• Windows 11;
• Windows Server 2012;
• Windows Server 2016;
• Windows Server 2019;
• Windows Server 2022.

It protects access to the Windows PCs with 2FA both locally (Windows logon) and via RDP (Remote Desctop Protocol).

The Windows 2FA solution will work even when the computer is offline due to a backup feature. When installing the 2FA component on a Windows computer, the administrator can generate and save a backup code. Then it’s possible to use it instead of a one-time password to log into the user accounts on this computer in offline mode.

You can learn more about the Protectimus two-factor authetication (2FA) solution for Windows and RDP here.

See below for detailed instructions on setting up Windows two-factor authentication with Protectimus.

1. Get Registered and Configure Basic Settings

Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.

2. Add Resource

Resources are used to logically group users and tokens and manage them easily.

Detailed instructions on adding resources are availabe here.

3. Configure Access Policies

1. Go to the Resources page.

 

2. Click on the name of your resource.

 

3. Open the Winlogon tab.

 

4. You will see the list of access policies. Configure the solution according to your requirements.
   
   We strongly recommend you enable Automatic Registration of Users and Tokens.
   
   When this feature is activated, the first time your user logs into their account, they will need to enter their usual Windows login, password, and after that, they will have to enroll a token. To enable Automatic Registration of Users and Tokens, tick the next points:
   • Access for unregistered users;
   • User auto-registration;
   • Token auto-registration;
   • And choose the type of tokens your users can enroll (Protectimus Mail, Protectimus SMS, or Protectimus SMART OTP).

 

PLEASE NOTE! You may choose different settings for logging into your Windows account directly or via RDP.

1. Access accepted (activated by default)
   Opens access to the computer. If this parameter is deactivated, access to the computer locally and/or over RDP will be completely disabled.
2. Apply 2FA (activated by default)
   Activate this parameter to enable two-factor authentication when logging into your Windows account locally and/or over RDP. If this option is deactivated, a one-time password will not be requested.
3. Access for unregistered users
   • This parameter allows you to enable two-factor authentication only for selected users. For example, one computer is used by 3 people – John, Adam, and Michael – but you want a one-time password to be requested only when logging in to Adam’s account. To do this, create only one user (Adam) in the Protectimus service and activate the “Access for unregistered users” parameter so that the other users (John and Michael) log in without two-factor authentication.
   • If this parameter is deactivated, the auto-registration of users and tokens is impossible.
   • If this parameter is deactivated, only users registered in the Protectimus service and assigned to your resource will be able to login to their accounts.
4. Single Factor Access
   If this parameter is enabled, users without tokens assigned to the current resource can log in to their Windows accounts without one-time passwords.
5. User auto-registration
   If this parameter is enabled, the first time the users log into their accounts, they will be automatically registered in the Protectimus service and will be assigned to the current resource.
6. Token auto-registration
   If this parameter is enabled, the first time the users log into their accounts, they will need to enroll a token. The type of token that will be available to the users should be selected in the “Token Type” field.
7. Token Type
   In this field, you must select the type of token that will be available to the users during token auto-registration.
8. Access by IP addresses
   If you enable this option and add the list of allowed IP addresses below, then when logging in from trusted IP addresses, users will not be prompted for the one-time passwords.
9. Allowed IP addresses
   If you have activated access by IP addresses, add a list of trusted IP addresses when entering from which a one-time password will not be requested.

 

PLEASE NOTE!

To use hardware OTP tokens or enable OTP delivery via chatbots in messaging apps:

1. Add Users manually.
   
   ATTENTION! The user login in the Protectimus service must match the Windows username. Before creating a user, make sure that your Windows username contains only Latin characters, numbers and the following symbols: _-∽!#.$.. Spaces and any other symbols are not allowed.
   
   When you add 2-factor authentication to your local user account in Windows, your user’s login in Protectimus service must be identical to your username in Windows. For example, if your Windows username is John-Doe, then in the Protectimus service, you need to add a user with the John-Doe login.
   
   When you add users from Active Directory your users’ logins in Protectimus service must have the form login@domain, where login is the username in Active Directory, and domain is your corporate domain. For example, if the username in Active Directory is John-Doe and the corporate domain is google.com, then in the Protectimus service, you need to add a user with the John-Doe@google login.


2. Add Tokens manually.
3. Assign Tokens to Users.
4. Assign Tokens with Users to a Resource.

4. Install Protectimus Winlogon

4.1. Download the installer and follow the initial setup steps

1. Download the Protectimus Winlogon installer here.
2. Run the installer as administrator.

 

3.  You will see a welcome screen, click Next to continue.

 

4. Read the license agreement, tick I accept the license and click Next to continue.

 

4.2. Enter API URL, Login, API Key, then choose resource ID

1. Enter API URL, Login, and API Key and click LogIn.
   
   These parameters stand for:
   • API URL – an address of the API endpoint. If you use SAAS Service API URL is https://api.protectimus.com/. In the case of the on-premise Platform, API URL is a server address, where the Platform is running (for example, https://localhost:8443).
   • Login – the login of your account, the same as for signing in.
   • API Key – you’ll find it in your profile. To access a profile, click the user’s login in the top right corner of the interface, and choose the “Profile” entry from the drop-down list.

 

2. Resource ID. Choose the Resource you’ve created before the installation. After that click Next to continue.

If you haven’t added the resource yet, add it now. Click Add Resource and enter any Resource Name you wish.

 

4.3. Configure 2FA policy and save the backup code

Configure 2FA policy and save the backup code, if necessary. By default, two-factor authentication will be applied to all accounts on this computer except the Built-in Administrator and guest accounts.

• You can enable 2FA for the Built-in Administrator or for a group of users.
• You can configure additional settings like:
  • Require 2FA during login, not when unlocking (available only for the domain installation);
  • Require 2FA only for RDP logins;
  • Disable offline login.
• You can also save the backup code. Your users will need this code to log into Windows accounts if there is no internet connection. The same backup code will work for all accounts on this computer.
  
  

  ATTENTION! When the user logs in to the system with this backup code, a new code will be generated, which must be saved and used the next time the user will log into their account in offline mode. This backup code will also work for all accounts on this computer.

 

4.4. Choose domain installation options

If it is NOT a domain controller, just click Install.



If you install the Protectimus Winlogon & RDP 2FA component on the domain controller, at this stage, you will see two options:

• Create a GPO for installation in the domain: this option creates a GPO for the automatic installation of Protectimus MFA software on all Windows machines in the domain
• Perform remote installation in the domain: this option opens an installation window to install the component directly on any PC in the domain.

4.4.1. Create a GPO for installation in the domain

If you choose Create a GPO for installation in the domain, a GPO will contain a script for automatic installation when the computer starts.

In dropdown menus, you can select the computers on which the component will be installed via Group Policy Objects (GPO), similar to the logic used with groups on in the previous step. If the checkbox “Create GPO for install in domain” is not selected, the dropdown menus will be disabled.

ATTENTION!

If you decide to uninstall the Protectimus Winlogon & RDP component on the domain controller, you will be suggested to create a GPO for the automatic uninstalling of this software on all other machines in the domain.

When you create GPO to uninstall Protectimus Winlogon & RDP on all the machines in your domain, delete this GPO manually when you finish uninstalling the software.

If you don’t delete the uninstall GPO manually, it can lead to some troubles when you install the Protectimus Winlogon & RDP component again. In this case, the software may not be installed/removed automatically on Windows machines in the domain.

4.4.2. Perform remote installation in the domain

If you select the Perform remote installation in the domain option, the final step of the installation will display a screen where you can select computers for remote installation. From there, you can install the component directly on any selected machine in the domain. This option is useful for avoiding a computer restart, which is required when deploying via GPO.

4.5. Choose the domain controller installation option

If you install the Protectimus Winlogon & RDP 2FA component on the domain controller, you will have two options. Choose the one that best suits your needs:

• Install on current computer: Selecting this option deploys the component directly onto the current computer. For example, if the installation is on a domain controller and we have specified on the “Install Policy” screen that the component should not be installed on the domain controller, selecting this checkbox will install it on the current computer, i.e., the domain controller.
• Protect installation from deletion: Enabling this option safeguards the component from removal on workstations, ensuring that it can only be deleted through authorized actions on the Domain Controller, thus enhancing security. This option is enabled by default.

Additionally, you can save the current installation configuration for manual installation in the domain using the Save button.

4.6. Select computers for remote installation

If you selected the Perform remote installation in the domain option in step 4.4, a screen will appear with a list of all computers in the domain, allowing you to install the component directly on any of them.

By default, all computers except the Domain Controller (DC) are selected. The installation process for each computer takes typically 1-2 seconds. We recommend using this feature for installing the component on a few computers, rather than a large number. For installations on a large scale, it’s better to use GPO.

To check the status of a computer, hover over its name, and a tooltip with a description will appear.

Component Version column displays the version if the component is installed.

G1/G2 button selects computers according to the settings on the Install Policy screen (Step 8).

Clear All button clears all checkboxes.

And Ping target before install checkbox enables the sending of an ICMP request (ping) to the selected machine before the installation itself.

4.7. Finish the installation

After the installation is completed, click OK. The next time you start the computer, the two-factor authentication will be on.

5. How to Enable Access Over RDP

PLEASE NOTE! Until you do the following, access to the computer via RDP will be denied.

1. Go to the Resources page, click on the name of your Resource and move to the Winlogon tab.
2. Activate the parameter Access accepted for RDP. Activating this parameter allows access to the computer via RDP without two-factor authentication.

 

3. To enable two-factor authentication when requesting access via RDP, additionally, activate the Apply 2FA parameter for RDP.

6. Backup codes for offline access

For the Protectimus two-factor authentication system to work normally, the computer must be connected to the Internet.

For emergencies, when the user is unable to connect to the Internet, it is possible to log into the account using a backup code instead of a one-time password.

The first backup code is issued when installing the component. Please, note that this code is valid for all accounts registered on this computer. It can be used one time, then a new code will be generated and shown to the user. A new backup code will also be valid for all user accounts registered on this computer.

ATTENTION! When the user logs in to the system with the backup code, a new code will be generated, which must be saved and used the next time the user will log into their account in offline mode. This backup code will also work for all accounts on this computer.

6.1. How to Reissue a Backup Code

If the users lose the backup code for some reason, they can release a new backup code when they are online. This requires a special utility software, which your chief Protectimus account administrator should request at [email protected].

To use the utility software:

• Sign in to your Windows account.
• Download and run the utility software.
• Press CTRL + ALT + DEL
• Save your new backup code.

7. Logs and Errors

In case of some errors, you have several points to check what’s going on. First of all, you can check System’s logs on Windows (Event Viewer -> Windows Logs -> Application).

The Protectimus On-Premise Platform logs could be found in the PLATFORM_DIR and TOMCAT_HOME/logs directories (for example C:\Windows\Temp\Protectimus.log).

Also, visit the Events page in the Protectimus Platform and you will see related information.

8. Uninstalling

If there is no access to your Windows user account, you can disable the Protectimus Winlogon app in Safe Mode.

1. Go to the Windows Uninstall or Change a Program menu, find the program Protectimus Winlogon and click Uninstall.
2. Start uninstallation setup window will be opened for the domain installation. Use the same approach as the Perform remote installation in the domain option during the installation process to uninstall the component. This is an optional step, you can close the window to uninstall the component using GPO or only on the current machine.
   
   
3. After closing the previous window the Complete/Keep Uninstall window will be opened, where you have 2 options:
   • The first checkbox will create a GPO for the automatic uninstalling of this software on all other machines in the domain.
   • The second one will keep the component on the current computer for further uninstallation purposes.
   
   

ATTENTION!

When you create GPO to uninstall Protectimus Winlogon & RDP on all the machines in your domain, delete this GPO manually when you finish uninstalling the software.

If you don’t delete the uninstall GPO manually, it can lead to some troubles when you install the Protectimus Winlogon & RDP component again. In this case, the software may not be installed/removed automatically on Windows machines in the domain.