
Ubuntu 2FA

With Protectimus multi-factor authentication (MFA) solution, you can set up Ubuntu two-factor authentication (2FA) in a few steps and securely protect your Ubuntu users’ accounts from unauthorized access.

1. How Ubuntu Two-Factor Authentication (2FA) Works

After you enable Ubuntu two-factor authentication, your users will enter two different passwords during one login to get access to their Ubuntu accounts:


  1. The first is a standard password (the one the user keeps in memory);
  2. The second is a temporary password valid only for 30 or 60 seconds (this code is generated with the help of a 2FA token or a 2FA app on a user’s phone – a device that the user owns and has to carry with them).

This way, the Ubuntu account becomes protected with two different authentication factors. Even if a hacker steals the static password using phishing, brute force, social engineering, data spoofing, or any other way, they can’t get access to the Ubuntu account without the one-time password from the user’s 2FA token.


This guide shows how you can set up Ubuntu two-factor authentication (2FA) using the Protectimus RADIUS 2FA component for integration with the Protectimus Cloud 2FA service or the Protectimus On-Premise MFA Platform.


Ubuntu 2FA (two-factor authentication) setup scheme

2. How to Enable Ubuntu Two-Factor Authentication (2FA)

You can set up Ubuntu two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Ubuntu Settings.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server are available here.

2.3. Configure Ubuntu Authentication Settings

apt install libpam-radius-auth
vim /etc/pam_radius_server.conf
# server[:port]    shared_secret      timeout (s)
127.0.0.1          secret             1
IMPORTANT! Use the IP address of your Protectimus RADIUS Server instead of 127.0.0.1, and the shared secret configured in its radius.yml instead of secret.

SSH

vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Local authentication + OTP via Protectimus (the local Unix password is checked by common-auth, then the OTP is checked through the Protectimus RADIUS Server)

vim /etc/pam.d/sshd
# Standard Un*x authentication.
@include common-auth

auth    required    pam_radius_auth.so

Password + OTP via Protectimus (the local password check is commented out, so both factors are verified through the Protectimus RADIUS Server)

vim /etc/pam.d/sshd
# Standard Un*x authentication.
#@include common-auth

auth    required    pam_radius_auth.so

GUI

/etc/pam.d/gdm-password
auth required pam_radius_auth.so
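Before pam_radius_auth.so goes live for SSH or GDM, it pays to check that the placeholder values from the sample above (127.0.0.1 and the word secret) were really replaced and that the file holding the shared secret is not readable by other local users. The following checker is an added example written for this page; it is not code from the Protectimus guide. It assumes the server[:port] shared_secret timeout line format shown above; the 16-character minimum secret length is this example's own policy, not a Protectimus requirement.

```python
"""Added example, not code from the Protectimus guide: sanity-check a
pam_radius_server.conf before pam_radius_auth.so is enabled for SSH or GDM.
Catches the placeholder values shown in the guide (127.0.0.1 and "secret"),
non-numeric timeouts and a file that other local users can read; the secret
length threshold is this example's own policy."""
import os
import stat
from typing import List

PLACEHOLDER_HOSTS = {"127.0.0.1", "localhost", "::1"}  # guide: use your platform IP instead
PLACEHOLDER_SECRETS = {"secret", "testing123"}         # guide sample value and a common RADIUS default
MIN_SECRET_LEN = 16                                    # example's own policy, not a Protectimus requirement


def check_pam_radius_text(text: str) -> List[str]:
    """Return a list of findings for the file text; an empty list means it passes."""
    findings: List[str] = []
    servers = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            findings.append(f"line {lineno}: expected 'server[:port] shared_secret timeout'")
            continue
        servers += 1
        server, secret = fields[0], fields[1]
        # strip an optional :port; an IPv6 literal with several colons is left whole
        host = server
        if server.count(":") == 1 and server.rsplit(":", 1)[1].isdigit():
            host = server.rsplit(":", 1)[0]
        if host in PLACEHOLDER_HOSTS:
            findings.append(f"line {lineno}: server {server} is the loopback placeholder; "
                            "use the Protectimus RADIUS Server IP")
        if secret in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN:
            findings.append(f"line {lineno}: shared secret for {server} is a placeholder or "
                            f"shorter than {MIN_SECRET_LEN} characters")
        if len(fields) > 2 and not (fields[2].isdigit() and int(fields[2]) > 0):
            findings.append(f"line {lineno}: timeout '{fields[2]}' is not a positive integer")
    if servers == 0:
        findings.append("no server entries found")
    return findings


def check_pam_radius_file(path: str = "/etc/pam_radius_server.conf") -> List[str]:
    """Text checks plus a permission check: the file holds the shared secret."""
    with open(path, encoding="utf-8") as fh:
        findings = check_pam_radius_text(fh.read())
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is group/world readable (mode {oct(stat.S_IMODE(mode))}); chmod 600 it")
    return findings


if __name__ == "__main__":
    import sys
    problems = check_pam_radius_file(*sys.argv[1:2])
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it as root with the path of the file (it defaults to /etc/pam_radius_server.conf); a non-zero exit means at least one finding was printed. Because the PAM line is required rather than sufficient, a wrong server address will make every SSH login hang for the timeout and then fail, so keep a second session open while testing.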

DSPA: Integration with Active Directory for Secure Two-Factor Authentication

The Protectimus DSPA (Dynamic Strong Password Authentication) component allows integrating the Protectimus two-factor authentication solution with Microsoft Active Directory or any other user directory (AD/LDAP, DBMS). After that, the 2FA dynamic passwords will be requested on all services connected to this directory (for example on Winlogon, RDP, ADFS, and OWA at once).

Protectimus DSPA appends six-digit time-based one-time passwords to users’ static passwords. The resulting passwords look something like this: P@ssw0rd!459812, where:
  • P@ssw0rd! is the fixed part;
  • 459812 is a TOTP one-time password that changes within a set time interval.

The administrator sets the one-time password change interval, which must be a multiple of 30 seconds.

From the end-user side, authentication will look like this: to access their accounts, a user must enter their fixed password and a one-time code in one line. To generate OTPs, users should use the app Protectimus SMART.
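To make the mechanics of the composite password concrete, here is how a verifier can check a DSPA-style value such as P@ssw0rd!459812: split off the trailing six digits, compare the fixed part in constant time, and check the TOTP for the current step with one step of tolerance on either side. This is an added example written for this page, not Protectimus code; the TOTP secret (the RFC 6238 test-vector seed), the user record and the timestamps are constructed for the example, and the ±1 step window and plaintext fixed password are simplifications (a real verifier compares against a salted hash and records the last accepted step to block replay).

```python
"""Added example, not Protectimus code: checking a DSPA-style composite password
(fixed part followed by a six-digit TOTP, e.g. P@ssw0rd!459812). The trailing
digits are split off, the fixed part is compared in constant time, and the TOTP
is checked for the current step plus one step either side. The change interval
must be a multiple of 30 s, as the guide states. Secret, user record and
timestamps are constructed for the example."""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

OTP_DIGITS = 6


def totp(secret: bytes, unix_time: int, interval: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) with counter = unix_time // interval."""
    if interval <= 0 or interval % 30 != 0:
        raise ValueError("OTP change interval must be a positive multiple of 30 seconds")
    counter = unix_time // interval
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_composite(entered: str, digits: int = OTP_DIGITS) -> Optional[Tuple[str, str]]:
    """'P@ssw0rd!459812' -> ('P@ssw0rd!', '459812'); None when no ASCII digit suffix is present."""
    suffix = entered[-digits:]
    if len(entered) <= digits or not all(c in "0123456789" for c in suffix):
        return None
    return entered[:-digits], suffix


def verify_composite(entered: str, fixed_password: str, totp_secret: bytes,
                     interval: int, now: Optional[int] = None, window: int = 1) -> bool:
    """Both factors must match; they are evaluated without short-circuiting so a
    wrong fixed part and a wrong OTP take the same code path."""
    now = int(time.time()) if now is None else now
    parts = split_composite(entered)
    if parts is None:
        return False
    fixed, otp = parts
    # a real verifier compares against a salted password hash, not a stored plaintext
    fixed_ok = hmac.compare_digest(fixed.encode(), fixed_password.encode())
    otp_ok = False
    for step in range(-window, window + 1):
        candidate = totp(totp_secret, now + step * interval, interval)
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            otp_ok = True   # a production verifier also records the accepted step to block replay
    return fixed_ok and otp_ok


if __name__ == "__main__":
    DEMO_SECRET = b"12345678901234567890"   # RFC 6238 test-vector seed; constructed sample
    code = totp(DEMO_SECRET, int(time.time()), 30)
    print("composite password right now:", "P@ssw0rd!" + code)
    print("verifies:", verify_composite("P@ssw0rd!" + code, "P@ssw0rd!", DEMO_SECRET, 30))
```

The interval check mirrors the guide's rule that the change interval must be a multiple of 30 seconds; with a 60-second interval the counter simply advances half as often, which is why the tolerance window is expressed in steps rather than seconds.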

1. Install Protectimus On-Premise Platform

1.1. Windows

Download the Protectimus On-Premise Platform installer for Windows here.

The Protectimus DSPA component will be installed automatically.

1.2. Another OS

Install the Protectimus On-Premise Platform using the Docker image. You’ll find instructions here.

2. Get Registered

Open the Protectimus On-Premise Platform at http://localhost:8080 or https://localhost:8443.

Please create an account and log in to configure the necessary settings.
How to get registered in Protectimus system when you install Protectimus 2FA platform

3. Add User Provider

  1. After installing the platform and registering in the Protectimus system, log into your account, open the DSPA tab, and select Add task -> Add LDAP user provider.
Protectimus DSPA setup - step 1
Protectimus DSPA setup - step 2
  2. Fill in the details about your user directory.
Protectimus DSPA setup - step 3

Basic settings:

Field: Connection URLs
Value: URL to connect to your LDAP server
Note: Example: ldaps://dc1.domain.local:636
For DSPA, you need to use an LDAPS (LDAP over SSL) connection, and you also need to import the server’s SSL certificate into the Java trust store. A standard way:
keytool -import -alias ___ -file '___.cer' -keystore 'C:\Program Files\Java\jre___\lib\security\cacerts' -storepass changeit

Field: Base DN
Value: Full DN of the directory in which your users are stored
Note: Example: DC=domain,DC=local

Field: Password
Value: The password of the specified user

Field: User DN
Value: DN or userPrincipalName of the administrator or user who has access to user information
Note: Example:
CN=Administrator, CN=Users, DC=demo, DC=domain, DC=local
[email protected]
For DSPA, the user must have rights to change passwords.

Field: Timeout (ms)
Value: Connection timeout

  3. After filling in the details about your user directory, add synchronization attributes.

    Click on the Attributes button.
    How to enable Protectimus on-premise platform users synchronization with your user directory - Add synchronization attributes

    Then add your attributes as shown in the example.

    Additionally, the OpenLDAP configuration is available from the provided vendors. You can select it in the Vendor field.

    How to enable Protectimus on-premise platform users synchronization with your user directory - Synchronization attributes

  4. Now configure the Password Encoder setting.

    Select an algorithm that matches your configuration. Available algorithms: AD-specific (UTF-16LE), Plain, BCRYPT, SHA256, SSHA256, SHA512, SSHA512, MD4, MD5, SMD5, SHA, and SSHA.

    Configure the Password Encoder setting.

  5. After successfully adding the user provider, you need to import the users into the Protectimus system and synchronize them with your user directory.

    In the Synchronization mode field, choose how you would like to import your users.

    Importing users can be set up in three ways:
    • Import – will never update user data.
    • Import and Update – will always update user data when possible.
    • Import, Update and Delete – will always update user data when possible. Protectimus users, as well as the software tokens assigned to them, will be removed upon the user’s removal from external user storage.
How to enable Protectimus on-premise platform users synchronization with your user directory - Importing Users

  6. Now configure the Use pagination setting.

    When Use pagination is activated, it means that if the number of records exceeds 200 or 500, multiple queries will be used for retrieval. This is due to LDAP typically returning a limited number of entries by default.
How to enable Protectimus on-premise platform users synchronization with your user directory - Use Pagination

  7. Set up a filter to be applied during synchronization.

    Use this filter to select only the users you want to synchronize.

    For example, to import only those users who have the telephoneNumber and mail attributes specified, set up such a filter:

    (&(telephoneNumber=*)(mail=*))

    To import users from a specific group, choose the required group. In our example, it is the Users group.

How to enable Protectimus on-premise platform users synchronization with your user directory - Set up filters

  8. Leave the Enroll SMS token field empty.
How to enable Protectimus on-premise platform users synchronization with your user directory - Enroll SMS token

  9. In the Resource associations section, you can choose the resource to which the users will be assigned during synchronization.

How to enable Protectimus on-premise platform users synchronization with your user directory - Resource associations

  10. The next step is to enable user synchronization. This can be accomplished in three ways:

    1. Use the Synchronize now button to synchronize all users at once.
      How to enable Protectimus on-premise platform users synchronization with your user directory - Synchronize now button

      You can also select the Synchronize modified button to synchronize only the users who have been modified since the last synchronization.
      How to enable Protectimus on-premise platform users synchronization with your user directory - Synchronize modified

    2. Use the Synchronize individuals feature to synchronize only the selected users from your user directory.
    How to enable Protectimus on-premise platform users synchronization with your user directory - Synchronize individuals button

    3. Or enable automatic user synchronization by activating the Enabled option at the top of the page.
    How to enable Protectimus on-premise platform users synchronization with your user directory - Enabled button
 

4. Add Passwords

PLEASE NOTE! You can activate the Users’ Self-Service Portal so that your users could add their passwords to the system themselves. Read how to set up a Users’ Self-Service Portal below.
If you prefer to set a password for a user manually:
  1. Go to the user editing page: click Users in the menu on the left, then click the user’s Edit button on the right side.
Protectimus DSPA setup - How to add users passwords manually - step 1
  2. Enter the user password in the corresponding field and click Save.
Protectimus DSPA setup - How to add users passwords manually - step 2

5. Add Tokens

So far, the Protectimus DSPA component is only compatible with the in-app 2FA tokens Protectimus Smart OTP, available on iOS and Android; therefore, we recommend activating the Users’ Self-Service Portal so that your end users can issue tokens on their own. Read about setting up a Self-Service Portal below.
If you prefer to add tokens to users manually:
  1. Select a synced user and click Assign Token, then click New.
Protectimus DSPA setup - How to add users tokens manually - step 1
  2. Select the Protectimus SMART token and configure it. The Protectimus Smart OTP app is available for free on Google Play and the App Store.
Protectimus DSPA setup - How to add users tokens manually - step 2

6. Protectimus DSPA Activation and Deactivation

  1. To activate the Protectimus DSPA component, go to the DSPA tab and click on the name of the DSPA:

    Protectimus DSPA setup - click on the name of DSPA

    Then activate the Enabled parameter.

    Protectimus DSPA setup - activate the Enabled parameter

    Accordingly, to deactivate the Protectimus DSPA component, uncheck the Enabled parameter.

    When DSPA is disabled, all passwords will be reset automatically (i.e., the dynamic part will be removed).

  2. For the Protectimus DSPA component to work, you need:
    • A configured user provider;
    • A synchronized user;
    • A password set for the user;
    • A token assigned to the user.
    You can check whether these conditions are fulfilled in the Affected users section on the DSPA tab.
Protectimus DSPA Activation and Deactivation - Affected users
  3. You can see the results of the password updates in the Report section.
Protectimus DSPA Activation and Deactivation - Scheduled passwords update
  4. The result of each update can be viewed by clicking on the icon in the table of reports.
Protectimus DSPA Activation and Deactivation - result of updates
Protectimus DSPA Activation and Deactivation - result of updates 2

7. How to Activate the Users’ Self-Service Portal

If you want users to enroll tokens and set passwords on their own, use the Users’ Self-Service Portal.

From the Resource information page, navigate to the Self-Service tab. You can enable self-service for a resource after entering the address at which the self-service page will be located. More detailed instructions on how to set up a self-service portal can be found here.
Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 1
Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 2
Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 3
Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 4

8. Users Interaction with the Self-Service Portal

8.1. Authorization on the Users’ Self-Service Portal

You can choose the authentication method your users will use to log into their self-service accounts. All available authentication methods are detailed in this guide. Depending on the selected settings, the required authentication method will be applied.
User Interaction with the Protectimus Users' Self-Service Portal - step 1
User Interaction with the Protectimus Users' Self-Service Portal - step 2

8.2. Enrolling the token Protectimus SMART OTP

  1. The user needs to choose the tab Register New Token -> Software Tokens -> Protectimus SMART.
User Interaction with the Protectimus Users' Self-Service Portal - step 3
  2. After that, the user needs to enter the name of the token, set the length of the one-time password, select the lifetime of the one-time password and click the “Show QR code” button.

    To create a token, the user should scan the QR code using the Protectimus SMART OTP application, having previously installed it on their smartphone. The Protectimus Smart OTP app is available for free on Google Play and the App Store.

    To finish the token enrollment, the user must enter the OTP code generated by the Protectimus SMART OTP application.
User Interaction with the Protectimus Users' Self-Service Portal - step 4

8.3. Creating a password

  1. The user should navigate to the Create Password tab in Self-Service.
User Interaction with the Protectimus Users' Self-Service Portal - step 5
  2. The user should enter a password identical to their password in the user directory.
User Interaction with the Protectimus Users' Self-Service Portal - step 6

Citrix ADC & Citrix Gateway 2FA

This guide shows how you can set up Citrix 2FA using the Protectimus two-factor authentication system.

Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), as well as Citrix Virtual Apps and Desktops (XenApp & XenDesktop) can be integrated with Protectimus Two-Factor Authentication System using the RADIUS protocol.

Configuring authentication policies in Citrix allows the transmission of an authentication request over the RADIUS protocol to Protectimus RADIUS Server. Having received the request, the Protectimus RADIUS Server, in its turn, contacts the Protectimus authentication server to verify the one-time password of the user and returns the answer to Citrix using RADIUS.

Below is an example of integration of the Protectimus Citrix 2FA solution with Citrix Gateway (NetScaler Gateway).

Protectimus Citrix 2FA integration via RADIUS - scheme

To enable Citrix Gateway two-factor authentication (2FA):
  1. Install and configure Protectimus RADIUS Server.
  2. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
  3. Configure Citrix authentication policies.

1. Install and configure Protectimus RADIUS Server for Citrix 2FA

Detailed instructions for installing and configuring the Protectimus RADIUS Server are available here.

2. Get Registered and Configure Basic Settings

  1. Register with the Protectimus Cloud 2FA Service and activate API or the Protectimus On-Premise 2FA Platform.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Configure Citrix Gateway authentication policies

1. Configure the LDAP policy

For the first factor, we’ll use the user’s Active Directory domain authentication. To do so, configure the LDAP policy:
  1. Navigate to Citrix Gateway → Policies → Authentication → LDAP
  2. Choose the Servers tab and add a new server
  3. Configure the LDAP connection:
    • Specify the IP address of the Active Directory server and its port. By default, the port used is 389.
      PLEASE NOTE! To support the password-change function when first logging in and upon password expiry, use LDAPS on port 636. For this function to work correctly, you must also import an SSL certificate.
    • Specify the full path to the user directory:
      CN=Users,DC=protectimus,DC=office
    • Specify the full name of the domain administrator:
      CN=admin,CN=Users,DC=protectimus,DC=office
    • Click “BindDN Password” and input the administrator password for the domain. The rest can be left as it is.
Citrix Gateway two-factor authentication setup - step 1  
  4. Navigate to the Policies tab and add the created server.
  5. For Expression, input ns_true
Citrix 2FA setup - step 2

2. Configure the second factor over the RADIUS protocol

  1. Navigate to Citrix Gateway → Policies → Authentication → RADIUS; choose the Servers tab.
Citrix two-factor authentication setup - step 3
  2. Add the server.
  3. Specify the RADIUS server settings for connecting to the Protectimus RADIUS Server.
  4. Specify the IP address of the computer running the Protectimus RADIUS Server and the port, as set in the configuration file radius.yml.
  5. Specify the SecretKey, again as set in radius.yml.
Citrix Gateway multi-factor authentication setup - step 4
  6. Navigate to the Policies tab and choose the created server. For Expression, input ns_true
Citrix 2FA for Citrix Gateway setup - step 5

3. Configure the virtual server

Policy and authentication factor setup is now complete; next, you must specify them on the virtual server.
  1. Navigate to Citrix Gateway → Virtual Servers, and choose your server; in the Basic Authentication tab, click “+”
Citrix Gateway two-factor authentication setup - step 6
  2. Choose Policy – LDAP, Choose Type – Primary. Then click Continue.
Citrix Gateway 2-factor authentication setup - step 7
  3. Click Add Binding and select a policy using Select Policy. Select the LDAP policy.
Citrix Gateway MFA setup - step 8
  4. Do the same for RADIUS.
Citrix Gateway two-factor authentication setup - step 9
  5. Choose Policy – RADIUS, Choose Type – Secondary, and repeat the steps as for the LDAP policy.

Integration of Citrix 2FA is now complete. If you have other questions, contact Protectimus customer support service.

Cisco AnyConnect 2FA

Cisco AnyConnect 2FA can be enabled with Protectimus Two-Factor Authentication System using the RADIUS protocol.

Configuring authentication policies in Cisco AnyConnect allows the transmission of an authentication request over the RADIUS protocol to Protectimus RADIUS Server. Having received the request, the Protectimus RADIUS Server, in its turn, contacts the Protectimus authentication server to verify the one-time password of the user and returns the answer to Cisco AnyConnect using RADIUS.

Check the Cisco AnyConnect 2FA setup scheme showing how Cisco AnyConnect two-factor authentication via RADIUS will work.

Cisco AnyConnect 2FA (two-factor authentication) setup scheme

To enable Cisco AnyConnect two-factor authentication (2FA):
  1. Install and configure Protectimus RADIUS Server.
  2. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
  3. Configure Cisco AnyConnect authentication policies.

1. Install and configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server are available here.

2. Get Registered and Configure Basic Settings

  1. Register with the Protectimus Cloud 2FA Service and activate API or the Protectimus On-Premise 2FA Platform.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Configure Cisco AnyConnect 2FA authentication policies

1. Add the RADIUS server group to Cisco ASA configuration:

  • Connect to Cisco ASA using Cisco ASDM
  • Open Configuration —> Remote Access VPN —> AAA/Local Users —> AAA Server Groups
  • Click AAA Server Groups —> Add (1, 2)
  • Set the name and parameters as shown in the figure below (3)
  • Click OK (4)
Cisco AnyConnect two-factor authentication setup - step 1

2. Add the RADIUS Server to a Server Group:

  • Select a RADIUS Server Group that you’ve just created (1)
  • Click Add (2)
  • Set parameters of your RADIUS server (3)
  • Click OK (4)
Cisco AnyConnect two-factor authentication setup - step 2

3. Set up the AnyConnect VPN Connection:

  1. Open the AnyConnect VPN Wizard: click Wizards —> VPN Wizards —> AnyConnect VPN Wizard, as shown in the figure.
Cisco AnyConnect two-factor authentication setup - step 3
  2. Then click Next as shown in the figure below.
Cisco AnyConnect two-factor authentication setup - step 4
  3. Specify the Connection Profile Name and VPN Access Interface name (1). Then click Next (2).
Cisco AnyConnect two-factor authentication setup - step 5
  4. Configure the VPN Protocols and add a Certificate as shown in the figures below.
Cisco AnyConnect two-factor authentication setup - step 6
Cisco AnyConnect two-factor authentication setup - step 7
  5. You can generate and add a self-signed certificate if necessary, as shown in the figure below. After that, click OK —> OK —> Next.
Cisco AnyConnect two-factor authentication setup - step 8
  6. Add a VPN client image (*.pkg files).
Cisco AnyConnect two-factor authentication setup - step 9
  7. Set up Authentication Methods:
  • Select the RADIUS Server Group that you’ve created as the AAA Server Group (1)
  • Modify the server name or IP if necessary (2)
  • Click Next (3)
Cisco AnyConnect two-factor authentication setup - step 10
  8. Configure SAML:
  • Select the RADIUS Server Group that you’ve created as the AAA Server Group (1)
  • Leave “None” in the SAML Server field (2)
  • And click Next (3)
Cisco AnyConnect two-factor authentication setup - step 11
  9. Configure a Pool of IP addresses that will be assigned to the clients:
  • Choose New (1)
  • Specify the IP Pool parameters: Name, Starting IP Address, Ending IP Address, and Subnet Mask (2, 3)
  • And then click Next (4)
Cisco AnyConnect two-factor authentication setup - step 12
Cisco AnyConnect two-factor authentication setup - step 13
  10. Specify the DNS Server.
Cisco AnyConnect two-factor authentication setup - step 14
  11. Configure NAT Exemptions:
  • Check the box Exempt VPN traffic from network address translation (1)
  • Set up an exemption for the Inside Interface (2)
  • And click Next (3)
Cisco AnyConnect two-factor authentication setup - step 15
  12. Allow connection via HTTPS: check the box Allow Web Launch (1), and click Next.
Cisco AnyConnect two-factor authentication setup - step 16
  13. Check the settings you have specified and click Finish.
Cisco AnyConnect two-factor authentication setup - step 17

Integration of Cisco AnyConnect 2FA is now complete. If you have other questions, contact Protectimus customer support service.

RADIUS 2FA

The Protectimus RADIUS 2FA solution can be used to enable two-factor authentication for any software or equipment that supports RADIUS authentication protocol.


The Protectimus RADIUS Server connector works as a RADIUS server. It transfers authentication requests from the RADIUS device to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.


Protectimus 2FA integration via RADIUS scheme

Add two-factor authentication (2FA / MFA) to protect your VPN, Wi-Fi, and any other software or device that supports RADIUS. To do that, integrate with Protectimus Cloud MFA Service or On-Premise Platform via RADIUS authentication protocol.


The list of software and devices that can be integrated with Protectimus via RADIUS authentication protocol includes but is not limited to:



The Protectimus RADIUS 2FA software is easy to set up. But if you have any questions, our team is always ready to help you with deploying RADIUS two-factor authentication (2FA) even in the most complex infrastructure. Get in touch with our support team here.



To integrate Protectimus 2FA solution with your RADIUS supporting device or software you need to set up and configure Protectimus RADIUS Server, and then configure the authentication policies on the device or application you want to add Protectimus 2FA to:
  1. You allow the transmission of an authentication request over the RADIUS protocol to Protectimus RADIUS Server;
  2. The Protectimus RADIUS Server component receives and processes the authentication request;
  3. Then Protectimus RADIUS Server contacts the Protectimus authentication server to verify the one-time password entered by the user.

1. Install Protectimus RADIUS Server to enable RADIUS 2FA

1.1. How to Install Protectimus RADIUS Server Using a Docker Image

  1. To start installing the Protectimus RADIUS Server, first of all, download and install docker and docker-compose:

  2. Then clone the git repository: https://github.com/protectimus/platform-linux.git

  3. Go to the platform-linux/radius directory and run:
docker-compose up -d

  4. You can monitor the Protectimus RADIUS Server deployment using the command:
docker-compose logs -f

  5. After the deployment process is complete, the Protectimus RADIUS Server will be available at: https://localhost:8443

1.2. How to Install Protectimus RADIUS Server on Windows

  1. Download the installer at the Platform page.
  2. Run the installer as administrator.
  3. Check the Radius checkbox.

    ATTENTION!
    If you plan to use the Protectimus On-Premise Platform, keep the Platform checkbox checked.
    If you plan to use the Protectimus SAAS Service, uncheck the Platform checkbox.

If you plan to use the Protectimus On-Premise Platform
How to install Protectimus RProxy and Protectimus Platform

If you plan to use the Protectimus SAAS Service
How to install Protectimus RProxy if you will use the Protectimus Cloud Service

  4. Java (JDK 7 and above) must be installed on the machine; if it is not, it will be installed automatically. Click Install.
How to install Protectimus RProxy - install Java

  5. When Java is installed, click Next.
How to install Protectimus RProxy - update Java and click Next

  6. Choose the folder to install the Protectimus components and click Install.
How to install Protectimus RProxy - select folder

  7. When the installation is complete, you’ll see this message.
How to install Protectimus RProxy - the installation was successful

2. Get Registered and Configure Basic Settings

  1. Register with the Protectimus Cloud Service and activate API or the Protectimus On-Premise Platform.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Configure Protectimus RADIUS Server

The Protectimus RADIUS Server settings can be configured by specifying them in the radius.yml file, which must be located in the same directory as the executable.


Available properties that you should add to the radius.yml file include:

3.1. Authentication Process Settings

auth:
  providers:
    - LDAP
    - PROTECTIMUS_OTP
  re-enter-otp: true
  principal-normalization: true
  bypass-otp:
    ldap-filter: (memberOf=cn=bypass-otp,ou=groups,dc=test,dc=com)
    usernames:
      - john
      - luci
  inline-mode:
    enabled: false
    separator: ''
    attributes:
      NAS-Identifier:
        - home-nas
        - work-nas

PROPERTY NAME / PROPERTY STANDS FOR
providers:
Could be:
  • LDAP
  • AD
  • PROTECTIMUS_PASSWORD
  • PROTECTIMUS_OTP
  • RADIUS_PROXY
  • PROTECTIMUS_PUSH

  • LDAP: Authentication with the LDAP provider performs an LDAP bind operation to validate user credentials. It searches for the user’s DN based on a specified filter and then attempts to bind using the provided password, ensuring the credentials are valid.
  • AD: Authentication with the AD provider performs an LDAP bind operation using the userPrincipalName. The full username is in email-like format (e.g., [email protected]), where the @example.com part is retrieved from the configuration file.
  • PROTECTIMUS_PASSWORD: The first factor will be verified using the password of the user created in the Protectimus Service/Platform.
  • PROTECTIMUS_OTP: The second factor will be verified via the Protectimus Service/Platform using an OTP.
  • RADIUS_PROXY: The current installation will be used as a proxy server only for the first factor; second-factor requests will not be redirected (that’s why you should also specify the PROTECTIMUS_OTP provider in the current configuration if you need 2FA).
re-enter-otp:
When re-enter-otp is enabled, the password is not requested again after an unsuccessful OTP check; only the OTP is re-entered.
principal-normalization:
When normalization is enabled, any domain information is stripped from the username, so “username”, “DOMAIN\username” and “[email protected]” all resolve to the single “username”.
bypass-otp:
When bypass-otp is enabled, the OTP is not requested for the users listed under usernames or matched by ldap-filter.
inline-mode:
Inline mode allows you to use 2FA when the RADIUS client does not support Access-Challenge.

Inline mode can be activated for all requests with ‘enabled: true’, or only for requests whose attributes match the values listed under attributes (for example, a NAS-Identifier of home-nas or work-nas).

In inline mode the user enters both factors in one field, in the format ‘password,otp’ when the separator is ‘,’.
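The three request-shaping rules in the auth: section (principal normalization, the bypass-otp username list, and inline-mode splitting) each have an edge case worth seeing in code: a down-level name like DOMAIN\user and a UPN like user@domain must collapse to the same principal, and an inline password must be split at the last separator so that a password containing the separator character still works. The following is an added example written for this page, not Protectimus code. AUTH_CONFIG mirrors the keys of the guide's YAML with constructed values; the case-insensitive bypass match and the decision not to split the field for bypassed users are this example's own choices, and the ldap-filter form of bypass-otp (which needs a directory lookup) is not modelled.

```python
"""Added example, not Protectimus code: the request-shaping rules from the auth:
section written out so their edge cases are visible: principal normalization
(strip DOMAIN\\ and @domain), the bypass-otp username list, inline-mode activation
and splitting of 'password<separator>otp'. AUTH_CONFIG mirrors the guide's keys
with constructed values; the ldap-filter form of bypass-otp is not modelled."""
from typing import Dict, Optional, Tuple

AUTH_CONFIG = {
    "principal-normalization": True,
    "bypass-otp": {"usernames": ["john", "luci"]},
    "inline-mode": {
        "enabled": False,
        "separator": ",",
        "attributes": {"NAS-Identifier": ["home-nas", "work-nas"]},
    },
}


def normalize_principal(username: str, enabled: bool = True) -> str:
    """'DOMAIN\\alice', 'alice@example.com' and 'alice' all resolve to 'alice'."""
    if not enabled:
        return username
    name = username.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]   # down-level logon name: DOMAIN\alice
    if "@" in name:
        name = name.split("@", 1)[0]     # UPN: alice@example.com
    return name


def otp_bypassed(username: str, cfg: Dict = AUTH_CONFIG) -> bool:
    """True when the normalized user is on bypass-otp.usernames (case-insensitive
    here; that choice is this example's, not a documented Protectimus behaviour)."""
    names = cfg.get("bypass-otp", {}).get("usernames", [])
    user = normalize_principal(username, cfg.get("principal-normalization", False))
    return any(user.casefold() == n.casefold() for n in names)


def inline_mode_active(request_attrs: Dict[str, str], cfg: Dict = AUTH_CONFIG) -> bool:
    """Inline mode is on for everyone (enabled: true) or when a request attribute
    carries one of the listed values, e.g. NAS-Identifier: home-nas."""
    inline = cfg.get("inline-mode", {})
    if inline.get("enabled"):
        return True
    return any(request_attrs.get(attr) in values
               for attr, values in inline.get("attributes", {}).items())


def split_inline_password(entered: str, separator: str) -> Tuple[str, Optional[str]]:
    """Split at the LAST separator so a password that itself contains the
    separator survives; (password, None) when no OTP was appended."""
    if not separator or separator not in entered:
        return entered, None
    password, otp = entered.rsplit(separator, 1)
    return password, otp


def shape_request(username: str, entered: str, request_attrs: Dict[str, str],
                  cfg: Dict = AUTH_CONFIG) -> Dict[str, object]:
    """Decide what the providers will see for one Access-Request."""
    principal = normalize_principal(username, cfg.get("principal-normalization", False))
    needs_otp = not otp_bypassed(username, cfg)
    if needs_otp and inline_mode_active(request_attrs, cfg):
        password, otp = split_inline_password(entered, cfg["inline-mode"]["separator"])
    else:
        password, otp = entered, None   # OTP, if needed, is collected via Access-Challenge
    return {"principal": principal, "password": password, "otp": otp, "needs_otp": needs_otp}


if __name__ == "__main__":
    print(shape_request("CORP\\alice", "p,ass,123456", {"NAS-Identifier": "home-nas"}))
    print(shape_request("john@example.com", "p,ass,123456", {"NAS-Identifier": "home-nas"}))
```

Note what rsplit buys you: with a separator of ',' the entry p,ass,123456 yields the password p,ass and the OTP 123456, whereas a left split would hand the provider the password p and an OTP of ass,123456 and the login would fail for a perfectly valid credential.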
 

3.2. RADIUS Settings

radius:
  secret: secret
  clients:
    - name: vpn-client
      secret: secret
      ips:
        - 10.0.0.0/24
  auth-port: 1812
  listen-address: 0.0.0.0
  dictionaries:
    - file:<some_path>/<some_name>.dat
  attributes:
    copy-state: true
    defaults:
      Service-Type: NAS-Prompt-User
    for-users:
      john:
        Service-Type: Login-User
    ldap:
      memberOf:
        '[cn=admins,ou=groups,dc=test,dc=com]':
          Service-Type: Administrative
      uid:
        john_wick:
          Class: Pro
    conditional:
      '[ldapUser.attributes["uid"] == "john"]':
        Service-Type:
          - Login-User
      '[request.getAttributeValue("User-Name") == "john"]':
        Class:
          - RDP_HeadOffice_GP
  ip-attributes:
    - NAS-IP-Address
    - NAS-IPv6-Address

PROPERTY NAME / PROPERTY STANDS FOR
secret:
The secret to be used by your RADIUS server.
clients:
Clients with their own specific secrets (clients are resolved based on the IP address of the incoming request, matched against ips).
Each client MUST have a unique name.
auth-port:
The port on which the RADIUS server listens.
listen-address:
The IP address the server listens on.
dictionaries:
Attribute list extension for RADIUS. Find an example of the dictionary extension here.
attributes:
Attributes that will be returned in the response on successful authentication.
copy-state:
Copies each returned attribute into the response.
defaults:
Attributes for all users.
for-users:
Attributes for specific users.
ldap:
Attributes for a specific user or group of users in LDAP.
conditional:
Allows you to specify a script expression that checks the condition under which the attribute will be returned.
ip-attributes:
Attributes that return the IP address of the incoming request using the specified attribute.
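The per-client secrets in the radius: section are easiest to understand on the wire, so here is the exchange they protect: the server picks a client by source IP against the configured ips ranges (falling back to the global secret), recovers the User-Password that the client hid with that secret (RFC 2865 section 5.2), and signs its Access-Accept or Access-Reject with the Response Authenticator, an MD5 over the reply plus the secret (RFC 2865 section 3), which is what lets the client reject a reply produced under the wrong secret. This is an added example written for this page, not Protectimus code; RADIUS_CONFIG mirrors the guide's keys, and every value, packet and credential is constructed. Only the two attributes needed for PAP are modelled.

```python
"""Added example, not Protectimus code: what the per-client secrets in the
radius: section mean on the wire (RFC 2865 PAP request, User-Password hiding,
Response Authenticator). RADIUS_CONFIG mirrors the guide's keys; values,
packets and credentials are constructed for the example."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Callable, Dict, List, Optional, Tuple

RADIUS_CONFIG = {
    "secret": "global-fallback-secret-0000",
    "clients": [
        {"name": "vpn-client", "secret": "vpn-shared-secret-0123", "ips": ["10.0.0.0/24"]},
        {"name": "wifi-ctrl", "secret": "wifi-shared-secret-4567", "ips": ["192.168.10.5/32"]},
    ],
}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def resolve_client_secret(src_ip: str, cfg: Dict = RADIUS_CONFIG) -> str:
    """Secret of the first client whose ips range contains src_ip, else the global one."""
    addr = ipaddress.ip_address(src_ip)
    for client in cfg["clients"]:
        if any(addr in ipaddress.ip_network(net, strict=False) for net in client["ips"]):
            return client["secret"]
    return cfg["secret"]


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, chain_on_cipher: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    block), where 'previous' is the Request Authenticator for the first block."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if chain_on_cipher else block   # encrypt chains on ciphertext, decrypt on input
    return out


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * ((-len(password) % 16) or (16 if not password else 0))
    return _xor_blocks(padded, secret, authenticator, chain_on_cipher=True)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(encoded, secret, authenticator, chain_on_cipher=False).rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Header (Code, Identifier, Length, Authenticator) followed by type-length-value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(username: str, password: str, secret: str,
                         ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Client side: fresh random Request Authenticator, User-Password hidden with the secret."""
    auth = authenticator or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret.encode(), auth))]
    return build_packet(ACCESS_REQUEST, ident, auth, attrs)


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def response_authenticator(header: bytes, request_auth: bytes, attrs_bytes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code: int, request: bytes, secret: str) -> bytes:
    header = struct.pack(">BBH", code, request[1], 20)   # no attributes in this reply
    return header + response_authenticator(header, request[4:20], b"", secret.encode())


def verify_response(response: bytes, request: bytes, secret: str) -> bool:
    """Client side: reject a reply whose authenticator was not made with our secret."""
    expected = response_authenticator(response[:4], request[4:20], response[20:], secret.encode())
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def server_handle(packet: bytes, src_ip: str, check_credentials: Callable[[str, str], bool],
                  cfg: Dict = RADIUS_CONFIG) -> bytes:
    """Server side: pick the secret by source IP, recover the password, answer Accept/Reject."""
    secret = resolve_client_secret(src_ip, cfg)
    attrs = parse_attrs(packet)
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret.encode(), packet[4:20])
    ok = check_credentials(username, password.decode(errors="replace"))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, secret)
```

Two things fall out of running this against the constructed config: a request arriving from an address outside every configured ips range is unwrapped with the global secret, so the password turns into garbage and the user is rejected even with correct credentials; and a reply signed under any secret other than the one the client used fails verify_response, which is the property that makes a unique, non-guessable secret per client worth the bookkeeping.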
 

3.3. PROTECTIMUS API Settings (setting up the connection to the PROTECTIMUS service)

Configuration for PROTECTIMUS_PASSWORD/PROTECTIMUS_OTP auth provider.

protectimus-api:
    login: 
    api-key: 
    url: https://api.protectimus.com/
    resource-id:

PROPERTY NAME | PROPERTY STANDS FOR
login: Your login in the PROTECTIMUS system.
api-key: Your API key in the PROTECTIMUS system.
url: If you are using the PROTECTIMUS cloud service, specify the following API URL: https://api.protectimus.com/
    If you are using the Protectimus on-premise platform, the API URL will be something like: protectimus.api.url=http://127.0.0.1:8080/
resource-id: ID of the resource that you created in the PROTECTIMUS system.
 

3.4. LDAP Settings

Configuration for LDAP auth provider.

ldap:
  base: dc=test,dc=com
  urls:
    - ldap://127.0.0.1:389
  username: [email protected]
  password: secret
  principal-attribute: userPrincipalName
  custom-filter: (memberof=cn=managers,ou=groups,dc=test,dc=com)

PROPERTY NAME | PROPERTY STANDS FOR
base: The LDAP DN of the group or organizational unit containing all of the users you wish to permit to log in.
urls: The hostname or IP address of your domain controller.
principal-attribute: Used for LDAP authentication by the defined attribute.
    If you want to authenticate users with “sAMAccountName” instead of “userPrincipalName”, specify the attributes “query-attribute” and “principal-attribute” accordingly.
custom-filter: Used to restrict which users are allowed to authenticate.
 

3.5. RADIUS_PROXY Authentication Provider Configuration

Configuration for RADIUS_PROXY auth provider.

proxy:
  secret: secret
  auth-port: 1812
  remote-address: 192.168.1.1

PROPERTY NAME | PROPERTY STANDS FOR
secret: The secret to be used by your RADIUS_PROXY server.
auth-port: The port where the RADIUS server will run.
remote-address: IP address of the PROXY_RADIUS server.
 

3.6. AD Authentication Provider Configuration

Configuration for AD auth provider.

ad:
  urls:
    - ldap://127.0.0.1:389
  domain: test.com

3.7. An Example of the radius.yml file

radius:
  secret: secret
  clients:
    - name: vpn-client
      secret: secret
      ips:
        - 10.0.0.0/24
  auth-port: 1812
  listen-address: 0.0.0.0
  dictionaries:
    - file:/.dat
  attributes:
    copy-state: true
    defaults:
      Service-Type: NAS-Prompt-User
    for-users:
      john:
        Service-Type: Login-User
    ldap:
      memberOf:
        '[cn=admins,ou=groups,dc=test,dc=com]':
          Service-Type: Administrative
      uid:
        john_wick:
          Class: Pro
    conditional:
      '[ldapUser.attributes["uid"] == "john"]':
        Service-Type:
          - Login-User
      '[request.getAttributeValue("User-Name") == "john"]':
        Class:
          - RDP_HeadOffice_GP
  ip-attributes:
    - NAS-IP-Address
    - NAS-IPv6-Address

auth:
  providers:
    - LDAP
    - AD
    - PROTECTIMUS_PASSWORD
    - PROTECTIMUS_OTP
    - RADIUS_PROXY
  bypass-otp:
    ldap-filter: (memberOf=cn=bypass-otp,ou=groups,dc=test,dc=com)
    usernames:
      - john
      - luci
    ips:
      - 10.0.0.0/24
      - 1::/64
  re-enter-otp: true
  principal-normalization: true
  inline-mode:
    enabled: false
    separator: ''

ldap:
  base: dc=test,dc=com
  urls:
    - ldap://127.0.0.1:389
  username:
  password:
  principal-attribute: userPrincipalName
  custom-filter: (memberof=cn=managers,ou=groups,dc=test,dc=com)

ad:
  urls:
    - ldap://127.0.0.1:389
  domain: test.com

protectimus-api:
  login: [email protected]
  api-key: secret
  url: https://api.protectimus.com/
  resource-id: 1

proxy:
  secret: secret
  auth-port: 1812
  remote-address: 192.168.1.1

3.8. Dictionary example

VENDOR      12356   fortinet 

VENDORATTR  12356   Fortinet-Group-Name         1   string 
VENDORATTR  12356   Fortinet-Access-Profile     6   string
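What those dictionary lines mean on the wire, as an added example (not Protectimus code): a parser for the VENDOR / VENDORATTR format above, plus an encoder and decoder for the RADIUS Vendor-Specific Attribute (type 26) that such an entry produces, laid out as in RFC 2865. Treating ‘#’ as a comment marker in the dictionary is an assumption.

```python
# Added example, not Protectimus code: parse the VENDOR / VENDORATTR dictionary
# lines above and show how such an attribute travels as a RADIUS Vendor-Specific
# Attribute (type 26), laid out per RFC 2865 section 5.26:
#   Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value
# Treating '#' as a comment marker is an assumption about the dictionary format.
import struct
from typing import Dict, Tuple

VendorAttrs = Dict[str, Tuple[int, int, str]]  # name -> (vendor_id, vendor_type, data_type)

# Constructed input: the dictionary extension shown on this page.
DICTIONARY_TEXT = """
VENDOR      12356   fortinet

VENDORATTR  12356   Fortinet-Group-Name         1   string
VENDORATTR  12356   Fortinet-Access-Profile     6   string
"""


def parse_dictionary(text: str) -> Tuple[Dict[int, str], VendorAttrs]:
    """Return (vendor_id -> vendor name, attribute name -> (vendor_id, type, data type))."""
    vendors: Dict[int, str] = {}
    attrs: VendorAttrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "VENDOR" and len(fields) == 3:
            vendors[int(fields[1])] = fields[2]
        elif fields[0] == "VENDORATTR" and len(fields) == 5:
            vendor_id = int(fields[1])
            if vendor_id not in vendors:
                raise ValueError(f"line {lineno}: VENDORATTR for undeclared vendor {vendor_id}")
            attrs[fields[2]] = (vendor_id, int(fields[3]), fields[4])
        else:
            raise ValueError(f"line {lineno}: unrecognised dictionary line {raw!r}")
    return vendors, attrs


def encode_vsa(attrs: VendorAttrs, name: str, value: str) -> bytes:
    """Encode one string-typed vendor attribute as a complete VSA."""
    vendor_id, vendor_type, data_type = attrs[name]
    if data_type != "string":
        raise ValueError("only 'string' attributes are handled in this example")
    data = value.encode("utf-8")
    if len(data) > 247:  # Length is one octet (max 255) and the VSA header uses 8 of them
        raise ValueError("value too long for a single VSA")
    vendor_part = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", 26, len(vendor_part) + 6, vendor_id) + vendor_part


def decode_vsa(attrs: VendorAttrs, packet: bytes) -> Tuple[str, str]:
    """Decode one VSA back into (attribute name, value), validating both length fields."""
    if len(packet) < 8 or packet[0] != 26 or packet[1] != len(packet):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", packet[2:6])[0]
    vendor_type, vendor_len = packet[6], packet[7]
    if vendor_len != len(packet) - 6:
        raise ValueError("vendor length does not match attribute length")
    value = packet[8:].decode("utf-8")
    for name, (vid, vtype, _) in attrs.items():
        if (vid, vtype) == (vendor_id, vendor_type):
            return name, value
    raise KeyError(f"no dictionary entry for vendor {vendor_id} type {vendor_type}")
```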

Now you need to configure your device or application to communicate with Protectimus RADIUS Server service over RADIUS protocol.

Office 365 (SSO) 2FA

The Protectimus two-factor authentication (2FA) system supports SP (Service Provider) initiated Single Sign-On (SSO).

This means that your end users can sign in to their accounts directly from the protected resource’s login page. When an end user tries to sign in to a protected resource, an authorization request is sent to the Identity Provider (Protectimus). Once Protectimus has authenticated the user’s identity, the user is logged into their account in the protected resource.

A scheme of interaction of Protectimus On-Premise Two-Factor Authentication Platform with Microsoft Office 365 through Keycloak is presented below.
Office 365 2FA integration scheme

1. Get Registered and Configure Basic Settings

  1. Install the Protectimus On-Premise Platform and get registered with Protectimus.
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2. Synchronize your On-Premise AD with Azure AD

2.1. Open office.com

Admin -> Show all -> Azure Active Directory -> Custom domain names -> “Add custom domain”

In DNS, you need to create a TXT record to confirm adding a domain to Azure AD.

2.2. Download and run the Azure AD Connect

https://www.microsoft.com/en-us/download/details.aspx?id=47594

Continue -> Customize -> Install (No checked options) -> Password Hash Synchronization -> Next -> Connect to Azure AD:

username@[something].onmicrosoft.com pass:

Next -> Add Directory -> domain


You can create a separate Organizational Unit (OU) for users whose accounts must be protected with two-factor authentication and set up synchronization only for this OU. Every user in this OU must have an email address; it will be used as the UPN (User Principal Name).
  • Create new AD account
  • Enterprise ADMIN username: domain\Administrator
  • PASSWORD: Windows AD Administrator password
(Check the image below) ↓
Office 365 two-factor authentication setup with Protectimus - step 1

Next -> Next -> Sync Selected Domain
Office 365 two-factor authentication setup with Protectimus - step 2

Next -> Next -> Next -> Exit.

3. Configure Keycloak

3.1. Create Realm

Add Realm, for example, name it Office365

3.2. Create User Federation

Add Mapper:
  • Name: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
  • Mapper Type: user-attribute-ldap-mapper
  • User Model Attribute: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
  • LDAP Attribute: objectGUID
  • Read Only: ON
  • Always Read Value from LDAP: ON
  • Is Mandatory in LDAP: OFF
  • Is Binary Attribute: OFF
Office 365 two-factor authentication setup with Protectimus - step 3

3.3. Create a client 

  1. To do this, import this file when creating a client:
    https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

    ATTENTION! It is important to name the file: “urn:federation:MicrosoftOnline”
  2. Edit the client properties:
    • Client Signature Required – Disable
    • Signature Algorithm – “RSA_SHA1”
  3. Create a Mapper for the client “Add builtin” -> X500 email
    • Mapper: Name: IDPEmail
    • Mapper Type: User Property
    • Property: email
    • SAML Attribute Name: IDPEmail
    An email of a user in Active Directory will be used as a username.
Office 365 two-factor authentication setup with Protectimus - step 4

4. Connect Office 365 with Keycloak

4.1. Get SAML certificate

First of all, you need to get a SAML certificate and check it using this URL:

https://kc.dev.protectimus.com/auth/realms/[realm name]/protocol/saml/descriptor

Or check the certificate using the corresponding feature in the interface – SAML keys.

4.2. Install the required software 

  • Install-Module -Name AzureAD
  • Install-Module MSOnline
If you are asked about NuGet and PSGallery, install them too.

4.3. Connecting Office 365 with Keycloak

Execute the following script:
# get the public key certificate from keycloak
# https://kc.dev.protectimus.com/auth/realms/2608/protocol/saml/descriptor
# see X509Certificate
$cert="<paste the X509Certificate value from the descriptor here>"

$uri="https://kc.dev.protectimus.com/auth/realms/Office365/protocol/saml"
$issuer_uri="https://kc.dev.protectimus.com/auth/realms/Office365"
$dom="yourdomain.com"

$cred = Get-Credential
Connect-MsolService -Credential $cred

Set-MsolDomainAuthentication -DomainName $dom  -Authentication Federated -ActiveLogOnUri $uri -SigningCertificate $cert -PassiveLogOnUri $uri -IssuerUri $issuer_uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP

You can check if the operation has been performed successfully:
Get-MsolDomainFederationSettings -DomainName domain.name

4.4. Disconnecting Office 365 and Keycloak

Execute the following script:
$dom="yourdomain.com"
Set-MsolDomainAuthentication -DomainName $dom -Authentication managed

Everything is ready, open office365.com and try to log in with an account from AD.

ADFS 4.0 2FA

ATTENTION! When you integrate the Protectimus 2FA system with ADFS, users in the Protectimus service or platform must have logins of the form [email protected]

1. Get Registered and Configure Basic Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.
  2. Add Resource.
  3. Add Users. NOTE! Users in Protectimus system must have logins of the form [email protected].
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2. Install the Protectimus ADFS Component

  1. Download the Protectimus ADFS installer here.
  2. Run the installer as administrator.
Protectimus OWA two-factor authentication component installation - run the installer as administrator
  3. You will see a welcome screen, click Next to continue.
How to set up ADFS two-factor authentication with Protectimus - step 1
  4. On this page, select Protectimus MFA ADFS and click Next.
How to set up ADFS two-factor authentication with Protectimus - step 2
  5. On this screen, you will need to enter the API URL, Login, API Key, and Resource ID. These parameters stand for:
  • API URL – the address of the API endpoint. If you use the SAAS Service, the API URL is https://api.protectimus.com. In the case of the on-premise Platform, the API URL is the address of the server where the Platform is running.
  • API Login – the login of your account, the same as for signing in.
  • API Key – you’ll find it in your profile. To access the profile, click the user’s login in the top right corner of the interface and choose the “Profile” entry from the drop-down list.
  • Resource ID – after creating the resource, you’ll be taken to a page with the list of available resources, where you can see the resource you’ve just created. The ID of the resource is displayed in the table.
How to set up ADFS two-factor authentication with Protectimus - step 3
  6. Everything is ready for installation, click Install. During the installation, the ADFS service will be restarted.
How to set up ADFS two-factor authentication with Protectimus - step 4
  7. When the installation is completed, click Finish.
How to set up ADFS two-factor authentication with Protectimus - step 5

3. Configure ADFS Multi-Factor Authentication

  1. Run the ADFS configuration console: Server Manager -> Tools -> AD FS Management
ADFS multi-factor authentication settings configuration - Step 1
  2. Navigate to the Multi-Factor Authentication settings: Service -> Authentication methods -> Multi-Factor Authentication methods -> Edit
ADFS 4.0 two-factor authentication setup - step 1
  3. Choose Protectimus MFA.
ADFS 4.0 two-factor authentication setup - step 2
  4. Navigate to Access Control Policies.
ADFS 4.0 two-factor authentication setup - step 3
  5. Add an Access Control Policy.
ADFS 4.0 two-factor authentication setup - step 4
  6. Tick the “require MFA” checkbox and set up the specific networks, user groups, etc.
ADFS 4.0 two-factor authentication setup - step 5
  7. Navigate to Relying Party Trusts and choose the Relying Party Trust where you want to add Protectimus MFA.
ADFS 4.0 two-factor authentication setup - step 6
  8. Choose the Access Control Policy that was added in step 5.
ADFS 4.0 two-factor authentication setup - step 7
  9. Setting up Protectimus MFA for ADFS is complete. You can read more about Access Control Policies here.

4. Check the correctness of the installation and settings

  1. For verification, go to: https://adfs.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx
ADFS 4.0 two-factor authentication setup - step 8
  2. At the second stage of authentication, enter your one-time password.
ADFS 4.0 two-factor authentication setup - step 9
  3. If the ADFS user is not in the “Administrators” group, you may get the following error message:
ADFS 4.0 two-factor authentication setup - step 10
    To fix this error, execute the following command in PowerShell with administrative privileges:
    eventcreate /ID 1 /L APPLICATION /T INFORMATION /SO "Protectimus MFA ADFS" /D "Init"

ADFS 3.0 2FA

ATTENTION! When you integrate the Protectimus 2FA system with ADFS, users in the Protectimus service or platform must have logins of the form [email protected]

1. Get Registered and Configure Basic Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform.
  2. Add Resource.
  3. Add Users. NOTE! Users in Protectimus system must have logins of the form [email protected].
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2. Install the Protectimus ADFS Component

  1. Download the Protectimus ADFS installer here.
  2. Run the installer as administrator.
Protectimus OWA two-factor authentication component installation - run the installer as administrator
  3. You will see a welcome screen, click Next to continue.
How to set up ADFS two-factor authentication with Protectimus - step 1
  4. On this page, select Protectimus MFA ADFS and click Next.
How to set up ADFS two-factor authentication with Protectimus - step 2
  5. On this screen, you will need to enter the API URL, Login, API Key, and Resource ID. These parameters stand for:
  • API URL – the address of the API endpoint. If you use the SAAS Service, the API URL is https://api.protectimus.com. In the case of the on-premise Platform, the API URL is the address of the server where the Platform is running.
  • API Login – the login of your account, the same as for signing in.
  • API Key – you’ll find it in your profile. To access the profile, click the user’s login in the top right corner of the interface and choose the “Profile” entry from the drop-down list.
  • Resource ID – after creating the resource, you’ll be taken to a page with the list of available resources, where you can see the resource you’ve just created. The ID of the resource is displayed in the table.
How to set up ADFS two-factor authentication with Protectimus - step 3
  6. Everything is ready for installation, click Install. During the installation, the ADFS service will be restarted.
How to set up ADFS two-factor authentication with Protectimus - step 4
  7. When the installation is completed, click Finish.
How to set up ADFS two-factor authentication with Protectimus - step 5

3. Configure ADFS Multi-Factor Authentication

  1. Run the ADFS configuration console: Server Manager -> Tools -> AD FS Management
ADFS multi-factor authentication settings configuration - Step 1
  2. Navigate to the Multi-Factor Authentication settings: Authentication Policies -> Multi-Factor Authentication -> Global settings -> Edit
ADFS multi-factor authentication settings configuration - Step 2
  3. Then:
  • Add the users or groups of users (by clicking Add) to which multi-factor authentication will be applied;
  • Check the boxes where you want to enable multi-factor authentication;
  • Choose Protectimus MFA;
  • Click Apply to complete setting up Protectimus MFA for ADFS.
ADFS multi-factor authentication settings configuration - Step 3

4. Check the correctness of the installation and settings

  1. For verification, go to: https://adfs.yourdomain.com/adfs/ls/idpinitiatedsignon.aspx
Checking the correctness of the Protectimus ADFS installation - Step 1
  2. At the second stage of authentication, enter your one-time password.
Checking the correctness of the Protectimus ADFS installation - Step 2

Intelligent Identification

This feature may also be called smart identification or user environment analysis. The Intelligent Identification function analyzes the user’s environment (browser name and version, operating system and language, window size and screen resolution, color depth, presence or absence of Java, plugins, etc.). If the configured mismatch threshold is exceeded, the user is blocked and does not get access to their account even with a valid one-time password.

How to Activate Intelligent Identification

  1. Log in to your account in Protectimus SAAS Service or On-Premise Platform and go to the Resources page.
Protectimus two-factor authentication system setup - Open the Resources page
  2. Find the desired Resource in the list and click on its Name.
How to activate Protectimus Intelligent Identification - step 1
  3. Go to the Intelligent Identification tab, set the desired “weight” of each parameter (minimal, normal, or trusted), and click Save.
How to activate Protectimus Intelligent Identification - step 2

Administrators

PLEASE NOTE:
  1. Administrators can do all the work on the Resources you specify, but only the chief system administrator can manage Administrators: create them, assign rights, and/or delete them.
  2. An Administrator can manage Users, Tokens, and Filters, but cannot delete them if they were not created by that Administrator.
  3. An Administrator also cannot change the Service Plan, deposit funds in the account, or view payment statistics.
  4. The number of Administrators that you may add depends on the Service Plan you select.

How to Add an Administrator

  1. Log in to your account in Protectimus SAAS Service or On-Premise Platform and go to Administrators.
How to add an Administrator in Protectimus two-factor authentication system - step 1
  2. Click the Add Administrator button.
How to add an Administrator in Protectimus two-factor authentication system - Add administrator button
  3. Enter the Administrator’s email, create a confirmation code, select the Resources that the Administrator will have access to, and click Continue.
How to add an Administrator in Protectimus two-factor authentication system - step 3
  4. Then share the confirmation code with your Administrator in any convenient manner so that they can register in the system.
How to add an Administrator in Protectimus two-factor authentication system - step 4