
How to Enable Protectimus Bots

Protectimus Bots are used for delivering one-time passwords (OTPs) and important notifications from the Protectimus Two-Factor Authentication System to end users. These chatbots, named Protectimus Bot, are available on Facebook Messenger, Telegram, and Viber. The list of supported messaging applications is constantly growing and can be expanded upon request from our clients. OTP delivery through messaging apps addresses several key issues: it is much more secure than SMS authentication, completely free, and easy to use.

1. Login to Your Protectimus Account and Add Resource

  1. Log in to your account in the Protectimus SAAS Service or On-Premise Platform and go to the Resources page.
  2. Click the Add Resource button.
  3. This will take you to the Resource adding page, where you only need to specify a Resource Name and click Save; the remaining parameters are optional:
  • Webhook URL. Whenever there is an update for the Resource, we will send a POST request containing a JSON update to the specified webhook URL. If a request fails, we will retry and give up only after a reasonable number of attempts. Currently, the webhook is used to receive the result of INTERACTIVE authentications. INTERACTIVE authentications are supported by the Protectimus Bot token.
  • SSL certificate. The public key certificate binds the public key to the indicated webhook. The certificate supplied should be PEM encoded (ASCII Base64); the .pem file must contain only the public key certificate, beginning with “-----BEGIN CERTIFICATE-----” and ending with “-----END CERTIFICATE-----”.
  • Allowed IP Addresses. Allows you to restrict access to the system only from trusted IP addresses.
  • IP Verification is Enabled. Enables the restriction of access to the system only from trusted IP addresses.
  • Number of Unsuccessful Login Attempts before Locking. The value of this parameter should be specified between 3 and 10. If a User or Token is not authenticated successfully, the number of failed authentication attempts will be increased for this User. When the threshold number of failed attempts for the specified Resource is exceeded, this User will be locked. A User can be unlocked through the web interface or the API (the edit user method). If a User is authenticated successfully, the number of failed authentication attempts will be set at zero, if the threshold number of failed attempts for the specified resource is not exceeded, and if this User has not yet been locked.
  • Enabled. Allows you to enable or disable the Resource.
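
The lockout parameter above is easy to misread, so here is an added Python model of the rule as the page states it (this is illustrative code, not Protectimus code). The login name and threshold are constructed, and two points are assumptions: that a locked user is denied even with a valid OTP, and that "exceeded" is read literally, so with a threshold of 3 the fourth failure locks.

```python
from dataclasses import dataclass

# Allowed range for "Number of Unsuccessful Login Attempts before Locking" (from the page).
MIN_THRESHOLD, MAX_THRESHOLD = 3, 10


@dataclass
class UserLockState:
    """Per-user failed-attempt counter for one Resource (constructed model)."""
    failed_attempts: int = 0
    locked: bool = False


class ResourceLockPolicy:
    """Models the lockout rules of the Resource setting:

    - each failed authentication increments the user's counter;
    - the user is locked once the counter exceeds the threshold;
    - a successful authentication resets the counter to zero only if the
      threshold has not been exceeded and the user is not locked;
    - an administrator unlocks the user (web interface or the edit user API method).
    """

    def __init__(self, threshold: int) -> None:
        if not MIN_THRESHOLD <= threshold <= MAX_THRESHOLD:
            raise ValueError(f"threshold must be between {MIN_THRESHOLD} and {MAX_THRESHOLD}")
        self.threshold = threshold
        self._users: dict[str, UserLockState] = {}

    def state(self, login: str) -> UserLockState:
        return self._users.setdefault(login, UserLockState())

    def authenticate(self, login: str, otp_valid: bool) -> bool:
        """Apply one authentication result and return whether access is granted."""
        st = self.state(login)
        if st.locked:
            # Assumption: a locked user is denied regardless of the OTP.
            return False
        if not otp_valid:
            st.failed_attempts += 1
            if st.failed_attempts > self.threshold:  # "exceeded", read literally
                st.locked = True
            return False
        if st.failed_attempts <= self.threshold:
            st.failed_attempts = 0
        return True

    def unlock(self, login: str) -> None:
        """Administrative unlock; also clears the counter so the user starts fresh."""
        st = self.state(login)
        st.locked = False
        st.failed_attempts = 0


def simulate(threshold: int, login: str, outcomes: list) -> list:
    """Replay a list of OTP validity outcomes; returns the per-attempt grant/deny decisions."""
    policy = ResourceLockPolicy(threshold)
    return [policy.authenticate(login, ok) for ok in outcomes]


if __name__ == "__main__":
    # Constructed scenario: three failures do not lock at threshold 3, a fourth does.
    print(simulate(3, "alice", [False, False, False, True]))         # [False, False, False, True]
    print(simulate(3, "alice", [False, False, False, False, True]))  # all False
```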

2. Activate Users’ Self-Service Portal

You can find the full detailed guide on enabling Protectimus Self-Service Portal and testing it here:
https://www.protectimus.com/guides/users-self-service-portal/.
  1. Go to the Resources tab, click on the resource name, and navigate to the Self-Service tab.
  2. If you haven’t enabled the Self-Service Portal for your users yet, click on Enable User’s Self-Service for your resource.
  3. Specify the address at which your users will access the Self-Service Portal.

    Enter just the final portion of the address, the portal alias, in the field. The full address of the portal will be the authentication server address plus the alias you specified. For example, if you’re using the Protectimus SaaS service and you specify “portal” as the alias, the link you give to your users will look like this: https://service.protectimus.com/selfservice/portal

    If you are running your own instance of the authentication platform on your own premises, the “service.protectimus.com” portion of the address will be replaced with the address of your platform instance. For example: https://localhost:8080/selfservice/portal.
  4. Set up the list of actions available to your users in the self-service portal.

    You’ll see the list of actions available to your users, as shown in the image below. By default, all actions are disabled.

    Enable the action Register New Token. Then specify the token types your users may enroll; if your users will use only Protectimus Bots, leave only Protectimus Bot selected.

3. Add Users and Specify Their Passwords or Emails

  1. Go to the Users page.
  2. Click the Add User button.
  3. Set the user Login. The User Login must contain only Latin letters, numbers, and the symbols _-@∽!#%+.$. Spaces and any other symbols are not allowed.

    Also set a password or an email address. A verification code will be sent to the registered email address to allow your users to log into the Self-Service Portal. If a User has both a password and a registered email address, that User will use the password to log in. After a Token is issued for a User and assigned to a Resource, the User will also be asked for a one-time password from the Token when logging in to the Users’ Self-Service Portal.

PLEASE NOTE! You can import users. Detailed instructions on importing users are available here – https://www.protectimus.com/guides/users/#2-how-to-import-users. Make sure that your Users have specified passwords or email addresses.

4. Assign Users to the Resource

  1. Go to the Resources page.
  2. Find the Resource you need, click Assign, then Users, and assign all necessary Users to this Resource. Users must be assigned to an appropriate Resource in order to have access to the Self-Service Portal.

5. Provide Your Users With Instructions on How to Access the Protectimus Self-Service Portal

  1. Give your users the URL to access the Self-Service Portal.
  2. Inform your users which usernames and passwords / emails they should use to access the Users’ Self-Service Portal.

6. Provide Your Users With Instructions on How to Add the Protectimus Bot

  1. Log into the Protectimus Self-Service Portal using your username and password or email (contact your administrator if you have any questions).
  2. Choose Register New Token.
  3. Then choose Bot Token.
  4. Enter the token name (any name you want).
  5. Open the messaging app you prefer: Facebook Messenger, Telegram, or Viber.
  6. Find the ProtectimusBot chatbot using the built-in search (the built-in search works only in Telegram) or use a direct link:

    Please note: To find the ProtectimusBot chatbot on Facebook Messenger and Viber, users will need to use a direct link, as the built-in search feature doesn’t work for these messaging apps.
    • For Facebook Messenger: http://m.me/ProtectimusBot
    • For Telegram: https://t.me/protectimusbot
    • For Viber: viber://pa?chatURI=Protectimus
  7. Send the command /getid to the ProtectimusBot to receive a unique chat ID.
  8. Enter the received chat ID into the field User’s Chat ID.
  9. Indicate which messaging app you’ve chosen in the field Messenger.
  10. Don’t change anything in the field One-time Password Length.
  11. Click Save.
  12. After that, you will receive a one-time password in the messaging app you’ve chosen. Enter it into the field One-time Password and click Save.
  13. If everything was done correctly, you will see the message: The token has been successfully created.

NComputing vSpace 2FA

Here’s a simple guide to beefing up your NComputing vSpace with Protectimus multi-factor authentication (MFA or 2FA) using the RADIUS protocol.

To set up Protectimus two-factor authentication in NComputing vSpace through RADIUS, you’ll need either Protectimus Cloud 2FA Service or the On-Premise 2FA Platform. The connection is made via a connector called Protectimus RADIUS Server. NComputing vSpace acts as the RADIUS client.

Here’s how it works: The Protectimus RADIUS Server connector passes authentication requests from NComputing vSpace to the Protectimus multi-factor authentication (MFA) server. Depending on the response, access is either granted or denied.

Below, we’ll walk you through an example of integrating Protectimus 2FA with NComputing vSpace.


1. How to Enable Multi-Factor Authentication for NComputing vSpace

You can set up multi-factor authentication (2FA) for NComputing vSpace with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for NComputing vSpace.

2. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for NComputing vSpace two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for NComputing vSpace

  1. Access your NComputing vSpace dashboard and navigate to the RADIUS Server Settings section.

  2. Input the details as specified below:
    • Label: Come up with a name for your RADIUS server.
    • Hostname/Address: IP of the server where the Protectimus RADIUS Server component is installed.
    • Authentication Port: 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    • Authentication Type: PAP authentication is required.
    • Shared Secret Code: The shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    • Server Timeout (in seconds): Set to 90 seconds.
    • Max Attempts: How many times the authentication request should be sent. Set to 1.

  3. Click Save and test the integration.

Integration of two-factor authentication (2FA/MFA) for your NComputing vSpace is now complete. If you have other questions, contact Protectimus customer support service.

Nerdio 2FA

This guide details the steps to set up Protectimus multi-factor authentication (MFA or 2FA) for Nerdio using the RADIUS protocol.

When integrating Protectimus two-factor authentication with Nerdio via RADIUS, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform acts as a RADIUS server through a dedicated connector named Protectimus RADIUS Server. Conversely, Nerdio functions as a RADIUS client.

Here’s how it works: the Protectimus RADIUS Server connector forwards authentication requests from Nerdio to the Protectimus multi-factor authentication (MFA) server. Access is granted or denied based on the response received.

Below, we provide an example of how to integrate Protectimus 2FA with Nerdio.


1. How to Enable Multi-Factor Authentication for Nerdio

You can set up multi-factor authentication (2FA) for Nerdio with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for Nerdio.

2. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Nerdio two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for Nerdio

  1. Access your Nerdio dashboard and navigate to the RADIUS Server Settings section.

  2. Input the details as specified below:
    • Label: Come up with a name for your RADIUS server.
    • Hostname/Address: IP of the server where the Protectimus RADIUS Server component is installed.
    • Authentication Port: 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    • Authentication Type: PAP authentication is required.
    • Shared Secret Code: The shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    • Server Timeout (in seconds): Set to 90 seconds.
    • Max Attempts: How many times the authentication request should be sent. Set to 1.

  3. Click Save and test the integration.

Integration of two-factor authentication (2FA/MFA) for your Nerdio is now complete. If you have other questions, contact Protectimus customer support service.

NetApp Virtual Desktop Service 2FA

This guide outlines the process of setting up Protectimus multi-factor authentication (MFA or 2FA) for NetApp Virtual Desktop Service (VDS) using the RADIUS protocol.

When integrating Protectimus two-factor authentication with NetApp Virtual Desktop Service via RADIUS, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform serves as a RADIUS server through a dedicated connector known as Protectimus RADIUS Server. On the other hand, NetApp VDS operates as a RADIUS client.

Here’s how it functions: the Protectimus RADIUS Server connector forwards authentication requests from NetApp VDS to the Protectimus multi-factor authentication (MFA) server. Depending on the response received, access is either granted or denied.

Below, we offer an example of how to integrate Protectimus 2FA with NetApp Virtual Desktop Service for seamless NetApp VDS MFA.


1. How to Enable Multi-Factor Authentication for NetApp Virtual Desktop Service

You can set up multi-factor authentication (2FA) for NetApp VDS with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for NetApp Virtual Desktop Service.

2. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for NetApp Virtual Desktop Service two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for NetApp VDS

  1. Access your NetApp Virtual Desktop Service dashboard and navigate to the RADIUS Server Settings section.

  2. Input the details as specified below:
    • Label: Come up with a name for your RADIUS server.
    • Hostname/Address: IP of the server where the Protectimus RADIUS Server component is installed.
    • Authentication Port: 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    • Authentication Type: PAP authentication is required.
    • Shared Secret Code: The shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    • Server Timeout (in seconds): Set to 90 seconds.
    • Max Attempts: How many times the authentication request should be sent. Set to 1.

  3. Click Save and test the integration.

Integration of two-factor authentication (2FA/MFA) for your NetApp Virtual Desktop Service is now complete. If you have other questions, contact Protectimus customer support service.

Parallels RAS MFA

This guide explains how to set up multi-factor authentication (MFA or 2FA) for Parallels RAS (Remote Application Server) using the Protectimus system.

When integrating Protectimus two-factor authentication with Parallels RAS, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform acts as a RADIUS server through a dedicated connector called Protectimus RADIUS Server. Parallels RAS, on the other hand, functions as a RADIUS client.

Here’s how it works: the Protectimus RADIUS Server connector forwards authentication requests from Parallels RAS to the Protectimus multi-factor authentication (MFA) server. Based on the response received, access is either granted or denied.

Below, we provide an example of how to integrate Protectimus 2FA with Parallels RAS for seamless Parallels RAS MFA.


1. How to Enable Multi-Factor Authentication for Parallels RAS

You can set up multi-factor authentication (2FA) for Parallels RAS with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for Parallels RAS.

2. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Parallels RAS two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for Parallels RAS

  1. Access your Parallels RAS Application Server Console and navigate to:
    Connection -> Multi-Factor authentication -> + (plus) icon in the upper-right corner -> RADIUS -> RADIUS…

  2. In the window that opens, provide the following details:
    • Name: Choose a name for your RADIUS server, such as Protectimus RADIUS Server.
    • Description: Optional; lets you add a description for your RADIUS server if desired.
    • Themes: Be sure to choose the “Default” option.

  3. Click Next and fill in the details of your RADIUS server. Please consult the provided image and table for reference.
    • Display Name: Come up with a name for your RADIUS server.
    • Primary Server: IP of the server where the Protectimus RADIUS Server component is installed.
    • Secondary Server: Leave blank.
    • HA Mode: Leave blank.
    • Port: 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
    • Timeout: Set to 60 seconds.
    • Retries: Set to 3.
    • Secret key: The shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
    • Password encoding: Choose PAP.

  4. All remaining options are optional. Click Finish and save your configuration.

Please note: Configuring MFA for Parallels RAS is unique. By default, the RADIUS MFA provider only supports the TOTP authentication method, which includes Protectimus hardware TOTP tokens or the 2FA app Protectimus SMART OTP. Enabling SMS, chatbot, or email authentication may require additional setup. If you need assistance with these authentication methods, please contact our support team.

Integration of two-factor authentication (2FA/MFA) for your Parallels RAS is now complete. If you have other questions, contact Protectimus customer support service.
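
The four RADIUS integrations above (NComputing vSpace, Nerdio, NetApp VDS, Parallels RAS) all configure the client with PAP and the shared secret from radius.yml. The following Python is an added illustration, not Protectimus code, of what that secret does on the wire per RFC 2865: it hides the PAP User-Password inside the Access-Request, and it lets the client verify that an Access-Accept or Access-Reject really came from the server that holds the secret. The secret, identifier, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 prescribes.

    The password is null-padded to a multiple of 16 octets; each block is XORed with
    MD5(secret + previous ciphertext block), the first block using the Request
    Authenticator. Confidentiality rests entirely on the secret's strength and on
    the authenticator being fresh and unpredictable for every request.
    """
    if len(password) > 128:
        raise ValueError("RADIUS PAP passwords are limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_pap_password, as the RADIUS server performs it."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Parse type-length-value attributes, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """What the RADIUS client (vSpace, Nerdio, NetApp VDS, Parallels RAS) sends."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = _attribute(ATTR_USER_NAME, username.encode()) + _attribute(
        ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def parse_access_request(packet: bytes, secret: bytes):
    """Server side: recover identifier, authenticator, user name and plaintext password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:HEADER_LEN]
    attrs = parse_attributes(packet[HEADER_LEN:length])
    username = attrs[ATTR_USER_NAME].decode()
    password = decode_pap_password(attrs[ATTR_USER_PASSWORD], secret, request_auth).decode()
    return identifier, request_auth, username, password


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept/Reject: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a response only if it was built with our secret for our request."""
    header, response_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

A response forged or replayed without the secret fails verify_response, which is why the client's "Shared Secret" field and radius.secret must match exactly and be long and random.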

User’s Self-Service Portal

The Protectimus User’s Self-Service Portal lets users handle various tasks independently, such as enrolling and managing their security tokens and personal information. The system administrator decides which tasks users can do.

Please note:
  1. The Self-Service Portal must be enabled and configured separately for each resource.
  2. Users must be assigned to an appropriate Resource in order to have access to the Self-Service Portal.
  3. Users must additionally have a password in Protectimus system or an email address on record. A verification code will be sent to the registered email address to allow users to log into the Self-Service Portal. If a user has both a password and a registered email address, that user will use the password to log in.
  4. After a token is issued for a user and assigned to a Resource, the user will also be asked to input a password from the token when logging in.

1. Activate the Protectimus User’s Self-Service Portal

  1. Log into your account in Protectimus SAAS Service or On-Premise Platform. Then, go to the Resources tab, click on the resource name, and navigate to the Self-Service tab.
  2. If you haven’t enabled the Self-Service Portal for your users yet, click on Enable User’s Self-Service for your resource, and specify the address at which your users will access the Self-Service Portal.

2. Set Up the Protectimus User’s Self-Service Portal

Now, choose the authentication methods your users will use to log into the Self-Service Portal and specify the actions that will be available to them.

2.1. If you use the Protectimus Cloud Service

Once you click on the Save button, you will see a list of actions that your users can perform, as depicted in the image below. Initially, all actions are turned off by default. Activate the actions you’d like your users to have access to:

  • Register New Token. This feature lets users create, issue, and assign themselves tokens. When you activate this option, users will see a list of token types they can access through the portal. You can choose to enable only the types of tokens you intend to use, preventing users from being overwhelmed by too many options. Once a user creates a token, it will be linked to this resource as a “token with user.” Afterward, the user will need to input a one-time password from the token every time they log into the portal.
  • Existing Token Registration. Allows users to confirm that they have received a token. Helpful when using physical tokens. After receiving a set of tokens, assign them to a resource and distribute them to your users as you wish. When users receive their tokens, they can input their serial numbers on their own and confirm the tokens are in their possession with one-time passwords.
  • Re-Assign Token. Allows users to exchange an existing token for a new one. After performing this action, the old token will be unavailable.
  • Unassign Token. Allows users to unlink a token with a user from a resource. The user will remain associated with the token. In effect, the resource assignment is changed from “token with user” to just “user.”
  • Token Synchronization. Allows users to synchronize tokens if the time or counter on the device has become desynchronized from the server (more relevant for hardware tokens using TOTP and OCRA algorithms). Used primarily with physical tokens. Protectimus Smart has a built-in synchronization feature. It’s important to note that Protectimus Smart synchronizes itself with the time on Protectimus servers. If you have your own platform, be sure to set the time on it correctly.
  • PIN Setup. Allows users to add a PIN to a token. When this feature is enabled, users are required to enter a four-digit code either before or after the OTP itself, depending on their settings. For example, if a user chooses “1111” as a PIN and chooses to enter the PIN after the OTP, and the user’s token generates “123456” as a one-time password, the user must input the following combination into the OTP entry field: “1234561111”.
  • Remove PIN. Allows users to turn off the PIN feature.
  • Create Password. Allows users to create a Protectimus password.
  • Change Password. Allows users to change their Protectimus passwords.
  • Change Email Address. Allows users to change the email address registered with Protectimus.
  • Change Contact Phone Number. Allows users to change their phone number registered with Protectimus.
  • Change Login. Allows users to change their Protectimus usernames. Important: when integration with other services has been set up, links between systems are usually login-based. For this reason, if users change their logins on only one system, Protectimus may become unable to identify them. This may also break business logic when communicating with third-party services.
  • Change First Name and Last Name. Allows users to change their first and last name registered with Protectimus.
  • Manage User Environment. Experimental feature for smart user identification. When logging into the system, the degree of correspondence between the user’s current environment and the environment they typically log in from will be evaluated.
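
The PIN Setup action above puts the PIN and the OTP into one field, before or after the code depending on the user's setting, so the server must split the field before it can check either part. The following Python is an added illustration, not Protectimus code: it generates RFC 4226/6238 codes (the TOTP algorithm the Token Synchronization bullet mentions) and verifies a combined PIN+OTP entry in either position, within a small clock-drift window. The key, the four-digit PIN and the timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(key, timestamp // step, digits)


def split_pin_and_otp(entry: str, otp_length: int, pin_length: int, pin_after_otp: bool):
    """Split the single OTP field into (pin, otp) per the user's PIN position setting.

    Returns None when the entry cannot be a PIN+OTP combination at all (wrong length
    or non-digits); the caller then rejects it without saying which part was wrong.
    """
    if len(entry) != otp_length + pin_length or not entry.isdigit():
        return None
    if pin_after_otp:
        # Page example: PIN "1111" after OTP "123456" is entered as "1234561111".
        return entry[otp_length:], entry[:otp_length]
    return entry[:pin_length], entry[pin_length:]


def verify_pin_and_totp(entry: str, key: bytes, expected_pin: str, pin_after_otp: bool,
                        timestamp: int, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Verify a combined PIN+TOTP entry, accepting codes within +/- `window` time steps.

    Both parts are always compared, with hmac.compare_digest, so a failure takes the
    same path whether the PIN or the OTP was wrong.
    """
    parts = split_pin_and_otp(entry, digits, len(expected_pin), pin_after_otp)
    if parts is None:
        return False
    pin, otp = parts
    pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
    current = timestamp // step
    otp_ok = False
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter < 0:
            continue
        candidate = hotp(key, counter, digits)
        otp_ok |= hmac.compare_digest(otp.encode(), candidate.encode())
    return pin_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test key; at t=59 the TOTP is 287082.
    key = b"12345678901234567890"
    print(totp(key, 59))                                              # 287082
    print(verify_pin_and_totp("2870821111", key, "1111", True, 59))   # True
    print(verify_pin_and_totp("1111287082", key, "1111", False, 59))  # True
```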


2.2. If you use the Protectimus On-Premise Platform

All of the following access methods can be enabled simultaneously without conflicts. If both Federated Auth and Password Auth are enabled, users can log into the Self-Service Portal using either the AD password or the Platform password; both will be valid:

  • Federated Auth: Users log into the Self-Service Portal using their password from Active Directory (AD). If enabled, setting the user’s password within the Protectimus Platform is not required.
  • Auth via Security Questions: Users log into the Self-Service Portal by answering secret questions.
  • Password Auth: Users log into the Self-Service Portal using the password set in the Users’ settings within the Protectimus Platform.
  • Email Auth: Users log into the Self-Service Portal using a one-time code sent to the email specified in the Users’ settings within the Protectimus Platform.

  • Password Policy: This feature allows you to set policies for users, enabling them to change/create a password themselves after logging into the Self-Service Portal.
  • Change Federated Password: By enabling this feature, you grant users permission to change their AD password through the Self-Service Portal. To change the AD password, they will need to specify both the old and new AD passwords.
  • Reset Federated Password: Enabling this feature grants users permission to reset the AD password through the Self-Service Portal, requiring only the specification of the new password.

NOTE:
  1. Changing the password in AD using the Self-Service Portal works only via LDAPS (SSL) connection; it does not work via LDAP.
  2. The option to change passwords in AD using the Self-Service Portal is available exclusively for users synchronized from AD; it is not applicable to DSPA users.


3. Give Your Users Access to Protectimus User’s Self-Service Portal

To log into the Self-Service Portal, your users will need:
  1. Either a password or an email registered in the Protectimus platform.
    Users with both a password and a registered email address will use the password. For those with only an email, a verification code will be sent to the registered email address. If necessary, you can add passwords or emails in User settings.
  2. The link specified when enabling the Self-Service Portal.

    Users should follow this link to log into their Self-Service Portal account, where they will see the available actions. Then, they should click the respective button and follow the required sequence of steps to complete their chosen action.

How to Set Up Two-Factor Authentication in Volet

  1. Log in to your Volet account and navigate to the Security Settings page.
  2. Scroll down to the Two-Factor Authentication (2FA) settings and click the CONFIGURE button.
  3. Choose your preferred two-factor authentication method for receiving one-time passwords. There are two options:

1. Setting up the Protectimus SMART OTP Authenticator App

  1. If you plan to use the Protectimus SMART OTP authenticator app for generating one-time passwords, select the Token option and click on CONFIGURE.

How to Set Up Two-Factor Authentication in Volet - Setting up the Protectimus SMART OTP Authenticator App

  1. Next, press the SOFTWARE TOKEN button.

Setting up the Protectimus SMART OTP Authenticator App - Press the SOFTWARE TOKEN button

  1. At this stage, you will need the Protectimus SMART OTP application. Download the application from Google Play Store if you are using an Android phone, or from App Store if you are using an iOS phone.

    The application is available for free. To download, use the provided link or scan the corresponding QR code below.
 
  • Show QR code
  •         
  • Show QR code







  1. After installing the application, open it. You will see the welcome screen. Press Continue.

Show QR code

  5. Next, you will be prompted to activate Cloud Backup.

    We strongly recommend using the cloud backup feature so that your OTP tokens survive loss or damage of the phone or accidental deletion of the two-factor authentication app.

    To activate cloud backup, select the Cloud Backup option.

    Select your account in Google Cloud or iCloud and log in if necessary, granting the required permissions.

    Set a password for the backup file. The app accepts any password from 3 to 16 characters, but this password is all that protects the token secrets stored in your cloud account, so use a long, unique one rather than the minimum. Enter the password, repeat it, and press Continue.

    After activating cloud backup, press Continue to proceed to token enrollment.

  6. Now you can add a new token. Click on the Add new token button.

    Select Scan QR code.

    Point your smartphone camera at the QR code displayed on the Volet page.

    Setting up the Protectimus SMART OTP Authenticator App - Point your smartphone camera at the QR code displayed on the Volet page

    The application will scan the QR code containing the secret key and enroll the token.

    Note: If you are unable to scan the QR code for any reason, you can also add the secret key to the application manually (see section 1.1 below).

    Token enrolled

  7. Enter the one-time password displayed in the application into the corresponding field in Volet and click the ACTIVATE button.

    Setting up the Protectimus SMART OTP Authenticator App - Enter the OTP code

  8. You have successfully registered a two-factor authentication token for your Volet account. From now on, each time you log in, you will start by entering your standard username and password, followed by the one-time password generated by the Protectimus Smart OTP application.

    Note: Do not uninstall the application from your smartphone. If you want to deactivate or remove the token from your Volet account, you will also need to enter a one-time password.

1.1. How to Manually Add a Secret Key to the Protectimus Smart OTP App

  1. Click on the “Can’t scan the QR code?” option on your Volet Software Token settings page.

How to Manually Add a Secret Key to the Protectimus Smart OTP App

  2. A secret key will be displayed, which you need to add to the Protectimus Smart OTP App. Treat this key like a password: anyone who obtains it can generate your one-time passwords, so do not store it in plain text or share it.

How to Manually Add a Secret Key to the Protectimus Smart OTP App - A secret key will be displayed, which you need to add to the Protectimus Smart OTP App.

  3. In the Protectimus Smart OTP App, click on the Add new token button.

    Add new token button

    or

    Add new token button

  4. Select Add token manually.

    Add token manually

  5. Fill in the required fields:
    • Issuer: Volet
    • Login: This is the name of the token; add any name you wish.
    • Additional Information: You may leave this field empty or add a note if you wish.
    • Token key: Enter the secret key from your Volet Software Token settings page (without spaces).
    • Protectimus checksum: Leave as it is.
    • OTP Type: Leave as it is – By time (TOTP).
    • Algorithm: Leave as it is – SHA1.
    • OTP Length: Leave as it is – 6 digits.
    • OTP Lifetime: Leave as it is – 30 seconds.

    How to Manually Add a Secret Key to the Protectimus Smart OTP App - Fill in the required fields

    Save the changes by tapping the Add token button in the upper right corner.

    How to Manually Add a Secret Key to the Protectimus Smart OTP App - Save the changes by tapping the Add token button in the upper right corner.

  6. Enter the one-time password displayed in the application into the corresponding field and click the ACTIVATE button.

Enter the one-time password displayed in the application into the corresponding field and click the ACTIVATE button

  7. You have successfully registered a two-factor authentication token for your Volet account. From now on, each time you log in, you will start by entering your standard username and password, followed by the one-time password generated by the Protectimus Smart OTP application.

    Note: Do not uninstall the application from your smartphone. If you want to deactivate or remove the token from your Volet account, you will also need to enter a one-time password.

2. Additional Protectimus SMART OTP Application Settings

With the Protectimus Smart OTP 2FA authenticator, you can generate one-time passwords (OTPs) on your mobile device that can be used as the second factor in the authentication process not only on Volet, but on any website that supports MFA.

The Protectimus Smart two-factor authentication app offers many advantages, including:
  • Encrypted cloud backup;
  • Ability to transfer tokens to a new phone;
  • Ability to import tokens from Google Authenticator;
  • PIN and biometric authentication protection (Touch ID and Face ID);
  • Support for all OATH one-time password generation algorithms (HOTP, TOTP, and OCRA);
  • 6 and 8 digit one-time passwords;
  • Multiple language support: English, French, German, Italian, Spanish, Russian, and Ukrainian;
  • Convenient distribution of OTP tokens by folders;
  • Customization of tokens with different emojis and descriptions.

2.1. Adding Tokens for Other Accounts or Websites

  1. To add a new token, open the Protectimus Smart OTP two-factor auth app and tap on the plus sign in the upper left corner.

Add new token button

  2. You can choose to add the token by scanning a QR code or by entering the secret key manually.

    If you choose to Scan QR code, simply point your smartphone’s camera at the code on the security settings page of the website you want to protect with two-factor authentication. The app will scan the QR code and create a token.

Adding tokens to MFA app Protectimus Smart OTP - Step 2 - Scanning the QR code

  3. If you choose to Add token manually, you’ll need to enter the token name (Login), the secret key (Token key), the OTP generation algorithm (OTP Type), the one-time password length, and the lifetime. Then save the changes by tapping the Add token button in the upper right corner.

    Note that if you’re using a two-factor authentication system other than Protectimus, you should uncheck the Protectimus checksum checkbox.

Adding tokens to MFA app Protectimus Smart OTP - Step 3 - Adding tokens manually

2.2. Editing and Deleting Tokens in the Protectimus SMART OTP App

  1. To edit or delete a token, long-press on its name and choose the desired action. Alternatively, you can open the Edit Token menu by tapping the pen icon in the upper-right corner and selecting the token you want to modify.

How to edit tokens in the 2FA app Protectimus Smart OTP

  2. Once you’re in the Edit Token menu, you can customize the token by:
    • changing its emoji,
    • setting the issuer,
    • updating its name (Login),
    • adding a description (Additional information),
    • adjusting the OTP length,
    • assigning it to a folder.
    If you need to remove the token entirely, there’s an option to delete it.

    Once you’ve made your changes, click Save and close in the upper-right corner to confirm.

How to edit tokens in the 2FA app Protectimus Smart OTP - Edit token menu

2.3. Grouping Tokens by Folders

  1. To keep your tokens organized, you can group them into folders.

    To add a token to a folder, simply long-press its name and select Add to folder.

2FA application Protectimus Smart OTP - how to add tokens to folders

  2. You’ll be taken to the folder settings menu, where you can either choose an existing folder or create a new one. If you want to create a new folder, click on the icon in the top right corner.

2FA application Protectimus Smart OTP - how to add tokens to folders - create folder

  3. To manage your folders, click on the gear icon in the upper right corner to go to the Settings page.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  4. Select Folder Settings.

2FA application Protectimus Smart OTP - Folder Settings

  5. From here, you can edit, delete, and create new folders, as well as edit tokens in any folder.

2FA application Protectimus Smart OTP - Folder Settings

2.4. Changing the Order of Tokens

You can customize the order of your tokens to suit your needs. With this feature, you can quickly access your most frequently used tokens.
  1. To do so, open the Edit Token menu by tapping the pen icon in the upper-right corner.

2FA app Protectimus Smart OTP - Changing the Order of Tokens - Step 1

  2. From there, simply drag the tokens to rearrange them in the desired order. Save the changes by clicking on the checkmark in the upper right corner.

2FA app Protectimus Smart OTP - Changing the Order of Tokens - Step 2

2.5. Cloud Backup

To safeguard your OTP tokens in case of device loss or accidental deletion of the 2FA app, we strongly recommend using the Cloud Backup feature. Additionally, we strongly advise protecting the backup file with a password for added security.

To manage your backup files, simply navigate to the Backup page where you can activate, update, restore or delete your backup.

By utilizing this feature, you can ensure that your OTP tokens are always available and secure, even in unexpected circumstances.

  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Tap Backup in cloud.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 2

  3. If the backup function is not activated yet, enable it.

2FA app Protectimus Smart OTP - Cloud backup activation

  4. If the backup function has already been activated and you have made changes since, you can Restore the previous version or Update the backup file. Tap the Upload button to upload the latest changes to the cloud.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 3

  5. You will see an alert message. If you are sure that you want to upload the current OTP tokens to the cloud, tap Update. Please note that this will overwrite the previous backup.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 4

Please note! To secure your backup file, we recommend adding a password; use the Add backup file password button. Without a password, anyone who gains access to your cloud storage account can restore your tokens.

Protectimus Smart OTP 2FA application - Add Cloud Backup Password

2.6. App Security (PIN and Biometric Authentication)

For optimal security, it is highly recommended that you safeguard access to the Protectimus Smart OTP two-factor authentication application with either a PIN or biometric authentication.

To enable PIN or biometric authentication with fingerprint or face ID, follow these steps:

  1. Go to the Settings menu.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Select App security.

2FA authenticator Protectimus Smart - Security Settings

  3. Create a unique PIN for the application.

2FA authenticator Protectimus Smart - PIN setup

  4. The app will prompt you to allow biometric authentication for easier access.

2FA authenticator Protectimus Smart - Biometric authentication setup

  5. Once both PIN and biometric protection are enabled, you can manage your PIN, and turn biometric authentication on or off from the App security page.

2FA authenticator Protectimus Smart - App Security Settings Page

By taking these simple steps, you can ensure that your Protectimus Smart OTP two-factor authentication application is as secure as possible.

2.7. Transferring Tokens to a New Phone

Protectimus Smart OTP authenticator offers a convenient Data Transfer feature that enables you to effortlessly move your tokens from one phone to another or download and store the backup file in the place you like. With this feature, you can export your data into an encrypted file with password protection for added security.

  1. To get started, simply navigate to the Settings menu.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Tap on the Data transfer option.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature

  3. If you want to transfer tokens from your current device to another, choose Export tokens. Alternatively, if you want to import saved data onto your device, select Import tokens.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

  4. If you choose to export tokens, create a strong password and click on Continue to generate the file containing all your data.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

  5. Remember to save this file so you can import your tokens onto the new device later. The file contains every token secret, so store it as carefully as the password that protects it, and delete it once the import on the new device is complete.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

2.8. Importing from Google Authenticator

You can easily transfer your tokens from Google Authenticator 2FA app to the Protectimus Smart OTP.

To get started, open your Google Authenticator application and:
  • tap the menu button located at the top-right corner;
  • select Transfer accounts;
  • then choose Export accounts;
  • select the tokens you wish to transfer to Protectimus Smart OTP;
  • tap Next, and you will see a QR code, scan this QR code using the Protectimus Smart OTP app.

In the Protectimus Smart OTP app:
  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Select Import from Google Authenticator, scan the QR code generated by Google Authenticator and wait for the import process to complete.

Two-factor authentication app Protectimus Smart OTP - Import from Google Authenticator

2.9. Time Correction

If you see the message “The one-time code is invalid” when attempting to enter a one-time password, it may be due to a time drift between your token and the two-factor authentication server. To resolve this issue, a time correction may be necessary.

To synchronize your Protectimus Smart OTP app’s internal clock with Protectimus servers:
  1. Navigate to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  2. Select the Time correction option.

2FA app Protectimus Smart - Time correction

  3. If everything is in order, you will see a message confirming that the time is already correct.

2FA app Protectimus Smart - Time correction
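The manual-enrolment fields in section 1.1 (Token key, OTP Type, Algorithm, OTP Length, OTP Lifetime) and the time-drift symptom described in this section are both explained by how a time-based one-time password is computed. The following Python block is an added example written for this page, not Protectimus code: it parses an enrolment URI, computes TOTP per RFC 6238 with the defaults shown in the Volet dialog (SHA1, 6 digits, 30 seconds), and verifies a submitted code while tolerating a small clock drift, which is what Time correction compensates for. The otpauth:// URI layout is the Google Authenticator key-URI convention and is an assumption about what the Volet QR code carries; the Protectimus checksum field is product-specific and is not modelled. The secret used for the self-check is the published RFC 6238 test vector.

```python
"""Added example (not Protectimus code): how the manual-enrolment fields in
section 1.1 turn into one-time passwords, and why clock drift breaks them.
RFC 4226 (HOTP) / RFC 6238 (TOTP); the otpauth:// layout is an assumption."""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Read issuer, login and generation parameters from an otpauth:// URI.
    Assumed layout: otpauth://totp/Issuer:login?secret=BASE32&issuer=...&digits=6&period=30"""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    label = unquote(parts.path.lstrip("/"))
    issuer_from_label, _, login = label.rpartition(":")
    return {
        "type": parts.netloc,
        "issuer": query.get("issuer", issuer_from_label),
        "login": login,                                      # the dialog's "Login" field
        "secret": query["secret"].replace(" ", "").upper(),  # "Token key", without spaces
        "algorithm": query.get("algorithm", "SHA1").upper(), # "Algorithm"
        "digits": int(query.get("digits", 6)),               # "OTP Length"
        "period": int(query.get("period", 30)),              # "OTP Lifetime"
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: the counter is the number of whole periods since the Unix epoch,
    so phone and server only agree while their clocks are within one period."""
    return hotp(secret_b32, unix_time // period, digits, algorithm)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1):
    """Accept the current step and up to `window` steps either side.
    Returns (ok, drift_in_steps). A clock further off than the window produces
    the "The one-time code is invalid" error until Time correction is run."""
    step = unix_time // period
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, step + drift, digits, algorithm)
        if hmac.compare_digest(expected, candidate):  # constant-time comparison
            return True, drift
    return False, None


# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    p = parse_otpauth("otpauth://totp/Volet:alice%40example.com?secret="
                      + RFC6238_SECRET + "&issuer=Volet&algorithm=SHA1&digits=6&period=30")
    now = int(time.time())
    code = totp(p["secret"], now, p["period"], p["digits"], p["algorithm"])
    print(p["issuer"], p["login"], code, verify_totp(p["secret"], code, now))
    # A phone two minutes slow fails even with a one-step window:
    print(verify_totp(p["secret"], totp(p["secret"], now - 120), now))
```

A verifier that accepts only the current 30-second step rejects legitimate users whose phone clock is a few seconds off, so servers typically accept one step either side (as verify_totp does) and may record the observed drift. If the phone's clock is further off than the window allows, every code fails until you run Time correction or fix the device clock; the secret itself is not at fault.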

2.10. Application Language

To select the desired language, go to the application settings.
Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

Choose Application language, and select the language you prefer.
Protectimus Smart OTP 2FA application - Application language



Currently, the Protectimus Smart OTP authenticator is available in English, French, German, Italian, Spanish, Russian, and Ukrainian.

Protectimus Smart OTP 2FA app language settings

2.11. Screen Capture Access

You can enable or disable Screen Capture Access. For better security, we advise against enabling it: with screen capture blocked, the one-time passwords and enrollment QR codes shown in the app cannot be captured by screenshots or by other apps that record the screen.

To change this setting, go to the application settings.
Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

Tap on Screen capture access.

Protectimus Smart OTP 2FA application - Screen capture access

And allow or deny access to screen capture.

Protectimus Smart OTP 2FA app - screen capture access

2.12. Changing Light and Dark Appearance

You may also choose between a dark or bright app appearance to suit your preferences.

To change this setting, go to the application settings.
Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

Tap on Appearance.

Protectimus Smart OTP 2FA app - Appearance

Choose the desired option and click Save and go back.

Protectimus Smart OTP 2FA app - Appearance

3. Setting up 2FA Chatbot on Telegram, Viber, or Messenger

  1. If you’re opting for the two-factor authentication chatbot on Telegram, Viber, or Facebook Messenger, select the Chat Bots option and click CONFIGURE.

How to Set Up Two-Factor Authentication in Volet - Setting up 2FA Chatbot on Telegram, Viber, or Messenger

  2. Choose the messaging app you prefer and find the ProtectimusBot chatbot within it.
    • Telegram – find ProtectimusBot by using the built-in search or use this link https://t.me/protectimusbot.
    • Facebook Messenger – find ProtectimusBot through the app’s search function or click http://m.me/ProtectimusBot.
    • Viber – copy the link viber://pa?chatURI=Protectimus, add it to your Notes in Viber to make it clickable, then click it to open the Protectimus chatbot in Viber.
  3. Click CONFIGURE.

Protectimus Bot setup - click Configure

  4. Enter the /getid command in the chatbot.

    Afterward, you will see your chat ID, which needs to be added to the Volet system for token enrollment.

Protectimus Bot setup - getid

  5. Enter the chat ID you received into the corresponding field in Volet and click SEND.

Protectimus Bot setup - Enter the chat ID

  6. Then, enter the one-time password from the Protectimus chatbot to complete the token registration.

Protectimus Bot setup - Enter the OTP code

4. How to Delete or Deactivate a Two-Factor Authentication Token in Volet

You can delete or deactivate your Volet two-factor authentication token, whether you are using the 2FA app Protectimus Smart OTP or a 2FA chatbot in the messaging app. In both cases, you’ll need to enter your one-time password to complete the action.

To deactivate or delete your two-factor authentication token in Volet:

  1. Navigate to the Security Settings page.

How to Delete or Deactivate a Two-Factor Authentication Token in Volet - Go to Security Settings

  2. Scroll down to the Two-Factor Authentication (2FA) settings and click the CONFIGURE button.

How to Delete or Deactivate a Two-Factor Authentication Token in Volet - Go to Two-Factor Authentication Settings

  3. Click on CHANGE SETTINGS for the two-factor authentication method you use.

How to Delete or Deactivate a Two-Factor Authentication Token in Volet - Click on CHANGE SETTINGS

  4. If you are deactivating or deleting the Protectimus Smart OTP software token, click on the SOFTWARE TOKEN button.

How to Delete or Deactivate a Two-Factor Authentication Token in Volet - Press the SOFTWARE TOKEN button

  5. Choose whether you would like to DEACTIVATE or DELETE the token.

    • If you DEACTIVATE the token, you can activate it again; for this, you’ll need the one-time code from your token.
    • If you DELETE the token, you cannot reactivate it; you’ll need to enroll a new one.

How to Delete or Deactivate a Two-Factor Authentication Token in Volet - Choose whether you would like to DEACTIVATE or DELETE the token

  6. Enter the one-time password and click CONFIRM.

How to Delete or Deactivate a Two-Factor Authentication Token in Volet - Enter the one-time password and click CONFIRM

If you have any questions, please, contact Protectimus customer support service.

Auto-Registration of a Token for Windows Two-Factor Authentication

Upon the first login to their Windows account, after installing the two-factor authentication component for Windows and RDP, the user will need to undergo the auto-registration process and enroll the token in the 2FA authenticator Protectimus SMART OTP. Below is a step-by-step guide on how to do this.

  1. To log in to your Windows account, enter your username and password as usual.

  2. After that, you will see the token auto-registration window. Click on the Show QR button.

  3. At this stage, you will need the Protectimus SMART OTP application. Download it from the Google Play Store if you are using an Android phone, or from the App Store if you are using an iOS phone. The application is free.

    [QR codes linking to the Google Play and App Store listings]

  4. After installing the application, open it. You will see the welcome screen. Press Continue.

  5. Next, you will be prompted to activate Cloud Backup.

    We strongly recommend using the cloud backup feature so that your OTP tokens survive loss or damage of the phone or accidental deletion of the two-factor authentication app.

    To activate cloud backup, select the Cloud Backup option.

    Select your account in Google Cloud or iCloud and log in if necessary, granting the required permissions.

    Set a password for the backup file (the app accepts 3 to 16 characters; choose a long, unique one, since it is all that protects the token secrets in your cloud account). Enter the password, repeat it, and press Continue.

    After activating cloud backup, press Continue to proceed to token enrollment.

  6. Now you can add a new token. Click on the Add new token button.

    Select Scan QR code.

    Point your smartphone camera at the QR code you see on the Windows account login page.

    The application will automatically scan the QR code and create the token.

  7. Enter the one-time password that you see in the application into the Windows one-time password input field, and press Enter.

  8. You have successfully logged into your Windows account and created a token. Now, every time you log into Windows, you will need to enter your standard username and password first, followed by the one-time password from this application. Do not delete the application.

OpenVPN pfSense 2FA

Implement two-factor authentication (2FA) for pfSense OpenVPN through the use of the Protectimus multi-factor authentication system.

Multi-factor authentication (MFA) stands as a crucial component of cybersecurity, safeguarding user accounts, infrastructure, and sensitive data against unauthorized entry. By integrating 2FA into pfSense OpenVPN, potential threats like brute force attacks, keyloggers, data spoofing, phishing, MITM attacks, and social engineering are mitigated.

Protectimus facilitates a secure approach to pfSense OpenVPN access by employing multi-factor authentication (MFA) via the Protectimus RADIUS server.

The following scheme outlines the operational process of the Protectimus solution designed for implementing two-factor authentication on pfSense OpenVPN.

pfSense OpenVPN two-factor authentication via RADIUS

1. How Two-Factor Authentication for pfSense OpenVPN Works

The Two-Factor Authentication Solution by Protectimus enhances the security of pfSense OpenVPN, adding an extra layer of protection that effectively thwarts any unauthorized attempts to access your VPN.

Upon activating pfSense OpenVPN two-factor authentication (2FA), users will be prompted to provide two distinct authentication stages to gain entry to their accounts.

When attempting to access their pfSense OpenVPN accounts protected with 2FA/MFA, users will need to provide:

  1. Their username and password (something the user knows).
  2. A unique one-time password generated through a hardware OTP token, 2FA chatbot, or a smartphone app (something the user possesses).

To break into a pfSense OpenVPN account protected with two-factor authentication (2FA/MFA), an attacker needs both the regular password and a valid one-time password, and the latter is only usable within its short validity window (30 seconds for a time-based token). This defeats password reuse, credential stuffing and offline theft of passwords outright. It does not by itself stop an attacker who phishes a code and relays it within that window, so users should enter one-time passwords only into the genuine VPN client.

2. How to Enable 2FA for pfSense OpenVPN

You can set up 2-factor authentication (2FA) for pfSense OpenVPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for pfSense OpenVPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for pfSense OpenVPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for pfSense OpenVPN MFA

First of all, make sure your authentication source is set up accurately, which involves utilizing an external Identity Provider (IdP) such as OpenLDAP, Microsoft Active Directory, FreeIPA, or a standalone FreeRADIUS.

Important Note:
The built-in FreeRADIUS within pfSense has a limited range of settings and does not permit the specification of the user email attribute. Due to this limitation, you cannot employ the internal FreeRADIUS for this integration. Instead, opt for a separate FreeRADIUS installation or select any other Identity Provider mentioned in the preceding section.

It’s imperative to have a correctly configured pfSense system. We assume that you have already added an OpenVPN Server to pfSense via VPN → OpenVPN. Before proceeding with the implementation of multi-factor authentication through Protectimus, you should have a primary authentication solution configured for your OpenVPN users. Refer to the documentation at pfsense.org if you haven’t installed and configured pfSense yet.
  1. Launch a web browser and access the pfSense WebGUI.
  2. Navigate to System –> Package Manager. Switch to the Available Packages tab.
  3. Find openvpn-client-export and select Install. Confirm your action by clicking the Confirm button. After a brief moment, you’ll receive confirmation of a successful installation. The package should now be visible within the Installed Packages tab.

PfSense OpenVPN two-factor authentication setup - step 1

  4. Access the System –> User Manager section.
  5. Move to the Authentication Servers tab and click Add.

PfSense OpenVPN 2-factor authentication setup - step 2

  6. Complete the form, using the table below for guidance on the settings. Once done, click Save to add the Authentication Server.

Descriptive name: Any name you like, e.g., Protectimus RADIUS Server.
Type: Always choose RADIUS.
Protocol: Choose PAP.
Hostname or IP address: IP of the server where the Protectimus RADIUS Server component is installed.
Shared Secret: The shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server. Use a long, random value; it protects the password attribute and authenticates the server’s replies.
Services offered: Must be Authentication.
Authentication port: 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Accounting port: Retain the default value.
Authentication Timeout: How long pfSense waits for the RADIUS server to answer an authentication request. Default: 5. Suggested: 60. A generous value leaves time for the Protectimus server to complete the second-factor check before pfSense gives up.
RADIUS NAS IP Attribute: The IP address to be used as the “NAS-IP-Address” attribute when sending RADIUS Access-Requests.

PfSense OpenVPN multi-factor authentication setup - step 3
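To see what the settings in the table control on the wire, here is an added Python example (not pfSense or Protectimus code) that builds the RADIUS Access-Request pfSense sends to the Protectimus RADIUS Server for a PAP login, per RFC 2865, and checks the Response Authenticator of the reply. The shared secret is mixed into the MD5 keystream that hides the User-Password attribute and into the reply's authenticator, so a secret mismatch produces a silent Access-Reject or a timeout rather than a clear error; the table's NAS IP Attribute is attribute type 4. The username, password, addresses and secret are constructed test values, and how the Protectimus server separates or validates the OTP part of the credential is not shown because the page does not describe it.

```python
"""Added example (not pfSense or Protectimus code): the RFC 2865 Access-Request
that pfSense sends for a PAP login, and how the shared secret protects it.
All names, addresses and the secret below are constructed test values."""
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_VIRTUAL = 5  # what a VPN concentrator reports

SECRET = b"example-radius-secret"  # constructed; stands in for radius.secret in radius.yml


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert pap_encrypt and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Code(1) | Identifier | Length | Request Authenticator(16) | attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))  # the "RADIUS NAS IP Attribute"
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header, rejecting truncated attributes."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        type_, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[type_] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_recover_password(request: bytes, secret: bytes) -> bytes:
    """What the RADIUS server decrypts; only the matching shared secret yields the password."""
    return pap_decrypt(parse_attributes(request)[USER_PASSWORD], secret, request[4:20])


def response_authenticator(code: int, request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | reply attributes | secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return hashlib.md5(header + request[4:20] + attrs + secret).digest()


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: an Access-Accept or Access-Reject bound to the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + response_authenticator(code, request, secret, attrs) + attrs


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: drop any reply whose authenticator does not verify, otherwise
    anyone able to spoof UDP from the server's address could forge an Accept."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = response_authenticator(reply[0], request, secret, reply[20:])
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    req = build_access_request("alice", "Passw0rd123456", SECRET, "192.0.2.1", identifier=7)
    print("server sees password:", server_recover_password(req, SECRET))
    print("with a wrong secret: ", server_recover_password(req, b"typo-secret"))
    accept = build_reply(ACCESS_ACCEPT, req, SECRET)
    print("accept verifies:", reply_is_authentic(accept, req, SECRET),
          "forged:", reply_is_authentic(accept, req, b"typo-secret"))
```

PAP gives the password only this MD5-based obfuscation and gives the request no integrity protection at all, so keep the path between pfSense and the Protectimus RADIUS Server on a trusted network segment or inside a tunnel, use a long random shared secret, and have the RADIUS server answer only the pfSense client address.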

  7. Select the Save option.
  8. Navigate to VPN –> OpenVPN. Locate your interface within the list of OpenVPN Servers. Click on the pencil icon on the right side.

PfSense OpenVPN MFA setup - step 4

  9. Switch to the Servers tab. Confirm that the Server mode is configured as Remote Access (User Auth).
  10. Verify that the Backend for authentication is set to the Authentication Server created in Step 6.

PfSense OpenVPN 2FA setup - step 5

  11. Adjust the remaining settings according to your requirements. Click Save to keep the changes.
  12. Switch to the Client Export tab. Go to Advanced –> Additional configuration options.
  13. Add the reneg-sec 0 option to Additional configuration options.

    The reneg-sec n option sets the time (in seconds) before a data channel key renegotiation takes place. Set it to 0 to avoid re-authentication for as long as the client remains connected without interruption.

We highly advise configuring reneg-sec as 0. If another value is chosen, your users will see 2FA reauthentication prompts each time that interval elapses, because the client re-sends its credentials when the data channel keys are renegotiated and the one-time password entered at connect time is no longer valid.

By default, this value is 3600 seconds. Without the reneg-sec 0 option (that is, with Additional configuration options left blank), your users will be prompted to reauthenticate every hour.

Note that reneg-sec 0 also disables periodic rotation of the data channel keys for the life of the connection. OpenVPN 2.4 and later offer an alternative: the server-side auth-gen-token option hands the client a temporary token after a successful login, which the client presents on later renegotiations instead of the password, so keys keep rotating without a new OTP prompt.

  14. In Additional configuration options, also add the hand-window 120 option. This makes the authentication handshake time out correctly when a user does not complete 2FA within the allotted time.
  15. Use the Save as default button to keep this change as the default setting.

PfSense OpenVPN 2FA setup - step 6

  16. Scroll down to the OpenVPN Clients section and choose the download button that suits your requirements. The Windows Installer is a common choice, but any of the provided options will do.

PfSense OpenVPN two-factor authentication setup - step 7

  17. You now have an installation file or package for your OpenVPN users, and the configuration is finished. Once the package is installed, users will go through Protectimus two-factor authentication when they log in to the VPN.

Integration of two-factor authentication (2FA/MFA) for your pfSense OpenVPN is now complete. If you have other questions, contact Protectimus customer support service.

Ubiquiti UniFi Controller SMS Authentication

Implement Wi-Fi SMS Authentication (Ubiquiti UniFi Controller SMS Authentication) by setting up a Unifi Captive Guest Portal secured with Protectimus Unifi Guest Portal Server. This solution seamlessly integrates with the Ubiquiti UniFi Controller, enabling you to protect your Wi-Fi network through SMS authentication. You have the flexibility to choose any SMS provider that suits your preferences.

Here’s how the Wi-Fi SMS authentication process works after configuring the guest portal with the Ubiquiti UniFi Controller and connecting it to Protectimus:

  1. Users attempting to connect to the Wi-Fi network will be prompted to enter their phone number.
  2. A unique one-time password is sent to the user via SMS.
  3. The user enters the received one-time password in the designated field.
  4. Protectimus verifies the one-time password and either grants or denies access to the Wi-Fi network based on the authentication result.

For security and administrative purposes, the Protectimus server logs all user inputs in CSV format. The recorded data includes the user’s MAC address, the access point’s MAC address, the assigned IP, and the phone number provided during authentication. You can configure the retention period to meet your requirements; many jurisdictions set a minimum retention period for such access logs, so check the rules that apply to you. Because the log contains phone numbers and device identifiers, treat it as personal data and restrict who can read it.

You have the option to install the On-Prem Protectimus Authentication Platform on your hardware on-premises or utilize the convenience of the Protectimus Cloud Service. Either way, you can ensure a robust and reliable Wi-Fi SMS authentication solution for your network.

1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.

2. Install the Protectimus Unifi Guest Portal Server Using a Docker Image

  1. To start installing the Protectimus Unifi Guest Portal Server, first download and install docker and docker-compose.

  2. Then clone the git repository: https://github.com/protectimus/platform-linux.git

  3. Once you have cloned the repository, edit the file unifi-guest-portal/config/guest-portal.yml and add the properties described in section 3 below.

  4. Go to the unifi-guest-portal directory and run:
docker-compose up -d

  5. You can monitor the deployment of the Protectimus Unifi Guest Portal Server with:
docker-compose logs -f

  6. There is also an additional file, fragments.html, which is used to customise the UI of the login screen.

  7. After the deployment is complete, the Protectimus Unifi Guest Portal Server will be available at https://localhost:8080.
    You can change the port in the configuration file (unifi-guest-portal/config/guest-portal.yml).

If you are unable to use the Docker Image for any reason, please get in touch with our support team, and we will assist you with the installation.

3. Configure Protectimus Unifi Guest Portal Authentication Server Settings

The Protectimus Unifi Guest Portal Authentication Server settings can be configured by specifying them in the guest-portal.all.yml file, which must be located in the same directory as the executable.

Available properties that you should add to the guest-portal.all.yml file include:

3.1. Guest Portal Server Settings

server:
  port: 8888
  ssl:
    enabled: true
    key-store-type: PKCS12
    key-store: classpath:keystore/guest-portal.p12
    key-store-password: password
    key-alias: guest-portal

PROPERTY NAME / PROPERTY STANDS FOR
port:
The port where the Protectimus Unifi Guest Portal Authentication Server will run.
ssl:
If you would like to import your own trusted SSL certificate, this property allows you to configure the SSL certificate settings, which include the keystore type, keystore path, keystore password, and key alias.

3.2. Unifi Settings

unifi:
  cookie-expiration-time: 30000
  base-url: https://localhost:8443
  username: admin
  password: admin
  sites-verification-enabled: true
  sites:
    - default
  session:
    duration-minutes: 90
    download-speed: 2048
    upload-speed: 640
    quota: 4096
  redirect-page: https://www.google.com


PROPERTY NAME / PROPERTY STANDS FOR
cookie-expiration-time:
Allows setting cookie expiration time.
base-url:
The UniFi Controller URL.
username:
The username of the Unifi Controller administrator.
password:
The password of the Unifi Controller administrator.
sites-verification-enabled:
When enabled, restricts the portal to clients that belong to the UniFi Controller sites listed under sites.
sites:
UniFi Controller sites (the fundamental organizational unit for managing and monitoring your UniFi network devices and clients).
session:
This property allows you to set session settings, including the maximum duration of the session, upload and download limits, and data quota amount.
redirect-page:
This is the URL that the client is attempting to open after successful authentication on the guest portal. In this instance, it is https://www.google.com. These types of URLs are commonly used to test internet connectivity or to redirect to a specific webpage after the authentication process.

3.3. Protectimus API Settings (setting up connection to the PROTECTIMUS service)

protectimus-api:
  login:
  api-key:
  url: https://api.protectimus.com/
  resource-id: 

PROPERTY NAME / PROPERTY STANDS FOR
login:
Your login in the PROTECTIMUS system.
api-key:
Your API key in the PROTECTIMUS system.
url:
If you are using the PROTECTIMUS cloud service, specify the following API URL: https://api.protectimus.com/
If you are using the Protectimus on-premise platform, the API URL will be something like: protectimus.api.url=http://127.0.0.1:8080/
resource-id:
ID of the resource that you created in the PROTECTIMUS system.

3.4. Report Settings

report:
  csv:
    params:
      - action
      - id
      - ip
      - ap
      - ssid
      - time
      - phoneNumber
    date-format: 'yyyy-MM-dd HH:mm:ss z'
    zone-id: UTC

PROPERTY NAME / PROPERTY STANDS FOR
csv:
Indicates that the report will be stored in CSV format.
params:
You can specify the parameters you wish to save about your guest logins.
The available options include:
  • Action;
  • ID;
  • IP;
  • Access Point (AP);
  • SSID;
  • Time;
  • Phone Number.
date-format:
The date format as it should be displayed in the report (e.g., Unix).
zone-id:
Time zone ID.
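As an added example (not Protectimus code), the script below reads a constructed report in the CSV column layout defined by report.csv.params above, parses the time column with the Python equivalent of the 'yyyy-MM-dd HH:mm:ss z' pattern and zone-id UTC, and flags rows older than a retention period so the storage period mentioned earlier can be enforced. The `authorize` action value, MAC addresses and phone numbers are made up.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Column order follows report.csv.params in section 3.4 (assumption: the server
# writes a header row followed by one row per event in that order).
COLUMNS = ["action", "id", "ip", "ap", "ssid", "time", "phoneNumber"]
# strptime equivalent of the Java pattern 'yyyy-MM-dd HH:mm:ss z' with zone-id UTC.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"

# Constructed sample report: the "authorize" action name, MACs and numbers are invented.
SAMPLE_REPORT = """action,id,ip,ap,ssid,time,phoneNumber
authorize,aa:bb:cc:00:00:01,10.10.0.21,f0:9f:c2:00:00:aa,Guest-WiFi,2024-01-15 09:12:44 UTC,+10000000001
authorize,aa:bb:cc:00:00:02,10.10.0.22,f0:9f:c2:00:00:aa,Guest-WiFi,2024-06-20 18:01:03 UTC,+10000000002
authorize,aa:bb:cc:00:00:01,10.10.0.23,f0:9f:c2:00:00:bb,Guest-WiFi,2024-08-02 07:45:10 UTC,+10000000001
"""


def parse_report(text):
    """Parse the CSV text into dicts; the time column becomes an aware UTC datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # strptime with %Z yields a naive datetime, so the UTC zone is attached explicitly.
        row["time"] = datetime.strptime(row["time"], TIME_FORMAT).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def expired_rows(rows, now, retention_days=183):
    """Rows older than the retention window (the page notes 6 months is a common minimum)."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in rows if r["time"] < cutoff]


def logins_per_phone(rows):
    """Count successful logins per phone number, useful for spotting reuse across devices."""
    return Counter(r["phoneNumber"] for r in rows if r["action"] == "authorize")


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    now = datetime(2024, 9, 1, tzinfo=timezone.utc)
    print("past retention:", [r["id"] for r in expired_rows(rows, now)])
    print("logins per phone:", dict(logins_per_phone(rows)))
```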

3.5. An Example of guest-portal.all.yml file

server:
  port: 8888
  ssl:
    enabled: true
    key-store-type: PKCS12
    key-store: file:guest-portal.p12
    key-store-password: password
    key-alias: guest-portal

unifi:
  base-url: https://localhost:8443
  username: admin
  password: admin
  sites:
    - default

protectimus-api:
  login: [email protected]
  api-key: secret
  url: https://api.protectimus.com/
  resource-id: 1

logging:
  level:
    com.protectimus: INFO
 
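The following added example (not part of the Protectimus project) audits a guest-portal.all.yml configuration, represented as the dict that PyYAML's safe_load would return, for the weak settings visible in the examples above: placeholder secrets, the documentation's default UniFi admin credentials, and TLS disabled. The sample config mirrors section 3.5; the severity labels are my own.

```python
# Added hardening check for guest-portal.all.yml (not Protectimus code). The config is
# passed as the dict PyYAML's safe_load would return; severity labels are an assumption.
DOC_DEFAULT_ADMIN = {"admin"}
PLACEHOLDER_SECRETS = {None, "", "password", "secret", "changeme"}


def audit_config(cfg):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    ssl = cfg.get("server", {}).get("ssl", {})
    if not ssl.get("enabled"):
        findings.append(("high", "server.ssl.enabled is not true: phone numbers and OTPs "
                                 "would travel over plain HTTP"))
    elif ssl.get("key-store-password") in PLACEHOLDER_SECRETS:
        findings.append(("medium", "server.ssl.key-store-password is a placeholder value"))
    unifi = cfg.get("unifi", {})
    if (unifi.get("username") in DOC_DEFAULT_ADMIN
            and unifi.get("password") in DOC_DEFAULT_ADMIN | PLACEHOLDER_SECRETS):
        findings.append(("high", "unifi.username/password are the documentation defaults"))
    if not str(unifi.get("base-url", "")).startswith("https://"):
        findings.append(("medium", "unifi.base-url does not use https"))
    api = cfg.get("protectimus-api", {})
    # Blank values in YAML (as in section 3.3) load as None and are caught here too.
    for key in ("login", "api-key", "resource-id"):
        if api.get(key) in PLACEHOLDER_SECRETS:
            findings.append(("high", f"protectimus-api.{key} is missing or a placeholder"))
    return findings


# Constructed sample mirroring the section 3.5 example above.
SAMPLE_CONFIG = {
    "server": {"port": 8888, "ssl": {"enabled": True, "key-store-type": "PKCS12",
                                     "key-store": "file:guest-portal.p12",
                                     "key-store-password": "password",
                                     "key-alias": "guest-portal"}},
    "unifi": {"base-url": "https://localhost:8443", "username": "admin",
              "password": "admin", "sites": ["default"]},
    "protectimus-api": {"login": "[email protected]", "api-key": "secret",
                        "url": "https://api.protectimus.com/", "resource-id": 1},
    "logging": {"level": {"com.protectimus": "INFO"}},
}

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```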

4. Configure Ubiquiti UniFi Controller

4.1. Create a Guest User Group

Create a new User Group before setting up the Guest Network. Creating the user group enables you to define upload and download limits specifically for the guests, giving you greater control over the network usage.
  1. Navigate to Settings –> User Groups.
  2. Select Create New User Group.
  3. Assign the group a name, such as Guests.
  4. Set the upload and download bandwidth limits. For basic internet browsing, 5 Mbps download and 1 Mbps upload should suffice. However, if you want to enable streaming, ensure a minimum of 10 Mbps download.
  5. Click Save to apply the changes.

How to setup the Unifi Captive Portal for your Guests - Step 1 -Create a Guest User group

4.2. Create a Wireless Unifi Guest Network

Now you need to set up a special wireless network for your guests, called the Guest Network. This network will have some important rules to follow:
  • Pre- and Post-Authorization Access: This means guests can use the network’s login page to sign in. But once they are logged in, they won’t be able to access the main network.
  • Client Isolation: This feature stops guests from sending messages to other guests on the same network. It keeps their communication private and secure.

To create a Guest Network:
  1. Open the Unifi Controller.
  2. Navigate to Settings –> Wireless Networks.
  3. Click on Create New Wireless Network.
  4. Give the network a name that guests will easily identify as the guest network.
  5. Set the security to open for now, as we will later secure it with a captive portal.
  6. Select Apply guest policies (captive portal, guest authentication, access).
  7. Expand the Advanced Options.
  8. Choose the User Group you just made.

How to setup the Unifi Captive Portal for your Guests - Step 2 - Create a Unifi Guest Network

You’ve successfully set up the Guest Network. Now you need to configure the Captive Portal.

4.3. Set Up the Guest Policies

In the Unifi Controller, head to the Guest Control section where you can easily create the Guest Portal and configure the authentication method and access duration.

Set up the Guest Policies as shown in the image below.
  1. Enable the Guest Portal.
  2. Select External portal server.
  3. Enter the IP address of the Protectimus Unifi Guest Portal Authentication Server in the IPv4 Address field.
  4. Choose Redirect using hostname and provide the URL of the page that the client will attempt to open after successful authentication on the guest portal (e.g., google.com).
  5. The Pre-Authorization Access field is typically left blank as the default setting.
  6. For the Post-Authorization Restrictions, enter the subnet of your local network. By default, all possible local network addresses are blocked, so you can leave this as it is. However, if you want to grant guests access to specific devices like a printer while restricting access to the rest of your network, you can set those restrictions here. It is recommended to use different subnets for your guest network and your own network to simplify these restrictions.

How to setup the Unifi Captive Portal for your Guests - Step 3 - Set Up the Guest Policies

If you have other questions, contact our customer support service.