Author: Anna Korobkyna

IMPORTANT NOTE:

1. Changing the password in AD using the self-service portal works only via LDAPS (SSL) connection; it does not work via LDAP.
2. The option to change passwords in AD using the self-service portal is available exclusively for users synchronized from AD; it is not applicable to DSPA users.

1. Update the Protectimus On-Premise Platform

You can update the Protectimus On-Premise Platform using a Docker image on any operating system.

However, if you initially installed the Platform on Windows, you may follow the instructions for Windows users below.

1.1. Updating Platform Using a Docker Image

You have two options for updating the Protectimus On-Premise Platform with a Docker image:

• cloning a repository from Git;
• manual update.

We’ll walk you through both methods, allowing you to choose the one that best suits your preferences.

1.1.1. Updating via Git Repository Cloning

1. Use this command to copy the repository containing Docker Compose files to your local computer, where the Protectimus On-Premise Platform is installed.
   
   

   git clone 
   https://github.com/protectimus/platform

   
   The contents of the archive will be as follows:
   
   

   .
   └── platform
       ├── platform
       │   ├── docker-compose.yaml
       │   ├── .env
       │   ├── platform_data
       │   │   ├── autogenerated-keystore.jks
       │   │   └── protectimus.platform.properties
       │   └── postgres_data
       ├── radius
       │   ├── config
       │   │   ├── radius.all.yml
       │   │   └── radius.yml
       │   ├── docker-compose.yaml
       │   └── .env
       └── unifi-guest-portal
           ├── config
           │   ├── fragments.html
           │   ├── guest-portal.all.yml
           │   └── guest-portal.yml
           ├── docker-compose.yaml
           └── .env

2. Go to the platform directory:
   
   

   cd platform/platform

   
   

3. Run the application using Docker Compose.
   
   This command will start all the containers required for your application in the background (-d):
   
   

   docker-compose up -d

   
   

4. Stop running containers using this command:
   
   

   docker-compose down

   
   

5. Make a backup of your database. The data is located in the postgres_data directory.

6. Get latest changes from Git repository.
   
   This command will update your local repository to the latest version that you have uploaded to Git.
   
   Resolve any configuration conflicts if necessary.
   
   

   git pull

   
   

7. Download the updated images. This command will download the updated Docker images from your Docker registry:
   
   

   docker-compose pull

   
   

8. Restart containers with new images.
   
   This command will restart the containers using the updated images in the background mode (-d):
   
   

   docker-compose up -d

   
   

1.1.2. Manual Update from Github

1. Download the latest version of the archive with the Protectimus Platform from Github and extract it:
   https://github.com/protectimus/platform/releases
   
   The contents of the archive will be as follows:
   
   

   .
   └── platform
       ├── platform
       │   ├── docker-compose.yaml
       │   ├── .env
       │   ├── platform_data
       │   │   ├── autogenerated-keystore.jks
       │   │   └── protectimus.platform.properties
       │   └── postgres_data
       ├── radius
       │   ├── config
       │   │   ├── radius.all.yml
       │   │   └── radius.yml
       │   ├── docker-compose.yaml
       │   └── .env
       └── unifi-guest-portal
           ├── config
           │   ├── fragments.html
           │   ├── guest-portal.all.yml
           │   └── guest-portal.yml
           ├── docker-compose.yaml
           └── .env

2. Go to the platform directory:
   
   

   cd platform/platform

   
   

3. Run the application using Docker Compose.
   
   This command will start all the containers required for your application in the background (-d):
   
   

   docker-compose up -d

   
   

4. Stop running containers using this command:
   
   

   docker-compose down

   
   

5. Make a backup of your database. The data is located in the postgres_data directory.

6. Change the component version to the latest in the .env file.

7. Download the updated images. This command will download the updated Docker images from your Docker registry:
   
   

   docker-compose pull

   
   

8. Restart containers with new images.
   
   This command will restart the containers using the updated images in the background mode (-d):
   
   

   docker-compose up -d

   
   

1.2. Updating Platform on Windows

1.2.1. Before updating the platform, stop the platform in services.

1.2.2. Install the new version of the Protectimus On-Premise Platform, and when selecting a database, choose the one used in the old version of the Protectimus platform.

1. Choose the necessary components.

2. Click Next.

3. Click Next.

4. Use your username and password to log in to the PostgreSQL database you created during the first platform installation and click LogIn.

5. Enter the name of the database you used in the old version of the Protectimus platform and click Select.
   You can click the List button to see the list of available databases if you don’t remember the exact name of the necessary database.

6. Preferably, use the same destination folder as previously.

7. Once the platform is installed, you will see the changelog describing recent updates; close it.

8. Then click OK to finish the installation.

2. Set Up the Protectimus User’s Self-Service Portal

1. Open the Protectimus Platform, which is available at http://localhost:8080, and log in to your account. Then, go to the Resources tab, click on the resource name, and navigate to the Self-Service tab.

2. If you haven’t enabled the Self-Service Portal for your users yet, click on Enable User’s Self-Service for your resource, and specify the address at which your users will access the Self-Service Portal.

3. Now, choose the authentication methods your users will use to log into the Self-Service Portal and specify the actions that will be available to them.
   
   All these access methods can be enabled simultaneously without conflicts. If both Federated Auth and Password Auth are enabled, users can log into the Self-Service Portal using either the AD password or the Platform password; both will be valid:
   • Federated Auth: Users log into the Self-Service Portal using their password from Active Directory (AD). If enabled, setting the user’s password within the Protectimus Platform is not required.
   • Auth via Security Questions: Users log into the Self-Service Portal by answering secret questions.
   • Password Auth: Users log into the Self-Service Portal using the password set in the Users’ settings within the Protectimus Platform.
   • Email Auth: Users log into the Self-Service Portal using a one-time code sent to the email specified in the Users’ settings within the Protectimus Platform.
   
   
   • Password Policy: This feature allows you to set policies for users, enabling them to change/create a password themselves after logging into the Self-Service Portal.
   • Change Federated Password: By enabling this feature, you grant users permission to change their AD password through the Self-Service Portal. To change the AD password, they will need to specify both the old and new AD passwords.
   • Reset Federated Password: Enabling this feature grants users permission to reset the AD password through the Self-Service Portal, requiring only the specification of the new password.

3. Give Your Users Access to Protectimus User’s Self-Service Portal

To log into the Self-Service Portal, your users will need:

1. Either a password or an email registered in the Protectimus platform.
   Users with both a password and a registered email address will use the password. For those with only an email, a verification code will be sent to the registered email address. If necessary, you can add passwords or emails in User settings.

2. The link specified when enabling the Self-Service Portal.

Users should follow this link, log into their Self-Service Portal account, and they will see the Change Federated Password button and any other activated buttons. Then they should click the respective button and follow the required sequence of steps to perform the chosen action.

NOTE:

1. Changing the password in AD using the Self-Service Portal works only via LDAPS (SSL) connection; it does not work via LDAP.
2. The option to change passwords in AD using the Self-Service Portal is available exclusively for users synchronized from AD; it is not applicable to DSPA users.

You can easily set up Forcepoint VPN two-factor authentication (2FA) with Protectimus’s seamless integration process, which takes only a few minutes to configure. By incorporating MFA as an additional layer of security, the Forcepoint VPN system allows only authorized users to gain access, providing a stronger defense against potential cyber threats.

In today’s world, where remote work is becoming increasingly common, it’s critical to have a secure remote access system. Protectimus multifactor authentication solution for Forcepoint VPN ensures that even if a user’s login credentials are compromised, their access to the Forcepoint VPN remains protected. Two-factor authentication provides a robust defense against potential cyber threats incuding phishing, bruteforce, social engineering, MITM and data spoofing attacks, ensuring your organization’s data and resources are kept secure.

Protectimus allows secure access to your Forcepoint VPN by providing multi-factor authentication (MFA) using the Protectimus RADIUS server.

The scheme of work of the Protectimus solution for Worcepoint VPN two-factor authentication is presented below.

1. How Forcepoint VPN 2FA Works

Protectimus Two-Factor Authentication Solution for Forcepoint VPN provides an extra layer of security to prevent unauthorized access to your Forcepoint VPN.

Once you enable two-factor authentication (2FA) on your Forcepoint server, your users will use two different authentication factors to get access to their accounts.

When you add 2FA/MFA for WatchGuard Mobile VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is username and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a Forcepoint VPN protected with two-factor authentication (2FA/MFA), a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against most hacking attacks.

2. How to Enable 2FA for Forcepoint VPN

You can set up multi-factor authentication (2FA) for Forcepoint VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for Forcepoint VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Forcepoint VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Forcepoint VPN MFA

1. Navigate to the Forcepoint Server Admin Dashboard.
2. From the Configuration menu, select User Authentication.
3. Right-click on the Servers section and choose New –> RADIUS Authentication Server.
4. Next, proceed to the General tab and configure the following settings.

Name	Come up with a name for your RADIUS server, e.g. Protectimus RADIUS Server.
IP Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Resolve	The IP address of the server will be automatically resolved from a domain name entered into the Name field.
Location	If there is a NAT device between the server and other SMC components, this field specifies the location of the server.
Contact Addresses	1. Default — This option is used by default when a component belonging to another location connects to the server. 2. Exceptions — Selecting this option will open the Exceptions dialog box.
Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Number of Retries	This setting specifies the number of times that Firewalls attempt to connect to the RADIUS authentication server in the event of a failed connection.
Timeout	This setting specifies the time (in seconds) that Firewalls will wait for a reply from the RADIUS authentication server. Set to 60 seconds.
Tools Profile	You can add custom commands to the server’s right-click menu. Click Select and select a Tools Profile element.

5. To configure the authentication methods, go to the Authentication Methods tab and adjust the following settings:

Name	This field displays the name of the Authentication Method.
Type	This field displays the authentication type. In this case: RADIUS — The RADIUS protocol is used.
Comment	To enter a comment, double-click on the cell.
Add	Clicking this option opens the Select Element dialog box, which allows you to add the selected authentication method to the Authentication Methods list.
Edit	Selecting this option opens the Properties dialog box for the chosen authentication method.
Remove	Selecting this option removes the chosen authentication method.

6. Click OK.

7. After clicking OK, you can proceed to configure the RADIUS authentication server to accept connections from your Firewall engines by following these steps:
   • Ensure that the shared secret is identical on both the Management Client and RADIUS authentication server.
   • The Firewall’s identity that is presented to the server is the IP address of the interface chosen as the value for the IPv4 Identity for Authentication Requests, IPv6 Identity for Authentication Requests, or IPv6 Identity for Authentication Requests in the Firewall’s Interface Options.

   Please note! The IP address used as the identity is merely a name, and the interface and IP address used for authentication-related connections are selected based on the Firewall’s routing information, like any other connection.

Integration of two-factor authentication (2FA/MFA) for your Forcepoint VPN is now complete. If you have other questions, contact Protectimus customer support service.

Protectimus Smart OTP is a free 2FA authenticator app with cloud backup support that is available for both Android and iOS devices. This guide will show you how to use the Protectimus MFA app to enhance the security of your online accounts.

How Does Protectimus Smart 2FA App Work

Protectimus Smart OTP is a two-factor authentication app that provides an additional layer of security to your online accounts. With the Protectimus Smart OTP 2FA authenticator, you can generate one-time passwords (OTPs) on your mobile device that can be used as the second factor in the authentication process on any website that supports MFA.

The Protectimus Smart 2FA authenticator offers many advantages, including:

• Encrypted cloud backup;
• Ability to transfer tokens to a new phone;
• Ability to import tokens from Google Authenticator;
• PIN and biometric authentication protection (Touch ID and Face ID);
• Support for all OATH one-time password generation algorithms (HOTP, TOTP, and OCRA);
• Delivery of two-factor push notifications;
• Data signature function (Confirm What You See) to better control your operations with funds;
• 6 and 8 digit one-time passwords;
• Multiple language support: English, French, German, Spanish, Russian, and Ukrainian;
• Convenient distribution of OTP tokens by folders;
• Customization of tokens with different emojis and descriptions.

1. Getting Started With the Protectimus Smart 2FA Authenticator

1. Download and install the Protectimus Smart OTP two-factor authentication app from the App Store or Google Play.

 

2. You will see a welcome screen. Tap Continue.

   

3. On the next step, you will be asked to Activate Cloud Backup.
   
   We strongly recommend using this feature to ensure that you do not lose your OTP tokens in case you lose or damage your phone, or accidentally delete the 2FA app. To activate cloud backup, select the option and press Continue.
   
   

   Please note! If you already have a cloud backup saved, all the tokens from your backup will be added to the 2FA app after you activate cloud backup at this stage.

4. Now you can add a new token or import your 2FA tokens from Google Authenticator.
   
   For instructions on how to import tokens from Google Authenticator, please refer to the detailed guide here.
   
   For instructions on how to add new tokens, please refer to the detailed guide here.

2. Adding Tokens

1. To add a new token, open the Protectimus Smart OTP two-factor auth app and tap on the plus sign in the upper left corner.

2. You can choose to add the token by scanning a QR code or by entering the secret key manually.
   
   If you choose to Scan QR code, simply point your smartphone’s camera at the code on the security settings page of the website you want to protect with two-factor authentication. The app will automatically scan the QR code and create a token.

3. If you choose to Add token manually, you’ll need to enter the token name (Login), the secret key (Token key), choose the OTP generation algorithm (OTP Type), the one-time passwords length, and lifetime. Then save the changes tapping the Add token button in the right upper corner.
   
   

   Note that if you’re using a two-factor authentication system other than Protectimus, you should uncheck the Protectimus checksum checkbox.

3. Editing and Deleting Tokens

1. To edit or delete a token, long-press on its name and choose the desired action. Alternatively, you can open the Edit Token menu by tapping the pen icon in the upper-right corner and selecting the token you want to modify.

2. Once you’re in the Edit Token menu, you can customize the token by:
   • changing its emoji,
   • setting the issuer,
   • updating its name (Login),
   • adding a description (Additional information),
   • adjusting the OTP length,
   • assigning it to a folder.
   If you need to remove the token entirely, there’s an option to delete it.
   
   Once you’ve made your changes, click Save and close in the upper-right corner to confirm.

4. Grouping Tokens by Folders

1. To keep your tokens organized, you can group them into folders.
   
   To add a token to a folder, simply long-press its name and select Add to folder.

2. You’ll be taken to the folder settings menu, where you can either choose an existing folder or create a new one. If you want to create a new folder, click on the icon in the top right corner.

3. To manage your folders, click on the gear icon in the upper right corner to go to the Settings page.

4. Select Folder Settings.

5. From here, you can edit, delete, and create new folders, as well as edit tokens in any folder.

5. Changing the Order of Tokens

You can customize the order of your tokens to suit your needs. With this feature, you can quickly access your most frequently used tokens.

1. To do so, open the Edit Token menu by tapping the pen icon in the upper-right corner.

2. From there, simply drag the tokens to rearrange them in the desired order. Save the changes by clicking on the checkmark in the upper right corner.

6. Cloud Backup

To safeguard your OTP tokens in case of device loss or accidental deletion of the 2FA app, we strongly recommend using the Cloud Backup feature. Additionally, we strongly advise protecting the backup file with a password for added security.

To manage your backup files, simply navigate to the Backup page where you can activate, update, restore or delete your backups.

By utilizing this feature, you can ensure that your OTP tokens are always available and secure, even in unexpected circumstances.

1. Go to Settings.

2. Tap Backup in cloud.

3. If the backup function is not activated yet, enable it.

4. If the backup function has been activated and you have made any changes, you can Restore the previous version or Update the backup file. Tap the Upload button to upload the latest changes to the cloud.

5. You will see the allert message. If you are sure that you want to upload current OTP tokens in the cloud, tap Update. Please note that this will erase previous backups.

Please note! To secure you backup file, we recommend adding a password, use the Add backup file password button.

7. App Security (PIN and Biometric Authentication)

For optimal security, it is highly recommended that you safeguard access to the Protectimus Smart OTP two-factor authentication application with either a PIN or biometric authentication.

To enable PIN or biometric authentication with fingerprint or face ID, follow these steps:

1. Go to the Settings menu.

2. Select App security.

3. Create a unique PIN for the application.

4. The app will prompt you to allow biometric authentication for easier access.

5. Once both PIN and biometric protection are enabled, you can manage your PIN, and turn biometric authentication on or off from the App security page.

By taking these simple steps, you can ensure that your Protectimus Smart OTP two-factor authentication application is as secure as possible.

8. Transferring Tokens to a New Phone

Protectimus Smart OTP authenticator offers a convenient Data Transfer feature that enables you to effortlessly move your tokens from one phone to another or doenload and store the backup file in the place you like. With this feature, you can export your data into an encrypted file with password protection for added security.

1. To get started, simply navigate to the Settings menu.

2. Tap on the Data transfer option.

3. If you want to transfer tokens from your current device to another, choose Export tokens. Alternatively, if you want to import saved data onto your device, select Import tokens.

4. If you choose to export tokens, create a strong password and click on Continue to generate the file containing all your data.

5. Remember to save this file so you can import your tokens onto the new device later.

9. Importing from Google Authenticator

You can easily transfer your tokens from Google Authenticator 2FA app to the Protectimus Smart OTP.

To get started, open your Google Authenticator application and:

• tap the menu button located at the top-right corner;
• select Transfer accounts;
• then choose Export accounts;
• select the tokens you wish to transfer to Protectimus Smart OTP;
• tap Next, and you will see a QR code, scan this QR code using the Protectimus Smart OTP app.

In the Protectimus Smart OTP app:

1. Go to Settings.

2. Select Import from Google Authenticator, scan the QR code generated by Google Authenticator and wait for the import process to complete.

10. Data Signature Method (CWYS)

Protectimus Data Signature, also known as CWYS (Confirm What You See), is a powerful tool that safeguards against phishing, data spoofing, man-in-the-middle attacks, and similar hacking techniques.

Based on the OCRA algorithm, Protectimus Data Signature allows users to verify key details of financial transactions before confirming them.

To use this feature, you will need to enter a challenge code into the app to generate a one-time password. You can enter the code manually or scan a QR code.

To set your preferred method for entering a challenge code:

1. Go to Settings.

2. Select the Data Signature method.

3. Choose your desired option, and click Save and go back.

11. Push Tokens

Two-factor authentication app Protectimus Smart OTP offers push notifications as a convenient way to confirm transactions and streamline the login process for end-users, providing additional protection against transaction data replacement.

This feature is available exclusively for services that use Protectimus 2FA solution as their two-factor authentication system backend.

To add, use, or delete push tokens, follow the steps outlined in the next paragraph.

Please note!

1. You cannon receive push notification if your phone is offline.
2. Push tokens cannot be edited, backed up, or transferred to another device.

11.1. How to Add Push Tokens

1. Open the Protectimus Smart OTP MFA app and tap on the plus sign in the upper left corner.

2. Choose to Scan QR code and scan the QR code on the service where you plan to use this push token.

3. To proceed, save the public key to your device by tapping the Continue button.

4. You’re all set! The push token has been created, and you’ll receive a notification confirming its successful creation.

Important! To receive push notifications from the Protectimus Smart OTP 2FA app, you must enable notifications in your app settings. Please ensure that notifications from the Protectimus Smart OTP app are allowed.

11.2. How 2FA Push Notifications Work

This advanced two-factor authentication feature provides additional protection against data spoofing and transaction data replacement.

Note! The device must be online to receive the push notification.

1. When making a transaction or attempting to log in to a two-factor authentication-protected service, a push notification will be sent to your phone.

2. You’ll need to open the app to view and confirm the details of the transaction.

3. Or to view and confirm the location of the login attempt.

11.3. How to Delete Push Tokens

Please note! Please note that push tokens cannot be edited, backed up, or transferred to another device. Deleting the push token is irreversible, and there is no way to restore it. This means that you may lose access to the account associated with the token if it is deleted.

1. To delete a push token, go to Settings.

2. Go to Push tokens.

3. Tap the three dots next to the token you wish to delete, and select Delete token.

4. A confirmation message will appear, and you should only proceed if you are certain that deleting the token will not result in the loss of access to the account protected by it.

12. Time Correction

If you see the message “The one-time code is invalid” when attempting to enter a one-time password, it may be due to a time drift between your token and the two-factor authentication server. To resolve this issue, a time correction may be necessary.

To synchronize your Protectimus Smart OTP app’s internal clock with Protectimus servers:

1. Navigate to Settings.

2. Select the Time correction option.

3. If everything is in order, you will see a message confirming that the time is already correct.

13. Additional Settings

The Protectimus Smart OTP settings page provides additional options for customization, such as selecting your preferred language for the interface, enabling or disabling Screen Capture Access, and choosing between a dark or bright appearance to suit your preferences.

12.1. Application Language

Currently, the Protectimus Smart OTP authenticator is available in English, French, German, Spanish, Russian, and Ukrainian.

12.2. Screen Capture Access

To enhance your security, we advise against enabling screen capture access.



If you have any questions, please, contact Protectimus customer support service.

With Protectimus multi-factor authentication (MFA) solution, you can set up CentOS two-factor authentication (2FA) in a few steps.

1. How CentOS Two-Factor Authentication (2FA) Works

After you enable CentOS 2FA, your users will need to use two authentication passwords to get access to their CentOS accounts:

1. The first is a standard password (something the user keeps in memory);
2. The second is a one-time password valid only for 30 or 60 seconds (the one-time password is generated with the help of a hardware OTP token or a 2FA app on a user’s phone – something that the user owns and has to carry with them).

This way, the CentOS account becomes protected with two different authentication factors. Even if the hacker steals the users’s password using phishing, brute force, social engineering, data spoofing, or any other attack, they can’t access the CentOS account without the one-time password from a user’s 2FA token.

This guide shows how you can set up CentOS two-factor authentication (2FA) using Protectimus RADIUS 2FA component for the integration with Protectimus Cloud 2FA service or Protectimus On-Premise MFA Platform.

2. How to Enable CentOS Two-Factor Authentication (2FA)

You can set up CentOS two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
2. Install Protectimus PAM module for CentOS 2FA
3. Install and configure Protectimus RADIUS Server module.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install Protectimus PAM module for CentOS 2FA

yum -y install epel-release
yum -y install pam_radius

 

2.3. Install and configure Protectimus RADIUS Server

1. Install protectimus-radius

git clone https://github.com/protectimus/platform-linux.git
cd platform-linux/radius
edit config/radius.yml
docker compose up -d

2. Configure radius.yml file.
   
   Configure Protectimus RADIUS Server settings in the radius.yml file. It must be located in the same directory as the executable.
   
   You will find detailed instructions on available properties that you can add to the radius.yml file here.
   
   The example of radius.yml file configuration:

radius:
  secret: secret
  auth-port: 1812

auth:
  #  Could be :
  #  - LDAP
  #  - PROTECTIMUS_PASSWORD
  #  - PROTECTIMUS_OTP
  #  - PROTECTIMUS_PUSH
  providers:
    - PROTECTIMUS_OTP

protectimus-api:
  login: [email protected]
  api-key: aslkjdljsdlaskmWpXjT5K0xqLXkd3
  url: https://api.protectimus.com/
  resource-name: radius
  resource-id: 723

3. Edit pam_radius config, configure secret
   
   /etc/pam_radius.conf

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1

4. Configure SSH to use challenge response
   
   /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

5. Execute the command systemctl restart sshd

6. Configure PAM for SSH to use RADIUS
   
   Add auth required pam_radius_auth.so after auth substack password-auth into /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
# protectimus pam radius
auth       substack     password-auth
auth       required     pam_radius_auth.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare

CentOS multi-factor authentication setup is now complete. If you have other questions, contact our customer support service.

This guide shows how you can set up VMware Horizon View two-factor authentication (2FA) via RADIUS using the Protectimus multi-factor authentication system.

Protectimus two-factor authentication system integrates with VMware Horizon View via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server via a special connector Protectimus RADIUS Server, and the VMware Horizon View performs as a RADIUS client.

The Protectimus RADIUS Server connector transfers authentication requests from the VMware Horizon View to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.

Below is an example of integration of the Protectimus 2FA solution with VMware Horizon View.

1. How to Enable Two-Factor Authentication for VMware Horizon View

You can set up multi-factor authentication (2FA) for VMware Horizon View with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for VMware Horizon View.

2. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

 

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for VMware Horizon View two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for VMware Horizon View 2FA

1. Log into the VMware Horizon View admin panel.
2. Navigate to Settings and then click Servers.
3. Select the Connection Servers tab.

4. Select the necessary connection server, and after that click the Edit button.

5. Navigate to the Authentication tab.
6. Then go to the Advanced Authentication section and select RADIUS in the 2-factor authentication dropdown.
7. Check the box Enforce 2-factor and Windows user name matching.
8. Find the Authenticator dropdown, and select Create New Authenticator.

9. You will see an Add RADIUS Authenticator form. Navigate to the Client Customization page and enter any name for your new RADIUS server (e. g. Protectimus). Then click Next.
10. On the Primary Authentication Server page, fill in the required information referring to the table and image below.

Hostname/Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Accounting Port	Leave the default value.
Authentication Type	PAP.
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Server Timeout	Set to 60.
Max Attempts	Set to 5.

11. For all other fields, leave the default values. Then click Next.
12. Add a Secondary Authentication Server if you wish (it is optional), and click Finish to complete creating the RADIUS server.
13. We recommend you review the Advanced Authentication section:
    • check if the RADIUS server you have just created (Protectimus) is selected in the Authenticator dropdown;
    • make sure that you have checked the box Enforce 2-factor and Windows user name matching.

Integration of two-factor authentication (2FA/MFA) for your VMware Horizon View 2FA is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable multi-factor authentication (MFA / 2FA) for F5 BIG-IP APM VPN with the help of the Protectimus two-factor authentication system.

Protectimus two-factor authentication system integrates with F5 BIG-IP APM VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server, and the F5 BIG-IP VPN performs of a RADIUS client.

The scheme of work of the Protectimus solution for F5 BIG-IP APM VPN 2FA is presented below.

1. How F5 BIG-IP APM VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for F5 BIG-IP APM VPN allows you to add an extra layer of security to your F5 BIG-IP VPN logins.

When you add 2FA/MFA for F5 VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is login and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an F5 BIG-IP APM VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for F5 BIG-IP APM VPN

You can set up multi-factor authentication (2FA) for F5 BIG-IP VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

 

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for F5 BIG-IP APM VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN 2FA

1. Log into the F5 BIG-IP administrator dashboard.
2. Navigate to Access –> Authentication –> RADIUS.

3. Click the Create… button to add a new RADIUS server.
4. Then fill in the form referring to the table and image below, and click Finished to save your settings.

Name	Type any name for your RADIUS server – enter Protectimus_RADIUS_Server or any other name you wish.
Mode	Authentication
Server Connection	Direct
Server Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Service Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm Secret	Confirn the shared secret.
Timeout	Set to 180 seconds.
Retries	Set to 3.
Character Set	Set to UTF-8.
Service Type	Default.

2.4. Modify the F5 BIG-IP APM Access Policy

1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies).

2. Click Edit… to modify your F5 BIG-IP APM access policy.

3. You will see the Access Policy editor. Click + (Plus) on the arrow to the right of the Logon Page.

4. In a new window, select the Authentication tab. The select RADIUS Auth and click the Add Item button.

5. In the AAA Server dropdown, select Protectimus_RADIUS_Server – the server you have created previously. Then click Save to save the changes.

PLEASE NOTE!
If you have a former authentication method (e.g. Active Directory) you can either remove it or keep it.
You can keep your former authentication method and use Protectimus after or before that authentication method.
To remove it, click X, select Connect previous node to Successful branch, and click Delete.

6. Click Close to return to the Access Profiles page. Check your profile and click Apply. The status flag next to your profile should change to green.

Integration of two-factor authentication (2FA/MFA) for your F5 BIG-IP APM VPN 2FA is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable two-factor authentication (2FA / MFA) for Array AG SSL VPN with the help of the Protectimus multi-factor authentication system.

Protectimus multi-factor authentication system integrates with Array AG SSL VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Array VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for Array VPN 2FA is presented below.

1. How Array VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for Array AG SSL VPN allows you to add an extra layer of security to your Array VPN logins.

When you add 2FA/MFA for Array VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is login and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a Array VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for Array AG SSL VPN

You can set up multi-factor authentication (2FA) for Array VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for Array AG SSL VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Array VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Array VPN 2FA

1. Login to the Array VPN administration panel.
2. Change the mode to Config.
3. Navigate to the Virtual Site using the dropdown in the upper left corner.
4. Find the Site Configuration menu on the left and click on AAA.
5. Open the General tab and check Enable AAA.

6. Navigate to the Server tab and click RADIUS.
7. Enter the Server Name (e.g. Protectimus RADIUS Server). You can also add a Description. Then click Add.

8. The newly added server will appear on the list of servers. Open Advanced RADIUS Server Configuration by double-clicking the name of your RADIUS server.
9. Click Add RADIUS Server on the Advanced RADIUS Server Configuration page. Fill in the form referring to the table and image below, and click Save.

Server IP	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Server Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret Password	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Timeout	Set to 180 seconds.
Redundancy Order	Set to 1 if this is your first RADIUS server.
Retries	Set to 3.
Accounting Port	Set to 1813.

10. Go to the Method tab and click Add Method.
11. Enter the Method Name (e.g. Protectimus) and Method Description (e.g. Protectimus RADIUS Server). Then select the AAA server in Authentication. The AAA server is the server you created earlier (Protectimus RADIUS Server).
12. Click Save. The method you just created will appear in the table on the Method tab.

13. Find the AAA Method for Mobile VPN Clients dropdown and select the method you created (Protectimus).

14. Go to the top right corner of the Array VPN administration panel and click Save Configuration.

Integration of two-factor authentication (2FA/MFA) for your Array AG SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable multi-factor authentication (2FA / MFA) for WatchGuard Mobile VPN with the help of the Protectimus two-factor authentication solution.

Protectimus multi-factor authentication system integrates with WatchGuard Mobile VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the WatchGuard Mobile VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for WatchGuard Mobile VPN two-factor authentication is presented below.

1. How WatchGuard Mobile VPN 2FA Works

Protectimus Two-Factor Authentication Solution for WatchGuard Mobile VPN allows you to add an extra layer of security to your WatchGuard VPN logins.

Protectimus WatchGuard Mobile VPN 2FA Solution enables 2-factor authentication during WatchGuard connections via IPSec and SSL.

When you add 2FA/MFA for WatchGuard Mobile VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is login and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a WatchGuard Mobile VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for WatchGuard Mobile VPN

You can set up multi-factor authentication (2FA) for WatchGuard Mobile VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA.
4. Configure WatchGuard Mobile VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for WatchGuard Mobile VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA

1. Log in to the WatchGuard Firebox Admin Panel (Fireware Web UI).
2. Navigate to Authentication –> Servers –> RADIUS.

3. Click Add.

4. Fill in the required fields in the Primary Server Settings tab. Please refer to the following table and image.

Domain Name	Come up with a name for your RADIUS domain, e.g. Protectimus RADIUS Server. Note that You cannot change the Domain Name after you save the settings.
Enable RADIUS Server	Check the box.
IP Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm Secret	Reenter the shared secret
Timeout	Set to 60 seconds.
Retries	Set to 3.
Dead Time	Set to 10 minutes.
Group Attribute	Set to 11.

5. Click Save to save your settings.

2.4. Configure WatchGuard Mobile VPN with SSL or IPSec

1. In the WatchGuard Firebox Admin Panel left pane, click VPN –> Mobile VPN.
2. Then navigate to the SSL or IPSec section, whichever method suits you best, and follow the instructions below.

2.4.1. Configure WatchGuard Mobile VPN with SSL

PLEASE NOTE! To enable 2FA for SSL Mobile VPN, you need to manually add all your users to WatchGuard VPN and then allow them to use SSL VPN.

1. Go to Authentication –> Users and Groups. Then click ADD to add a new user.

2. In Add User or Group, enter the name of the user and select the Authentication Server. Refer to the following table and image.

Type	User
Name	Enter the username.
Description	Optional, you can enter a description of the user if you want.
Authentication Server	Select the server you have created before (Protectimus RADIUS Server).

3. Other options are optional. Click OK and then click Save in the main list of all groups and users to confirm the new user.

PLEASE NOTE! You need to do the above three steps for every user you want to allow to use Mobile VPN with SSL.

4. After you add all your users, click VPN –> Mobile VPN. Then, go to the SSL section and click CONFIGURE.

5. Select the Authentication tab.
6. In AUTHENTICATION SERVERS, select the server you have created before (Protectimus RADIUS Server) and click ADD.
7. Then, select it on the list of authentication servers and click MOVE UP to make it default.

8. In Users and Groups, select the groups and users you want to allow to use SSL VPN.
9. Click SAVE to confirm and save your settings.

2.4.2. Configure WatchGuard Mobile VPN with IPSec

1. Navigate to VPN –> Mobile VPN. Then, go to the IPSec section and click CONFIGURE.

2. In the Groups section, select your profile and click EDIT.

3. Select the General tab.
4. In the Authentication Server dropdown, the server you have created before (Protectimus RADIUS Server). It has the Domain Name you set when configuring Protectimus as RADIUS Server.

5. Click SAVE to confirm and save your settings.

Integration of two-factor authentication (2FA/MFA) for your WatchGuard Mobile VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable multi-factor authentication (2FA / MFA) for users logging in to Pulse Connect Secure SSL VPN with the help of the Protectimus two-factor authentication solution for Pulse Connect Secure SSL VPN.

Protectimus’s two-factor authentication system integrates with Pulse Connect Secure SSL VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Pulse Connect Secure SSL VPN takes the role of a RADIUS client.

You will find the scheme of work of the Protectimus solution for Pulse Connect Secure SSL VPN two-factor authentication below.

1. How 2FA for Pulse Connect Secure SSL VPN Works

Two-factor authentication (2FA / MFA) protects the Pulse Connect Secure SSL VPN user accounts from phishing, brute force, keyloggers, man-in-the-middle attacks, data spoofing, social engineering, and other similar hacking tricks.

When you enable 2FA/MFA for Pulse Connect Secure SSL VPN, Pulse Secure VPN users will use two different authentication factors to get access to their accounts.

1. The first factor is username and password (something they know);
2. The second factor is a one-time password generated with the help of a hardware OTP token or a 2FA app (something they own).

To hack a Pulse Connect Secure SSL VPN user account protected with two-factor authentication, a hacker needs both passwords at once. Moreover, a hacker has only 30 seconds to crack and use a time-based one-time password. It is almost impossible to fulfill these conditions, which makes two-factor authentication so effective.

2. How to Enable 2FA for Pulse Connect Secure SSL VPN

You can set up two-factor authentication (2FA) for Pulse Connect Secure SSL VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Pulse Connect Secure SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Pulse Connect Secure SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Pulse Connect Secure SSL VPN

1. Log into the Pulse Secure administration panel.
2. Navigate to Authentication –> Auth. Servers.

3. Select RADIUS Server in the dropdown, and click New Server….

4. Fill in the required fields in the Settings tab. Please refer to the following table and image.

Name	Come up with a name for your RADIUS server, e.g. Protectimus Server.
RADIUS Server	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Timeout	Set to 180 seconds.
Retries	Set to 3.

5. Keep default values of all other fields and click Save Changes.
6. Navigate to Users –> User Realms –> New User Realm….

7. Come up with a Name for your new realm, e.g. Protectimus Server.
8. Select the previously created authentication server (Protectimus Server) in the Authentication dropdown.
9. Click Save Changes.

10. Navigate to Authentication Policy –> Password.
11. Select Allow all users (passwords of any length) and click Save Changes.

12. Go to the Role Mapping tab and click New Rule….

13. Come up with the name for a new rule, e.g. Protectimus Rule.
14. Set Rule:If username… to is *.
15. Assign a Users role. Select Users on the Available Roles list and click Add –>.
16. Click Save Changes.

17. Navigate to Authentication –> Signing In –> Sign-in Policies.

18. Click the */ URL in the User URLs table.
19. Select User picks from a list of authentication realms and select the Protectimus Server realm you have created before. To do this, just select Protectimus Server on the Available realms list and click Add –>.
20. Click Save Changes.

Integration of multi-factor authentication for Pulse Connect Secure SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to set up two-factor authentication for Aruba switches. This requires Aruba ClearPass to be integrated with Protectimus’ Multi-Factor Authentication (MFA) solution. You can use the Protectimus Cloud MFA Service or the Protectimus On-Prem MFA platform, which should be installed in the client’s environment or private cloud.

The Protectimus Two-Factor Authentication Server communicates with Aruba network equipment using the RADIUS authentication protocol. The Protectimus RADIUS Server component acts as a RADIUS server:

1. It accepts an incoming RADIUS authentication request.
2. Then, it accesses the user store (Active Directory, etc.) to confirm the user’s login and password.
3. The next step is to check the one-time password. To do this, Protectimus RADIUS Server contacts the Protectimus two-factor authentication server.
4. If both authentication factors are correct, Protectimus RADIUS Server allows the user to connect to the Aruba switch.

The diagram below shows how the Protectimus two-factor authentication solution for Aruba network equipment works.

1. How Aruba Switches Two-Factor Authentication (2FA) Works

Two-factor authentication (2FA / MFA) protects user accounts from attacks such as brute force, phishing, keyloggers, man-in-the-middle, social engineering, data spoofing, etc.

After you set up two-factor authentication for Aruba switches to connect to Aruba networking equipment, users will use two different authentication factors.

1. The first factor is login and password (what the user knows);
2. The second factor is a one-time password generated using a hardware OTP token or a smartphone (which belongs to the user).

To hack a user account, an attacker must get access to two passwords at once, which is almost impossible. At the same time, the attacker has only 30 seconds to crack and use one of these passwords.

2. How to Enable MFA for Aruba Switch

You can set up Aruba Switch two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for your Aruba Switch.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Aruba switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Aruba Switch

There are two options to configure multi-factor authentication for Aruba switch via RADIUS:

• WebUI configuration. Available for the older versions of Aruba ClearPass.
• CLI configuration. Newer versions of Aruba switches can be configured only through the configuration console.

Follow only the steps of the method you choose.

How to configure MFA for Aruba switch via WebUI

1. In the Aruba Networks ClearPass WebUI Console, go to Configuration –> Security –> Authentication –> Servers.
2. Select RADIUS Server to display the RADIUS Server List.
3. Provide a Name for the new server, e.g. Protectimus, and click Add.
4. Select the name to configure the parameters, such as IP Address; and then check Mode to activate the server.
5. Click Apply.
6. Select Server Group to display the Server Group List.
7. Provide a Name for the new server group, e.g. corp_radius, and click Add.
8. Select the name to configure the parameters.
9. Under Servers, select New to add a server to the group.
10. Select the server (i.e. Protectimus) from the dropdown menu and click Add Server.
11. Click Apply.
12. Go to Configuration –> Management –> Administration.
13. Under Management Authentication Servers, select a management role, e.g. root, for the Default Role.
14. Check Mode to activate.
15. For the Server Group, select the newly created group, i.e. corp_radius.
16. Click Apply.

How to configure MFA for Aruba switch via CLI

How to Add New RADIUS Server

aaa authentication-server radius Protectimus
  host <ipaddr>
  enable

How to Add New Server Group

aaa server-group corp_radius
  auth-server Protectimus

How to Define Role for Server Group

aaa authentication mgmt
  default-role root
  enable
  server-group corp_radius

Integration of two-factor authentication (2FA/MFA) for your Aruba ClearPass is now complete. If you have other questions, contact Protectimus customer support service.