Ukraine flag

We stand with our friends and colleagues in Ukraine. To support Ukraine in their time of need visit this page

Smart OTP: User Guide for Secure Two-Factor Authentication

Protectimus Smart OTP is a free 2FA authenticator app with cloud backup support that is available for both Android and iOS devices. This guide will show you how to use the Protectimus MFA app to enhance the security of your online accounts.

How Does Protectimus Smart 2FA App Work

Protectimus Smart OTP is a two-factor authentication app that provides an additional layer of security to your online accounts. With the Protectimus Smart OTP 2FA authenticator, you can generate one-time passwords (OTPs) on your mobile device that can be used as the second factor in the authentication process on any website that supports MFA.

The Protectimus Smart 2FA authenticator offers many advantages, including:
  • Encrypted cloud backup;
  • Ability to transfer tokens to a new phone;
  • Ability to import tokens from Google Authenticator;
  • PIN and biometric authentication protection (Touch ID and Face ID);
  • Support for all OATH one-time password generation algorithms (HOTP, TOTP, and OCRA);
  • Delivery of two-factor push notifications;
  • Data signature function (Confirm What You See) to better control your operations with funds;
  • 6 and 8 digit one-time passwords;
  • Multiple language support: English, French, German, Spanish, Russian, and Ukrainian;
  • Convenient distribution of OTP tokens by folders;
  • Customization of tokens with different emojis and descriptions.

1. Getting Started With the Protectimus Smart 2FA Authenticator

  1. Download and install the Protectimus Smart OTP two-factor authentication app from the App Store or Google Play.
 
  •         

  1. You will see a welcome screen. Tap Continue.
 
MFA application Protectimus Smart OTP setup - Step 1
 
  1. On the next step, you will be asked to Activate Cloud Backup.

    We strongly recommend using this feature to ensure that you do not lose your OTP tokens in case you lose or damage your phone, or accidentally delete the 2FA app. To activate cloud backup, select the option and press Continue.

    Please note! If you already have a cloud backup saved, all the tokens from your backup will be added to the 2FA app after you activate cloud backup at this stage.

2FA application Protectimus Smart OTP setup - Step 2

  1. Now you can add a new token or import your 2FA tokens from Google Authenticator.

    For instructions on how to import tokens from Google Authenticator, please refer to the detailed guide here.

    For instructions on how to add new tokens, please refer to the detailed guide here.

MFA application Protectimus Smart OTP setup - Step 3

2. Adding Tokens

  1. To add a new token, open the Protectimus Smart OTP two-factor auth app and tap on the plus sign in the upper left corner.

Adding tokens to MFA app Protectimus Smart OTP - Step 1

  1. You can choose to add the token by scanning a QR code or by entering the secret key manually.

    If you choose to Scan QR code, simply point your smartphone’s camera at the code on the security settings page of the website you want to protect with two-factor authentication. The app will automatically scan the QR code and create a token.

Adding tokens to MFA app Protectimus Smart OTP - Step 2 - Scanning the QR code

  1. If you choose to Add token manually, you’ll need to enter the token name (Login), the secret key (Token key), choose the OTP generation algorithm (OTP Type), the one-time passwords length, and lifetime. Then save the changes tapping the Add token button in the right upper corner.

    Note that if you’re using a two-factor authentication system other than Protectimus, you should uncheck the Protectimus checksum checkbox.

Adding tokens to MFA app Protectimus Smart OTP - Step 3 - Adding tokens manually

3. Editing and Deleting Tokens

  1. To edit or delete a token, long-press on its name and choose the desired action. Alternatively, you can open the Edit Token menu by tapping the pen icon in the upper-right corner and selecting the token you want to modify.

How to edit tokens in the 2FA app Protectimus Smart OTP

  1. Once you’re in the Edit Token menu, you can customize the token by:
    • changing its emoji,
    • setting the issuer,
    • updating its name (Login),
    • adding a description (Additional information),
    • adjusting the OTP length,
    • assigning it to a folder.
    If you need to remove the token entirely, there’s an option to delete it.

    Once you’ve made your changes, click Save and close in the upper-right corner to confirm.

How to edit tokens in the 2FA app Protectimus Smart OTP - Edit token menu

4. Grouping Tokens by Folders

  1. To keep your tokens organized, you can group them into folders.

    To add a token to a folder, simply long-press its name and select Add to folder.

2FA application Protectimus Smart OTP - how to add tokens to folders

  1. You’ll be taken to the folder settings menu, where you can either choose an existing folder or create a new one. If you want to create a new folder, click on the icon in the top right corner.

2FA application Protectimus Smart OTP - how to add tokens to folders - create folder

  1. To manage your folders, click on the gear icon in the upper right corner to go to the Settings page.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Select Folder Settings.

2FA application Protectimus Smart OTP - Folder Settings

  1. From here, you can edit, delete, and create new folders, as well as edit tokens in any folder.

2FA application Protectimus Smart OTP - Folder Settings

5. Changing the Order of Tokens

You can customize the order of your tokens to suit your needs. With this feature, you can quickly access your most frequently used tokens.
  1. To do so, open the Edit Token menu by tapping the pen icon in the upper-right corner.

2FA app Protectimus Smart OTP - Changing the Order of Tokens - Step 1

  1. From there, simply drag the tokens to rearrange them in the desired order. Save the changes by clicking on the checkmark in the upper right corner.

2FA app Protectimus Smart OTP - Changing the Order of Tokens - Step 2

6. Cloud Backup

To safeguard your OTP tokens in case of device loss or accidental deletion of the 2FA app, we strongly recommend using the Cloud Backup feature. Additionally, we strongly advise protecting the backup file with a password for added security.

To manage your backup files, simply navigate to the Backup page where you can activate, update, restore or delete your backups.

By utilizing this feature, you can ensure that your OTP tokens are always available and secure, even in unexpected circumstances.

  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Tap Backup in cloud.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 2

  1. If the backup function is not activated yet, enable it.

2FA app Protectimus Smart OTP - Cloud backup activation

  1. If the backup function has been activated and you have made any changes, you can Restore the previous version or Update the backup file. Tap the Upload button to upload the latest changes to the cloud.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 3

  1. You will see the allert message. If you are sure that you want to upload current OTP tokens in the cloud, tap Update. Please note that this will erase previous backups.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 4

Please note! To secure you backup file, we recommend adding a password, use the Add backup file password button.

Protectimus Smart OTP 2FA application - Add Cloud Backup Password

7. App Security (PIN and Biometric Authentication)

For optimal security, it is highly recommended that you safeguard access to the Protectimus Smart OTP two-factor authentication application with either a PIN or biometric authentication.

To enable PIN or biometric authentication with fingerprint or face ID, follow these steps:

  1. Go to the Settings menu.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Select App security.

2FA authenticator Protectimus Smart - Security Settings

  1. Create a unique PIN for the application.

2FA authenticator Protectimus Smart - PIN setup

  1. The app will prompt you to allow biometric authentication for easier access.

2FA authenticator Protectimus Smart - Biometric authentication setup

  1. Once both PIN and biometric protection are enabled, you can manage your PIN, and turn biometric authentication on or off from the App security page.

2FA authenticator Protectimus Smart - App Security Settings Page

By taking these simple steps, you can ensure that your Protectimus Smart OTP two-factor authentication application is as secure as possible.

8. Transferring Tokens to a New Phone

Protectimus Smart OTP authenticator offers a convenient Data Transfer feature that enables you to effortlessly move your tokens from one phone to another or doenload and store the backup file in the place you like. With this feature, you can export your data into an encrypted file with password protection for added security.

  1. To get started, simply navigate to the Settings menu.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Tap on the Data transfer option.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature

  1. If you want to transfer tokens from your current device to another, choose Export tokens. Alternatively, if you want to import saved data onto your device, select Import tokens.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

  1. If you choose to export tokens, create a strong password and click on Continue to generate the file containing all your data.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

  1. Remember to save this file so you can import your tokens onto the new device later.

Two-factor authentication app Protectimus Smart OTP - Data transfer feature - Export tokens

9. Importing from Google Authenticator

You can easily transfer your tokens from Google Authenticator 2FA app to the Protectimus Smart OTP.

To get started, open your Google Authenticator application and:
  • tap the menu button located at the top-right corner;
  • select Transfer accounts;
  • then choose Export accounts;
  • select the tokens you wish to transfer to Protectimus Smart OTP;
  • tap Next, and you will see a QR code, scan this QR code using the Protectimus Smart OTP app.

In the Protectimus Smart OTP app:
  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Select Import from Google Authenticator, scan the QR code generated by Google Authenticator and wait for the import process to complete.

Two-factor authentication app Protectimus Smart OTP - Import from Google Authenticator

10. Data Signature Method (CWYS)

Protectimus Data Signature, also known as CWYS (Confirm What You See), is a powerful tool that safeguards against phishing, data spoofing, man-in-the-middle attacks, and similar hacking techniques. 2FA app Protectimus Smart - Data signature method

Based on the OCRA algorithm, Protectimus Data Signature allows users to verify key details of financial transactions before confirming them.

To use this feature, you will need to enter a challenge code into the app to generate a one-time password. You can enter the code manually or scan a QR code. 2FA app Protectimus Smart - Data signature method

To set your preferred method for entering a challenge code:

  1. Go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Select the Data Signature method.

2FA app Protectimus Smart - Data signature method

  1. Choose your desired option, and click Save and go back.

2FA app Protectimus Smart - Data signature method

11. Push Tokens

Two-factor authentication app Protectimus Smart OTP offers push notifications as a convenient way to confirm transactions and streamline the login process for end-users, providing additional protection against transaction data replacement.

This feature is available exclusively for services that use Protectimus 2FA solution as their two-factor authentication system backend.

To add, use, or delete push tokens, follow the steps outlined in the next paragraph.

Please note!
  1. You cannon receive push notification if your phone is offline.
  2. Push tokens cannot be edited, backed up, or transferred to another device.

11.1. How to Add Push Tokens

  1. Open the Protectimus Smart OTP MFA app and tap on the plus sign in the upper left corner.

Adding tokens to MFA app Protectimus Smart OTP - Step 1

  1. Choose to Scan QR code and scan the QR code on the service where you plan to use this push token.

Adding tokens to MFA app Protectimus Smart OTP - Step 2 - Scanning the QR code

  1. To proceed, save the public key to your device by tapping the Continue button.

Adding push tokens to MFA app Protectimus Smart OTP - Step 3

  1. You’re all set! The push token has been created, and you’ll receive a notification confirming its successful creation.

Adding push tokens to MFA app Protectimus Smart OTP - Step 4

Important! To receive push notifications from the Protectimus Smart OTP 2FA app, you must enable notifications in your app settings. Please ensure that notifications from the Protectimus Smart OTP app are allowed.

Adding push tokens to MFA app Protectimus Smart OTP - Step 5

11.2. How 2FA Push Notifications Work

This advanced two-factor authentication feature provides additional protection against data spoofing and transaction data replacement.

Note! The device must be online to receive the push notification.
  1. When making a transaction or attempting to log in to a two-factor authentication-protected service, a push notification will be sent to your phone.

Push tokens in the Protectimus Smart OTP 2FA app - Step 1

  1. You’ll need to open the app to view and confirm the details of the transaction.

Push tokens in the Protectimus Smart OTP 2FA app -  Confirm transaction

  1. Or to view and confirm the location of the login attempt.

Push tokens in the Protectimus Smart OTP 2FA app -  Confirm location

11.3. How to Delete Push Tokens

Please note! Please note that push tokens cannot be edited, backed up, or transferred to another device. Deleting the push token is irreversible, and there is no way to restore it. This means that you may lose access to the account associated with the token if it is deleted.
  1. To delete a push token, go to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Go to Push tokens.

Deleting push tokens to MFA app Protectimus Smart OTP - Step 2

  1. Tap the three dots next to the token you wish to delete, and select Delete token.

Deleting push tokens to MFA app Protectimus Smart OTP - Step 3

  1. A confirmation message will appear, and you should only proceed if you are certain that deleting the token will not result in the loss of access to the account protected by it.

Deleting push tokens to MFA app Protectimus Smart OTP - Step 4

12. Time Correction

If you see the message “The one-time code is invalid” when attempting to enter a one-time password, it may be due to a time drift between your token and the two-factor authentication server. To resolve this issue, a time correction may be necessary.

To synchronize your Protectimus Smart OTP app’s internal clock with Protectimus servers:
  1. Navigate to Settings.

Protectimus Smart OTP 2FA application - Cloud Backup update - Step 1

  1. Select the Time correction option.

2FA app Protectimus Smart - Time correction

  1. If everything is in order, you will see a message confirming that the time is already correct.

2FA app Protectimus Smart - Time correction

13. Additional Settings

The Protectimus Smart OTP settings page provides additional options for customization, such as selecting your preferred language for the interface, enabling or disabling Screen Capture Access, and choosing between a dark or bright appearance to suit your preferences.

Protectimus Smart OTP addotional settings

12.1. Application Language

Currently, the Protectimus Smart OTP authenticator is available in English, French, German, Spanish, Russian, and Ukrainian.

Protectimus Smart OTP 2FA app language settings

12.2. Screen Capture Access

To enhance your security, we advise against enabling screen capture access.

Protectimus Smart OTP 2FA app - screen capture access

If you have any questions, please, contact Protectimus customer support service.

CentOS: Enabling Two-Factor Authentication for Enhanced Security

With Protectimus multi-factor authentication (MFA) solution, you can set up CentOS two-factor authentication (2FA) in a few steps.

1. How CentOS Two-Factor Authentication (2FA) Works

After you enable CentOS 2FA, your users will need to use two authentication passwords to get access to their CentOS accounts:


  1. The first is a standard password (something the user keeps in memory);
  2. The second is a one-time password valid only for 30 or 60 seconds (the one-time password is generated with the help of a hardware OTP token or a 2FA app on a user’s phone – something that the user owns and has to carry with them).

This way, the CentOS account becomes protected with two different authentication factors. Even if the hacker steals the users’s password using phishing, brute force, social engineering, data spoofing, or any other attack, they can’t access the CentOS account without the one-time password from a user’s 2FA token.


This guide shows how you can set up CentOS two-factor authentication (2FA) using Protectimus RADIUS 2FA component for the integration with Protectimus Cloud 2FA service or Protectimus On-Premise MFA Platform.


CentOS 2FA (two-factor authentication) setup scheme

2. How to Enable CentOS Two-Factor Authentication (2FA)

You can set up CentOS two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
  2. Install Protectimus PAM module for CentOS 2FA
  3. Install and configure Protectimus RADIUS Server module.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install Protectimus PAM module for CentOS 2FA

yum -y install epel-release
yum -y install pam_radius
 

2.3. Install and configure Protectimus RADIUS Server

  1. Install protectimus-radius

git clone https://github.com/protectimus/platform-linux.git
cd platform-linux/radius
edit config/radius.yml
docker compose up -d

  1. Configure radius.yml file.

    Configure Protectimus RADIUS Server settings in the radius.yml file. It must be located in the same directory as the executable.

    You will find detailed instructions on available properties that you can add to the radius.yml file here.

    The example of radius.yml file configuration:

radius:
  secret: secret
  auth-port: 1812

auth:
  #  Could be :
  #  - LDAP
  #  - PROTECTIMUS_PASSWORD
  #  - PROTECTIMUS_OTP
  #  - PROTECTIMUS_PUSH
  providers:
    - PROTECTIMUS_OTP

protectimus-api:
  login: [email protected]
  api-key: aslkjdljsdlaskmWpXjT5K0xqLXkd3
  url: https://api.protectimus.com/
  resource-name: radius
  resource-id: 723

  1. Edit pam_radius config, configure secret

    /etc/pam_radius.conf

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1

  1. Configure SSH to use challenge response

    /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

  1. Execute the command systemctl restart sshd

  1. Configure PAM for SSH to use RADIUS

    Add auth required pam_radius_auth.so after auth substack password-auth into /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
# protectimus pam radius
auth       substack     password-auth
auth       required     pam_radius_auth.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare


CentOS multi-factor authentication setup is now complete. If you have other questions, contact our customer support service.

Setting Up Two-Factor Authentication on VMware Horizon View

This guide shows how you can set up VMware Horizon View two-factor authentication (2FA) via RADIUS using the Protectimus multi-factor authentication system.

Protectimus two-factor authentication system integrates with VMware Horizon View via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server via a special connector Protectimus RADIUS Server, and the VMware Horizon View performs as a RADIUS client.

The Protectimus RADIUS Server connector transfers authentication requests from the VMware Horizon View to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.

Below is an example of integration of the Protectimus 2FA solution with VMware Horizon View.

Protectimus VMware Horizon View 2FA integration via RADIUS - scheme

1. How to Enable Two-Factor Authentication for VMware Horizon View

You can set up multi-factor authentication (2FA) for VMware Horizon View with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for VMware Horizon View.

2. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.
 

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for VMware Horizon View two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for VMware Horizon View 2FA

  1. Log into the VMware Horizon View admin panel.
  2. Navigate to Settings and then click Servers.
  3. Select the Connection Servers tab.

How to set up VMware Horizon 2FA via RADIUS -  step1
  1. Select the necessary connection server, and after that click the Edit button.

How to enable VMware Horizon View 2FA via RADIUS -  step1
  1. Navigate to the Authentication tab.
  2. Then go to the Advanced Authentication section and select RADIUS in the 2-factor authentication dropdown.
  3. Check the box Enforce 2-factor and Windows user name matching.
  4. Find the Authenticator dropdown, and select Create New Authenticator.

How to enable VMware Horizon View MFA via RADIUS - step 3
  1. You will see an Add RADIUS Authenticator form. Navigate to the Client Customization page and enter any name for your new RADIUS server (e. g. Protectimus). Then click Next.
  2. On the Primary Authentication Server page, fill in the required information referring to the table and image below.

Hostname/AddressEnter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication PortIndicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Accounting PortLeave the default value.
Authentication TypePAP.
Shared SecretIndicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Server TimeoutSet to 60.
Max AttemptsSet to 5.

How to enable VMware Horizon View two-factor authentication via RADIUS -  step 4
  1. For all other fields, leave the default values. Then click Next.
  2. Add a Secondary Authentication Server if you wish (it is optional), and click Finish to complete creating the RADIUS server.
  3. We recommend you review the Advanced Authentication section:
    • check if the RADIUS server you have just created (Protectimus) is selected in the Authenticator dropdown;
    • make sure that you have checked the box Enforce 2-factor and Windows user name matching.

How to set up VMware Horizon multi-factor authentication via RADIUS -  step1
Integration of two-factor authentication (2FA/MFA) for your VMware Horizon View 2FA is now complete. If you have other questions, contact Protectimus customer support service.

Deploying Two-Factor Authentication on F5 BIG-IP APM VPN

This guide shows how to enable multi-factor authentication (MFA / 2FA) for F5 BIG-IP APM VPN with the help of the Protectimus two-factor authentication system.

Protectimus two-factor authentication system integrates with F5 BIG-IP APM VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server, and the F5 BIG-IP VPN performs of a RADIUS client.

The scheme of work of the Protectimus solution for F5 BIG-IP APM VPN 2FA is presented below.

F5 BIG-IP APM VPN 2FA setup via RADIUS

1. How F5 BIG-IP APM VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for F5 BIG-IP APM VPN allows you to add an extra layer of security to your F5 BIG-IP VPN logins.

When you add 2FA/MFA for F5 VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an F5 BIG-IP APM VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for F5 BIG-IP APM VPN

You can set up multi-factor authentication (2FA) for F5 BIG-IP VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.
 

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for F5 BIG-IP APM VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN 2FA

  1. Log into the F5 BIG-IP administrator dashboard.
  2. Navigate to Access –> Authentication –> RADIUS.

How to add two-factor authentication to F5 BIG-IP APM
  1. Click the Create… button to add a new RADIUS server.
  2. Then fill in the form referring to the table and image below, and click Finished to save your settings.
NameType any name for your RADIUS server – enter Protectimus_RADIUS_Server or any other name you wish.
ModeAuthentication
Server ConnectionDirect
Server AddressEnter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Service PortIndicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
SecretIndicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm SecretConfirn the shared secret.
TimeoutSet to 180 seconds.
RetriesSet to 3.
Character SetSet to UTF-8.
Service TypeDefault.

How to add multi-factor authentication to F5 BIG-IP APM - step 2

2.4. Modify the F5 BIG-IP APM Access Policy

  1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies).

How to set up F5 BIG-IP APM 2FA - step 3
  1. Click Edit… to modify your F5 BIG-IP APM access policy.

How to set up F5 BIG-IP APM MFA - step 4
  1. You will see the Access Policy editor. Click + (Plus) on the arrow to the right of the Logon Page.

How to set up F5 BIG-IP APM two-factor auth - step 5
  1. In a new window, select the Authentication tab. The select RADIUS Auth and click the Add Item button.

How to set up F5 BIG-IP APM two-factor authentication - step 6
  1. In the AAA Server dropdown, select Protectimus_RADIUS_Server – the server you have created previously. Then click Save to save the changes.

How to set up F5 BIG-IP APM 2FA - step 7
PLEASE NOTE!
If you have a former authentication method (e.g. Active Directory) you can either remove it or keep it.
You can keep your former authentication method and use Protectimus after or before that authentication method.
To remove it, click X, select Connect previous node to Successful branch, and click Delete.
  1. Click Close to return to the Access Profiles page. Check your profile and click Apply. The status flag next to your profile should change to green.

Integration of two-factor authentication (2FA/MFA) for your F5 BIG-IP APM VPN 2FA is now complete. If you have other questions, contact Protectimus customer support service.

Securing Array AG SSL VPN with Two-Factor Authentication

This guide shows how to enable two-factor authentication (2FA / MFA) for Array AG SSL VPN with the help of the Protectimus multi-factor authentication system.

Protectimus multi-factor authentication system integrates with Array AG SSL VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Array VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for Array VPN 2FA is presented below.

Array VPN 2FA setup via RADIUS

1. How Array VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for Array AG SSL VPN allows you to add an extra layer of security to your Array VPN logins.

When you add 2FA/MFA for Array VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a Array VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for Array AG SSL VPN

You can set up multi-factor authentication (2FA) for Array VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for Array AG SSL VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Array VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Array VPN 2FA

  1. Login to the Array VPN administration panel.
  2. Change the mode to Config.
  3. Navigate to the Virtual Site using the dropdown in the upper left corner.
  4. Find the Site Configuration menu on the left and click on AAA.
  5. Open the General tab and check Enable AAA.

Array VPN 2FA setup via RADIUS - step 1
  1. Navigate to the Server tab and click RADIUS.
  2. Enter the Server Name (e.g. Protectimus RADIUS Server). You can also add a Description. Then click Add.

Array VPN MFA setup via RADIUS - step 1
  1. The newly added server will appear on the list of servers. Open Advanced RADIUS Server Configuration by double-clicking the name of your RADIUS server.
  2. Click Add RADIUS Server on the Advanced RADIUS Server Configuration page. Fill in the form referring to the table and image below, and click Save.
Server IPEnter the IP of server where the Protectimus RADIUS Server component is installed.
Server PortIndicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret PasswordIndicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
TimeoutSet to 180 seconds.
Redundancy OrderSet to 1 if this is your first RADIUS server.
RetriesSet to 3.
Accounting PortSet to 1813.

Array VPN two-factor authentication setup via RADIUS - step 3
  1. Go to the Method tab and click Add Method.
  2. Enter the Method Name (e.g. Protectimus) and Method Description (e.g. Protectimus RADIUS Server). Then select the AAA server in Authentication. The AAA server is the server you created earlier (Protectimus RADIUS Server).
  3. Click Save. The method you just created will appear in the table on the Method tab.

Array VPN 2-factor authentication setup via RADIUS - step 4
  1. Find the AAA Method for Mobile VPN Clients dropdown and select the method you created (Protectimus).

Array VPN multi-factor authentication setup via RADIUS - step 4
  1. Go to the top right corner of the Array VPN administration panel and click Save Configuration.

Array AG SSL VPN 2FA setup via RADIUS - step 6
Integration of two-factor authentication (2FA/MFA) for your Array AG SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

Configuring Two-Factor Authentication for WatchGuard Mobile VPN

This guide shows how to enable multi-factor authentication (2FA / MFA) for WatchGuard Mobile VPN with the help of the Protectimus two-factor authentication solution.

Protectimus multi-factor authentication system integrates with WatchGuard Mobile VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the WatchGuard Mobile VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for WatchGuard Mobile VPN two-factor authentication is presented below.

WatchGuard Mobile VPN 2FA setup via RADIUS

1. How WatchGuard Mobile VPN 2FA Works

Protectimus Two-Factor Authentication Solution for WatchGuard Mobile VPN allows you to add an extra layer of security to your WatchGuard VPN logins.

Protectimus WatchGuard Mobile VPN 2FA Solution enables 2-factor authentication during WatchGuard connections via IPSec and SSL.

When you add 2FA/MFA for WatchGuard Mobile VPN, your users will use two different authentication factors to get access to their accounts.
  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a WatchGuard Mobile VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for WatchGuard Mobile VPN

You can set up multi-factor authentication (2FA) for WatchGuard Mobile VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA.
  4. Configure WatchGuard Mobile VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for WatchGuard Mobile VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA

  1. Log in to the WatchGuard Firebox Admin Panel (Fireware Web UI).
  2. Navigate to Authentication –> Servers –> RADIUS.
WatchGuard Mobile VPN 2FA setup via RADIUS - step 1
  1. Click Add.
WatchGuard Mobile VPN MFA setup via RADIUS - step 2
  1. Fill in the required fields in the Primary Server Settings tab. Please refer to the following table and image.
Domain NameCome up with a name for your RADIUS domain, e.g. Protectimus RADIUS Server. Note that You cannot change the Domain Name after you save the settings.
Enable RADIUS ServerCheck the box.
IP AddressEnter the IP of server where the Protectimus RADIUS Server component is installed.
PortIndicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared SecretIndicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm SecretReenter the shared secret
TimeoutSet to 60 seconds.
RetriesSet to 3.
Dead TimeSet to 10 minutes.
Group AttributeSet to 11.
WatchGuard Mobile VPN two-factor authentication setup via RADIUS - step 3
  1. Click Save to save your settings.

2.4. Configure WatchGuard Mobile VPN with SSL or IPSec

  1. In the WatchGuard Firebox Admin Panel left pane, click VPN –> Mobile VPN.
  2. Then navigate to the SSL or IPSec section, whichever method suits you best, and follow the instructions below.
WatchGuard Mobile VPN 2FA setup via RADIUS - step 4

2.4.1. Configure WatchGuard Mobile VPN with SSL

PLEASE NOTE! To enable 2FA for SSL Mobile VPN, you need to manually add all your users to WatchGuard VPN and then allow them to use SSL VPN.
  1. Go to Authentication –> Users and Groups. Then click ADD to add a new user.
How to Configure WatchGuard Mobile VPN with SSL - step 1
  1. In Add User or Group, enter the name of the user and select the Authentication Server. Refer to the following table and image.
TypeUser
NameEnter the username.
DescriptionOptional, you can enter a description of the user if you want.
Authentication ServerSelect the server you have created before (Protectimus RADIUS Server).

How to Configure WatchGuard Mobile VPN with SSL - step 2
  1. Other options are optional. Click OK and then click Save in the main list of all groups and users to confirm the new user.
PLEASE NOTE! You need to do the above three steps for every user you want to allow to use Mobile VPN with SSL.

  1. After you add all your users, click VPN –> Mobile VPN. Then, go to the SSL section and click CONFIGURE.
How to Configure WatchGuard Mobile VPN with SSL - step 4
  1. Select the Authentication tab.
  2. In AUTHENTICATION SERVERS, select the server you have created before (Protectimus RADIUS Server) and click ADD.
  3. Then, select it on the list of authentication servers and click MOVE UP to make it default.
How to Configure WatchGuard Mobile VPN with SSL - step 5
  1. In Users and Groups, select the groups and users you want to allow to use SSL VPN.
  2. Click SAVE to confirm and save your settings.

2.4.2. Configure WatchGuard Mobile VPN with IPSec

  1. Navigate to VPN –> Mobile VPN. Then, go to the IPSec section and click CONFIGURE.
How to Configure WatchGuard Mobile VPN with IPSec - step 1
  1. In the Groups section, select your profile and click EDIT.
How to Configure WatchGuard Mobile VPN with IPSec - step 2
  1. Select the General tab.
  2. In the Authentication Server dropdown, the server you have created before (Protectimus RADIUS Server). It has the Domain Name you set when configuring Protectimus as RADIUS Server.
How to Configure WatchGuard Mobile VPN with IPSec - step 3
  1. Click SAVE to confirm and save your settings.

Integration of two-factor authentication (2FA/MFA) for your WatchGuard Mobile VPN is now complete. If you have other questions, contact Protectimus customer support service.

Enabling Two-Factor Authentication on Pulse Connect Secure SSL VPN

This guide shows how to enable multi-factor authentication (2FA / MFA) for users logging in to Pulse Connect Secure SSL VPN with the help of the Protectimus two-factor authentication solution for Pulse Connect Secure SSL VPN.

Protectimus’s two-factor authentication system integrates with Pulse Connect Secure SSL VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Pulse Connect Secure SSL VPN takes the role of a RADIUS client.

You will find the scheme of work of the Protectimus solution for Pulse Connect Secure SSL VPN two-factor authentication below.

2FA/MFA for Pulse Connect Secure SSL VPN via RADIUS

1. How 2FA for Pulse Connect Secure SSL VPN Works

Two-factor authentication (2FA / MFA) protects the Pulse Connect Secure SSL VPN user accounts from phishing, brute force, keyloggers, man-in-the-middle attacks, data spoofing, social engineering, and other similar hacking tricks.

When you enable 2FA/MFA for Pulse Connect Secure SSL VPN, Pulse Secure VPN users will use two different authentication factors to get access to their accounts.
  1. The first factor is username and password (something they know);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or a 2FA app (something they own).

To hack a Pulse Connect Secure SSL VPN user account protected with two-factor authentication, a hacker needs both passwords at once. Moreover, a hacker has only 30 seconds to crack and use a time-based one-time password. It is almost impossible to fulfill these conditions, which makes two-factor authentication so effective.

2. How to Enable 2FA for Pulse Connect Secure SSL VPN

You can set up two-factor authentication (2FA) for Pulse Connect Secure SSL VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Pulse Connect Secure SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Pulse Connect Secure SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Pulse Connect Secure SSL VPN

  1. Log into the Pulse Secure administration panel.
  2. Navigate to Authentication –> Auth. Servers.
How to set up 2FA/MFA for Pulse Connect Secure SSL VPN - step 2
  1. Select RADIUS Server in the dropdown, and click New Server….
How to set up MFA for Pulse Connect Secure SSL VPN - step 3
  1. Fill in the required fields in the Settings tab. Please refer to the following table and image.
NameCome up with a name for your RADIUS server, e.g. Protectimus Server.
RADIUS ServerEnter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication PortIndicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared SecretIndicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
TimeoutSet to 180 seconds.
RetriesSet to 3.
How to set up two-factor authentication for Pulse Connect Secure SSL VPN - step 4
  1. Keep default values of all other fields and click Save Changes.
  2. Navigate to Users –> User Realms –> New User Realm….
How to set up 2-factor authentication for Pulse Connect Secure SSL VPN - step 6
  1. Come up with a Name for your new realm, e.g. Protectimus Server.
  2. Select the previously created authentication server (Protectimus Server) in the Authentication dropdown.
  3. Click Save Changes.
How to set up multi-factor authentication for Pulse Connect Secure SSL VPN - step 7
  1. Navigate to Authentication Policy –> Password.
  2. Select Allow all users (passwords of any length) and click Save Changes.
How to set up multi-factor auth for Pulse Connect Secure SSL VPN - step 10
  1. Go to the Role Mapping tab and click New Rule….
How to set up  two-factor auth for Pulse Connect Secure SSL VPN - step 12
  1. Come up with the name for a new rule, e.g. Protectimus Rule.
  2. Set Rule:If username… to is *.
  3. Assign a Users role. Select Users on the Available Roles list and click Add –>.
  4. Click Save Changes.
How to set up  2FA for Pulse Connect Secure SSL VPN - step 13
  1. Navigate to Authentication –> Signing In –> Sign-in Policies.
How to set up  MFA for Pulse Connect Secure SSL VPN - step 17
  1. Click the */ URL in the User URLs table.
  2. Select User picks from a list of authentication realms and select the Protectimus Server realm you have created before. To do this, just select Protectimus Server on the Available realms list and click Add –>.
  3. Click Save Changes.
How to set up two-factor authentication for Pulse Connect Secure SSL VPN - step 19

Integration of multi-factor authentication for Pulse Connect Secure SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

Implementing Two-Factor Authentication in Aruba ClearPass

This guide shows how to set up two-factor authentication for Aruba switches. This requires Aruba ClearPass to be integrated with Protectimus’ Multi-Factor Authentication (MFA) solution. You can use the Protectimus Cloud MFA Service or the Protectimus On-Prem MFA platform, which should be installed in the client’s environment or private cloud.

The Protectimus Two-Factor Authentication Server communicates with Aruba network equipment using the RADIUS authentication protocol. The Protectimus RADIUS Server component acts as a RADIUS server:
  1. It accepts an incoming RADIUS authentication request.
  2. Then, it accesses the user store (Active Directory, etc.) to confirm the user’s login and password.
  3. The next step is to check the one-time password. To do this, Protectimus RADIUS Server contacts the Protectimus two-factor authentication server.
  4. If both authentication factors are correct, Protectimus RADIUS Server allows the user to connect to the Aruba switch.

The diagram below shows how the Protectimus two-factor authentication solution for Aruba network equipment works.

MFA Aruba Switch - how to enable via RADIUS

1. How Aruba Switches Two-Factor Authentication (2FA) Works

Two-factor authentication (2FA / MFA) protects user accounts from attacks such as brute force, phishing, keyloggers, man-in-the-middle, social engineering, data spoofing, etc.

After you set up two-factor authentication for Aruba switches to connect to Aruba networking equipment, users will use two different authentication factors.
  1. The first factor is login and password (what the user knows);
  2. The second factor is a one-time password generated using a hardware OTP token or a smartphone (which belongs to the user).
To hack a user account, an attacker must get access to two passwords at once, which is almost impossible. At the same time, the attacker has only 30 seconds to crack and use one of these passwords.

2. How to Enable MFA for Aruba Switch

You can set up Aruba Switch two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for your Aruba Switch.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Aruba switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Aruba Switch

There are two options to configure multi-factor authentication for Aruba switch via RADIUS:
  • WebUI configuration. Available for the older versions of Aruba ClearPass.
  • CLI configuration. Newer versions of Aruba switches can be configured only through the configuration console.
Follow only the steps of the method you choose.

How to configure MFA for Aruba switch via WebUI
  1. In the Aruba Networks ClearPass WebUI Console, go to Configuration –> Security –> Authentication –> Servers.
  2. Select RADIUS Server to display the RADIUS Server List.
  3. Provide a Name for the new server, e.g. Protectimus, and click Add.
  4. Select the name to configure the parameters, such as IP Address; and then check Mode to activate the server.
  5. Click Apply.
  6. Select Server Group to display the Server Group List.
  7. Provide a Name for the new server group, e.g. corp_radius, and click Add.
  8. Select the name to configure the parameters.
  9. Under Servers, select New to add a server to the group.
  10. Select the server (i.e. Protectimus) from the dropdown menu and click Add Server.
  11. Click Apply.
  12. Go to Configuration –> Management –> Administration.
  13. Under Management Authentication Servers, select a management role, e.g. root, for the Default Role.
  14. Check Mode to activate.
  15. For the Server Group, select the newly created group, i.e. corp_radius.
  16. Click Apply.

How to configure MFA for Aruba switch via CLI

How to Add New RADIUS Server
aaa authentication-server radius Protectimus
  host <ipaddr>
  enable

How to Add New Server Group
aaa server-group corp_radius
  auth-server Protectimus

How to Define Role for Server Group
aaa authentication mgmt
  default-role root
  enable
  server-group corp_radius

Integration of two-factor authentication (2FA/MFA) for your Aruba ClearPass is now complete. If you have other questions, contact Protectimus customer support service.

Configuring Two-Factor Authentication for Barracuda SSL VPN

This Barracuda SSL VPN 2FA guide shows how to enable two-factor authentication (2FA / MFA) for Barracuda SSL VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Barracuda SSL VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to Barracuda SSL VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Barracuda VPN 2FA performs as a RADIUS server, and the Barracuda SSL VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Barracuda SSL VPN two-factor authentication below.

How to set up Barracuda SSL VPN two-factor authentication via RADIUS

1. How Barracuda SSL VPN Two-Factor Authentication (2FA) Works

Setting up two-factor authentication for Barracuda SSL VPN means that your users will have to enter two different factors of authentication when they get access to their accounts.

  1. The first 2FA factor is a username and password (something the user knows);
  2. The second 2FA factor is a time-based one-time password generated with the help of an OTP token or an app on a phone (something the user owns). A one-time passwords remains valid only for 30 seconds.

It is too hard to get unauthorized access to the Barracuda SSL VPN account protected with multi-factor authentication. A hacker has to get two passwords of different natures and use them simultaneously. Moreover, he has only 30 seconds to hack and use a one-time passcode, which complicates the task умут further and makes it almost impossible.

Tho-factor authentication (2FA / MFA) is an effective protection measure against such cybersecurity threats like phishing, keylogging, social emgeneering, brute force, MITM attacks, data spoofing, etc.

2. How to Enable Barracuda SSL VPN 2FA

You can set up Barracuda SSL VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure Barracuda SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Barracuda SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Barracuda SSL VPN

  1. Log in to Barracuda VPN interface.
  2. Navigate to Users –> External Authentication.
How to set up Barracuda SSL VPN 2FA via RADIUS - step 1
  1. Select RADIUS and configure the following RADIUS settings to add a RADIUS Server. After that, click Save to save the changes.
Server AddressIP of server where the Protectimus RADIUS Server component is installed.
Server PortIndicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Server KeyIndicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Group AttributeKeep the default value.
Group Attribute DelimiterKeep the default value.
NAS IDIf your RADIUS server requires NAS credentials to be set, enter the NAS identifier.
NAS IP AddressIf your RADIUS server requires NAS credentials to be set, enter the NAS IP Address.
NAS IP PortIf your RADIUS server requires NAS credentials to be set, enter the NAS IP Port.
Group Information FromSet to blank/empty.
How to set up Barracuda SSL VPN MFA via RADIUS - step 2
  1. Navigate to VPN –> SSL VPN.
How to set up Barracuda SSL VPN two-factor authentication via RADIUS - step 3
  1. Go to the Authentication section. Select RADIUS in User Authentication. Click Save.
How to set up Barracuda SSL VPN multi-factor authentication via RADIUS - step 4
Integration of two-factor authentication (2FA/MFA) for your Barracuda SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

Implementing Two-Factor Authentication in MikroTik VPN

This guide describes how to enable Protectimus Two-Factor Authentication (2FA) for users connecting to MikroTik VPN.

The Protectimus two-factor authentication system can be integrated with MikroTik VPN via RADIUS authentication protocol. For this purpose, you need to install an on-premise Protectimus RADIUS Server component and configure the MikroTik VPN to refer to the Protectimus RADIUS Server for user authentication.

See how Protectimus two-factor authentication solution works for MikroTik VPN in the scheme below. How to set up  MikroTik two-factor authentication via RADIUS

1. How MikroTik VPN Two-Factor Authentication (2FA) Works

After integrating MikroTik VPN with the Protectimus MFA system, your users will need to pass two stages of authentication to connect to MikroTik VPN:
  1. Enter their username and password.
  2. Enter the one-time passcode, which is only valid for 30 seconds.

To generate one-time passcodes, the following types of two-factor authentication tokens will be available to your users:
  • Classic and programmable hardware OTP tokens that look like keyfobs and plastic cards;
  • 2-factor authentication app Protectimus SMART OTP on iOS and Android;
  • Any other 2-factor authentication apps that support TOTP auth standard, including Google Authenticator;
  • Delivery of one-time passwords using chatbots in Telegram, Messenger, or Viber;
  • SMS authentication;
  • Delivery of one-time passwords via email.

It is a challenging task for the intruder to hack two authentication factors that differ in their nature (something the user knows and owns) and use them simultaneously within 30 seconds (the time when the one-time password remains active). That is why two-factor authentication is one of the best security measures for MikroTik VPN.

2. How to Enable MikroTik VPN 2FA

You can set up MikroTik VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure MikroTik VPN Client.
  4. Configure Windows VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for MikroTik VPN 2-factor authentication using RADIUS are available here.

2.3. Configure MikroTik VPN Client

  1. Open Webfig.
  2. Navigate to the menu on the left, and select the RADIUS tab.
  3. Click Add New to configure your Protectimus RADIUS Server as a RADIUS server.
  4. Check ppp and ipsec in the Service section.
  5. Check login in the Service section.
  6. Indicate the IP of the server where the Protectimus RADIUS Server is installed.
  7. Set Protocol to udp.
  8. Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property).
  9. Change the default timeout to 30000 ms or higher.
  10. Click OK to save your settings.
MikroTik VPN 2FA setup - step 1
  1. Navigate to the menu on the left, and select the PPP tab.
  2. Select the Interface tab and then click PPTP Server, SSTP Server, L2TP Server, or OVPN Server depending on which one you are using.
  3. Check pap and uncheck every other checkbox in Authentication. Click OK.
  4. Select the Secrets tab, and click the PPP Authentication & Accounting button.
MikroTik VPN two-factor authentication setup - step 2
  1. Check Use Radius, and click OK to finish the configuration and enable Protectimus two-factor authentica in your VPN.

2.4. Configure Windows VPN

  1. On your Windows operating system, go to Settings –> Network & Internet –> VPN and select Add a VPN connection.
  2. Fill in the form and click Save. Refer to the following image and table.
VPN ProviderWindows (in-built)
Connection nameMikroTik
Server name or addressEnter the IP address of your server
VPN typeSelect your VPN Type. We chose L2TP/IPsec with pre-shared key, but you have to select the one you use in MikroTik.
Pre-shared keyIndicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Type of sign-in infoUser name and password
User name (optional)Your user name
Password (optional)Your password

Windows VPN  setup - step 1
  1. Go to Control Panel → Network and Sharing Center and select Change adapter options.
  2. Right-click your newly-created MikroTik connection and select Properties.
  3. Select the Security tab.
  4. Select Allow these protocols and then check the Unencrypted password (PAP) checkbox.
  5. Then click OK to save the changes.
Windows VPN  setup - step 2
Integration of two-factor authentication (2FA/MFA) for your MikroTik VPN is now complete. If you have other questions, contact Protectimus customer support service.