Documentation

 

 

Introduction

This guide illustrates the different types of end-user login experiences using a VPN to access remote resources via RADIUS on a desktop, web, and mobile two-factor authentication.

NOTE: The images in this document provide examples of some user interfaces; the appearances of user interfaces will differ depending on the RADIUS client model or the VPN client application.

CONTENTS OF THIS DOCUMENT:

 


Single screen login workflows

The authentication workflow requires the entry of your username followed by at least one other code entry, such as a password or passcode, before the login button is enabled.

Password Only

1. Enter your username.

2. Enter your password.

Timed Passcode Only

1. Enter your username.

2. In the password field, enter the TOTP.

Timed Passcode / Password

1. Enter your username.

2. In the password field, enter the TOTP, then a "/" (forward slash), followed by the password. For example: 563719/Password!

PIN + TOTP

1. Enter your username.

2. In the password field, enter the PIN followed by the TOTP. For example: 3236198337 – in which 3236 is the PIN and 198337 is the TOTP.

 


Multi-screen login workflows

Password | Timed Passcode

1. On the initial VPN login screen, enter your username.

2. Enter your password.

3. Get the timed passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application.

4. On the second VPN login screen, enter your passcode.

Password & Mobile Login Request (Approve / Deny)

1. On the initial VPN login screen, enter your username.

2. Enter your password. The VPN waits for RADIUS to respond.

3. On the mobile app Login Request screen, tap Approve or Deny request.

Password | Timed Passcode or Second Factor 

1. On the initial VPN login screen, enter your username.

2. Enter your password.

3. The response screen prompts you for one of two options:

a. Entry of a timed passcode (TOTP), or

b. Entry of the number corresponding to an available Second Factor authentication method:

    • SMS / Text Message Phone
    • Email
    • Send Passcode to Phone (Push Notification)
    • Send Login Request to Phone (Push-to-Accept)
    • PIN

NOTE: The list of available Second Factor authentication methods is dynamic, since it is based on configured Multi-Factor Authentication options.

4. Make the appropriate entry on the response screen, based on the selected workflow (option "a" or "b" in step 3).

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Second Factor authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Second Factor authentication options so another option can be selected.

If selecting option "a" (Timed Passcode)...

5a. Get the timed passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application.

6a. Enter the passcode.

If selecting option "b" (Second Factor)...

5b. Enter the number corresponding to an available Second Factor authentication method.

 If the Phone option is selected...

If more than one phone number is set up in your account, select the number corresponding to the phone number to use in the Second Factor authentication workflow session.

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond.

When the Login Request screen appears on the mobile app, tap Approve or Deny on the screen.

Timed Passcode | Password

1. On the initial VPN login screen, enter your username.

2. Get the timed passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application.

3. Enter your password on the second VPN login screen.

Username | Second Factor

1. On the initial VPN login screen, enter your username.

2. A password entry is not required.

3. On the response screen, enter the number corresponding to an available Second Factor authentication method:

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)
6 = PIN

NOTE: The list of available Second Factor authentication methods is dynamic, since it is based on configured Second Factor authentication options.

4. Proceed with the Second Authentication Factor workflow.

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Second Factor authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Second Factor authentication methods so another option can be selected.

See Password | Timed Passcode or Second Factor for sample screen shots showing the results of selections made at step 4.

Username | Second Factor | Password

1. On the VPN login screen, enter your username.

2. A password entry is not required at this step.

3. On the response screen, enter the number corresponding to an available Multi-Factor Authentication method:

1 = SMS / Text Message
2 = Phone
3 = Email
4 = Send Passcode to Phone (Push Notification)
5 = Send Login Request to Phone (Push-to-Accept)
6 = PIN 

NOTE: The list of available Second Factor authentication methods is dynamic, since it is based on configured Second Factor authentication options.

4. Proceed with the Second Authentication Factor workflow.

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Second Factor authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Second Factor authentication methods so another option can be selected.

See Password | Timed Passcode or Second Factor for sample screen shots showing the results of selections made at step 4.

5. On the response screen, enter your password.

 

Password & Timed Passcode

1. On the initial VPN login screen, enter your username.

2. Enter your password.

3. Get the timed passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application.

4. Enter your passcode.

 


Multiple devices registered for Second Factor authentication

If you have more than one registered mobile device, each with more than one phone number or email address registered, a prompt appears for you to select which mobile device, phone number, or email address to use in the Second Factor authentication workflow session.

1. Select the Second Factor authentication option – for example, "4".

2. Click Continue.

3. Since option 4 was selected in this example, a prompt appears for you to select which phone number to use for receiving a passcode.

 


Related documentation

SecureAuth IdP RADIUS server v2.4 integration guide

Installation guide - v2.4 - SecureAuth IdP RADIUS server

Configuration guide - v2.4 - SecureAuth IdP RADIUS server

For the prior version, see:

SecureAuth IdP RADIUS Server v2.3.9+ Integration Guide

SecureAuth IdP RADIUS Server v2.3.9+ Installation Guide