
Introduction

This guide illustrates the different end-user login experiences when using a virtual private network (VPN) to access remote resources through RADIUS, with two-factor authentication on desktop, web, and mobile.

NOTE: The images in this document provide examples of some user interfaces; the appearances of user interfaces will differ depending on the RADIUS client model or the VPN client application.

Prerequisites

If end-users will use YubiKey devices to obtain a one-time HOTP or TOTP passcode, ensure that the YubiKey devices are supported. See the "YubiKey" section of the SecureAuth Compatibility Guide.



Single screen login workflows

The authentication workflow requires the entry of your username followed by at least one other code entry, such as a password or passcode, before the login button is enabled.

Password Only

1. Enter your username.

2. Enter your password.

One-Time Passcode (TOTP/HOTP) Only

1. Enter your username.

2. In the password field, enter the TOTP.

One-Time Passcode (TOTP/HOTP) / Password

1. Enter your username.

2. In the password field, enter the TOTP, then a "/" (forward slash), followed by the password. For example: 563719/Password!

PIN + OTP

1. Enter your username.

2. In the password field, enter the PIN followed by the OTP. For example: 3236198337 – in which 3236 is the PIN and 198337 is the OTP.
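The two combined password-field formats above (passcode/password and PIN + OTP) can be split apart as in the following added example, which is not SecureAuth code. The function names and the 6-digit passcode length are assumptions taken from the page's sample values. Neither format is self-describing, so the receiving side has to know which workflow is configured before parsing.

```python
import re

OTP_DIGITS = 6  # assumption: 6-digit passcodes, as in the page's examples


def _check_otp(otp: str, digits: int) -> str:
    # [0-9] rather than \d or str.isdigit(): those also accept non-ASCII digits.
    if not re.fullmatch(rf"[0-9]{{{digits}}}", otp):
        # Never echo the submitted field in errors or logs; it holds secrets.
        raise ValueError(f"passcode must be exactly {digits} ASCII digits")
    return otp


def split_otp_slash_password(field: str, digits: int = OTP_DIGITS):
    """'<otp>/<password>': split on the FIRST slash only, because the
    passcode cannot contain '/', while the password may."""
    otp, sep, password = field.partition("/")
    if not sep or not password:
        raise ValueError("expected <passcode>/<password>")
    return _check_otp(otp, digits), password


def split_pin_otp(field: str, digits: int = OTP_DIGITS):
    """'<pin><otp>': no delimiter, so the passcode is the fixed-length tail
    and the PIN is whatever precedes it."""
    pin, otp = field[:-digits], field[-digits:]
    if not pin:
        raise ValueError("expected <PIN><passcode>")
    return pin, _check_otp(otp, digits)


if __name__ == "__main__":
    # Sample values are the ones shown in the steps above.
    print(split_otp_slash_password("563719/Password!"))
    print(split_pin_otp("3236198337"))
```
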

Yubico One-Time Passcode (OTP) Only

1. On the initial VPN login screen, click Connect. Your username is automatically displayed in the login screen, and the password screen is displayed.

2. Enter your password by pressing your YubiKey.

The Yubico OTP is automatically sent to the login app, the login app receives the OTP, and you are connected to your network.



Multi-screen login workflows

Password | One-Time Passcode (TOTP/HOTP)

1. On the initial VPN login screen, enter your username.

2. Enter your password.

3. Get the one-time passcode from the SecureAuth Authenticate App or other SecureAuth TOTP application.

4. On the second VPN login screen, enter your passcode.

Password & Mobile Login Request (Approve / Deny)

1. On the initial VPN login screen, enter your username.

2. Enter your password. The VPN waits for RADIUS to respond.

3. On the mobile app Login Request screen, tap Approve or Deny request.

Password | Second Factor

1. On the initial VPN login screen, enter your username.

2. Enter your password.

3. The response screen prompts you for one of two options:

  a. Enter an HOTP one-time passcode (from a YubiKey) or a TOTP one-time passcode (from SecureAuth Authenticate, SecureAuth Passcode, or Yubico Authenticator).
  b. Enter the number corresponding to an available Second Factor authentication method:
    • SMS / Text Message
    • Phone
    • Email
    • Send Passcode to Phone (Push Notification)
    • Send Login Request to Phone (Push-to-Accept)
    • PIN
    • Yubico OTP Token

NOTE: The list of available Second Factor authentication methods is dynamic, since it is based on configured Multi-Factor Authentication options.

4. Make the appropriate entry on the response screen, based on the selected workflow (from the two options in step 3). 

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Second Factor authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Second Factor authentication options so another option can be selected.

If selecting option "a" (One-Time Passcode-TOTP/HOTP)...

5a. Get the one-time passcode from the SecureAuth Authenticate App (or other SecureAuth TOTP application, such as SecureAuth Passcode), HOTP from YubiKey, or TOTP from a Yubico Authenticator app by using a YubiKey.

6a. Enter the passcode.

If selecting option "b" (Second Factor)...

5b. Enter the number corresponding to an available Second Factor authentication method.

 If the Phone option is selected...

If more than one phone number is set up in your account, select the number corresponding to the phone number to use in the Second Factor authentication workflow session.

 If the Push-to-Accept option is selected...

The VPN waits for RADIUS to respond.

When the Login Request screen appears on the mobile app, tap Approve or Deny on the screen.

One-Time Passcode (TOTP/HOTP) | Password

1. On the initial VPN login screen, enter your username.

2. Get the one-time passcode from the SecureAuth Authenticate App (or other SecureAuth TOTP application, such as SecureAuth Passcode), HOTP from YubiKey, or TOTP from a Yubico Authenticator app by using a YubiKey.

3. Enter your password on the second VPN login screen.

Username | Second Factor

1. On the initial VPN login screen, enter your username.

2. A password entry is not required.

3. On the response screen, enter the number corresponding to an available Second Factor authentication method. (The following numbers are examples; yours will be different.)

  • SMS / Text Message
  • Phone
  • Email
  • Send Passcode to Phone (Push Notification)
  • Send Login Request to Phone (Push-to-Accept)
  • PIN
  • Yubico OTP Token

NOTE: The list will show only the Second Factor authentication options that the administrator set up for your organization, as shown in the example above in step 4.

4. Proceed with the Second Authentication Factor workflow.

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Second Factor authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Second Factor authentication methods so another option can be selected.

See Password | Second Factor for sample screen shots showing the results of selections made at step 4.

Username | Second Factor | Password

1. On the VPN login screen, enter your username.

2. A password entry is not required at this step.

3. On the response screen, enter the number corresponding to an available Multi-Factor Authentication method. (The following numbers are examples; yours will be different.)

  • SMS / Text Message
  • Phone
  • Email
  • Send Passcode to Phone (Push Notification)
  • Send Login Request to Phone (Push-to-Accept)
  • PIN
  • Yubico OTP Token

NOTE: The list will show only the Second Factor authentication options that the administrator set up for your organization, as shown in the example above in step 4.

4. Proceed with the Second Authentication Factor workflow.

NOTE: If the Send Passcode to Phone (Push Notification) workflow or PIN workflow is initially selected, and then another Second Factor authentication option is preferred, entering 0 (zero) in the response field presents the screen with available Second Factor authentication methods so another option can be selected.

See Password | Second Factor for sample screen shots showing the results of selections made above in step 4.

5. On the response screen, enter your password.

 

Password & One-Time Passcode (TOTP/HOTP)

1. On the initial VPN login screen, enter your username.

2. Enter your password.

3. Get the one-time passcode from the SecureAuth Authenticate App (or other SecureAuth TOTP application, such as SecureAuth Passcode), HOTP from YubiKey, or TOTP from a Yubico Authenticator app by using a YubiKey.

4. Enter your passcode.

Password & Yubico One-Time Passcode (OTP)

1. On the initial VPN login screen, enter your username.

2. Enter your password.

3. Get the Yubico one-time passcode by pressing your YubiKey.

The Yubico OTP is automatically sent to the login app, the login app receives the OTP, and you are connected to your network.



Multiple devices registered for Second Factor authentication

If you have more than one registered mobile device, each with more than one phone number or email address registered, a prompt appears for you to select which mobile device, phone number, or email address to use in the Second Factor authentication workflow session.

1. Select the Second Factor authentication option – for example, "4".

2. Click Continue.

3. Since option 4 was selected in this example, a prompt appears for you to select the phone number where the passcode will be sent.



Related documentation

SecureAuth IdP RADIUS server v19.06 integration guide

Installation guide - v19.06 - SecureAuth IdP RADIUS server

Configuration guide - v19.06 - SecureAuth IdP RADIUS server

SecureAuth compatibility guide

Prior version

SecureAuth IdP RADIUS server v2.5 integration guide

Installation guide - v2.5 - SecureAuth IdP RADIUS server

Configuration guide - v2.5 - SecureAuth IdP RADIUS server

End-user experience - v2.5 - SecureAuth IdP RADIUS server