2.9.4. One Time Password OTP
A One Time Password (OTP) is an authorization code or dynamic password that can only be used once. It is often used at login, where it mitigates several weaknesses of traditional static passwords (reuse, replay, and credential theft).
OpenNAC Enterprise lets you configure and manage OTPs so that this second authentication factor is required when accessing the VPN or the Web Administration Portal itself.
You can modify the OTP in Configuration -> OTP.
Before entering the Web Administration Portal, some VPN configuration must be done on the Core component.
Note
This configuration only applies to the OpenVPN case. If you are using WireGuard authentication, skip to the Administration Portal configuration.
Edit the /etc/raddb/huntgroups file and add a line that assigns your VPN server (by its NAS IP address) to the vpn huntgroup:
vpn NAS-IP-Address == <VPN_IP_address>
Edit the /etc/raddb/mods-available/opennac file and add the following line, so the OpenNAC module knows which huntgroup carries VPN requests:
vpnHuntgroupName = vpn
Lastly, edit the /etc/raddb/clients.conf file to declare the VPN server as a RADIUS client (the shared secret must match the one configured on the VPN side):
client <VPN_IP_address> {
secret = <preshared_key>
shortname = <VPN_identifier>
}
You can manage all the tasks related to OTP Network Access in Configuration -> OTP. OTP Management includes the following functions.

We can add new users by clicking on the Add new button and entering the desired username for the QR owner. We can create OTPs for external users as well as for CMDB users (local users or admin users).

We can also Regenerate the QR for a selected user.
We can create an OTP for every user in a group of a selected LDAP or AD by clicking on Create OTP using LDAP/AD group. We have to configure the following options:

User data source: The LDAP or AD source we want to use.
Users group: The group of users that will be using the OTP.
Regenerate OTPs that already exist and send QR: Flag that enables or disables regeneration (and re-sending of the QR) for users who already have an OTP.
We can Delete the selected OTP or Refresh the page.
When we click on Other actions we can see the following drop-down menu:

Export data: Export the data in JSON format.
Check token: Allows us to check a token based on a username.
Query user log: By selecting a user and clicking on this button, we will be able to see the log.
Send QR: To send an email with a QR to a specific user.
It is also possible to filter the entries by clicking on View Only: either QRs that have been sent and not used, or QRs that have been sent, not used, and have expired.

It is also possible to Search for a user and review their OTP parameters by clicking on the + icon:

User: The owner of the QR.
User e-mail: The email where the QR has been sent.
OTP Secret downloaded: Boolean indicating whether the OTP secret has been downloaded.
OTP Secret sent as QR: Date and time indicating when the QR was sent.
OTP Secret sent by: The user that sent the QR.
#QR used: Number of times the QR was used.
QR last use: Date of the last use of the QR.
QR expiration date: Expiration date of the sent QR (in red if the QR has expired).
Created by: User who created the OTP.
Modified by: User who modified the OTP.
After creating a user or group QR and sending it to the users, you will also need to configure Configuration -> Configuration Vars -> OTP.
You can use your one-time QR with any authenticator app, such as Google Authenticator. Once you scan the QR, the app shows a dynamic PIN that is valid for about 30 seconds.

Now you can connect to the VPN by selecting 2FA in the authentication window and filling in your username, password, and OTP PIN.
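As an added illustration (not OpenNAC's own code), this shows how the dynamic PIN displayed by the authenticator app is derived from the secret in the QR and how a server can check it (RFC 6238 TOTP, 30-second step, 6 digits), including a small clock-drift window and a constant-time comparison. The secret is the RFC 6238 test secret, and the otpauth URI layout and the "OpenNAC" issuer label are assumptions, not the portal's actual QR content.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# RFC 6238 test secret ("12345678901234567890" in base32); constructed demo value, not an OpenNAC secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30     # seconds per PIN, matching the ~30 s validity seen in the authenticator app
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_pin(secret_b32: str, pin: str, unix_time: int, window: int = 1) -> bool:
    """Accept the PIN for the current step or +/- `window` adjacent steps (clock drift).

    Every candidate is compared in constant time so response timing does not reveal
    how many digits matched; a malformed PIN is rejected before any computation."""
    if not (pin.isdigit() and len(pin) == DIGITS):
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + drift * STEP), pin):
            return True
    return False


def provisioning_uri(secret_b32: str, user: str, issuer: str = "OpenNAC") -> str:
    """otpauth:// URI of the kind an authenticator app reads from a provisioning QR.

    Assumed layout (standard Key URI format); the issuer label is a placeholder."""
    label = urllib.parse.quote(f"{issuer}:{user}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={issuer}"
            f"&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    import time
    now = int(time.time())
    pin = totp(DEMO_SECRET_B32, now)
    print("current PIN:", pin, "accepted:", verify_pin(DEMO_SECRET_B32, pin, now))
```

The `verify_pin` window of one step on each side is what keeps a PIN typed just as the app rolls over from being rejected; a server should also record the last accepted step for a user and refuse to accept it twice, which is what makes the password one-time.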
