3.2.2.4.4. OTP
A One-Time Password (OTP) is an authorization code or dynamic password that can be used only once. It is often used at login and avoids several weaknesses of traditional static login methods.
OpenNAC Enterprise lets you configure and manage OTPs so that this second authentication password is used when accessing the VPN or the Web Administration Portal itself.
Some VPN configuration is required on the Core component before proceeding with the settings in this section.
3.2.2.4.4.1. Configuring VPN (OpenVPN)
Note
This configuration applies only to the OpenVPN case. If you are using WireGuard authentication, please skip to the OTP Configuration topic.
Edit the /etc/raddb/huntgroups file and add a line with your VPN:
    vpn NAS-IP-Address == <VPN_IP_address>
Edit the /etc/raddb/mods-available/opennac file and add the following line:
    vpnHuntgroupName = vpn
Lastly, edit the /etc/raddb/clients.conf file to add the VPN network:
    client <VPN_IP_address> {
        secret = <preshared_key>
        shortname = <VPN_identifier>
    }
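The three edits above only work together: the huntgroup name in mods-available/opennac must match the name in huntgroups, and the NAS-IP-Address there must match a client block in clients.conf. The following check is an added example, not part of OpenNAC or its documentation; the function name check_vpn_radius is hypothetical, it accepts any huntgroup name rather than only vpn, and the file-permission test on clients.conf is an extra hardening check that the steps above do not require.

```sh
#!/bin/sh
# Added example, not OpenNAC code: cross-check the three FreeRADIUS edits.
# Usage: check_vpn_radius <raddb_dir> <vpn_ip>   (returns 0 when consistent)
check_vpn_radius() {
    raddb=$1; ip=$2; rc=0

    # 1. Huntgroup name that mods-available/opennac refers to.
    hg=$(sed -n 's/^[[:space:]]*vpnHuntgroupName[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$raddb/mods-available/opennac" | head -n 1)
    if [ -z "$hg" ]; then
        echo "FAIL: vpnHuntgroupName is not set in mods-available/opennac"; rc=1
    # 2. huntgroups must bind that same name to the VPN's NAS-IP-Address.
    elif ! awk -v hg="$hg" -v ip="$ip" \
        '$1 == hg && $2 == "NAS-IP-Address" && $3 == "==" && $4 == ip { ok = 1 }
         END { exit !ok }' "$raddb/huntgroups"; then
        echo "FAIL: huntgroups has no '$hg NAS-IP-Address == $ip' line"; rc=1
    fi

    # 3. clients.conf must declare the VPN as a RADIUS client with a real secret.
    block=$(awk -v ip="$ip" '$1 == "client" && $2 == ip { f = 1 }
        f { print } f && index($0, "}") { exit }' "$raddb/clients.conf")
    if [ -z "$block" ]; then
        echo "FAIL: no 'client $ip { ... }' block in clients.conf"; rc=1
    else
        secret=$(printf '%s\n' "$block" |
            sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
        case $secret in
            ''|'<'*'>') echo "FAIL: client $ip has no secret or still uses a <placeholder>"; rc=1 ;;
        esac
    fi

    # 4. Extra check (an assumption of this example): the preshared key is
    #    stored in clear text, so clients.conf should not be world-readable.
    if [ -n "$(find "$raddb/clients.conf" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: clients.conf is world-readable"; rc=1
    fi
    return "$rc"
}

# When called as a script with two arguments, check that tree directly.
if [ "$#" -eq 2 ]; then check_vpn_radius "$1" "$2"; fi
```

Run it as root on the Core with /etc/raddb and the VPN address as arguments after making the edits.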
3.2.2.4.4.2. OTP Configuration
From this view, you can configure tasks related to OTP Network Access. In the following topics we will explore its toolbar capabilities and all features displayed in this view.

The Create new button, located at the upper-right corner, allows you to add new users. Type the desired username for the QR owner:

3.2.2.4.4.2.1. Toolbar
The toolbar helps you quickly find users, create OTPs for a user or group of users, and configure mail settings.

Let’s explore the toolbar row from left to right.
Search: This field allows you to search users.
Create new OTPs for a group of users: Click this button to create new OTPs for a group of users based on User Data Sources (UDS). You must configure your UDS beforehand for them to be available in this view.

OTP Configuration: It displays a window for configuring the OTP service.

General
OTP service name: Enter a name for the OTP service.
Enable ‘Send OTP secret as QR’: Enable this flag so users can receive a QR code to be used in an authenticator service.
Allows sending the QR more than once: By default, the QR code can be sent only once (to send another email, you must generate a new OTP secret). To reuse the same code, enable this flag.
Limited use QR: Flag that enables one-time QR mode.
Life time of the limited use QR (in minutes): Defines how long, in minutes, a QR image remains valid, counted from when it is sent until it is scanned by the user.
Maximum number of uses of the QR image: Defines the maximum number of scans of the same QR image.
Captive portal url: Captive portal address for the one-time QR.

Mail settings
Email from: Enter the email address that will send the QR secret.
Username of ‘Email From’: Provide a descriptive name (e.g., the sender’s name or the organization’s name) rather than an email address; in particular, do not repeat the address used in the “Email from:” field. This is crucial to prevent potential rejection by mail relay servers due to anti-spam rules.
Email Title: Enter an email title, e.g. ‘OTP QR secret’.
QR Mail Template: HTML template for the email body.

Limited Use QR Mail Settings
Email from: Enter the email address that will send the QR secret.
Username of ‘Email From’: Provide a descriptive name (e.g., the sender’s name or the organization’s name) rather than an email address; in particular, do not repeat the address used in the “Email from:” field. This is crucial to prevent potential rejection by mail relay servers due to anti-spam rules.
Email Title: Enter an email title, e.g. ‘OTP QR secret’.
QR Mail Template: HTML template for the email body.
Click on Confirm to save your configurations.
Export: You can export the entire database or a subset by filtering the table by the desired value.
3.2.2.4.4.2.2. OTP table
The OTP table displays the following columns. Click on the arrow located at the beginning of each row to expand information about a user.

User: User name.
E-mail: User email.
OTP Secret: Shows the expiration date of a user’s QR code.
QR used: Number of QR codes used.
QR last used: Date of QR usage.
At the end of each row, clicking on the three-dot icon provides options to:
Send QR code to the selected user.
Regenerate OTP for the selected user.
Delete the user.