Admin OTPs

The settings for OTPs for administrator accounts can be found in LANconfig under Management > Admin > Device configuration > Admin OTPs.

Username
Username of the administrator for whom two-factor authentication is to be enabled, e.g., "root".
Hash algorithm
Defines the hash algorithm to be used.
Important: Use the strongest hash algorithm that the authenticator app supports.
Time step
Defines the interval in seconds after which a new OTP is generated.
Network delay
Defines the maximum number of time steps by which the client's clock may differ. The device also checks the OTPs that are older or newer by up to this number of time steps.
Secret
Defines the actual shared secret that must be shared with the authenticator app. The secret must be unique for each user. There are currently three input options in the table:
Base32 (Default)
Prefix "base32:" followed by the Base32-encoded secret. The prefix may also be omitted.
Hexadecimal
Prefix "hex:" followed by an even number of hex digits.
Plain text passphrase
Prefix "ascii:" followed by the characters.
Note: For Google Authenticator, the secret must be 16 characters long (80 bits, Base32 encoded), e.g. E3U5IDWEE3KFCJ7G.
Issuer
Freely definable text used in the authenticator to distinguish between multiple keys or for general display purposes when the same username is used. The value must not contain a colon.
Number digits
Length of the OTPs.
Note: For Google Authenticator, the value should be set to 6.
Required for protocol over
Defines whether two-factor authentication is required for this user when logging in via this protocol and whether the device should prompt for it. You can specify individually for which access paths two-factor authentication is required, e.g., only for access via a WAN connection.
All
Two-factor authentication is required for all access protocols.
WAN
Two-factor authentication is required for access via "WAN".
VPN over LAN
Two-factor authentication is required for access via "VPN over LAN".
VPN over WLAN
Two-factor authentication is required for access via "VPN over WLAN".
LAN
Two-factor authentication is required for access via "LAN".
WLAN
Two-factor authentication is required for access via "WLAN".
VPN over WAN
Two-factor authentication is required for access via "VPN over WAN".
Required for outband
Defines whether two-factor authentication is required for this user when logging in via the serial interface, or whether the device should request it.
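
How the fields above (secret format, hash algorithm, time step, network delay, number of digits) combine in a time-based OTP check, shown as an added example that is not LANCOM code and not part of the original page. It assumes the device follows standard TOTP (RFC 6238), as the authenticator-app compatibility suggests; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def parse_secret(value: str) -> bytes:
    """Decode a secret written with the "base32:", "hex:" or "ascii:" prefix."""
    if value.startswith("hex:"):
        return bytes.fromhex(value[4:])          # raises on an odd digit count
    if value.startswith("ascii:"):
        return value[6:].encode("ascii")
    if value.startswith("base32:"):              # default; prefix may be omitted
        value = value[7:]
    value = value.replace(" ", "").upper()
    value += "=" * (-len(value) % 8)             # restore stripped padding
    return base64.b32decode(value)


def totp(secret: bytes, unix_time: float, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 code for the time step that contains unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def verify(secret: bytes, candidate: str, unix_time: float, delay: int = 1,
           step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept candidate if it matches any step within +/- delay time steps."""
    ok = False
    for drift in range(-delay, delay + 1):
        expected = totp(secret, unix_time + drift * step, step, digits, algorithm)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok
```

Each additional step of network delay adds two more codes that are valid at any moment, so a delay of 1 with a 30-second time step means three accepted codes covering a 90-second window.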

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
