Two-Factor Authentication (2FA) for Device Access

Access to management protocols (e.g., WEBconfig, SSH, Telnet) can be secured using two-factor authentication (2FA) in addition to the regular password. The feature can be configured separately for additional administrators or for the default root user.

In certain cases, management protocols must be allowed over insecure channels, such as the Internet. To provide additional protection and safeguard the device against brute-force attacks, two-factor authentication can be enabled granularly for different access paths.

Common authenticator apps for mobile devices, such as smartphones, are supported.

Note that in the event of loss of the authenticator, a complete device reset may be required in the worst case. It is therefore recommended not to require 2FA for all configuration access methods — for example, not for serial console access or local LAN access — so that in the event of loss or misconfiguration, the device can still be accessed through normal means without 2FA.

It is especially recommended to enable 2FA protection for access via the WAN interface, including the use of encrypted protocols such as HTTPS or SSH.

Using 2FA requires the device to have the correct time. Therefore, the time reference should always be configured via the NTP client on the router in LANconfig under Date & Time > Synchronization.
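Why the clock matters, shown as an added example that is not LANCOM code: it assumes the one-time passwords are standard time-based codes per RFC 6238 (HMAC-SHA1, 6 digits, 30-second step), which is what common authenticator apps generate. The secret, the timestamps and the verifier's tolerance of one step either side are constructed assumptions, not documented device settings.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, RFC 6238 default (assumed for this device)
DIGITS = 6   # code length (assumed)

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, clock: int) -> str:
    """Code an authenticator app shows when its clock reads `clock` (Unix seconds)."""
    return hotp(key, clock // STEP)

def verify(key: bytes, code: str, device_clock: int, window: int = 1) -> bool:
    """Verifier side: accept codes for +/- `window` steps around the device clock.
    The tolerance window is an assumption, not a documented device setting."""
    now = device_clock // STEP
    candidates = [hotp(key, c) for c in range(max(0, now - window), now + window + 1)]
    return any(hmac.compare_digest(code, c) for c in candidates)

def drift_report(key: bytes, phone_clock: int, drifts: list[int]) -> dict[int, bool]:
    """For each device clock error in seconds, would the phone's code be accepted?"""
    code = totp(key, phone_clock)
    return {d: verify(key, code, phone_clock + d) for d in drifts}

if __name__ == "__main__":
    key = b"12345678901234567890"   # constructed secret (RFC 6238 test key)
    phone = 165                     # constructed timestamp; phone clock is correct
    for drift, ok in drift_report(key, phone, [0, -20, -90]).items():
        print(f"device clock off by {drift:+4d}s -> {'accepted' if ok else 'rejected'}")
```

A device whose clock is 90 seconds behind rejects a code that is perfectly valid on the phone, which is why a device without working NTP can lock out an administrator even though password and authenticator are both correct.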

The basic configuration process for two-factor authentication is as follows:
  1. Create an entry in the "Admin-OTPs" table (LANconfig: Management > Admin > Device configuration > Admin OTPs), specifying the administrator account name to which this entry applies.
  2. Open WEBconfig under Extras > Admin-OTPs. From there, the generated QR code for the user can be displayed, saved, or scanned by an external authenticator app.
  3. When the management connection for the admin user is initiated, the user will be prompted to enter the one-time password (OTP) after entering their regular password.

Generating QR Codes for Connection with the Authenticator

The QR codes used to connect the authenticator with the device are generated in WEBconfig under Extras > Admin-OTPs or alternatively via the CLI command "show Admin-OTP-QR".


www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
