TOTPRadius LDAP Configuration
LDAP Proxy
The principle behind it is that users will provide their AD or LDAP password together with the one-time passwords in the password field. TOTPRadius will then parse the password, split it into two parts and authenticate the OTP and if correct will send the AD/LDAP password part further to the AD/LDAP server configuration.
The order of authentication is exactly as stated above, OTP is checked first and AD after OTP is confirmed correct; this is done in order to prevent account lockouts during brute force attacks. Enabling LDAP Proxy on your TOTPRadius appliance allows implementing two-factor authentication for systems that do not natively support it, such as Cisco Meraki VPN, Cisco WLC and many others.
Configuring LDAP Proxy
LDAP Feature of TOTPRadius can be enabled on the "General settings" page. There are following LDAP related settings:
► LDAP (Enable/Disable) - Enables LDAP verification. This parameter is to be used for systems not supporting 2FA natively. If enabled the system will expect the OTP to be sent together with LDAP password. This setting controls authentication only, not enrollment.
► LDAP server - IP or FQDN of the LDAP server; if you need to specify multiple servers for redundancy, full URIs separated by space must be used. Example "ldap://192.168.200.208 ldap://192.168.200.209" or "ldaps://ADDC01.domain.local ldaps://ADDC02.domain.local " .
Starting from version 0.2.5 LDAPS is also supported, use ldaps:// protocol in the server address . Using LDAPS is possible with FQDN only - make sure you add the CA certificates used by your LDAPS server.
► LDAP username format - Username format. UPN suffix or leading domain name. %username% will be replaced by the actual username. Examples: %username%@domain.local or DOMAIN\%username%.
Enrollment
These settings are active even if the LDAP proxy feature are not enabled and can be used for self-enrollment using LDAP as the authentication
► Allow ldap enrollment (Enable/Disable) - Allow users to self-enroll their second factor (i.e. generate a QR key) by logging in with LDAP credentials.
► Allow ldap key change (Enable/Disable) - Allow users to re-enroll their second factor (i.e. generate a new QR key) by logging in with LDAP credentials.
► Allow ldap web enrollment (Enable/Disable) - Allow users to self-enroll their second factor (i.e. generate a QR key) by logging in with LDAP credentials via the public Web interface (as a part of VPN Portal). For security reasons, this portal allows only the initial enrollment and does not allow re-enrollment. >Starting from version 0.2.5 the web facing enrollment portal also allows associating a hardware token with user's account. The database of the hardware tokens should be added to the admin portal by the system administrator to allow the user to enroll the hardware token.
► Ldap intro text - This text will appear on LDAP web enrollment page. HTML tags are allowed.
About
Installation and configuration
- Installation and initial configuration
- Network configuration
- Migrating from older versions
- LDAP Configuration
- Azure AD Configuration
- Self-service enrollment portal
- Web and LDAPS Certificates
- Syslog configuration
- Single-factor authentication exceptions
- Slave appliance mode
- Dynamic RADIUS Attributes
Integration guides
Blog
30-01-2022
Top myths about FIDO2 security keys and Passwordless access
We have been getting quite a lot of questions about the security level of FIDO keys, in the light of some recent news and research papers covering potential vulnerabilities of both the protocol stack itself and the hardware of certain implementations.
03-01-2022
molto2.py - Molto2 USB Config tool
molto2.py is a solution developed by Token2 to program and configure the Molto2v2 TOTP hardware tokens using pyscard python library. It works under Linux, macOS and Windows.
15-12-2022
Introducing Passwordless Login for Our Website!
At Token2, we are always looking for ways to improve the user experience and make it as convenient and secure as possible. That's why we are excited to announce the addition of a passwordless login option for our website.