Token Settings
Numerous settings apply to tokens:
Per-user Settings
Single Factor Flag
When set (green checkmark in the Single Factor Flag column), the user can log in without a second factor. This setting is most useful in conjunction with the Auto Provisioning and Gradual Deployment settings described below.
Temporary Token
Selecting a user and clicking "Temporary Token Settings" will bring you to a page where you can add a temporary token to a user. You must specify an expiration date and the maximum number of logins for the temporary token.
Users with valid temporary tokens will have a green checkmark in the Temporary Token column.
Per-domain Settings
Domain configuration can be found under the "Configuration" tab in each GreenRADIUS domain.
Auto Provisioning
When Auto Provisioning is enabled, the first time a user logs in with a YubiKey OTP, that YubiKey will be automatically assigned to the user. The token assignment will appear on the Users/Groups tab.
The "Enable Auto Provisioning for Multiple Tokens Per User" options allow users to provision multiple tokens to themselves by this method. By default, only users with no tokens already assigned can auto provision.
The per-domain Auto Provisioning setting has no effect if it is not also enabled at a global level in the Global Configuration→General tab. (See below.)
Gradual Deployment
Gradual Deployment allows administrators to roll out two-factor authentication gradually, without requiring every user to switch and register a second factor at once. When Gradual Deployment is enabled, the first time a user logs in successfully with a token, that user's Single Factor Flag is automatically disabled, thus requiring two-factor authentication from that point forward. Gradual Deployment is most useful in conjunction with Auto Provisioning, described above.
Important: Changing this setting from Disable to Enable will set all users to needing only passwords (single factor only) to authenticate, even those users that have tokens assigned or are set to needing tokens to authenticate. You can check each user's requirement under the Single Factor Flag column in the Users/Groups tab. A green check mark means the user only needs a password. A red X means the user needs password and token.
Note: This Gradual Deployment feature is not available for Windows Logon.
Token Label Prefix
The Token Label Prefix is a text string which appears in Google Authenticator and other similar soft token apps to signify which Authenticator token is for GreenRADIUS integrated logins. This text string is configurable, but must not contain spaces.
Global Configuration
Token-related global configuration settings are found under the Global Configuration tab→General heading.
OTP Input Method
This setting controls where users input the OTP during login attempts. It is described in more detail in the Authentication Requests section.
Enable Auto Provisioning
The Global Auto Provisioning settings must be enabled for any of the domain settings to have an effect. If Auto Provisioning is disabled in Global Configuration, no domain will have auto provisioning, irrespective of their domain settings.
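The interaction between the global and per-domain Auto Provisioning settings, Gradual Deployment and the Single Factor Flag can be checked against a small model. The Python below is an added example, not GreenRADIUS code: all class and method names are hypothetical, and it assumes that the password and OTP are already verified and that a token which is neither assigned nor auto-provisionable is rejected.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    single_factor: bool = False   # True = green checkmark, password alone is enough
    tokens: set = field(default_factory=set)

@dataclass
class Domain:
    global_auto_prov: bool        # Global Configuration -> General
    auto_prov: bool = False       # per-domain Auto Provisioning
    multi_token: bool = False     # Auto Provisioning for Multiple Tokens Per User
    gradual: bool = False         # Gradual Deployment
    users: dict = field(default_factory=dict)

    def enable_gradual_deployment(self):
        # Disable -> Enable resets every user to single factor, tokens or not.
        if not self.gradual:
            self.gradual = True
            for user in self.users.values():
                user.single_factor = True

    def can_auto_provision(self, user):
        # The domain setting has no effect unless the global setting is on too.
        if not (self.global_auto_prov and self.auto_prov):
            return False
        # By default only users with no token assigned may auto provision.
        return self.multi_token or not user.tokens

    def token_login(self, name, token_id):
        # Password and OTP are taken as already verified (assumption).
        user = self.users[name]
        if token_id not in user.tokens:
            if not self.can_auto_provision(user):
                return False      # assumption: unassigned token is rejected
            user.tokens.add(token_id)
        if self.gradual:
            user.single_factor = False   # two factors required from now on
        return True

    def single_factor_with_tokens(self):
        # Audit view: token holders who can still log in with a password alone.
        return sorted(u.name for u in self.users.values()
                      if u.single_factor and u.tokens)
```

After switching Gradual Deployment from Disable to Enable, `single_factor_with_tokens()` corresponds to the users worth reviewing in the Single Factor Flag column: they hold a token but are not yet required to use it.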
© 2024 Green Rocket Security Inc. All rights reserved.