Numerous settings apply to tokens:
When set (green checkmark in the Single Factor Flag column), the user can log in without a second factor. This setting is most useful in conjunction with the Auto Provisioning and Gradual Deployment settings described below.
Selecting a user and clicking "Temporary Token Settings" will bring you to a page where you can add a temporary token to a user. You must specify an expiration date and the maximum number of logins for the temporary token.
Users with valid temporary tokens will have a green checkmark in the Temporary Token column.
Domain configuration can be found under the "Configuration" tab in each GreenRADIUS domain.
When Auto Provisioning is enabled, the first time a user logs in with a YubiKey OTP, that YubiKey will be automatically assigned to the user. The token assignment will appear on the Users/Groups tab.
The "Enable Auto Provisioning for Multiple Tokens Per User" options allow users to provision multiple tokens to themselves by this method. By default, only users with no tokens already assigned can auto provision.
The per-domain Auto Provisioning setting has no effect if it is not also enabled at a global level in the Global Configuration→General tab. (See below.)
Gradual Deployment allows administrators to roll out the deployment of two-factor authentication gradually, without requiring every user to switch and register a second factor at once. When Gradual Deployment is enabled, the first time a user logs in successfully with a token, his Single Factor Flag is automatically disabled, thus requiring two-factor authentication from that point forward. Gradual Deployment is most useful in conjunction with Auto Provisioning, described above.
Important: Changing this setting from
Enable will set all users to needing only passwords (single factor only) to authenticate, even those users that have tokens assigned or are set to needing tokens to authenticate. You can check each user's requirement under the
Single Factor Flag column in the Users/Groups tab. A green check mark means the user only needs a password. A red X means the user needs password and token.
Note: This Gradual Deployment feature is not available for Windows Logon.
The Token Label Prefix is a text string which appears in Google Authenticator and other similar soft token apps to signify which Authenticator token is for GreenRADIUS integrated logins. This text string is configurable, but must not contain spaces.
Token-related global configuration settings are found under the Global Configuration tab→General heading.
This setting controls where users input the OTP during login attempts. It is described in more detail in the Authentication Requests section.
The Global Auto Provisioning settings must be enabled for any of the domain settings to have an effect. If Auto Provisioning is disabled in Global Configuration, no domain will have auto provisioning, irrespective of their domain settings.
© 2023 Green Rocket Security Inc. All rights reserved.