GreenRADIUS supports several different types of second factor, called tokens:
The Yubikey OTP protocol emits a 44-character One-Time Password (OTP). Once one OTP has been used, it cannot be used again. Another must be generated from the YubiKey. Thus to compromise a Yubikey-secured device, a malicious party would have to gain access to the YubiKey device itself. YubiKeys can be assigned to users in three ways:
- By the administrator in the Users/Groups tab of the GreenRADIUS domain
- With auto-provisioning
- By the user in the GreenRADIUS Self-Service Portal
https://<IP address of GreenRADIUS>
Yubikey OTPs come in two variants: pre-programmed and custom. By default, Yubikeys ship with a pre-programmed secret. OTPs generated using this pre-programmed secret can only be validated using Yubico's YubiCloud servers. You can re-program and overwrite this secret, however, and import that secret into GreenRADIUS. Please refer to our Document Library to see our YubiKey programming guide.
The Global Configuration→Validation Server setting allows you to select whether Yubikey OTPs will be validated by the YubiCloud or locally by GreenRADIUS. If using pre-programmed keys, select YubiCloud. If you are using custom secrets, use local validation.
The OATH protocol is similar to the OTP protocol. OATH OTPs are shorter than the traditional YubiKey OTP, which may make OATH OTPs desirable for situations where password fields have a character-lenght limitation. This option is available for customers with a license for our premium OATH Module.
Please refer to our Document Library to see our guide on programming YubiKeys in OATH-HOTP mode.
GreenRADIUS supports Google Authenticator and other similar soft tokens as a second
factor for users for those customers with a license for our premium OATH Module. Users
sign in to the GreenRADIUS Self-Service Portal, select
Google Authenticator, and scan
a QR code with the phone app. Once the user clicks
Proceed on the Self-Service Portal,
the soft token is registered to his user account in GreenRADIUS, and a six-digit code is
regenerated every 30 seconds, providing a secure second factor.
The "Green Rocket 2FA" app is available for iOS or Android. Once the app is installed, there is a simple, one-time registration process. This feature is available for customers that have a GreenRADIUS license for our mobile app. (The app is free to download for users.)
In addition to a GreenRADIUS license enabling the use of our mobile app, make sure of the following:
- A valid certificate should be installed in GreenRADIUS. See our Certificate guide for more details.
- Ports 443 and 9443 should be open for communication to and from GreenRADIUS.
When an authentication request reaches GreenRADIUS, and a user has our mobile app installed and registered with GreenRADIUS, a push request will be sent to the user's phone, appearing as a notification in which they can either approve or deny the request.
The U2F function of the YubiKey (or any other FIDO U2F token) is used with our 2FA for Windows Logon solution. When users log in to Windows, the U2F token flashes, prompting the user to touch the token button and complete the login. No pre-registration of the token is required.
U2F can also be used for web applications on supported browsers.
A temporary token is a static per-user text string which is valid for a limited time and a limited number of logins only. Temporary tokens can be created from the Users/Groups tab.
© 2020 Green Rocket Security Inc. All rights reserved.