Configuration with LANconfig

OTP user accounts

The OTP users are defined in the OTP user accounts table. For EAP-OTP, the user must exist with their normal password in the RADIUS user accounts table and must additionally be created in this table with the OTP secret.

The configuration of the OTP user accounts is done via RADIUS > Server > User database > OTP user accounts.

Username
Enter the name of the OTP user here. This must already be contained in the RADIUS user accounts table with the same name.
Hash algorithm
Defines the hash algorithm used.
Note: Make sure that the Authenticator app supports the selected hash algorithm. For example, Google Authenticator currently supports only SHA1 on certain Android platforms.
Time step
Defines the interval in seconds after which a new OTP is calculated. Default: 30 seconds
Network delay
Defines the maximum number of time steps by which the client's clock may deviate. The RADIUS server also accepts OTPs that are up to this many time steps older or newer than the current one.
Secret
Defines the actual shared secret that must also be entered in the Authenticator app. The secret must be different for each user. The table currently accepts three input formats:
Base32 (Default)
Prefix "base32:" followed by the base32 encoded secret. The prefix "base32:" may also be omitted.
Hexadecimal
Prefix "hex:" followed by an even number of hex digits.
Plain text passphrase
Prefix "ascii:" and then the characters.
Note: For Google Authenticator, the secret must be 16 characters long (80 bit, Base32 encoded), e.g. E3U5IDWEE3KFCJ7G
Issuer
Freely definable text used in Authenticator to keep multiple keys apart when the same username is used. Must not contain a colon.
Number digits
Length of the OTP in digits. Default: 6.
Note: For Google Authenticator, the value 6 should be used.
Calling station id mask
This mask restricts the validity of the entry to certain IDs transmitted by the calling station.
Called station id mask
This mask restricts the validity of the entry to certain IDs transmitted by the called station.
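The following added example (not LANCOM code) shows how the fields above fit together on the server side: it decodes a secret in the three accepted formats (base32:, hex:, ascii:), derives the OTP for the current time step with the configured hash algorithm and digit count, and accepts codes within plus or minus the network delay. It assumes the device verifies time-based OTPs as specified in RFC 6238 (HOTP per RFC 4226 over a time counter); the secret used in the demo is the RFC test secret, a constructed value, not a real user's.

```python
import base64
import hashlib
import hmac
import struct


def parse_secret(value: str) -> bytes:
    """Decode an OTP secret entry: base32: (default, prefix optional), hex:, ascii:."""
    if value.startswith("hex:"):
        digits = value[4:]
        if len(digits) % 2:
            raise ValueError("hex secret needs an even number of hex digits")
        return bytes.fromhex(digits)
    if value.startswith("ascii:"):
        return value[6:].encode("ascii")
    if value.startswith("base32:"):
        value = value[7:]
    # b32decode needs padding to a multiple of 8 characters (16-char secrets = 80 bit)
    padded = value.upper() + "=" * (-len(value) % 8)
    return base64.b32decode(padded)


def totp(secret: bytes, counter: int, algo: str = "sha1", digits: int = 6) -> str:
    """HOTP (RFC 4226) over a time counter, i.e. TOTP (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(otp: str, secret_entry: str, now: int, time_step: int = 30,
           network_delay: int = 1, algo: str = "sha1", digits: int = 6) -> bool:
    """Accept the OTP if it matches any time step within +/- network_delay of now."""
    secret = parse_secret(secret_entry)
    counter = now // time_step
    for delta in range(-network_delay, network_delay + 1):
        if hmac.compare_digest(totp(secret, counter + delta, algo, digits), otp):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo input: the RFC 6238 test secret at T = 59 seconds
    print(verify("287082", "ascii:12345678901234567890", now=59))  # True
```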

EAP-OTP

RADIUS > Server > Extended configuration > EAP

The Default method has been extended by the value OTP.

OTP
One Time Password. This value must be used with EAP-OTP for two-factor authentication in the VPN, because with the LANCOM Advanced VPN Client the EAP method is specified by the EAP server.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
