
Hi,

It's possible to use MobileID and Google Authenticator. How to configure it?

asked Jan 24 '12 at 15:22


anttisa ♦


Hi,

To use Google Authenticator, you need MobileID version 1.3.3 or newer.

1) Copy syncseed to your custom location.

# cp /usr/share/mobileid/examples/custom-policies/syncseed /var/lib/mobileid/custom/syncseed

2) Log on to Web Access and navigate to Default Parameters -> Custom Policies

3) Enable setting:

Accept Policy File       /var/lib/mobileid/custom/syncseed

=> Click Save

4) From Web Access Home view click refresh

5) Test OTP authentication

=> After successful authentication user receives Google Authenticator Key

6) Navigate to Default Parameters -> OATH token Authentication -> Init Settings

7) Enable setting:

OATH Auth mode            Google Authenticator

=> Click Save

8) Navigate to Default Parameters and enable setting:

 Default User Profile: OATH token authentication

9) From Web Access Home view refresh MobileID

Now user(s) can authenticate with a Google Authenticator code. More information about Google Authenticator is available here.


answered Jan 24 '12 at 15:39


anttisa ♦

You might need to add these lines into your midd.conf file if you get errors about "PinChangeText" when testing the Google Authenticator (also if the PinChangeText option in GUI is greyed out).

Options OATHAUTH.TokenChallengeText = "Please enter your PASSCODE: "
Options OATHAUTH.PinChangeText = "Please provide your new PIN:"
Options OATHAUTH.PinErrorText = "Incorrect PIN"
Options OATHAUTH.PinLenInvalidText = "Incorrect PIN"
Options OATHAUTH.SeedMissingText = "Seed not set"

answered May 18 '12 at 16:26


Sami Marttinen ♦

If you want to receive a 16-character seed for Google Authenticator:

1) Edit policy file /var/lib/mobileid/custom/syncseed and change line

-       VP-Create       OATHINIT.Seed["rand:8[a-z][0-9]"] = *

To:

-       VP-Create       OATHINIT.Seed["rand:10[a-z][0-9]"] = *

2) Restart MobileID server


answered Jan 31 '12 at 12:14


anttisa ♦
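The answer above changes the policy's random-seed length so that the key handed to the user is 16 characters. The following is an added illustration, not MobileID code and not from the answer's author: it assumes that rand:N in the policy produces N random bytes, so rand:10 gives 80 bits, which base32-encodes to exactly the 16 characters Google Authenticator expects (rand:8 gives 64 bits, which encodes to 13 characters). It also shows how the app derives its 6-digit code from that seed (RFC 4226 HOTP under RFC 6238 TOTP, SHA-1, 30-second step), so you can verify a code against a stored seed on the server side. The helper names (generate_seed, seed_to_key, hotp, totp, verify_totp) are this example's own.

```python
"""Added example: random seed -> base32 key for Google Authenticator -> 6-digit code.

Assumption (not stated on the page): the policy's rand:N yields N random bytes.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_seed(num_bytes: int = 10) -> bytes:
    """Random seed; 10 bytes (80 bits) is the classic Google Authenticator size."""
    return secrets.token_bytes(num_bytes)


def seed_to_key(seed: bytes) -> str:
    """Base32-encode the seed without '=' padding: this is the key the user types in.

    10 bytes -> 16 characters, 8 bytes -> 13 characters."""
    return base64.b32encode(seed).decode("ascii").rstrip("=")


def key_to_seed(key: str) -> bytes:
    """Inverse of seed_to_key; tolerates spaces and lowercase as typed by users."""
    k = key.replace(" ", "").upper()
    k += "=" * (-len(k) % 8)  # restore padding so b32decode accepts it
    return base64.b32decode(k)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it (SHA-1, 30 s, 6 digits)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- window
    steps to tolerate clock drift; compare in constant time."""
    for delta in range(-window, window + 1):
        candidate = hotp(seed, unix_time // 30 + delta)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    seed = generate_seed(10)
    key = seed_to_key(seed)
    print("Key to enter in Google Authenticator:", key, "(%d chars)" % len(key))
    print("Current code:", totp(seed))
    print("Round trip ok:", key_to_seed(key) == seed)
```

The RFC 4226 and RFC 6238 test vectors (seed "12345678901234567890", counter 0 gives 755224, time 59 gives 94287082 at 8 digits) can be used to confirm the implementation before trusting it with real seeds.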

Also, as the default "Run OTP test" can only use SMS, and in the Google Authenticator case this SMS OTP test is used to deliver the seed, you might want to change the settings so that for new users the seed is always sent via email rather than via SMS.

SENDING SEED VIA EMAIL (new user):

1) JUNIPER SSL VPN CONFIGURATION:

Add two RADIUS realms to Juniper SA: one for “Email OTP” and one for “Google Authenticator”  (instructions in MobileID Juniper integration guide) --

     a.       Set e.g. value "EmailOTP" for NAS ID of realm Email OTP

     b.      Set e.g. value "GAuth" for NAS ID of realm Google Authenticator

2) MOBILEID CONFIGURATION:

Add two RADIUS Clients to MobileID: one for "Email OTP" and one for "Google Authenticator" --

     a.       Set e.g. value "EmailOTP" for Allowed IDs (==NAS ID) of client Email OTP.

                i.      From Customer Parameters, set:

                    1.       Default Profile = “Password Authentication, OTP Authentication”

                    2.       Accept Policy File = “<path>/syncseed”

     b.      Set e.g. value "GAuth" for Allowed IDs (==NAS ID) of client Google Authenticator

                i.      From Customer Parameters, set:

                    1.       Default Profile = “Password Authentication, OATH Authentication”

OTP Authentication needs to be configured to deliver OTP via Email rather than SMS. After every OTP login, mobileid runs syncseed as a post authentication task (as it does now):

        a.       If Seed doesn’t exist (NEW Google Authenticator user):

                       i.      Syncseed sends the Seed via Email rather than SMS (syncseed has to be modified, see below)

The syncseed already submits the seed via Email, and all you need to do is delete the lines which refer to SMS sending, those being (edit the configuration file):

            -       VP-Create       WLOGINSRV.Arg1 = "You will next receive a Google Authenticator key for your Tectia account."

            -       LoadModule      LocalWLOGINSRV.IntmStr = "WLOGINSRV", WLogin.JumpFunc = "SendSMS"

            -       VP-Create       WLOGINSRV.Arg1 = "{ OATHINIT.Seed }"

            -       LoadModule      LocalWLOGINSRV.IntmStr = "WLOGINSRV", WLogin.JumpFunc = "SendSMS"

Note: GUI will wipe out all manual configuration file additions, so every time something is changed via GUI, all manual configuration file additions must be done again into the configuration file.


answered May 18 '12 at 16:36


Sami Marttinen ♦

NOTE: Seed values of tokens can be stored either in local LDAP or in AD. If they are stored in AD, then the user accounts will need to have write access to AD.


answered May 18 '12 at 18:47


Sami Marttinen ♦

Asked: Jan 24 '12 at 15:22

Seen: 5,636 times

Last updated: May 18 '12 at 18:47