
This article describes how to set up Nexus Hybrid Access Gateway to use an OATH-compliant mobile app as authentication method, such as Nexus Personal Mobile OTP, Google Authenticator, or Microsoft Authenticator.


Prerequisites

  • An SMS or email gateway must be available for sending notifications.
  • Network Time Protocol (NTP) must be configured so that the gateway's clock is synchronized. Time-based (TOTP) codes are only valid within a short time window, so a server clock that drifts causes correct codes to be rejected.
  • To use the method, the user must install the Nexus Personal Mobile app, the Google Authenticator app or the Microsoft Authenticator app from Apple App Store or Google Play.

Step-by-step instruction

 Log in to Hybrid Access Gateway administration interface
  1. Log in to the Hybrid Access Gateway administration interface with your admin user.
 Add an OATH-compliant app as authentication method
  1. In the Hybrid Access Gateway administration interface, go to Manage System.
  2. Click OATH Configuration.
  3. Under the heading Database Connectivity, click Manage OATH Providers. Here you see the pre-defined providers (HOTP - event based one time password and TOTP - time based one time password). You cannot edit the pre-defined providers, only the new ones that you add. SHA1, SHA256 and SHA512 are the HMAC hash algorithms a provider can use; the provider and the user's app must use the same one.
    • Nexus Personal Mobile, Google Authenticator and Microsoft Authenticator all support SHA1.
    • Nexus Personal Mobile also supports SHA256 and SHA512 with iOS and Android.
    • Google Authenticator supports SHA256 and SHA512, but only with iOS, not with Android.
    • Microsoft Authenticator only supports TOTP.
    • Nexus Personal Mobile also supports fingerprint authentication and face recognition (on iOS).

      Go here for more information about the mobile apps: Compare Personal Mobile with other mobile OTP apps.
  4. Click Manage System > Authentication Methods > Add Authentication Method...
  5. Select Portwise OATH and click Next.
  6. Enter a Display Name. Check Enable authentication method and Visible in authentication menu.
  7. Select a pre-defined provider from the OATH Provider drop-down list, for example, for Google Authenticator with HOTP select Predefined_Hotp_HmacSHA1.
    The email sent to the user can be configured to mention which OATH-compliant app the user shall use, for example, Google Authenticator. For more information about how to change email messages, go here: Change provisioning messages.

  8. Select if you want to use Two Factor Authentication and if so, if you want to use one or two fields for entering password and OTP.
    • One field: Password and OTP are entered in the same input field, like: <password><otp>.
    • Two fields: Separate input fields are used, one to enter <password> and one to enter <otp>.
  9. Click Add Authentication Method Server... and configure the server settings as needed.
  10. Click Next.
  11. Click Next until the Wizard is finished.
  12. Click Finish.
  13. Click Publish.
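As an added example (not Nexus code and not part of the original page), the following Python shows what the predefined HOTP and TOTP providers compute with the HmacSHA1, HmacSHA256 and HmacSHA512 variants, how a server validates a code with an event-counter look-ahead or a time-skew window (which is why the NTP prerequisite matters), and how a one-field <password><otp> input is split. The secrets are the published RFC 4226 and RFC 6238 test vectors, not real provisioning data; the function and parameter names are this example's own.

```python
"""What an OATH provider computes: HOTP (event based) and TOTP (time based)
with HmacSHA1/SHA256/SHA512, plus server-side validation.

Added example for illustration; it is not Nexus code. The RFC 4226/6238
test secrets below are the published vectors, not real provisioning data.
"""
import hashlib
import hmac
import struct

# Hash functions behind the provider names on the page (e.g. Predefined_Hotp_HmacSHA1).
ALGORITHMS = {
    "HmacSHA1": hashlib.sha1,
    "HmacSHA256": hashlib.sha256,
    "HmacSHA512": hashlib.sha512,
}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "HmacSHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         algorithm: str = "HmacSHA1", period: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the number of `period`-second steps since the epoch."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def verify_hotp(secret: bytes, otp: str, stored_counter: int, look_ahead: int = 5,
                digits: int = 6, algorithm: str = "HmacSHA1"):
    """Event-based validation. The app may have generated codes the server never saw,
    so accept stored_counter .. stored_counter + look_ahead. Counters below the stored
    value are never accepted (replay). Returns the counter to store next, or None."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), otp):
            return c + 1
    return None


def verify_totp(secret: bytes, otp: str, unix_time: int, skew_steps: int = 1,
                digits: int = 6, algorithm: str = "HmacSHA1", period: int = 30) -> bool:
    """Time-based validation with a +/- skew_steps window. The window tolerates a few
    seconds of drift only; without NTP on the gateway every code ends up rejected."""
    step = int(unix_time) // period
    return any(
        hmac.compare_digest(hotp(secret, s, digits, algorithm), otp)
        for s in range(step - skew_steps, step + skew_steps + 1)
    )


def split_combined_field(value: str, digits: int = 6):
    """One-field two-factor mode: the input is <password><otp>. The split is unambiguous
    only because the provider's OTP length is fixed, so the OTP is the trailing digits."""
    if len(value) <= digits or not value[-digits:].isdigit():
        raise ValueError("input too short or OTP part is not numeric")
    return value[:-digits], value[-digits:]


# Published RFC test secrets (ASCII "1234567890..." repeated to the hash's block size).
SECRET_SHA1 = b"12345678901234567890"
SECRET_SHA256 = b"12345678901234567890123456789012"
SECRET_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"

if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(SECRET_SHA1, c) for c in range(3)])
    for alg, secret in (("HmacSHA1", SECRET_SHA1), ("HmacSHA256", SECRET_SHA256),
                        ("HmacSHA512", SECRET_SHA512)):
        print(alg, "TOTP at T=59:", totp(secret, 59, digits=8, algorithm=alg))
    code = totp(SECRET_SHA1, 59, digits=8)
    print("code from T=59 accepted at T=61:", verify_totp(SECRET_SHA1, code, 61, digits=8))
    print("same code at T=95 (two steps late):", verify_totp(SECRET_SHA1, code, 95, digits=8))
    print("HOTP resync from counter 1 with the code for counter 3 ->",
          verify_hotp(SECRET_SHA1, hotp(SECRET_SHA1, 3), 1))
    print(split_combined_field("Secr3t!" + code, 8))
```

The look-ahead and skew windows are the knobs a provider exposes as a trade-off: a larger window survives more drift or more unused codes on the phone, but widens what an attacker who guesses codes can hit. Keeping the HOTP counter strictly increasing on the server is what prevents a captured code from being replayed.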
 Enable an OATH-compliant app for an end user
  1. In the Hybrid Access Gateway administration interface, go to Manage Accounts and Storage.
  2. Click User Accounts. Search for the user that you shall enable the OATH-compliant app for, or add a new user account, see Add user account.
  3. If you are updating an existing user account, click Edit User Account and select the PortWise Authentication tab.
  4. Select Enable Portwise OATH for the user account.
  5. Under Notification Settings, enter the email address or mobile number, depending on how you want to send the notification. If an Active Directory is connected, the information is filled in automatically from the user id in the Active Directory. If not, enter the values manually.
  6. Click Next.
  7. The Token ID field is grayed out since this is not a hardware token.
  8. Select Provider from the drop-down list and select Status active.

    Select a predefined provider for which an authentication method has been added.

  9. If you have chosen Two Factor Authentication, enter a password that the user shall use and check any password properties.
  10. Select Notification: By screen, by sms, by email and so on.
  11. Click Next and Finish Wizard.
    1. The text in green is "Notification by screen".
    2. The email that is sent to the user contains a QR code. The user shall download the OATH-compliant app from Apple App Store or Google Play and use the app to scan the code.
 Enable OATH-compliant app self service registration
  1. In the Hybrid Access Gateway administration interface, go to Manage Accounts and Storage.
  2. Click Self Service and select the OATH Profile Provisioning tab.
  3. Check Enable OATH Profile Self Service Provisioning.
  4. Enable the Notification Channels: email, SMS, QR code.
  5. You can customize the notification message. To see all options for the message, click the ? icon. Change "OATH Authentication" in the mail message to a text that informs the user about the method to use, what app to download and other relevant information.
  6. Click Save.
  7. Click Publish.
 Set up user account to be able to use self-service
  1. In the Hybrid Access Gateway administration interface, go to Manage Accounts and Storage.
  2. Click User Accounts. Search for the user that shall be able to use self-service, or add a new user account, see Add user account.
  3. If you are updating an existing user account, click Edit User Account and select the PortWise Authentication tab.

  4. Check Enable PortWise OATH for the user account. Also check, for example, Enable PortWise Password for the user account.

    In order to use OATH for authentication, the user needs the authentication method PortWise OATH to be enabled. For self-registration the user is required to authenticate with another method, like PortWise Password, to prove their identity before a new OATH profile is created. For this reason, the corresponding method (for example, PortWise Password) needs to be enabled for this user as well.

  5. Under Notification, provide the email address and mobile number. If an Active Directory is connected, the information is filled in automatically from the user id in the Active Directory. If not, enter the values manually.
  6. Click Next.

    This step assumes that password has been selected in step 4 as the second authentication method.

    If an Active Directory is connected, the password that the user shall provide comes from the Active Directory. If not, enter a password for the user to use and check any password properties.

  7. For PortWise OATH, do not add a token because the user shall do that as self service registration.
  8. Select Notification, for example, select by screen and by email.
  9. Click Next.
  10. Click Finish Wizard.
    The text in green is "Notification by screen". Note that it contains a line with the user's password in clear text.
 Register a new device
  1. Next time when the user logs in to Hybrid Access Gateway, there is a "New Device?" link available.
  2. The user shall then first authenticate with the other enabled method, for example, the password. The user has been notified about this by email.
  3. The user then clicks Confirm to create a new profile.
  4. Depending on the settings, an email about OATH profile provisioning is sent to the user, a QR code is presented on screen, or both. The user scans the code with, for example, Google Authenticator.
  5. The user then clicks Activate in the app and registers a PIN code and, if applicable, a fingerprint.
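Added example, not part of the original page and not Nexus code: a parser that validates the payload of an enrolment QR code before it is trusted. The page does not state the exact payload format; the example assumes the code carries a standard otpauth:// URI, which is what Google Authenticator and Microsoft Authenticator scan. The sample URIs are constructed, and the suggested_provider naming extrapolates from the one provider name the page shows (Predefined_Hotp_HmacSHA1), so treat it as an assumption.

```python
"""Parse and sanity-check the provisioning payload that an enrolment QR code carries.

Added example, not Nexus code. It assumes the QR code encodes the de-facto
standard otpauth:// URI that Google Authenticator and Microsoft Authenticator
scan; the parameter names follow that convention, not a Nexus specification.
The sample URIs are constructed for this example.
"""
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlparse

SUPPORTED_TYPES = ("hotp", "totp")
SUPPORTED_ALGORITHMS = ("SHA1", "SHA256", "SHA512")


def parse_otpauth(uri: str) -> dict:
    """Return the validated provisioning parameters, or raise ValueError."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported OTP type {otp_type!r}")

    # Label is "issuer:account" or just "account", percent-encoded.
    label_issuer, _, account = unquote(parts.path.lstrip("/")).rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    issuer = params.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:
        raise ValueError("issuer parameter and label issuer disagree")

    # Secret is unpadded base32; re-pad before decoding. RFC 4226 requires
    # at least 128 bits of shared secret, so reject anything shorter.
    try:
        raw = params["secret"].upper()
        secret = base64.b32decode(raw + "=" * (-len(raw) % 8))
    except (KeyError, binascii.Error) as exc:
        raise ValueError("missing or malformed secret") from exc
    if len(secret) < 16:
        raise ValueError(f"secret is only {len(secret) * 8} bits")

    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits = int(params.get("digits", "6"))
    if digits not in (6, 8):
        raise ValueError(f"unsupported digit count {digits}")

    result = {
        "type": otp_type, "issuer": issuer, "account": account,
        "secret": secret, "algorithm": algorithm, "digits": digits,
        # Assumed naming: extends the one provider name on the page,
        # Predefined_Hotp_HmacSHA1, to the other type/hash combinations.
        "suggested_provider": f"Predefined_{otp_type.capitalize()}_Hmac{algorithm}",
    }
    if otp_type == "totp":
        result["period"] = int(params.get("period", "30"))
        if result["period"] <= 0:
            raise ValueError("period must be positive")
    else:
        if "counter" not in params:
            raise ValueError("hotp URI must carry an initial counter")
        result["counter"] = int(params["counter"])
    return result


# Constructed sample payloads (the secret is the ASCII string "12345678901234567890").
TOTP_URI = ("otpauth://totp/Example%20Corp:alice%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp"
            "&algorithm=SHA256&digits=6&period=30")
HOTP_URI = "otpauth://hotp/alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0"
BAD_URI = "otpauth://totp/alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&algorithm=MD5"

if __name__ == "__main__":
    for uri in (TOTP_URI, HOTP_URI, BAD_URI):
        try:
            print(parse_otpauth(uri))
        except ValueError as exc:
            print("rejected:", exc)
```

The checks mirror what a careful provisioning flow should enforce on both ends: the type and hash algorithm must match a provider the gateway actually has, the secret must be long enough and decodable, and a HOTP profile without an initial counter cannot be synchronized. The QR payload is the shared secret in plain form, so it deserves the same handling as the password shown in the on-screen notification.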
 Differences between Personal Mobile, Google Authenticator and Microsoft Authenticator