Nexus Documentation

Set up Nexus OTP as 2FA for Cyberoam

This article describes how to enable Nexus OTP in the Smart ID Digital Access component as a two-factor authentication method for Cyberoam, replacing static passwords.

Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator. 

With the setup described in this article, Digital Access functions as a RADIUS server and Cyberoam as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows.

Network schematic for Nexus OTP authentication

[Figure: Network schematic with Nexus TruID Synchronized as an example.]


  1. The end user starts the TruID client and enters the PIN in TruID to generate an OTP.

  2. Cyberoam requests the end user to enter username, password and OTP.

  3. The end user enters username, domain password and OTP.

  4. The domain credentials are validated by Active Directory.

  5. The OTP authentication request is relayed to the Digital Access Authentication Server via RADIUS.

  6. The authentication server validates the OTP against the TruID token and PIN associated with the user in the user database.

  7. Upon successful validation, the authentication server responds to Cyberoam with a successful authentication.

  8. Cyberoam provides access to the end user.

Prerequisites

Make settings in Digital Access

Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.


Add Cyberoam as a RADIUS client


In step 3, enter the IP address of the RADIUS client (Cyberoam) and the Shared Secret Key. The same shared secret must later be entered in Cyberoam when Digital Access is added as RADIUS server.

  1. In Digital Access Admin, go to Manage System.

  2. Click RADIUS Configuration > Add RADIUS Client...

  3. Enter General Settings and Attributes. Click the ?-sign for help.

  4. Click Save.


Enable authentication method

Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.

  • In step 3, select Nexus Synchronized as the method.

  • When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.

To add a new authentication method:

  1. In Digital Access Admin, go to Manage System.

  2. Click Authentication Methods.

  3. Click Add authentication method..., select the desired method and click Next.

  4. Enter Display Name, a unique name used in the system to identify the authentication method.

  5. Select whether the method shall be enabled and whether it shall be visible in the authentication menu.

  6. Register Authentication Methods Server when applicable.

  7. Make other configurations as needed for the selected authentication method. For more information, click the ?-sign. Click Next.

  8. If needed, make settings in RADIUS Replies and Extended Properties.

  9. Click Next and Finish.

  10. Click Publish.

Make settings in Cyberoam

Add Digital Access as RADIUS Server
  1. Log in to the Cyberoam administrative interface.

  2. Navigate to Identity > Authentication > Authentication Server.

  3. Click Add to configure RADIUS Server parameters as shown in the table below.

    Server Type: RADIUS server
      Select RADIUS server. If the user is required to authenticate using a RADIUS server, the appliance needs to communicate with the RADIUS server for authentication.

    Server Name: CR_RADIUS
      Specify a name to identify the RADIUS server.

    Server IP: 172.16.16.18
      Specify the RADIUS server IP address.

    Authentication Port: 1812
      Specify the port number through which the server communicates. By default, the port is 1812.

    Shared Secret: cyberoam
      Provide the shared secret, which is used to protect information passed between the appliance and the RADIUS server. It must match the secret configured for the RADIUS client in Digital Access.

    Integration Type: Tight Integration
      Select Tight Integration with the appliance if you want to use a vendor-specific attribute for setting the user group membership, and specify the group name attribute.

    Group Name Attribute: Filter-Id
      The group name attribute is vendor specific.


  4. Click Test Connection to check if Cyberoam is able to connect to the RADIUS Server.

  5. Cyberoam prompts for administrative credentials to test the connection as shown below. Enter the credentials and click Test Connection. If connection is successful, click OK to save the configuration.

  6. Go to Identity > Authentication > Firewall.

  7. Select RADIUS Server as primary authentication server.

  8. Click Apply to save configuration.
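The settings above (UDP port 1812, the shared secret, and Filter-Id as group attribute) map directly onto the RADIUS exchange of RFC 2865 that runs between Cyberoam and Digital Access. The following is an added example, not Nexus or Cyberoam code, that builds an Access-Request carrying the OTP in the User-Password attribute, answers it with an Access-Accept carrying Filter-Id, and verifies the reply on the client side. It assumes plain RADIUS PAP as described by the page; the username, OTP, group name and the NAS address 172.16.16.1 are constructed sample values, and the secret `cyberoam` is the page's own example value. The point for a practitioner: the shared secret only obfuscates User-Password with an MD5 keystream and authenticates the reply, so a reply whose Response Authenticator does not verify must be discarded rather than acted on.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
HEADER = struct.Struct("!BBH")  # code, identifier, length; the 16-byte authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username: str, otp: str, secret: bytes, ident: int, request_auth=None) -> bytes:
    """What the RADIUS client (Cyberoam) sends: the OTP travels in User-Password."""
    request_auth = request_auth or os.urandom(16)  # must be fresh and unpredictable per request
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(otp.encode(), secret, request_auth)),
                         (NAS_IP_ADDRESS, bytes([172, 16, 16, 1]))])  # constructed client address
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code: int, ident: int, request_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def answer_request(request: bytes, secret: bytes, check_otp, group: str) -> bytes:
    """RADIUS server side: recover the OTP, validate it, reply with Filter-Id on success."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    user = attrs[USER_NAME].decode()
    otp = reveal_password(attrs[USER_PASSWORD], secret, request_auth).decode()
    if check_otp(user, otp):
        code, body = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, group.encode())])
    else:
        code, body = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return HEADER.pack(code, ident, 20 + len(body)) + auth + body


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Client side: accept the code and attributes only after the Response Authenticator checks out."""
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # wrong secret or modified packet: treat as no answer at all
    return code, decode_attrs(response[20:])


def demo(secret: bytes = b"cyberoam", group: str = "vpn-users"):
    """Round trip with the page's example secret; the same reply fails under a wrong secret."""
    req = build_access_request("alice", "359152", secret, ident=7)   # constructed user and OTP
    resp = answer_request(req, secret, lambda user, otp: otp == "359152", group)
    return verify_response(resp, req, secret), verify_response(resp, req, b"wrong-secret")
```

The `check_otp` callback is where the OTP validation of the authentication server plugs in; here it is a constant comparison so the packet handling can be followed on its own. A real deployment would also send the Message-Authenticator attribute (RFC 2869), but the packets above are enough to see why a mismatched shared secret shows up as "Test Connection" failing in Cyberoam: the server cannot recover the password and the client cannot verify the reply.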

Example: Log in to Cyberoam

The following example shows how an end user logs in using Nexus TruID Synchronized. Other Nexus OTP methods can be used in a similar way.

Use Nexus TruID as 2FA to log in to Cyberoam
  1. Start Nexus TruID on your laptop or smartphone and enter your PIN to generate an OTP.

  2. Key in your domain login ID and password together with the Nexus TruID OTP.


Related information