Set up Nexus OTP as 2FA for Outlook Web Access
This article describes how to enable Nexus OTP in Smart ID Digital Access component as two-factor authentication method for Outlook Web Access using Microsoft ISA Server 2006, to replace static passwords.
Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.
With the setup described in this article, Digital Access functions as a RADIUS server and Microsoft ISA Server 2006 as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows.
Network schematic with Nexus TruID Synchronized as an example.
- The end user starts the TruID client and enters the PIN in TruID to generate an OTP.
- Outlook Web Access request the end user to enter username, password and OTP.
- The end user enters username, domain password and OTP.
- The domain credentials are validated by the Active Directory through Outlook Web Access.
- The OTP authentication request is relayed to Digital Access Authentication Server via RADIUS by Microsoft ISA Server 2006.
- The authentication server validates the OTP with the associated TruID token and PIN from the user database.
- Upon successful validation, the authentication server responds with successful authentication to Microsoft ISA Server 2006.
Microsoft ISA Server 2006 and Outlook Web Access provides access to the end user.
Make settings in Digital Access
In step 3, enter the IP Address of the RADIUS Client (Microsoft ISA Server) and the Shared Secret Key.
In Digital Access Admin, go to Manage System.
Click RADIUS Configuration > Add RADIUS Client...
Enter General Settings and Attributes. Click the ?-sign for help.
Click Save.
Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.
- In step 3, select Nexus Synchronized as method.
- When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.
To add a new authentication method:
- In Digital Access Admin, go to Manage System.
- Click Authentication Methods.
Click Add authentication method..., select the desired method and click Next.
- Enter Display Name, a unique name used in the system to identify the authentication method.
- Select if the method shall be enabled and if it shall be visible in authentication menu.
- Register Authentication Methods Server when applicable.
- Make other configurations as needed for the selected authentication method. For more information , click the ?-sign. Click Next.
- If needed, make settings in RADIUS Replies and Extended Properties.
- Click Next and Finish.
- Click Publish.
Make settings in Microsoft ISA Server 2006
- Log in to the Microsoft ISA Server 2006 server and open the administration console.
- Check Collect additional delegation credentials in the form.
- Select RADIUS OTP.
Click Configure Validation Servers.
Click Add in the RADIUS Servers tab.
Configure the RADIUS server’s details (Server name, Shared secret, Authentication port, Time-out) in the Add RADIUS Server pop up. Click OK to apply the changes.
In the Users tab, select the user groups that this rule should apply to. In this example, the All Users group was selected.
Click Next.
Example: Log in to Outlook Web Access
- Start Nexus TruID that is installed on your laptop or smartphone - Enter your PIN to generate an OTP.
Start the web browser and browse to Outlook Web Access.
Enter logon credentials in the Outlook Web Access logon page:
AD UserID in the User Name field.
The OTP from TruID Synchronzed in the Passcode field.
AD Password in the Password field.
Click Log On.
Related information
- Authentication methods in Digital Access
- Deploy Digital Access component
- Smart ID Digital Access component
- Smart ID Mobile App
- Set up RADIUS client in Digital Access
- Microsoft ISA Server 2006