This article describes how to enable Nexus OTP in Nexus Hybrid Access Gateway as Nexus Personal Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.
With the setup described in this article, Nexus Hybrid Gateway functions as a RADIUS server and SafeInspect as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows.

Network schematic for Nexus OTP authentication
Network schematic with Nexus TruID Synchronized as an example.
- The end user starts the TruID client and enters the PIN in TruID to generate an OTP.
- Cyberoam requests the end user to enter username, password and OTP.
- The end user enters username, domain password and OTP.
- The domain credentials are validated by the Active Directory.
- The OTP authentication request is relayed to Hybrid Access Gateway Authentication Server via RADIUS.
- The authentication server validates the OTP with the associated TruID token and PIN from the user database.
- Upon successful validation, the authentication server responds with successful authentication to Cyberoam.
- Cyberoam provides access to the end user.

Prerequisites
- Installed and deployed Hybrid Access Gateway, see Deploy Hybrid Access Gateway and do initial setup.
- Hybrid Access Gateway administration interface (Digital Access Admin) with an administrator account.

Add SafeInspect as a RADIUS client
Note: In step 3, enter the IP Address of the RADIUS Client (SafeInspect) and the Shared Secret Key.
See Set up RADIUS client in Digital Access.

Enable authentication method
Nexus TruID Synchronized Smart ID Mobile App is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.
Note:
- In step 3, select Nexus Synchronized as method.
- When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.
See Set up authentication method.

Make settings in SafeInspect
- Log in to the SafeInspect administrative interface.
- Navigate to Identity > External Authentication > RADIUS Servers.
- Click Add RADIUS server and go to the Settings tab.
- Enter the following information:

Parameter | Description |
---|---|
Address | Enter the IP address of the Hybrid Gateway Authentication server |
Port | Select the port of the Hybrid Gateway Authentication server for the particular authentication method |
Shared secret | Enter the RADIUS shared secret key |
Shared secret confirmation | Confirm the RADIUS shared secret key |

- Go to the Policy tab.
- Add an authentication rule with the following settings:

Parameter | Description |
---|---|
Client-to-Hound authentication | Select: Authenticate against a RADIUS server |
RADIUS server | Select the IP address and port of the Hybrid Gateway Authentication server |
Hound-to-target authentication | Select: Mapped user credentials |

Example: Log in to SafeInspect
The following example shows how an end user logs in, using Nexus Personal Mobile. Other Nexus OTP methods can be used in a similar way. Nexus TruID Smart ID Mobile App is used as 2FA to log in to Cyberoam.
- Start Nexus TruID Smart ID Mobile App that is installed on your laptop or smartphone.
- Enter your PIN to generate an OTP.
- Enter domain login ID and password along with Nexus TruID OTP.