This article describes how to enable Nexus OTP in Nexus Hybrid Access Gateway as two-factor authentication method for SafeInspect, to replace static passwords.

Nexus OTP can be either Nexus TruID Synchronized or Nexus Personal Mobile OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.

With the setup described in this article, Nexus Hybrid Access Gateway functions as a RADIUS server and SafeInspect as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows.

Related information

Links

Cyberoam

Network schematic for Nexus OTP authentication

Network schematic with Nexus TruID Synchronized as an example.

The end user starts the TruID client and enters the PIN in TruID to generate an OTP.
Cyberoam request the end user to enter username, password and OTP.
The end user enters username, domain password and OTP.
The domain credentials are validated by the Active Directory.
The OTP authentication request is relayed to Hybrid Access Gateway Authentication Server via RADIUS.
The authentication server validates the OTP with the associated TruID token and PIN from the user database.
Upon successful validation, the authentication server responds with successful authentication to Cyberoam.

Cyberoam provides access to the end user.

Prerequisites

Installed and deployed Hybrid Access Gateway, see Deploy Hybrid Access Gateway and do initial setup
Installed SafeInspect.

Make settings in Hybrid Access Gateway

Log in to Hybrid Access Gateway administration interface

Log in to the Hybrid Access Gateway administration interface with your admin user.

Add SafeInspect as a RADIUS client

In step 3, enter the IP Address of the RADIUS Client (SafeInspect) and the Shared Secret Key.

Error rendering macro 'excerpt-include' : No link could be created for 'Set up RADIUS client'.

Enable authentication method

Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.

In step 3, select Nexus Synchronized as method.
When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.

Error rendering macro 'excerpt-include' : No link could be created for 'Set up authentication method'.

Make settings in SafeInspect

Add Hybrid Access Gateway as RADIUS Server

Log in to the SafeInspect administrative interface.
Navigate to Identity > External Authentication > RADIUS Servers.
Click Add RADIUS server and go to the Settings tab.

Enter the following information:

Parameter	Description
Address	Enter the IP address of the Hybrid Access Gateway Authentication server
Port	Select the port of the Hybrid Access Gateway Authentication server for the particular authentication method
Shared secret	Enter the RADIUS shared secret key
Shared secret confirmation	Confirm the RADIUS shared secret key

Go to the Policy tab.

Add an authentication rule with the following settings:

Parameter	Description
Client-to-Hound authentication	Select: Authenticate against a RADIUS server
RADIUS server	Select the IP address and port of the Hybrid Access Gateway Authentication server
Hound-to-target authentication	Select: Mapped user credentials

Example: Log in to SafeInspect

The following example shows how an end user logs in, using Nexus Personal Mobile. Other Nexus OTP methods can be used in a similar way.

Use Nexus TruID as 2FA to log in to Cyberoam

Start Nexus TruID that is installed on your laptop or smartphone - Enter your PIN to generate an OTP.
Enter Key-In domain login id and password along with Nexus TruID OTP.

Set up Nexus OTP as 2FA for SafeInspect