strong 2-factor authentication with OTP

Table of contents

    1. Usages
    2. Instructions for token registration
    3. FAQ
    4. Errors
        1. Internal Server Error
        2. Authetication Error
    5. Tunnel-Groups

Usages

At TU Dresden we use the 2-factor authentication for  VPN service of ZIH for our administrators. The administrator authenticates with
VPN-GATEWAY  :  adminvpn.zih.tu-dresden.de
USERNAME       :   zih-login@Netzressource
PASSWORD       :   PIN@Einmalpasswort

Instructions for token registration

To use the token some initial steps are required:

  • send a request for an OTP token to servicedesk@tu-dresden.de to get a hardware token. Then...
  • Open the LinOTP Selfservice-Portal https://otp.zih.tu-dresden.de in your browser
otp adnmeldung © otp

Selfservice Portal

  • login with your ZIH credentials
  • You must register your token. To do this, you need the serial number of the token, you find this in the handover protocol that you received from ZIH when you handed over the token.
     
  • Please click on the tab + Token zuweisen and type the serial number of the token in the corresponding field. In the fields under PIN, enter your chosen PIN twice (6-10 alphanumeric characters, no special characters). Then click the Token zuweisen button.
otp token zuweisen © otp

assign Token

  • Afterwards you will see the token assigned to you:
otp token zugewiesen © otp

Assigned Token

  • If you click on the serial number of the token in the token view, the details of the token are displayed:
otp token details © otp

Details

  • Now you have to synchronize the token. Click in the detail view in the line at Token synchronisieren in the left field Ersten OTP-Wert eingeben and press once on the USB token, then in the field Zweiten OTP-Wert eingeben and press again on the token. Then click on Token resynchronisieren:
otp token sync © otp

Resync

  • you will see this message then:
otp ausschr erf sync © otp
  • The PIN can also be set in the Details view: In the PIN setzen line, enter the token PIN (digits, upper and lower case letters, 6 - 10 characters) 2 times and click on the [PIN setzen] field:
otp token pin © otp
  • ... and the token can be tested: To test the token, first enter the set PIN in the field next to Token testen and then press the YubiKey immediately without separator.
otp token test © otp
  • Then click on [Token testen] -  you should see this message then:
otp erfo auth © otp
  • Your token is configured successfully now.
  • Log off at the OTP self-service portal:
otp ws abmelden © otp
  • Your OTP token can be used now.  The YubiKey ist ready to use if the little light in the middle of the token's sensor field shines. If this is not the case, there may be a problem with the USB port or even with the token itself. Contact

FAQ

  • I want to disable my token because it is lost/I can't find it anymore/I leave the TU Dresden
    Please login on  OTP Selfservice-Portal web page. Tand click the Token deaktivieren tab in the Token Details view.
    If your token got lost contact  as soon as possible!
    If you leave TU Dresden please first disable your token and then return it to ZIH Service Desk
otp token deakt © otp

disable Token

  • I have forgotten my PIN/want to change my PIN.
    Please login at OTP Selfservice-Portal web page and and set a new PIN in the Token Detail view, see above PIN setzen.
otp token pin © otp

set PIN

  • I have touched the token sensor field repeatedly and can't login any more.
    The one-tine password needs to be synchronous with the LinOTP server. When touching the sensor field more often  in a USB port without using ist for authemntication, ist could happen the one-time password is not synchronous any more . You need to resync the token. Please logon at  OTP Selfservice-Portal web page and execute Token synchronisieren in the Token Detail view (see above).
otp token sync © otp
  • I have synchronised the token but am still getting "Login failed".
    This can occur for different reasons. For example the maximum error counter could be reached. Please contact

Errors

Internal Server Error

otp internal server error © otp
  • Solution: reload the web page by clicking Aktualisieren in the upper right corner:
otp seite aktuelisieren © otp

Authetication Error

otp auth failure © otp
  • Solution: log in to the otp service portal website again.

Tunnel-Groups

Beim Aufruf des Cisco AnyConnect können bei "Group:" verschiedene Tunnel-Groups ausgewählt werden. Diese werden hier erläutert:

  • A-Tunnel-TU-Networks
    Datennetzverbindungen in alle TU-Netze laufen durch den VPN-Tunnel,  das sind:
    141.30.0.0/16, 141.76.0.0/16, 172.16.0.0/12, 192.168.0.0/16
  • B-Tunnel-Public-TU-Networks
    Datennetzverbindungen zu öffentlichen TU-Netzen laufen durch den VPN-Tunnel,  das sind: 141.30.0.0/16, 141.76.0.0/16
  • C-Tunnel-All-Networks
    alle Datennetzverbindungen laufen durch den VPN Tunnel
  • TUD-vpn-lic
    Verwendung ausschließlich für den Zugriff auf den Lizenzserver (MathCAD u.a.)
    Authorisierung über die DOM Domain (der Nutzer muss explizit durch seinen IT-Administrator in einer bestimmten ActiveDirectory Group der DOM Domain dafür eingetragen werden)
  • TUD-vpn-split-sap
    tunnelt ausschließlich Verbindungen zu den SAP Servern der TU
  • Z-AdminVPN-dhcproute
    tunnelt die internen TU-Netze wie A-Tunnel-TU-Networks, richtet keine Route zum DHCP Server des lokalen Netzes ein (no-dhcp-server-route) - wichtig für Admins, für den Zugriff auf Domaincontroller/DHCP-Server in MS Umgebungen
  • TUD-vpn-split-ivv, TUD-vpn-split-la-s, TUD-vpn-split-tk, Z-TUD-vpn-split-mgmt,
    Tunnelgruppen für speziellen Einsatz

User authentication can get significantly more secure by using more than one factor at logon.

With 2-factor authentication "knowledge" (the PIN)  and "possession" (the hardware token) are being needed to login successfully. A one-time password is a password to authenticate only once - i.e. for the current session. Every next authentication needs a new one-time password. Thus replay attacks are being avoided.
The hardware token is a small electronical key the user should tote safely. The loss of a hardware token is not that much critical as the PIN is known to the user only. The token will automatically be blocked when too many failed login attempts occur.

We use privacyIDEA  OTP as the platform for authentication with one-time passwords.

eToken PASS

So far we offer  eToken PASS  SafeNet  hardware-OTP token and YubiKey Token from yubico. After pressing the button of the Token a one-time password (OTP)  is being generated. The technique, the passwords are being created with, is based on Open Authentication Standard (OATH), a ceritfied andworldwide accepted method.

YubiKey

The YubiKey is a flat USB token which is being supplied with power via the USB port. So the YubiKey's lifetime could be theoretically endless. The operating system acknowledges the YubiKey as a USB keyboard, so client software installation is not required. To authenticate move (click) the mouse pointer into the login mask. The YubiKey generates a one-time password when softly touching the sensor of the token. The OTP is inserted automatically.

About this page

ZIH Web
Last modified: Feb 10, 2023
Page Actions