Two-Factor Authentication (2FA)
More articles
- PG RADIUS v2 - Disable OTP Method Prompt
Problem You have completed the RADIUS v2 configuration and wish to disable the first of the two prompts during MFA - the one that asks the user to choose which method to use for the RADIUS MFA request. Solution Update the 'AuthMethodPrompt' setting and set it to 'no'. Navigate to the RADIUS v2 server (typically an Alpine Linux server running Docker). Use a file
- App-Specific MFA Loops on the OTP Page
Problem You have enabled Application-Specific MFA through PortalGuard and upon providing the required One-Time-Passcode, the 'MFA.aspx' page simply reloads and prompts again. Solution Generate the 'General Encryption Key' via the PortalGuard Configuration Editor. Navigate to the PortalGuard server and open the PortalGuard Configuration Editor. Click on the 'Edit
- Yubico Validation and Cipher Support Update
Problem You received an update from Yubico noting that they are ending support for their v1 token validation and older TLS cipher suites. You want to ensure this will not break anything with PortalGuard's integration for YubiKey support. Solution Verify the configured 'Validation URL' within the PortalGuard 'Bootstrap Configuration' and ensure you are using
- Google Authenticator/Mobile App OTPs Rejected
Problem PortalGuard always rejects OTPs generated by a mobile authenticator app (e.g. Google Authenticator, Authy, Microsoft Authenticator). This could occur during initial enrollment of the mobile app or well after it was enrolled. Solution There are a few reasons why a PortalGuard server will reject Time-Based One Time Passwords (TOTPs) from a mobile app. If
- Enable FIDO2 / WebAuthN Support in PortalGuard
Problem You wish to utilize a FIDO2/WebAuthN token with your PortalGuard website for MFA or Self-Service functionality. Solution Enable support for FIDO2/WebAuthN within PortalGuard. Important Note: Adding support for FIDO2/WebAuthN will ALSO add support for standard FIDO Tokens. Requirements: Must be using PortalGuard Version 6.2.2.6 or Later Navigate
- Change the OTP Length
Problem The OTP length is either too short or too long - you'd like to change it. Solution Edit the Security Policy of the group you would like to receive longer OTPs. The following steps will allow you to update the length of the OTP being sent from PortalGuard. Navigate to the PortalGuard Server. Open the PortalGuard Configuration Editor. Edit the security
- 2FA Support For Cisco VPN
Problem You need to integrate PortalGuard with your Cisco VPN. Solution PortalGuard supports integration with Cisco VPNs using the RADIUS protocol. On the VPN side using Cisco ASDM: Create new AAA Server Group. Add AAA Server. Create Remote Access Connection Profile. On the PortalGuard side using the PortalGuard Configuration Editor: Enable 'RADIUS' Configuration
- Enable Authy Push Support in PortalGuard
Problem You wish to utilize an Authy Push token with your PortalGuard website for MFA or Self-Service functionality. Solution Enable support for Authy Push authentication within PortalGuard. Quick Navigation Authy Initial Configuration Steps PortalGuard Initial Configuration Steps
- Enable Twilio Voice MFA in PortalGuard
Problem You wish to utilize Twilio Voice with your PortalGuard website for MFA. Solution Enable support for Twilio Voice MFA authentication within PortalGuard. Quick Navigation: Twilio Initial Configuration Steps Twilio Voice MFA Configuration Steps - Twilio Twilio Voice MFA Configuration Steps - PortalGuard
- Require Users to Perform 2FA For Password Change
Problem For additional security, you want users to provide their username, current password and a One-Time Passcode to change their password. Solution Open the PortalGuard Configuration Editor. Navigate to Security Policies. Highlight desired policy and click edit. Navigate to the 'Actions' tab, then select the 'PW Change' tab. Change the Password Change dropdown
- Adding Two-Factor (2FA) to Password Change (Known Password)
Problem Users need to be able to change a password they already know. Solution Changing 'Actions' settings in the PortalGuard Configuration Editor under the 'PW Change' Tab Open the PortalGuard Configuration Editor Navigate to the 'Security Policies' tab Highlight 'Default' and click edit NOTE: If you are enabling this on a secondary Security Policy, make sure
- Office 365 2FA on Mobile Devices
Problem Looking to force 2FA on mobile devices using the O365 mobile applications. Solution The full Outlook 2013 and 2016 clients support Microsoft's "Modern Authentication" which honors identity federation settings at the domain level and allows an IdP to fully control
- Configure VPN 2FA Support via RADIUS
Problem You need to utilize PortalGuard to provide 2FA functionality for your VPN Users. Solution Enable the RADIUS feature within PortalGuard. Caveats PortalGuard currently only supports the PAP Protocol for RADIUS. 2FA Methods must be enrolled prior to attempting 2FA Via RADIUS/VPN. RADIUS does not support enrollment prompting. The user must have enrolled
- PortalGuard Support For YubiKey®
Problem You need to integrate your existing YubiKey® or recently purchased YubiKey® with PortalGuard for Two-Factor Authentication. Solution Integrate your specific YubiKey® within PortalGuard for 2FA. Purchase a YubiKey from Yubico. Register for a Yubico API key using the YubiKey. You will receive a Client ID
- Require 2FA Only When End-Users Are Outside the LAN
Problem Your LAN is a trusted network so users should only be required to authenticate to PortalGuard using just a username & password or via Kerberos. When they are coming into PortalGuard from the internet, they should be required to log in using 2FA. Solution This can be achieved by differentiating these scenarios based on the user's IP address. The LAN network
- How To Change the Default OTP Method for Two-Factor Authentication
Problem You want to change the default OTP method utilized by PortalGuard during Two-Factor Authentication (2FA). Solution Properly configure the security policy within the PortalGuard Configuration Editor, and select a new 'Default OTP Method'. Navigate to the PortalGuard server and open the PortalGuard Configuration Editor. Navigate to the Security Policies