MultiOTP Authentication Server

From SecuTech Wiki
Revision as of 06:25, 19 June 2018 by Mapril (talk | contribs)


MultiOTP Authentication server installation, integration and testing guide

Guide Version: 1.0
MultiOTP package at time of writing: 5.1.1.2

Introduction

MultiOTP is a third-party, OATH-certified, open source authentication server for HOTP (UniOTP300 and UniOTP310) and TOTP (UniOTP500 and UniOTP510) tokens, available in both free and paid versions.

The free version supports unlimited users but the paid version has a variety of additional features.

Download free MultiOTP here: https://download.multiotp.net/multiotp.zip
For the paid version of MultiOTP please go here: https://www.multiotp.com/
For more information about paid vs free versions and source code, go here: https://github.com/multiOTP/multiotp/wiki

You must use the administrator account on the computer to install MultiOTP.

Please see UniOTP seed portal for downloading UniOTP secret key files.

Requirements

To be able to use the MultiOTP Authentication server, you must have an XML PSKC token file ready. An example file can be created following the instructions here: Virtual_OTP_token.

Installation on Windows

After downloading the zip package from https://download.multiotp.net/multiotp.zip, extract its content to a location whose path contains no spaces. Extracting into the root directory of the hard drive, e.g. "C:\multiotp", is recommended, as this eliminates the possibility of a path error. All future references to the install location in this guide assume this path.

After extracting the package, please navigate to "C:\multiotp\windows".

Right click on "radius_install.cmd" and run as administrator. A command prompt will appear with the message "Please run this script as administrator ... Press any key to continue". Press Enter and the window will disappear after a few seconds.

Right click on "webservice_install.cmd" and run as administrator. A command prompt will appear with the message "Please run this script as administrator ... Press any key to continue". Press Enter and the window will disappear after a few seconds, then your default web browser will open to the page: http://127.0.0.1:8112/.

Additional: to check that both services were installed correctly, open the Run window (Windows key + R), type services.msc and press OK. Sort alphabetically and look for "multiOTP Radius Server" and "multiOTP Web Server"; if both appear, the installation was successful.

For versions of Windows newer than Windows 7

The built-in RADIUS server provided by MultiOTP has an issue starting on versions of Windows newer than Windows 7, and must be run in compatibility mode.

Windows services and MultiOTP RADIUS and webserver entry

To correct this, first open the Run window (Windows key + R), type "services.msc", then click "OK". In the list of services, sort by name and scroll down to "multiOTP Radius server". It should have the status "Started". Right click on it and "Stop" the service; after a few seconds the "Started" status should be blank. Minimize this window, do not close it.

Radius server in compatibility mode

In the folder "C:\multiotp\windows\radius\sbin" (note "sbin", not "bin"), right click on "radiusd.exe" and select "Properties". In the "Compatibility" tab, enable "run in compatibility mode" and select "Windows 7" in the drop down, then click "Apply" and "OK".

Back in Windows services, right click on "multiOTP Radius server" and start the service.

If this step is not taken, the Radius server will not be reachable.

Integration

In your web browser, on the multiOTP web admin page (default: http://127.0.0.1:8112/) log in with the default credentials:
Username: admin
Password: 1234

MultiOTP web server login screen

After logging in, select "Import new hardware tokens".

MultiOTP web server login screen

For this step you must use a .xml PSKC file. To convert a uinf file or for more information about how to retrieve the xml file from an order from SecuTech, please see Seed_portal.

Selecting "Choose File" opens a file dialog; navigate to the XML file and click "Import". For this guide, the virtual uinf token from the page Virtual_OTP_token is used; it can be generated by following the instructions given there.

Once the token has been added, it will appear in the "List of hardware token".

XML token successfully added to MultiOTP

Navigate to "Add a new user", then input the required details, taking note of "Username" and "Specific prefix PIN".

For testing MultiOTP the "Specific prefix PIN" is not necessary, but for release it is recommended, as it significantly increases the effectiveness of OTP protection, for example in the event that the OTP token is stolen.

In the "select a token" drop down, select the hardware token that was imported. If the token was not successfully imported, it will not appear here.

New user and token binding added to MultiOTP

After clicking on "Add this user", the fields go blank and after a second the user appears at the bottom with the buttons "Delete", "Print" and "Resync".

  • Delete will remove the user and free the token for re-use
  • Print generates a page with QR codes and instructions for the user to set up their mobile device as an authenticator
  • Resync synchronizes the user account with the OTP

Select "Resync" or "Resync a user" on the left hand side. Make sure the newly created username is filled in, and input the next 2 OTPs generated.

Using the example provided from Virtual_OTP_token and the Seed_portal, the first 2 OTPs are: 190745 and 106127.

Synchronizing the new user and token

To test whether the synchronization process was successful, go to "Check a user". The 3rd OTP is: 450094

After clicking "Check now", the message "succeeded" should appear. If the same code is re-used, "Error 26" should appear, as each OTP code can only be used once.
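The import, resync and check steps above are easier to reason about when the server-side logic is spelled out. The following is an added example, not MultiOTP's own code: it parses a plaintext PSKC file (the XML format the import step expects), derives HOTP values from the imported seed, and emulates the resync with two consecutive OTPs, the "Check a user" test, and the rejection of a re-used code. The PSKC document, the serial number, the prefix PIN and the window sizes are constructed for the example; the seed is the RFC 4226 reference seed, so its OTPs are not the ones from the guide's virtual token.

```python
"""Added example, not MultiOTP's code: parse a plaintext PSKC file, derive HOTP
values from the imported seed, and emulate resync / check / replay rejection.

Assumptions (not from the guide): SAMPLE_PSKC is constructed and carries the
RFC 4226 reference seed; the resync window and look-ahead window are
illustrative; the prefix PIN is assumed to be typed in front of the OTP."""
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

PSKC_NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}

# Constructed sample in the plaintext PSKC layout of RFC 6030.
# Secret is base64("12345678901234567890"), the RFC 4226 test-vector seed.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Example (constructed)</Manufacturer>
      <SerialNo>EXAMPLE-000001</SerialNo>
    </DeviceInfo>
    <Key Id="EXAMPLE-000001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_pskc(xml_text):
    """Return a list of {serial, secret, counter, digits}, one per KeyPackage."""
    root = ET.fromstring(xml_text)
    tokens = []
    for pkg in root.findall("pskc:KeyPackage", PSKC_NS):
        key = pkg.find("pskc:Key", PSKC_NS)
        secret_b64 = key.findtext("pskc:Data/pskc:Secret/pskc:PlainValue", namespaces=PSKC_NS)
        if secret_b64 is None:
            # Encrypted PSKC (EncryptedValue) needs the transport key; out of scope here.
            raise ValueError("only plaintext PSKC secrets are handled in this example")
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", PSKC_NS)
        tokens.append({
            "serial": pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", default="", namespaces=PSKC_NS),
            "secret": base64.b64decode(secret_b64.strip()),
            "counter": int(key.findtext("pskc:Data/pskc:Counter/pskc:PlainValue",
                                        default="0", namespaces=PSKC_NS)),
            "digits": int(fmt.get("Length", "6")) if fmt is not None else 6,
        })
    return tokens


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpUser:
    """Server-side state for one user bound to one HOTP token."""

    def __init__(self, token, pin="", resync_window=1000, look_ahead=20):
        self.secret = token["secret"]
        self.digits = token["digits"]
        self.counter = token["counter"]   # next counter value the server will accept
        self.pin = pin
        self.resync_window = resync_window
        self.look_ahead = look_ahead

    def resync(self, otp1, otp2):
        """Find two consecutive counters producing otp1, otp2 and move past them."""
        for c in range(self.counter, self.counter + self.resync_window):
            if (hmac.compare_digest(hotp(self.secret, c, self.digits), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1, self.digits), otp2)):
                self.counter = c + 2
                return True
        return False

    def check(self, value):
        """Validate PIN+OTP; the matched counter is consumed, so a replayed code fails."""
        if not hmac.compare_digest(value[:len(self.pin)], self.pin):
            return "rejected (bad prefix PIN)"
        otp = value[len(self.pin):]
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                self.counter = c + 1     # this and every earlier counter are now dead
                return "succeeded"
        return "rejected (already used or outside look-ahead window)"


def demo():
    """Walk through the guide's sequence: resync, check, replay, missing PIN."""
    token = parse_pskc(SAMPLE_PSKC)[0]
    user = OtpUser(token, pin="4711")                                # constructed PIN
    results = [user.resync(hotp(token["secret"], 0), hotp(token["secret"], 1))]
    results.append(user.check("4711" + hotp(token["secret"], 2)))   # first use
    results.append(user.check("4711" + hotp(token["secret"], 2)))   # replay of same code
    results.append(user.check(hotp(token["secret"], 3)))            # OTP without the PIN
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the file prints the four outcomes in order: the resync succeeds, the first check succeeds, the replayed code is rejected (the counterpart of the guide's "Error 26"), and the code submitted without the prefix PIN is rejected. The look-ahead window is what lets a user who pressed the token button a few times without logging in still authenticate, while the consumed counter prevents replay.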

Testing the new user and token

Testing Authentication

To test a RADIUS authentication server, the simplest tool is the 3rd party software NTRadPing, a free tool from Mastersoft for Windows. As of writing this guide, NTRadPing is at version 1.5.

NTRadPing allows input of the shared secret, username, OTP and ports, and can perform account operations, all with an intuitive interface; it is also extremely lightweight. It is the fastest and simplest way to test the RADIUS server.

There are 2 files in this download: NTRadPing.exe and raddict.dat.

Extract this zip to a location of your choice, and launch NTRadPing. No installation is necessary.

  • Input the IP address of the RADIUS authentication server
  • Input the shared secret, default: multiotpsecret
  • Input the username of the account that was synchronized
  • Input the port number used; by default multiOTP uses 1812 (the standard port for RADIUS authentication)
    • Note other old/special servers can use 1813, 1645 or 1646

The 4th OTP is: 536422.
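What NTRadPing does with the four inputs above is send a single RADIUS Access-Request and check the reply. The following added example (not NTRadPing's or MultiOTP's code) builds that packet by hand following RFC 2865: User-Name, the User-Password attribute carrying the OTP obfuscated with the shared secret, and the NAS attributes, then verifies the Response Authenticator of the server's reply so that a forged or mis-keyed reply is not mistaken for an Access-Accept. The NAS-IP-Address and NAS-Port values and the fixed authenticator used in the offline demo are constructed; the shared secret is the guide's default "multiotpsecret", which should be replaced before release; it is assumed that a prefix PIN, if configured, is typed in front of the OTP in the password field.

```python
"""Added example, not NTRadPing's or MultiOTP's code: build a RADIUS
Access-Request for the multiOTP RADIUS server and verify the reply (RFC 2865).

Assumptions (not from the guide): NAS-IP-Address / NAS-Port are constructed;
User-Password carries the OTP (prefixed by the PIN if one was set); the shared
secret is the guide's default and must be changed for production."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5
DEFAULT_SECRET = b"multiotpsecret"   # guide default; change it before release


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        block = _xor(data[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_password(data, secret, request_authenticator):
    """Inverse of encode_password: anyone holding the shared secret recovers the OTP,
    which is why the secret must stay private and the default must be replaced."""
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00").decode()


def attribute(atype, value):
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    return struct.pack("BB", atype, 2 + len(value)) + value


def build_access_request(ident, username, password, secret=DEFAULT_SECRET,
                         nas_ip="127.0.0.1", nas_port=0, request_authenticator=None):
    """Return (packet, request_authenticator); the authenticator is 16 random bytes
    unless one is supplied, which is only useful for reproducible tests."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_password(password, secret, ra))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_PORT, struct.pack(">I", nas_port)))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def verify_response(packet, request_authenticator, secret=DEFAULT_SECRET):
    """Return the reply Code if its Response Authenticator is valid, else None.
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length < 20 or length > len(packet):
        return None
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def build_response(code, ident, request_authenticator, secret=DEFAULT_SECRET, attrs=b""):
    """Server-side reply construction, used here only to fabricate a reply offline."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_check(host, username, password, secret=DEFAULT_SECRET, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and classify the reply (does network I/O)."""
    packet, ra = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    code = verify_response(reply, ra, secret)
    if code is None or reply[1] != packet[1]:   # bad authenticator or mismatched Identifier
        return "invalid reply (wrong shared secret or forged packet)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "unexpected code %d" % code)


if __name__ == "__main__":
    import sys
    host, user, otp = sys.argv[1:4]   # e.g. 127.0.0.1 <username> <pin+otp>
    print(radius_check(host, user, otp))
```

Run it as "python radius_check.py 127.0.0.1 username 536422" against the server set up above; an Access-Reject with a correct secret means the OTP or user is wrong, while an "invalid reply" means the shared secret on the client and server differ, which is the same symptom NTRadPing shows as a timeout or failed reply. A reply that does not verify is discarded rather than trusted, which is the check a test tool should always make before reporting success.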

Testing RADIUS authentication

If all settings are as above, please also check that the RADIUS server is running in "services.msc". Additionally, check the version of Windows: if it is newer than Windows 7, see the chapter: #For versions of Windows newer than Windows 7

Alternative server testing tools

Many other free RADIUS testing tools exist, for example RadLogin, which supports Windows, Linux, FreeBSD and SPARC Solaris.