Is two-factor authentication (2FA) supported?

Yes, all Opengear products support two-factor authentication via remote AAA server, such as RADIUS. This enables administrators to centrally manage and synchronize a user's two-factor device, such as Duo authenticator smartphone app or RSA SecurID token.

Two-factor authentication requires the user to enter both their regular password plus a dynamically generated passcode, when logging in via the UI, CLI, or to a managed device or port.

Configuration

No special setup is required on the Opengear beyond configuring it to use the remote authentication method under Serial & Network -> Authentication, for details see the Authentication chapter in the User Manual.

Often to achieve 2FA, the authentication server (e.g. Cisco ACS) does the regular password authentication against a local database (e.g. Active Directory), then contacts an external system (e.g. cloud service via HTTPS REST API) for the two-factor step.

These transactions are hidden from the Opengear, therefore the Opengear only needs to be configured with the single authentication method used to contact the authentication server in the first instance (e.g. TACACS). The Opengear does not need to be configured with the authentication methods used by the authentication server backend (e.g. Opengear is configured for TACACS, but not configured for Active Directory or HTTPS REST API).

How are two-factor codes entered?

How the password and passcode are entered varies depending on what the remote authentication server expects.

The passcode may be concatenated onto the regular password and entered as a single string at the initial Password/Passcode field (UI) or at the Password prompt (SSH CLI) – e.g. if my password is guessme and my authenticator app generates a passcode of 604291, I would enter guessme604291. This method is common when using TACACS authentication.

If the authentication server supports a multiple challenge-response steps, the Opengear prompts for the passcode as a separate, second step – e.g. at the initial Password/Passcode field (UI) or at the Password prompt (SSH CLI) I enter guessme, then the Opengear displays a second prompt, at which I enter 604291. The precise label of the second prompt is determined by the authentication server. This method is common when using RADIUS authentication.