Overview
Yes, all Opengear products can perform two-factor authentication via remote AAA servers, such as RADIUS. This lets administrators centrally manage and synchronize a user's two-factor device, such as the Duo authenticator smartphone app or an RSA SecurID token.
Two-factor authentication requires the user to enter both their regular password and a dynamically generated passcode when logging in via the UI or CLI, or when connecting to a managed device or port.
Configuration
No special setup is required on the Opengear Appliances or Lighthouse beyond configuring them to use the remote authentication method; for details, see the Authentication chapter in the User Manual.
| Product Family | UI Path to RADIUS Config |
| --- | --- |
| Operation Manager/CM8100 | Configure > User Management > Remote Authentication |
| Lighthouse | Settings > User Management > Remote Authentication |
| 7000 Family | Serial & Network > Authentication |
Often, to achieve 2FA, the authentication server (e.g. Cisco ACS) performs the first-factor authentication against a local database (e.g. Active Directory) by checking the credentials the user entered, then sends a request to an external system (e.g. a cloud service via an HTTPS REST API) for the second-factor step.
These transactions are hidden from the Opengear Appliances or Lighthouse, so they only need to be configured with the single authentication method used to contact the authentication server in the first instance (e.g. TACACS). They do not need to be configured with the authentication methods the authentication server uses on its backend (e.g. Opengear is configured for TACACS, but not for Active Directory or the HTTPS REST API).
How are two-factor codes entered?
How the password and passcode are entered depends on what the remote authentication server expects.
The passcode may be concatenated onto the regular password and entered as a single string at the initial Password/Passcode field (UI) or at the Password prompt (SSH CLI). For example, if my password is guessme and my authenticator app generates the passcode 604291, I would enter guessme604291. This method is common with TACACS authentication.
Alternatively, if the authentication server supports multiple challenge-response steps, the Opengear Appliances or Lighthouse prompt for the passcode as a separate, second step. For example, at the initial Password/Passcode field (UI) (7000 Family and Lighthouse only) or at the Password prompt (SSH CLI) I enter guessme; the Opengear Appliances or Lighthouse then displays a second prompt, at which I enter 604291. The label of the second prompt is determined by the authentication server. This method is common with RADIUS authentication.
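As an added example (not Opengear's code, nor any real RADIUS or TACACS+ server), the following Python models the two entry styles described above from the authentication server's side: a concatenated password+passcode field, and a RADIUS-style Access-Challenge whose Reply-Message becomes the second prompt's label. The user store, the HOTP seed, the "alice" account and the "Enter passcode:" label are constructed assumptions.

```python
import hashlib, hmac, secrets, struct

# Constructed user store (hypothetical): a static password plus an RFC 4226 HOTP seed.
USERS = {"alice": {"password": "guessme", "seed": b"constructed-seed-0001", "counter": 7}}
PENDING = {}  # RADIUS State token -> user who has passed factor one and awaits factor two


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _factors_ok(user, password, passcode):
    """Check both factors; always evaluate both so a reject does not reveal which one failed."""
    rec = USERS.get(user, {"password": "", "seed": b"", "counter": 0})
    pw_ok = hmac.compare_digest(rec["password"], password)
    otp_ok = hmac.compare_digest(hotp(rec["seed"], rec["counter"]), passcode)
    return user in USERS and pw_ok and otp_ok


def tacacs_style_login(user, field, digits=6):
    """Concatenated entry (e.g. guessme604291): the server can only split the single string
    because the passcode has a fixed length, so the last `digits` characters are the passcode."""
    if len(field) <= digits:
        return "fail"
    return "pass" if _factors_ok(user, field[:-digits], field[-digits:]) else "fail"


def radius_style_login(user, value, state=None):
    """Two-step entry. Request one carries the password; the server answers Access-Challenge
    with a one-time State token and a Reply-Message, which the appliance shows as prompt two.
    Request two echoes the State and carries the passcode. Returns (code, state, reply_message)."""
    if state is None:
        rec = USERS.get(user, {"password": ""})
        if not hmac.compare_digest(rec["password"], value) or user not in USERS:
            return ("Access-Reject", None, None)
        token = secrets.token_hex(8)
        PENDING[token] = user
        return ("Access-Challenge", token, "Enter passcode:")
    # A State token is single-use: pop it so a replayed second request is rejected.
    if PENDING.pop(state, None) != user:
        return ("Access-Reject", None, None)
    if hmac.compare_digest(hotp(USERS[user]["seed"], USERS[user]["counter"]), value):
        return ("Access-Accept", None, None)
    return ("Access-Reject", None, None)
```

A real deployment would also expire pending State tokens and advance the HOTP counter (or use TOTP) on success; both are omitted here to keep the flow visible.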