ESET Secure Auth 2.4


Hi

In the release notes for the new ESET Secure Auth server version 2.4 it says:

   Added: Hard token authentication without compound support

Does this mean users would be able to enter only the OTP generated from the hard token, versus the current "AD/Windows password + OTP" combination to login?

Wanted to verify before upgrading our server.

Thanks


  • ESET Staff

Hello, in short: yes.

 

But please make sure (with your VPN vendor) that your VPN is able to validate the AD username and password by itself (not all VPNs support this).

If everything is as it should be, the user enters username and password and is then prompted for the OTP.

Edited by MichalJ

Hi
Thanks for your response. We use the hard tokens for Cisco Anyconnect VPN Client to connect to a Cisco ASA. And we also use it to connect to a Citrix Netscaler 11.0 to access our XenApp environment. My understanding of the added feature was that under Radius Servers, Properties, Authentication Methods - under Mobile Application you have the choice to leave the Compound Authentication (passwordOTP) UNchecked. Currently Hard Tokens do not have that choice to be UNchecked or turned off. I'm hoping the new version has that additional setting for Compound to be disabled for the Hard Tokens.


  • ESET Staff

Please make sure your VPN is able to validate AD username/password by itself. Attached is the screenshot of the setting. 

 

post-35-0-90698600-1464770518_thumb.png


Thank you for the screenshot. Will it work differently than the way the Mobile App currently works? For the Mobile App, users are able to enter ADusername and the mobile OTP for the password for VPN. For Citrix there is a username box and two password boxes. For Mobile App users, they enter ADusername, OTP, and ADpassword. For hard token users for Citrix, they currently enter ADusername, ADpasswordOTP, then ADpassword. I was hoping with the new version it would work exactly like the Mobile App currently does. Sorry, trying to understand.


  • ESET Staff
  • Solution

Hello,

The hardtoken without compound should work in the same way as mobile app OTPs without compound.

However, when you are using a VPN which does not validate username and password by itself, then by using only hardtoken OTPs (not compound) you will be able to log in with just the OTP – this would not be considered two-factor authentication.

With mobile apps, there is also PIN protection, which could theoretically be considered a second factor (emphasis on the “theoretically”), but hardtokens do not have PIN protection.

So with VPNs that do not validate the ADpassword, we recommend using hardtokens with compound turned ON, and for those which do validate it, you can use the without-compound option.
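
The combinations discussed in this thread, as an added Python sketch that is not ESET code and is not part of the original posts: it models the compound (`ADpasswordOTP`) and non-compound checks and lists the clients where the hard-token OTP alone is enough to log in. The `RadiusClient` class, the function names, the 6-digit OTP length and the sample inventory are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

OTP_DIGITS = 6  # assumption: the thread does not state the OTP length


@dataclass
class RadiusClient:  # hypothetical model, not an ESET Secure Authentication object
    name: str
    vpn_validates_ad_password: bool  # the VPN checks AD username/password itself
    compound: bool                   # password field is ADpassword followed by OTP


def split_compound(field):
    """Split 'ADpasswordOTP' into (ad_password, otp); the OTP is the digit suffix."""
    otp = field[-OTP_DIGITS:]
    if len(field) <= OTP_DIGITS or not otp.isdigit():
        raise ValueError("expected ADpassword followed by an OTP")
    return field[:-OTP_DIGITS], otp


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def radius_accepts(client, field, ad_password, current_otp):
    """Model of what is checked for the submitted password field."""
    if not client.compound:
        return _same(field, current_otp)  # OTP only, no password involved
    try:
        password, otp = split_compound(field)
    except ValueError:
        return False
    return _same(password, ad_password) and _same(otp, current_otp)


def single_factor_clients(clients, ad_password, current_otp):
    """Clients where the hard-token OTP alone is enough to log in."""
    return [c.name for c in clients
            if not c.vpn_validates_ad_password
            and radius_accepts(c, current_otp, ad_password, current_otp)]


# Constructed inventory: one client per combination discussed in the thread.
CLIENTS = [
    RadiusClient("vpn-a", vpn_validates_ad_password=True, compound=False),
    RadiusClient("vpn-b", vpn_validates_ad_password=False, compound=False),
    RadiusClient("vpn-c", vpn_validates_ad_password=False, compound=True),
]
```

Only `vpn-b` is reported: the VPN does not check the AD password and compound is off, so nothing in the login path verifies a second factor.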
