Configuring One-Time Passwords

One-Time Password (OTP) is a two-factor authentication scheme that utilizes system generated, random passwords in addition to standard user name and password credentials. Once users submit the correct basic login credentials, the system generates a one-time password which is sent to the user at a pre-defined email address. The user must retrieve the one-time password from their email, then enter it at the login screen. Select the Require one-time passwords checkbox to enable this functionality requiring SSL VPN users to submit a system-generated password for two-factor authentication.

Each one-time password is single-use. Whenever a user successfully enters a valid user name and password, any existing one-time password for that account is deleted. Unused one-time passwords time out according to the time-out value set on the Users | Settings | User Session Settings interface. Administrators can enable one-time password on a Local User or Local Group basis.

CAUTION: OTP cannot be configured for Global VPN Client (GVC) users. Instead, GVC users can use RSA token for two-factor authentication. Please refer  to Two Factor Authentication Using RSA Radius And SecurID For SonicWall GVC And NetExtender Clients

This article describes how to configure One-Time password.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Configure Mail Server Settings
To use the one-time password, the appliance must have access to a correctly configured SMTP server.

1. Login to the SonicWall management GUI.
2. Click Device , navigate to Log | Automation.
3. Under the Mail Server Settings ,Click on Advanced and enter email Information.
                

In order to Enforce password complexity for One-Time Password:

1. Navigate to DEVICE | Users | Settings
2. Under Authentication, ONE-TIME PASSWORD section
3. Enable the option Enforce password complexity for One-Time Password
4. Click Accept
   

TIP: One time password format can include characters and numbers combined. Also you can set the minimum and maximum length of the password

Enable OTP for a Local User

1. On the same Device Page, navigate to the Users | Local Users and Groups page.
2. Click Add User (or edit an existing user).
3. Enter a name and password for the user (for a new user).
4. Select the OTP via mail method on the drop down of One-time password method.
5. Under the E-mail address field enter the email address where the one-time password must be sent.
6. Click OK .
   
   
   

Alternatively, enable OTP for a Local Group

Enabling one-time password in a group will entail all members of the group to enter a one-time password when connecting. Therefore, each member of the group must be configured with an email address to send the one-time password. LDAP users’ email addresses are retrieved from the server when original authentication is done. Authenticating remote users through RADIUS requires administrators to manually enter enter email addresses in the management interface, unless RADIUS user settings are configured to Use LDAP to retrieve user group information.

1. Navigate to the Users | Local Users and Groups page, click  Local Groups tab on the top.
2. Click Add Group (or edit an existing group).
3. Enter a name for the group.
4. Select the OTP via mail method on the drop down of One-time password method.
   
   
   

Testing

When a user enabled with one-time password tries to login to SSL-VPN, the following prompt will appear after the user has been authenticated with the local username and password.

Simultaneously, a temporary password will be sent to the email address configured under the user. Copy and paste the password in the above page. On being authenticated, the following message will be displayed on the browser page.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Configure Mail Server Settings
To use the one-time password, the appliance must have access to a correctly configured SMTP server.

1. Login to the SonicWall management GUI.
2. Click MANAGE , navigate to Log Settings | Automation.
3. Under the Mail Server Settings , enter email Information.
     

In order to Enforce password complexity for One-Time Password:

1. Navigate to MANAGE | Users | Settings
2. Under Authentication, One-Time Password section
3. Enable the option Enforce password complexity for One-Time Password
4. Click ACCEPT
   
   
   TIP: One time password format can include characters and numbers combined. Also you can set the minimum and maximum length of the password 
   
   

Enable OTP for a Local User

1. On the same Manage Page, navigate to the Users | Local Users and Groups page.
2. Click Add User (or edit an existing user).
3. Enter a name and password for the user (for a new user).
4. Enable check box Require one-time passwords.
5. Under the E-mail address field enter the email address where the one-time password must be sent.
6. Click OK .
   

Alternatively, enable OTP for a Local Group

Enabling one-time password in a group will entail all members of the group to enter a one-time password when connecting. Therefore, each member of the group must be configured with an email address to send the one-time password. LDAP users’ email addresses are retrieved from the server when original authentication is done. Authenticating remote users through RADIUS requires administrators to manually enter enter email addresses in the management interface, unless RADIUS user settings are configured to Use LDAP to retrieve user group information.

1. Navigate to the Users | Local Users and Groups page, click  Local Groups tab on the top.
2. Click Add Group (or edit an existing group).
3. Enter a name for the group.
4. Enable check box Require one-time passwords.
     

Testing

When a user enabled with one-time password tries to login to SSL-VPN, the following prompt will appear after the user has been authenticated with the local username and password.

Simultaneously, a temporary password will be sent to the email address configured under the user. Copy and paste the password in the above page. On being authenticated, the following message will be displayed on the browser page:

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Configure Mail Server Settings
To use the one-time password, the appliance must have access to a correctly configured SMTP server.

1. Login to the SonicWall management GUI.
2. Navigate to the Log | Automation page.
3. Enter mail server information under Mail Server Settings.
   

Enable OTP for a Local User

1. Navigate to the Users | Local Users page.
2. Click Add User (or edit an existing user).
3. Enter a name and password for the user (for a new user).
4. Enable check box Require one-time passwords.
5. Under the E-mail address field enter the email address where the one-time password must be sent.
6. Click OK .
   
   
   

Alternatively, enable OTP for a Local Group
Enabling one-time password in a group will entail all members of the group to enter a one-time password when connecting. Therefore, each member of the group must be configured with an email address to send the one-time password. LDAP users’ email addresses are retrieved from the server when original authentication is done. Authenticating remote users through RADIUS requires administrators to manually enter enter email addresses in the management interface, unless RADIUS user settings are configured to Use LDAP to retrieve user group information.

1. Navigate to the Users | Local Groups page.
2. Click Add Group (or edit an existing group).
3. Enter a name for the group.
4. Enable check box Require one-time passwords.
    

Testing

When a user enabled with one-time password tries to login to SSL-VPN, the following prompt will appear after the user has been authenticated with the local username and password.

Simultaneously, a temporary password will be sent to the email address configured under the user. Copy and paste the password in the above page. On being authenticated, the following message will be displayed on the browser page.