Token2 TOTPRadius 0.2.3-N2

A simple and cost-effective way to provide secure, policy-compliant and user-friendly on-premises two-factor authentication solution with self-enrollment

User friendly self-enrollment API
LDAP Proxy feature
Hardware and software token support

Latest changes
[0.2.3 N2] Setting to hide passwords in realtime log added
[0.2.3 N2] Advanced settings UI bug fixed
[0.2.3] Configuration import possibility
[0.2.3] Multi-domain configuration (for Netscaler integrations with more than one AD forest)
[0.2.3] Possibility to create usernames in UPN format ([email protected])
[0.2.3] Local passwords authentication support
[0.2.3] LDAPS authentication support
[0.2.2] Custom modules feature
[0.2.2] High availability in Master/Slave mode
[0.2.2] Strict SSL verification (CA import tool)
[0.2.1] LDAP authentication and enrolment support

Documentation

The latest version of TOTPRadius is 0.2.3-N2. Information about previous versions is available here: v0.1, v0.2, v0.2.1, v0.2.2

Token2 TOTPRadius implements RADIUS (RFC-2865) authentication backed by TOTP (RFC-6238). With TOTPRadius you can integrate a large variety of third-party products and systems with multi-factor authentication. A number of enterprise products and services, such as VPNs, Citrix XenApp/XenDesktop, VMWare View and many others, support RADIUS servers for validating the second factor of user authentication. In addition to the standard RADIUS protocol, you can also use the Web API or ready-made CMS plugins that operate over the RESTful API.

TOTPRadius supports OTP-only authentication using the TOTP algorithm (Time-Based One-Time Password, RFC-6238), LDAP-only authentication, and combined LDAP+TOTP authentication. It provides a web-based administration panel and an HTTPS REST API service designed to enable users' self-enrollment.

TOTPRadius also allows enabling two-factor authentication on systems that support only a single authentication source. This is done by enabling the LDAP component of the appliance: users supply their regular password together with the one-time password in a single field, TOTPRadius splits the value into two parts, validates the OTP part locally and sends the regular password on to an LDAP server (e.g. an Active Directory domain controller), in effect acting as an LDAP proxy. You can view TOTPRadius web-based administration panel screenshots here.

Self-enrollment using RESTful API

The main advantage of TOTPRadius is the RESTful API that allows users to self-enroll with software tokens such as Google Authenticator and Token2 Mobile OTP. An example of such an integration is the self-enrollment mechanism for Citrix Netscaler/StoreFront. The integration is done by installing our StoreFront integration package and adding a new RADIUS authentication server on the Netscaler; it usually takes no more than five minutes to implement. Refer to the Citrix integration manual for more details.

Self-enrollment using LDAP Enroll web interface

You can configure TOTPRadius to allow users to log in without a second factor (e.g. using the AD password only) for the first time [1] and then navigate [2] to the TOTPRadius LDAP Enroll web interface (accessible only within your local network or VPN), where they can enroll the second factor themselves. Administrators can also allow users to modify (re-enroll) the second factor via the LDAP Enroll web interface.
[1] Also configurable: administrators can allow the first several logins without a second factor.
[2] Manually or automatically, e.g. once a VPN connection is established.

LDAP Proxy

The principle behind LDAP Proxy mode is that users provide their AD or LDAP password together with the one-time password in the password field. TOTPRadius parses the field, splits it into two parts and authenticates the OTP; only if the OTP is correct does it send the AD/LDAP password part on to the configured AD/LDAP server. The order matters: the OTP is checked first and AD only after the OTP is confirmed correct, so that password guessing against the RADIUS endpoint cannot trigger AD account lockouts. Enabling LDAP Proxy on your TOTPRadius appliance lets you implement two-factor authentication for systems that do not natively support it, such as Cisco Meraki VPN, Cisco WLC and many others. Read more ...
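The split-then-verify flow of LDAP Proxy mode described here and in the overview above, as an added example that is not the appliance's own code: it assumes the OTP is the trailing six digits of the password field (the real split rule is an appliance setting) and replaces the directory bind with a stub callback. The point it demonstrates is the ordering: a bad OTP is rejected locally and the LDAP server is never contacted.

```python
import hashlib
import hmac
import struct
import time

# Assumed split rule (the appliance's actual rule is a configuration detail not
# given on the page): the OTP is the trailing six digits of the password field.
OTP_DIGITS = 6

def totp(secret: bytes, at: int, step: int = 30, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1) -> bool:
    """Accept the current step or one step either side to tolerate clock skew."""
    expected = (totp(secret, now + k * 30) for k in range(-window, window + 1))
    return any(hmac.compare_digest(e.encode(), candidate.encode()) for e in expected)

def split_password(field: str):
    """Return (ldap_password, otp) or None when the field cannot be split."""
    tail = field[-OTP_DIGITS:]
    if len(field) <= OTP_DIGITS or not (tail.isascii() and tail.isdigit()):
        return None
    return field[:-OTP_DIGITS], tail

def ldap_proxy_auth(username: str, field: str, secret: bytes, ldap_bind, now=None) -> str:
    """OTP is verified locally first; the directory is only contacted when it is
    valid, so guessing against the RADIUS endpoint cannot burn the AD lockout counter."""
    now = int(time.time()) if now is None else now
    parts = split_password(field)
    if parts is None:
        return "reject"          # malformed field, nothing forwarded
    ldap_password, otp = parts
    if not verify_totp(secret, otp, now):
        return "reject-otp"      # ldap_bind never called
    return "accept" if ldap_bind(username, ldap_password) else "reject-ldap"

if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a stub in place of a real LDAP bind.
    secret = b"12345678901234567890"
    calls = []
    def stub_bind(user, pwd):
        calls.append(user)
        return pwd == "Secret1!"
    print(ldap_proxy_auth("alice", "Secret1!" + totp(secret, 59), secret, stub_bind, now=59))
    print(ldap_proxy_auth("alice", "Secret1!000000", secret, stub_bind, now=59), calls)
```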

TOTPRadius High availability

Starting from version 0.2.2, TOTPRadius appliances can be configured in high availability mode. Appliances in slave mode hold a read-only copy of the database and periodically synchronize with their master appliance via the HTTPS REST API.

Integration guides

Citrix Netscaler & StoreFront
Full integration including a built-in self-service user enrollment integration package for StoreFront based on the RESTful API.
Read more ...
Cisco Meraki MX
Enabling two-factor authentication for Meraki Client VPN. Self-enrollment is possible via LDAP Enroll web interface.
Read more ...
Cisco ASA
This guide documents how to configure two-factor authentication on a Cisco ASA, using Microsoft Active Directory as the first factor and TOTPRadius Server as the second.
Read more ...
Fortigate VPN
RADIUS authentication source without built-in self-enrollment feature. Self-enrollment is possible via LDAP Enroll web interface.
Integration manual


TOTPRadius is deployed as a software-based virtual appliance that runs on two hypervisors: VMWare ESXi and Microsoft Hyper-V. Upon request, virtual appliances for other hypervisors can be provided. It is free to use with up to 5 users; you need to obtain a license to increase the number of allowed users.

VM Version: 11
Zipped OVA file
Size: 1.2G
Download VMWare Appliance

In addition to VMware vSphere (ESXi), the OVA format can also be imported into and used with Oracle VirtualBox and Citrix XenServer.

Configuration version: 8.0*
Zipped VM Folder
Size: 1.2G
Download Hyper-V Appliance

* Requires Hyper-V v.10 or higher (Win10 or Win2016). For lower versions, create the VM manually with default settings and connect IDE0 to the VHDX file in the archive. No further configuration changes are required.

Remember to change the default passwords.