TOTPRadius - Installation and initial configuration

TOTPRadius is deployed as a software-based virtual appliance that runs on two hypervisors: VMWare ESXi and Microsoft Hyper-V. Upon request, virtual appliances for other hypervisors can be provided. It is free to use with up to 5 users. You need to obtain a license to increase the number of allowed users.

Download

Download one of the versions from the download page. The appliance is available in 2 versions:

  • VMware OVA format. In addition to VMware vSphere (ESXi), OVA format can also be imported and used with Oracle VirtualBox
  • HyperV Appliance. A zip file with the virtual machine exported from a Hyper-V host. Requires Hyper-V v.10 or higher (Win10 or Win2016/2019). For earlier versions, create the VM manually with default settings and connect the IDE0 to the VHDX file in the archive. No further configuration changes are required


Installation

Import OVF to VMWare or VirtualBox

TOTPRadius is deployed in standard OVF format. Follow usual OVF import procedures to install the appliance.

Import VM to Hyper-V

TOTPRadius has been tested on standard Windows 2012 R2 and Windows 2016 and 2019 based Hyper-V hosts and has been exported using Hyper-V manager. To import, unzip the downloaded archive to a location visible from Hyper-V manager and import the appliance. Initial configuration of the appliance Power on the virtual machine and open its console.

XenServer

While there is no official image released for XenServer, a number of clients managed to import and use the VMWare image by editing the grub options in the boot menu to make the root file system /dev/xvda1 (what XenServer looks for) instead of /dev/sda1 (what VMware presents).

Initial configuration

Once imported and started, the appliance will boot and launch the initial configuration wizard. Please note that this wizard is only available from the console and allows changing the appliance's IP address. If the network is configured with DHCP available, the appliance will show the assigned address. You can open the IP in a web browser to access the web admin panel.

TOTPRadius - Installation and initial configuration


Complete the configuration by filling the requested information, such as hostname, IP, Subnet and DNS servers. 

TOTPRadius - Installation and initial configuration

Hit "OK" at the last window to complete the process. The appliance will restart to apply the new network configuration.  If there was a mistyped address during the configuration, you can always rerun the wizard again - it will be available from the hypervisor console unless disabled in the Web interface. You can press "Ctrl+C" to exit the wizard and proceed to regular Linux login prompt.

Admin Web Interface - first login

Once the configuration is completed, navigate to the IP address set during the initial configuration (or assigned by DHCP) and log in using default admin credentials (default username : admin, default password : totpradius).

TOTPRadius - Installation and initial configuration

Upon initial login, the system will ask you to change the Web admin and console (ssh) password. Once this is done, you can proceed with the configuration by clicking on "Settings".

TOTPRadius - Installation and initial configuration

You can change the Web admin password directly on the admin panel by clicking on "Change password" button. The system password should be changed from the console:
- Open the console and close the configuration wizard by pressing Ctrl+C
- Log in using default credentials (username: totpradius, password: totpradius)
- Issue passwd command and enter the new password
TOTPRadius - Installation and initial configuration

Admin panel - overview of the important settings

All the settings of TOTPRadius appliances (except IP and console password) can be configured via the admin Web interface. Each setting has a description that are displayed when clicking on the question mark icon next to it as shown on the example below.

TOTPRadius - Installation and initial configuration

In this section, we will bring your attention to only some of the settings that are important and need to be adjusted before you start using the appliance in production.

TOTPRadius - Installation and initial configuration


Allow initial login

Pay attention to "Allow initial login" value. If set to a non-zero value, first n RADIUS attempts will be accepted even if the password or OTP provided as a password is wrong. This is needed for allowing users to log in for the first time and enroll their second factor independently without using the public web portal (i.e. via Citrix XenApp with Netscaler configuration). If such self-service methods are not planned to be used, keep this value as zero.

API Key and Allow HTTP

API key is used to access the API interface to check or enable 2FA as well as to allow user database replication from this host to slave appliances. This key is used for different integrations, including ADFS credential provider and WordPress 2FA. If you have already configured the web certificate for your appliance, you can set Allow HTTP as "Disabled" - this will ensure the admin panel is accessed via secure HTTPS protocol only.

RADIUS Secret

This is the "shared secret" parameter used as a part of RADIUS authentication scheme and is required to set up the endpoints that will authenticate users against TOTPRadius. The RADIUS Server reads the shared secret and ensures that the Access-Request message is from an authorized Client. 

Endpoint IP and Subnet

If you want to further restrict access to RADIUS authentication, you can set the Endpoint IP and subnet to a range that you expect the authentication messages to come from (i.e. your VPN Server/ Meraki MX / FortiGate etc.). Having these values as 0.0.0.0 (IP) and 0 (subnet) will allow any connection as its source.


These are the general settings. Other settings are use-case specific and are described in the integration guides
Currency
Large Volume Orders
For large orders, Token2 offers volume discounts.If you are interested in larger volume orders, please contact us and we will get back with a quote immediately
Burner apps