User authentication Local users
IX30 User Guide
719
9. (Optional) Configure two-factor authentication for SSH, telnet, and serial console login:
a. Change to the user's two-factor authentication node:
(config auth user new_user)> 2fa
(config auth user new_user 2fa)>
b. Enable two-factor authentication for this user:
(config auth user new_user 2fa)> enable true
(config auth user new_user 2fa)>
c. Configure the verification type. Allowed values are:
n
totp: Time-based One-Time Password (TOTP) authentication uses the current time
to generate a one-time password.
n
hotp: HMAC-based One-Time Password (HOTP) uses a counter to validate a one-
time password.
The default value is totp.
(config auth user new_user 2fa)> type totp
(config auth user new_user 2fa)>
d. Add a secret key:
(config auth user new_user 2fa)> secret key
(config auth user new_user 2fa)>
This key should be used by an application or mobile device to generate passcodes.
e. For time-based verification only, enable disallow_reuse to prevent a code from being
used more than once during the time that it is valid.
(config auth user new_user 2fa)> disallow_reuse true
(config auth user new_user 2fa)>
f. For time-based verification only, configure the code refresh interval. This is the amount of
time that a code will remain valid.
(config auth user new_user 2fa)> refresh_interval value
(config auth user new_user 2fa)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the
format number{w|d|h|m|s}.
For example, to set refresh_interval to ten minutes, enter either 10m or 600s:
(config auth user name 2fa)> refresh_interval 600s
(config auth user name 2fa)>
The default is 30s.
g. Configure the valid code window size. This represents the allowed number of concurrently
valid codes. In cases where TOTP is being used, increasing the valid code window size may
be necessary when the clocks used by the server and client are not synchronized.
To Next Page
Loading...
Need help?
General
