Multi-Factor Authentication

MFA Configuration

You configure one-time password (OTP) MFA from the A3 administration user interface at the following location: Configuration > Integration > Multi-Factor Authentication > New MFA > TOTP.

Authentication Rule

Portal Configuration Work Flows

The following descriptions assume that you configure MFA in the A3 portal. Configuration work flow varies by MFA provider.

Akami Bind v2

• Connection profile: The profile must use the Internal Source where you defined an authentication rule that is assigned the Trigger Portal MFA action. The profile must also use the Default portal policy Root Portal Module, for which an MFA policy is already defined.
• Akamai Bind v2 portal: After you access the A3 portal and register with your credentials, the portal forwards you to the Akamai Bind v2 web interface. From here, you can onboard your device and also trigger any type of MFA. When these tasks are completed and authenticated, Akamai Bind v2 portal forwards you to the A3 portal and grants you access.
  

  Note

  You must onboard your device before you can use Akamai MFA in the RADIUS flow.

TOTP

• Connection profile: The profile must use the Internal Source where you defined an authentication rule that is assigned the Trigger Portal MFA action. The profile must also use the Default portal policy Root Portal Module, for which an MFA policy is already defined.
• A3 portal: After you access the A3 portal and register with your credentials, the portal displays a QR code that you must scan with your Akamai, Google, Microsoft, or DUO device. This action configures an account in which you can see username.A3 and the OTP PIN code.

  You then can use this OTP on the portal to register your device.

  

  Note

  You must onboard your device before you can use OTP MFA in the RADIUS flow.

RADIUS

The RADIUS flow depends on the features of the MFA provider and the RADIUS client.

• Simple RADIUS client: Only the user name and password are sent in the RADIUS request, for which the only method available is the "push" notification. After the user is authenticated, a push notification is sent to their phone. The user must validate to grant access.
• Simple RADIUS with password.<code>: The user name and password are sent, but the password is split with a special character to obtain the code.
  • OTP code (123456): The code you read on your device. This code changers every 30 seconds.
  • Push code (push): The code can be pushed to the default phone or pushx (where x represents the telephone index in the list if you have multiples of one). Push1 triggers a push on the first phone, push2 on the second one. The user must validate on their phone to grant access.
  • SMS code (sms): The code can be SMSed to the default phone or smsx (where x represents the telephone index in the list if you have multiples of one). SMS1 triggers a push on the first phone, SMS2 on the second one. The RADIUS request is rejected and the RADIUS client prompts again for the credentials. After the user receives the code by SMS, they must re-authenticate with their user name and password and append the code, for example password,code.
  • Phone code (phone): The code can be phoned to the default phone or phonex (where x represents the telephone index in the list if you have multiples of one). Phone1 triggers a push on the first phone, phone2 on the second one. The RADIUS request is rejected and the RADIUS client prompts again for the credentials. After the user receives the code by phone, they must re-authenticate with their user name and password and append the code, for example password,code.
• Simple RADIUS client with second password: The VPN client presents a log-in page with a user name field and two password fields. In this second password field, you can configure the same options as in Simple RADIUS client with password.<code>.