Configuring Mobile OTP Login Verification
A mobile OTP is a mobile application that can generate a dynamic password for identity verification.
With the mobile OTP verification method, both your static login password and a 6-digit one-time password are required for login.
Because the one-time password is derived from the current time, mobile OTP authentication also works when the bastion host is deployed in a non-public network, as long as the bastion host time is the same as the mobile phone time.
If you want to enable MFA for the admin account, configure a mobile OTP for the admin account first; otherwise, the admin account cannot log in to the system in MFA mode.
If the mobile OTP expires and the login fails, reset the login method for user admin. For details, see Resetting Login Method for User admin.
Currently, built-in mobile OTPs and Remote Authentication Dial-In User Service (RADIUS) mobile OTPs are supported.
- Built-in mobile OTPs support Time-based One-Time Password (TOTP). You bind a mobile OTP to a user in the Profile module of your bastion host system, using a WeChat applet or a similar TOTP program, such as Google Authenticator or FreeOTP Authenticator.
- RADIUS mobile OTPs also support TOTP. You connect the bastion host to a RADIUS server you have created and bind the mobile OTP on the RADIUS server, again using a WeChat applet or a similar TOTP program, such as Google Authenticator or FreeOTP Authenticator.
Constraints
Ensure that your bastion host and mobile phone have the same system time, accurate to the second. Otherwise, the system may report that the mobile OTP failed to be bound.
If binding fails for this reason, synchronize the bastion host system time with the mobile phone time, refresh the page, scan the new QR code, and try again.
Step 1: Configure the Mobile OTP Type
- Log in to your bastion host.
- Choose System > System Config > Security.
- In the Mobile Token Settings area, click Edit.
- In the displayed Mobile Token Settings dialog box, select a mobile OTP type.
    You can select Built-in or RADIUS. If you select RADIUS, configure the parameters described in Table 1.

    Table 1 RADIUS mobile OTP parameters

    | Parameter | Description |
    | --- | --- |
    | Server | Enter the IP address of the RADIUS server. |
    | Port | Enter the port number of the RADIUS server. |
    | Protocol | The options are PAP and CHAP. |
    | Password | Enter the shared key for RADIUS server authentication. |
    | Timeout | Configure an authentication timeout. The value ranges from 5 to 30, in seconds. A maximum of three authentication attempts are allowed, and each attempt must complete within the configured timeout. |
- Click OK. You can then check the mobile token settings of the current system user on the Security tab.
Step 2: Bind a Mobile OTP as a Common User
Built-in Mobile OTP
- Log in to your bastion host using your static password.
- On the Dashboard page, click the user name in the upper right corner and choose Profile.
- On the displayed Profile page, click the Mobile OTP tab.
    On the displayed page, follow the instructions to bind a mobile OTP. If you do not have the WeChat app, use Google Authenticator to scan the second QR code.
- (Optional) To unbind the mobile OTP, click Unbind on the Mobile OTP tab.
RADIUS Mobile OTP
Step 3: Enable Mobile OTP Authentication for a User as the Administrator
Built-in Mobile OTP
- Log in to your bastion host as the administrator.
- Choose User > User to go to the User management page.
- Select a user with a mobile OTP bound and click the user's LoginName.
- In the User Setting area, click Edit.
- In the displayed Edit user settings dialog box, select Mobile OTP for Multifactor Verification.
- Click OK.
    The next time the user logs in to the system, they will have to provide a mobile OTP.
RADIUS Mobile OTP
- Create a user in the bastion host system. The login name of the user must be the same as that of the user created on the RADIUS server in 1.
    - Log in to your bastion host as the administrator.
    - Choose User > User to go to the User management page.
    - Click New. In the displayed New User dialog box, complete the required parameters described in Table 2.

      Table 2 Parameters for creating a user

      | Parameter | Description |
      | --- | --- |
      | LoginName | The login name must be the same as the name of the user created on the RADIUS server. The LoginName must be unique in a system and cannot be changed once created. |
      | Authentication Type | Select Local. Local: The user is verified against the account management system of the bastion host. This is the default method. |
      | Password/Confirm Password | Specify a custom password for logging in to the system. |
      | UserName | User-defined username. This is the name of the person who uses the account, so that system users can be distinguished from each other. |
      | Mobile | Enter the mobile phone number. This number is used for SMS authentication logins and password resetting. |
      | Email | Enter an email address. The bastion host sends notifications to this email address. |
      | Role | Specifies the role to be assigned to the user. Only one role can be assigned. By default, system roles include DepartmentManager, PolicyManager, AuditManager, and User; the roles are described below this table. |
      | Department | Select the department that the user belongs to. For details about how to create a department, see Creating a Department. |
      | Remarks | Brief description of the user. |

      Default roles:
      - DepartmentManager: responsible for managing departments. Except for the User and Role modules, this role has configuration permissions for all other modules.
      - PolicyManager: responsible for configuring policy permissions. This role has configuration permissions for the User Group, Account Group, and ACL Rules modules.
      - AuditManager: responsible for auditing system and maintenance data. This role has configuration permissions for the Live Session, History Session, and System Log modules.
      - User: common system users and resource operators. This role has permissions for the Host Operations, App Operations, and Ticket approval modules.
      - User-defined role: only the admin user can customize a new role or edit the permissions of a default role.
    - Click OK.
      On the User page, you can view the created user.

- Configure mobile OTP authentication for the same user in the bastion host system.
    - Go to the User page.
    - Select the same user and click the user's LoginName.
    - In the User Setting area, click Edit.
    - In the displayed Edit user settings dialog box, select Mobile OTP for Multifactor Verification.
    - Click OK.
      The next time the same user logs in to the system, they will have to provide a mobile OTP.