Updated on 2025-09-29 GMT+08:00

Configuring Mobile OTP Login Verification

A mobile OTP is a mobile application that can generate a dynamic password for identity verification.

With the mobile OTP verification method, both your static login password and a 6-digit one-time password are required for login.

After mobile OTP authentication, the bastion host can be used in a non-public network environment as long as the bastion host time is the same as the mobile phone time.

If you want to enable MFA for the admin account, configure the mobile phone token first. Otherwise, the admin account cannot log in to the system in MFA mode.

If the mobile OTP expires and the login fails, reset the login method for user admin. For details, see Resetting Login Method for User admin.

Currently, built-in mobile OTPs and Remote Authentication Dial In User Service (RADIUS) mobile OTPs are supported.

  • Built-in mobile OTPs support Time-based One-Time Password (TOTP). You need to bind a mobile OTP to a user in the Profile module in your bastion host system. You can bind a mobile OTP through a WeChat applet or other similar programs, such as Google Authenticator and FreeOTP Authenticator, that support TOTP.
  • RADIUS mobile OTPs also support TOTP. You need to connect to the RADIUS server you have created and bind the mobile OTP on the RADIUS server. You can bind the mobile OTP through a WeChat applet or similar programs, such as Google Authenticator and FreeOTP Authenticator, that support TOTP.

Constraints

Ensure that your bastion host and mobile phone have the same system time, accurate to the second. Otherwise, the system may report that the mobile OTP failed to be bound.

If binding fails for this reason, synchronize the bastion host system time to the mobile phone time. Then refresh the page, scan the new QR code, and try again.
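
The following added example (not the bastion host's own code) shows why the two clocks must agree: a TOTP verifier derives the code from its own clock, so a code generated on the phone is rejected as soon as the server clock falls into a different time step. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step) with the 6-digit length stated on this page; the window parameter is hypothetical, because this page does not say whether the bastion host tolerates any drift.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed time step in seconds (RFC 6238 default)
DIGITS = 6   # this page specifies a 6-digit one-time password


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 0) -> bool:
    """Accept the code if it matches a step within +/- window steps of server time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login_outcome(secret: bytes, phone_time: int, skew: int, window: int = 0) -> bool:
    """The phone generates a code at phone_time; the server clock is off by skew seconds."""
    return verify(secret, totp(secret, phone_time), phone_time + skew, window)


# Constructed sample input: shared secret and timestamp from the RFC 6238 test vectors.
SECRET = b"12345678901234567890"
PHONE_TIME = 1111111109  # falls on the last second of its 30-second step

if __name__ == "__main__":
    print("phone code:", totp(SECRET, PHONE_TIME))
    for skew in (0, -29, 1, -45, 45):
        strict = login_outcome(SECRET, PHONE_TIME, skew)
        lenient = login_outcome(SECRET, PHONE_TIME, skew, window=1)
        print(f"server skew {skew:+4d}s  strict={strict}  window=1 -> {lenient}")
```

At a step boundary, a single second of skew is enough for a strict verifier to reject a valid code, which is why the constraint above asks for second-level accuracy.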

Step 1: Configure the Mobile OTP Type

  1. Log in to your bastion host.
  2. Choose System > System Config > Security.
  3. In the Mobile Token Settings area, click Edit.
  4. In the displayed Mobile Token Settings dialog box, select a mobile OTP type.

    You can select Built-in or RADIUS. If you select RADIUS, the parameters are described as follows:

    Table 1 RADIUS mobile OTP parameters

    | Parameter | Description |
    |-----------|-------------|
    | Server | Enter the IP address of the RADIUS server. |
    | Port | Enter the port number of the RADIUS server. |
    | Protocol | The options are PAP and CHAP. |
    | Password | Enter the shared key for RADIUS server authentication. |
    | Timeout | Configure an authentication timeout. The value ranges from 5 to 30, in seconds. A maximum of three authentication attempts are allowed, and each attempt must be within the configured authentication timeout. |

  5. Click OK. You can then check the mobile token settings of the current system user on the Security tab.

Step 2: Bind a Mobile OTP as a Common User

Built-in Mobile OTP

  1. Log in to your bastion host using your static password.
  2. On the Dashboard page, click the user name in the upper right corner and choose Profile.
  3. On the displayed Profile page, click the Mobile OTP tab.

    On the displayed page, follow the instructions to bind a mobile OTP.

    If you do not have the WeChat app, use the Google verification code program to scan the second QR code.

  4. (Optional) To unbind the mobile OTP, click Unbind on the Mobile OTP tab.

RADIUS Mobile OTP

  1. Create a user on the RADIUS server and bind a mobile OTP for the user as prompted.

Step 3: Enable Mobile OTP Authentication for a User as the Administrator

Built-in Mobile OTP

  1. Log in to your bastion host as the administrator.
  2. Choose User > User to go to the User management page.
  3. Select a user who has a mobile OTP bound and click its LoginName.
  4. In the User Setting area, click Edit.
  5. In the displayed Edit user settings dialog box, select Mobile OTP for Multifactor Verification.
  6. Click OK.

    The next time the user logs in to the system, they will have to provide a mobile OTP.

RADIUS Mobile OTP

  1. Create a user in the bastion host system. The login name of the user must be the same as that of the user created on the RADIUS server in step 1 of Step 2.

    1. Log in to your bastion host as the administrator.
    2. Choose User > User to go to the User management page.
    3. Click New. In the displayed New User dialog box, complete required parameters.
      Table 2 Parameters for creating a user

      | Parameter | Description |
      |-----------|-------------|
      | LoginName | The login name must be the same as the name of the user created on the RADIUS server. The LoginName must be unique in a system and cannot be changed once created. |
      | Authentication Type | Select Local. Local: The user is verified against the account management system of the bastion host. This method is the default method. |
      | Password/Confirm Password | You need to specify a custom password for logging in to the system. |
      | UserName | User-defined username. This name indicates the name of the person who uses the account so that system users can be distinguished from each other. |
      | Mobile | Enter the mobile phone number. This number is used for SMS authentication logins and password resetting. |
      | Email | Enter an email address. The bastion host sends notifications to this email address. |
      | Role | Specifies the role to be assigned to the user. Only one role can be assigned. By default, system roles include DepartmentManager, PolicyManager, AuditManager, and User. • DepartmentManager: responsible for managing departments. Except the User and Role modules, this role has the configuration permissions for all other modules. • PolicyManager: responsible for configuring policy permissions. This role has the configuration permissions for the User Group, Account Group, and ACL Rules modules. • AuditManager: responsible for auditing system and maintenance data. This role has the configuration permission for Live Session, History Session, and System Log modules. • User: common system users and resource operators. This role has the permissions for the Host Operations, App Operations, and Ticket approval modules. • User-defined role: Only the admin user can customize a new role or edit permissions of a default role. |
      | Department | Select the department that the user belongs to. For details about how to create a department, see Creating a Department. |
      | Remarks | Brief description of the user. |

    4. Click OK.

      On the User page, you can view the created user.

  2. Configure mobile OTP authentication for the same user in the bastion host system.

    1. Go to the User page.
    2. Select the same user and click its LoginName.
    3. In the User Setting area, click Edit.
    4. In the displayed Edit user settings dialog box, select Mobile OTP for Multifactor Verification.
    5. Click OK.

      The next time the same user logs in to the system, they will have to provide a mobile OTP.