Two-factor authentication for systems that only support single-factor authentication

LDAP Proxy

The principle behind it is that users will provide their AD or LDAP password together with the one-time passwords in the password field. TOTPRadius will then parse the password, split it into two parts and authenticate the OTP and if correct will send the AD/LDAP password part further to the AD/LDAP server configuration.
The order of authentication is exactly as stated above, OTP is checked first and AD after OTP is confirmed correct; this is done in order to prevent account lockouts during brute force attacks. Enabling LDAP Proxy on your TOTPRadius appliance allows to implement two-factor authentication for systems that do not natively support it, such as Cisco Meraki VPN, Cisco WLC and many others.


Configuring LDAP Proxy

LDAP Feature of TOTPRadius can be enabled on the "General settings" page. There are 6 LDAP related settings:
  • LDAP (Enable/Disable) - Enables LDAP verification. This parameter is to be used for systems not supporting 2FA natively. If enabled the system will expect the OTP to be sent together with LDAP password. This setting controls authentication only, not enrollment.
  • LDAP server - IP or FQDN of the LDAP server; if you need to specify multiple servers for redundancy, full URIs separated by space must be used. Example ldap://192.168.200.208 ldap://192.168.200.209. Starting from version 0.2.3 LDAPS is also supported, use ldaps:// protocol in the server address
  • LDAP username format - Username format. UPN suffix or leading domain name. %username% will be replaced by the actual username. Examples: %username%@domain.local or DOMAIN\%username%.
  • Allow ldap enrollment (Enable/Disable) - Allow users to self-enroll their second factor (i.e. generate a QR key) by logging in with LDAP credentials.
  • Allow ldap key change (Enable/Disable) - Allow users to re-enroll their second factor (i.e. generate a new QR key) by logging in with LDAP credentials.
  • Ldap intro text - This text will appear on LDAP web enrollment page. HTML tags are allowed.