OTP users are defined in the OTP user accounts table. For EAP-OTP, the user must exist twice: once with his normal password in the RADIUS user accounts table, and additionally in this table with the OTP secret.
The OTP user accounts are configured with the following parameters:
- Username
- Enter the name of the OTP user here. An account with the same name must already exist in the RADIUS user accounts table.
- Hash algorithm
- Defines the hash algorithm used for the HMAC that generates the OTP.
Note: The Authenticator app must support the selected hash algorithm. For example, Google Authenticator currently supports only SHA1 on certain Android platforms.
- Time step
- Defines the interval in seconds after which a new OTP is calculated. Default: 30 seconds
- Network delay
- Defines the maximum number of time steps by which the client's clock may deviate from the server's. In addition to the OTP for the current time step, the RADIUS server also accepts OTPs that are up to this many time steps older or newer. Each additional step widens the set of codes accepted at any moment, so keep this value as small as clock drift allows.
- Secret
- Defines the shared secret that is also provisioned in the Authenticator app. The secret must be different for each user.
There are currently three possible input formats for this field:
- Base32 (Default)
- Prefix "base32:" followed by the Base32-encoded secret. The prefix "base32:" may also be omitted.
- Hexadecimal
- Prefix "hex:" followed by an even number of hex digits.
- Plain text passphrase
- Prefix "ascii:" followed by the characters of the passphrase.
Note: For Google Authenticator, the secret must be 16 characters long (80 bits, Base32 encoded), e.g. E3U5IDWEE3KFCJ7G
- Issuer
- Freely definable text that the Authenticator app displays to tell multiple keys apart when the same username is used. Must not contain a colon.
- Number of digits
- Length of the OTPs. Default: 6.
Note: For Google Authenticator, the value 6 should be used.
- Calling station id mask
- This mask restricts the validity of the entry to certain values of the Calling-Station-Id attribute transmitted in the RADIUS request (i.e. identifiers of the client that is authenticating).
- Called station id mask
- This mask restricts the validity of the entry to certain values of the Called-Station-Id attribute transmitted in the RADIUS request (i.e. identifiers of the access point or device the client connected to).
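The following is an added example, not code from the product or its documentation. It models how the table fields above fit together on the server side: the secret is decoded from the three input formats (Base32 with optional prefix, "hex:", "ascii:"), a TOTP (RFC 6238) is computed from the hash algorithm, time step and number of digits, and the network delay setting becomes an acceptance window of ± that many time steps. The function names and the RFC 6238 test-vector secrets are the example's own assumptions; no values from the page other than the sample Base32 secret are used.

```python
import base64
import hashlib
import hmac
import struct

# Added example: TOTP verification with the OTP user account parameters
# (secret format, hash algorithm, time step, digits, network delay).
# Function names are this example's own, not the product's API.

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(entry: str) -> bytes:
    """Decode a table entry in one of the three formats:
    'base32:' (default, prefix optional), 'hex:' (even number of hex
    digits) or 'ascii:' (the raw passphrase characters)."""
    if entry.startswith("hex:"):
        digits = entry[len("hex:"):]
        if len(digits) % 2:
            raise ValueError("hex secret needs an even number of hex digits")
        return bytes.fromhex(digits)
    if entry.startswith("ascii:"):
        return entry[len("ascii:"):].encode("ascii")
    if entry.startswith("base32:"):
        entry = entry[len("base32:"):]
    # Authenticator-style Base32 is unpadded; re-pad to a multiple of 8 chars.
    entry = entry.upper()
    entry += "=" * (-len(entry) % 8)
    return base64.b32decode(entry)


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduction to the configured digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, time_step: int = 30,
         algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / time_step)."""
    return hotp(secret, timestamp // time_step, algorithm, digits)


def verify_otp(entry: str, candidate: str, timestamp: int, time_step: int = 30,
               network_delay: int = 1, algorithm: str = "SHA1", digits: int = 6) -> bool:
    """Accept the candidate if it matches the OTP of the current time step or of
    any step up to network_delay steps older or newer ('Network delay').
    Every step in the window is compared in constant time and the loop never
    exits early, so timing does not reveal which step matched."""
    secret = decode_secret(entry)
    step = timestamp // time_step
    accepted = False
    for delta in range(-network_delay, network_delay + 1):
        expected = hotp(secret, step + delta, algorithm, digits)
        accepted |= hmac.compare_digest(expected, candidate)
    return accepted


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 SHA1 test secret "12345678901234567890".
    entry = "ascii:12345678901234567890"
    print(totp(decode_secret(entry), 59, digits=8))          # 94287082 per RFC 6238
    print(verify_otp(entry, "14050471", 1111111109, digits=8))  # True: code of the next step
```

Usage note: the three decoders must yield identical bytes for the same key, which is what the "base32:" prefix being optional relies on; the sample secret from the note above, E3U5IDWEE3KFCJ7G, decodes to exactly 10 bytes (80 bits), which is why Google Authenticator accepts it.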