This section describes how to configure multifactor authentication (MFA) profiles using the CLI. You configure MFA profiles at the users mfa-profiles level. You can create multiple types of profiles:
- MFA by TOTP: use a Time-based One Time Password (TOTP) token as the second authentication factor.
- MFA by email: use a one-time password received by email as the second authentication factor.
- MFA by SMS: use a one-time password received by SMS as the second authentication factor.
To delete a multifactor authentication profile, use the following command:
Admin@UGOS# delete users mfa-profiles <mfa-name>
To display information about all or individual MFA profiles, use the following commands:
Admin@UGOS# show users mfa-profiles
Admin@UGOS# show users mfa-profiles <mfa-name>
12.8.8.1. Configuring MFA by TOTP
The parameters you specify depend on how the initial code used to initialize TOTP is delivered (on the Captive portal page, by email, or by SMS). You can receive the code:
- by email:
  Admin@UGOS# create users mfa-profiles mfa-totp smtp
- by SMS:
  Admin@UGOS# create users mfa-profiles mfa-totp smpp
- on the Captive portal page after the first successful authentication:
  Admin@UGOS# create users mfa-profiles mfa-totp key-on-captiveportal
Provide the following parameters:
Parameter | Description
---|---
name | The name of the MFA profile.
description | A description of the MFA profile.
totp-qr-code | QR code on the Captive portal page or in an email to facilitate configuring the device or the TOTP client software.
notification-sender | Sender of the notification. Specify a name (if using an SMPP profile) or an email (if using an SMTP profile).
notification-subject | Subject of the notification, if using email notifications.
notification-body | Body of the email. In the message body, you can use a special variable named {2fa_auth_code} that will be replaced by the one-time password. The notification text is enclosed in quotation marks ("").
To update the parameters, use the following command:
Admin@UGOS# set users mfa-profiles mfa-totp <mfa-totp-name>
The parameters available to update are identical to those used to create a profile.
12.8.8.2. Configuring MFA by email
To add a new profile for multifactor authentication via email, use the following command:
Admin@UGOS# create users mfa-profiles mfa-email smtp <smtp-profile>
Provide the following parameters:
Parameter | Description
---|---
name | The name of the MFA profile.
description | A description of the MFA profile.
notification-sender | Email of the notification sender.
notification-subject | Notification subject.
notification-body | Body of the email. In the message body, you can use a special variable named {2fa_auth_code} that will be replaced by the one-time password. The notification text is enclosed in quotation marks ("").
code-lifetime | One-time password validity period (in seconds).
To update the parameters, use the following command:
Admin@UGOS# set users mfa-profiles mfa-email <mfa-email-profile>
The parameters available to update are identical to those used to create a profile.
12.8.8.3. Configuring MFA by SMS
To add a new profile for multifactor authentication via SMS, use the following command:
Admin@UGOS# create users mfa-profiles mfa-sms smpp <smpp-profile>
Provide the following parameters:
Parameter | Description
---|---
name | The name of the MFA profile.
description | A description of the MFA profile.
notification-sender | Name of the notification sender.
notification-body | Body of the message. In the message body, you can use a special variable named {2fa_auth_code} that will be replaced by the one-time password. The notification text is enclosed in quotation marks ("").
code-lifetime | One-time password validity period (in seconds).
To update the parameters, use the following command:
Admin@UGOS# set users mfa-profiles mfa-sms <mfa-sms-profile>
The parameters available to update are identical to those used to create a profile.
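
A pre-deployment check for the notification-body values described in the three parameter tables above, added here as an example; it is not part of the product or its documentation. The function name, the channel labels, the six-digit sample code and the SMS length limits are assumptions of this example.

```python
import re

PLACEHOLDER = "{2fa_auth_code}"      # variable name as documented on this page
BRACED = re.compile(r"\{[^{}]*\}")   # any {...} token found in the body


def lint_body(body, channel, sample_code="000000"):
    """Return a list of problems found in a notification-body value.

    channel: "email" or "sms" (labels used only by this example).
    sample_code: constructed stand-in; the real code length is an assumption.
    """
    problems = []
    if PLACEHOLDER not in body:
        problems.append("missing {2fa_auth_code}: the message would carry no code")
    for token in BRACED.findall(body):
        if token != PLACEHOLDER:
            problems.append(f"unrecognised token {token}: not the documented variable")
    if body.count("{") != body.count("}"):
        problems.append("unbalanced braces")
    if '"' in body:
        # Assumption: an embedded quote clashes with the quotation marks
        # that enclose the notification text on the command line.
        problems.append("double quote inside the body")
    if channel == "sms":
        rendered = body.replace(PLACEHOLDER, sample_code)
        # Approximation: ASCII-only text fits 160 characters in one SMS (GSM-7);
        # any other text is sent as UCS-2 with 70 characters per SMS.
        limit = 160 if rendered.isascii() else 70
        if len(rendered) > limit:
            problems.append(
                f"rendered SMS is {len(rendered)} chars, over the {limit}-char limit"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample bodies, not taken from any real configuration.
    samples = [
        ("email", "Your one-time password is {2fa_auth_code}."),
        ("email", "Your one-time password is {2fa_code}."),
        ("sms", "A" * 160 + " {2fa_auth_code}"),
    ]
    for channel, body in samples:
        print(channel, "->", lint_body(body, channel) or "ok")
```
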