5.2 Authenticators for Linux Client

Advanced Authentication provides the following authenticators for logging in to Linux Client:

NOTE:On SUSE Linux Enterprise, do not specify anything until the message Please wait is displayed; otherwise you will not be able to unlock the operating system.

NOTE:When you log in to SLES 12 Service Pack 3 as a domain user and pass all the authentication methods in the chain, and the error message Sorry that didn't work is displayed, see Domain Users Are Unable to Log In Even After Authenticating All the Methods In a Chain to resolve the issue and log in to the machine successfully.

NOTE:Sometimes on Ubuntu 18.04 LTS, a currently logged-in user is unable to log in as another user with the Log in as another user option on the locked screen, or after performing the following steps:

  1. Click System Menu on the upper-right corner.

  2. Click user name > Switch User.

    This issue occurs even when the Linux PAM Client is not installed on Ubuntu 18.04.

5.2.1 Bluetooth

The Bluetooth method enables you to authenticate using any Bluetooth enabled device that is within the range. When you initiate authentication, the Advanced Authentication server searches for the enrolled Bluetooth device. If the enrolled device is within the range, you are authenticated successfully.

For example, Susanne, who is a doctor, attends many in-patients in the hospital. She accesses the computer located in each room to monitor and update the health status of the patient. In this case, Susanne can specify her first-factor authentication details and use her Bluetooth enabled mobile phone to log in to the computer automatically when she is within range of a particular room.

NOTE:To use the Bluetooth method for authentication, you must install the Advanced Authentication Device Service. For more information on Device Service, see the Advanced Authentication - Device Service guide.

To authenticate using the Bluetooth method, perform the following steps:

  1. Ensure that Bluetooth is turned on in your device and is discoverable to the paired devices.

  2. The Device Service detects your Bluetooth device and authenticates.

    If the paired Bluetooth device is within range, the Bluetooth authentication is successful.

5.2.2 Authentication Agent

Authentication Agent enables you to perform multi-factor authentication on one computer to get authorized access to another computer, where it is not possible to display the user interface or connect any external authentication devices. You can install the Authentication Agent on a Windows system. When an authentication is initiated from a computer using the Authentication Agent chain, the Authentication Agent on the other computer opens a restricted browser where you must perform the authentication.

NOTE:You can install the Authentication Agent only on a Windows workstation.

IMPORTANT:If both the Windows Client and Authentication Agent are installed on the same workstation, the Authentication Agent is logged in automatically through the SSO feature. If the Windows Client is not installed, you must log in to the Authentication Agent manually.

To log in to Linux using the Authentication Agent on Windows, perform the following steps:

  1. Specify User name in the Linux computer.

  2. Click Next and specify the chain number corresponding to the Authentication Agent in the list.

    For more information about enabling the Authentication Agent chain in the Linux computer, see Enabling the Authentication Agent Chain.

  3. The Authentication Agent that is active on a Windows computer launches a restricted browser.

    IMPORTANT:If a restricted browser is not launched automatically, place the cursor on the Authentication Agent icon in System tray and ensure that the agent is logged in. If the agent is not logged in, double click the Authentication Agent icon to log in.

    The restricted browser prompts the login page. The user name that you have specified in the Linux computer is set in the login page by default.

  4. Click Next.

  5. Select and authenticate the preferred chain to log in to Linux computer in the restricted browser.

    For more information, see Logging In to Authentication Agent for Windows.

  6. After the successful authentication in the restricted browser, you are logged in to the Linux computer automatically.

5.2.3 Card

The Card method enables you to authenticate using the contactless smart card (with the card serial number) and Near-Field Communication (NFC) cards in the following ways:

  • While using contactless cards, when you try to authenticate on any device, the recorded serial number of the card is compared with the actual serial number. If the card serial numbers are identical, you are authenticated successfully.

  • In the case of NFC cards, when you place your NFC tag near the NFC reader (smartphone), the NFC reader (smartphone) identifies your NFC tag, and you are authenticated successfully.

NOTE:To use the card for authentication, you must install the Advanced Authentication Device Service.

To authenticate using the contactless card, perform the following steps:

  1. Ensure that the card reader is connected to your machine.

    A message Waiting for card is displayed.

  2. Tap your card on the reader.

    If the Card Serial Number in the card matches with enrolled card, the card authentication is successful.

The following table describes the possible error messages along with the workaround for the Card authentication.

Table 5-1 Card authenticator - error messages

  Error: Wrong card
  Possible Cause and Workaround: The card you have placed on the reader is incorrect. Try again with another card, re-enroll the authenticator in the Self-Service portal, or contact your helpdesk administrator.

  Error: Connect reader
  Possible Cause and Workaround: The reader is not connected properly. Try to connect it to a different USB slot and authenticate again.

  Error: <Your user name> has no authenticator for Card
  Possible Cause and Workaround: You have not enrolled the Card method. You must enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.

Using Card Method on Ubuntu LightDM

NOTE:When you specify the chain number corresponding to the Card method and try to authenticate to Ubuntu LightDM, the hints are not prompted. Tap your card on the reader to continue authentication.

  1. Ensure that the card reader is connected to your machine.

  2. Tap your card on the reader.

    A message Waiting for card is displayed.

    If the Card Serial Number in the card matches with enrolled card, the card authentication is successful.

5.2.4 Device Authentication

The Device Authentication method enables you to authenticate using a unique key pair stored in the workstation and PIN. During the enrollment process, a key pair is generated in the workstation and the same is used for further authentication. Device Authentication supports authentication to the Linux workstation and verifies the key pair to authenticate users.

To authenticate with the Device Authentication method, perform the following steps:

  1. Specify the PIN.

  2. Click Next.

    If the PIN matches with the enrolled PIN, the Device authentication is successful.

5.2.5 Email OTP

The Email OTP method enables you to authenticate using the one-time password (OTP) that is sent to the registered email address. When you try to authenticate on any device, the server sends an email to the registered email address with the OTP. You can use this OTP for single authentication within a short time frame.

To authenticate using the Email method, perform the following steps:

  1. Check your email. You must receive an email with OTP.

  2. Specify the OTP from Email in Password.

  3. Click Next.

    If the OTP matches with the server generated OTP, the Email OTP authentication is successful.

The following table describes the possible error messages along with the workarounds for the Email OTP authentication.

Table 5-2 Email OTP authenticator - error messages

  Error: Wrong answer
  Possible Cause and Workaround: The specified OTP is incorrect or has expired. Specify a valid OTP within the time frame.

  Error: Cannot send OTP. User does not have an email
  Possible Cause and Workaround: Your email address is not set in the profile of the repository. Contact your system administrator to add your email address to the profile.

5.2.6 Emergency Password

The Emergency Password method enables you to authenticate using a temporary password, issued with the help of the helpdesk administrator, if you have lost your smart card or forgotten your smartphone. The emergency password is valid for a limited number of days, 3 days by default. When you try to authenticate on any device, the submitted emergency password is compared with the enrolled password in the appliance. If the emergency passwords are identical, you are authenticated successfully.

To authenticate by using the Emergency Password method, perform the following steps:

  1. Specify the Emergency Password.

  2. Click Next.

    If the Emergency Password matches with the enrolled password, the Emergency Password authentication is successful.

The following table describes the possible error messages along with the workaround for the Emergency Password authentication.

Table 5-3 Emergency password - error messages

  Error: Wrong password
  Possible Cause and Workaround: The specified emergency password is incorrect. Specify a valid emergency password and try to authenticate again.

  Error: <Your user name> has no authenticator for Emergency Password
  Possible Cause and Workaround: You have not enrolled for the Emergency Password method. Enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.

5.2.7 Facial Recognition

The Facial Recognition method enables you to get automatically authenticated by presenting your face. You need to register your facial image using the web camera. When you try to authenticate on an application, the recorded image is compared with the actual image. If the images match, you are successfully authenticated.

The Facial Recognition method works with both integrated and external web cameras.

NOTE:To use the Facial Recognition method for authentication, you must install the Advanced Authentication Device Service. For more information about the Device Service, see the Advanced Authentication - Device Service guide.

To authenticate by using the Facial Recognition method, perform the following steps:

  1. Ensure that a camera is connected to your device.

  2. Present your face to the camera.

    If your face matches with the enrolled face, the face authentication is successful.

The following table describes the possible error messages along with the workaround for the Facial Recognition authentication.

Table 5-4 Facial Recognition - error messages

  Error: Failed to open camera
  Possible Cause and Workaround: The camera is not connected properly. Check your camera settings and try again.

  Error: Mismatch
  Possible Cause and Workaround: The enrolled face and the presented face do not match. You must present your face again for the authentication.

  Error: Face service is not available
  Possible Cause and Workaround: The Device Service is not installed. Ensure that the Device Service is installed.

Using Facial Recognition Method on Ubuntu LightDM

NOTE:When you specify the chain number corresponding to the Facial Recognition method and try to authenticate to Ubuntu LightDM, the hints are not prompted. Present your face to the camera to continue authentication.

  1. Ensure that a camera is connected to your device.

  2. Present your face to the camera.

    A message Detecting a face is displayed.

    If your face matches with the enrolled face, the face authentication is successful.

5.2.8 Flex OTP

The Flex OTP method enables you to authenticate using an OTP from any of your HOTP, TOTP, or Smartphone (Offline) authenticators. When you try to authenticate on any device, the submitted OTP is compared with the OTPs generated for your HOTP, TOTP, and Smartphone (Offline) authenticators. If the OTP is valid for any of them, you are authenticated successfully.

To authenticate using the Flex OTP method, perform the following steps:

  1. Specify the One-Time Password from any of your HOTP, TOTP, or Smartphone (Offline) authenticators.

  2. If the password is valid, the Flex OTP authentication is successful.

5.2.9 Fingerprint

The Fingerprint method enables you to authenticate using your fingerprint. The fingerprint scanner captures the fingerprint. When you try to authenticate on an application, the recorded fingerprint(s) are compared with the presented fingerprint. If the fingerprints match, you are authenticated successfully.

NOTE:To use the Fingerprint method for authentication, you must install the Advanced Authentication Device Service. For more information on Device Service, see the Advanced Authentication - Device Service guide.

To authenticate with the Fingerprint method, perform the following steps:

  1. Ensure that a fingerprint reader is connected to the required device.

  2. Place enrolled finger on the reader when using a touch sensor or swipe your finger when using a swipe sensor.

    If the fingerprint matches with the enrolled fingerprint, the authentication is successful.

5.2.10 HOTP

HOTP is a counter-based one-time password. This method enables you to authenticate using the counter-based one-time password generated on the HOTP token. The counter on the token must be in sync with the server. You can use generic HOTP tokens that adhere to RFC 4226. To enroll, you use the static secret key and three consecutive OTPs generated from the token. When you try to authenticate on any device, the OTP from the token is compared with the OTP generated on the server. If both OTPs are identical, you are authenticated successfully.

To authenticate by using the HOTP method, perform the following steps:

  1. Specify the HOTP when using a software token, or connect the USB token and press the button on the token.

  2. Click Next.

    If the OTP on the token matches with the server generated OTP, the HOTP authentication is successful.

The following table describes the possible errors along with the workaround for the HOTP authentication.

Table 5-5 HOTP - error messages

  Error: Wrong answer
  Possible Cause and Workaround: The OTP you have provided is incorrect, or the OTP counters on the token and server are out of sync. Specify a valid OTP and try to authenticate again.

  Error: <Your user name> has no authenticator for HOTP
  Possible Cause and Workaround: You have not enrolled for the HOTP method. You must enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.

5.2.11 LDAP Password

The LDAP Password method enables you to authenticate using the password of your corporate account. When you try to authenticate on an application, the submitted password is compared with the actual password in the corporate directory. If both passwords are the same, you are authenticated successfully.

To authenticate by using the LDAP Password method, perform the following steps:

  1. Specify your domain password.

  2. Click Next.

    If the LDAP Password matches with the password on the directory, the LDAP Password authentication is successful.

If the specified domain password is incorrect, the error message Invalid credentials is displayed. Specify a valid password and try to authenticate again.

5.2.12 Out-of-Band

The Out-of-band method facilitates you to authenticate using the push notification that is sent to the Out-of-band portal or OOB agent. When you initiate the authentication, a push notification is sent to the portal or agent. You can accept the request and get authenticated.

To authenticate by using the Out-of-band method, perform the following steps:

When you specify the chain number corresponding to the Out-of-band method, a message Continue at https://<AdvancedAuthenticationServerdomainname>/oob/ui is displayed on your computer.

  1. Open the OOB agent installed on your mobile or navigate to the OOB portal.

    A push notification is displayed.

    NOTE:If the push notification does not appear after 5 seconds, tap the Refresh icon to view the push notification for the initiated authentication.

  2. Tap Accept.

    If the response to authentication request is from a secured origin, the authentication is successful.

5.2.13 Password

The Password method enables you to authenticate using a secret string. The enrolled password is stored locally in Advanced Authentication. When you try to authenticate on any device, the specified password is compared with the enrolled password. If the passwords are identical, you are authenticated successfully.

To authenticate by using the Password (PIN) method, perform the following steps:

  1. Specify the password for your Advanced Authentication account.

  2. Click Next.

    If the password matches with the enrolled password, the Password authentication is successful.

The following table describes the possible error messages along with the workaround for the Password authentication.

Table 5-6 Password authenticator - error messages

  Error: Wrong password
  Possible Cause and Workaround: The password you have provided is incorrect. Specify a valid password and try to authenticate again.

  Error: <Your user name> has no authenticator for Password
  Possible Cause and Workaround: You have not enrolled for the Password method. You must enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.

5.2.14 PKI

The PKI method enables you to authenticate using any PKI device, such as a contact card or a USB token, that contains a digital certificate. The PKI reader validates the digital certificate and the identity of the user. When you try to authenticate on any device, the certificate in the device is compared with the enrolled certificate. If the certificates match, you are authenticated successfully.

NOTE:You must install the Advanced Authentication Device Service for the PKI method enrollment.

To authenticate by using the PKI method, perform the following steps:

  1. Insert the card in the reader or connect token to your machine.

  2. Specify the PIN.

    If the digital certificate in the card or token and enrolled certificate are identical, the PKI authentication is successful.

The following table describes the possible error messages along with the workaround for the PKI authentication.

Table 5-7 PKI authenticator - error messages

  Error: Wrong card
  Possible Cause and Workaround: The card that is used is incorrect. Try authenticating with another valid card or token. You can enroll the authenticator again in the Self-Service portal or contact your helpdesk administrator.

  Error: Present card
  Possible Cause and Workaround: The PKI device is not connected properly. Try to connect it to a different USB slot and authenticate again.

  Error: <Your user name> has no authenticator for PKI
  Possible Cause and Workaround: You have not enrolled for the PKI method. You must enroll the authenticator in the Self-Service portal or contact the helpdesk administrator.

5.2.15 RADIUS Client

The RADIUS Client method enables Advanced Authentication to forward the authentication request to a third-party RADIUS server. This can be any RADIUS server.

For example, you can use the RADIUS Client as an authentication method for token solutions such as RSA or Vasco.

To authenticate using the RADIUS Client method, perform the following steps:

  1. Specify the RADIUS password.

  2. Click Next.

If the error message Wrong answer is displayed, the RADIUS password might be incorrect.

5.2.16 Security Questions

The Security Questions method enables you to enroll answers to a pre-defined set of security questions. When you authenticate using security questions, Advanced Authentication prompts you with the configured security questions or a subset of them. You must answer the questions, and based on the correctness of the answers, you are authenticated successfully.

To authenticate using the Security Questions method, perform the following steps:

  1. Specify the answer for the security question.

  2. Click Next.

  3. Repeat steps 1 to 2 for all the required security questions.

The following table describes the possible error messages along with the workaround for the Security Questions authentication.

Table 5-8 Security Questions authenticator - error messages

  Error: Wrong answer
  Possible Cause and Workaround: The answer that you have provided is incorrect. Specify the correct answer and try to authenticate again.

  Error: <Your user name> has no authenticator for TOTP
  Possible Cause and Workaround: You have not enrolled the Security Questions method. You must enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.

5.2.17 Smartphone

The Smartphone method facilitates you to enroll and authenticate using the smartphone app. When you initiate the authentication, a push notification is sent to the app. You can accept the request and get authenticated.

To authenticate with the Smartphone method, perform the following steps:

When you specify the chain number corresponding to the Smartphone method, a message Accept on smartphone or enter the one-time password is displayed on your computer.

  1. Open the Advanced Authentication smartphone app.

    A push notification is displayed on your smartphone.

  2. Tap Accept.

    If the smartphone matches with the enrolled smartphone, the authentication is successful.

To authenticate with the Smartphone method using the offline authentication, perform the following steps:

  1. Open the Advanced Authentication smartphone app.

  2. Click Enrolled Authenticators from Menu in the smartphone app.

  3. Specify the OTP from the smartphone app in Password.

  4. Click Next.

    If the OTP on the smartphone app matches with server generated OTP, the authentication is successful.

The following table describes the possible error messages along with the workaround for the Smartphone authentication.

Table 5-9 Smartphone authenticator - error messages

  Error: Auth rejected
  Possible Cause and Workaround: You have declined the authentication request.

  Error: <Your user name> has no authenticator for TOTP
  Possible Cause and Workaround: You have not enrolled for the Smartphone method. You must enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.

5.2.18 SMS OTP

The SMS OTP method facilitates you to generate a single-use password or OTP and send it to the registered mobile number for authentication. You can use this OTP to authenticate within a short time frame.

NOTE:The OTP period is set to 120 seconds by default. An administrator has the privilege to change the OTP period.

To perform authentication using the SMS OTP method, perform the following steps:

  1. You will receive an SMS message with an OTP on your phone.

  2. Specify the OTP from the SMS.

  3. Click Next.

The following table describes the possible error messages along with the workaround for the SMS OTP authentication.

Table 5-10 SMS OTP authenticator - error messages

  Error: Cannot send OTP. User does not have a cell phone
  Possible Cause and Workaround: Your phone number is not registered in the repository. Contact your system administrator to add your mobile phone number to the account properties.

  Error: Login failed
  Possible Cause and Workaround: Either the OTP that you have specified is incorrect or it has expired. Try to authenticate again.

5.2.19 TOTP

The TOTP method enables you to authenticate using the time-based one-time password. TOTP is generated on a hardware token or a mobile app, such as the NetIQ Advanced Authentication app or the Google Authenticator app. The TOTP is valid for a short duration. This method uses a predefined period. The default value is 30 seconds.

To authenticate using the TOTP method, perform the following steps:

  1. Specify the TOTP from your hardware or software token.

  2. Click Next.

    If the OTP on the token matches with the server generated OTP, the TOTP authentication is successful.

The following table describes the possible error messages along with the workaround for the TOTP authentication.

Table 5-11 TOTP authenticator - error messages

  Error: Wrong answer
  Possible Cause and Workaround: The OTP you have provided is incorrect. Specify a valid OTP and try to authenticate again.

  Error: <Your user name> has no authenticator for TOTP
  Possible Cause and Workaround: You have not enrolled for the TOTP method. You must enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.
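The OTP comparison described in the HOTP, Flex OTP and TOTP sections above, as an added worked example of the server-side check. This is not Advanced Authentication's own code: the secret (the RFC 4226 test-vector key), the counters, the look-ahead window and the shared-secret Flex check are all constructed for the demo. It shows the RFC 4226 HOTP computation, the counter look-ahead that lies behind the "out of sync" row in Table 5-5, the three-consecutive-OTP counter sync used at enrollment, the 30-second TOTP period with one step of clock-drift tolerance, and a Flex-style check that accepts a code from either authenticator.

```python
"""Added example: server-side HOTP (RFC 4226) / TOTP (RFC 6238) verification.
Not Advanced Authentication's code; all keys and counters below are constructed."""
import hashlib
import hmac
import struct

# Constructed demo key: the RFC 4226 / RFC 6238 test-vector secret. Never a real enrolled key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of whole periods elapsed."""
    return hotp(secret, int(at_time // period), digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str, look_ahead: int = 10):
    """Check an HOTP against the server's counter with a look-ahead window.

    Returns the new counter to store (one past the matched value) or None.
    Counters behind stored_counter are never accepted, so a code is single-use.
    A token pressed more than look_ahead times without a successful login falls
    out of the window: the user sees "Wrong answer" and the token needs a re-sync.
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def sync_counter(secret: bytes, consecutive_otps, search_window: int = 100_000):
    """Enrollment-time sync from the static key plus three consecutive OTPs.

    Finds the counter at which the supplied OTPs appear back to back and returns
    the counter the server should store next. One OTP alone would match many
    counters in a large window; three in a row make a false match negligible.
    """
    n = len(consecutive_otps)
    for c in range(search_window):
        if all(hmac.compare_digest(hotp(secret, c + i), consecutive_otps[i]) for i in range(n)):
            return c + n
    return None


def verify_totp(secret: bytes, submitted: str, at_time: float,
                period: int = 30, drift_steps: int = 1) -> bool:
    """Check a TOTP for the current period, tolerating drift_steps periods of skew either way."""
    step = int(at_time // period)
    return any(hmac.compare_digest(hotp(secret, s), submitted)
               for s in range(step - drift_steps, step + drift_steps + 1))


def verify_flex(hotp_secret: bytes, stored_counter: int, totp_secret: bytes,
                submitted: str, at_time: float):
    """Flex OTP style check: accept the code if it is valid for the HOTP or the TOTP authenticator.

    Returns (method, counter_to_store) or None. Each authenticator has its own secret;
    the demo test simply passes the same key for both (assumption, not a real setup).
    """
    new_counter = verify_hotp(hotp_secret, stored_counter, submitted)
    if new_counter is not None:
        return "hotp", new_counter
    if verify_totp(totp_secret, submitted, at_time):
        return "totp", stored_counter
    return None


if __name__ == "__main__":
    print("HOTP(counter 0):", hotp(DEMO_SECRET, 0))
    print("TOTP(t=59):", totp(DEMO_SECRET, 59))
    print("sync from three OTPs:", sync_counter(DEMO_SECRET, ["254676", "287922", "162583"]))
```

The look-ahead and drift windows are the tunable risk knobs: a wider window helps users whose token or phone clock has drifted, but it also widens the set of codes an attacker could guess at any moment, so both are kept small and a failed login never advances the stored counter.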

5.2.20 FIDO U2F

The FIDO U2F authentication method enables you to connect a FIDO U2F compliant token to the computer or laptop and touch the flashing token to authenticate. When you try to authenticate on any device, the token connected to the device is compared with the enrolled token. If the token details match, you are authenticated successfully.

NOTE:You must install the Advanced Authentication Device Service for the FIDO U2F authentication.

To authenticate using the FIDO U2F method, perform the following steps:

  1. Ensure that the FIDO U2F token is connected to your computer.

    A message Please connect a U2F token. Please touch the flashing U2F device now is displayed.

  2. Touch the button on the token when there is a flash.

    If the token and attestation certificate in the token matches with the enrolled U2F token, the FIDO U2F authentication is successful.

    If there is no flash, wait for a few seconds. If there is no flash for more than a minute, reconnect your token and repeat the steps.

The following table describes the possible error messages along with the workaround for the FIDO U2F authentication.

Table 5-12 FIDO U2F authenticator - error messages

  Error: Wrong token. Try another one
  Possible Cause and Workaround: The token that you have connected is incorrect. Try to authenticate with another token, re-enroll the authenticator in the Self-Service portal, or contact your helpdesk administrator.

  Error: Connect a token
  Possible Cause and Workaround: The token is not connected properly. Try to connect it to a different USB slot and authenticate again.

  Error: <Your user name> has no authenticator for U2F
  Possible Cause and Workaround: You have not enrolled for the U2F method. You must enroll the authenticator in the Self-Service portal or contact your helpdesk administrator.

NOTE:To use U2F on Google Chrome, you must perform the following steps:

  1. Download or create a copy of the file 70-u2f.rules in the Linux directory: /etc/udev/rules.d/ from https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules.

    If the file is already available, ensure that the content is similar to that specified in https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules.

    NOTE:If your version of UDEV is lower than 188, use the rules specified at https://github.com/Yubico/libu2f-host/blob/master/70-old-u2f.rules.

  2. Save the 70-u2f.rules file and reboot the system.

Using FIDO U2F on Ubuntu LightDM

NOTE:When you specify the chain number corresponding to the FIDO U2F method and try to authenticate to Ubuntu LightDM, the hints are not prompted. Connect the U2F token to the computer and touch the button when there is a flash on the token.

  1. Ensure that the FIDO U2F token is connected to your computer.

  2. Touch the button on the token when there is a flash.

    A message Please connect a U2F token. Please touch the flashing U2F device now is displayed.

    If the token and attestation certificate in the token matches with the enrolled U2F token, the FIDO U2F authentication is successful.

5.2.21 Voice

The Voice method initiates a call to your registered phone number. The phone call requests you to specify the PIN in the dial pad of your mobile to authenticate. When you try to authenticate on any device, the recorded PIN is compared with the actual PIN. If both PINs are identical, you are authenticated successfully.

To authenticate using the Voice method, perform the following steps:

When you specify the chain number corresponding to the Voice method, a message Wait a phone call is displayed on your computer.

  1. Check your mobile phone.

    You will receive a phone call.

  2. Answer the phone call and listen to the request on the phone.

  3. Specify your PIN code followed by the hash symbol (#) in the dial pad of your mobile phone.

    If the PIN matches with enrolled PIN, the Voice authentication is successful.

Using Voice Method on Ubuntu LightDM

NOTE:When you specify the chain number corresponding to the Voice method and try to authenticate to Ubuntu LightDM, the hints are not prompted. Receive the phone call and specify your PIN followed by hash symbol in the dial pad to continue authentication.

  1. Check your mobile phone.

    You will receive a phone call.

  2. Answer the phone call and listen to the request on the phone.

  3. Specify your PIN code followed by the hash symbol (#) in the dial pad of your mobile phone.

    A message Wait a phone call is displayed on your computer.

    If the PIN matches with enrolled PIN, the Voice authentication is successful.

5.2.22 Voice OTP

The Voice OTP method enables you to authenticate using the OTP that is sent through the phone call to your registered phone number. You can use this OTP for authentication within a short time frame. When you try to authenticate on any device, the specified OTP is compared with the OTP generated on the server. If both the OTPs are identical, you are authenticated successfully.

To authenticate using Voice OTP method, perform the following steps:

When you specify the chain number corresponding to the Voice OTP method, a message Wait a phone call is displayed on your computer.

  1. Check your mobile phone.

    You will receive a phone call.

  2. Answer the call on your phone and listen to the voice OTP.

  3. Specify the OTP in Password.

  4. Click Next.

    If the OTP matches with the server generated OTP, the Voice OTP authentication is successful.
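The delivered-OTP flow shared by the Email OTP, SMS OTP and Voice OTP sections (a random code sent to a registered address, usable once within a short time frame), as an added worked example of the server side. This is not Advanced Authentication's own code; the 120-second period is the SMS OTP default quoted above, while the attempt limit, the storage layout and the sample user names and contact details are assumptions made for the demo. It shows why "Cannot send OTP" is raised when no contact is on file, and how expiry, single use and an attempt cap each turn into the "Login failed" response.

```python
"""Added example: issue/verify for an out-of-band delivered OTP (email, SMS or voice).
Not Advanced Authentication's code; attempt limit and store layout are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

OTP_DIGITS = 6
DEFAULT_PERIOD = 120   # seconds; the SMS OTP default stated on this page
MAX_ATTEMPTS = 3       # assumption for the demo; the page does not state a limit


@dataclass
class IssuedOtp:
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class DeliveredOtpService:
    """Issues a random OTP per user, hands it to a delivery channel, and accepts it once.

    Only a salted hash of the code is kept, so a read of the store does not leak
    live codes outright. A 6-digit code has just 10**6 possibilities, so the real
    protection is the short expiry plus the attempt limit, not the hash.
    """

    def __init__(self, period: int = DEFAULT_PERIOD):
        self.period = period
        self._pending: Dict[str, IssuedOtp] = {}

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("ascii")).digest()

    def issue(self, user: str, contact: Optional[str], now: float) -> Optional[str]:
        """Create a code for `user`. Returns None when the repository has no delivery
        address, the situation behind the "Cannot send OTP" rows in the tables."""
        if not contact:
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # uniform, CSPRNG-backed
        salt = secrets.token_bytes(16)
        self._pending[user] = IssuedOtp(salt, self._digest(salt, code), now + self.period)
        # A real service passes `code` and `contact` to the email/SMS/voice gateway here;
        # the demo returns the code so a caller can simulate the user typing it in.
        return code

    def verify(self, user: str, submitted: str, now: float) -> str:
        """Return "OK" or the user-facing "Login failed"; never reveal which check failed."""
        rec = self._pending.get(user)
        if rec is None or rec.used or rec.attempts_left <= 0:
            return "Login failed"
        if now > rec.expires_at:
            rec.used = True                   # an expired code is retired, not retried
            return "Login failed"
        rec.attempts_left -= 1                # every guess costs an attempt, matched or not
        if not hmac.compare_digest(self._digest(rec.salt, submitted), rec.digest):
            return "Login failed"
        rec.used = True                       # single use: replaying the same code fails
        return "OK"


if __name__ == "__main__":
    svc = DeliveredOtpService()
    code = svc.issue("alice", "+1-555-0100", now=1000.0)   # constructed sample user and number
    print("issued:", code)
    print("first use:", svc.verify("alice", code, now=1050.0))
    print("replay:", svc.verify("alice", code, now=1051.0))
```

A timestamp is passed in rather than read from the clock so the expiry behaviour can be exercised deterministically; in service code `now` would be `time.time()` on the server, never a value supplied by the client.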