FIDO2 - TOTPRadius VPN Portal - Easy and secure access to corporate VPN
FIDO VPN Portal
Starting from v0.2.5, TOTPRadius provides new ways of connecting to your corporate VPN systems based on L2TP, such as Meraki Client VPN or Fortinet VPN. The new web-based VPN portal allows logging in using additional methods: FIDO security keys, both in passwordless mode (if FIDO2 keys are used) and as the second factor (which allows legacy U2F FIDO hardware to be used), as well as Azure AD (Microsoft Entra ID) SSO via the OAuth2 protocol.

Demos
The videos below show the user experience when using the FIDO2 VPN portal in different configuration modes:
- 2FA mode (without passwordless; makes legacy devices compatible with the solution)
- Passwordless mode (only FIDO2 keys can be used)
The network setup and required firewall rules for the different usage modes of TOTPRadius are described in this article. It is also important to set up an FQDN and an HTTPS web certificate for the VPN web portal.
FIDO VPN Portal
Enable FIDO VPN portal in the Admin portal, General settings. The settings may look like shown below:
The settings shown in this example are explained in the table below:
Setting | Description and possible values
Allow FIDO2 Interface | Enables this functionality. If disabled, the FIDO2-VPN web interface will not function at all
FIDO-VPN enabled by default per user | If this setting is set to Enabled, any user in your database or Active Directory will have access to the portal and can use this method to generate VPN connection files
FIDO2 VPN Settings | A configuration file template used to generate the connection files. The one in the screenshot above shows the connectivity for Meraki Client VPN
FIDO2 only | If this setting is enabled, TOTP-based VPN access will be denied. Please note that this does not restrict OAuth2 login functionality (it has to be controlled separately)
Advanced FIDO security keys settings
The FIDO-VPN portal can support legacy FIDO (U2F) devices as well as passwordless login if FIDO2 devices are used. FIDO2 offers full passwordless authentication, while FIDO U2F is designed to be used only as a traditional second factor alongside a password; therefore these settings cannot co-exist and only one of the two options can be chosen. The settings are as shown below:
The settings shown in this example are explained in the table below:
Setting | Description and possible values
Allow legacy keys | Allow using legacy U2F FIDO keys. If enabled, the passwordless method cannot be enabled or used
Enable passwordless | Allow the passwordless login method. It is not compatible with the "Allow legacy keys" option, and only FIDO2 security keys can be used. The system will check whether the security key is protected by a PIN code or a fingerprint and will prompt the user to protect it if it is not.
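The difference between the two modes is visible at the WebAuthn level. The following is an added illustration, not TOTPRadius code: it builds the credential-creation options a portal would pass to `navigator.credentials.create()` for each mode (the mode names "passwordless" and "second-factor" are assumed), and shows how a server can verify the "key is protected by a PIN or fingerprint" condition from the user-verified flag in the authenticator data that the key returns.

```javascript
// Added example (not TOTPRadius code). Mode names are assumed.
function creationOptions(mode, rpId, userHandle, challenge) {
  const passwordless = mode === "passwordless";
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userHandle, name: "vpn-user", displayName: "vpn-user" },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",
      // Passwordless needs a discoverable credential plus user verification (PIN or
      // fingerprint). Legacy U2F keys support neither, which is why the portal cannot
      // enable "Allow legacy keys" and "Enable passwordless" at the same time.
      residentKey: passwordless ? "required" : "discouraged",
      requireResidentKey: passwordless,
      userVerification: passwordless ? "required" : "discouraged",
    },
    attestation: "none",
  };
}

// Authenticator data layout: rpIdHash[32] | flags[1] | signCount[4] | ...
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)
function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0), // big-endian per the WebAuthn spec
  };
}

// Server-side rule: in passwordless mode a registration is accepted only if the
// key actually performed user verification; in second-factor mode touch is enough.
function acceptRegistration(mode, authData) {
  const f = parseAuthDataFlags(authData);
  if (!f.userPresent) return false;
  return mode === "passwordless" ? f.userVerified : true;
}

// Constructed sample authenticator data: zeroed rpIdHash, given flags, signCount = 5.
function sampleAuthData(flags) {
  const a = new Uint8Array(37);
  a[32] = flags;
  a[36] = 5;
  return a;
}
```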
Once the settings are configured, you can test by visiting the configured FQDN. The OAuth2 interface is located in the "fido2" folder (i.e. https://vpn-portal-fqdn/fido2/index.php).
Please note that versions prior to 0.3 allowed using only one FIDO2 key. More recent versions allow enrolling multiple keys per user.