FIDO2 - TOTPRadius VPN Portal - Easy and secure access to corporate VPN
FIDO VPN Portal
Starting from v0.2.5 TOTPRadius provides new ways of connecting to your corporate VPN systems based on L2TP, such as Meraki Client VPN or Fortinet VPN . The new web-based VPN portal allows logging in using additional methods, such as FIDO Security keys, both in Passwodless mode (if FIDO2 keys are used) and using the keys as the second factor (allowing to use legacy U2F FIDO hardware), as well as Azure AD SSO via OAuth2 protocol.

Demos
The videos below show the user experience when using FIDO2 VPN portal in different configuration modes:2FA mode (without passwordless, makes legacy devices compatible with the solution)
Passwordless mode (only FIDO2 keys can be used)
The network setup and required firewall rules for different usage modes of TOTPRadius are described in this article. It is also important to set-up an FQDN and HTTPS web certificate for the VPN Web portal.
FIDO VPN Portal
Enable FIDO VPN portal in the Admin portal, General settings. The settings may look like shown below:
The settings shown on this example are explained in the table below:
Setting |
Description and possible values |
Allow FIDO2 Interface |
Enables this functionality. If disabled, the FIDO2-VPN Web Interface will not function at all |
FIDO-VPN enabled by default per user |
If this setting is set to Enabled, any user in your database or Active Directory will have access to the portal and can use this method to generate VPN connection files |
FIDO2 VPN Settings |
A configuration file template used to generate the connection files. The one on the screenshot above is showing the connectivity for Meraki Client VPN |
FIDO2 only |
If this setting is enabled, TOTP-based VPN access will be denied. Please note that this does not restrict Oauth2 login functionality (it has to be controlled separately) |
Advanced FIDO security keys settings
FIDO-VPN portal can support legacy FIDO devices (u2f) as well as Passwordless login if FIDO2 devices are used. FIDO2 offers full password-less authentication while FIDO U2F is designed to be used with a password as a traditional second factor only, therefore these settings cannot co-exist, only one of these options can be chosen. The settings are as shown below:
The settings shown on this example are explained in the table below:
Setting |
Description and possible values |
Allow legacy keys |
Allow using legacy U2F FIDO keys. If enabled, Passwordless method cannot be enabled or used |
Enable passwordless |
Allow Passwordless login method. It Is not compatible with legacy U2F FIDO keys option enabled and only FIDO2 security keys can be used. The system will check if the security key is protected by a PIN code or a fingerprint and prompt to protect if it is not the case. |
Once the settings are configured, you can test by visiting the configured FQDN. The OAuth2 interface is located in "fido2" folder (i.e. https://vpn-portal-fqdn/fido2/index.php)
Please note that this solution currently allows using only one FIDO2 key.
About
Installation and configuration
- Installation and initial configuration
- Network configuration
- Migrating from older versions
- LDAP Configuration
- Azure AD Configuration
- Self-service enrollment portal
- Web and LDAPS Certificates
- Syslog configuration
- Single-factor authentication exceptions
- Slave appliance mode
- Dynamic RADIUS Attributes
Integration guides
Blog
03-01-2022
molto2.py - Molto2 USB Config tool
molto2.py is a solution developed by Token2 to program and configure the Molto2v2 TOTP hardware tokens using pyscard python library. It works under Linux, macOS and Windows.
15-12-2022
Introducing Passwordless Login for Our Website!
At Token2, we are always looking for ways to improve the user experience and make it as convenient and secure as possible. That's why we are excited to announce the addition of a passwordless login option for our website.
05-12-2022
Provisioning Token2 TOTP programmable tokens - a universal guide
We have a lot of integration guides describing the process of enrolling our programmable tokens with different systems, such as Google, Microsoft, Facebook and many others.