
MFA Settings

MFA can be enabled or disabled system-wide from the PBX MFA module (PBX MFA > Multi-factor Authentication).

By default, MFA is disabled.

When enabling MFA, the admin has to confirm that the email setup (if the MFA type is Email, Authenticator Apps or All) or the call setup (if the MFA type is Call or All) is actually working, by sending a test mail or by making a test call.

Ref : PBX Email setup validator
Ref : PBX Call setup validator

All emails are sent from the address <AMPUSERMANEMAILFROM>.

All email subjects include the PBX brand and the configured server identifier (FREEPBX_SYSTEM_IDENT).

After enabling MFA, the admin can view the other MFA settings:

  1. Type of MFA

    1. If the MFA type is set to "Email" - an OTP is sent to the user by email.

    2. If the MFA type is set to "Call" - a call is made to the extension associated with the user; the user has to answer the call and press the "#" key to authenticate.

      1. When enabling MFA via Call, the admin has to validate that the PBX extension setup is good by making a test call. Ref : PBX Call setup validator

    3. If the MFA type is set to "Authenticator Apps" - an OTP is generated by the linked authenticator app, and the user has to enter this OTP every time they log in. We recommend authenticator apps such as Microsoft Authenticator or Google Authenticator.

    4. If the MFA type is set to "All" - all MFA methods are displayed to the user during login, and the user can pick one of them to verify their identity.

Note

MFA via authenticator apps also works with the other authenticator apps available in the Google Play Store or Apple App Store, since they all implement the same standard algorithms.

There are two commonly used protocols for authenticator apps:

  1. HOTP (HMAC-based one time password), which is specified in RFC 4226

  2. TOTP (Time-based one time password), which is specified in RFC 6238

  2. Type of Users : Enable / disable MFA for all users, only for all admins (including UCP users who have administrator GUI access), or only for all UCP users.

  3. Email Settings : This setting is visible only when the MFA type is set to Email, App, or All. Email settings are used to customize the MFA-related emails. Steps to use email templates:

    1. Enable custom email settings. If this setting is disabled, the default email templates are used (the OTP Email Template and the Steps to configure Authenticator app Template).

    2. After enabling Custom Email Template, the admin can redesign the email templates for the OTP verification email and for the steps-to-configure-authenticator-app email.

    3. The admin can include predefined variables in the Subject and Body. The predefined variables are replaced with specific values when the template is used. For example, the variable "{{displayname}}" represents the recipient's full name.
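As an added illustration of the two algorithms named in the note above (this is example code, not the FreePBX MFA module's own implementation): a minimal HOTP (RFC 4226) and TOTP (RFC 6238) generator, a verifier that tolerates one time step of clock skew, and the otpauth: provisioning URI that authenticator apps read from a QR code. The secret is the RFC test secret, the issuer and username are constructed sample values, and SHA-1 / 6 digits / 30-second steps / a one-step window are the common defaults assumed here, not documented settings of the PBX.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps either side
    (clock skew between the PBX and the phone), comparing in constant time.

    A production verifier must additionally remember the highest step it accepted,
    so the same code cannot be replayed inside the window, and must rate-limit
    attempts (RFC 6238 section 5.2). Those parts are left out here.
    """
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    current = unix_time // step
    ok = False
    for c in range(current - window, current + window + 1):
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


def otpauth_uri(secret: bytes, username: str, issuer: str) -> str:
    """The provisioning URI encoded in the QR code (Google's Key Uri Format).
    The shared secret is Base32-encoded with padding stripped."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(username)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret, not a real PBX secret.
    SECRET = b"12345678901234567890"
    print(hotp(SECRET, 0))                     # RFC 4226 test vector: 755224
    print(totp(SECRET, 59, digits=8))          # RFC 6238 test vector: 94287082
    print(verify_totp(SECRET, totp(SECRET, 1_000_000), 1_000_030))   # True
    print(otpauth_uri(SECRET, "alice", "FreePBX"))
```

The secret in the QR mail (the "secretcode" variable below) is exactly the Base32 string in that URI, which is why the page treats a working email setup as a prerequisite for authenticator-app MFA: whoever can read that mail can enrol the same token.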

Predefined Variables             Definitions

OTP Mail Subject
  brand                          Brand Name
  machine                        PBX System Identifier

OTP Mail Body
  displayname                    User full name
  brand                          Brand Name
  username                       Username
  otp                            One Time Password

QR Code Mail Subject
  brand                          Brand Name
  machine                        PBX System Identifier

QR Code Mail Body
  displayname                    User full name
  brand                          Brand Name
  secretcode                     Authenticator app secret code
  secretcodeimg                  Authenticator app QR code image

The predefined variables must be enclosed in double curly braces, e.g. {{brand}}.
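An added example of how a template renderer for the variables listed above can be written safely (illustrative code, not the FreePBX module's implementation): it substitutes only the variables predefined for the given template, rejects any other placeholder, and HTML-escapes substituted values in the mail body so that a user-controlled display name or username cannot inject markup into the OTP mail. The template names and the rule that `secretcodeimg` is inserted unescaped (assumed to carry the QR image markup) are assumptions of this example.

```python
import html
import re

# Predefined variables allowed in each template, as listed in the table above.
TEMPLATE_VARS = {
    "otp_subject": {"brand", "machine"},
    "otp_body": {"displayname", "brand", "username", "otp"},
    "qr_subject": {"brand", "machine"},
    "qr_body": {"displayname", "brand", "secretcode", "secretcodeimg"},
}

# Assumed to contain markup (the QR code image) and therefore inserted as-is.
RAW_VARS = {"secretcodeimg"}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_]+)\s*\}\}")


def render(template_name: str, template: str, values: dict, html_body: bool) -> str:
    """Replace {{var}} placeholders; refuse variables not predefined for this template."""
    allowed = TEMPLATE_VARS[template_name]

    def substitute(match: re.Match) -> str:
        name = match.group(1).lower()
        if name not in allowed:
            raise ValueError(f"{{{{{name}}}}} is not a predefined variable for {template_name}")
        value = str(values[name])
        # User-controlled values (display name, username) must not inject HTML.
        if html_body and name not in RAW_VARS:
            value = html.escape(value, quote=True)
        return value

    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample values, including a hostile display name.
    sample = {"displayname": "<script>alert(1)</script>", "brand": "FreePBX",
              "username": "alice", "otp": "482913"}
    print(render("otp_subject", "{{brand}} OTP for {{machine}}",
                 {"brand": "FreePBX", "machine": "pbx.example.test"}, html_body=False))
    print(render("otp_body", "<p>Hi {{displayname}}, your code is <b>{{otp}}</b></p>",
                 sample, html_body=True))
```

Subjects are plain text, so they are rendered with `html_body=False`; bodies are HTML and get escaping for everything except the image variable.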

  • If a userman user has PBX Administration GUI access, that user is displayed under the "Administrator" tab.

  • If the Type of MFA is "Email", "App" or "All", MFA is enabled only for users who have an email address. If a user has no email address, the admin can enable that user manually by entering the user's email address.

  • If the Type of MFA is "Call" or "All", MFA is enabled only for users who are linked to an extension.

    1. If an administrator user is not linked to an extension, the admin can enable that user manually by entering the admin's extension.

    2. If a userman user is not linked to an extension, the admin has to link an extension to that user in the userman module before enabling MFA.

  • The admin can enable / disable multiple users at once.

  • Admin MFA and UCP MFA can also be enabled for users from the userman module.

Note

To enable administrator MFA, FreePBX Administration GUI access must be enabled for that user, and an MFA admin license pack must be available for that user (see MFA User License).

Recovery/Backup Codes

  • If users can't get codes or OTPs by email, call, or authenticator app because of connectivity or delivery issues, they can sign in to the PBX with one of their 6-digit backup codes.

  • The administrator can create / refresh a set of 10 backup codes for each user from the MFA settings page, and userman users can generate / regenerate / delete / download backup codes from UCP Settings. When a new set of codes is created, the old set is automatically removed.

    • Once a user signs in with a backup code, that code becomes inactive.


Note

To use backup codes, MFA must be enabled.
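An added example of how the backup-code behaviour described above (a set of 10 six-digit codes, each usable once, the whole set discarded on regeneration, all codes invalidated on reset) can be implemented safely. This is illustrative code, not the FreePBX module's implementation; the PBKDF2 parameters and the store layout are assumptions. The points it demonstrates: codes are drawn from `secrets`, only salted hashes are stored, comparison is constant-time, and a used or superseded code is never accepted again.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_DIGITS = 6
PBKDF2_ROUNDS = 100_000   # assumed value; slows offline guessing of the small 6-digit space


def generate_backup_codes(count: int = CODE_COUNT, digits: int = CODE_DIGITS) -> list[str]:
    """Cryptographically random, distinct, zero-padded numeric codes (never use `random`)."""
    codes: set[str] = set()
    while len(codes) < count:
        codes.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return sorted(codes)


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Per-user backup-code state. Plaintext codes exist only in the return value
    of issue(), which is what the user downloads; the store keeps hashes only."""

    def __init__(self) -> None:
        self.salt = b""
        self.hashes: list[bytes] = []

    def issue(self) -> list[str]:
        """Create / refresh the set; the previous set is discarded in the same step."""
        codes = generate_backup_codes()
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]
        return codes

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept an unused code exactly once. Callers must rate-limit attempts:
        a 6-digit space is small, so unlimited online guessing defeats the hashing."""
        if not (submitted.isdigit() and len(submitted) == CODE_DIGITS):
            return False
        candidate = hash_code(submitted, self.salt)
        for index, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                del self.hashes[index]        # single use: the code is now inactive
                return True
        return False

    def reset(self) -> None:
        """MFA reset: every saved code stops working until a new set is issued."""
        self.salt = b""
        self.hashes = []


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()          # shown / downloaded once
    print(store.redeem(codes[0]))  # True
    print(store.redeem(codes[0]))  # False, already used
    print(store.remaining())       # 9
```

Storing hashes rather than plaintext matters because backup codes are a full second-factor bypass: a database dump or a backup of the PBX that contains them in the clear is equivalent to a dump of every user's MFA.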

Reset MFA

  • The admin can reset the MFA settings of a user using the refresh icon next to the backup codes; userman users can reset MFA from UCP Settings.

  • After the reset, the affected user can no longer use the backup codes that were saved and are currently in use for authentication. New backup codes have to be generated and saved for this user.

  • If this user had previously configured an authenticator app, they will receive the authenticator app configuration mail again the next time they sign in.

Note

To reset MFA, MFA must be enabled.

PBX Email setup validator

MFA via Email and MFA via Authenticator apps both require a working email setup in the PBX, so this step confirms (validates) that the PBX email setup is good.

On the MFA landing page, as soon as system-wide MFA is enabled via Authenticator app or via Email, a dialog comes up asking you to enter your email address.

As soon as an email address is entered, the PBX sends an OTP to that address and asks you to validate the OTP.

If the OTP verification -

  • succeeds, the PBX email setup is confirmed to be working, and only then can the MFA setup proceed.

  • fails, the MFA setup process will not continue, because MFA requires a working PBX email setup. Fix the PBX email setup and then retry this process.

PBX Call setup validator

MFA via Call requires a working extension setup in the PBX, so this step confirms (validates) that the PBX extension setup is good.

On the MFA landing page, as soon as system-wide MFA is enabled via Call, a dialog comes up asking you to enter the extension number to which a test call will be made. The admin has to answer the call and press # to verify the call setup.

Fwconsole Commands to unlock session

  • A new command has been added to unlock a UCP user session. This lets the admin unlock the UCP user session if, for any reason, the user is not able to log in via OTP.
    Highlight the textual area near the middle of the page in your web browser to copy the "hidden" session ID. Then use the command below to unlock the web UI session and log in as that UCP user.

    • fwconsole unlockucp --username=<username> --key=<session-id>

Unlocking the PBX admin UI via SSH continues to work, and it bypasses the OTP functionality. Anyone with shell access to the PBX can therefore bypass admin MFA, so SSH access to the PBX must be restricted accordingly.

Note

fwconsole unlock <session-id>

MFA User License

The PBX MFA module, purchased via the Sangoma Portal, includes the option to enable MFA for 1 admin user and for an unlimited number of userman users. If a customer needs additional admin MFA users, they have to purchase additional MFA User licenses.

User license expires

If an admin user's MFA license expires, MFA is automatically disabled for that user, but userman users' MFA remains enabled. Monitor license expiry, since it silently removes the second factor from the admin account.
