Freedom2Roam - OTP Authentication
After creating a group and adding some users to it, you will need to set the level of authentication (i.e. how stringent the security requirements are when logging in) required for that group. You can then amend these settings at any time (and as many times as necessary) after a group has been created. To define a group's security settings, click Select to the left of the group's name.
The following will then appear at the bottom of the web page (below the DNS settings box) when the Users tab is selected.

Scroll down to the section titled OTP Authentication. Click on one of the radio buttons to select the desired option.

Definition of OTP Authentication options:
- Not required - this is the least stringent type of login. Users will be allowed to log in to your system with only their USO username and password.
- Required if available - this is a more secure login that will require those users who have a registered OTP tag to log in using the tag. Users who do not have a registered OTP tag but are members of this group will be able to log in with just a username and password.
- Compulsory - this is the most stringent type of login requirement; only users who have a registered OTP tag can log in and access the specified resources. If a user who does not have an OTP tag is placed in a group where this option is selected, that user will be unable to access those resources when they log in.
Login requirements and group priority
A single user may be made a member of more than one group. The different groups to which that user belongs may have different levels of authentication required to log in and, consequently, different levels of network access.
For example: a user is in a group with Priority 0 (the highest), where an OTP tag is Compulsory for login. The same user is also a member of a second group with Priority 1 where OTP Authentication is set as Not required.
If this user tries to log in but does not have an OTP tag in their possession at the time, the user may still be able to log in, but through their membership in the second group rather than the first. This would mean that although the user has managed to log in, what they can access will be dictated by what the lower priority group can access, which is likely to be more limited than what the higher priority group can access.
If the same user is only a member of one group, or of multiple groups that all require an OTP tag to log in, and does not have an OTP tag to hand, they will not be able to access those resources when they log in. However, if the user is a member of different groups and one of those groups does not require an OTP code, the user's login details will be checked against the different groups to see whether that user can be allowed in and what they can access.
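
The fallback between groups described above can be modelled as follows. This is an added example, not Freedom2Roam's own code: it assumes groups are tried in priority order and the first group whose OTP setting is satisfied is used, and the names Group, group_admits, resolve_group, password_only_fallback and the sample group names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class OtpPolicy(Enum):
    NOT_REQUIRED = "Not required"
    REQUIRED_IF_AVAILABLE = "Required if available"
    COMPULSORY = "Compulsory"


@dataclass(frozen=True)
class Group:
    name: str          # constructed sample names, not real groups
    priority: int      # 0 is the highest priority, as on this page
    policy: OtpPolicy


def group_admits(policy: OtpPolicy, has_tag: bool, otp_ok: bool) -> bool:
    """Apply one group's OTP setting to a login whose password was correct."""
    if policy is OtpPolicy.NOT_REQUIRED:
        return True
    if policy is OtpPolicy.REQUIRED_IF_AVAILABLE:
        # Tag holders must use the tag; users without one pass on password.
        return otp_ok if has_tag else True
    return has_tag and otp_ok  # COMPULSORY


def resolve_group(groups: Iterable[Group], has_tag: bool, otp_ok: bool) -> Optional[Group]:
    """Return the highest-priority group that admits this login, or None."""
    for group in sorted(groups, key=lambda g: g.priority):
        if group_admits(group.policy, has_tag, otp_ok):
            return group
    return None


def password_only_fallback(groups: Iterable[Group]) -> Optional[Group]:
    """Audit helper: where a tag holder lands when no OTP code is supplied."""
    return resolve_group(groups, has_tag=True, otp_ok=False)


# Constructed sample: the two-group example from the text above.
STAFF = Group("staff-full", 0, OtpPolicy.COMPULSORY)
BASIC = Group("staff-basic", 1, OtpPolicy.NOT_REQUIRED)

if __name__ == "__main__":
    for otp_ok in (True, False):
        g = resolve_group([BASIC, STAFF], has_tag=True, otp_ok=otp_ok)
        print(f"otp_ok={otp_ok}: {g.name if g else 'no access'}")
```

A result other than None from password_only_fallback means a tag holder in those groups can still log in on the password alone, with that lower priority group's access.
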
Logging in to Remote Access with an OTP tag
Please note that users will need to be made aware of the required format for logging in with an OTP tag as there will be no additional prompt for an OTP code after the initial login screen.
To log in with an OTP code the password must be entered as MyPassword.xxxxxx (where xxxxxx is the OTP code generated for that login and the password is the user's usual USO account password).
Access Log
It is possible for Nominated Contacts to see who from their school has attempted to log in to Freedom2Roam via the AnyConnect client.
The access logs are found at the bottom of the Remote Access resources page.
You can search through the logs by date range or use one of the provided search buttons.
The results shown provide the following information:
- Username - the username that was used during the login attempt.
- Name - the name of the person who attempted to log in (this will only be shown if the username was valid).
- Establishment - the establishment the username is associated with. This will be the main association of the account and will only be shown if the username that was used is valid.
- Group ID - this is only shown if the login attempt was successful; it is the ID of the group that the person has logged in to access.
- Group name - this is only shown if the login attempt was successful; it is the name of the group that the person has logged in to access.
- Login - the date and time of the login attempt.
- Logout - the date and time the login session finished.
- IP addr - when the login attempt is successful, the IP address of the machine being used to get the connection is shown.
All of this information can be exported to Excel by clicking the Export to Excel button.