How to import and enroll Feitian Hardware Keys (HOTP)
Last modified on 18 Jan, 2021. Revision 6
Preparing key to be imported to EasyAccess
First we must gather the serial number and key from the Feitian key. This can be done with the Feitian OTP Tool. Start the tool and plug in your Feitian key; it should look something like this:
Next we need to generate a new HOTP: click the “Random data” button followed by “Save”. It should now look like this:
Next the serial number and key need to be saved to a .csv file in the following format:
HOTP;serial;key;counter
Example:
HOTP;0001161175088;D9B24C68B3FCD22909CECD2A0C235D831EF3253F;0
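A line in this format can be checked before it is placed in the import folder. The following is an added example, not part of the original article or of PhenixID's or Feitian's tooling: it validates one HOTP;serial;key;counter line and computes the next expected OTPs with the standard RFC 4226 algorithm, so they can be compared with what the key produces. It assumes HMAC-SHA1, 6-digit codes, a numeric serial and a 20-byte key (40 hex characters, as in the example above); the sample line is constructed from the RFC 4226 test key.

```python
import hashlib
import hmac
import re
import struct


def parse_import_line(line):
    """Validate one 'HOTP;serial;key;counter' line; return (serial, key_bytes, counter)."""
    fields = line.strip().split(";")
    if len(fields) != 4:
        raise ValueError("expected 4 ';'-separated fields")
    kind, serial, key_hex, counter = fields
    if kind != "HOTP":
        raise ValueError("first field must be HOTP")
    if not re.fullmatch(r"[0-9]+", serial):  # assumption: numeric serials
        raise ValueError("serial must be numeric")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", key_hex):  # assumption: 20-byte key
        raise ValueError("key must be 40 hex characters")
    if not re.fullmatch(r"[0-9]+", counter):
        raise ValueError("counter must be a non-negative integer")
    return serial, bytes.fromhex(key_hex), int(counter)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expected_otps(line, count=3, digits=6):
    """Return the serial and the next `count` OTPs starting at the line's counter."""
    serial, key, counter = parse_import_line(line)
    return serial, [hotp(key, counter + i, digits) for i in range(count)]


# Constructed sample: RFC 4226 test key ("12345678901234567890" in hex),
# placeholder serial, counter 0. Not a real token.
SAMPLE_LINE = "HOTP;0000000000001;3132333435363738393031323334353637383930;0"

if __name__ == "__main__":
    serial, otps = expected_otps(SAMPLE_LINE)
    print("serial", serial, "next OTPs:", ", ".join(otps))
```

The key field is the token's shared secret, so a file checked this way should be handled with the same care as the CSV itself.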
Importing the CSV file in EasyAccess
On the filesystem, in the /server folder, there are two folders: /tokensin and /tokensout. To import a token, the CSV file created in the first step needs to be placed in the /tokensin folder. The import will start automatically, and when the import is done the file will be moved to the /tokensout folder. There will also be a log event generated, and it looks like this:
2021-01-11 13:23:03,832 [EVENT] INFO: Jan 11 2021 13:23:03.819 CET mfa-node1 CEF:0|PhenixID|PAS|3.2.0|EVT_000101|Hardware Tokens imported from CSV file|2|
The import is now done and all that is left is to enroll the token on a user.
Enrolling the Feitian token.
There are two ways of enrolling a hardware token:<ol><li>Via self service, i.e. the end user enrolls the token themselves.</li><li>An admin enrolls the token on behalf of the end user.</li></ol>Here is how it looks via Self Service:
Click the “Register hardware token” button:
Fill in the serial number that was generated before, either by entering the serial manually or by holding the button/touch on the Feitian key for 3 seconds. Click next.
Next enter an OTP from the Feitian key by pressing the button/touch on the Feitian key. Click next and the token should now be enrolled.
Here is how it looks from MFA Admin under the “Hardware token Admin” tab:
Click the pen to edit a token; you can search on serial number.
Here you can set the status of the token and what user the token is assigned to. Click save to activate.
Other alternatives to enroll a Feitian key
There are two more methods to enroll a Feitian key:<ol><li>When importing the key on EasyAccess.</li><li>First time the user authenticates.</li></ol>These methods are more automatic for the end user and admin of the system. In method number one we need to add the user information to the CSV file. Instead of this format:
HOTP;serial;key;counter
we use:
HOTP;serial;key;counter; assigned_username
Example:
HOTP;0001161175088;D9B24C68B3FCD22909CECD2A0C235D831EF3253F;0:testuser2
This would automatically assign the token to testuser2 and activate it. It would look like this on the Hardware Token tab when the token has been imported:
The second method requires the end user to enter the serial number and OTP at first login. This requires the token to have the status “Active”, and we need to add some configuration to the authentication flow. First set the token status to active via Hardware Token Admin and click save:
Add the following configuration to your “Verify token otp” pipe:
Set “Enable auto enroll” to true and add a TokenAutoEnrollment valve. Next the end user must log in to complete the enrollment.