Adding an OTP profile to a supplicant is easy. Just access the VPN road warrior list page and select the supplicant (click the spoke icon next to the user):
Next click the +1 icon in the "One Time Password" section:
This will redirect you to the "Add OTP" page for the supplicant:
OTP Name: Provide a name that describes what this OTP is used for.
Period: How long each code is valid for. Google Authenticator only supports a 30 second period, but FreeOTP or Yubico let you customize this value if you want it longer or shorter. For example, if the period is 30 seconds and the OTP profile is used as part of a VPN profile, the user would need to enter a new code if they were disconnected at some point. This could cause friction for the user; however, increasing the period makes the profile less secure. A 6 digit code has only 1 million combinations, so if a threat actor knows the user's password and the period is set to one day, they could brute force the code. If the code is only valid for 30 seconds, a brute force attack is far less likely to succeed.
Digits: How many digits in the code. Google Authenticator only supports 6, but others allow for customization.
Max Clock Drift: TOTP stands for "Time based One Time Password". Time based means the supplicant's clock and the server's clock must agree on what time it is for the codes to match up. If the supplicant's smartphone clock is off by 31 seconds and the period is 30 seconds, authentication will always fail. Setting an allowed clock drift compensates for this by letting the server also check the codes that were valid within +/- the drift you selected. For example, with a 30 second period and a 30 second max drift the server will accept the previous, current and next code (3 codes are valid). A drift of 0 means the supplicant must be in the same 30 second window as the server.
Algorithm: The digest algorithm used to derive the code. Google Authenticator only supports SHA1; others provide a choice.
Click "Add" to save the OTP profile.
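As an added example (not code from this guide or from the product it documents), the following Python shows how the four fields above feed into a TOTP check on the server side: the period and algorithm select the HMAC counter and digest, the digit count truncates the result, and the max clock drift widens the set of accepted codes. It also shows the otpauth URI the phone app scans, which is how the chosen period, digits and algorithm reach the authenticator. The secret is the RFC 6238 test secret, used here as constructed input; the function names, the issuer and the account label are assumptions. Two additions a practitioner would want that the page does not spell out: a constant-time comparison of the code, and a replay check that refuses a counter already used to log in, since a wider drift window otherwise lets a captured code be reused for longer.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the counter is the number of whole periods since the Unix epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30, digits: int = 6,
                algorithm: str = "sha1", max_drift: int = 0,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Return the matching counter, or None if the code is rejected.

    max_drift is in seconds; a drift of one period means the previous, current and
    next windows are all accepted (3 codes), a drift of 0 means only the current one.
    last_used_counter (assumed to be stored per user after each login) blocks replay:
    a code that matches a window at or before the last successful one is refused.
    """
    window = max_drift // period
    base = unix_time // period
    for step in range(-window, window + 1):
        counter = base + step
        expected = hotp(secret, counter, digits, algorithm)
        # Constant-time compare so response timing does not leak matching digits.
        if hmac.compare_digest(expected.encode("ascii"), code.encode("ascii")):
            if last_used_counter is not None and counter <= last_used_counter:
                return None  # replay of a code already used to authenticate
            return counter
    return None


def accepted_codes(period: int, max_drift: int) -> int:
    """How many distinct codes the server accepts at any instant for this drift setting."""
    return 2 * (max_drift // period) + 1


def single_guess_probability(digits: int, period: int, max_drift: int) -> float:
    """Chance that one random guess is accepted; this is what a longer period or wider
    drift hands to an attacker who already holds the password."""
    return accepted_codes(period, max_drift) / 10 ** digits


def provisioning_uri(secret: bytes, label: str, issuer: str, period: int = 30,
                     digits: int = 6, algorithm: str = "sha1") -> str:
    """Key URI (otpauth://totp/...) that authenticator apps decode from the QR code.
    Apps that ignore period/digits/algorithm (e.g. Google Authenticator) fall back to
    30 s, 6 digits and SHA1, which is why the page warns about non-default values."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(label)}?secret={b32}"
            f"&issuer={quote(issuer)}&period={period}&digits={digits}"
            f"&algorithm={algorithm.upper()}")


if __name__ == "__main__":
    RFC_SECRET = b"12345678901234567890"  # constructed input: RFC 6238 Appendix B secret
    print(totp(RFC_SECRET, 59, digits=8))             # 94287082 (RFC 6238 vector, T=59)
    code = totp(RFC_SECRET, 59)                       # counter 1, 6 digits: 287082
    print(verify_totp(RFC_SECRET, code, 65, max_drift=30))   # 1  (phone 30 s behind, accepted)
    print(verify_totp(RFC_SECRET, code, 65, max_drift=0))    # None (drift 0: wrong window)
    print(accepted_codes(30, 30), single_guess_probability(6, 30, 30))  # 3 3e-06
    print(provisioning_uri(RFC_SECRET, "user@example.com", "Example VPN"))
```

The replay check matters most when the drift is non-zero: without it, a code observed in one window stays valid for every window the drift covers, so the friction saved by a wider drift is paid for twice, once in guessing odds and once in reuse time.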
You will need to send the profile to the user as a challenge. To do this, click the "Secret Challenge" (1) button and confirm.
Note: The "Secret Reset" is not yet implemented.
This will send the user a reset email valid for one day. If they successfully complete the challenge they will be provided a new OTP secret that can be scanned on their smart phone.
This is what the user sees when you trigger a reset:
If they click "Reset OTP" they will be taken to the challenge page, where they can enter their username:
If the username matches the challenge, they will get the following page detailing the OTP profile that was created: