Secure Admin Access to Anybus Defender (MFA)

USE-CASE DESCRIPTION

This use case demonstrates how to strengthen administrative access control for Anybus Defender by integrating it with a RADIUS authentication backend hosted on the Anybus Defender, enhanced with One-Time Password (OTP) using the Google Authenticator in your phone. The setup introduces multi-factor authentication (MFA), combining something the user knows (PIN/password) with something the user has (mobile OTP app).

APPLICABLE PRODUCTS 

Anybus Defender 4000, 6000 and 8000 series. 

VERSIONS USED IN THIS ARTICLE

• Anybus Defender 2.5.2-2025111723
• FreeRADIUS package version 0.15.8_32 on Anybus Defender
• Google Authenticator app on Android or iOS

Install and Configure FreeRADIUS with Google Authenticator OTP on Anybus Defender

1. Install FreeRADIUS

Go to:

System → Package Manager → Available Packages

Install FreeRADIUS.

2. Configure FreeRADIUS Interfaces

Go to:

Services → FreeRADIUS → Interfaces → Add

Authentication Interface

• Interface IP: 127.0.0.1
• Port: 1812
• Interface Type: Authentication
• IP Version: IPv4

Save.

Accounting Interface

Add a second interface with:

• Interface IP: 127.0.0.1
• Port: 1813
• Interface Type: Accounting
• IP Version: IPv4

Save.

3. Add NAS Client

Go to:

Services → FreeRADIUS → NAS/Clients → Add

• Client IP Address: 127.0.0.1
• Client IP Version: IPv4
• Client Shortname: defenderlocal
• Client Shared Secret: secret
• Client Protocol: UDP
• Client Type: other
• Require Message Authenticator: No

Save.

4. Add RADIUS Authentication Server as authentication server 

Go to:

System → User Manager → Authentication Servers → Add

• Descriptive Name: radius_google
• Type: RADIUS
• Protocol: PAP
• Hostname or IP address: 127.0.0.1
• Shared Secret: secret
• Services offered: Authentication and Accounting
• Authentication Port: 1812
• Accounting Port: 1813
• Authentication Timeout: 5
• RADIUS NAS IP Attribute: WAN

Save.

System → User Manager → Settings

• Authentication Server: radius_google
• Shell Authentication: Make sure to check it.

5. Create a User with One Time Password (OTP)

Go to:

Services → User Manager → Users → Add

• Scope: Local
• Disabled: Make sure it is checked (This will disable the ability to login using the password)
• Username: Jim
• Password: >Choose yourself<
• Group Membership: Select admins and click >>Move to “Member of” list

Save.

Hereafter the user must be created in the RADIUS server. 

Services → FreeRADIUS → Users → Add

• Username: Jim
• Password: None
• Password Encryption: Cleartext-Password
• Enable: One-Time Password (OTP)
• OTP Auth Method: Google-Authenticator
• Init-Secret: click "Generate OTP Secret"
• PIN: Enter a 4–8 digit PIN
• QR Code: Generate QR Code

Open Google Authenticator on your phone and scan the QR code.

Scroll down and Save.

Note: OTP works for local users only. LDAP and similar backends are not supported for this method.

6. How to Log In

Username: Jim

Password = PIN + OTP code

Example:

• PIN: 1234
• OTP: 556677
• Password entered: 1234556677

NOTE: 

Instead of Google Authenticator you can use Microsoft Authenticator or Apple's Password app, Just scan the QR code and enable the code generation. If you have multiple defender make sure you rename them by swiping on the code and editing the name in the authenticator app.