Server mode default authentication methods

    When logging in to LastPass Universal Proxy 4.0 or later, if the authentication mode is not provided by the user, default authentication methods define the authentication process.

    The following table contains the supported default authentication methods for server modes:

    Table 1. Default authentication methods for server modes

    | Server mode | LastPass MFA Authentication (LP) | LastPass MFA or password authentication (PLP) | Both LastPass MFA and password authentication (SFA) |
    |---|---|---|---|
    | Default authentication method | enabled push or call | NOT enabled | push, call, or totp |

    Restriction: When using the LP or SFA server mode and one of the following policies is enabled, authentication with phone calls is not supported, as LastPass Universal Proxy cannot identify your location:
    • Restrict LastPass Authenticator usage by location
    • Accept only LastPass Authenticator login requests

    • Starting from 4.0, LastPass Universal Proxy provides the following SFA methods:
      • Push
      • Call
      • Time-based One-Time Password (TOTP) consisting of 6 digits
    • The default authentication method in LastPass MFA Authentication (LP) mode can be overridden if the user enters push/call in the password field.
    • When using the LastPass MFA or password authentication (PLP) mode for the RADIUS PAP/LDAP/LDAPS protocol, you must enter the required authentication method, that is, push or call, in the VPN client password field to opt in to using the LastPass Authenticator app. If the password contains the *push or *call text, it will be considered a password.
    • When using the Both LastPass MFA and password authentication (SFA) mode with the RADIUS PAP/LDAP/LDAPS protocols, the username and the password are human-readable, and entering push/call as a password results in a failed login attempt. When using the RADIUS CHAP protocol with Both LastPass MFA and password authentication (SFA) mode, the password is non-human-readable, and push/call can be used as a password.
    • The "Restrict access by country" policy is not supported by LastPass Universal Proxy. Enabling this policy in the LastPass new Admin Console will lead to authentication issues.
      Tip: To set a location restriction when using LastPass Universal Proxy, enable the following policies:
      • Restrict LastPass Authenticator usage by location
      • Accept only LastPass Authenticator login requests
    The following tables show a summary of the authentication method options, based on whether the server modes require authentication using the LastPass Authenticator app or using a password (in the following tables testpw is used as a password example).
    Table 2. RADIUS PAP/LDAP/LDAPS authentication methods

    | Value of the password field of the VPN client | LastPass MFA Authentication (LP) | LastPass MFA or password authentication (PLP) | Both LastPass MFA and password authentication (SFA) |
    |---|---|---|---|
    | | Auth result | Auth result | Auth result |
    | testpw | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and default authentication method |
    | testpw*push | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and PN |
    | testpw*call | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and call |
    | testpw*TOTP | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and TOTP |
    | push | Passwordless login with push authentication method | Passwordless login with CLS and PN | Login attempt with Radius/AD with "push" password |
    | call | Passwordless login with call | Passwordless login with CLS and call | Login attempt with Radius/AD with "call" password |
    | TOTP (example: 114503 or 245728) | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and default authentication method |

    Table 3. RADIUS CHAP authentication methods

    | Password field of the VPN client | LastPass MFA Authentication (LP) | LastPass MFA or password authentication (PLP) | Both LastPass MFA and password authentication (SFA) |
    |---|---|---|---|
    | testpw | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
    | testpw*push | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
    | testpw*call | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
    | testpw*TOTP | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
    | push | Passwordless login with push authentication method | Passwordless login with CLS and PN | Password login with Radius server & Passwordless login with CLS and default authentication method |
    | call | Passwordless login with call | Passwordless login with CLS and call | Password login with Radius server & Passwordless login with CLS and default authentication method |
    | TOTP (example: 114503 or 245728) | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
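
    The rules in Tables 2 and 3 can be written down as a small test oracle for checking a deployment against the documented behaviour. This is an added example, not LastPass code: the function names and the (password_check, mfa_method) return shape are hypothetical, and it assumes that "*TOTP" in the tables means "*" followed by the 6-digit code.

```python
import re

# Constructed model of Tables 2 and 3 above; not LastPass Universal Proxy code.
# Assumption: "*TOTP" in the tables means "*" followed by the 6-digit code.
_SUFFIX = re.compile(r"\*(push|call|\d{6})$")
MODES = ("LP", "PLP", "SFA")
PROTOCOLS = ("PAP", "LDAP", "LDAPS", "CHAP")


def resolve(mode, protocol, field, default="default"):
    """Return (password_check, mfa_method) for one password-field value.

    password_check: True when the table lists a Radius/AD password login.
    mfa_method: "push", "call", "totp", `default`, or None when the table
    lists no LastPass Authenticator step for that cell.
    """
    if mode not in MODES or protocol not in PROTOCOLS:
        raise ValueError(f"unknown mode/protocol: {mode}/{protocol}")
    # The tables only show the lowercase bare words, so match them exactly.
    bare = field if field in ("push", "call") else None
    if mode == "LP":      # never a password check; bare word overrides default
        return (False, bare or default)
    if mode == "PLP":     # bare word opts in to MFA, anything else is a password
        return (False, bare) if bare else (True, None)
    if protocol == "CHAP":  # SFA + CHAP: field is not readable, suffix ignored
        return (True, default)
    if bare:              # SFA + PAP/LDAP/LDAPS: sent as the literal password
        return (True, None)
    m = _SUFFIX.search(field)
    if m is None:
        return (True, default)
    return (True, m.group(1) if m.group(1) in ("push", "call") else "totp")


def protocol_sensitive(mode, fields):
    """List the field values whose outcome differs between PAP and CHAP."""
    return [f for f in fields
            if resolve(mode, "PAP", f) != resolve(mode, "CHAP", f)]


# Constructed sample inputs, taken from the rows of Tables 2 and 3.
SAMPLE_FIELDS = ["testpw", "testpw*push", "testpw*call", "testpw*114503",
                 "push", "call", "114503"]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, protocol_sensitive(mode, SAMPLE_FIELDS))
```

    Only SFA mode changes behaviour between PAP/LDAP/LDAPS and CHAP: under CHAP the method suffix cannot be read, so every SFA login falls back to the default authentication method.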