HELP FILE

Server mode default factors

    When logging in to LastPass Universal Proxy 4.0, if the authentication mode is not provided by the user, default factors define the authentication process.

    The following table contains the default factors for server modes:

    Table 1. Default factors for server modes
    Server mode

    LastPass MFA Authentication

    (LP)

    LastPass MFA or password authentication

    (PLP)

    Both LastPass MFA and password authentication

    (SFA)

    Default factor enabled push or call NOT enabled push, call, or totp
    • Starting from 4.0, LastPass Universal Proxy provides the following SFA factors:
      • Push
      • Call
      • Time-based One-Time Password (TOTP) consisting of 6 digits
    • The default factor in LastPass MFA Authentication (LP) mode can be overwritten if the user enters push/call in the password field.
    • When using the LastPass MFA or password authentication (PLP) mode for the RADIUS PAP/LDAP/LDAPS protocol, you must enter the required factor, that is, push or call in the VPN client password field to opt-in to use the LastPass Authenticator app. If the password contains the *push or *call text, it will be considered a password.
    • When using the Both LastPass MFA and password authentication (SFA) mode the RADIUS PAP/LDAP/LDAPS protocols, the username and the password is human-readable, and entering push/call as a password results in a failed login attempt. When using the RADIUS CHAP protocol with Both LastPass MFA and password authentication (SFA) mode, the password is non-human-readable, and push/call can be used as a password.
    The following tables show a summary of the factor options, based on whether the server modes require authentication using the LastPass Authenticator app or using a password (in the following tables testpw is used as a password example).
    Table 2. RADIUS PAP/LDAP/LDAPS factors
    Value of the password field of the VPN client

    LastPass MFA Authentication

    (LP)

    LastPass MFA or password authentication

    PLP

    Both LastPass MFA and password authentication

    (SFA)

      Auth result Auth result Auth result
    testpw Passwordless login with default factor Password login with Radius/AD server Password login with Radius/AD server & Passwordless login with CLS and default factor
    testpw*push Passwordless login with default factor Password login with Radius/AD server Password login with Radius/AD server & Passwordless login with CLS and PN
    testpw*call Passwordless login with default factor Password login with Radius/AD server Password login with Radius/AD server & Passwordless login with CLS and call
    testpw*TOTP Passwordless login with default factor Password login with Radius/AD server Password login with Radius/AD server & Passwordless login with CLS and TOTP
    push Passwordless login with push factor Passwordless login with CLS and PN Login attempt with Radius/AD with "push" password
    call Passwordless login with call Passwordless login with CLS and call Login attempt with Radius/AD with "call" password
    TOTP (example: 114503 or 245728) Passwordless login with default factor Password login with Radius/AD server Password login with Radius/AD server & Passwordless login with CLS and default factor
    Table 3. RADIUS CHAP factors
    Password field of the VPN client

    LastPass MFA Authentication

    (LP)

    LastPass MFA or password authentication

    PLP

    Both LastPass MFA and password authentication

    (SFA)

    testpw Passwordless login with default factor Password login with Radius server Password login with Radius server & Passwordless login with CLS and default factor
    testpw*push Passwordless login with default factor Password login with Radius server Password login with Radius server & Passwordless login with CLS and default factor
    testpw*call Passwordless login with default factor Password login with Radius server Password login with Radius server & Passwordless login with CLS and default factor
    testpw*TOTP Passwordless login with default factor Password login with Radius server Password login with Radius server & Passwordless login with CLS and default factor
    push Passwordless login with push factor Passwordless login with CLS and PN Password login with Radius server & Passwordless login with CLS and default factor
    call Passwordless login with call Passwordless login with CLS and call Password login with Radius server & Passwordless login with CLS and default factor
    TOTP (example: 114503 or 245728) Passwordless login with default factor Password login with Radius server Password login with Radius server & Passwordless login with CLS and default factor