Server mode default authentication methods
When logging in to LastPass Universal Proxy 4.0 or later, if the authentication mode is not provided by the user, default authentication methods define the authentication process.
The following table contains the supported default authentication methods for server modes:

Server mode | LastPass MFA Authentication (LP) | LastPass MFA or password authentication (PLP) | Both LastPass MFA and password authentication (SFA) |
---|---|---|---|
Default authentication method enabled | push or call | NOT enabled | push, call, or totp |

- Starting from 4.0, LastPass Universal Proxy provides the following SFA methods:
  - Push
  - Call
  - Time-based One-Time Password (TOTP) consisting of 6 digits
- The default authentication method in LastPass MFA Authentication (LP) mode can be overridden if the user enters push/call in the password field.
- When using the LastPass MFA or password authentication (PLP) mode for the RADIUS PAP/LDAP/LDAPS protocol, you must enter the required authentication method (push or call) in the VPN client password field to opt in to using the LastPass Authenticator app. If the password contains the *push or *call text, it will be considered a password.
- When using the Both LastPass MFA and password authentication (SFA) mode with the RADIUS PAP/LDAP/LDAPS protocols, the username and the password are human-readable, and entering push/call as a password results in a failed login attempt. When using the RADIUS CHAP protocol with Both LastPass MFA and password authentication (SFA) mode, the password is non-human-readable, and push/call can be used as a password.
- The "Restrict access by country" policy is not supported by LastPass Universal Proxy. Enabling this policy in the LastPass new Admin Console will lead to authentication issues.

  Tip: To set a location restriction when using LastPass Universal Proxy, enable the following policies:
  - Restrict LastPass Authenticator usage by location
  - Accept only LastPass Authenticator login requests

Value of the password field of the VPN client | LastPass MFA Authentication (LP) | LastPass MFA or password authentication (PLP) | Both LastPass MFA and password authentication (SFA) |
---|---|---|---|
| | Auth result | Auth result | Auth result |
testpw | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and default authentication method |
testpw*push | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and PN |
testpw*call | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and call |
testpw*TOTP | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and TOTP |
push | Passwordless login with push authentication method | Passwordless login with CLS and PN | Login attempt with Radius/AD with "push" password |
call | Passwordless login with call | Passwordless login with CLS and call | Login attempt with Radius/AD with "call" password |
TOTP (example: 114503 or 245728) | Passwordless login with default authentication method | Password login with Radius/AD server | Password login with Radius/AD server & Passwordless login with CLS and default authentication method |

Password field of the VPN client | LastPass MFA Authentication (LP) | LastPass MFA or password authentication (PLP) | Both LastPass MFA and password authentication (SFA) |
---|---|---|---|
testpw | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
testpw*push | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
testpw*call | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
testpw*TOTP | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |
push | Passwordless login with push authentication method | Passwordless login with CLS and PN | Password login with Radius server & Passwordless login with CLS and default authentication method |
call | Passwordless login with call | Passwordless login with CLS and call | Password login with Radius server & Passwordless login with CLS and default authentication method |
TOTP (example: 114503 or 245728) | Passwordless login with default authentication method | Password login with Radius server | Password login with Radius server & Passwordless login with CLS and default authentication method |