Microsoft UAG can require users to authenticate against two separate servers, so the natural arrangement is AuthLite Split mode users: Active Directory validates the password, and the AuthLite RADIUS service validates the OTP as a second factor.

  • You probably already have Active Directory set up as an authentication server; this does not need to change.
  • In Admin->Authentication and Authorization Servers, add an authentication server of type RADIUS.
  • Point it at the AuthLite RADIUS server's address and port, and set the shared secret (it must match the secret configured on the AuthLite side).
  • Follow the AuthLite PDF manual to set up the RADIUS service, and select "Permit requests that don't send the domain name", since the user name UAG forwards to RADIUS need not carry the domain.
  • In your trunk configuration's Authentication section, select "Require users to authenticate to each server" and "Authenticate to each server with the same user name".

There is one more important change to make. By default, password input fields in UAG are limited to 20 characters, while AuthLite OTPs require 64 characters; with the default limit the OTP is truncated and authentication fails. Fortunately this limit can be customized in UAG, as described in the TechNet article on UAG customization. Make the change to a copy under CustomUpdate rather than to the original file: files in CustomUpdate take precedence over the defaults and survive UAG updates.

  • Begin with the file InternalSite\inc\customDefault.inc
  • Copy it into the subfolder InternalSite\inc\CustomUpdate
  • Open the new copy in a text editor.
  • Remove the comment block at the top, and the code block at the bottom that the file itself says should be removed when used from CustomUpdate.
  • Change PasswordLimit = 20 to at least 64.
  • Save and close the edited file.
  • Save and activate your UAG configuration so the change takes effect.
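The following PowerShell script is an added example, not code from the original page, from AuthLite or from Microsoft. It performs the copy and the PasswordLimit change from the steps above on the UAG server and verifies the result; the install path and the exact form of the PasswordLimit line are assumptions, and removing the header comment and the trailing CustomUpdate block is still done by hand because their exact text is not reproduced here.

```powershell
# Added example: raise UAG's PasswordLimit via the CustomUpdate mechanism.
# Assumptions (not taken from the original page):
#   - UAG is installed under $UagRoot below; adjust for your server.
#   - customDefault.inc sets the limit with a line like "PasswordLimit = 20".
#   - The header comment and the trailing "remove when used with CustomUpdate"
#     block are deleted manually afterwards.
$UagRoot       = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von'  # assumed install path
$IncDir        = Join-Path $UagRoot 'InternalSite\inc'
$Source        = Join-Path $IncDir 'customDefault.inc'
$CustomDir     = Join-Path $IncDir 'CustomUpdate'
$Target        = Join-Path $CustomDir 'customDefault.inc'
$RequiredLimit = 64   # AuthLite OTPs need 64 characters

if (-not (Test-Path $Source)) { throw "Source file not found: $Source" }
if (-not (Test-Path $CustomDir)) { New-Item -ItemType Directory -Path $CustomDir | Out-Null }

# Keep a backup if a customized copy already exists; never edit the original file.
if (Test-Path $Target) { Copy-Item $Target "$Target.bak" -Force }
Copy-Item $Source $Target -Force

# Match "PasswordLimit = <n>" at the start of a line, case-insensitively.
$content = [System.IO.File]::ReadAllText($Target)
$re      = [regex]'(?im)^(\s*PasswordLimit\s*=\s*)(\d+)'
$match   = $re.Match($content)
if (-not $match.Success) { throw "No 'PasswordLimit = <n>' line found in $Target" }

$current = [int]$match.Groups[2].Value
if ($current -lt $RequiredLimit) {
    # Replace only the first occurrence, keeping the original spacing (group 1).
    $content = $re.Replace($content, "`${1}$RequiredLimit", 1)
    [System.IO.File]::WriteAllText($Target, $content)
}

# Verify by re-reading the file rather than trusting the in-memory string.
$check = $re.Match([System.IO.File]::ReadAllText($Target))
$final = [int]$check.Groups[2].Value
if ($final -lt $RequiredLimit) { throw "PasswordLimit is still $final in $Target" }

Write-Host "PasswordLimit is now $final in $Target."
Write-Host "Next: remove the header comment and the trailing CustomUpdate block by hand, then activate the UAG configuration."
```

Run it in an elevated PowerShell session on the UAG server; after the manual clean-up of the two blocks, activate the configuration and confirm that the login form accepts a full-length OTP.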