Two-factor authentication for VPN
In some areas of central administration, a second verification step is required to use the Cisco Secure Client (VPN) in addition to logging in with the UniAccount. This so-called "two-factor authentication" increases security and can be used via an app (NetIQ Advanced Authenticator) for the smartphone.
Under certain circumstances, it is possible to use a hardware token to authenticate the VPN login instead of the NetIQ app for the smartphone.
You will be informed by your department's IT representative if you are affected by this change. If you do not receive a corresponding notification, nothing will change for you with the VPN login.
Please understand that we cannot activate you for two-factor authentication on request.
Setting up the NetIQ Advanced Authentication App
The required app can only be installed on Android 10 or higher or iOS 10 or higher.
Open the link <uni-kassel.de/go/2fa> on the smartphone on which the app is to be installed.
Select the option "Click to download and install Smartphone Authenticator for Android/iOS" on the website. You will be redirected to the Play Store/App Store. Install the "NetIQ Advanced Authentication" app there.
When you start the app for the first time, you will be asked to set a PIN. Select a PIN of your choice here. If your smartphone itself is already protected by a PIN or similar, you can then deactivate the PIN request again within the app under "Settings -> PIN".
Otherwise, the PIN must be entered each time the app is started.
Once the app has been installed, call up the link uni-kassel.de/go/2fa again. Now select "Click to enroll".
The app will now open automatically. Log in here with your UniAccount (e.g. uk012345) and the corresponding password.
The Authenticator app is now set up and shows your UniAccount under "Registered Authenticators". You can now use the two-factor authentication for the VPN login.
Now click on "Save". A QR code will appear, which you can scan in the NetIQ Authentication app. To do this, click on the plus icon at the bottom right of the app.
You may need to allow the app to use the smartphone camera.
After the QR code has been successfully scanned, your account is stored in the NetIQ app in the "Registered Authenticators" area and you can verify your future VPN logins in this way.
Use of the NetIQ Advanced Authentication App
After setting up your UniAccount in the NetIQ Advanced Authenticator App, you must confirm the login of the account to the Cisco Anyconnect VPN Client in the app.
To do this, log in to the VPN client as usual with your UniAccount and the corresponding password. After you click on "Connect", you will not be logged in directly.
The VPN client displays "Contacting vpn.uni-kassel.de".
Instead, confirm the login in the app. If you have activated notifications for the NetIQ app, you can confirm the login via the push notification. Otherwise, open the NetIQ app and confirm the login in the "Authentication requirements" tab.
Procedure for losing/changing your cell phone
Procedure in case of defect/theft/loss
If your smartphone is defective/stolen/lost, it is necessary to administratively remove the authenticator from the affected device.
Please contact the IT service desk for this. A short video ID procedure via Zoom is required to verify your identity. The authenticator of the old device will then be removed and you will be notified by e-mail as soon as you can set it up on a new device.
Procedure for changing your cell phone
If you want to change your smartphone, you can either use the procedure described under "Defect/theft/loss" or you can transfer the Authenticator to the new device yourself.
To do this, you must log in to two-factor management using the old device and then register the new smartphone.
The NetIQ app must be installed manually from the App Store/Play Store on the new smartphone! If it is instead installed automatically via the setup wizard ("Install apps from old device automatically on new device"), an error will occur during PIN assignment.
If the app has been installed automatically on your new device, please uninstall and reinstall it.
After you have manually installed the NetIQ app on the new smartphone, add the authentication again:
Log in with a PC/notebook at <https://auth.its.uni-kassel.de/account> with your UniAccount and password.
Verification via the NetIQ app (with the old smartphone) is required for this login.
After logging in to the registered Authenticator, click on the "Smartphone" tile.
Then click on "Save".
A QR code will be displayed, which you must scan with the NetIQ app on the new smartphone.
To do this, click on the "+" sign at the bottom right of the NetIQ app.
Setting up the hardware token
Under certain circumstances, it is possible to use a hardware token to authenticate the VPN login instead of the NetIQ app for the smartphone. Please contact the IT representative in your department for this.
You will then receive a hardware token, which you can register for your account on the website.
To register the token, go to the website <https://auth.its.uni-kassel.de>. Log in here with your UniAccount (e.g. uk012345) and the corresponding password.
After logging in, click on the "TOTP" tile.
Please note that this tile is only displayed if you are authorized to use the hardware token.
Now enter the serial number of your hardware token. You will find this on the back of the token below the barcode.
Then press the red power button on the front of the token next to the display. You will now be shown a six-digit one-time password. Enter this in the corresponding field on the website.
Now click on "Save".
The hardware token is now registered and can be used for two-factor authentication. You can test the function of the token via the "TOTP" tile in the "Registered authenticators" category. To do this, click on "Test" and then enter the number sequence of the token on the website.
Use of the hardware token
When logging in to the VPN client, first enter your UniAccount user ID and password as usual.
Do not click OK yet!
A six-digit PIN is generated by pressing the button on the token. Now enter an "&" sign followed by the PIN directly after the password you have entered (e.g. "YourUniAccountPassword&123456" for the Password field). Then click on "OK".
You will then be logged in via VPN as usual.
This procedure is necessary for every login to the Cisco Secure Client (VPN).
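The combined "password&PIN" field described above has one edge case worth seeing in code: a password that itself contains "&". The following is an added example, not code from the university or from NetIQ. It assumes the token is a standard RFC 6238 TOTP (HMAC-SHA-1, 30-second step), and the function names, seed and password are constructed for illustration.

```python
import hashlib
import hmac
import re
import struct

# Constructed demo values; not a real token seed or a real password.
DEMO_SEED = b"12345678901234567890"  # RFC 6238 SHA-1 test secret
DEMO_PASSWORD = "Tom&Jerry"          # a password that itself contains "&"

_OTP_SUFFIX = re.compile(r"&([0-9]{6})\Z")


def split_password_field(field):
    """Split 'password&123456' at the final '&'; None if no 6-digit suffix."""
    m = _OTP_SUFFIX.search(field)
    if m is None or m.start() == 0:  # no suffix, or empty password part
        return None
    return field[:m.start()], m.group(1)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA-1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_login(field, expected_password, seed, now, drift_steps=1):
    """Accept only if both factors match; allow +/- drift_steps of clock drift."""
    parts = split_password_field(field)
    if parts is None:
        return False
    password, otp = parts
    # Demo only: a real service checks the password against its directory.
    pw_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    otp_ok = False
    for k in range(-drift_steps, drift_steps + 1):
        # No early exit: every candidate is compared in constant time.
        otp_ok |= hmac.compare_digest(otp, totp(seed, now + 30 * k))
    return pw_ok and otp_ok
```

Splitting at the final "&" followed by exactly six digits keeps a password such as "Tom&Jerry" intact, and a field without that suffix is rejected instead of being treated as a password-only login.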
Procedure in the event of loss/defect of the token
If the token is lost/defective, please contact the IT representative of your department.
Go-Link of this page: www.uni-kassel.de/go/2fa-info