AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Permit 1-factor Network Access to a Server Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Cached (Offline) Workstation logon with YubiKeys Cached (Offline) Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
2FA for File Shares Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In Troubleshooting
CLOSE

Cached (Offline) Workstation logon with OATH tokens

Beginning with version 2.2, you can create “offline” OATH tokens that will be synchronized down to your workstations when the user logs in to the LAN.  The offline OATH token can then be used to authenticate to the workstation in cached mode, when it is away from the LAN. (Normal “Online” OATH tokens cannot be used in this way, because it's not possible to authenticate them without having a connection to the DC.)

Limitations

  • Offline OATH tokens will NOT work when the machine is connected to the LAN.
  • You cannot use an Offline token to access any LAN resources that demand 2-factor authentication.  Unlike with a YubiKey, the offline token does not support both scenarios.  You need to have a separate row for your Offline OATH token in the authenticator app, and only use it when disconnected from the LAN.
  • If you log in to an offline workstation with your Offline OATH token, then connect a VPN, you'll need the Online OATH token for the VPN.  Furthermore, LAN resources that require 2-factor auth won't work because the desktop itself has used the Offline token.  For use cases like this, the YubiKey is a far better choice.