Configure EAP-POTP Settings

Document created by RSA Information Design and Development Employee on Jun 13, 2017Last modified by RSA Information Design and Development Employee on Jan 19, 2021
Version 17Show Document
  • View in full screen mode

Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication methods.

The default values balance security (cryptographic strength) with system responsiveness and are considered satisfactory for most environments. You may increase or decrease EAP-POTP default values, however even slight changes to values used for key generation may cause a large change in response time during authentication. EAP-POTP settings affect the entire deployment.

Before you begin 

You must be a Super Admin.


  1. In the Security Console, click Setup > System Settings.

  2. Under Advanced Settings, click RADIUS.

  3. Under EAP-POTP Settings, do the following:

    1. For Length of the Symmetric Key, select the minimum and maximum bit length for the EAP symmetric key, which is named Pepper. The default minimum value is 1. The default maximum value is 2.

    2. For Symmetric Key Lifetime, specify the number of days that a symmetric key is valid. Enter a number from 1-365. The default value is 30.

    3. For Symmetric Key Refresh, specify when Authentication Manager should create a new symmetric key. Select a number from 1-15. The default value is 4. This number must be smaller than the number specified for Symmetric Key Lifetime.

      Authentication Manager uses this option if the EAP session is active but the symmetric key will expire soon. Authentication Manager creates a refreshed symmetric key with the lifetime value specified for Symmetric Key Lifetime.

    4. For Iteration Count, enter the minimum and maximum number of iterations that the Authentication Manager uses in the algorithm to generate the symmetric key. The default minimum value is 1,000. The default maximum value is 2,000.

      The client randomly selects a number in this range and sends this number to the server, which sends it to Authentication Manager. Authentication Manager then uses the specific iteration count when it generates the symmetric key.

    5. For EAP-POTP Session Lifetime, specify how many hours pass before Authentication Manager prompts the user to provide credentials. Select a number from 1-24. The default value is 10.

    6. For EAP-POTP Session Resumption, accept the default, Allow resumption of user session while the session lifetime is still active, if you want to allow Windows users to resume sessions (for example, when roaming between wireless access points) without entering credentials, as long as the users' computers have not restarted during the session. Deselect this option if you want to require Windows end users to re-enter their credentials to resume sessions. You might deselect this option to meet corporate security requirements.

      Note:   If you disable EAP-POTP Session Resumption, users cannot resume their previously saved EAP-POTP sessions. The next time the users request network access, Authentication Manager must create new symmetric keys for each user.

  4. Click Save.



Related Concepts

EAP-POTP Settings

Related References

RADIUS Settings




Previous Topic:EAP-TTLS Configuration
You are here
Table of Contents > RADIUS > Configure EAP-POTP Settings