Configuring multifactor authentication with Duo Security
The system integrates with Duo Security to provide multifactor authentication for system users.
With Duo Security, security administrators can configure the system as an application that requires two factors for users and user groups to access the system with either the management GUI or CLI.
You can manage every aspect of your Duo two-factor authentication system from the Duo Admin Panel including creating and managing applications, enrolling and activating users, issuing and managing SMS passcodes and bypass codes, managing mobile devices, fine-tuning the user experience of your Duo installation.
Multifactor authentication can be used to protect both local users, including superuser, and remote users.
For information on how to configure directory synchronization for remote users with Duo Security, see Duo Directory Synchronization.
Duo Security configures the management GUI and the command-line interface as separate API clients that require separate credentials. For CLI access, Duo Security communicates with the system through standard REST API requests. For GUI-based logins, the system communicates with Duo Security through the OpenID Connect (OIDC) protocol.
Prerequisites
- Configure a DNS server. To create a DNS server, select . In the command-line interface, use the mkdnsserver command to define a DNS server.
- Configure an HTTP proxy server or configure your firewall to access Duo Security. To create an HTTP proxy
server,
.
For more information, see HTTP proxy server. If your system does not directly connect
to the Internet, you can create a firewall exception to allow your system access to Duo Security.Important: If the proxy server is not configured correctly, the system cannot communicate with Duo Security and the login to the system fails.
- For the management GUI and the command-line interface, ensure that the inactivity logout is equal to or greater than the time it takes for a user to receive a one-time passcode (OTP) from the authentication service. The default value for the inactivity timeout is 30 minutes for the management GUI and 15 minutes for the CLI. To set the inactivity timeout for both interfaces in the management GUI, select . To set the GUI inactivity timeout on the command-line interface, use the chsecurity -guitimeout command. For the CLI timeout, use the chsecurity -clitimeout command.
- Ensure that the SSH grace time for the command-line interface is equal to or greater than the time it takes for a user to receive a one-time passcode (OTP) from the authentication service. The default value for the SSH grace time period is 60 seconds. To set SSH grace time on the system in the command-line interface, use the chsecurity -sshgracetime command.
- Create a subscription for Duo Security. For more information, see Editions & Pricing page on Duo Security website. During subscription creation, you specify a tenant that is used to create a URL to access the Duo Security dashboard.
- To create a Duo Security application, enter
the following:
where XXXXXXXX is unique to your subscription that you specified when you created your subscription.admin-XXXXXXXX.duosecurity.com - On Applications page, click Protect an Application and select Web SDK. The credentials on this page are the OpenID Client ID and Secret required for GUI access.
- On Applications page, click Protect an Application and select UNIX Application. The credentials on this page are the API Client Integration Key and Secret Key required for CLI access.
Using the management GUI
- Select .
- On Multifactor Authentication page, select Duo
Security authentication provider.Note: For IBM Security Verify authentication provider, see Configuring multifactor authentication with IBM Security Verify.
- Enter the hostname and port of the authentication server. For Duo Security, enter the
following:
Where XXXXXXXX is unique to your subscription that you specified when you created your subscription.api-XXXXXXXX.duosecurity.com - For the OpenID Credentials, complete the following steps in the Duo Security interface to add the Client
ID and Client Secret:
- Select .
- Search Web SDK, click Protect.
- Copy Client ID and Client Secret.
- For the API Client Credentials, complete the following steps in the Duo Security interface to add the
Integration Key and Secret Key:
- Select .
- Search UNIX Application, click Protect.
- Copy Integration Key and Secret Key.
- Click Save.
- On the confirmation page, click Confirm to enable multifactor authentication for the system.
Multifactor authentication is enabled for the system. You can configure user groups to use multifactor authentication. Click Navigate to launch the User Groups page.
Using the CLI
- To enable multifactor authentication with Duo Security, enter the following
command:
where parameter -enable enables multifactor authentication service and -hostname is the hostname of the Duo Security tenant. The -openidclientid and the -openidclientsecret are the Open ID Client and Open ID Secret for the system, required to enable multifactor authentication for login to the storage system GUI. The -integrationkey and the -secretkey are the integration key and secret key for the system, required to enable multifactor authentication for login to the Storage Virtualize CLI.chauthmultifactorduo -enable -hostname api-XXXXXXXX.duosecurity.com -openidclientid openid_client_id -openidclientsecret openid_client_secret -integrationkey integration_key -secretkey secret_key