Configuring multi-factor authentication
Multi-factor (or two-factor) authentication (MFA) adds an extra layer of security to your Guardium user accounts.
Multi-factor (two-factor) authentication configuration
Guardium supports DUO and RSA SecurID authentication engines.
To start configuring an authentication service, click Configure to open the Configure multi-factor authentication window. Select an authentication service, and click Save to view the settings for the selected service.
For more information about using DUO, see Configuring multi-factor authentication with DUO.
For more information about using RSA SecurID, see Configuring multi-factor authentication with RSA SecurID.
Configuring multi-factor authentication with DUO
- Determine which users require MFA. You can configure MFA for GUI users, regular CLI users (that is, CLI users that are created by the accessmgr), or administrative OS users (cli and guardcli1 - guardcli9 users). Before you configure Guardium®, you need to protect the application with DUO:
- For the GUI, protect the Web SDK.
- For the CLI, protect the DUO Auth API.
- For SSH, protect the UNIX application.
You can configure each DUO application as needed. For more information, see the DUO documentation.
- Within DUO, configure your users for authentication.
- From the Guardium UI, click Configure next to Multi-factor Authentication.
- From the Configure multi-factor authentication window, select DUO as the service.
- To configure the GUI for MFA,
- From the GUI login tab, select Enable multi-factor authentication for GUI logins.
- Copy the Integration key, Secret key, and API hostname from DUO Web SDK application.
- Click Save.
- To configure the CLI for MFA,
- From the CLI login tab, select Enable multi-factor authentication for CLI logins.
- Copy the Integration key, Secret key, and API hostname from DUO Auth API application.
- Click Save.
For more information about logging in to the CLI with multi-factor authentication, see Using GuardAPI commands.
- To configure SSH users for MFA,
- From the SSH login tab, select Enable multi-factor authentication for SSH logins.
- Copy the Integration key, Secret key, and API hostname from the UNIX application.
- Click Save.
Note: SSH login supports only password-based authentication with MFA. If your site uses certificate-based authentication, the MFA settings are ignored.
- To add exempt users,
- On the Exemptions tab, all of the users on your system display (including disabled users and users imported from the LDAP server).
- Select the users who you want to exempt from MFA. Exempt users might include accessmgr, admin, and selected trusted users.
- Click Save to add the users to the exempt list.
Note: You cannot exempt administrative OS users (cli and guardcli1 - guardcli9).
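The coverage rules above (per-channel enablement, the exempt list, the SSH password-only caveat, and the administrative OS users that cannot be exempted) are easy to get wrong when reviewing a configuration. The following is an added example, not IBM's or Guardium's code: it models those rules in Python and audits a constructed set of login attempts to report which ones would complete without a second factor. The same exempt-list rule applies to the RSA SecurID configuration later on this page. The account names, the MfaConfig class and all function names are assumptions made for the example.

```python
# Added example (not IBM's code): a small model of the Guardium MFA coverage rules
# described on this page, used to audit which logins would still bypass a second factor.
# The account names and login attempts below are constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

# Administrative OS users; the page states these can never be added to the exempt list.
ADMIN_OS_USERS = frozenset({"cli"} | {f"guardcli{i}" for i in range(1, 10)})

CHANNELS = ("gui", "cli", "ssh")


@dataclass
class MfaConfig:
    """Per-channel MFA switches plus the exempt-user list from the Exemptions tab."""
    gui_enabled: bool = False
    cli_enabled: bool = False
    ssh_enabled: bool = False
    exempt_users: set = field(default_factory=set)


def add_exemptions(config: MfaConfig, users) -> list:
    """Add users to the exempt list; return the ones rejected because they are
    administrative OS users, which the page says cannot be exempted."""
    rejected = [u for u in users if u in ADMIN_OS_USERS]
    config.exempt_users.update(u for u in users if u not in ADMIN_OS_USERS)
    return rejected


def bypass_reason(config: MfaConfig, user: str, channel: str,
                  ssh_auth: str = "password") -> Optional[str]:
    """Return None when the login must present a passcode, otherwise a short
    reason why no second factor is requested."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown login channel: {channel}")
    enabled = {"gui": config.gui_enabled,
               "cli": config.cli_enabled,
               "ssh": config.ssh_enabled}[channel]
    if not enabled:
        return f"MFA not enabled for {channel} logins"
    # Page caveat: SSH MFA applies only to password logins; certificate-based
    # SSH authentication ignores the MFA settings entirely.
    if channel == "ssh" and ssh_auth == "certificate":
        return "certificate-based SSH login ignores MFA settings"
    if user in config.exempt_users and user not in ADMIN_OS_USERS:
        return "user is on the exempt list"
    return None


def mfa_required(config: MfaConfig, user: str, channel: str,
                 ssh_auth: str = "password") -> bool:
    return bypass_reason(config, user, channel, ssh_auth) is None


def audit_bypasses(config: MfaConfig, logins) -> list:
    """Given (user, channel, ssh_auth) tuples, list every login that would
    complete without a second factor, together with the reason."""
    report = []
    for user, channel, ssh_auth in logins:
        reason = bypass_reason(config, user, channel, ssh_auth)
        if reason is not None:
            report.append((user, channel, reason))
    return report


# Constructed sample data: a config with all three channels enabled and a
# handful of login attempts to audit. guardcli5 is refused as an exemption.
SAMPLE_CONFIG = MfaConfig(gui_enabled=True, cli_enabled=True, ssh_enabled=True)
REJECTED = add_exemptions(SAMPLE_CONFIG, ["accessmgr", "guardcli5"])

SAMPLE_LOGINS = [
    ("alice", "gui", "password"),
    ("accessmgr", "gui", "password"),
    ("bob", "cli", "password"),
    ("cli", "ssh", "password"),
    ("guardcli2", "ssh", "certificate"),
]

if __name__ == "__main__":
    print("rejected exemptions:", REJECTED)
    for user, channel, reason in audit_bypasses(SAMPLE_CONFIG, SAMPLE_LOGINS):
        print(f"{user:<10} {channel:<4} bypasses MFA: {reason}")
```

Running the module prints the refused exemption (guardcli5) and the two logins that finish without a passcode: the exempt accessmgr GUI login and the certificate-based SSH login, which the MFA settings do not cover at all. The audit function is the part worth keeping: feed it the real list of accounts and the SSH authentication method in use at your site to confirm that every administrative path is actually behind a second factor.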
Configuring multi-factor authentication with RSA SecurID
For more information, see the RSA SecurID documentation about configuring the RSA SecurID Authentication API.
RSA SecurID uses token-based authentication. The token is either generated on a hardware key fob or as a software token. You can use either token type for MFA with Guardium.
See Getting Started with RSA Authentication Manager from the RSA website.
rsa_cert.pem. When you configure Guardium, you can upload the certificate either by using the store certificate rsa_securid CLI command or from the Configure multi-factor authentication page.
- Add users to RSA SecurID. From the RSA security console, select .
- If your site uses software tokens, determine the authentication type that you want to use, and add a software token profile. Select . For more information about managing software tokens, see the RSA SecurID documentation.
Note: If your site uses hardware tokens, do not create a software token profile.
- Assign tokens to users,
- From the RSA security console, select .
- Click Search to display all of the available users. Leave the search criteria empty to display all users.
- Click a username and then select SecurID Tokens from the drop-down list.
- Select a token from the available tokens list and click Assign. A message displays when a token is assigned.
- Click Cancel to return to the Manage Existing page and assign tokens to other users.
- Set up the authentication agent,
- From the RSA security console, browse to .
- Add a new, unique hostname for the Guardium machine to which you want to authenticate. The Guardium host can be either a central manager or a managed unit. After you enter the hostname, click Resolve Hostname; the IP address is entered automatically.
- Copy and save the hostname. You will need to enter it in Guardium as the Client ID.
- You can keep the default settings or change the settings as needed and then click Save.
- If you did not save the Access Key earlier, you can find the value in the RSA security console System Settings window:
- Browse to Authentication Settings, and click RSA SecurID Authentication API.
- Copy the value of the Access Key to a secure location.
Configuring RSA SecurID authentication on Guardium
After the RSA Security console is configured, you can configure RSA SecurID on Guardium. Each user requires their own client ID and access key (or token). In addition, you can create a list of users who are exempt from additional authentication.
- Hostname: The hostname of the RSA SecurID Authentication Manager. The hostname is usually a fully qualified domain name.
- Port: The port that RSA SecurID Authentication Manager uses for the authentication service. The default is 5555.
- Client ID: The hostname of the authentication agent that you added to the RSA SecurID security console in Step 4 of Configuring multi-factor authentication with RSA SecurID.
- Access key: The access key that is generated from the RSA SecurID Authentication API. You can find the value of the Access key in the RSA SecurID Security Settings, as described in Step 5 of Configuring multi-factor authentication with RSA SecurID.
- On the Exemptions tab, all of the users on your system display (including disabled users and users imported from the LDAP server).
- Select the users who you want to exempt from MFA. Exempt users might include accessmgr, admin, and selected trusted users.
- Click Save to add the users to the exempt list.
When non-exempt users log in to Guardium, they need to provide a passcode from RSA SecurID. The passcode is either generated on the user's RSA SecurID hardware fob (token) or by the RSA SecurID software token on the user's computer or phone.
Logging in to Guardium with RSA SecurID MFA
To log in to Guardium as a user in an environment with RSA SecurID MFA, you need to either obtain an RSA SecurID hardware token or download the RSA SecurID software token.
Follow your administrator's instructions for installing the RSA SecurID token. After you have a token (either software or hardware) and MFA is configured for Guardium, you will need to provide a token passcode whenever you log in.
When a passcode is requested, copy the passcode and paste (or type) it into the Passcode box (for the UI) or at the Enter passcode prompt (for the CLI).
Depending on how your environment is configured, you might need to provide a passcode to log in to the GUI, the Guardium CLI, or both.