Configuring multi-factor authentication

Multi-factor (or two-factor) authentication (MFA) adds an extra layer of security to your Guardium user accounts.

Multi-factor (two-factor) authentication configuration

Guardium supports DUO and RSA SecurID authentication engines.

To start configuring an authentication service, click Configure to open the Configure multi-factor authentication window. Select an authentication service, and click Save to view the settings for the selected service.

For more information about using DUO, see Configuring multi-factor authentication with DUO.

For more information about using RSA SecurID, see Configuring multi-factor authentication with RSA SecurID.

Configuring multi-factor authentication with DUO

To enable multi-factor authentication for DUO on Guardium, your site needs a DUO administrator. For more information, see https://duo.com/product/multi-factor-authentication-mfa. After you install DUO, you can enable MFA for your GUI, your CLI, or both. In addition, you can create a list of users who are exempt from additional authentication.
Note: To use MFA, the user's web browser (for GUI) or machine (for CLI and SSH) must have access to the DUO cloud service for MFA. If the DUO cloud service is not reachable (via the internet), then the user cannot be authenticated (and cannot log in).
To use MFA with DUO in a centrally managed environment, you must set up MFA on the central manager. The MFA configuration is automatically synchronized to all of its managed units. Even though you can set or change MFA authentication only from the central manager, you can query the configuration from any associated machine.
Note: If you unregister a managed unit in a centrally managed environment, the MFA settings for the unregistered unit are disabled.
  1. Determine which users require MFA. You can configure MFA for GUI users, regular CLI users (that is, CLI users that are created by the accessmgr), or administrative OS users (cli and guardcli1 - guardcli9 users). Before you configure Guardium®, you need to protect the application with DUO:
    • For the GUI, protect the Web SDK.
    • For the CLI, protect the DUO Auth API.
    • For SSH, protect the UNIX application.
    You can configure each DUO application as needed. For more information, see the DUO documentation.
  2. Within DUO, configure your users for authentication.
After you set up protection in DUO, you can configure multi-factor authentication in Guardium.
  1. From the Guardium UI, click Configure next to Multi-factor Authentication.
  2. From the Configure multi-factor authentication window, select DUO as the service.
  3. To configure the GUI for MFA,
    1. From the GUI login tab, select Enable multi-factor authentication for GUI logins.
    2. Copy the Integration key, Secret key, and API hostname from DUO Web SDK application.
    3. Click Save.
  4. To configure the CLI for MFA,
    1. From the CLI login tab, select Enable multi-factor authentication for CLI logins.
    2. Copy the Integration key, Secret key, and API hostname from DUO Auth API application.
    3. Click Save.

      For more information about logging in to the CLI with multi-factor authentication, see Using GuardAPI commands.

  5. To configure SSH users for MFA,
    1. From the SSH login tab, select Enable multi-factor authentication for SSH logins.
    2. Copy the Integration key, Secret key, and API hostname from the UNIX application.
    3. Click Save.
      Note: SSH login supports only password-based authentication with MFA. If your site uses certificate-based authentication, the MFA settings are ignored.
  6. To add exempt users,
    1. On the Exemptions tab, all of the users on your system display (including disabled users and users imported from the LDAP server).
    2. Select the users who you want to exempt from MFA. Exempt users might include accessmgr, admin, and selected trusted users.
    3. Click Save to add the users to the exempt list.
    Note: You cannot exempt administrative OS users (cli and guardcli1 - guardcli9).
When non-exempt users next log in, they are asked to authenticate based on your configuration selections in DUO.
Note: You can use GuardAPIs or REST APIs to manage multi-factor authentication. For more information, see Multi-factor authentication APIs.

Configuring multi-factor authentication with RSA SecurID

Your site can use MFA with RSA SecurID for Guardium GUI users, regular CLI users (that is, CLI users who are created by the accessmgr), or SSH users (cli and guardcli1 - guardcli9 users). Before you can use RSA SecurID for multi-factor authentication, you need to install and configure the RSA Authentication Manager on a central manager or stand-alone machine.
Note: When you install RSA Configuration Manager, you must enable the RSA SecurID Authentication API. When you enable the API, RSA SecurID generates and displays the Access Key. Copy the Access Key value to a secure location where you can access it when you configure the authentication agents later.

For more information, see the RSA SecurID documentation about configuring the RSA SecurID Authentication API.

RSA SecurID uses token-based authentication. The token is either generated on a hardware key fob or as a software token. You can use either token type for MFA with Guardium.

For more information about RSA SecurID and the RSA Authentication Manager, see Getting Started with RSA Authentication Manager from the RSA website.
Note: If you plan to require MFA for SSH users, you need a signed SSL certificate from a trusted certificate authority (CA). The certificates are not required for GUI and CLI users. The certificate must be in PEM format, for example, rsa_cert.pem.

When you configure Guardium, you can upload the certificate either by using the store certificate rsa_securid CLI command or from the Configure multi-factor authentication page.

To configure RSA SecurID on a Guardium central manager, log in to the RSA security console, and then take the following steps,
  1. Add users to RSA SecurID. From the RSA security console, select Identity > Users > Add New.
  2. If your site uses software tokens, determine the authentication type that you want to use, and add a software token profile. Select Authentication > Software Token Profiles > Add New. For more information about managing software tokens, see the RSA SecurID documentation.
    Note: If your site uses hardware tokens, do not create a software token profile.
  3. Assign tokens to users,
    1. From the RSA security console, select Identity > Users > Manage Existing.
    2. Click Search to display all of the available users. Leave the search criteria empty to display all users.
    3. Click a username and then select SecurID Tokens from the drop-down list.
    4. Select a token from the available tokens list and click Assign. A message displays when a token is assigned.
    5. Click Cancel to return to the Manage Existing page and assign tokens to other users.
  4. Set up the authentication agent,
    1. From the RSA security console, browse to Access > Authentication Agents > Add New.
    2. Add a new, unique, hostname for the Guardium machine to which you want to authenticate. The Guardium host can be either a central manager or a managed unit. After you enter the hostname, click Resolve Hostname; the IP address is automatically entered.
    3. Copy and save the hostname. You will need to enter it in Guardium as the Client ID.
    4. You can keep the default settings or change the settings as needed and then click Save.
  5. If you did not save the Access Key earlier, you can find the value from the RSA security console System Settings window,
    1. Browse to Setup > System Settings. Under Authentication Settings, click RSA SecurID Authentication API.
    2. Copy the value of the Access Key to a secure location.

Configuring RSA SecurID authentication on Guardium

After the RSA security console is configured, you can configure RSA SecurID on Guardium. Each user requires their own client ID and access key (or token). In addition, you can create a list of users who are exempt from additional authentication.

To enable MFA, you need the following information from the RSA SecurID Authentication Manager:
  • Hostname: The hostname of the RSA SecurID Authentication Manager. The hostname is usually a fully qualified domain name.
  • Port: The port that RSA SecurID Authentication Manager uses for the authentication service. The default is 5555.
  • Client ID: The hostname of the authentication agent that you added to the RSA SecurID security console in Step 4 of Configuring multi-factor authentication with RSA SecurID.
  • Access key: The access key that is generated from the RSA SecurID Authentication API. You can find the value of the Access key in the RSA SecurID Security Settings, as described in Step 5 of Configuring multi-factor authentication with RSA SecurID.
In addition, you can include a signed SSL server certificate. Select Validate server certificate and then click Upload certificate. Browse to the location of the certificate and click Open.
Note: A signed certificate, in PEM format, is required for SSH logins only.
To add exempt users,
  1. On the Exemptions tab, all of the users on your system display (including disabled users and users imported from the LDAP server).
  2. Select the users who you want to exempt from MFA. Exempt users might include accessmgr, admin, and selected trusted users.
  3. Click Save to add the users to the exempt list.
Note: You cannot exempt administrative OS users (cli and guardcli1 - guardcli9).
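
A pre-flight check for either configuration (the DUO procedure and the RSA SecurID procedure above), run before you click Save, so that a missing key, an unreachable authentication service, or a disallowed exemption is caught before non-exempt users are locked out. This is an added example, not IBM's or Guardium's own code; the configuration dictionary layout, the function names, and the sample values are assumptions.

```python
"""Pre-flight checks for a Guardium MFA configuration (added example, not IBM code).
The config dict layout and function names are assumptions made for this example."""
import socket
import ssl

# Administrative OS users that can never be exempted from MFA.
OS_USERS = {"cli"} | {f"guardcli{i}" for i in range(1, 10)}
# Values each enabled login type needs, per authentication service.
DUO_FIELDS = ("integration_key", "secret_key", "api_hostname")
RSA_FIELDS = ("hostname", "port", "client_id", "access_key")


def check_reachable(host, port, timeout=5.0):
    """Return (ok, detail). MFA fails closed: if the DUO cloud service or the
    RSA Authentication Manager is unreachable, non-exempt users cannot log in."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"{host}:{port} reachable"
    except OSError as exc:
        return False, f"{host}:{port} unreachable: {exc}"


def pem_looks_valid(pem_text):
    """Format check only: the text is one PEM CERTIFICATE block that decodes
    to DER. Chain validation against the trusted CA is left to Guardium."""
    try:
        return len(ssl.PEM_cert_to_DER_cert(pem_text)) > 0
    except ValueError:
        return False


def validate(cfg):
    """Return a list of problems for a config shaped like
    {"service": "DUO"|"RSA", "logins": {"gui"|"cli"|"ssh": {...}},
     "exempt": [...], "server_cert_pem": "..."}. Empty list means OK."""
    problems = []
    fields = DUO_FIELDS if cfg["service"] == "DUO" else RSA_FIELDS
    for login, settings in cfg.get("logins", {}).items():
        if not settings.get("enabled"):
            continue
        missing = [f for f in fields if not settings.get(f)]
        if missing:
            problems.append(f"{login}: missing {', '.join(missing)}")
        if login == "ssh":
            if cfg["service"] == "RSA" and not pem_looks_valid(cfg.get("server_cert_pem", "")):
                problems.append("ssh: RSA SecurID SSH logins need a PEM server certificate")
            if settings.get("auth") == "certificate":
                problems.append("ssh: MFA is ignored for certificate-based SSH authentication")
    for user in cfg.get("exempt", []):
        if user in OS_USERS:
            problems.append(f"exempt: {user} is an OS user and cannot be exempted")
    return problems
```

Run validate() on the settings you intend to enter and check_reachable() against the API hostname (DUO) or the manager hostname and port (RSA, default 5555) from the Guardium host itself, since that is where the authentication traffic originates.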

When non-exempt users log in to Guardium, they need to provide a passcode from RSA SecurID. The passcode is either generated on the user's RSA SecurID hardware fob (token) or from the RSA SecurID software token on the user's computer or phone.

Logging in to Guardium with RSA SecurID MFA

To log in to Guardium as a user in an environment with RSA SecurID MFA, you need to either acquire a hardware token from your RSA SecurID or download the RSA SecurID software token.

Follow your administrator's instructions for installing the RSA SecurID token. After you have a token (either software or hardware) and MFA is configured for Guardium, you will need to provide a token passcode whenever you log in.

When a passcode is requested, copy the passcode and paste (or type) it into the Passcode box (for the UI) or at the Enter passcode prompt (for the CLI).

Depending on how your environment is configured, you might need to provide a passcode to log in to the GUI, the Guardium CLI, or both.