configure_mfa
This command configures multi-factor authentication.
Before you run this command, make sure that your authentication application is configured. For DUO, define applications and users. For RSA SecurID, configure the RSA SecurID Authentication Manager.
This API is available in Guardium V11.2 and later.
REST API syntax
This API uses the POST method. Call this API as follows:
POST https://[Guardium hostname or IP address]:8443/restAPI/configure_mfa
GuardAPI syntax
configure_mfa parameter=value
Parameters
Parameter | Value type | Description |
---|---|---|
accessKey | String | RSA SecurID only. From the RSA SecurID Console, generate the access key from the RSA SecurID Authentication API under Authentication Settings. |
apiHost | String | The API host string. |
clientId | String | RSA SecurID only. The Hostname from the Add New Authentication Page of the RSA Security Console. |
enable | Boolean | Required. Valid values: |
exemptUsers | String | A comma-separated list of users to exempt from secondary authentication. You cannot exempt administrative OS (SSH) users. |
iKey | String | DUO only. The integration key. |
loginPath | String | Required. Determines whether to provide multi-factor authentication to the Guardium GUI, CLI, or SSH. Valid values: |
mfaType | String | Required. The authentication type. For valid values, call configure_mfa from the command line with |
port | Integer | RSA SecurID only. The communication port from the Add New Authentication Page of the RSA Security Console. The default is 5555. |
sKey | String | DUO only. The secret key (from DUO). |
verifySSL | Boolean | RSA SecurID only. Required for SSH users only. Determines whether to verify the server-side certificate for the RSA SecurID Authentication Manager. Before you run this command with verifySSL='true', you need to upload the CA or self-signed certificate, which must be in PEM format. For more information, see either Configuring multi-factor authentication with RSA SecurID or store certificate rsa securid. Valid values: |
api_target_host | String | Specifies the target hosts where the API executes. Valid values: IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode. |
GuardAPI examples with DUO
This example configures multi-factor authentication for the Guardium GUI with DUO.
grdapi configure_mfa loginPath=GUI mfaType=DUO exemptUsers="admin, accessmgr" enable=true iKey=DIATOT8H1OXXXX sKey=2gMRXVj2iQXXXX apiHost=api-ccccc.duosecurity.com
grdapi configure_mfa loginPath=SET_GUIUSER mfaType=DUO exemptUsers="admin, accessmgr" enable=true iKey=DINT141B9I2N91SXXXXX sKey=3gMRXVj2iQXXXX apiHost=api-ddddd.duosecurity.com
grdapi configure_mfa loginPath=SSH mfaType=DUO enable=false
GuardAPI examples with RSA SecurID
grdapi configure_mfa loginPath=GUI mfaType="RSA SecurID" exemptUsers="admin, accessmgr" port=5555 verifySSL=false clientId=platform-vm10.mycompany.com accessKey=t0qx4zg7agcd2gqtad414a353318i85808r428p5pbwcgc33gn8381234567 apiHost=rsa88.mycompany.com enable=true
grdapi configure_mfa loginPath=SSH mfaType="RSA SecurID" enable=false
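
Pre-change review of a configure_mfa command line against the parameter table above, as an added example that is not part of the Guardium documentation or product. The function names, finding texts, and sample commands are assumptions made for illustration; only the parameter names and the DUO and RSA SecurID groupings come from this page.

```python
import shlex

# Parameter groupings as given in the parameter table on this page.
REQUIRED = {"enable", "loginPath", "mfaType"}
PROVIDER_ONLY = {
    "DUO": {"iKey", "sKey"},
    "RSA SecurID": {"accessKey", "clientId", "port", "verifySSL"},
}

# Constructed sample commands; hostnames and key values are placeholders.
SAMPLE_RSA = ('grdapi configure_mfa loginPath=GUI mfaType="RSA SecurID" '
              'exemptUsers="admin, accessmgr" port=5555 verifySSL=false '
              'clientId=client.example.com accessKey=PLACEHOLDER '
              'apiHost=rsa.example.com enable=true')
SAMPLE_MIXED = ('grdapi configure_mfa loginPath=GUI mfaType=DUO iKey=PLACEHOLDER '
                'sKey=PLACEHOLDER apiHost=api.example.com port=5555')

def parse_grdapi(line):
    """Split 'grdapi configure_mfa k=v ...' into a dict, honouring quoted values."""
    tokens = shlex.split(line)
    if tokens[:2] != ["grdapi", "configure_mfa"]:
        raise ValueError("not a configure_mfa command")
    params = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"expected parameter=value, got {tok!r}")
        params[key] = value
    return params

def review(line):
    """Return review findings for one configure_mfa command line."""
    p = parse_grdapi(line)
    findings = [f"missing required parameter: {k}" for k in sorted(REQUIRED - set(p))]
    mfa = p.get("mfaType")
    if mfa in PROVIDER_ONLY:  # only check the providers this page documents
        for provider, names in PROVIDER_ONLY.items():
            if provider != mfa:
                findings += [f"{k} is {provider} only but mfaType is {mfa}"
                             for k in sorted(names & set(p))]
    enabling = p.get("enable", "").lower() == "true"
    if enabling and p.get("verifySSL", "").lower() == "false":
        findings.append("verifySSL=false: RSA SecurID server certificate is not verified")
    exempt = [u.strip() for u in p.get("exemptUsers", "").split(",") if u.strip()]
    if enabling and exempt:
        findings.append("exempt from secondary authentication: " + ", ".join(exempt))
    return findings
```

Calling review(SAMPLE_RSA) reports the disabled certificate check and the exempted accounts so that both can be confirmed as intentional before the command is run.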