Configuring multi-factor authentication

Multi-factor (or two-factor) authentication (MFA) adds an extra layer of security to your Guardium user accounts.

Multi-factor (two-factor) authentication configuration

Guardium supports the DUO authentication engine.

Configuring multi-factor authentication with DUO

To enable multi-factor authentication for DUO on Guardium, your site needs a DUO administrator. For more information, see https://duo.com/product/multi-factor-authentication-mfa. After you install DUO, you can enable MFA for your GUI, your CLI, or both. In addition, you can create a list of users who are exempt from additional authentication.
Note: To use MFA, the user's web browser (for GUI) or gmachine (for CLI and SSH) must have access to the DUO cloud service for MFA. If the DUO cloud service is not reachable (via the internet), then the user cannot be authenticated (and cannot log in).
To use MFA in a centrally managed environment, you must set up MFA on the central manager. The MFA configuration is automatically synchronized to all of its managed units. Even though you can set or change MFA authentication only from the central manager, you can query the configuration from any associated machine.
Note: If you unregister a managed unit in a centrally managed environment, the MFA settings for the unregistered unit are disabled.
  1. Determine which users require MFA. You can configure MFA for GUI users, regular CLI users (that is, CLI users that are created by the accessmgr), or administrative OS users (cli and guardcli1 - guardcli5 users). Before you configure Guardium®, you need to protect the application with DUO:
    • For the GUI, protect the Web SDK.
    • For the CLI, protect the DUO Auth API.
    • For SSH, protect the UNIX application. You can configure each DUO application as needed. For more information, see the DUO documentation.
  2. Within DUO, configure your users for authentication.
After you set up protection in DUO, you can configure multi-factor authentication in Guardium.
  1. From the Guardium UI, click Configure next to Multi-factor Authentication.
  2. From the Configure multi-factor authentication window, select DUO as the service.
  3. To configure the GUI for MFA,
    1. From the GUI login tab, select Enable multi-factor authentication for GUI logins.
    2. Copy the Integration key, Secret key, and API hostname from DUO Web SDK application.
    3. Click Save.
  4. To configure the CLI for MFA,
    1. From the CLI login tab, select Enable multi-factor authentication for CLI logins.
    2. Copy the Integration key, Secret key, and API hostname from DUO Auth API application.
    3. Click Save.

      For more information about logging in to the CLI with multi-factor authentication, see Using GuardAPI commands.

  5. To configure SSH users for MFA,
    1. From the SSH login tab, select Enable multi-factor authentication for SSH logins.
    2. Copy the Integration key, Secret key, and API hostname from the UNIX application.
    3. Click Save.
      Note: SSH login supports only password-based authentication with MFA. If your site uses certificate-based authentication, the MFA settings are ignored.
  6. To add exempt users,
    1. On the Exemptions tab, all of the users on your system display (including disabled users and users imported from the LDAP server).
    2. Select the users who you want to exempt from MFA. Exempt users might include accessmgr, admin, and selected trusted users.
    3. Click Save to add the users to the exempt list.
    Note: You cannot exempt administrative OS users (cli and guardcli1 - guardcli5).
When non-exempt users next login, they are asked to authenticate based on your configuration selections in DUO.
Note: You can use GuardAPIs or REST APIs to manage multi-factor authentication. For more information, see Multi-factor authentication APIs.