Configuring multi-factor authentication
Multi-factor (or two-factor) authentication (MFA) adds an extra layer of security to your Guardium user accounts.
Multi-factor (two-factor) authentication configuration
Guardium supports the DUO authentication engine.
Configuring multi-factor authentication with DUO
- Determine which users require MFA.
  You can configure MFA for GUI users, regular CLI users (that is, CLI users that are created by the accessmgr), or administrative OS users (cli and guardcli1 - guardcli5 users). Before you configure Guardium®, you need to protect the application with DUO:
  - For the GUI, protect the Web SDK.
  - For the CLI, protect the DUO Auth API.
  - For SSH, protect the UNIX application.
  You can configure each DUO application as needed. For more information, see the DUO documentation.
- Within DUO, configure your users for authentication.
- From the Guardium UI, click Configure next to Multi-factor Authentication.
- From the Configure multi-factor authentication window, select DUO as the service.
- To configure the GUI for MFA:
  - From the GUI login tab, select Enable multi-factor authentication for GUI logins.
  - Copy the Integration key, Secret key, and API hostname from the DUO Web SDK application.
  - Click Save.
- To configure the CLI for MFA:
  - From the CLI login tab, select Enable multi-factor authentication for CLI logins.
  - Copy the Integration key, Secret key, and API hostname from the DUO Auth API application.
  - Click Save.
  For more information about logging in to the CLI with multi-factor authentication, see Using GuardAPI commands.
- To configure SSH users for MFA:
  - From the SSH login tab, select Enable multi-factor authentication for SSH logins.
  - Copy the Integration key, Secret key, and API hostname from the UNIX application.
  - Click Save.
  Note: SSH login supports only password-based authentication with MFA. If your site uses certificate-based authentication, the MFA settings are ignored.
- To add exempt users:
  Note: You cannot exempt administrative OS users (cli and guardcli1 - guardcli5).
  - On the Exemptions tab, all of the users on your system are displayed (including disabled users and users imported from the LDAP server).
  - Select the users that you want to exempt from MFA. Exempt users might include accessmgr, admin, and selected trusted users.
  - Click Save to add the users to the exempt list.
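
The Integration key, Secret key, and API hostname that the CLI step copies from the DUO Auth API application can be checked against DUO before they are saved in Guardium. The following is an added example, not IBM or DUO code: it signs a request to the DUO Auth API /auth/v2/check endpoint with HMAC-SHA1 request signing. The environment variable names are assumptions, and the check applies to the Auth API application only, not to the Web SDK or UNIX applications.

```python
import base64, email.utils, hashlib, hmac, json, os
import urllib.error, urllib.parse, urllib.request

CHECK_PATH = "/auth/v2/check"  # Duo Auth API endpoint that validates the signature

def canonical_request(date, method, host, path, params):
    """String that Duo signs: date, METHOD, host, path, sorted URL-encoded params."""
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])

def auth_header(ikey, skey, date, method, host, path, params):
    """HTTP Basic value: user = integration key, password = HMAC-SHA1 hex digest."""
    msg = canonical_request(date, method, host, path, params).encode()
    sig = hmac.new(skey.encode(), msg, hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()

def check_credentials(ikey, skey, host, timeout=10):
    """Return (ok, detail). ok is True only when Duo answers stat == "OK"."""
    date = email.utils.formatdate()  # RFC 2822; must match the Date header
    req = urllib.request.Request(
        f"https://{host}{CHECK_PATH}",
        headers={"Date": date,
                 "Authorization": auth_header(ikey, skey, date, "GET", host, CHECK_PATH, {})},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:   # e.g. 401 for a wrong key pair
        return False, f"HTTP {err.code}"
    except urllib.error.URLError as err:    # wrong hostname, no route, TLS failure
        return False, f"unreachable: {err.reason}"
    return body.get("stat") == "OK", body.get("stat", "no stat field")

if __name__ == "__main__":
    # Assumed variable names; the secret key is read from the environment so it
    # never appears in shell history or the process list.
    ok, detail = check_credentials(
        os.environ["DUO_IKEY"], os.environ["DUO_SKEY"], os.environ["DUO_HOST"])
    print("credentials accepted" if ok else f"rejected ({detail})")
    raise SystemExit(0 if ok else 1)
```

A rejection can also come from clock skew on the machine that runs the check, because the signed Date value must be close to DUO's time.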