Multi-Factor Authentication (MFA) provides enhanced security by requiring at least two independent factors of verification for authentication. This extra layer helps prevent fraudulent access: a cybercriminal might know a stolen username and password, but is still required to provide an additional form of identification known as a second factor. In general, three types of authentication factors are commonly used:
1. Something You Know – This is typically your username and password. Anything that is remembered can be stolen, whether through social engineering or through more sophisticated cybercriminal techniques.
2. Something You Have – This includes anything in your physical possession used for additional verification, such as smartphones, smart cards, USB drives, soft or hard tokens, push notifications, and more.
3. Something You Are – This is also known as biometric identification. This includes any part of the physical human body used for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.
This article will cover the “Something You Have” factor of MFA by describing the steps to integrate Cisco Duo with NetIQ Access Manager (NAM) and NetIQ Advanced Authentication Framework (AAF). This article assumes you are familiar with Access Manager and with how to configure authentication methods and contracts. It also assumes you are familiar with Advanced Authentication Framework and how to configure methods and chains. For detailed administration guidance on these products, please refer to the latest product documentation located at https://support.microfocus.com.
Prerequisites
Solution Process Flow
Overview
The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. Once the user approves the two-factor request (received as a push notification from Duo Mobile, or as a phone call, etc.), the Duo proxy returns access approval to the requesting device or application. You may find detailed installation instructions for the Duo Authentication Proxy by visiting the Duo reference guide at https://duo.com/docs/authproxy-reference.
System Requirements
The Duo Authentication Proxy can be installed on the latest versions of the following operating systems:
- Windows 2012 or later (Server 2016 or 2019 are recommended)
- SLES 12 or later
- Red Hat Enterprise 7 or later
- CentOS 7 or later
- Ubuntu 16.04 or later
- Debian 7 or later.
Installation Instructions
The Duo Authentication Proxy can be installed on virtual or physical hosts. The recommended system specifications are at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is sufficient).
General installation instructions are as follows:
Windows
1. Install a Windows Server using the recommended versions listed above.
2. Download the latest software using the following link - https://dl.duosecurity.com/duoauthproxy-latest.exe
3. Launch the Duo Authentication Proxy installer on the target Windows server as a user with administrator rights and follow the on-screen prompts.
Linux
1. Install a Linux Server using the recommended distributions and versions listed above.
2. Install the build dependencies: Perl, Python 2.6 or 2.7 (including development headers and libraries), and a compiler toolchain. On most recent RPM-based distributions, such as Fedora, Red Hat Enterprise Linux, and CentOS, you can install these by running (as root):
$ yum install gcc make python-devel libffi-devel perl zlib-devel
On Debian-derived systems, install these dependencies by running (as root):
$ apt-get install build-essential python-dev libffi-dev perl zlib1g-dev
3. Download the latest software using the following link - https://dl.duosecurity.com/duoauthproxy-latest-src.tgz
4. Extract the Authentication Proxy files and build it as follows:
$ tar xzf duoauthproxy-latest-src.tgz
$ cd duoauthproxy-version-src
$ make
5. Install the authentication proxy (as root):
$ cd duoauthproxy-build
$ ./install
6. Follow the prompts to complete the installation. The installer creates a user to run the proxy service and a group to own the log directory and files. You can accept the default user and group names or enter your own. Instructions for configuring and starting/stopping the service will be explained later in this solution.
Overview
Integrating Duo Authentication Proxy with the Advanced Authentication server requires using a RADIUS Client / Server interaction. The Advanced Authentication server will act as the RADIUS Client and the Duo Authentication Proxy will host the RADIUS server.
Enroll a RADIUS application on the Duo Authentication Proxy
1. Login to your Duo administration account
2. On the left-side navigation menu, click on Applications | Protect an Application
3. From the list of applications, scroll down and find the RADIUS application. Click the Protect button for the RADIUS application.
4. An application Integration Key, Secret Key and API hostname will be generated. Take note of these values as you will need them when setting up the RADIUS server configuration on the Duo Authentication Proxy and on the AAF server.
Configure the RADIUS settings on the Duo Authentication Proxy
1. Login to the Duo Authentication Proxy server as the Administrator (or root on Linux).
2. Edit the Duo Authentication Proxy configuration file:
Windows - <Install Location>\Duo Security Authentication Proxy\conf\authproxy.cfg
Linux - /opt/duoauthproxy/conf/authproxy.cfg
3. Remove all of the default settings and add the following configuration, using the RADIUS application values generated in the step above. The empty [duo_only_client] section tells the proxy to perform no primary authentication (the RADIUS password field will carry the Duo factor instead), and radius_ip_1 / radius_secret_1 define the one RADIUS client that is allowed to talk to the proxy, the AAF server:
[duo_only_client]

[radius_server_auto]
ikey=< RADIUS application Integration Key >
skey=< RADIUS application Secret Key >
api_host=< RADIUS application API Hostname >
radius_ip_1=< IP Address of your AAF server >
radius_secret_1=netiqsecret
Replace netiqsecret with a long, random shared secret of your own. Together with radius_ip_1 it is all that authenticates the AAF server to the proxy. Both this secret and skey are credentials, so restrict read access to authproxy.cfg to the account the proxy service runs as.
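As an added example (not part of the original article and not Duo's or NetIQ's code), the following Python script lints an authproxy.cfg for the settings that weaken the RADIUS leg between AAF and the proxy: keys left as placeholders, the copy-pasted shared secret, a missing radius_ip restriction, and failmode left at its fail-open default. The two embedded configurations are constructed: WEAK_CFG mirrors the fragment above, HARDENED_CFG is the corrected form with dummy key values. The 16-character minimum for the shared secret is a local policy assumption, not a Duo requirement.

```python
import configparser

# Secrets that show up in copy-pasted examples; treat them as unset.
PLACEHOLDER_SECRETS = {"netiqsecret", "secret", "password", "changeme"}
MIN_SECRET_LEN = 16  # assumption: a local policy floor, not a Duo requirement

# Constructed sample that mirrors the article's fragment (weak as written).
WEAK_CFG = """
[duo_only_client]

[radius_server_auto]
ikey=< RADIUS application Integration Key >
skey=< RADIUS application Secret Key >
api_host=< RADIUS application API Hostname >
radius_ip_1=192.0.2.10
radius_secret_1=netiqsecret
"""

# Constructed hardened form: dummy key values, fail-closed, random shared secret.
HARDENED_CFG = """
[duo_only_client]

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-xxxxxxxx.duosecurity.com
failmode=secure
radius_ip_1=192.0.2.10
radius_secret_1=Xk3v9wQ2mL8pR5tZ7bN4cH6jF1aS0dG
"""


def lint_authproxy(cfg_text: str) -> list:
    """Return a list of findings for an authproxy.cfg; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings = []

    # The *_client section decides primary auth: [duo_only_client] means none,
    # [ad_client]/[radius_client] means an LDAP or RADIUS password check first.
    if not any(s.endswith("_client") for s in cp.sections()):
        findings.append("no client section: add [duo_only_client] or an [ad_client]/[radius_client] primary auth source")

    servers = [s for s in cp.sections() if s.startswith("radius_server")]
    if not servers:
        findings.append("no [radius_server_*] section: nothing will listen for the AAF RADIUS Client")

    for name in servers:
        sec = cp[name]
        for key in ("ikey", "skey", "api_host"):
            value = sec.get(key, "")
            if not value or value.startswith("<"):
                findings.append(f"{name}: {key} missing or still a placeholder")
        # failmode defaults to 'safe' (fail open): if Duo is unreachable the proxy
        # lets the login through without a second factor.
        if sec.get("failmode", "safe").lower() != "secure":
            findings.append(f"{name}: failmode is not 'secure'; users are let through when Duo is unreachable")
        n = 1
        while sec.get(f"radius_ip_{n}"):
            secret = sec.get(f"radius_secret_{n}", "")
            if secret.lower() in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN:
                findings.append(f"{name}: radius_secret_{n} is a placeholder or shorter than {MIN_SECRET_LEN} characters")
            n += 1
        if n == 1:
            findings.append(f"{name}: radius_ip_1/radius_secret_1 missing; the proxy needs at least one RADIUS client")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(f"{label}: {lint_authproxy(cfg) or 'no findings'}")
```

Run it against the real file with `lint_authproxy(open('/opt/duoauthproxy/conf/authproxy.cfg').read())` before starting the service. The failmode check is the one most often missed: with the default, an outage of the Duo service silently turns the chain into single-factor.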
Startup the Duo Authentication Proxy service
Open a Windows command prompt or Linux terminal window and start the Duo Authentication Proxy:
Windows - net start DuoAuthProxy
Linux - /opt/duoauthproxy/bin/authproxyctl start
Note: You can also stop the service by replacing the “start” directive with “stop”.
Overview
1. Open the Advanced Authentication Administration portal.
2. Click Methods > RADIUS Client.
3. Specify the IP address of the Duo Authentication Proxy server in Server.
4. In Secret, specify the RADIUS shared secret you set as radius_secret_1 in authproxy.cfg (netiqsecret in the example above). This is not the Duo application Secret Key (skey); that value is used only by the proxy to talk to Duo.
5. Specify the port for the RADIUS authentication request. The default is 1812, which is also the port [radius_server_auto] listens on unless you set port= in its section.
6. Click Save.
Create a New Chain for the RADIUS Client
1. Click Chain > New Chain.
2. Specify Radius Client in Name.
3. Set “Is enabled” to ON.
4. Move the RADIUS Client from the Available list to the Used list.
5. Specify the repositories, roles and groups in Repos, Roles and Groups.
6. Click Save.
2. Click on the RADIUS Client available under the Enrolled Authenticators.
3. Enter the <Repository Name>\<Username>. For example: EDIRECTORY\ggilbert
4. Click the Test button.
5. The following prompt will ask for a Password.
IMPORTANT: The value entered here is what AAF sends to the Duo Authentication Proxy as the RADIUS password. Because no primary authentication source was configured on the proxy (the empty [duo_only_client] section), the proxy does not check it as a password; it passes it to Duo as the second factor, i.e. the Duo passcode.
In a real production setup, the Duo Authentication Proxy should be configured with an Active Directory / LDAP primary authentication source (an [ad_client] section) whose users match those in the LDAP directory. The user would then authenticate by entering their LDAP password, and the proxy would contact Duo for the second factor only after that password verifies. Alternatively, when using NAM, single sign-on can pass the LDAP password to AAF and allow a seamless login.
6. Enter the passcode displayed in the Duo Mobile app on your mobile device (or type push to be sent a push notification to approve instead). The proxy forwards the factor to the Duo service and, if Duo accepts it, you will be granted access and a popup will report a successful test.
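To make the RADIUS Client / Server interaction described in the Overview above concrete, here is an added Python example (not code from the article, from NetIQ, or from Duo) that performs one RFC 2865 PAP exchange the way AAF and the proxy do during this test: the client side hides the value typed at the password prompt (the Duo passcode) under the shared secret, the server side unwraps it, hands it to a constructed stand-in for the Duo check, and answers with an Access-Accept whose Response Authenticator the client verifies. The user name EDIRECTORY\ggilbert, the passcode 123456 and the Duo back end are all constructed for the example.

```python
"""Bare-bones RFC 2865 PAP exchange: the AAF RADIUS Client method plays the
client, the Duo proxy's [radius_server_auto] plays the server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _pack_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def _response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(ident: int, username: str, factor: str, secret: bytes) -> bytes:
    """Client side. The 'password' AAF sends is whatever the user typed at the
    RADIUS prompt: with [duo_only_client] that is the Duo passcode or 'push'."""
    req_auth = os.urandom(16)
    attrs = _pack_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encrypt_password(factor.encode(), secret, req_auth)),
        (ATTR_NAS_IDENTIFIER, b"aaf"),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def handle_access_request(packet: bytes, secret: bytes, verify_factor) -> bytes:
    """Server side: unwrap User-Password with *our* secret, hand it to the
    second-factor check, and answer with Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed request")
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:])
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    factor = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if verify_factor(username, factor) else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + _response_authenticator(code, ident, b"", req_auth, secret)


def check_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust the reply only if the Response Authenticator proves it
    came from a peer holding the same shared secret, then look at the code."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = _response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected) and code == ACCESS_ACCEPT


def run_exchange(client_secret: bytes, server_secret: bytes, sent: str, expected: str = "123456") -> bool:
    """One round trip against a constructed Duo back end that accepts exactly
    one passcode for the test user (a stand-in for the Duo cloud check)."""
    user = "EDIRECTORY\\ggilbert"
    backend = lambda u, f: u == user and hmac.compare_digest(f, expected.encode())
    request = build_access_request(7, user, sent, client_secret)
    response = handle_access_request(request, server_secret, backend)
    return check_response(response, request, client_secret)


if __name__ == "__main__":
    print("same secret, right passcode:", run_exchange(b"netiqsecret", b"netiqsecret", "123456"))
    print("same secret, wrong passcode:", run_exchange(b"netiqsecret", b"netiqsecret", "000000"))
    print("secret mismatch:", run_exchange(b"netiqsecret", b"something-else", "123456"))
```

Running it shows the three outcomes worth testing by hand: a correct passcode is accepted, a wrong one is rejected, and a shared-secret mismatch between the AAF RADIUS Client method and radius_secret_1 yields garbage on the server side and a reply the client refuses to trust. User-Password hiding is MD5-based and keyed only by the shared secret, which is why that secret must be long and random, why the proxy should accept requests only from the AAF address (radius_ip_1), and why the AAF-to-proxy hop belongs on a trusted network segment.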
Overview
1. Click Events | New Event.
2. Specify a name for the event.
3. Select OAuth2 from Event type.
4. Select the Duo Radius Client chain that you created earlier and optionally any other required chains you wish to use with NAM.
5. Enter the Redirect URI: https://<identity server-url>:<port>/nidp/oauth/nam/callback and save the event. Advanced Authentication generates a Client ID and Client Secret for the OAuth2 event; note them, as Access Manager needs them in the next section.
Configure the Advanced Authentication Server Details in Access Manager
1. Login to the Access Manager Console.
2. Click Devices | Identity Servers | Shared Settings | Advanced Authentication.
3. Specify the domain name or IP address of the Advanced Authentication server and port in Server Domain.
4. Select Integrate using OAuth under OAuth Event Configuration.
5. Specify the Event Name, Client ID, and Client Secret.
6. Click Apply.
7. Verify that the /etc/aaplugin/config.xml file is available on each Identity Server node.
8. Verify that the endpoint has been created in the Advanced Authentication server. Go to the Advanced Authentication administration portal and verify that the hostname or domain name of the Identity Server cluster is displayed as the endpoint under Endpoints.
9. In Access Manager, go to Dashboard and click Certificates | Trusted Roots to verify if the Advanced Authentication server certificate is available. If the certificate is not available, then perform the following steps to import the certificate:
a. Click Certificates | Trusted Roots | Auto-Import from Server.
b. Specify the server IP/DNS, port, and certificate name.
c. Click OK. Auto-Import trusts whatever certificate the server presents at that moment, so compare its fingerprint with the certificate installed on the Advanced Authentication server before relying on it.
10. Make sure the same user store or repository is being used in the Advanced Authentication server.
Configure Multi-Factor Authentication with Access Manager
Create a new Class
1. Login to the Access Manager Console.
2. Click Devices | Identity Servers | Edit | Local | Classes.
3. Click New, then specify the name for the class and select Advanced Authentication Generic Class for the Java class.
4. Click Next | Finish.
Create a new Method
1. Click Devices | Identity Servers | Edit | Local | Methods | New.
2. Specify a name for the method, select the class you created above, and then select a chain you created under Chains on the AAF server. If you do not specify any chain, the user is prompted to select the preferred chain for authentication.
Create a new Contract
1. Click Devices | Identity Servers | Edit | Local | Contracts | New.
2. In URI, specify a value that uniquely identifies the contract from all other contracts. This value is used to identify this contract for external providers and is a unique path value that you create.
3. In Methods, first add an Access Manager authentication method (for example, Secure Name/Password - Form) and then the Advanced Authentication method that you created in the preceding step. The order matters: the LDAP password is verified by Access Manager before the request is handed to Advanced Authentication for the second factor.
NOTE: You can use more than one Advanced Authentication method.
4. Click Apply | OK.
5. On the Authentication Card tab (or next from the wizard), enter the display Text and Select an Image.
6. Update Identity Servers.
1. Launch a new browser and enter the URL for your IDP: https://<idp.yourdomain.com>:<port>/nidp.
2. Click on the triple horizontal bars at the top-left of the login page and select the new contract that you set up in the previous step.
3. You will first be prompted for your LDAP credentials, the first factor specified in the contract. Enter your Username and Password.
4. Click Sign In.
5. Next, the request is forwarded to the Advanced Authentication server, which prompts you for the RADIUS Password.
NOTE: This value is what AAF sends to the Duo Authentication Proxy as the RADIUS password. Because no primary authentication source was configured on the proxy (the empty [duo_only_client] section), the proxy does not check it as a password; it passes it to Duo as the second factor, i.e. the Duo passcode.
In a real production setup, the Duo Authentication Proxy should be configured with an Active Directory / LDAP primary authentication source (an [ad_client] section) whose users match those in the LDAP directory. The user would then authenticate by entering their LDAP password. If using an Access Gateway to protect the AAF URL, you can use web single sign-on to automatically inject the password and allow a seamless login experience.
6. Enter the passcode displayed in the Duo Mobile app on your mobile device (or type push to be sent a push notification to approve instead). The proxy forwards the factor to the Duo service and, if Duo accepts it, you are granted access to the Identity Applications portal.
1. Open the Advanced Authentication administration console.
2. Click on the Logs navigation menu.
3. Click on the RADIUS tab to see the requests AAF sent to the proxy and the responses it received. The proxy records its side of the exchange in log/authproxy.log under its install directory (for example /opt/duoauthproxy/log/authproxy.log on Linux); that is where Duo-side problems appear, such as a wrong ikey/skey/api_host or a request arriving from an address that is not listed as a radius_ip_N.