You can configure NIOS to use the two-factor authentication method to authenticate users based on X.509 client certificates. In two-factor authentication, NIOS first negotiates SSL/TLS client authentication to validate client certificates. It then authenticates the admins based on the configured authentication policy. You must first configure an authentication policy, and then configure and enable the certificate authentication service for the two-factor authentication to take effect. NIOS uses the certificate authentication service as the authentication policy. For information about how to set up an authentication policy, see Defining the Authentication Policy.
Using the certificate authentication service, you can choose how the client certificate is associated with the CA certificate. NIOS allows you to associate the client certificate manually or automatically. With the manual certificate binding option, you associate a certificate with a particular user yourself, and the certificate is verified against the CA certificate. With the automatic match policy, NIOS extracts the username from the client certificate and matches it through the certificate authentication service. When you configure a certificate authentication service, NIOS searches the CA certificates associated with each admin group to detect a valid certificate authentication service for the client's certificate. You can select either a direct match or an automatic match for a certificate authentication service.
The Infoblox certificate authentication service uses OCSP (Online Certificate Status Protocol), an Internet protocol that validates the status of X.509 digital certificates assigned to specific admins. NIOS allows you to choose the Authority Information Access (AIA) extension of a certificate as the source of the OCSP configuration, or to define OCSP servers manually. You can also disable the OCSP check for a particular certificate authentication service. For more information about OCSP, refer to RFC 2560 at http://tools.ietf.org/html/rfc2560.
The status of these client certificates is stored on OCSP responders, to which NIOS sends requests about certificate status. A certificate status can be "good," "revoked," or "unknown." After a successful SSL/TLS client authentication, NIOS authenticates the admin based on the configured authentication policy. If the authentication fails at this point, the appliance denies access to the admin. If the authentication policy has passed, the appliance sends a request to the OCSP responder for the status of the admin's client certificate. If the appliance receives a "good" status from the OCSP responder, the two-factor authentication is successful and the admin can access the appliance. If the appliance receives a "revoked" or "unknown" status from the OCSP responder, the two-factor authentication fails: the admin cannot access the appliance even though the admin authentication policy has passed.
When there are multiple OCSP responders configured, the appliance contacts the responders based on their configured order. For the same client certificate, the appliance always takes the status reported by the first responder on the list that actually responds, even when there are different OCSP replies from different responders. When the appliance cannot contact the first responder or if the first responder does not reply, the appliance then takes the OCSP reply from the second responder and so on.
Note: Authentication for both the admin authentication policy and OCSP validation must be successful on NIOS.
NIOS Administrator Guide (Rev. A), NIOS 8.1, page 230
Authenticating Admins Using Two-Factor Authentication
Figure 4.7 illustrates the two-factor authentication and authorization process.
Figure 4.7 Two-Factor Authentication and Authorization Process (diagram lanes: Administrator, NIOS Appliance, Certificate Authentication)

  1. The user inserts a smart card, establishes a successful SSL/TLS client authenticated HTTPS connection to the appliance (through the client certificate and private key from the smart card), and sends a username, password, and client certificate.
  2. NIOS verifies whether the user is authenticated by searching for a valid CAS that is associated with a CA certificate.
  3. If password request is enabled, NIOS fetches the username and checks whether direct or auto match is configured.
  4a. Based on the match type, it authenticates the user. Authentication servers send responses indicating that the admin is successfully authenticated.
  4b. Authentication servers send messages indicating that authentication and/or authorization is unsuccessful. The appliance does not allow the admin to log in.
  5. When the authorization is successful, NIOS performs an OCSP check, if OCSP is enabled, verifies admin group ACL restrictions, and displays the login page.
  6a. The OCSP responder returns a "good" certificate status, indicating that authentication is successful. In a Direct trust model, the appliance uses the OCSP responder certificate to validate the OCSP reply; in a Delegated trust model, it uses the CA certificate to validate the reply. NIOS allows the admin to log in, assigns the admin to the admin group that matches the smart card user, and applies the authorization profile.
  6b. The OCSP responder returns a "revoked" or "unknown" certificate status, indicating that authentication is unsuccessful. The appliance does not allow the admin to log in.

Best Practices for Configuring Two-Factor Authentication
Only superusers and limited-access users with the correct permissions can configure two-factor authentication. For information about admin roles and permissions, see Managing Admin Groups and Admin Roles. To configure two-factor authentication, consider the following:

  • You must first set up a certificate authentication service and enable it.
  • You can configure only one certificate authentication service that contains one or multiple OCSP responders to which NIOS sends requests about client certificate status. The appliance supports IPv4 and IPv6 OCSP responders.
  • When you configure multiple OCSP responders, you can put them in an ordered list. The appliance contacts the first responder on the list. If the connection fails, it moves on to the second one, and so on. The result of the status check for a client certificate is based on the status reported by the first responder that replies.
  • You can configure the timeout value that the appliance waits for a response and the number of retry attempts it makes before it moves on to the next OCSP responder.
  • You can upload server certificates for each responder for OCSP response validation. You must upload an OCSP server certificate if you select the direct trust model.
  • You can disable a specific responder if the server is out of service for a short period of time.
  • Before you add an OCSP responder to the server group, you can test the server credentials.
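The responder-ordering rule described in the overview above, together with the ordered list, timeout, retries, disable and trust-model settings covered in these best practices, is easier to reason about in code. The following Python simulation is an added example written for this page, not Infoblox code and not NIOS behaviour verified against the product: the responder names, the in-memory OcspReply objects and the probe callable that stands in for the network round trip are all constructed, and the fail-closed handling of a reply whose signature does not verify is this example's own assumption, since the page does not say what NIOS does in that case.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Responder:
    address: str                       # FQDN or IP address of the OCSP responder
    port: int = 80                     # page: the default port is 80
    disabled: bool = False             # the "Disable Server" check box
    server_cert: Optional[str] = None  # uploaded responder certificate (Direct trust model)

@dataclass
class OcspReply:
    status: str      # "good", "revoked" or "unknown"
    signed_by: str   # subject of the certificate that signed the reply

@dataclass
class OcspSettings:
    responders: List[Responder]   # ordered list; the first entry is tried first
    trust_model: str = "Direct"   # "Direct" or "Delegated"; page default is Direct
    ca_subject: str = ""          # trusted CA that signs replies under Delegated
    retries: int = 5              # page default: 5 retries after a failed attempt
    timeout_s: float = 1.0        # page default: 1 second response timeout

Probe = Callable[[Responder, int, float], Optional[OcspReply]]

def reply_is_valid(settings: OcspSettings, responder: Responder, reply: OcspReply) -> bool:
    """Direct: the reply must be signed by the uploaded responder certificate.
    Delegated: the reply must be signed by the trusted CA certificate."""
    if settings.trust_model == "Direct":
        return responder.server_cert is not None and reply.signed_by == responder.server_cert
    if settings.trust_model == "Delegated":
        return reply.signed_by == settings.ca_subject
    raise ValueError(f"unknown trust model: {settings.trust_model!r}")

def query_responders(settings: OcspSettings, serial: int, probe: Probe) -> Tuple[Optional[str], Optional[str]]:
    """Walk the ordered list.  The first responder that answers decides the
    status, even if a later responder would report something different.
    probe(responder, serial, timeout_s) stands in for the network call and
    returns an OcspReply, or None when the responder does not reply in time.
    Returns (status, responder_address), or (None, None) when nobody answered."""
    for responder in settings.responders:
        if responder.disabled:
            continue
        for _attempt in range(1 + settings.retries):   # first try plus the retries
            reply = probe(responder, serial, settings.timeout_s)
            if reply is None:
                continue
            if not reply_is_valid(settings, responder, reply):
                # Assumption of this example, not documented NIOS behaviour: a reply
                # whose signature does not verify is neither trusted nor skipped
                # over; the check fails closed on that responder.
                return "unverified", responder.address
            return reply.status, responder.address
    return None, None

def two_factor_decision(policy_passed: bool, ocsp_status: Optional[str]) -> bool:
    """Both the admin authentication policy and the OCSP check must succeed;
    "revoked", "unknown", an unverifiable reply and no reply at all all deny."""
    return policy_passed and ocsp_status == "good"

def make_probe(behaviour: Dict[str, Optional[OcspReply]]) -> Tuple[Probe, Dict[str, int]]:
    """Constructed stand-in for the network: each address either always times
    out (None) or always returns the given reply.  Attempts are counted."""
    attempts: Dict[str, int] = {}
    def probe(responder: Responder, serial: int, timeout_s: float) -> Optional[OcspReply]:
        attempts[responder.address] = attempts.get(responder.address, 0) + 1
        return behaviour.get(responder.address)
    return probe, attempts

def demo() -> Tuple[Optional[str], Optional[str], Dict[str, int], bool]:
    """Three responders with constructed names: the first never replies, the
    second says "good", the third would say "revoked".  Under the page's rule
    the second responder's answer is final and the admin is admitted."""
    settings = OcspSettings(
        responders=[
            Responder("ocsp1.example.test", server_cert="CN=ocsp1"),
            Responder("ocsp2.example.test", server_cert="CN=ocsp2"),
            Responder("ocsp3.example.test", server_cert="CN=ocsp3"),
        ],
        trust_model="Direct",
        retries=2,
    )
    probe, attempts = make_probe({
        "ocsp1.example.test": None,
        "ocsp2.example.test": OcspReply("good", "CN=ocsp2"),
        "ocsp3.example.test": OcspReply("revoked", "CN=ocsp3"),
    })
    status, decided_by = query_responders(settings, 0x397F9435000100000032, probe)
    return status, decided_by, attempts, two_factor_decision(True, status)

if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome of demo(): the first responder is tried three times (one attempt plus two retries) and never answers, the second answers "good" and is the one that decides, and the third, which would have reported "revoked", is never consulted. That is the reason the best practices above insist on placing the responders in the right order.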

To configure and enable two-factor authentication, complete the following tasks:

  1. For local and remote authentication, ensure that the admin names for smart card users match the CNs (Common Names) used in the client certificates. For information about local and remote authentication, see About Admin Accounts.
  2. Upload the CA (Certificate Authority) certificate, as described in About CA Certificates. The CA-signed certificates are used to validate OCSP server certificates and admin OCSP client certificates. Ensure that the CA certificate is in .PEM format. The .PEM file can contain more than one certificate.

Note: The uploaded CA certificates must be the ones that issued the client certificates to be authenticated. Otherwise, clients such as browsers cannot establish a successful SSL/TLS client authenticated HTTPS session to the appliance.

  3. Configure a certificate authentication service and enable it, as described in Configuring Certificate Authentication Services.
  4. View certificate authentication services, as described in Viewing Certificate Authentication Services.
  5. Modify certificate authentication services, as described in Modifying Certificate Authentication Services.
  6. Delete certificate authentication services, as described in Deleting Certificate Authentication Services.

Note that once you save the certificate authentication service configuration, the appliance terminates administrative sessions for all admin users. After you enable the certificate authentication service, you can verify whether two-factor authentication is enabled: go to the Administration -> Administrators -> Authentication Policy tab, where Grid Manager displays the "Two-Factor Authentication Enabled" banner.

Configuring Certificate Authentication Services

  1. From the Administration tab, click the Authentication Server Groups tab.
  2. Click the Certificate Authentication Services subtab and click the Add icon.
  3. In the Add Certificate Authentication Service wizard, complete the following:
    • Name: Enter a name for the certificate authentication service.
    • Username/password request: Select the check box if the certificate authentication service must request a username and password from the user. When you select this check box, NIOS populates the username from the certificate and requests the password from the user. If you do not select the check box, only the certificate is necessary to log in to the appliance; the appliance ignores the username and password if the user provides them. In that case you see only the login button and do not have to provide the password, and the appliance displays the username when you click the login button.
    • Auto-populate username: Select a value from the drop-down list. You can define how the appliance must authenticate a particular user and its associated group. The values in the list are Auto-match and Direct-match. When you select Direct-match, NIOS searches the local database for users with directly assigned certificates, which contain issuer details and serial attributes. Users with directly assigned certificates can use certificate-based authentication only.
    • Auto match by: Select a value from the drop-down list. This field is enabled only when you select Auto-match for Auto-populate username. NIOS extracts the username from the certificate and searches for it in the effective authorization policies based on the configured match policies. The values in the list are:
      • AD Issuer Subject: Select this from the drop-down list to authenticate the user based on the Active Directory mentioned by the user.
      • SAN Email: Select this from the drop-down list to authenticate the user based on the email address in the SAN (Subject Alternative Name).
      • SAN UPN: Select this from the drop-down list to authenticate the user based on the UPN (User Principal Name) in the SAN (Subject Alternative Name).
      • Serial Number: Select this from the drop-down list to authenticate the user based on the serial number.
      • Subject DN Common Name: Select this from the drop-down list to authenticate the user based on the subject DN (Distinguished Name) common name. A Subject DN can include information about the user who is being authenticated, including common name, name of the organization, country code, and so on.
      • Subject DN Email: Select this from the drop-down list to authenticate a user based on the subject DN email address.
    • Enable remote lookup for user membership: Select the check box to enable lookup on remote servers. NIOS performs the lookup against local users by default. For a remote lookup, you must specify the username and password for the authentication service. You can perform a lookup for user membership only if the remote service admin that is configured for the remote lookup has enough permissions to read other users' membership information. You must also select the remote service that must be used for the lookup. Note that NIOS supports remote lookup for Active Directory only.

Note: You can select the Enable remote lookup for user membership check box and the Authentication Service and Service Account Credentials fields only when you select Auto-match for Auto-populate username. You must not select the Username/password request check box when you select the Enable remote lookup for user membership check box.

      • Authentication Service: Select an authentication service from the drop-down list.
      • Service Account Credentials: Enter a username and password for authenticating lookup on remote servers.
    • Comment: Optionally, enter additional information about the certificate authentication service.
    • Disable: Select this check box to disable the record. Clear the check box to enable it.

   4. Click Next to save the configuration and add OCSP responders to the table.
   5. You can add multiple OCSP responders for failover purposes.

    • OCSP Check Type: Select a value from the drop-down list to perform OCSP checks. The values in the drop-down list are:
      • AIA and Manual: Select this from the drop-down list to use the AIA (Authority Information Access) extension of the X.509 certificate, when it is present, to authenticate the user. Note that AIA points to the certificate authentication service that is used to verify the certificate. If AIA is not available, then the authentication fails. If the certificate does not contain AIA, then the appliance uses manual OCSP for authentication.

...

      • AIA only: Select this from the drop-down list to use AIA only to authenticate the user. AIA points to the certificate authentication service that is used to verify the certificate. By selecting this option you restrict NIOS to use AIA only. If the certificate does not contain AIA or it is not complete, then the authentication fails.
      • Disabled: Select this from the drop-down list if you do not want to perform an OCSP check.
      • Manual: Select this from the drop-down list to define OCSP settings and upload CA certificates manually. When you select this option, NIOS ignores AIA even though it is present.
    • OCSP Responders: Click the Add icon and complete the following in the Add OCSP Responder section:
      • Server Name or IP Address: Enter the FQDN or the IP address of the OCSP responder that is used for authentication. The appliance supports IPv4 and IPv6 OCSP responders.
      • Comment: Enter useful information about the OCSP responder.
      • Port: Enter the port number on the OCSP responder to which the appliance sends authentication requests. The default is 80.
      • Server Certificate: Click Select to upload a server certificate. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload. The appliance validates the certificate when you save the configuration. A server certificate is required for the direct trust model.
      • Disable Server: Select this check box to disable the OCSP responder if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server.

Note: You cannot save the OCSP configuration when all OCSP responders are disabled; the certificate authentication service is then disabled and two-factor authentication is no longer in effect. You cannot add OCSP responders when you select AIA only or Disabled from the drop-down list for OCSP Check Type.

Click Add to save the configuration and add the responder to the table. You can add multiple OCSP responders for failover purposes. You can use the up and down arrows to place the responders in the order you desire. The appliance tries to connect with the first responder on the list. If the connection fails, it tries the next responder on the list, and so on. Grid Manager displays the following for each responder:

      • Responder: The FQDN or the IP address of the OCSP responder.
      • Comment: Information you entered about the OCSP responder.
      • Port: The port number on the OCSP responder to which the appliance sends authentication requests.
      • Disabled: Indicates whether the OCSP responder is disabled or not. Note that you must enable at least one responder to enable the certificate authentication service.

You can also click Test to test the configuration. If the appliance connects to the responder using the configuration you entered, it displays a message confirming the configuration is valid. If it is unable to connect to the responder, the appliance displays a message indicating an error in the configuration.

    • Response Timeout (s): Enter the time the appliance waits for a response from the specified OCSP responder. The default is 1 second. You can select the time unit from the drop-down list.
    • Retries: Enter the number of times the appliance tries to connect to the responders after a failed attempt. The default is 5.
    • Recovery Interval: Enter the time the appliance waits to recover from the last failed attempt to connect to an OCSP responder, and select the time unit from the drop-down list. The default is 30 seconds. This is the interval that NIOS waits, after an attempt in which it could not connect to the responder or the responder did not reply within the configured response timeout and retry attempts, before it tries to contact that responder again.
    • Trust Model: Select Direct or Delegated from the drop-down list as the trust model for OCSP responses. In a direct trust model, OCSP responses are signed with an explicitly trusted OCSP responder certificate. You must upload the OCSP responder certificate if you select Direct. In a delegated trust model, OCSP responses are signed with a trusted CA certificate. A server certificate is not required when you select Delegated. The default is Direct.

  6. Click Next to save the configuration and associate CA certificates with the respective certificate authentication service. You can associate multiple CA certificates with the service.
Note that enabling the certificate authentication service terminates administrative sessions for all users. Ensure that you have uploaded the correct CA certificates before enabling the service. Your login names must also match the common name used in the certificate. When you configure multiple OCSP responders, ensure that you place them in the correct order, because the status check for a client certificate is based on the OCSP reply sent by the first OCSP responder that replies.
NIOS detects a valid certificate authentication service for a client's certificate by searching through the CA certificates assigned to each group. NIOS matches the issuer field in the client's certificate with the CA certificate to find the appropriate match. Note that the subject of the CA certificate must match the issuer in the client's certificate and the corresponding certificate authentication service. You cannot assign several CA certificates with the same issuer to the same certificate authentication service.
Note the following about the certificate authentication service:

  • You cannot assign various CA certificates with the same issuer to the same certificate authentication service.
  • You cannot assign the same CA certificate to the same group twice or to a different certificate authentication service. However, different certificate authentication services can contain CA certificates with the same subject. To distinguish such groups you can use Client Subject name to determine which certificate must match the CA certificate to be associated with the certificate authentication service. If the client certificate does not match any certificate authentication service, then the authentication fails. A CA certificate verifies the client certificate.

   7. Click Add to associate CA certificates with the certificate authentication service. The following information is displayed when you associate a CA certificate:

    • Subject: The name of the certificate.
    • Issuer: The name of the trusted CA that issued the certificate.
    • Valid From: The date from which the certificate becomes valid.
    • Valid To: The date until which the certificate is valid.

You can do the following:

    • Select a certificate and click the Delete icon to delete it.
    • Print the data or export it in .csv format.

You can also do the following for a certificate authentication service:

  • Use Global Search to search for certificate authentication services. For information, see Global Search on page 68.
  • View audit log entries for the certificate authentication service. For information, see Viewing the Audit Log on page 1407.
  • Select a certificate authentication service and click the Delete icon to delete it. In the Delete Confirmation dialog box, click Yes to confirm deletion.
  • Modify a certificate authentication service as mentioned in Modifying Certificate Authentication Services on page 236.
  • Print the data or export it in .csv format.

Enabling Certificate Authentication Service for a User

  1. From the Administration tab, click the Administrators tab -> Admins tab -> admin_account check box, and then click the Edit icon.
  2. In the Administrator editor, click the General tab, and then click the Advanced tab.
  3. In the General Advanced tab, complete the following:


  • Enable Certificate Authentication: Select this check box to enable certificate authentication for the selected user. You must configure certificate authentication service and associate a valid client CA certificate with the selected user. This is disabled by default.
  • Client Certificate Number: You can specify a client certificate number only when you select the Enable Certificate Authentication check box. This is disabled by default. Enter the serial number as mentioned in the certificate. Examples: 397F9435000100000032 (hexadecimal format), 123 (decimal format), and so on.
  • Client CA Certificate: You must associate a CA certificate that signs the client certificate. Click Select to associate a CA certificate. When you select a CA certificate from the list, NIOS displays the subject of the selected CA certificate. The CA Certificate Selector dialog box displays the following information about CA certificates:
    • Issuer: The name of the trusted CA that issued the certificate.
    • Valid From: The date from which the certificate becomes valid.
    • Valid To: The date until which the certificate is valid.
    • Subject: The name of the certificate.
      Click OK to select and associate the client CA certificate with the selected admin user.

    4. Save the configuration.
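To show how the Auto-populate username and Auto match by settings from Configuring Certificate Authentication Services and the Client Certificate Number and Client CA Certificate settings from this section fit together, here is an added Python example written for this page; it is not Infoblox code. It takes a client certificate whose subject, issuer, serial number and SAN entries are constructed strings in the form openssl prints them, derives the username for each Auto match by option the page lists (AD Issuer Subject is not modelled, because the page does not state which fields it uses), performs a Direct-match lookup by issuer plus serial number, and finds the certificate authentication services whose assigned CA certificate subject equals the client certificate's issuer. The rule that a value containing a hex letter or a 0x prefix is hexadecimal and anything else is decimal is this example's own convention for the Client Certificate Number field, not NIOS's documented parsing; the page only gives one hexadecimal and one decimal example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ClientCert:
    subject: str          # DN as openssl prints it, e.g. "CN=alice,O=Example"
    issuer: str           # DN of the issuing CA
    serial: int           # serial number as an integer
    san: List[str] = field(default_factory=list)  # "email:..." / "UPN:..." entries

@dataclass
class CertAuthService:
    name: str
    ca_subjects: List[str]    # subjects of the CA certificates assigned to the service

@dataclass
class AdminRecord:
    name: str                 # admin name
    client_ca_subject: str    # "Client CA Certificate" chosen in the admin editor
    client_cert_number: str   # "Client Certificate Number" as typed in the editor

def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=alice,emailAddress=a@x,O=Example' into a dict so that two DNs
    compare by content, not by spacing; backslash-escaped commas stay in the value."""
    out: Dict[str, str] = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            out.setdefault(key.strip(), value.strip().replace("\\,", ","))
    return out

def san_value(cert: ClientCert, kind: str) -> Optional[str]:
    """First SAN entry of the given kind ("email" or "upn"); the tag is case-insensitive."""
    prefix = kind.lower() + ":"
    for entry in cert.san:
        if entry.lower().startswith(prefix):
            return entry[len(prefix):]
    return None

def username_for(cert: ClientCert, match_by: str) -> Optional[str]:
    """Username NIOS would look up under each "Auto match by" option on the page,
    or None when the certificate lacks that field."""
    subject = parse_dn(cert.subject)
    if match_by == "Subject DN Common Name":
        return subject.get("CN")
    if match_by == "Subject DN Email":
        return subject.get("emailAddress")
    if match_by == "SAN Email":
        return san_value(cert, "email")
    if match_by == "SAN UPN":
        return san_value(cert, "upn")
    if match_by == "Serial Number":
        return format(cert.serial, "X")   # upper-case hex without leading zeros
    raise ValueError(f"option not modelled in this example: {match_by!r}")

def parse_client_cert_number(text: str) -> int:
    """Page examples: '397F9435000100000032' (hex) and '123' (decimal).  The rule
    below is this example's own assumption, not documented NIOS parsing."""
    value = text.strip()
    if value.lower().startswith("0x") or re.search(r"[a-fA-F]", value):
        return int(value, 16)
    return int(value, 10)

def direct_match(cert: ClientCert, admins: List[AdminRecord]) -> Optional[str]:
    """Direct-match: the admin whose associated CA equals the client certificate's
    issuer and whose certificate number equals the certificate's serial."""
    for admin in admins:
        if (parse_dn(admin.client_ca_subject) == parse_dn(cert.issuer)
                and parse_client_cert_number(admin.client_cert_number) == cert.serial):
            return admin.name
    return None

def services_for(cert: ClientCert, services: List[CertAuthService]) -> List[str]:
    """Names of the services holding a CA certificate whose subject equals the
    client certificate's issuer.  A service that holds two CA certificates with
    the same subject breaks the rule stated on the page and is rejected."""
    issuer, matches = parse_dn(cert.issuer), []
    for svc in services:
        subjects = [parse_dn(s) for s in svc.ca_subjects]
        if any(subjects[i] == subjects[j] for i in range(len(subjects)) for j in range(i)):
            raise ValueError(f"{svc.name}: several CA certificates with the same subject")
        if issuer in subjects:
            matches.append(svc.name)
    return matches

# Constructed sample data, not taken from the page.
SAMPLE_CERT = ClientCert(
    subject="CN=alice,emailAddress=alice@example.test,O=Example\\, Inc.,C=US",
    issuer="CN=Example Corp CA,O=Example\\, Inc.,C=US",
    serial=0x397F9435000100000032,
    san=["email:alice@example.test", "UPN:alice@corp.example.test"],
)
SAMPLE_SERVICES = [
    CertAuthService("smartcard-cas", ["CN=Example Corp CA, O=Example\\, Inc., C=US"]),
    CertAuthService("partner-cas", ["CN=Partner Root CA,O=Partner"]),
]
SAMPLE_ADMINS = [AdminRecord("alice", "CN=Example Corp CA,O=Example\\, Inc.,C=US", "397F9435000100000032")]

if __name__ == "__main__":
    for option in ("Subject DN Common Name", "Subject DN Email", "SAN Email", "SAN UPN", "Serial Number"):
        print(f"{option:22s} -> {username_for(SAMPLE_CERT, option)}")
    print("direct match       ->", direct_match(SAMPLE_CERT, SAMPLE_ADMINS))
    print("services by issuer ->", services_for(SAMPLE_CERT, SAMPLE_SERVICES))
```

The point of comparing DNs as parsed attribute sets rather than as raw strings is that the subject of an uploaded CA certificate and the issuer field of a client certificate are often rendered with different spacing by different tools; a string comparison would then report no match and the authentication would fail for a perfectly valid certificate, which is the first thing to check when step 1 above (admin names matching the CNs) has already been verified.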

Viewing Certificate Authentication Services

You can also display the following column:

    • Disabled: Indicates if the certificate authentication service is enabled or disabled.

You can do the following in this tab:

  • Sort the data in ascending or descending order by column.
  • Select the certificate authentication service and click the Edit icon to modify data, or click the Delete icon to delete it.
  • Print and export the data in this tab.

Modifying Certificate Authentication Services

  1. From the Administration tab, click the Authentication Server Groups tab -> Certificate Authentication Services subtab -> select a certificate authentication service, and then click the Edit icon.
  2. The Certificate Authentication Service editor provides the following tabs from which you can modify data:
  3. Save the configuration.


Deleting Certificate Authentication Services