
Authenticating Admins Using Two-Factor Authentication

Multi-Grid Manager can authenticate users, such as U.S. Department of Defense CAC users, with smart cards that contain X.509 client certificates. The status of these certificates is stored remotely on OCSP responders. You can configure NIOS to use the two-factor authentication method to authenticate these users. In two-factor authentication, NIOS first negotiates SSL/TLS client authentication to validate client certificates. It then authenticates the admins based on the configured authentication policy. Finally, NIOS validates the status of the client certificate through the OCSP service. Note that you cannot add OCSP validation as part of the authentication policy. You must first configure the authentication policy, and then configure and enable the OCSP service for the two-factor authentication to take effect. For information about how to set up an authentication policy, see /wiki/spaces/mgmadminguide/pages/911181205.
OCSP is an internet protocol that validates certificate status for X.509 digital certificates that are assigned to specific admins. For more information about OCSP, refer to RFC 2560 at http://tools.ietf.org/html/rfc2560. The status of these client certificates is stored on OCSP responders to which NIOS sends requests about certificate status. A certificate status can be "good," "revoked," or "unknown." After a successful SSL/TLS client authentication, NIOS authenticates the admin based on the configured authentication policy. If the authentication fails at this point, the appliance denies access to the admin. If the authentication policy has passed, the appliance sends a request to the OCSP responder for client certificate status about the admin. If the appliance receives a "good" status from the OCSP responder, the two-factor authentication is successful. The admin can now access the appliance. If the appliance receives a "revoked" or "unknown" status from the OCSP responder, the two-factor authentication fails. The admin cannot access the appliance even though the admin authentication policy has passed.
When there are multiple OCSP responders configured, the appliance contacts the responders based on their configured order. For the same client certificate, the appliance always takes the status reported by the first responder on the list that actually responds, even when there are different OCSP replies from different responders. When the appliance cannot contact the first responder or if the first responder does not reply, the appliance then takes the OCSP reply from the second responder and so on.


Note: Authentication for both the admin authentication policy and OCSP validation must be successful before a smart card admin can access the appliance.


/wiki/spaces/mgmadminguide/pages/911181274 illustrates the two-factor authentication and authorization process.

Best Practices for Configuring Two-Factor Authentication

Only superusers and limited-access users with the correct permissions can configure two-factor authentication. For information about admin roles and permissions, see /wiki/spaces/mgmadminguide/pages/911180955. To configure two-factor authentication, consider the following:

  • You must first set up an OCSP authentication server group and enable it.
  • You can configure only one OCSP authentication server group that contains one or multiple OCSP responders to which Multi-Grid Manager sends requests about client certificate status. The appliance supports IPv4 and IPv6 OCSP responders.
  • When you configure multiple OCSP responders, you can put them in an ordered list. The appliance contacts the first responder on the list. If the connection fails, it moves on to the second one, and so on. The result of the status check for a client certificate is based on the status reported by the first responder that replies.
  • You can configure the timeout value and retry attempts that the appliance waits and tries before it moves on to the next OCSP responder.
  • You can upload server certificates for each responder for OCSP response validation. You must upload an OCSP server certificate if you select the direct trust model.
  • You can disable a specific responder if the server is out of service for a short period of time.
  • Before you add an OCSP responder to the server group, you can test the server credentials.

To configure and enable two-factor authentication, complete the following tasks:

  1. For local and remote authentication, ensure that the admin names for smart card users match the CNs (Common Names) used in the client certificates. For information about local and remote authentication, see /wiki/spaces/mgmadminguide/pages/911180788.
  2. Upload the CA (Certificate Authority) certificate, as described in About CA Certificates. The CA-signed certificates are used to validate OCSP server certificates and admin OCSP client certificates. Ensure that the CA certificate is in .PEM format. The .PEM file can contain more than one certificate.

    Note: The uploaded CA certificates must be the ones that issued the client certificates to be authenticated. Otherwise, clients such as browsers, cannot establish a successful SSL/TLS client authenticated HTTPS session to the appliance.

  3. Configure an OCSP authentication server group and enable it, as described in 19282597.

Note that once you save the OCSP authentication server group configuration, the appliance terminates administrative sessions for all admin users. After you enable the OCSP service, you can verify whether two-factor authentication is enabled: go to the Administration -> Administrators -> Authentication Policy tab, where Grid Manager displays the "Two-Factor Authentication Enabled" banner.

Configuring the OCSP Authentication Server Group

To configure and enable the OCSP authentication service, complete the following:

  1. From the Administration tab, click the Authentication Server Groups tab.
  2. Click the OCSP Services subtab and click the Add icon.
  3. In the Add OCSP Service wizard, complete the following:
    • Name: Enter a name for the service.
    • OCSP Responders: Click the Add icon and complete the following in the Add OCSP Responder section:
      • Server Name or IP Address: Enter the FQDN or the IP address of the OCSP responder that is used for authentication. The appliance supports IPv4 and IPv6 OCSP responders.
      • Comment: Enter useful information about the OCSP responder.
      • Port: Enter the port number on the OCSP responder to which the appliance sends authentication requests. The default is 80.
      • Server Certificate: Click Select to upload a server certificate. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload. The appliance validates the certificate when you save the configuration. A server certificate is required for the direct trust model.
      • Disable: Select this checkbox to disable the OCSP responder if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server.

        Note: You cannot save the OCSP configuration when you disable all OCSP responders, thus the OCSP service is disabled and two-factor authentication is no longer in effect.

        Click Add to save the configuration and add the responder to the table. You can add multiple OCSP responders for failover purposes. You can use the up and down arrows to place the responders in the order you desire. The appliance tries to connect with the first responder on the list. If the connection fails, it tries the next responder on the list, and so on. Grid Manager displays the following for each responder:
      • Responder: The FQDN or the IP address of the OCSP responder.
      • Comment: Information you entered about the OCSP responder.
      • Port: The port number on the OCSP responder to which the appliance sends authentication requests.
      • Disable: Indicates whether the responder is disabled or not. Note that you must enable at least one responder to enable the OCSP service.
        You can also click Test to test the configuration. If the appliance connects to the responder using the configuration you entered, it displays a message confirming the configuration is valid. If it is unable to connect to the responder, the appliance displays a message indicating an error in the configuration.
    • Response Timeout(s): Enter the time the appliance waits for a response from the specified OCSP responder. The default is 1 second. You can select the time unit from the drop-down list.
    • Retries: Enter the number of times the appliance tries to connect to the responders after a failed attempt. The default is 5.
    • Recovery Interval: Enter the time the appliance waits to recover from the last failed attempt in connecting to an OCSP responder. Select the time unit from the drop-down list. The default is 30 seconds. This is the time interval that NIOS waits before it tries to contact the responder again since the last attempt when the appliance could not connect with the responder or when the responder did not send a reply within the configured response timeouts and retry attempts.
    • Trust Model: From the drop-down list, select Direct or Delegated as the trust model for OCSP responses. In a direct trust model, OCSP responses are signed with an explicitly trusted OCSP responder certificate. You must upload the OCSP responder certificate if you select Direct. In a delegated trust model, OCSP responses are signed with a trusted CA certificate. A server certificate is not required when you select Delegated. The default is Direct.
    • SSH Remote Console Authentication: Select a method for admins to log in to the appliance through the CLI. From the drop-down list, select No Login to disable SSH remote connection through CLI, or select Login no Certificate to authenticate admins using their user names and passwords without authenticating their client certificates through the OCSP service. The default is No Login.

      Note: To enable SSH remote console authentication, you must also enable remote console access in the Grid or member settings.

    • Enable Super user login when all responders are unavailable: Select this checkbox to enable superuser login when all OCSP responders are unavailable. As long as the superusers are authenticated through the configured authentication policy, enabling this allows superusers to log in to the appliance if all OCSP responders were disconnected or did not reply within the configured response timeouts and retry attempts.
    • Comment: Enter useful information about the OCSP authentication service.
    • Disable: Select this to retain an inactive OCSP authentication service profile.

Note that enabling the OCSP authentication service terminates administrative services for all users. Ensure that you have uploaded the correct CA certificates before enabling the service. Your login names must also match the CN (Common Name) used in the certificate. When you configure multiple OCSP responders, ensure that you place them in the correct order because the status check for a client certificate is based on the OCSP reply sent by the first OCSP responder that replies.
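The responder-ordering, retry, recovery-interval and superuser-fallback rules described above can be hard to reason about from the field descriptions alone. The following is an added illustration, not NIOS or Infoblox code: it models those rules in plain Python with simulated in-process responders, so that you can see which responder's answer decides access and when a silent responder is skipped. The class and function names, the responder hostnames and the certificate serials are all constructed for the example.

```python
"""Constructed model of the two-factor (authentication policy + OCSP) decision
rules described above. Not NIOS code: responders are simulated in-process and
every name and sample value here is an assumption made for the illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class ResponderTimeout(Exception):
    """Raised by a simulated responder that does not reply within the timeout."""


@dataclass
class Responder:
    name: str
    # Simulated transport: given a certificate serial, return a status string or
    # raise ResponderTimeout. A real client would send an RFC 2560 request to the
    # responder's host and port and validate the signed response instead.
    query: Callable[[str], str]
    disabled: bool = False


@dataclass
class OcspServiceGroup:
    responders: List[Responder]          # ordered list; the first is tried first
    retries: int = 5                     # extra attempts after a failed one
    recovery_interval: float = 30.0      # seconds before a failed responder is contacted again
    superuser_login_when_unavailable: bool = False
    # when each responder was last declared unreachable (constructed bookkeeping)
    last_failure: Dict[str, float] = field(default_factory=dict)

    def certificate_status(self, serial: str, now: float) -> Tuple[Optional[str], Optional[str]]:
        """Return (status, responder_name) from the first responder that replies,
        or (None, None) if every responder is disabled, recovering or silent."""
        for r in self.responders:
            if r.disabled:
                continue
            failed_at = self.last_failure.get(r.name)
            if failed_at is not None and now - failed_at < self.recovery_interval:
                continue  # still inside the recovery interval: do not contact it yet
            for _attempt in range(1 + self.retries):
                try:
                    status = r.query(serial)
                except ResponderTimeout:
                    continue
                self.last_failure.pop(r.name, None)
                return status, r.name  # the first reply wins, even if it is "unknown"
            self.last_failure[r.name] = now  # retries exhausted: move to the next responder
        return None, None


def two_factor_decision(group: OcspServiceGroup, serial: str, policy_passed: bool,
                        is_superuser: bool, now: float) -> str:
    """Policy must pass first; then the certificate must be reported "good"."""
    if not policy_passed:
        return "denied: authentication policy failed"
    status, responder = group.certificate_status(serial, now)
    if status is None:
        if is_superuser and group.superuser_login_when_unavailable:
            return "allowed: superuser fallback, no responder available"
        return "denied: no OCSP responder available"
    if status == GOOD:
        return f"allowed: {responder} reported good"
    return f"denied: {responder} reported {status}"


def make_silent_responder(name: str):
    """A responder that never answers; also returns the list of serials it was asked about."""
    calls: List[str] = []

    def query(serial: str) -> str:
        calls.append(serial)
        raise ResponderTimeout(name)

    return Responder(name, query), calls


def make_table_responder(name: str, table: Dict[str, str]) -> Responder:
    """A responder whose answers come from a constructed serial-to-status table."""
    return Responder(name, lambda serial: table.get(serial, UNKNOWN))


def build_demo_group():
    """Constructed scenario: a silent first responder ahead of a reachable second one."""
    silent, silent_calls = make_silent_responder("ocsp1.example.test")
    table = make_table_responder("ocsp2.example.test", {"0A": GOOD, "0B": REVOKED})
    group = OcspServiceGroup(responders=[silent, table], retries=2, recovery_interval=30.0)
    return group, silent_calls


if __name__ == "__main__":
    group, calls = build_demo_group()
    for t, serial in ((0.0, "0A"), (10.0, "0B"), (40.0, "0C")):
        print(f"t={t:>4}: {two_factor_decision(group, serial, True, False, t)}"
              f"  (ocsp1 contacted {len(calls)} times so far)")
```

Running the module shows the first responder being tried once plus two retries at t=0, skipped entirely at t=10 because it is inside the 30 second recovery interval, and contacted again at t=40. Note that "unknown" from the first responder that replies is a denial, and that a later responder is never consulted to overturn it, which is why the responder order matters. The model omits what a real client must also do: validate the OCSP response signature under the configured direct or delegated trust model before accepting the status.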

Viewing the OCSP Authentication Server Group

To view the OCSP authentication server group, complete the following:

  1. From the Administration tab, click the Authentication Server Groups tab.
  2. Grid Manager displays the following about the OCSP authentication server group:
    • Name: The name of the OCSP server group.
    • Comment: Comments about the OCSP server group.
    You can also display the following column:
    • Disabled: Indicates if the OCSP server group is enabled or disabled.

You can do the following in this tab:

  • Sort the data in ascending or descending order by column.
  • Select the OCSP server group and click the Edit icon to modify data, or click the Delete icon to delete it.
  • Print and export the data in this tab.
  • Create a bookmark for this page.