
You can configure NIOS to use the two-factor authentication method to authenticate users based on X.509 client certificates. In two-factor authentication, NIOS first negotiates SSL/TLS client authentication to validate client certificates. It then authenticates the admins based on the configured authentication policy. You must first configure an authentication policy, and then configure and enable the certificate authentication service for the two-factor authentication to take effect. NIOS uses the certificate authentication service as the authentication policy. For information about how to set up an authentication policy, see Defining the Authentication Policy.
Using the certificate authentication service, you can choose how the client certificate is associated with the CA certificate. NIOS allows you to associate the client certificate either manually or automatically. With the manual certificate binding option, you associate a certificate with a particular user manually, and that certificate is verified against the CA certificate. With the automatic match policy, NIOS extracts the username from the client certificate and matches it through the certificate authentication service. When you configure a certificate authentication service, NIOS searches the CA certificates associated with each admin group to find a valid certificate authentication service for the client's certificate. You can select either a direct match or an automatic match for a certificate authentication service.
The Infoblox certificate authentication service uses OCSP, an internet protocol that validates the status of the X.509 digital certificates assigned to specific admins. NIOS allows you to use the Authority Information Access (AIA) extension of a certificate as the source of the OCSP configuration, or to define OCSP servers manually. You can also disable the OCSP check for a particular certificate authentication service. For more information about OCSP, refer to RFC 2560 at https://tools.ietf.org/html/rfc2560.
The status of these client certificates is held by OCSP responders, to which NIOS sends requests about certificate status. A certificate status can be "good," "revoked," or "unknown." After a successful SSL/TLS client authentication, NIOS authenticates the admin based on the configured authentication policy. If the authentication fails at this point, the appliance denies access to the admin. If the authentication policy has passed, the appliance sends a request to the OCSP responder for the status of the admin's client certificate. If the appliance receives a "good" status from the OCSP responder, the two-factor authentication is successful and the admin can access the appliance. If the appliance receives a "revoked" or "unknown" status from the OCSP responder, the two-factor authentication fails, and the admin cannot access the appliance even though the admin authentication policy has passed.
When multiple OCSP responders are configured, the appliance contacts them in their configured order. For a given client certificate, the appliance always takes the status reported by the first responder on the list that actually responds, even when other responders would return a different OCSP reply. When the appliance cannot contact the first responder, or the first responder does not reply, the appliance takes the OCSP reply from the second responder, and so on.

Note

  • Authentication for both the admin authentication policy and OCSP validation must be successful on NIOS.

  • Certificate-based authentication does not work on Cloud Platform members for WAPI calls.

The following figure Authenticating Admin Accounts Using TACACS+ illustrates the two-factor authentication and authorization process.

Best Practices for Configuring Two-Factor Authentication

Only superusers and limited-access users with the correct permissions can configure two-factor authentication. For information about admin roles and permissions, see Managing Admin Groups and Admin Roles. To configure two-factor authentication, consider the following:

  • You must first set up a certificate authentication service and enable it.

  • You can configure only one certificate authentication service that contains one or multiple OCSP responders to which NIOS sends requests about client certificate status. The appliance supports IPv4 and IPv6 OCSP responders.

  • When you configure multiple OCSP responders, you can put them in an ordered list. The appliance contacts the first responder on the list. If the connection fails, it moves on to the second one, and so on. The result of the status check for a client certificate is based on the status reported by the first responder that replies.

  • You can configure the timeout value and retry attempts that the appliance waits and tries before it moves on to the next OCSP responder.

  • You can upload server certificates for each responder for OCSP response validation. You must upload an OCSP server certificate if you select the direct trust model.

  • You can disable a specific responder if the server is out of service for a short period of time.

  • Before you add an OCSP responder to the server group, you can test the server credentials.
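The decision flow and the responder-order rules described above, worked through as an added example. This is illustration code written for this page, not Infoblox code, and it does not show how NIOS is implemented: the responders are simulated objects with constructed replies, the `timeout_s` and `retries` parameters stand in for the Response Timeout and Retries settings (with Retries read as the number of further attempts after the first failed one), and the Recovery Interval is not modelled. The page does not say what happens when no responder replies at all; the example denies access in that case, which is an assumption.

```python
# Added example (not Infoblox/NIOS code): two-factor decision with an ordered
# list of OCSP responders. Responders are simulated; nothing touches the network.

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class SimulatedResponder:
    """Constructed stand-in for one OCSP responder on the ordered list.

    reply       status returned once the responder answers, or None if it never does
    disabled    mirrors the Disable Server checkbox
    fail_first  number of leading attempts that time out before it answers
    """

    def __init__(self, name, reply, disabled=False, fail_first=0):
        self.name = name
        self.reply = reply
        self.disabled = disabled
        self.fail_first = fail_first

    def query(self, serial, timeout_s):
        if self.reply is None:
            raise TimeoutError("%s: no reply within %ss" % (self.name, timeout_s))
        if self.fail_first > 0:
            self.fail_first -= 1
            raise TimeoutError("%s: no reply within %ss" % (self.name, timeout_s))
        return self.reply


def check_status(serial, responders, timeout_s=1, retries=5, log=None):
    """Walk the responders in configured order. The first one that actually
    replies decides the status, even if a later responder would disagree.
    Returns (status, responder_name), or (None, None) if nobody replied."""
    if log is None:
        log = []
    for r in responders:
        if r.disabled:
            log.append("skip %s: disabled" % r.name)
            continue
        # One initial attempt plus `retries` further attempts (reading of the Retries setting).
        for attempt in range(1, retries + 2):
            try:
                status = r.query(serial, timeout_s)
            except TimeoutError as exc:
                log.append("attempt %d: %s" % (attempt, exc))
                continue
            log.append("%s replied: %s" % (r.name, status))
            return status, r.name
        log.append("giving up on %s, moving to the next responder" % r.name)
    return None, None


def two_factor_decision(policy_passed, serial, responders, **settings):
    """Admin authentication policy first, then the OCSP status check; access is
    granted only on an explicit 'good'. Assumption (not stated on the page):
    when no responder replies at all, access is denied."""
    if not policy_passed:
        return False, "authentication policy failed"
    status, who = check_status(serial, responders, **settings)
    if status == GOOD:
        return True, "OCSP good from %s" % who
    if status is None:
        return False, "no OCSP responder replied"
    return False, "OCSP %s from %s" % (status, who)


if __name__ == "__main__":
    # Constructed scenario: the first responder never answers, the second says
    # revoked, the third would say good but is never consulted.
    ordered = [
        SimulatedResponder("ocsp1.example.test", None),
        SimulatedResponder("ocsp2.example.test", REVOKED),
        SimulatedResponder("ocsp3.example.test", GOOD),
    ]
    trail = []
    print(two_factor_decision(True, 0x1234, ordered, timeout_s=1, retries=2, log=trail))
    print("\n".join(trail))
```

The scenario in the `__main__` block is the point of the ordering advice on this page: because the second responder is the first one that replies, its "revoked" answer is final, and the third responder's "good" is never seen.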

To configure and enable two-factor authentication, complete the following tasks:

  1. For local and remote authentication, ensure that the admin names for smart card users match the CNs (Common Names) used in the client certificates. For information about local and remote authentication, see About Admin Accounts.

  2. Upload the CA (Certificate Authority) certificate, as described in About CA Certificates (see Managing Certificates). The CA-signed certificates are used to validate OCSP server certificates and admin OCSP client certificates. Ensure that the CA certificate is in .PEM format. The .PEM file can contain more than one certificate.

    Note that the uploaded CA certificates must be the ones that issued the client certificates to be authenticated. Otherwise, clients, such as browsers, cannot establish a successful SSL/TLS client-authenticated HTTPS session to the appliance.

  3. Configure a certificate authentication service and enable it, as described in Configuring Certificate Authentication Services below.
  4. View certificate authentication services, as described in Viewing Certificate Authentication Services below.
  5. Modify certificate authentication services, as described in Modifying Certificate Authentication Services below.
  6. Delete certificate authentication services, as described in Deleting Certificate Authentication Services below.

Note that once you save the certificate authentication service configuration, the appliance terminates administrative sessions for all admin users. After you enable the certificate authentication service, you can verify whether two-factor authentication is enabled. Go to the Administration -> Administrators -> Authentication Policy tab; Grid Manager displays the "Two-Factor Authentication Enabled" banner in this tab.

Configuring Certificate Authentication Services

To configure and enable the certificate authentication service, complete the following:

  1. From the Administration tab, click the Authentication Server Groups tab.

  2. Click the Certificate Authentication Services subtab and click the Add icon.

  3. In the Add Certificate Authentication Service wizard, complete the following:

    • Name: Enter a name for the certificate authentication service.

    • Username/password request: Select the checkbox if the certificate authentication service must request the username and password from the user. When you select this checkbox, NIOS populates the username from the certificate and requests the password from the user. If you do not select the checkbox, only the certificate is necessary to log in to the appliance, and the appliance ignores the username and password if the user provides both. In that case you see only the login button and do not have to provide a password; the appliance displays the username when you click the login button.

    • Auto-populate username: Select a value from the drop-down list. You can define how the appliance must authenticate a particular user and its associated group. The values in the list are Auto-match and Direct-match. When you select Direct-match, NIOS searches the local database for users with directly assigned certificates, which carry the issuer details and serial number attributes. Users with directly assigned certificates can use certificate-based authentication only.

    • Auto match by: Select a value from the drop-down list. This field is enabled only when you select Auto-match for Auto-populate username. NIOS extracts the username from the certificate and searches for it in effective authorization policies based on the configured match policies. The values in the list are:

      • AD Issuer Subject: Select this from the drop-down list to authenticate the user based on the Active Directory mentioned by the user.

      • SAN Email: Select this from the drop-down list to authenticate the user based on the email address in the SAN (Subject Alternative Name).

      • SAN UPN: Select this from the drop-down list to authenticate the user based on the UPN (User Principal Name) in the SAN (Subject Alternative Name).

      • Serial Number: Select this from the drop-down list to authenticate the user based on the serial number.

      • Subject DN Common Name: Select this from the drop-down list to authenticate the user based on the subject DN (Distinguished Name) common name. A Subject DN can include information about the user who is being authenticated, including common name, name of the organization, country code, and so on.

      • Subject DN Email: Select this from the drop-down list to authenticate a user based on the subject DN email address.

    • Enable remote lookup for user membership: Select the checkbox to enable lookup on remote servers. NIOS performs the lookup against local users by default. For a remote lookup, you must specify the username and password for the authentication service. You can perform a lookup for user membership only if the remote service admin that is configured for remote lookup has enough permissions to read other users' membership information. You must also select the remote service that must be used for the lookup. Note that NIOS supports remote lookup for Active Directory only.
      Note that you can select the above checkbox and the Authentication Service and Service Account Credentials fields only when you select Auto-match for Auto-populate username. You must not select the Username/password request checkbox when you select the checkbox for Enable remote lookup for user membership.

    • Authentication Service: Select an authentication service from the drop-down list.

    • Service Account Credentials: Enter a username and password for authenticating lookup on remote servers.

    • Comment: Optionally, enter additional information about the certificate authentication service.

    • Disable: Select this checkbox to disable the record. Clear the checkbox to enable it.

  4. Click Next to save the configuration and add OCSP responders to the table.
  5. You can add multiple OCSP responders for failover purposes.

  • OCSP Check Type: Select a value from the drop-down list to perform OCSP checks. The values in the drop-down list are:

    • AIA and Manual: Select this from the drop-down list to use the AIA (Authority Information Access) extension of the X.509 certificate, when it is present, to authenticate the user. Note that AIA points to the certificate authentication service that is used to verify the certificate. If AIA is not available, then the authentication fails. If the certificate does not contain AIA, then the appliance uses manual OCSP for authentication.

    • AIA only: Select this from the drop-down list to use AIA only to authenticate the user. AIA points to the certificate authentication service that is used to verify the certificate. By selecting this option, you restrict NIOS to using AIA only. If the certificate does not contain AIA, or the AIA is incomplete, then the authentication fails.

    • Disabled: Select this from the drop-down list if you do not want to perform an OCSP check.

    • Manual: Select this from the drop-down list to define OCSP settings and upload CA certificates manually. When you select this option, NIOS ignores AIA even though it is present.

  • OCSP Responders: Click the Add icon and complete the following in the Add OCSP Responder section:

    • Server Name or IP Address: Enter the FQDN or the IP address of the OCSP responder that is used for authentication. The appliance supports IPv4 and IPv6 OCSP responders.

    • Comment: Enter useful information about the OCSP responder.

    • Port: Enter the port number on the OCSP responder to which the appliance sends authentication requests. The default is 80.

    • Server Certificate: Click Select to upload a server certificate. In the Upload dialog box, click Select to navigate to the certificate, and then click Upload. The appliance validates the certificate when you save the configuration. A server certificate is required for the direct trust model.

    • Disable Server: Select this checkbox to disable the OCSP responder if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server.
      Note that you cannot save the OCSP configuration when all OCSP responders are disabled; in that case the certificate authentication service is disabled and two-factor authentication is no longer in effect. You cannot add OCSP responders when you select AIA only or Disabled from the drop-down list for OCSP Check Type.

Click Add to save the configuration and add the responder to the table. You can add multiple OCSP responders for failover purposes. You can use the up and down arrows to place the responders in the order you desire. The appliance tries to connect with the first responder on the list. If the connection fails, it tries the next responder on the list, and so on. Grid Manager displays the following for each responder:

  • Responder: The FQDN or the IP address of the OCSP responder.

  • Comment: Information you entered about the OCSP responder.

  • Port: The port number on the OCSP responder to which the appliance sends authentication requests.

  • Disabled: Indicates whether the OCSP responder is disabled or not. Note that you must enable at least one responder to enable the certificate authentication service.

You can also click Test to test the configuration. If the appliance connects to the responder using the configuration you entered, it displays a message confirming the configuration is valid. If it is unable to connect to the responder, the appliance displays a message indicating an error in the configuration.

  • Response Timeout (s): Enter the time the appliance waits for a response from the specified OCSP responder. The default is 1 second. You can select the time unit from the drop-down list.

  • Retries: Enter the number of times the appliance tries to connect to the responders after a failed attempt. The default is 5.

  • Recovery Interval: Enter the time the appliance waits to recover from the last failed attempt to connect to an OCSP responder. Select the time unit from the drop-down list. The default is 30 seconds. This is the interval NIOS waits, after an attempt in which it could not connect to the responder or the responder did not reply within the configured response timeout and retry attempts, before it tries to contact that responder again.

  • Trust Model: Select Direct or Delegated from the drop-down list as the trust model for OCSP responses. In a direct trust model, OCSP responses are signed with an explicitly trusted OCSP responder certificate. You must upload the OCSP responder certificate if you select Direct. In a delegated trust model, OCSP responses are signed with a trusted CA certificate. A server certificate is not required when you select Delegated. The default is Direct.

  6. Click Next to save the configuration and associate CA certificates with the respective certificate authentication service. You can associate multiple CA certificates with the service.

Note that enabling the certificate authentication service terminates administrative sessions for all users. Ensure that you have uploaded the correct CA certificates before enabling the service. Your login names must also match the common name used in the certificate. When you configure multiple OCSP responders, ensure that you place them in the correct order, because the status check for a client certificate is based on the OCSP reply sent by the first OCSP responder that replies.

NIOS detects a valid certificate authentication service for a client's certificate by searching through the CA certificates assigned to each group. NIOS matches the issuer field in the client's certificate against the CA certificate to find the appropriate match. Note that the subject of the CA certificate must match the issuer in the client's certificate and the corresponding certificate authentication service.

Note the following about the certificate authentication service:

  • You cannot assign the same CA certificate to the same group twice or to a different certificate authentication service. However, different certificate authentication services can contain CA certificates with the same subject. To distinguish such groups, you can use the Client Subject name to determine which client certificate must match the CA certificate associated with the certificate authentication service. If the client certificate does not match any certificate authentication service, then the authentication fails. A CA certificate verifies the client certificate.

  7. Click Add to associate CA certificates with the certificate authentication service. The following information is displayed when you associate a CA certificate:

  • Subject: The name of the certificate.

  • Issuer: The name of the trusted CA that issued the certificate.

  • Valid From: The date from which the certificate becomes valid.

  • Valid To: The date until which the certificate is valid.

You can do the following:

  • Select a certificate and click the Delete icon to delete it.

  • Print the data or export it in .csv format.

You can also do the following for a certificate authentication service:

  • Use Global Search to search for certificate authentication services. For information about Global search, see About the Grid Manager Interface.

  • View audit log entries for the certificate authentication service. For information about viewing the audit log, see Monitoring Tools.

  • Select a certificate authentication service and click the Delete icon to delete it. In the Delete Confirmation dialog box, click Yes to confirm deletion.

  • Modify a certificate authentication service as mentioned in Modifying Certificate Authentication Services below.

  • Print the data or export it in .csv format.

Enabling Certificate Authentication Service for a User

You can restrict users to certificate-based authentication only. Note that a certificate authentication service with direct-match searches only for users that have the certificate authentication service enabled. Such users are successfully authenticated by the certificate authentication service using auto-match.

  1. From the Administration tab, click the Administrators tab -> Admins tab -> admin_account checkbox, and then click the Edit icon.

  2. In the Administrator editor, click the General tab, and then click the Advanced tab.

  3. In the General Advanced tab, complete the following:

  • Enable Certificate Authentication: Select this checkbox to enable certificate authentication for the selected user. You must configure certificate authentication service and associate a valid client CA certificate with the selected user. This is disabled by default.

  • Client Certificate Number: You can specify a client certificate number only when you select the Enable Certificate Authentication checkbox. This is disabled by default. Enter the serial number as mentioned in the certificate. Examples: 397F9435000100000032 (hexadecimal format), 123 (decimal format), and so on.

  • Client CA Certificate: You must associate a CA certificate that signs the client certificate. Click Select to associate a CA certificate. When you select a CA certificate from the list, NIOS displays the subject of the selected CA certificate. The CA Certificate Selector dialog box displays the following information about CA certificates:

    • Issuer: The name of the trusted CA that issued the certificate.

    • Valid From: The date from which the certificate becomes valid.

    • Valid To: The date until which the certificate is valid.

    • Subject: The name of the certificate.

    Click OK to select and associate the client CA certificate with the selected admin user.

  4. Save the configuration.
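The three matching mechanisms this page describes, worked through together as an added example: username extraction under the Auto match by policies (Configuring Certificate Authentication Services above), locating the certificate authentication service whose CA subject equals the client certificate's issuer, with the Client Subject name used to tell apart services whose CAs share a subject (the note under step 6 above), and direct-match on issuer plus the Client Certificate Number in the hexadecimal and decimal forms shown in this section. This is illustration code written for this page, not Infoblox code, and it does not show how NIOS is implemented. It assumes a certificate already parsed into a plain dict, a simplified DN parser (no escaping or multi-valued RDNs), that a Client Subject name is a set of DN attributes that must all appear in the client's subject, and that a configured serial number is read as hexadecimal when it contains A-F digits or a 0x prefix and as decimal otherwise; the page states none of these rules. The AD Issuer Subject policy is left out because it needs a directory lookup.

```python
# Added example (not Infoblox/NIOS code): mapping a client certificate to an admin
# under the auto-match and direct-match policies. All data below is constructed.
import re

# The client certificate as seen after SSL/TLS client authentication (constructed).
CLIENT_CERT = {
    "subject": "CN=jdoe,O=Example Corp,C=US,emailAddress=jdoe@example.com",
    "issuer": "CN=Example Issuing CA,O=Example Corp,C=US",
    "serial": 0x397F9435000100000032,
    "san": {"email": ["j.doe@example.com"], "upn": ["jdoe@corp.example.com"]},
}

# Two certificate authentication services whose CA certificates share a subject;
# "client_subject" models the Client Subject name used to tell them apart.
CA_SERVICES = [
    {"service": "svc-contractors",
     "ca_subject": "CN=Example Issuing CA,O=Example Corp,C=US",
     "client_subject": "O=Contractors"},
    {"service": "svc-employees",
     "ca_subject": "CN=Example Issuing CA,O=Example Corp,C=US",
     "client_subject": "O=Example Corp"},
]

# Admins with Enable Certificate Authentication set (issuer + Client Certificate Number).
DIRECT_ADMINS = [
    {"name": "jdoe", "issuer": "CN=Example Issuing CA,O=Example Corp,C=US",
     "serial": "397F9435000100000032"},   # hexadecimal form, as on the page
    {"name": "svc-backup", "issuer": "CN=Example Issuing CA,O=Example Corp,C=US",
     "serial": "123"},                    # decimal form, as on the page
]


def parse_dn(dn):
    """Split a comma-separated DN into an attribute dict (simplified RFC 4514:
    no escaping, no multi-valued RDNs)."""
    return {k.strip(): v.strip() for k, v in (rdn.split("=", 1) for rdn in dn.split(","))}


def extract_username(cert, policy):
    """Return the username an Auto match by policy would take from the certificate,
    or None when the certificate lacks that field."""
    subject = parse_dn(cert["subject"])
    if policy == "SAN Email":
        return (cert["san"].get("email") or [None])[0]
    if policy == "SAN UPN":
        return (cert["san"].get("upn") or [None])[0]
    if policy == "Serial Number":
        return format(cert["serial"], "X")          # upper-case hex, no prefix
    if policy == "Subject DN Common Name":
        return subject.get("CN")
    if policy == "Subject DN Email":
        return subject.get("emailAddress")
    raise ValueError("unsupported match policy in this example: %s" % policy)


def find_service(cert, services):
    """Locate the service whose CA subject equals the client's issuer. If several
    services hold a CA with that subject, keep only those whose Client Subject
    name attributes are all present in the client's subject."""
    issuer = parse_dn(cert["issuer"])
    subject = parse_dn(cert["subject"])
    candidates = [s for s in services if parse_dn(s["ca_subject"]) == issuer]
    if len(candidates) > 1:
        candidates = [s for s in candidates
                      if all(subject.get(k) == v
                             for k, v in parse_dn(s["client_subject"]).items())]
    return candidates[0]["service"] if candidates else None


def normalize_serial(text):
    """Assumption for this example: hexadecimal when the value has A-F digits or a
    0x prefix, decimal otherwise. Colon separators are tolerated."""
    t = text.strip().replace(":", "")
    if t.lower().startswith("0x") or re.search(r"[a-fA-F]", t):
        return int(t, 16)
    return int(t, 10)


def direct_match(cert, admins):
    """Direct-match: the admin whose assigned issuer and serial number equal the
    client certificate's, or None."""
    issuer = parse_dn(cert["issuer"])
    for admin in admins:
        if parse_dn(admin["issuer"]) == issuer and \
                normalize_serial(admin["serial"]) == cert["serial"]:
            return admin["name"]
    return None


if __name__ == "__main__":
    for policy in ("Subject DN Common Name", "SAN UPN", "SAN Email",
                   "Subject DN Email", "Serial Number"):
        print("%-24s -> %s" % (policy, extract_username(CLIENT_CERT, policy)))
    print("service:", find_service(CLIENT_CERT, CA_SERVICES))
    print("direct match:", direct_match(CLIENT_CERT, DIRECT_ADMINS))
```

The `find_service` step is where a misconfigured CA set fails closed: a client certificate whose issuer matches no uploaded CA subject, or matches several services but satisfies none of their Client Subject names, yields no service, which corresponds to the authentication failure the note under step 6 describes.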

Viewing Certificate Authentication Services

To view the certificate authentication service, complete the following:

  1. From the Administration tab, click the Authentication Server Groups tab.

  2. Click the Certificate Authentication Services subtab.

  3. Grid Manager displays the following about the certificate authentication service:

    • Name: The name of the certificate authentication service.

    • Comment: Comments about the certificate authentication service.

You can also display the following column:

  • Disabled: Indicates if the certificate authentication service is enabled or disabled.

You can do the following in this tab:

  • Sort the data in ascending or descending order by column.

  • Select the certificate authentication service and click the Edit icon to modify data, or click the Delete icon to delete it.

  • Print and export the data in this tab.

Modifying Certificate Authentication Services

To modify a certificate authentication service:

  1. From the Administration tab, click the Authentication Server Groups tab -> Certificate Authentication Services subtab -> select a certificate authentication service, and then click the Edit icon.

  2. The Certificate Authentication Service editor provides the following tabs from which you can modify data:

    • General: In this tab, modify certificate authentication service data, as described in Configuring Certificate Authentication Services above.

    • OCSP: Modify associated OCSP responders. 

    • CA: Add and delete CA certificates that are associated with the certificate authentication service.

  3. Save the configuration.

Deleting Certificate Authentication Services

You can delete a certificate authentication service any time after you have created it. To delete a certificate authentication service:

  1. From the Administration tab, click the Authentication Server Groups tab -> Certificate Authentication Services subtab, select a certificate authentication service and then click the Delete icon.

  2. In the Delete Confirmation dialog box, click Yes.
