Protect cOS core Remote Management with two factor authentication using PhenixID MFA server.

Security Gateway Articles and How to's
Post Reply
Anton
Posts: 24
Joined: 16 Jun 2016, 18:50
Location: Clavister HQ - Örnsköldsvik

Protect cOS core Remote Management with two factor authentication using PhenixID MFA server.

Post by Anton » 10 Aug 2017, 09:45

This How-to applies to:
  • Clavister Security Gateway 12.x. and MFA 2.x
Table of contents:
• Objectives with this article.
• Configuring HTTPS management with Radius authentication in the NGFW.
• Configuring the MFA server.
• Testing the login.

Objectives with this article:
This article will assume that you have a PhenixID MFA server installed and have some basic knowledge of MFA. Guide on how to install the MFA server can be found here: http://document.phenixid.net/m/69842/l/ ... on-windows

This article will also assume that you have a working Active Directory.

In this article we will discuss how to use two factor authentication to grant access to the remote management of the NGFW with the help of PhenixID MFA server.

cOS core does not support radius access-challenge per default so the One Time Password has to be entered on the same line as the password. That means that we have do split the password and OTP based on index when the request comes to the MFA server.

Example:
“Password123456” is entered by the user and we know that the OTP is 6 digits long so we need to split the string into two pieces, password and 123456.

We also have to instruct MFA to send back the correct user groups to the Next Generation Firewall.

We will only show how to configure two factor authentication for HTTPS management but this will also work for HTTP and SSH management.

Configuring the NGFW:

First of all we need to add the user that should be able to login and configure the NGFW to the local user database. We need to do this since if for example the MFA server is not responding then we need to fallback to local authentication, otherwise the Administrator risks getting locked out from the NGFW.

This can be done under System – > Local User Databases. Click the database you want to use and then add user.
adduser.png
adduser.png (46.58 KiB) Viewed 1209 times
adduser2.png
adduser2.png (19.15 KiB) Viewed 1209 times

1. The username must be the same as in the Active Directory.
2. The user needs to be a part of the administrators group.

After that we need to add a new Radius “Directory”. This can be found under Policies -> User Authentication -> RADIUS, click add a new Radius server.
addradius1.png
addradius1.png (27.12 KiB) Viewed 1209 times
addradius2.png
addradius2.png (45.45 KiB) Viewed 1209 times


1. The IP address where the MFA server is located.
2. Chose the port that the MFA server listens to.
3. Chose a suiting shared secret.

Next we need to either add a new Management rule or edit the old one. Go to System-> Remote Management and add a new one or edit the already existing remote management rule.
editmgmt2.png
editmgmt2.png (49.05 KiB) Viewed 1065 times

1. Set the Authentication Source to RADIUS.
2. Chose “Local Last” on Authentication Order, meaning that the Local user database will only be consulted if the MFA server is not responding.
3. Select the already created RADIUS server “MFA”.
4. RADIUS Method must be set to PAP.
5. We also need to specify administrators as "Admin Groups".

That was all the configuration that we needed to do in the NGFW. Keep in mind that it can be good to have either serial access or SSH access to the firewall while doing this otherwise you risk getting locked out from remote management.

Now “save & activate”.

Configuring the MFA server:

Now we need to configure the MFA server to listen for incoming radius request on port 1814 and returning the correct user groups back to the NGWF. We also need to deal with the password and OTP being in the same string, so we need to split them up into two attributes.

The user should also be able to activate their Token in order to be able to generate OTPs. The user will be able to activate their token via Selfservice and we will use PhenixID Pocket Pass to generate OTPs.

Configuring Selfservice:

Go to https://<IP of MFA server>:8443/config and login the configuration manager and go to Scenarios -> Applications, click the plus sign to add a new selfservice.
selfservice1.png
selfservice1.png (15.83 KiB) Viewed 1209 times

After that select create a new User Store, if you have one already select that one.
selfservice2.png
selfservice2.png (5.06 KiB) Viewed 1209 times

Click next.
next.png
next.png (2.19 KiB) Viewed 1209 times
Chose a suiting name for your User Store and click next. After that specify where the Active Directory is.
selfservice4.png
selfservice4.png (8.81 KiB) Viewed 1209 times

1. My AD is installed on the same host as the MFA server so 127.0.0.1 or localhost.
2. In this example we will use the standard LDAP port.

Next we must specify the credentials for the “directory manager”
selfservice5.png
selfservice5.png (10.03 KiB) Viewed 1209 times


1. Make sure the account has appropriate access rights in the data source, in this example we will use the Administrator account.
2. Password for the Administrator account.

We will not use SSL so we can skip the next page, click next. Test the connection, if everything is correct the test till be Successful.

After that we will specify where we should search for the user.
selfservice8.png
selfservice8.png (12.3 KiB) Viewed 1209 times

1. My user is located in CN=Users,DC=antonlab,DC=se
2. We are going to look for the sAMAccountName.

In this example we will only enable Pocket Pass for self-administration under selfservice.
selfservice9.png
selfservice9.png (8.15 KiB) Viewed 1209 times

On the next page you can also change the issuer for the Token and for how long the Token should be valid this can be left as standard.

Next click “Create”.
create.png
create.png (2.87 KiB) Viewed 1209 times
Configuring the Radius scenario:

Go to Scenarios -> Radius and click the plus sign to add a new Username and Password scenario.
Radius1.png
Radius1.png (11.94 KiB) Viewed 1209 times

Chose a name for you scenario and click next.

Chose which data store that should be used:
Radius3.png
Radius3.png (7.77 KiB) Viewed 1209 times
1. Since we previously created a User store we can use the same.


Next we need to specify what we should search for and where.
Radius4.png
Radius4.png (10.67 KiB) Viewed 1209 times
On next page we should select create a new Radius connection.
Radius5.png
Radius5.png (5.92 KiB) Viewed 1209 times

Click next.
Radius6.png
Radius6.png (9.52 KiB) Viewed 1209 times


1. This can be left untouched, 0.0.0.0 means listening on all IPs.
2. 1814 should be used on port, since we previously configured the NGFW to send Radius request to port 1814.

Next we need specify from where we should allow radius requests.
Radius7.png
Radius7.png (12.44 KiB) Viewed 1209 times

1. The IP address of the NGFW.
2. The shared secret that we previously configured the NGFW.

Click next and then create.

We now need to add a few things to our configuration since we have not configured any two factor authentication yet. First under the advanced tab on your scenario add 5089:1:filtered_groups to Vendor specific attributes:
Radius9.png
Radius9.png (10.15 KiB) Viewed 1209 times

Next we need to add three more valves under the “execution flow“ tab, PropertySplitByIndexValve, TokenValidationValve and LDAPGroupFiltering.

Click Add valve:
Radius10.png
Radius10.png (18.4 KiB) Viewed 1209 times


First we will add the PropertySplitByIndexValve:
Radius11.png
Radius11.png (25.26 KiB) Viewed 1209 times

1. Click JSON
2. Add the following text to the configuration.
3. Click add valve.

Do the same for the TokenValidationValve and the LDAPGroupFiltering valve. Keep in mind that the “Connection_ref” for the LDAPGroupFiltering valve has to be same as in the LDAPSearchValve and LDAPBindValve.
Radius12.png
Radius12.png (15.79 KiB) Viewed 1209 times
Radius13.png
Radius13.png (24.17 KiB) Viewed 1209 times

After that change the order of the Valves to be the following:
Radius14.png
Radius14.png (12.05 KiB) Viewed 1209 times

Next we need to modify the “password_parm_name” parameter in the LDAPBindValve to the password attribute of the PropertySplitByIndexValve like this "{{attributes.password}}"
Radius15.png
Radius15.png (26.61 KiB) Viewed 1209 times


We also need to modify the LDAPSearchValve, we need to add "attribute": "memberOf" to the configuration:
attmemberof.png
attmemberof.png (17.44 KiB) Viewed 1156 times
And now we are done with the configuration on the MFA server, click save to commit the changes.
save.png
save.png (2.31 KiB) Viewed 1209 times

Download and install Pocket Pass and enroll the token:

Next we need install Pocket Pass and enroll the token in order to generate OTPs so that the NGFW administrator can login to remote management.

Firstly we need to login to the selfservice page, go to https://<IP of the MFA server>:8443/selfservice in your browser and login with the user account that should manage the NGFW.

Go to the Tokens tab and click Activate PhenixID Pocket Pass:
selfservice13.png
selfservice13.png (7.7 KiB) Viewed 1209 times

Enter a Display name for your device and click next. After that instructions will be shown alongside with a barcode, which you need to scan with the Pocket Pass app to activate your token.
barcode.png
barcode.png (20.19 KiB) Viewed 1209 times

Download PhenixID Pocket Pass from the Google Play store if you have a Android or the Apple Appstore if you have a IPhone and follow the instructions.

Testing the login:

You should now be able to login to the remote management of the NGFW with two factor authentication. This requires that the password and OTP are entered on the same field and also in that order otherwise will the authentication fail.
Login.png
Login.png (23.68 KiB) Viewed 1209 times

1. Enter your Username.
2. Enter the normal password for the user, do not press login. First enter the OTP provided by the Pocket Pass app after the password. And after that you press login.

Anton
Posts: 24
Joined: 16 Jun 2016, 18:50
Location: Clavister HQ - Örnsköldsvik

Re: Protect cOS core Remote Management with two factor authentication using PhenixID MFA server.

Post by Anton » 10 Aug 2017, 10:10

Configuration for the extra Valves that we added:

Make sure to change “connection_ref” according to your configuration.

TokenValidationValve:

Code: Select all

{
    "otp_length": "6",
    "hotp_lookahead": "10",
    "provided_otp_param_name": "{{attributes.otp}}"
}
PropertySplitByIndexValve:

Code: Select all

{
	"source": "{{request.User-Password}}",
	"destination_attribute_one": "password",
	"destination_attribute_two": "otp",
	"position": "-6"
}
LDAPGroupFiltering:

Code: Select all

{
	"connection_ref": "dea60e51-228c-4ce4-a1af-7613e32fefd0",
	"separator": ",",
	"samaccountname_attribute": "",
	"response_attribute_name": "filtered_groups",
	"group_attribute": "memberOf",
	"send_clean_group_dn": "false",
	"groups_to_add": "Administrators"
}

Post Reply