
Implementing Two-factor Authentication

Objectives

  • Configure the two-factor authentication capabilities implemented in IdM.

Two-factor Authentication

Two-factor authentication (2FA) is an authentication mechanism that requires you to provide a combination of two forms (factors) of information to authenticate to a service, application, or system. A factor can be a device-generated passcode, a secret on a smart card, or something that you know, such as a password or personal identification number (PIN).

One approach to two-factor authentication is to combine something you know, such as a PIN or password, with something you have, such as a device-generated passcode.

One-time Passwords

A one-time password (OTP) is a passcode that is valid for a single authentication session and becomes invalid after use. Unlike a traditional static password, an OTP changes from one authentication to the next, so a code that is captured cannot be reused. OTPs supply the "something you have" factor in two-factor authentication.

IdM lets an administrator configure the following user authentication types, either as the global default or per user:

  • Two-factor authentication (password + OTP): Users are always required to enter both a password and an OTP.

  • Password: Users have the option to authenticate using a password only.

  • RADIUS proxy server authentication: You can configure IdM as a client to one or more RADIUS servers.

IdM supports the following two standard OTP mechanisms:

  • The HMAC-based One-time Password (HOTP) algorithm (RFC 4226) derives each code from a shared secret and a counter that the token and the server both advance. Hash-based message authentication code (HMAC) is a keyed message authentication code; HOTP uses HMAC-SHA1 over the counter and truncates the result to a short decimal code.

  • The Time-based One-time Password (TOTP) algorithm (RFC 6238) is an extension of HOTP that replaces the counter with the current time divided by a fixed step, typically 30 seconds. Each code is therefore valid only for that time step, plus whatever clock skew the server tolerates.

Using Tokens for OTP Authentication

IdM supports both software and hardware tokens for OTP.

For a software token, you can use an existing mobile device, such as your phone, with an authenticator application such as FreeOTP to generate OTP codes. FreeOTP is available from the Apple App Store and from Google Play.

Users can manage their own tokens, or the administrator can manage their tokens for them.

With administrator-managed tokens, the administrator adds the token to the user's account. The user can view the token but has no permission to modify or delete it, and does not need to configure anything beyond provisioning it on the device.

The following steps outline the process for creating and adding a software token as an administrator using the web UI:

  • Ensure that the FreeOTP Authenticator application is installed on the mobile device.

  • Log in to the IdM web UI as an administrative user.

  • Navigate to Authentication → OTP Tokens.

  • At the top of the list of OTP tokens, click Add.

  • In the Add OTP Token dialog, select the user who will own the token as the Owner, and then click Add.

    Figure 7.1: Creating and adding an administrator-managed software token

You can also create the token from the command line by using the ipa otptoken-add command with the --owner option:

[user@host ~]$ ipa otptoken-add --owner=user

A QR code is displayed in the web UI or in the terminal. Scan it with FreeOTP Authenticator to provision the token on the mobile device. The QR code encodes the token's secret, so treat the displayed output as a credential: do not leave it in screenshots, terminal logs, or ticket notes.
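The following POSIX shell script is an added example, not part of the course material or of IdM itself. It reproduces what a software token such as FreeOTP does with the key it receives from the QR code, tying together the HOTP and TOTP descriptions above and the provisioning step just shown: it extracts and Base32-decodes the secret from an otpauth:// URI, computes HOTP (RFC 4226) and TOTP (RFC 6238) codes with openssl, and checks a code against the neighbouring time steps the way a verifier with a small clock-skew allowance would. The URI is a constructed sample that carries the RFC 4226 test key "12345678901234567890", so the codes can be checked against the published test vectors; the label and parameters in the URI are assumptions, and the exact URI IdM prints may differ. Requires openssl, awk, sed and cut.

```shell
#!/bin/sh
# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) in POSIX sh + openssl.
# This is the arithmetic a software token performs on the secret from the
# provisioning QR code. Not part of IdM; for study and offline checks only.

# Constructed sample URI in otpauth:// form. The secret is the Base32 form of
# the RFC 4226 test key "12345678901234567890"; label and parameters are
# assumptions, not copied from a real IdM token.
SAMPLE_URI='otpauth://totp/user@EXAMPLE.COM:example-token?digits=6&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&period=30&algorithm=SHA1'

# base32_to_hex: read one Base32 string on stdin, print its bytes as hex
base32_to_hex() {
    awk 'BEGIN { alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
    {
        s = toupper($0); gsub(/=/, "", s); acc = 0; nbits = 0; out = ""
        for (i = 1; i <= length(s); i++) {
            v = index(alpha, substr(s, i, 1)) - 1
            if (v < 0) { print "bad base32 input" > "/dev/stderr"; exit 1 }
            acc = acc * 32 + v; nbits += 5
            if (nbits >= 8) {                 # a full byte is available
                nbits -= 8
                byte = int(acc / 2 ^ nbits)
                acc -= byte * 2 ^ nbits
                out = out sprintf("%02x", byte)
            }
        }
        print out
    }'
}

# otpauth_secret_hex URI: extract the secret= parameter and decode it
otpauth_secret_hex() {
    printf '%s\n' "$1" | sed -n 's/.*[?&]secret=\([A-Za-z2-7=]*\).*/\1/p' | base32_to_hex
}

# hmac_sha1_hex HEXKEY HEXMSG: HMAC-SHA1 of the raw message bytes, as hex
hmac_sha1_hex() {
    key_hex=$1 msg_hex=$2 esc=""
    # Turn each hex byte into a printf octal escape so openssl receives raw
    # bytes (the counter is mostly NUL bytes) rather than hex text.
    while [ -n "$msg_hex" ]; do
        byte=$(printf '%s' "$msg_hex" | cut -c1-2)
        msg_hex=${msg_hex#??}
        esc="$esc\\$(printf '%03o' "$((0x$byte))")"
    done
    printf "$esc" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | sed 's/.*= //'
}

# hotp HEXKEY COUNTER [DIGITS]: the HOTP code for one counter value
hotp() {
    key_hex=$1 counter=$2 digits=${3:-6}
    ctr_hex=$(printf '%016x' "$counter")              # 8-byte big-endian counter
    mac=$(hmac_sha1_hex "$key_hex" "$ctr_hex")
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window
    offset=$((0x$(printf '%s' "$mac" | cut -c40)))
    start=$((offset * 2 + 1))
    word=$(printf '%s' "$mac" | cut -c"$start-$((start + 7))")
    bin=$((0x$word & 0x7fffffff))
    mod=1; n=0
    while [ "$n" -lt "$digits" ]; do mod=$((mod * 10)); n=$((n + 1)); done
    printf "%0${digits}d\n" "$((bin % mod))"
}

# totp HEXKEY [UNIX_TIME] [STEP] [DIGITS]: TOTP is HOTP over the time-step counter
totp() {
    t=${2:-$(date +%s)} step=${3:-30}
    hotp "$1" "$((t / step))" "${4:-6}"
}

# totp_verify HEXKEY CODE [UNIX_TIME] [STEP]: succeed if CODE matches the current
# step or one step either side (a typical clock-skew allowance), else fail
totp_verify() {
    k=$1 code=$2 t=${3:-$(date +%s)} step=${4:-30}
    for skew in -1 0 1; do
        [ "$(totp "$k" "$((t + skew * step))" "$step")" = "$code" ] && return 0
    done
    return 1
}

# Usage: the code a token provisioned from SAMPLE_URI would display right now
# totp "$(otpauth_secret_hex "$SAMPLE_URI")"
```

Because `totp_verify` accepts the previous and next step, a code stays usable for up to 90 seconds around its nominal 30-second window; that is the trade-off a server makes between tolerating clock drift and narrowing the replay window, and it is why the page's statement that a captured OTP is "already invalid" holds only once the code has actually been consumed or the window has passed.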

Configuring Two-factor Authentication

OTPs provide the second factor in two-factor authentication:

  • Users authenticate with their password (the first factor).

  • Users provide the OTP passcode generated by a recognized OTP token (the second factor). Where a login prompt offers only a single password field, the user enters the password immediately followed by the OTP code (password+OTP).

Two-factor authentication is considered safer than authentication with a traditional password alone: a stolen or guessed password is not sufficient on its own, and an OTP that an intruder captures during a login is already spent, because each code can be used for a successful authentication only once. Note that this protects against replay of captured credentials; it does not protect against an attacker who relays the password and OTP to the real service in real time, within the code's validity window.

You can create a global authentication method for two-factor authentication in the IdM web UI.

As an administrative user, navigate to IPA Server → Configuration. In the User Options section on the right, scroll to the Default user authentication types options list and select Two factor authentication (password+OTP). Navigate to the top of the Configuration page and click Save.

Figure 7.2: Default authentication methods

You can also create an individual authentication method for two-factor authentication in the IdM web UI.

As an administrative user, navigate to Identity → Users → Active users. In the Active users section, click the appropriate User login. In Account Settings, scroll to the User authentication types options list and select Two factor authentication (password+OTP).

Figure 7.3: User Authentication Methods

Restricting Access to a Specific Authentication Method

You can restrict access to critical systems by configuring a host or service to require a specific authentication method.

The following steps describe the process for requiring a specific authentication method using the web UI:

  • As an administrative user, navigate to Identity → Hosts or Identity → Services.

  • Click the name of the host or service that you want to restrict.

  • From the Authentication indicators list, select the required authentication method that users must use when they want to access the restricted host or service.

    • Select OTP to require two-factor authentication. This ensures that only users who use a valid OTP code with their password can access the host or service.

    • If you select both OTP and RADIUS, then either indicator alone is enough to allow access; the host accepts a ticket obtained with OTP or with RADIUS.

  • Click Save at the top of the page to apply your changes.

The following steps describe the process for requiring a specific authentication method using the CLI:

  • Use the ipa host-find or ipa service-find command to identify the host or service you want to configure for restricted authentication.

  • Use the ipa host-mod or ipa service-mod command with the --auth-ind option to specify the authentication method you want to require.

    For example, to restrict access to only two-factor authentication for a host:

    [user@host ~]$ ipa host-mod server.example.com --auth-ind=otp
    ---------------------------------------------------------
    Modified host "server.example.com"
    ---------------------------------------------------------
      Host name: server.example.com
    ...output omitted...
      Authentication Indicators: otp
    ...output omitted...

    If indicators for both OTP and RADIUS are added, then either indicator alone is enough to allow access. A host with no indicators at all accepts tickets obtained by any authentication method.
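The following shell function is an added example, not part of the course or of IdM. It turns the restriction described above into an audit: it reads `ipa host-find` output and lists the hosts that do not carry a required indicator, so a critical host that was supposed to be restricted but is missing the attribute stands out. The parser relies only on the "Host name:" and "Authentication Indicators:" labels that appear in the host-mod output shown above; the sample output embedded in the script is constructed for the demonstration and is not real server output.

```shell
#!/bin/sh
# Added example: audit which IdM hosts lack a required authentication
# indicator by parsing the "Host name:" / "Authentication Indicators:" lines
# of ipa host-find output. Not part of IdM; the sample below is constructed
# in the shape the ipa CLI prints and is not real server output.

# audit_auth_ind INDICATOR  (reads ipa host-find output on stdin)
# Prints every host whose indicator list does not contain INDICATOR,
# including hosts with no indicators at all (those accept any ticket).
audit_auth_ind() {
    awk -v want="$1" '
        function emit() {
            if (host != "" && !found) print host
            host = ""; found = 0
        }
        /^  Host name: / { emit(); host = $3 }
        /^  Authentication Indicators: / {
            # multi-valued attributes are printed comma-separated: "otp, radius"
            list = substr($0, index($0, ":") + 2)
            n = split(list, ind, /, */)
            for (i = 1; i <= n; i++) if (ind[i] == want) found = 1
        }
        END { emit() }
    '
}

# Constructed sample of ipa host-find output: three hosts, one without indicators
SAMPLE_HOSTS='---------------
3 hosts matched
---------------
  Host name: server.example.com
  Principal name: host/server.example.com@EXAMPLE.COM
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: server.example.com

  Host name: db.example.com
  Principal name: host/db.example.com@EXAMPLE.COM
  Authentication Indicators: otp, radius
  Password: False
  Keytab: True
  Managed by: db.example.com

  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: client.example.com
----------------------------
Number of entries returned 3
----------------------------'

# audit_sample INDICATOR: run the audit over the constructed sample
audit_sample() { printf '%s\n' "$SAMPLE_HOSTS" | audit_auth_ind "$1"; }

# On a live server, pipe the real command instead (not run here):
#   ipa host-find | audit_auth_ind otp
# and fix each reported host with:  ipa host-mod HOST --auth-ind=otp
```

Run against the sample, `audit_sample otp` reports only client.example.com, while `audit_sample radius` reports server.example.com and client.example.com: db.example.com carries both indicators and, as the text notes, accepts either. Hosts with no indicators are the ones to review first, since they place no requirement on how the ticket was obtained.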

Configuring a RADIUS Proxy

Most third-party two-factor authentication servers can validate credentials over the RADIUS protocol. IdM administrators can configure IdM as a client to one or more RADIUS servers.

An authentication policy for a user can be set to use a specific RADIUS server. When a user's policy is set to RADIUS, IdM ignores the user's IdM password and tokens and forwards the credentials the user entered to that RADIUS server. If the RADIUS server reports success, the KDC replies to its client with a Kerberos ticket; otherwise, access is denied. Because the credentials travel to the RADIUS server protected only by the protocol's shared-secret mechanism, keep the RADIUS server on a trusted network segment or tunnel the traffic, and protect the shared secret like any other credential.

This proxy approach enables a simple and gradual migration from a third-party solution to an IdM-based solution. Such a migration might be considered because of IdM's unique Kerberos integration capability and the cost of the solution.

Migrating from a Proprietary OTP Solution

To enable migrating a large deployment from a proprietary OTP solution to the IdM-native OTP solution, IdM offers a way to offload OTP validation to a third-party RADIUS server for a subset of users.

First, create a set of RADIUS proxies where each proxy can contain multiple individual RADIUS servers. Then, assign one of these proxy sets to a user. As long as the user has a RADIUS proxy set assigned, IdM bypasses all other authentication mechanisms.

Use the following procedure to configure a RADIUS server for OTP validation and to add a user to the proxy server:

  • Make sure that the RADIUS user authentication method is enabled, as presented earlier in this section.

  • Run the ipa radiusproxy-add proxy_name command to add a RADIUS proxy. The command prompts you for the required information, such as the RADIUS server address and the shared secret.

  • Run the ipa user-mod radiususer --radius=proxy_name command to assign a user to the added proxy.

  • If required, configure the username to be sent to RADIUS by running the ipa user-mod radiususer --radius-username=radius_user command.

After it has been configured, the user OTP authentication is processed through the RADIUS proxy server. When the user is ready to be migrated to the IdM native OTP system, remove the RADIUS proxy assignment for the user.

References

For more information on OTP authentication see the Managing IdM Users, Groups, Hosts, and Access Control Rules guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#role-of-idm-kdc_managing-kerberos-ticket-policies

For more information on Kerberos authentication see the Configuring the Browser for Kerberos Authentication in the Accessing Identity Management Services guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/accessing_identity_management_services/index#configuring-the-browser-for-kerberos-authentication-login-web-ui-krb

Revision: rh362-9.1-4c6fdb8