PhenixID

Step by Step – RSA Forward

Summary

This document will guide you through the steps to configure PhenixID MFA for RSA Radius forward.


System Requirements

  • PhenixID Server installed
  • RSA Server configured to act as a RADIUS server
  • RSA Server IP address/hostname, RADIUS port and shared secret

Instruction

NB! The scenario below describes a RADIUS authentication flow where RSA is the only OTP delivery mechanism.

Configuration logic, such as “use RSA if a specific AD attribute is set”, is also feasible. This is not described here. Please view the valves configuration documentation to achieve such logic or contact PhenixID Support.


Login to PhenixID Administration Portal

We will use one of the scenarios included in the administration portal.
Open a browser and go to https://PhenixidServerIP:8443/config/.
Use e.g. the default administrator user called phenixid with the default password password to log in.

Configure PhenixID Server as a RADIUS server with username, password and OTP authentication.

This is explained in another Step-by-Step document; please read through it and then return to this document to continue the setup for RSA.

The step-by-step document to configure PhenixID server to act as a RADIUS server:
http://document.phenixid.net/m/71787/l/782246-username-password-otp-delivered-by-sms


Guide to configure PhenixID Server for RSA Radius forward

  1. Login to Configuration Manager
  2. Click the Advanced Tab
  3. Click Authenticators – Radius
  4. Locate the authenticator added by the previous step (scenario).
    (Hint: name=UsernamePasswordAndOTPAuthenticator. Make sure you pick the correct authenticator; there may be several with that name.)
  5. Change the name to ForwardOTPAuthenticator. Remove guide_ref and guide_id parameters. Example:
    {
      "id" : "f2c823bf-fe82-4fa0-a25b-75e3dc318e2f",
      "name" : "ForwardOTPAuthenticator",
      "config" : {
        "uid_pwd_pipe" : "840b38af-b335-457c-80d3-ebd056b59709",
        "validate_otp_pipe" : "1487ca1b-5c93-45eb-ae5d-6ebe4caf9c29X",
        "clientIP" : "192.168.98.1",
        "ar_attributes" : "",
        "resp_attributes" : "",
        "secret" : "{enc}SxAgMujPHb2YkmcMEeOZUmGhisxWyfo0OVbCz4FaBWM=",
        "radius_config" : "ce56ae21-6325-43fb-8fb0-0ae821b8dcec"
      },
      "created" : "2016-05-23T17:57:48.009Z"
    }
  6. Click Stage changes and then Commit changes.
  7. Locate Pipes
  8. Locate the pipe with the id matching the authenticator uid_pwd_pipe value.
    "uid_pwd_pipe" : "840b38af-b335-457c-80d3-ebd056b59709"
  9. Remove the valves OTPGeneratorValve and OTPBySMSValve.
  10. Add a valve to be executed last in the pipe.
    {
      "name" : "PropertyAddValve",
      "config" : {
        "name" : "forward_auth_method",
        "value" : "rsa"
      }
    }
  11. Click Stage changes and then Commit changes.
  12. Locate the pipe with the id matching the authenticator validate_otp_pipe value.
    "validate_otp_pipe" : "1487ca1b-5c93-45eb-ae5d-6ebe4caf9c29X"
  13. Remove all current valves (SessionLoadValve, PINValidationValve and OTPValidationValve) from the pipe.
  14. Add new valves to the pipe. Change the RSA Server settings (the RADIUSOTPValidator valve) and the LDAPSearchValve settings to suit your environment. Example below.
    {
      "id" : "1487ca1b-5c93-45eb-ae5d-6ebe4caf9c29X",
      "guide_ref" : "b99c1112-8236-46fa-9d98-c2fa345d0a28",
      "created" : "2016-05-23T17:57:47.884Z",
      "valves" : [ {
        "name" : "LDAPSearchValve",
        "config" : {
          "connection_ref" : "b88bf6a2-7d5e-4230-a5f2-0551d9f59833",
          "base_dn" : "dc=bjorken,dc=local",
          "scope" : "SUB",
          "size_limit" : "0",
          "filter_template" : "uid={{request.User-Name}}",
          "attributes" : "departmentNumber"
        }
      }, {
        "name" : "PINValidationValve",
        "config" : {
          "stored_pin_param_name" : "",
          "provided_otp_attribute_name" : "otp",
          "provided_pin_param_name" : "User-Password",
          "pin_placement" : "before",
          "pin_length" : "",
          "skip_if_expr" : "true === true"
        }
      }, {
        "name" : "SessionResolveValve",
        "config" : {
          "alias" : "{{request.User-Name}}"
        }
      }, {
        "name" : "RADIUSOTPValidator",
        "config" : {
          "host" : "{{item.departmentNumber}}",
          "default_host" : "192.168.98.196XXXXXX",
          "default_port" : "1645",
          "default_secret" : "{enc}nra7X8I7QS95DxDR3x7IuonLbeOu91MXjI/s8Ux0n3c=",
          "username_param" : "User-Name",
          "password_param" : "User-Password",
          "forward_state" : "{{session.radius_packet_type}}",
          "radiusstate" : "State"
        }
      }, {
        "name" : "SessionPropertyAddValve",
        "config" : {
          "name" : "radius_packet_type",
          "value" : "{{item.radius_packet_type}}"
        }
      }, {
        "name" : "SessionPersistValve",
        "config" : { }
      }, {
        "name" : "SessionRemoveValve",
        "config" : {
          "exec_if_expr" : "flow.getPropertyValue('radius_packet_type').equals('access-accept')"
        }
      } ]
    }
  15. Click Stage changes and then Commit changes.
  16. Test it out!
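Before testing, it is worth checking the edited authenticator and pipes against the steps above, since a pipe id or host copied from the examples in this guide will not work as-is. The script below is an added example and is not PhenixID code; it takes the authenticator and pipe objects in the JSON shape shown in steps 5, 10 and 14 and reports every deviation from the guide. It assumes that pipe ids are UUID-shaped as on this page, that secrets the server has encrypted carry the {enc} prefix seen above, and that a value ending in a capital X (such as the validate_otp_pipe id and default_host in the examples) is a masked placeholder rather than a real value. The sample_config helper builds a constructed configuration from the guide's values; the pipe id and host it substitutes when fixed=True are stand-ins, not real ids or servers.

```python
import re

# Added example, not PhenixID code: lint an edited RADIUS-forward configuration
# against the steps of this guide. Assumptions: pipe ids are UUID-shaped as on
# the page, encrypted secrets carry the {enc} prefix seen on the page, and a
# value ending in a capital X is a masked placeholder copied from the guide.

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MASK_RE = re.compile(r"[0-9a-f]X+$")
REMOVED_UID_VALVES = ("OTPGeneratorValve", "OTPBySMSValve")      # step 9
REMOVED_OTP_VALVES = ("SessionLoadValve", "OTPValidationValve")  # step 13 (PINValidationValve is re-added in step 14)


def check_authenticator(auth):
    """Step 5: renamed, guide_* removed, secret encrypted, pipe references well-formed."""
    f = []
    if auth.get("name") != "ForwardOTPAuthenticator":
        f.append("authenticator: name %r, expected ForwardOTPAuthenticator" % auth.get("name"))
    f += ["authenticator: %s should be removed" % k for k in ("guide_ref", "guide_id") if k in auth]
    cfg = auth.get("config", {})
    if not str(cfg.get("secret", "")).startswith("{enc}"):
        f.append("authenticator: secret is not stored with the {enc} prefix")
    for key in ("uid_pwd_pipe", "validate_otp_pipe"):
        if not UUID_RE.match(str(cfg.get(key, ""))):
            f.append("authenticator: %s %r is not a well-formed pipe id" % (key, cfg.get(key)))
    return f


def check_uid_pwd_pipe(pipe):
    """Steps 9-10: SMS OTP valves gone, PropertyAddValve(forward_auth_method=rsa) runs last."""
    valves = pipe.get("valves", [])
    f = ["uid_pwd_pipe: %s must be removed" % v["name"]
         for v in valves if v.get("name") in REMOVED_UID_VALVES]
    last = valves[-1] if valves else {}
    cfg = last.get("config", {})
    if not (last.get("name") == "PropertyAddValve" and cfg.get("name") == "forward_auth_method"
            and cfg.get("value") == "rsa"):
        f.append("uid_pwd_pipe: last valve must be PropertyAddValve setting forward_auth_method=rsa")
    return f


def check_validate_otp_pipe(pipe):
    """Steps 13-14: old valves gone, RADIUSOTPValidator present with sane RSA server settings."""
    valves = {v.get("name"): v.get("config", {}) for v in pipe.get("valves", [])}
    f = ["validate_otp_pipe: %s must be removed" % n for n in REMOVED_OTP_VALVES if n in valves]
    rsa = valves.get("RADIUSOTPValidator")
    if rsa is None:
        return f + ["validate_otp_pipe: RADIUSOTPValidator valve is missing"]
    port = str(rsa.get("default_port", ""))
    if not (port.isdigit() and 0 < int(port) < 65536):
        f.append("validate_otp_pipe: default_port %r is not a valid port number" % port)
    if not str(rsa.get("default_secret", "")).startswith("{enc}"):
        f.append("validate_otp_pipe: default_secret is not stored with the {enc} prefix")
    return f


def find_masked(obj, path=""):
    """Paths of string values that still end in the guide's capital-X mask."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits += find_masked(v, "%s.%s" % (path, k) if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_masked(v, "%s[%d]" % (path, i))
    elif isinstance(obj, str) and MASK_RE.search(obj):
        hits.append(path)
    return hits


def check_config(auth, pipes):
    """Return all findings; an empty list means the config matches the guide."""
    f = check_authenticator(auth)
    by_id = {p.get("id"): p for p in pipes}
    cfg = auth.get("config", {})
    for key, check in (("uid_pwd_pipe", check_uid_pwd_pipe), ("validate_otp_pipe", check_validate_otp_pipe)):
        pipe = by_id.get(cfg.get(key))
        if pipe is None:
            f.append("authenticator: %s %r matches no pipe id" % (key, cfg.get(key)))
        else:
            f += check(pipe)
    f += ["placeholder value left at %s" % p for p in find_masked({"authenticator": auth, "pipes": pipes})]
    return f


def sample_config(fixed):
    """Constructed sample mirroring the guide's JSON; fixed=False keeps the two masked values as printed."""
    otp_pipe, rsa_host = "1487ca1b-5c93-45eb-ae5d-6ebe4caf9c29X", "192.168.98.196XXXXXX"
    if fixed:  # constructed stand-ins, not real ids or hosts
        otp_pipe, rsa_host = "00000000-0000-4000-8000-000000000002", "192.0.2.10"
    auth = {"id": "f2c823bf-fe82-4fa0-a25b-75e3dc318e2f", "name": "ForwardOTPAuthenticator",
            "config": {"uid_pwd_pipe": "840b38af-b335-457c-80d3-ebd056b59709", "validate_otp_pipe": otp_pipe,
                       "secret": "{enc}SxAgMujPHb2YkmcMEeOZUmGhisxWyfo0OVbCz4FaBWM="}}
    pipes = [
        {"id": "840b38af-b335-457c-80d3-ebd056b59709",  # base-scenario valves omitted
         "valves": [{"name": "PropertyAddValve", "config": {"name": "forward_auth_method", "value": "rsa"}}]},
        {"id": otp_pipe, "valves": [
            {"name": "LDAPSearchValve", "config": {"attributes": "departmentNumber"}},
            {"name": "SessionResolveValve", "config": {"alias": "{{request.User-Name}}"}},
            {"name": "RADIUSOTPValidator", "config": {
                "host": "{{item.departmentNumber}}", "default_host": rsa_host, "default_port": "1645",
                "default_secret": "{enc}nra7X8I7QS95DxDR3x7IuonLbeOu91MXjI/s8Ux0n3c="}},
            {"name": "SessionPersistValve", "config": {}}]}]
    return auth, pipes
```

Running check_config on the page's values as printed (sample_config(False)) reports the masked validate_otp_pipe id and default_host; once those are replaced with your own pipe id and RSA server address (sample_config(True) shows the shape), the function returns an empty list and you can proceed to the test in step 16. The {enc} check is the one most worth keeping: a secret pasted in plaintext into the configuration is the typical mistake when the values are edited by hand.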

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se