topic Re: Devices with MFA in NSO Developer Hub Discussions

Devices with MFA

sm000x — Mon, 18 Dec 2023 20:23:47 GMT

Hi:

My company will convert the devices to MFA (Multi Factor Authentication) soon.
My question is how to make NSO use MFA to the device?

I searched the src/ncs/yang and found that in tailf-ncs-devices.yang there is
container devices {
container authgroups {
    list group {
      grouping remote-user-remote-auth {
        leaf callback-node {...}
        leaf action-name {...}
      }
    }
}
}

will that help to have NSO to use MFA to the device?

I need some example java code how to use callback-node and action-name.
Does any one have experience?

THX
sm000x

Re: Devices with MFA

perander — Mon, 08 Jan 2024 15:15:04 GMT

Hi!

This is probably not supported out of the box with NSO today.
I asked around at the department, and it doesn't seem like it
is possible to give a proper short answer on devhub at least.

However, it looks like an interesting use case and I suggest
raising a case to discuss it further so we can help you properly.

Re: Devices with MFA

sm000x — Mon, 08 Jan 2024 15:29:08 GMT

Hi, Perander:

Thank you so much for the reply.

"....I suggest raising a case ...."
How do I create a case?

THX
sm000x

Re: Devices with MFA

perander — Mon, 08 Jan 2024 15:35:50 GMT

Hi!

Through your NSO support channel, raise a feature request or a support case.

EDIT: There is actually a link on the right you can use "Open a TAC case".

Re: Devices with MFA

sm000x — Mon, 08 Jan 2024 15:38:08 GMT

I see.

Thank you
sm000x

Re: Devices with MFA

cohult — Wed, 10 Jan 2024 16:06:40 GMT

A quick MFA example:

$ source /path/to/nso/ncsrc $ ls -1 Makefile auth.pl response.pl $ make all start

Browse to 127.0.0.1:8080

Username: admin
Password: admin
challenge: sendSMScode
challenge: secretSMScode

user/pass oper will login using local authentication.

Makefile:

NSO_RUN_DIR=nso-rundir EXTRA_NCS_LOG_CONFIG=\n\ \ \ \ \<webui-browser-log>\n\ \ \ \ \ \ <enabled>true</enabled>\n\ \ \ \ \ \ <filename>./logs/webui-browser.log</filename>\n\ \ \ \ </webui-browser-log>\n\ \ \ EXTRA_AAA_CONFIG=\ \ <auth-order>external-authentication local-authentication pam</auth-order>\n\ \ \ \ <external-authentication>\n\ \ \ \ \ \ <enabled>true</enabled>\n\ \ \ \ \ \ <executable>./auth.pl</executable>\n\ \ \ \ \ \ <use-base64>false</use-base64>\n\ \ \ \ </external-authentication>\n\ \ \ \ <challenge-order>external-challenge</challenge-order>\n\ \ \ \ <external-challenge>\n\ \ \ \ \ \ <enabled>true</enabled>\n\ \ \ \ \ \ <executable>./response.pl</executable>\n\ \ \ \ \ \ <use-base64>false</use-base64>\n\ \ \ \ </external-challenge>\n\ \ \ all: ncs-setup --no-netsim --dest $(NSO_RUN_DIR) sed -i.bak -e '/<external-authentication>/I,+3 d' \ -e "s|</logs>|$(EXTRA_NCS_LOG_CONFIG)</logs>|" \ -e "s|</aaa>|$(EXTRA_AAA_CONFIG)</aaa>|" \ $(NSO_RUN_DIR)/ncs.conf cp *.pl $(NSO_RUN_DIR)/ clean: rm -rf $(NSO_RUN_DIR) stop: ncs --stop || true start: stop cd $(NSO_RUN_DIR); \ ncs

auth.pl:

#!/usr/bin/perl $base64 = 0; $extra = 0; while (@ARGV) { if ($ARGV[0] eq "-b") { $base64 = 1; } elsif ($ARGV[0] eq "-e") { $extra = 1; } shift @ARGV; } if ((!$extra && (<STDIN> =~ /^\[([^;]+);([^;]+);\]$/)) || ($extra && (<STDIN> =~ /^\[([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);\]$/))) { if ($base64) { $user = decode_b64($1); $pass = decode_b64($2); } else { $user = $1; $pass = $2; } if ($extra) { $ip = $3; $port = $4; $ctx = $5; $proto = $6; } if ($user eq "admin") { if ($extra && ($ip ne "0.0.0.0" || $port ne "0" || $ctx ne "maapi" || $proto ne "unknown")) { print "abort Bad extra $ip $port $ctx $proto\n"; } else { if ($pass eq "admin") { #2> base64:encode("bla bla\nbla bla\nChallenge prompt1\n"). #<<"YmxhIGJsYQpibGEgYmxhCkNoYWxsZW5nZSBwcm9tcHQxCg==">> print "challenge challengeId1 YmxhIGJsYQpibGEgYmxhCkNoYWxsZW5nZSBwcm9tcHQxCg==\n"; } else { print "reject Bad password for admin\n"; } } } } # else exit silently sub decode_b64 { my $str = shift; my $res = ""; $str =~ tr|A-Za-z0-9+/||cd; # remove non-base64 chars (padding) $str =~ tr|A-Za-z0-9+/| -_|; # convert to uuencoded format while ($str =~ /(.{1,60})/gs) { my $len = chr(32 + length($1)*3/4); # compute length byte $res .= unpack("u", $len . $1 ); # uudecode } $res; }

response.pl:

#!/usr/bin/perl $base64 = 0; $extra = 0; while (@ARGV) { if ($ARGV[0] eq "-b") { $base64 = 1; } elsif ($ARGV[0] eq "-e") { $extra = 1; } shift @ARGV; } if ((!$extra && (<STDIN> =~ /^\[([^;]+);([^;]+);\]$/)) || ($extra && (<STDIN> =~ /^\[([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);\]$/))) { if ($base64) { $challenge_id = decode_b64($1); $response = decode_b64($2); } else { $challenge_id = $1; $response = $2; } if ($extra) { $ip = $3; $port = $4; $ctx = $5; $proto = $6; } if ($challenge_id eq "challengeId1") { if ($extra && ($ip ne "0.0.0.0" || $port ne "0" || $ctx ne "maapi" || $proto ne "unknown")) { print "abort Bad extra $ip $port $ctx $proto\n"; } else { if ($response eq "sendSMScode") { print "challenge challengeId2 U01TIENvZGUKU01T44Kz44O844OJ\n"; } else { print "reject Bad response\n"; } } } elsif ($challenge_id eq "challengeId2") { if ($extra && ($ip ne "0.0.0.0" || $port ne "0" || $ctx ne "maapi" || $proto ne "unknown")) { print "abort Bad extra $ip $port $ctx $proto\n"; } else { if ($response eq "secretSMScode") { print "accept external admin 1000 1000 /home/admin admin\n"; } else { print "reject Bad response\n"; } } } else { print "reject Unknown challenge_id $challenge_id\n"; } } # else exit silently sub decode_b64 { my $str = shift; my $res = ""; $str =~ tr|A-Za-z0-9+/||cd; # remove non-base64 chars (padding) $str =~ tr|A-Za-z0-9+/| -_|; # convert to uuencoded format while ($str =~ /(.{1,60})/gs) { my $len = chr(32 + length($1)*3/4); # compute length byte $res .= unpack("u", $len . $1 ); # uudecode } $res; }

Re: Devices with MFA

sm000x — Wed, 10 Jan 2024 16:13:08 GMT

Hi, Cohult:

Thank you for this example. This is very helpful. I will study it.

Thank you
sm000x

Re: Devices with MFA

cohult — Thu, 11 Jan 2024 08:00:12 GMT

Sorry, I did not read your question properly. The example is for MFA north of NSO through the WebUI. Not MFA to devices south of NSO through NEDs.

Re: Devices with MFA

sm000x — Thu, 11 Jan 2024 13:28:19 GMT

Hi, Cohult:

Thank you for the correction. But it is still helpful for my work.

Thank you again.
sm000x

Re: Devices with MFA

rogaglia — Fri, 12 Jan 2024 10:48:39 GMT

Hi,

Support in NSO for MFA towards the devices is kind of anti-intuitive as the idea of automation is to remove any manual activities. Also, if you have a NaaS kind of setup where there is no operator involved, who should perform the MFA? The end-customer user? not clear to me,

Removing the architecture question, we could ask if it is technically possible. I think there is a possibility (did not tested myself). In NSO authgroups definition, you can can call an arbitrary action using the "callback-node" options:

                  "Invoke a standalone action to retrieve login credentials for
                  managed devices on the 'callback-node' instance.

                  The 'action-name' action is invoked on the callback node that
                  is specified by an instance identifer.";

This is well explained in the guides: https://developer.cisco.com/docs/nso/guides/#!the-nso-device-manager/authentication-groups

Inside your action, you can do what you want like interacting with a MFA system.

There is clearly a performance impact of this option that I did not analyse but you probably would need to enable commit queues.

Re: Devices with MFA

sm000x — Fri, 12 Jan 2024 13:26:23 GMT

Hi, rogaglia:

Thank you for this information.
I agree that there is performance impact. However, that is the company's direction and the company is currently asking all the network device vendors to have MFA.
I will read the "action" URL, thank you for providing this URL.

Thx
sm000x

Re: Devices with MFA

snovello — Fri, 12 Jan 2024 15:39:48 GMT

Hello,

while introducing MFA for users to log into devices makes sense to me. It would be good to understand the security benefit for introducing MFA to enhance the security of 2 software systems communicating via an NBI, NSO and device in this case.

How would the different factors look like in this case? Just to make it concrete, say NSO starts to login to a device, soon after an email user receives an email with a unique URL. NSO has to log into the mail server retrieve the URL and access it before the device enables the connection. Did we really gain much in security? We now have 2 different passwords that NSO needs to know, but I think the risk of compomise is likely to be correlated. I think that's why we don't hear about MFA much for machine to machine communication.

If you decide to implement such a scheme I think those callback in the authgroup might be able to do it. They would return the password (first factor) but leave a process in the background that takes care of the other factor.

There are other ways to enhance the security of the authentication between NSO and device you can look at including having unique randomly generated password per device, and changing them frequently for the userid that NSO employs toward the device. The callback actions can also be used for NSO to retrieve credentials externally - so storing any secrets in a centralised store that is carefully managed. I created an example of that with terraform vault.

https://gitlab.com/nso-developer/nso-secrets-in-vault/

Re: Devices with MFA

rogaglia — Fri, 12 Jan 2024 15:43:29 GMT

Performance is of course one piece but remember that I was challenging the policy your company is trying to invoke because it is based on the assumption that you have an operator performing the tasks somewhere. However, in many automation scenarios, there is no operator involved. Some examples are user portals, closed-loop logics, etc.

Re: Devices with MFA

rogaglia — Fri, 12 Jan 2024 15:56:35 GMT

Just for completion regarding NORTHBOUD MFA. NSO now supports SSO and SAMLv2. I would claim that a better way to enable MFA northbound support is to use a SAMLv2 identity provider such as Cisco Duo and centralize your MFA needs across all your applications. More info on Duo/SAMLv2/MFA: https://duo.com/docs/sso-generic.

NSO SSO/SAMLv2 video: https://www.youtube.com/watch?v=XhoJQgTP_6A

Guide: https://developer.cisco.com/docs/nso/guides/#!single-sign-on

Re: Devices with MFA

sm000x — Fri, 12 Jan 2024 20:55:30 GMT

Hi, Snovello:

Thank you for this suggestion. I am not MFA person and I know some of my company's project have already implemented the machine-to-machine MFA automation.
I do not know the details, but here is what I know:
When application login to the device, device return some token to application.
Application uses the token to my company's security server and gets a 2nd password back.
Application then uses that 2nd password to login to the device.

I will study the URL you provided and see if I can use NSO to achieve my company's MFA implementation.

THX
sm000x

Re: Devices with MFA

sm000x — Fri, 12 Jan 2024 21:17:30 GMT

Hi, Rogaglia:

Thank you for this response.
I do not know much details but as far as I know, my company's MTA for automation has no operator involves.

THX
sm000x

Re: Devices with MFA

sm000x — Fri, 12 Jan 2024 21:18:30 GMT

Hi, Rogaglia:

Thank you for the information. I will study the links. I am sure they are helpful.

THX
sm000x

Re: Devices with MFA

rogaglia — Sun, 14 Jan 2024 12:41:24 GMT

I can confirm that this is exactly the case why callback-node was created and you can find the examples in the dev guides that you saw abocve.. I would not call what you described as MFA but rather an external vault or password storage as you are not providing any second piece of evidence.

Re: Devices with MFA

sm000x — Sun, 14 Jan 2024 16:36:43 GMT

Hi, Rogaglia:

Thank you for this good news. I will study the Links you sent and give it a try.

THX
sm000x