Devices with MFA

sm000x
Level 1

Hi:

My company will convert the devices to MFA (Multi Factor Authentication) soon.
My question is how to make NSO use MFA to the device?

I searched the src/ncs/yang and found that in tailf-ncs-devices.yang there is
container devices {
  container authgroups {
    list group {
      grouping remote-user-remote-auth {
        leaf callback-node {...}
        leaf action-name {...}
      }
    }
  }
}

will that help to have NSO to use MFA to the device?

I need some example Java code showing how to use callback-node and action-name.
Does anyone have experience with this?

THX
sm000x

18 Replies

snovello
Cisco Employee

Hello,

While introducing MFA for users to log into devices makes sense to me, it would be good to understand the security benefit of introducing MFA to enhance the security of two software systems communicating via an NBI, NSO and a device in this case.

What would the different factors look like in this case? Just to make it concrete, say NSO starts to log in to a device, and soon after an email user receives an email with a unique URL. NSO has to log into the mail server, retrieve the URL and access it before the device enables the connection. Did we really gain much in security? We now have two different passwords that NSO needs to know, but I think the risk of compromise is likely to be correlated. I think that's why we don't hear about MFA much for machine-to-machine communication.

If you decide to implement such a scheme, I think those callbacks in the authgroup might be able to do it. They would return the password (first factor) but leave a process in the background that takes care of the other factor.

There are other ways to enhance the security of the authentication between NSO and the device that you can look at, including having a unique, randomly generated password per device and changing them frequently for the userid that NSO employs toward the device. The callback actions can also be used for NSO to retrieve credentials externally, storing any secrets in a centralised store that is carefully managed. I created an example of that with terraform vault.

https://gitlab.com/nso-developer/nso-secrets-in-vault/

Hi, Snovello:

Thank you for this suggestion. I am not an MFA person, and I know some of my company's projects have already implemented machine-to-machine MFA automation.
I do not know the details, but here is what I know:
When the application logs in to the device, the device returns a token to the application.
The application presents the token to my company's security server and gets a second password back.
The application then uses that second password to log in to the device.

I will study the URL you provided and see if I can use NSO to achieve my company's MFA implementation.

THX
sm000x

I can confirm that this is exactly the reason why callback-node was created, and you can find the examples in the dev guides that you saw above. I would not call what you described MFA but rather an external vault or password storage, as you are not providing any second piece of evidence.
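A sketch of the callback-based credential retrieval Snovello and Rogaglia describe, added here as an example and not code from this thread or from the NSO project: an NSO Java action, registered at a hypothetical call point `device-credential-cb`, that fetches the per-device password from an external secrets store each time NSO connects, so no device password is stored in NSO itself. The input and output leaf names (`device`, `remote-user`, `remote-password`), the module prefix `mfa` and the `SecretsClient` interface are assumptions; confirm the leaf names against the authgroup callback groupings in tailf-ncs-devices.yang and the YANG of your own action.

```java
package com.example.mfaauth;  // hypothetical package name

import com.tailf.conf.ConfBuf;
import com.tailf.conf.ConfObject;
import com.tailf.conf.ConfTag;
import com.tailf.conf.ConfXMLParam;
import com.tailf.conf.ConfXMLParamValue;
import com.tailf.dp.DpActionTrans;
import com.tailf.dp.DpCallbackException;
import com.tailf.dp.annotations.ActionCallback;
import com.tailf.dp.proto.ActionCBType;

public class DeviceCredentialAction {

    // Hypothetical client for the company's security/secrets server
    // (for example a Vault lookup); the real one is deployment-specific.
    public interface SecretsClient {
        String passwordFor(String device, String remoteUser) throws Exception;
    }

    private final SecretsClient secrets;

    public DeviceCredentialAction(SecretsClient secrets) {
        this.secrets = secrets;
    }

    // NSO invokes this action (configured via callback-node/action-name in the
    // authgroup) whenever it needs credentials for a device. Input leaf names
    // below are assumed; see the lead-in.
    @ActionCallback(callPoint = "device-credential-cb", callType = ActionCBType.ACTION)
    public ConfXMLParam[] fetchCredentials(DpActionTrans trans, ConfTag name,
                                           ConfObject[] kp, ConfXMLParam[] params)
            throws DpCallbackException {
        String device = null;
        String remoteUser = null;
        for (ConfXMLParam p : params) {
            if ("device".equals(p.getTag())) device = p.getValue().toString();
            if ("remote-user".equals(p.getTag())) remoteUser = p.getValue().toString();
        }
        if (device == null || remoteUser == null) {
            throw new DpCallbackException("device and remote-user are required");
        }
        String password;
        try {
            // Fresh lookup per connection: rotated passwords take effect immediately.
            password = secrets.passwordFor(device, remoteUser);
        } catch (Exception e) {
            // Fail closed: never fall back to a cached or default password.
            throw new DpCallbackException("credential lookup failed for " + device);
        }
        return new ConfXMLParam[] {
            new ConfXMLParamValue("mfa", "remote-user", new ConfBuf(remoteUser)),
            new ConfXMLParamValue("mfa", "remote-password", new ConfBuf(password))
        };
    }
}
```

The secrets server call is where a token-for-password exchange like the one sm000x describes would live; NSO only sees the final password the action returns.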

Hi, Rogaglia:

Thank you for this good news. I will study the links you sent and give it a try.

THX
sm000x