Web UI Multi-factor authentication

ryan-hitch
Level 4

Looking for suggestions to support multi-factor authentication via Yubikey/RSA SecureID for the Web UI. The customer is currently using PAM authentication with NSO. Network devices use multi-factor authentication (through Cisco ISE) for direct CLI logins, but NSO users are mapped to a common network device user which does not require multi-factor as an interim solution. So that multi-factor is still in the "path" to device access, the customer wants to ensure that the Web UI supports it in some fashion.

Any suggestions are greatly appreciated.
Somewhat related: Cisco has some pretty good documentation for setting up multi-factor device authentication using ISE using RADIUS RFC-3865 Compliant token servers for Yubikey/RSA SecureID...

https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120

3 Replies

joepak
Cisco Employee

Hi,
You could take a look at /ncs-config/aaa/external-authentication/
In the tailf-ncs-config.yang file:
container external-authentication {
  presence "";
  leaf enabled {
    type boolean;
    default false;
    description "
        When set to 'true', external authentication is used.";
  }
  leaf executable {
    type string;
    description "
        If we enable external authentication, an executable on the
        local host can be launched to authenticate a user.  The
        executable will receive the username and the cleartext
        password on its standard input. The format is
        '[${USER};${PASS};]\\n'. For example if user is 'bob' and
        password is 'secret', the executable will receive the line
        '[bob;secret;]' followed by a newline on its standard
        input. The program must parse this line.

        The task of the external program, which for example could
        be a RADIUS client is to authenticate the user and also
        provide the user to groups mapping. So if 'bob' is member
        of the 'oper' and the 'lamers' group, the program should
        echo 'accept oper lamers' on its standard output.  If the
        user fails to authenticate, the program should echo
        'reject ${reason}' on its standard output.";
  }
}
and for the external-validation:
container external-validation {
  presence "";
  leaf enabled {
    type boolean;
    default false;
    description
      "When set to 'true', external token validation is used.";
  }
  leaf executable {
    type string;
    description
      "If we enable external token validation, an executable on the
       local host can be launched to validate a user.  The
       executable will receive a cleartext token on its standard
       input. The format is '[${TOKEN};]\\n'. For example if the token is
       '7ea345123', the executable will receive the string '[7ea345123;]'
       followed by a newline on its standard input. The program must parse
       this line.

       The task of the external program, which for example could
       be a FUSION client, is to validate the token and also provide
       the token to user and groups mappings. Refer to the External
       validation section of the AAA chapter in the User
       Guide for the details of how the program should report the
       result back to NSO.";
  }
}
So, when you configure external auth, as it prompts for user/pass in the WebUI, it should communicate to the external server to validate authentication.
Let me know if this helps.
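As an added illustration (not code from this thread or from NSO itself), here is a minimal Python program that speaks the external-authentication protocol described in the YANG text above: it parses the '[user;pass;]' line NSO writes to stdin and answers with 'accept <groups>' or 'reject <reason>'. The `demo_verify` backend is a constructed stand-in; a real deployment would call the RADIUS/OTP server at that point.

```python
"""Hypothetical NSO external-authentication executable (example, not NSO code).

NSO writes '[${USER};${PASS};]\n' to this program's stdin and reads back one
line: 'accept <group> ...' or 'reject <reason>'. The password arrives in
cleartext, so the raw input line is never logged or echoed back.
"""
import hmac
import sys
from typing import Callable, Optional, Sequence, Tuple

# Backend hook: (user, password) -> groups on success, None on failure.
Verifier = Callable[[str, str], Optional[Sequence[str]]]


def parse_auth_line(line: str) -> Optional[Tuple[str, str]]:
    """Split an NSO '[user;pass;]' line into (user, password); None on bad framing.
    Only the first ';' separates user from password, so ';' inside the password survives.
    """
    line = line.rstrip("\r\n")
    if not (line.startswith("[") and line.endswith(";]")):
        return None
    user, sep, password = line[1:-2].partition(";")  # drop '[' and ';]'
    if not sep or not user:
        return None
    return user, password


def respond(line: str, verify: Verifier) -> str:
    """Return the single reply line NSO expects for one input line."""
    parsed = parse_auth_line(line)
    if parsed is None:
        return "reject malformed input"  # reason text must not carry the secret
    groups = verify(*parsed)
    if groups is None:
        return "reject authentication failed"
    return " ".join(["accept", *groups])


def demo_verify(user: str, password: str) -> Optional[Sequence[str]]:
    """Constructed in-memory backend standing in for a RADIUS/OTP client."""
    table = {"bob": ("secret", ["oper", "lamers"])}
    entry = table.get(user)
    if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
        return entry[1]
    return None


if __name__ == "__main__":
    print(respond(sys.stdin.readline(), demo_verify))
```

Point the `executable` leaf at this script (with `enabled` set to true) and NSO will run it per login; the reject reason is kept generic so the cleartext password never reaches NSO's logs.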

Thanks. I will look into this. I am also looking into the RSA Authentication Agent for PAM or running an NGINX web proxy with support for Yubikey PIV certificate/SecureID OTP authentication in front of NSO.

Another thing worth mentioning: take a look at the NSO Admin guide for External token validation.

This information should also elaborate more on what you are looking for 😊