Your enterprise has implemented two-factor authentication for all access to computer systems. In a nutshell, two-factor authentication combines something you know with something you have. The 'something you know' can be a password. The 'something you have' can be a token card or a certificate together with the private key that belongs to it. An attacker would need both to gain access; knowing the password alone is not enough.
You can configure NIOS to use the two-factor authentication method to authenticate users based on X.509 client certificates. In two-factor authentication, NIOS first negotiates SSL/TLS client authentication to validate the client certificate. It then authenticates the admin according to the configured authentication policy. You must first configure an authentication policy, and then configure and enable the certificate authentication service, for two-factor authentication to take effect. The authentication policy references the certificate authentication service as its authentication method.
Prerequisites
- (Optional) OCSP (online certificate status protocol) responder.
- Microsoft Active Directory server with Certificate Authority.
Please consult with your PKI (public key infrastructure) expert on the certificates.
Authentication data flow for 2-factor authentication on the Infoblox appliance
- The client workstation issues an HTTPS request to the FQDN or IP address of the Infoblox appliance.
- During the TLS handshake, the Infoblox appliance sends a certificate request to the client.
- The client presents its certificate. If it has none, TLS client authentication fails and the login is refused.
- The Infoblox appliance validates the certificate chain against the CA certificates uploaded to it, then sends an OCSP request (the certificate's serial number and issuer identifiers, not the public key) to the OCSP responder to confirm the certificate has not been revoked.
- If the certificate is valid and unrevoked, the client must prove that it holds the private key matching the certificate's public key. The appliance challenges the client with fresh random data (a nonce) and the client signs it with its private key; in TLS this is the CertificateVerify message, a signature over the handshake transcript.
- The Infoblox appliance verifies that signature with the public key from the certificate. A valid signature proves the client holds the private key belonging to that certificate; possession of the certificate alone, which is public, proves nothing.
- The Infoblox appliance then performs a user group lookup against the Active Directory server.
- The lookup key is taken from the certificate: either the account name or the UPN (User Principal Name) carried in the SAN (Subject Alternative Name), depending on which attribute is configured.
- The Infoblox appliance binds to the Active Directory server with a service account to perform this lookup.
- Authentication succeeds, and the group membership returned by Active Directory is used for authorization.
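To make the PKI half of this flow concrete, here is an added lab script (not from the Infoblox post and not NIOS code) that uses openssl to do what the appliance does before it contacts Active Directory: validate a client certificate against an uploaded CA, read the UPN out of its SAN, and check revocation status over OCSP, first while the certificate is valid and again after it is revoked. It assumes openssl 1.1.1 or newer; the CA, the user alice@corp.example, the responder URL ocsp.corp.example and the serial number are constructed lab values. The Active Directory group lookup needs a live domain controller and is not simulated.

```shell
#!/bin/sh
# Lab script: the PKI checks a certificate-authenticating appliance performs
# before it consults AD, done with openssl against a throwaway CA.
#   1. chain validation against the uploaded CA certificate
#   2. reading the UPN from the SAN (the attribute later passed to AD)
#   3. OCSP status lookup, answered from a local index file (good, then revoked)
# Requires openssl 1.1.1+. All names, serials and dates below are made up.
set -eu

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

make_lab_pki() (
    cd "$LAB"
    # Minimal config so the script does not depend on the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # What an admin's client certificate needs: clientAuth EKU, the UPN as a
    # SAN otherName (OID 1.3.6.1.4.1.311.20.2.3, msUPN) and an AIA pointer to
    # the OCSP responder. Both the UPN and the URL are lab values.
    cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@corp.example
authorityInfoAccess = OCSP;URI:http://ocsp.corp.example/
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -config ca.cnf -subj "/CN=Lab Issuing CA" \
        -days 365 -out ca.pem 2>/dev/null
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -config ca.cnf -subj "/CN=alice" \
        -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 365 -extfile client.ext -out client.pem 2>/dev/null
)

# Chain validation: is the presented certificate signed by a CA in the store
# and usable for client authentication? Prints "client.pem: OK".
verify_client_chain() (
    cd "$LAB" && openssl verify -CAfile ca.pem -purpose sslclient client.pem
)

# The attribute handed to AD: the UPN from the SAN otherName. openssl 3.x
# decodes it ("othername: UPN::alice@corp.example"); 1.1.1 only prints
# "othername:<unsupported>" although the value is present in the certificate.
client_upn() (
    cd "$LAB" && openssl x509 -noout -ext subjectAltName -in client.pem | sed -n '2s/^ *//p'
)

# Responder database in openssl's index.txt layout:
# status, expiry, revocation date[,reason], serial, filename, subject DN.
# $1 is V (valid) or R (revoked); $2 is the revocation field (empty for V).
write_index() {
    serial=$(openssl x509 -noout -serial -in "$LAB/client.pem" | cut -d= -f2)
    printf '%s\t351231235959Z\t%s\t%s\tunknown\t/CN=alice\n' \
        "$1" "${2:-}" "$serial" > "$LAB/index.txt"
}

# OCSP round trip with no network: build the request the appliance would send,
# answer it from the index as the CA-signed responder, then verify the answer
# the way the appliance would. Prints good, revoked or unknown.
ocsp_status() (
    cd "$LAB"
    openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    openssl ocsp -respin resp.der -issuer ca.pem -cert client.pem -CAfile ca.pem \
        -no_nonce 2>/dev/null | awk 'NR==1 {print $2}'
)

make_lab_pki
echo "chain: $(verify_client_chain)"
echo "upn:   $(client_upn)"
write_index V ""
echo "ocsp:  $(ocsp_status)"
write_index R "240101000000Z,keyCompromise"
echo "ocsp:  $(ocsp_status)"   # revoked: the appliance must refuse this login
```

The first OCSP line should read good and the second revoked; a revoked (or unknown) answer is the case the appliance has to treat as a failed login even though the signature check would still pass, which is why the revocation check sits before the private-key proof in the flow above.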
Setting up 2-factor authentication on NIOS appliances
- Log into the Infoblox GUI.
- Navigate to Grid → Grid Manager → Toolbar → Certificates → Manage Certificates.
- Click on the '+' button to upload the certificates of the Certificate Authority chain that issued your client certificates.
- If the OCSP responder's certificates are issued by a different chain, upload that chain as well.
- Navigate to Toolbar → Grid Properties → Edit → DNS Resolver.
- Click on the button to enable DNS resolver.
- Click on the ‘+’ button to add the IP address of the Active Directory server.
- Click Save and Close.
- Navigate to Administration → Authentication Server Groups → Active Directory Services.
- Hit the ‘+’ to add an entry.
- Enter the name of the Active Directory Service.
- Enter the name of the Active Directory Domain.
- In the Domain Controllers section, click on the + button to add a server. Use the fully qualified domain name of the server.
- Change the encryption to SSL.
- Click on the ‘test’ button. If it is successful, click on the ‘add’ button.
- Click ‘Save and Close’.
- Navigate to Certificate Authentication Services.
- Click on the ‘+’ button to add Certificate Authentication Service.
- Add a name for the service.
- Uncheck Username/password request.
- Click on the button to Enable remote lookup for user membership.
- In Authentication service, add the name of the active directory service.
- Add the username of the service account created in Active Directory for the Infoblox appliance to bind with. This account only needs permission to read user objects and their memberOf attribute; do not use a more privileged account.
- Click on Next.
- Click on the '+' button to add an OCSP responder IP address. In this example, the OCSP Check Type is set to manual. However, you will most likely use AIA and manual together, defining some local OCSP responders and also using the AIA URL from the user's certificate.
- Enter the port number configured on the OCSP server. This port number would come from your PKI (public key infrastructure) expert.
- Add the certificate for the OCSP server if you want to use the test button.
- Click on the test button.
- If successful, click Add.
- Click Next.
- Click on the '+' button to add the CA certificates from the certificate store that will be used to authenticate users.
- Click save and close.
- Navigate to Administration → Administrators → Authentication Policy.
- Click on the ‘+’ in Authenticate users section.
- Click on the Certificate Authentication Service button.
- Choose the Authentication Server Group that was created before.
- Click the Add button.
- You should get a message stating 2-factor authentication enabled.
The last thing that needs to be done is to install your certificate onto your browser. Please consult your PKI expert to install certificates onto your browser.
Summary
Many enterprises and service providers are implementing 2-factor authentication to strengthen access control to their applications. This blog shows how the 2-factor authentication data flow works between the Infoblox appliance, OCSP responders and Microsoft Active Directory servers, and documents the steps to configure 2-factor authentication on the Infoblox appliance.