WHITE PAPER

Configuring RSA Authentication: Quick Guide for PBPS, PBW and PBUL


Configuring RSA Authentication: Quick Guide for PBPS, PBW and PBUL © 2018. BeyondTrust Software, Inc.


Contents

Configuring RSA SecurID Authentication for PowerBroker Password Safe using RADIUS (page 2)
Configuring RSA SecurID Authentication for PowerBroker for Windows using RADIUS (page 10)
Configuring RSA SecurID Authentication for PowerBroker for Unix and Linux, and PBIS, using RADIUS (page 15)
    Configuring PBUL (page 15)
    Testing the Configuration (page 17)
Configuring RSA SecurID Authentication for PowerBroker Password Safe Direct Connect (page 20)
Configuring RSA SecurID Authentication for PowerBroker Password Safe using SAML (page 23)


Configuring RSA SecurID Authentication for PowerBroker Password Safe using RADIUS

1. In the RSA Security Console, assign a Soft Token to a user.

2. Distribute the Soft Token so the user can install it on their device.


3. Import the Soft Token on your device. Windows is used in this example.

4. You can try to log on to the Security Console as the user to confirm that the Soft Token is working as expected. You can grant a role to the user.


5. Select Passcode as the authentication method.

6. Get the Tokencode from the Soft Token. Depending on your policy, you may need to use PIN+Tokencode as the Passcode. The first time you use the Soft Token, you may be asked to select a PIN. Make sure you know how to use the PIN and Tokencode.


7. Once you provide the right Passcode, you should be able to log in.

8. You can use the Dashboard for the user in Security Console to troubleshoot.


9. You need to create a RADIUS Client for the BeyondInsight server and select a shared secret. An Agent is also needed with the Client.


10. In BeyondInsight, configure RADIUS Authentication for RSA.

11. Assign RADIUS Method to a test user in BeyondInsight.


12. Log on to BeyondInsight with your test user.

13. Enter the passcode and click Submit.

You should be logged on to Password Safe or the BeyondInsight Home page for the user.


Configuring RSA SecurID Authentication for PowerBroker for Windows using RADIUS

1. Using Group Policy Editor, or Policy Editor, create the Multifactor record. Increase the timeout to 30 seconds, enter the shared secret you selected in the RSA Security Console, and leave the default for Initial Request (Username and Token).


2. Create a user message.


3. Create a test Privileged Identity rule for an application.

4. Create a shortcut for C:\Windows\system32\MRT.exe on your desktop.


Now when you start the application, you should see the User Message and the Passcode Challenge.


The test application should start after you provide your passcode.


Configuring RSA SecurID Authentication for PowerBroker for Unix and Linux, and PBIS, using RADIUS

If you want to configure your Unix or Linux host for PAM/RADIUS authentication, see the RSA web site:

https://community.rsa.com/community/products/securid/authentication-agent-pam

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so

2. Create a config file for your PAM server: /etc/raddb/server

Format is: ip_address:port sharedsecret timeout

For example: am8.company.com:1812 btlab16* 30

3. Edit /etc/pam.d/sshd as follows:

    auth       required   pam_radius_auth.so
    account    required   pam_radius_auth.so
    password   required   pam_radius_auth.so
    auth       substack   password-auth
    auth       include    postlogin
----------------------

4. You may need to change /etc/ssh/sshd_config to allow PAM (UsePAM yes).

If PAM is not yet available on the Unix or Linux host, follow the steps in the RSA document linked above to install it using yum.

5. Restart sshd for ssh configuration to take effect: service sshd restart

Note: If you plan to use Password Safe with RSA SecurID, configuring the host for PAM/RADIUS will be redundant.
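Before restarting sshd, it is worth confirming that the server file from step 2 parses and that its shared secret is not readable by other users. The following POSIX shell check is an added example, not code from the BeyondTrust guide; the temp-file path, the sample contents and the mode-600 requirement are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the BeyondTrust guide: sanity-check an
# /etc/raddb/server file ("ip_address:port sharedsecret timeout")
# before restarting sshd. The temp-file path and the 0600 requirement
# are assumptions made for this demonstration.

# parse_raddb_line LINE: prints "host port timeout"; returns 1 on a bad line
parse_raddb_line() {
    set -f        # no globbing: a secret such as "btlab16*" must not expand
    set -- $1     # split the line on whitespace into host:port secret timeout
    set +f
    if [ $# -ne 3 ]; then
        echo "expected 3 fields (host:port secret timeout), got $#" >&2
        return 1
    fi
    case $1 in *:*) ;; *) echo "missing :port in '$1'" >&2; return 1;; esac
    host=${1%%:*}
    port=${1##*:}
    timeout=$3
    case $port in ''|*[!0-9]*) echo "bad port '$port'" >&2; return 1;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    case $timeout in ''|*[!0-9]*) echo "bad timeout '$timeout'" >&2; return 1;; esac
    printf '%s %s %s\n' "$host" "$port" "$timeout"
}

# check_raddb_file FILE: 0 when the file is root-only (mode 600) and every
# non-comment line parses; the shared secret is stored in clear text here
check_raddb_file() {
    file=$1
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    if [ "$mode" != "600" ]; then
        echo "$file has mode $mode; run chmod 600 so only root can read the secret" >&2
        return 1
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        parse_raddb_line "$line" >/dev/null || return 1
        n=$((n + 1))
    done < "$file"
    [ "$n" -gt 0 ] || { echo "no server entry in $file" >&2; return 1; }
}

# Constructed sample written to a temp dir so the example never touches /etc.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE="$SAMPLE_DIR/server"
printf '%s\n' '# RSA Authentication Manager (values from the guide)' \
    'am8.company.com:1812 btlab16* 30' > "$SAMPLE"
chmod 600 "$SAMPLE"
check_raddb_file "$SAMPLE" && echo "$SAMPLE: OK"
```

Point check_raddb_file at the real /etc/raddb/server on the host to validate it the same way.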

Configuring PBUL

We will configure and test a use case around pbrun and a privileged command. These steps are based on CentOS 64-bit.

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so

2. Create a config file for your PAM server: /etc/raddb/server

3. Create the file pbul_pam_radius under /etc/pam.d:

    #task control module
    auth       required   pam_radius_auth.so
    account    required   pam_radius_auth.so
    password   required   pam_radius_auth.so
-----------

Then you can configure a role, e.g. DemoRole, to allow elevated commands and use PAM.


4. In /etc/pb/pbul_functions.conf, add this section:

    # Procedure DemoRole:
    # If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all users) to run
    # commands in DemoCommands (default 'id' and 'whoami') as 'root'
    #
    procedure DemoRole()
    {
        if ( EnableDemoRole && user in DemoUsers && (runhost in DemoHosts ||
             TargetRunHostShortName in DemoHosts) && basename(command) in DemoCommands )
        {
            SetRunEnv("root", true);
            accept;
        }
    }
-----------

5. In /etc/pb/pbul_policy.conf, add this section:

    # This enables "Demo role", which allows any user in DemoUsers (default all users) to run
    # commands in DemoCommands (default 'id' and 'whoami') as 'root'
    # on any host in DemoHosts (default all hosts)
    # By default, this role is disabled. To enable this set EnableDemoRole to true below.
    #
    # IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
    #
    EnableDemoRole = true;
    DemoUsers = {"amiller", "jsmith1"};
    DemoCommands = {"id", "whoami", "useradd", "userdel"};
    DemoHosts = {runhost, TargetRunHostShortName};
    runconfirmuser = "btuapi";
    runconfirmpasswdservice = "pbul_pam_radius";
    DemoRole();
-----------

6. Create a user on your Unix or Linux host to match the user in RSA, e.g. jsmith1 in above example.


Testing the Configuration

You are ready to test the configuration.

1. Use Putty to log on to the Linux server as jsmith1.

2. Run the privileged command useradd directly: Permission denied.


3. Using pbrun, PAM/RADIUS authentication is triggered. Once authenticated, the command executes and the user "backdoor" is created. For the password, provide the Passcode obtained from the Soft Token (PIN+Tokencode in the example).


Then you should be authenticated.

Since the userdel command is also included in the policy, we can follow the same steps for userdel.


Configuring RSA SecurID Authentication for PowerBroker Password Safe Direct Connect

For Direct Connect, we can use the RSA SecurID Authenticate app on a mobile device, which offers the Push or Approve method.

For SSH sessions, we can configure Putty, or the tool of our choice, with an SSH link similar to the following:

btlab\bt-user1@mdavis_uadmin@lserver01@bi01

The port is 4422 by default, which is the port of the PBPS Proxy, not 22, which is the port of the target host behind the proxy.

mdavis_uadmin is the managed account for lserver01, and bi01 is my PBPS Proxy.

My RSA user with the app on their mobile device is an Active Directory user in my lab.

1. RADIUS configuration for test user bt-user1.


2. Putty configuration.

3. Direct Connect session. 1(Approve) was provided for the method.


4. Approve notification on mobile app (RSA Authenticate).

RDP Direct Connect supports only the PUSH (Approve) method. The user must enter the password in the password field, followed by a delimiter (the default is ,) and the response for the interaction (1 with our configuration). BeyondInsight version 6.4.4 or above is required. Please refer to the documentation for more information, including how to set a custom delimiter.


Configuring RSA SecurID Authentication for PowerBroker Password Safe using SAML

This section is incomplete

1. Log on to the RSA admin portal.

2. Click Add Application.

3. Click Create New App.

4. Select SAML 2.0 as the sign in method.

5. Click Create.

6. Enter an application name.

7. Click Next.

8. Enter the Single sign on URL: https://ServerURL/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx

9. Select the check box Use this for Recipient and Destination URL.

10. Enter the Audience URI (SP Entity ID): https://ServerURL/eEye.RetinaCSSAML

11. Select RSA username from the Application username menu.

12. Add attributes:

• Group (required), set as a literal. This must match the group created in BeyondInsight.

• Name (required)

• Email (Optional)

• Surname (optional)

• GivenName (Optional)

13. Click Next.

14. Select appropriate settings for RSA support and click Finish.

15. Click View Setup Instructions.

16. Copy the Identity Provider Single Sign-On URL. Save the value to be used in step 21.

17. Copy the Identity Provider Issuer. Save the value to be used in step 21.

18. Click Download Certificate and save this on the BeyondInsight server in C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates

19. Rename the certificate to “RSA.cer”.

20. Open the saml.config file:

C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\saml.config

21. In Notepad, edit ServiceProvider Name:

• edit PartnerIdentityProvider Name: Identity Provider Issuer from step 17.

• edit SingleSignOnServiceUrl: Identity Provider Single Sign-On URL from step 16.

• edit SingleLogoutServiceUrl: Identity Provider Single Sign-On URL from step 16.


22. Save the saml.config file.

23. Open the web.config file:

C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\web.config

24. In Notepad, edit the PartnerIdP value: Identity Provider Issuer from step 17.

25. Save the web.config file.