IBM Verify


Cloud Identity "MFA Everywhere" cookbook

  • 1.  Cloud Identity "MFA Everywhere" cookbook

    Posted Tue September 03, 2019 05:32 AM
    Hello All,

    My "Multi-Factor Everywhere with Cloud Identity" cookbook has just been published on the Security Learning Academy.  This cookbook explores the new Cloud Identity Gateways for Windows Login, *IX PAM, and RADIUS.

    You can access the cookbook here.

    Cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------


  • 2.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Wed September 04, 2019 09:04 AM
    Jon,

    Thank you for the cookbook.  Very well written.

    I am having an issue with "add a new authentication factor, click Add new method" on page 13.  For me, there is no "Add new method".

    Any suggestions as to how to get the "Add new method" to display so I can select the Verify app as a verification option?

    I have added some images to this reply showing my environment settings.

      My security access policies - security_access_policies.PNG

      My security authentication factors settings - security_authentication_factors_settings1.PNG and security_authentication_factors_settings2.PNG

      My security registration profiles - security_registration_profiles.PNG

      My Two-step verification options.  Notice I'm missing the "Add new method" option - Two-step_verification_Choose_a_method_actual.PNG

      Your (expected) Two-step verification options - Two-step_verification_Choose_a_method_expected.PNG

    ------------------------------
    Mike Tarkowski
    ------------------------------



  • 3.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Wed September 04, 2019 12:31 PM

    Hi Mike,

    Looking at the cookbook, I think there is one screenshot missing.

    When you initially click on the "Security" tab as an end user, you must complete 2FA using an existing registered factor (likely e-mail or SMS OTP).  This page DOES NOT show the link to add a new method.

    Once you have completed the 2FA, you'll get to the Authentication Factors management page where you will see the link to add new methods.

    Can you confirm that you got to the management page?

    Thanks... Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Wed September 04, 2019 03:02 PM
    Thanks Jon for the quick response,

    Yes, the first MFA page I get is the current MFA setting (no Verify).  Once I complete the original MFA then I go to the MFA setup and then I can add Verify.  After that, I get Verify as MFA all the time.  Great document.  Keep them coming!

    ------------------------------
    Mike Tarkowski
    ------------------------------



  • 5.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Thu September 05, 2019 09:35 AM
    Jon,

    Got the Verify working, very impressive.  Thanks again for the guide.

    New question, in step 2.2 of the guide you show how to set up the Verify Registration Profile.  Let's say we have multiple groups of people all using Verify as MFA when authenticating at the portal.  Each group has different Verify requirements so I create several Verify Registration Profiles.  How do I configure Verify Registration Profile A to be used by certain people, and Verify Registration Profile B to be used by others?

    From the testing we have done, it appears whichever Verify Registration Profile is listed at the top of the portal web page becomes the default.  Ideally we would want to set a Verify Registration Profile as part of a user profile detail or user group.


    Thanks in advance.

    ------------------------------
    Mike Tarkowski
    ------------------------------



  • 6.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Thu September 05, 2019 02:34 PM
    Hi Mike,

    I don't believe there is currently a way to handle multiple Registration Profiles when using the IBM Verify method with the Web UI.  As you saw, it will always pick whichever is returned first from the list.  To make this work in the way you suggest, there would have to be some logic to determine which Profile to invoke for a given user (and potentially offer a choice if a user has more than one registered).

    Obviously if you were writing your own application against the Cloud Identity APIs, it would be able to implement whatever selection logic you needed and specify the Registration Profile during initiation of the method.

    If you feel strongly about this, you should probably submit a Request For Enhancement. (https://ibm.biz/cloudidentityrfe)

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 7.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Wed August 26, 2020 07:05 AM
    Edited by Prashant Narkhede Wed August 26, 2020 09:14 AM

    Hi Jon,

    Thank you for the cookbook.

    I am configuring the IBM Verify Gateway for Windows Login. For this, I am using Windows Server 2016.
    I did the configurations suggested in the cookbook.

    However, the issue I am facing is that I am not able to see any Sign in options on the Windows Login screen. I checked the configurations again but those look fine to me.
    The other question is, do I need to create demouser as a Windows local user?  I tried with and without the user but it didn't help.

    I progressed with other use cases for IBM Verify Gateway for PAM and am facing issues for that too.
    The commands and configurations have been completed successfully, but when accessing the Linux machine using ssh it is repeatedly prompting for the password.

    Also, after the configurations, SSH access to root has been blocked even though root is a member of the nomfa group.

    Can you please help me with this?

    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 8.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Wed August 26, 2020 10:11 AM

    Prashant,

    I can't tell what the issue is from the information provided. Both Windows Login and PAM login have the ability to write a trace log. You should turn that on and see if these logs give a clue on the problem. If not, post here and hopefully it can help with debug.

    For the Windows issue, not seeing the Verify login option means the credential provider didn't initialise correctly. This is likely related to a configuration issue. Maybe provide your config here (with keys redacted).  Creation of demouser is not required to see the credential provider option so that is not the issue.

    For the SSH issue, make sure the SSHD configuration has been updated to allow multi-step login - and that the sshd service has been restarted after the change.

    Jon.

    P.S. I am on vacation this week. I will only be checking the forum infrequently.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 9.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Wed September 02, 2020 02:07 AM

    Hi Jon,

    I have checked the configurations again and observed that I am using obf-client-secret. I guess this needs additional encryption using some tool. So I changed it to client-secret and 2FA with Windows login worked for me. However, I had to create demouser on the Windows machine as a local user.

    For 2FA for Linux SSH, I have turned on the logs and observed a permission denied error while calling the v1.0/endpoint/default/token endpoint from the Linux machine.

    I have enabled all for the MFA-Client created in CI. Also, tried to call the token endpoint from the same Linux machine via CURL and it's working fine.

    I think I am missing something in the configuration. Can you please guide me on this?




    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 10.  RE: Cloud Identity "MFA Everywhere" cookbook

    Posted Wed September 02, 2020 12:52 PM
    Prashant,

    On windows login:
    If you prefer to use the obf-client-secret, you can generate the obfuscated value using the obfuscate.exe utility provided in the installation directory.
    The first part of the Windows Login is done against the local machine (or AD) so all users must exist there as well as in the Verify cloud directory.

    On Linux login:
    I'm not sure why you would get a permission denied error from the token endpoint.  To me that would indicate a bad host, client ID or secret.  The configuration is quite simple so should be easy to check.  The top of the configuration has this format:

    {
      "ibm-auth-api":{
        "client-id":"xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "client-secret":"xxxxxxxxxx",
        "protocol":"https",
        "host":"xxxx.verify.ibm.com",
        "port":"443",
        "authd-port":12,
        "max-handles":"16"
      },

    Make sure you have set the host, client-secret, and client-id correctly.  When I set up SSH I had to make a change to SELinux policy to allow the sshd process to communicate on port 12 (where the verify daemon is listening).  I also had to modify the sshd configuration to allow for multi-step authentication.  I did cover all of this in my MFA Everywhere cookbook.

    When you say you called the token endpoint via cURL, did you send the client-id and secret and successfully get back an Access Token? If so, then I can't explain the issue... perhaps you will need to open a support case.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
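As an added example (not from the cookbook or from anyone in this thread), a small Python check in the spirit of Jon's advice: it validates the ibm-auth-api block for missing or still-templated values and builds the client-credentials call to the v1.0/endpoint/default/token endpoint, so a permission denied there can be tied to the host, client-id or secret. The client_credentials grant and all sample values are assumptions.

```python
import json
import re
import urllib.parse
import urllib.request

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
TEMPLATE_RE = re.compile(r"^x+(?:-x+)*$")  # "xxxx-xxxx" placeholders left from the template

# Constructed sample mirroring the "ibm-auth-api" block quoted above; every value is made up.
SAMPLE_CONFIG = """{
  "ibm-auth-api": {
    "client-id": "12345678-abcd-4321-abcd-123456789abc",
    "client-secret": "example-secret-placeholder",
    "protocol": "https",
    "host": "example.verify.ibm.com",
    "port": "443",
    "authd-port": 12,
    "max-handles": "16"
  }
}"""

def check_auth_api(config_text):
    """Return the problems found in ibm-auth-api (an empty list means it looks sane)."""
    api = json.loads(config_text).get("ibm-auth-api", {})
    problems = []
    for key in ("client-id", "client-secret", "protocol", "host", "port"):
        value = api.get(key)
        if value in (None, ""):
            problems.append(f"{key} is missing")
        elif TEMPLATE_RE.match(str(value)):
            problems.append(f"{key} still holds the template placeholder")
    if api.get("client-id") and not UUID_RE.match(api["client-id"]):
        problems.append("client-id is not a UUID")
    return problems

def token_request(config_text):
    """Build the client-credentials POST (assumed grant) sent to the token endpoint."""
    api = json.loads(config_text)["ibm-auth-api"]
    url = f"{api['protocol']}://{api['host']}:{api['port']}/v1.0/endpoint/default/token"
    form = {"grant_type": "client_credentials",
            "client_id": api["client-id"], "client_secret": api["client-secret"]}
    return url, urllib.parse.urlencode(form).encode()

def fetch_access_token(config_text):
    """Send the request; a 401/403 here points at a wrong tenant host, client-id or secret."""
    url, body = token_request(config_text)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]
```

Run check_auth_api on the real gateway config first; only when it returns an empty list is fetch_access_token worth trying from the Linux host.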