Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.2.0 - RADIUS Multi-Factor Authentication - Tutorial

Introduction

This document describes how you can use the services of RADIUS server (for example, RSA SecurID Access and FreeRADIUS) to authenticate the sessions of your privileged users with One Identity Safeguard for Privileged Sessions (SPS).

One Identity Safeguard for Privileged Sessions:

One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.

SPS acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. SPS can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from SPS's local Credential Store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with RADIUS server (or another Multi-Factor Authentication (MFA) provider), SPS directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.

Integrating RSA with SPS:

SPS can interact with your RSA Authentication Manager and can automatically request strong Multi-Factor Authentication for your privileged users who are accessing the servers and services protected by SPS. When used together with RSA SecurID Access, SPS prompts the user for a second factor authentication, and upon successful authentication, it permits the user to access the information system.

The integration adds an additional security layer to the gateway authentication performed on SPS. If the user has an RSA SecurID Hardware Token, the user can generate a One-Time Password (OTP) using the device. This will be used for the authentication to the One Identity platform. The one-time password is changed after 60 seconds.

Integrating a generic RADIUS server with SPS:

SPS can interact with your RADIUS server and can automatically request strong multi-factor authentication for your privileged users who are accessing the servers and services protected by SPS.

The integration adds an additional security layer to the gateway authentication performed on SPS. Your RADIUS server can use any hardware or software token as long as it provides standard RADIUS interface.

Meet compliance requirements

ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements, (for example, Multi-Factor Authentication (MFA) for accessing production systems, and the logging of all administrative sessions). In addition to other requirements, using SPS and RADIUS server helps you comply with the following requirements:

  • PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using MFA.

  • PART 500.12 Multi-Factor Authentication: Covered entities are required to apply MFA for:

    • Each individual accessing the covered entity’s internal systems.

    • Authorized access to database servers that allow access to nonpublic information.

    • Third parties accessing nonpublic information.

  • NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements MFA for network access to privileged accounts.

Technical requirements

In order to successfully connect SPS with RADIUS server, you need the following components.

In RSA:
  • An RSA Authentication Manager deployed.

  • RADIUS access parameters, (for example, host, port, and an RSA shared secret). You will need it to configure the SPS plugin.

  • Your users must be enrolled in RSA Authentication Manager.

  • The users must be able to perform the authentication required for the factor (for example, possess the required RSA SecurID Hardware Token).

  • Only CHAP and PAP authentication methods are supported.

In a generic RADIUS server:
  • RADIUS access parameters, (for example, host, port, and a shared secret). You will need it to configure the SPS plugin.

  • Your users must be enrolled in the RADIUS server or its backend.

  • Only CHAP and PAP authentication methods are supported.

In SPS:
  • A One Identity Safeguard for Privileged Sessions appliance (virtual or physical), at least version 5 F11.

  • A copy of the SPS RADIUS (RSA) Multi-Factor Authentication plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the RADIUS (RSA) multi-factor authentication service.

Availability and support of the plugin

The SPS RADIUS (RSA) Multi-Factor Authentication plugin is available for download as-is, free of charge to every SPS customer from the RADIUS Multi-Factor Authentication plugin for Safeguard for Privileged Sessions page. In case you need any customizations or additional features, contact our Support Team.

Caution:

Using custom plugins in SPS is recommended only if you are familiar with both Python and SPS. Product support applies only to SPS: that is, until the entry point of the Python code and passing the specified arguments to the Python code. One Identity is not responsible for the quality, resource requirements, or any bugs in the Python code, nor any crashes, service outages, or any other damage caused by the improper use of this feature, unless explicitly stated in a contract with One Identity. If you want to create a custom plugin, contact our Support Team for details and instructions.

How SPS and RADIUS server work together in detail

Figure 1: How SPS and RADIUS server work together

  1. A user attempts to log in to a protected server.

  2. Gateway authentication on SPS

    SPS receives the connection request and authenticates the user. SPS can authenticate the user to a number of external user directories, (for example, LDAP, Microsoft Active Directory, or RADIUS). This authentication is the first factor.

  3. Check if the user is exempt from multi-factor authentication

    You can configure SPS using whitelists and blacklists to selectively require multi-factor authentication for your users, (for example, to create break-glass access for specific users).

    • If multi-factor authentication is not required, the user can start working, while SPS records the user's activities. The procedure ends here.

    • If multi-factor authentication is required, SPS continues the procedure with the next step.

    For details on creating exemption lists, see [WHITELIST].

  4. Determining the RADIUS username

    If the gateway usernames are different from the RADIUS usernames, you must configure the SPS RADIUS plugin to map the gateway usernames to the RADIUS usernames. The mapping can be as simple as appending a domain name to the gateway username, or you can query an LDAP or Microsoft Active Directory server. For details, see [USERMAPPING].

  5. Authentication using a RADIUS server

    If gateway authentication is successful, SPS connects to the RADIUS server. Then SPS requests the second authentication factor from the user and sends it to the RADIUS server for verification.

  6. If multi-factor authentication is successful, the user can start working, while SPS records the user's activities. (Optionally, SPS can retrieve credentials from a local or external Credential Store or password vault, and perform authentication on the server with credentials that are not known to the user.)

    Alternatively, the RADIUS server can request Access-Challenge response. The challenge is displayed to the user and they have to respond to the challenge. After a successful response, the user can start working. In RSA SecurID, this process is used for next token mode. This means that if the password is entered incorrectly several times, two subsequent RSA SecurID tokens have to be entered for a successful authentication.

  7. If the user opens a new session within a short period, they can do so without having to perform multi-factor authentication again. After this configurable grace period expires, the user must perform multi-factor authentication to open the next session. For details, see [authentication_cache].

Notable features

This section contains the notable features of this plugin.

  • To map the gateway usernames to the RADIUS server usernames if the gateway usernames are different from the RADIUS server usernames, configure the [USERMAPPING] section of the plugin.

  • The [WHITELIST] section allows configuring authentication whitelists and blacklists for example to create break-glass access for specific users to allow them to bypass RADIUS server authentication.

  • The [authentication_cache] section contains the settings that determine how soon after performing a RADIUS server authentication must the user repeat the authentication when opening a new session.

  • The [connection_limit by=client_ip_gateway_user] section contains the options related to limiting parallel sessions.

  • This plugin supports the RADIUS Access-Challenge response and therefore the RSA SecurID next token mode. For details, see How SPS and RADIUS server work together in detail.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents