2-Factor Authentication

Enabling 2-Factor Authentication on the Appliance is currently supported with External Authentication to IPA.

In this guide we will cover how to manually configure a 7.1 Appliance’s external authentication to work with 2-Factor Authentication with IPA. This provides IPA Users access to the Appliance Administrative UI and the REST API using their IPA Password followed by a One-Time-Password.

Requirements

The following is needed in order to enable 2-Factor-Authentication to the Appliance:

  • A CentOS/RHEL 7.1 based Appliance

  • IPA Server based on FreeIPA 4.1.0 or later

Configure Administrative UI

Login as admin, then in Configure→Configuration→Authentication

  • Set mode to External (httpd)

  • Check: Get User Groups from External Authentication (httpd)

  • Do Not Check: Enable Single Signon

    • Note: Kerberos SSO with OTP is not supported in the current release of FreeIPA 4.1.0 on CentOS/RHEL 7.1

  • Click Save.

The above steps need to be done on each UI and WebService enabled appliance.

in Configure→Configuration→Access Control

  • Make sure the user’s groups are created on the Appliance and appropriate roles assigned to those groups.

Configure External Authentication

Using the Appliance Console, simply enable external authentication as you currently would to IPA.

  1. Login to console as root

  2. Run appliance_console

  3. Summary screen should show External Auth as not configured, Press any key

  4. From the Advanced Setting menu, select the menu item Configure External Authentication (httpd)

  5. Enter the FQDN of the IPA Server, i.e. ipaserver.test.company.com

  6. Enter the IPA Server domain, i.e. test.company.com

  7. Enter the IPA Server realm, i.e. TEST.COMPANY.COM

  8. Press enter to select the default IPA Server Principal, i.e. admin

  9. Enter the Password of the IPA Server Principal

  10. Review details, and Enter y to proceed.

Enabling 2-Factor Authentication

Enabling 2-Factor Authentication is done using the IPA administrative UI.

  • The IPA administrator needs to change the User authentication types for the user from Password or Radius to Two factor authentication (password + OTP)

  • The previous can be done either per user or for all users from the IPA Server global Configuration under User Options.

  • The user logs into IPA, then from the OTP Tokens tab, add an OTP token - Time-based (TOTP) or Counter-based (HOTP).

  • Specifying a Description for the OTP, then clicking add, brings up a QR Code which can then be scanned into an app like FreeOTP for example.

  • Then from the main IPA login screen, the user can Synchronize the OTP Token by specifying their Username, password and then two OTP’s generated from the FreeOTP app.

  • After which, the user can login to FreeIPA using their Password+OTP.

Using 2-Factor Authentication

Once the above is done, the user now needs to specify their IPA Username and their Password followed by their One-Time-Password as generated by the FreeOTP app, when:

  • Logging into the Appliance Administrative UI

  • Accessing the REST API