29 June 2018

Multi-factor Authentication Improvements in PxM Platform Version 6.1.0

Andy Harris

Since the PxM Platform is an ‘Identity In – Role Out’ product, the quality of identity proof is crucial in highly secure environments.

We’ve improved our Multi-factor Authentication implementation in the PxM Platform Release 6.1.0 such that it can use authentication services in series.

For example, you can define ‘Active Directory then Radius’ or ‘Local then Radius’.

For the demonstration in the video below, we used Active Directory and then freeradius with Google Authenticator in a Docker container.

It works by creating a login queue for the user that first sends the username and password to Active Directory. When this succeeds, the first part of the queue is cleared. Then the username and token are sent to freeradius; if this returns ‘accept’, the queue is complete and the user is logged in.
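The serial login queue described above, as an added example in Python (not PxM Platform code; the AD and RADIUS checks and the user data are constructed stand-ins): each service receives only its own credential, and a rejection stops the queue before the next service is contacted.

```python
# Added example (not PxM Platform code): a login queue that consults each
# authentication service in series and stops at the first rejection.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Stage:
    name: str                          # service name, e.g. "AD LDAPS" or "radius"
    credential: str                    # which credential this stage consumes
    check: Callable[[str, str], bool]  # (user, credential) -> accepted?

@dataclass
class LoginQueue:
    stages: List[Stage]
    trail: List[str] = field(default_factory=list)  # audit trail of the attempt

    def run(self, user: str, creds: Dict[str, str]) -> bool:
        pending = list(self.stages)
        while pending:
            stage = pending[0]
            self.trail.append(f"Attempting to authenticate {user} via {stage.name}")
            # Each service sees only its own credential: AD never sees the token,
            # RADIUS never sees the password.
            if not stage.check(user, creds.get(stage.credential, "")):
                self.trail.append(f"Failed {stage.name} authentication for user {user}")
                return False  # fail fast: services later in the queue are never contacted
            pending.pop(0)    # stage cleared, the next service is now at the head
        self.trail.append(f"Successfully authenticated {user}")
        return True

# Constructed stand-ins for Active Directory and freeradius (hypothetical data).
AD_PASSWORDS = {"alice.smith": "correct horse battery"}
RADIUS_TOKENS = {"alice.smith": "476108"}

def ad_check(user: str, password: str) -> bool:
    return AD_PASSWORDS.get(user) == password

def radius_check(user: str, token: str) -> bool:
    return RADIUS_TOKENS.get(user) == token

def login(user: str, password: str, token: str) -> Tuple[bool, List[str]]:
    """Run 'Active Directory then Radius' for one user; returns (accepted, audit trail)."""
    queue = LoginQueue([Stage("AD LDAPS", "password", ad_check),
                        Stage("radius", "token", radius_check)])
    ok = queue.run(user, {"password": password, "token": token})
    return ok, queue.trail
```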

MFA works by combining ‘Something you Know – [password]’ with ‘Something you Have – [App on your Mobile]’ and ‘Something you Are – [Biometrics]’.

Multiple authentication services add an extra level of security, but also more complexity for debugging and auditing.

To simplify this, we’ve enhanced both the syslog messages we emit and the ‘external.log’, where authentication service interactions are recorded.

Here are some examples:

Fail Radius

2018-07-02T15:00:54.491039+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate "alice.smith" via AD LDAPS.
2018-07-02T15:00:54.491629+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate "alice.smith" via AD LDAPS.
2018-07-02T15:00:54.492745+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Binding with "alice.smith@2012.osirium.tom"
2018-07-02T15:00:54.516523+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate alice.smith via radius.
2018-07-02T15:00:55.542036+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Failed RADIUS authentication for user alice.smith
2018-07-02T15:00:55.542761+00:00 localhost EXTERNAL: ERROR [osirium.external.sessions] User u'alice.smith' at address '12.11.10.9' failed to login to the PxM Platform this could mean an incorrect password or an unavailable authentication service.

Fail Active Directory

2018-07-02T15:07:45.481045+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate "alice.smith" via AD LDAPS.
2018-07-02T15:07:45.481713+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate "alice.smith" via AD LDAPS.
2018-07-02T15:07:45.482911+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Binding with "alice.smith@2012.osirium.tom"
2018-07-02T15:07:45.498751+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Failed to authenticate "alice.smith" against AD LDAPS server ldaps://12.11.10.9 2012.osirium.tom
2018-07-02T15:07:45.500593+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Failed LDAPS password check for user alice.smith
2018-07-02T15:07:45.501223+00:00 localhost EXTERNAL: ERROR [osirium.external.sessions] User u'alice.smith' at address '12.11.10.9' failed to login to the PxM Platform this could mean an incorrect password or an unavailable authentication service.

Success

2018-07-02T15:07:24.236787+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate "alice.smith" via AD LDAPS.
2018-07-02T15:07:24.237108+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate "alice.smith" via AD LDAPS.
2018-07-02T15:07:24.237833+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Binding with "alice.smith@2012.osirium.tom"
2018-07-02T15:07:24.250313+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Attempting to authenticate alice.smith via radius.
2018-07-02T15:07:24.278626+00:00 localhost EXTERNAL: INFO [osirium.models.user_auth.auth_methods] Successfully authenticated alice.smith on server PxM Platform RADIUS configuration 1 28/06/2018 09:37 via RADIUS
2018-07-02T15:07:24.323775+00:00 localhost EXTERNAL: INFO [osirium.external.sessions] Expiring existing sessions for user "alice.smith"
2018-07-02T15:07:24.326789+00:00 localhost EXTERNAL: INFO [osirium.external.sessions] Looking for existing session token for user alice.smith on address 12.11.10.9
2018-07-02T15:07:24.327746+00:00 localhost EXTERNAL: INFO [osirium.external.sessions] Generating new session token for user "alice.smith"
2018-07-02T15:07:24.336673+00:00 localhost EXTERNAL: INFO [osirium.external.sessions] Queueing device list cast to logged in user "alice.smith"
2018-07-02T15:07:24.337064+00:00 localhost EXTERNAL: INFO [osirium.external.sessions] Adding to queue unicast_devices for user "alice.smith"
2018-07-02T15:07:24.337623+00:00 localhost EXTERNAL: INFO [osirium.external.sessions] Unicasting device list to "alice.smith"
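An added example (not Osirium's code) that classifies external.log lines like those above by the stage at which the attempt ended; the sample lines are constructed to mirror the page's format. The closing ERROR line is identical for both failure cases, so only the preceding INFO lines tell a wrong password from a wrong token, and a RADIUS-stage failure means the password was already accepted, which is the case an auditor most wants flagged.

```python
# Added example (not Osirium code): classify PxM external.log login attempts by
# the stage reached and the outcome, using only the INFO lines that precede the
# generic "failed to login" ERROR line.
import re
from typing import Dict, List, Optional

LINE = re.compile(r"^(?P<ts>\S+) \S+ EXTERNAL: (?P<level>\w+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
# Usernames appear with straight quotes, curly quotes, or no quotes at all.
USER = re.compile(r"(?:authenticate|for user|authenticated) [\"\u201c]?(?P<user>[\w.\-]+)")

def classify(lines: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each user seen to the last stage reached and the outcome of the attempt."""
    state: Dict[str, Dict[str, Optional[str]]] = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        u = USER.search(m.group("msg")) if m else None
        if not u:
            continue
        msg = m.group("msg")
        rec = state.setdefault(u.group("user"), {"stage": None, "outcome": "pending"})
        if msg.startswith("Attempting to authenticate"):
            rec["stage"] = "RADIUS" if "via radius" in msg else "AD"  # RADIUS only after AD accepted
        elif msg.startswith("Failed LDAPS password check"):
            rec["outcome"] = "ad_failed"             # wrong password or AD unreachable
        elif msg.startswith("Failed RADIUS authentication"):
            rec["outcome"] = "second_factor_failed"  # password correct, token rejected
        elif msg.startswith("Successfully authenticated"):
            rec["outcome"] = "success"
    return state

def second_factor_only_failures(lines: List[str]) -> List[str]:
    """Users whose password was accepted but whose token was not: worth an alert."""
    return [u for u, r in classify(lines).items() if r["outcome"] == "second_factor_failed"]

def _line(level: str, logger: str, msg: str, ts: str = "2018-07-02T15:00:54.491039+00:00") -> str:
    return f"{ts} localhost EXTERNAL: {level} [{logger}] {msg}"

AUTH, SESS = "osirium.models.user_auth.auth_methods", "osirium.external.sessions"
SAMPLES = {  # constructed lines mirroring the page's external.log format
    "fail_radius": [
        _line("INFO", AUTH, 'Attempting to authenticate "alice.smith" via AD LDAPS.'),
        _line("INFO", AUTH, 'Binding with "alice.smith@2012.osirium.tom"'),
        _line("INFO", AUTH, "Attempting to authenticate alice.smith via radius."),
        _line("INFO", AUTH, "Failed RADIUS authentication for user alice.smith"),
        _line("ERROR", SESS, "User u'alice.smith' at address '12.11.10.9' failed to login to the PxM Platform"),
    ],
    "fail_ad": [
        _line("INFO", AUTH, 'Attempting to authenticate "alice.smith" via AD LDAPS.'),
        _line("INFO", AUTH, 'Failed to authenticate "alice.smith" against AD LDAPS server ldaps://12.11.10.9'),
        _line("INFO", AUTH, "Failed LDAPS password check for user alice.smith"),
        _line("ERROR", SESS, "User u'alice.smith' at address '12.11.10.9' failed to login to the PxM Platform"),
    ],
    "success": [
        _line("INFO", AUTH, 'Attempting to authenticate "alice.smith" via AD LDAPS.'),
        _line("INFO", AUTH, "Attempting to authenticate alice.smith via radius."),
        _line("INFO", AUTH, "Successfully authenticated alice.smith on server PxM Platform RADIUS configuration 1 via RADIUS"),
        _line("INFO", SESS, 'Generating new session token for user "alice.smith"'),
    ],
}
```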

The ‘radtest’ tool is available at the command line when your superadmin is logged in to the PxM Platform as osirium_support. It can be used to pre-test the link between the PxM Platform and any RADIUS-based service. Here are some examples using good and bad Google Authenticator tokens:

GOOD

osirium_support@osirium-br-69:~$ radtest alice.smith 476108 12.11.10.9 18120 <******>
Sending Access-Request of id 168 to 12.11.10.9 port 1812
User-Name = "alice.smith"
User-Password = "476108"
NAS-IP-Address = 127.0.0.1
NAS-Port = 18120
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 12.11.10.9 port 1812, id=168, length=20

BAD

osirium_support@osirium-br-69:~$ radtest alice.smith 123456 12.11.10.9 18120 <******>
Sending Access-Request of id 207 to 12.11.10.9 port 1812
User-Name = "alice.smith"
User-Password = "123456"
NAS-IP-Address = 127.0.0.1
NAS-Port = 18120
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 12.11.10.9 port 1812, id=207, length=20

We still support the previous Active Directory based Multi-factor Authentication methods. If you’d like to know more, please get in touch.

Multi-Factor Authentication (MFA) for Privileged Access Management

Kev Pearce demonstrates the improvements in multi-factor authentication for v6.1. He shows Active Directory running in series with Google Authenticator and freeradius.
