Symantec Privileged Access Management

Expand all | Collapse all

2 factor authentication - additional options?

Jump to Best Answer
  • 1.  2 factor authentication - additional options?

    Posted 03-30-2020 04:45 AM
    Morning

    We are currently reviewing our current set-up and one area we are looking at is the 2 factor authentication.

    Currently only RSA is supported, are there any plans to bring on board alternative products like google authenticator?

    Thanks,

    M


  • 2.  RE: 2 factor authentication - additional options?
    Best Answer

    Posted 03-30-2020 06:27 AM
    Hello,

    You are correct, currently as of now out-of-the-box only RSA is authenticated is supported.

    But there are customization options for which you would need to work with the field services team to know more on this.

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: 2 factor authentication - additional options?

    Posted 03-30-2020 08:33 AM
    Thanks Reatesh, would you happen to know how we engage with these teams? Would it normally be via an account manager?


  • 4.  RE: 2 factor authentication - additional options?

    Posted 04-01-2020 12:27 AM
    Yes, you will need to work with the account management team for engaging the on field services team.
    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 5.  RE: 2 factor authentication - additional options?

    Posted 03-31-2020 08:36 AM
    Hello,

    The documentation suggests LDAP+RADIUS authentication is possible
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/implementing/configuring-your-server/authenticate-users-logging-in-to-the-server/configure-ldap-and-radius-in-combination-to-authenticate-users.html

    One possibility here is a token tool which supports RADIUS.  It would be interesting to mess around with.

    Chris


  • 6.  RE: 2 factor authentication - additional options?

    Posted 03-31-2020 10:18 AM
    RSA is not the only two factor authentication.

    Smartcard/certificate based authentication is also possible and widely used.  You can even use a cheap $45 yubikey: https://www.youtube.com/watch?v=5mr779SP8m4

    PAM can also be configured as a SAML service provider: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/implementing/configuring-your-server/authenticate-users-logging-in-to-the-server/using-saml-2-0-to-authenticate-users.html.   You should be able to have PAM authenticate against a google apps account.  If that account is configured for 2 factor using Google Authenticator, then you have met your goal.  Here is another vendor's description of what is required in Google Apps: https://help.receptive.io/hc/en-us/articles/212188369-How-to-set-up-Google-G-Suite-as-your-SAML-Identity-Provider

    I believe you could also use SAML to authenticate against other identity providers that support google authenticator.  So while we don't support Google Authenticator directly, you should be able to do it indirectly using SAML.


  • 7.  RE: 2 factor authentication - additional options?

    Posted 04-02-2020 11:31 AM
    Hi Josheph,

    The following message has been sent to you in response to your Discussion message

    Message From: Samarendra Routray

    Hi Andreas,

    I am trying to implement multifactor authentication for PAM, so trying to integrate CA SSO (Siteminder) with PAM before integrating SSO with Advance/Strong Authentication.
    I have completed the integration steps for CA SSO(Siteminder) and CA PAM production as given in below support url. 
    CA Single Sign-On Integration

    I am also able to get SSO page/prompt for authentication while trying PAM application url.

    But the issue is after SSO login successful, I am again getting PAM login page where I have to login again, which is not SSO behavior. Could you please help me for this to get a proper SSO configuration for PAM, where once I login to SSO get access to PAM Admin UI directly on
    browser.

    I am using Active Directory as user store and integrated Active directory with PAM properly as given for PAM LDAP integration.








    Broadcom remove preview





















    CA Single Sign-On Integration
    Before you set up Layer7 SiteMinder (formerly CA Single Sign-On) on PAM, configure these objects in the SiteMinder Administrative UI. As a security administrator, you can integrate Privileged Access Manager with (formerly CA Single Sign-On). You can use as a second layer of protection for Privileged Access Manager .
    View this on Broadcom >



    Thank you,
    Regards,
    Samarendra Routray


  • 8.  RE: 2 factor authentication - additional options?

    Posted 04-03-2020 11:26 AM
    I believe what you are seeing is expected behavior.  In the first paragraph of the link you provided:

    "You can use Layer7 SiteMinder as a second layer of protection for Privileged Access Manager. First you authenticate to Privileged Access Manager, then to Layer7 SiteMinder..."

    I believe, though I have never done it myself, that to authenticate to PAM using siteminder, you would need to use SAML.  Even then, I believe the user will still need to authenticate against siteminder to get into PAM.  To the best of my knowledge, PAM does not support true SSO with SAML, it always makes you re-authenticate during PAM login (for security reasons).

    Hopefully someone with more experience using PAM, SiteMinder, and SAML will respond and confirm/correct what I am saying.



  • 9.  RE: 2 factor authentication - additional options?

    Posted 04-04-2020 12:30 PM
    Edited by joseph lutz 04-04-2020 05:11 PM

    Joe

     

    You are correct. The use case for the Siteminder integration is not authentication per say. It is "step-up" authentication and it was originally designed to be used on certain pages within the program and cannot replace the initial login. Assume you have an administrator user that is responsible for accessing target machines in the network but also responsible for configuring and maintaining CA PAM itself. These are effectively two distinct roles. You could provide 2 separate logins for this user  but then this limits the user and requires different passwords and user accounts. With the Siteminder authentication feature you can protect the configuration pages or any distinct page inside CA PAM so a admin user can access targets with the normal login but force them to reauthenticate separately once they try to access these particular pages.. If you do use SAML Authentication you may be able to configure the SAML to handle the step up auth automatically  but that would defeat the whole purpose of step up authentication. You do not need to use SAML as there is a Siteminder WebAgent built in the CA PAM product so you can configure any authentication method the standard Apache Webagent can be configured with in Siteminder. Since most PAM environments do not require such a separation of Roles I have not seen many customers using this feature.

    As for using Siteminder as the Single Sign on.... Simply configure CA PAM to use SAML authentication with your AD users and disable Siteminder Integration. You can configure Siteminder as the Identity Provider and it will authenticate your AD users and pass CA PAM the authentication token as the relying party . This is a common configuration with CA PAM and many use Siteminder as the IDP and will avoid your double authentication.

     

    Joe Lutz