3.13 Configuring the Advanced Authentication Tool for Two-Factor Authentication Using NetIQ Advanced Authentication Framework

The Advanced Authentication tool supports the use of one-time passwords (OTPs) for two-factor authentication of users as they access applications through CloudAccess. It works with the NetIQ Advanced Authentication Framework running on a member server in a domain configured as an Active Directory identity source.

With two-factor authentication, users must provide two categories of authentication factors before they can access the applications:

Two-factor authentication provides an additional layer of security that helps ensure the identity of a user and reduce the risk of unauthorized access to your applications. Users still enjoy the convenience of single sign-on, but the access is more secure.

The Advanced Authentication tool supports four types of authentication providers for OTP in the NetIQ Advanced Authentication Framework: OATH OTP, Smartphone, SMS, and Voice Call. For a brief overview of each authentication method, see Section 3.13.2, Understanding the Authentication Providers.

You configure a separate instance of the tool for each authentication provider type you want users to use. For each authentication provider type, you can enable one or more applications, but they must be mutually exclusive of the applications that you enable in other instances. The applications must also be mutually exclusive of applications configured to use the Time-Based One-Time Password tool with Google Authenticator.

At a user’s next login, the tool prompts the user for additional authentication, according to the authentication provider type enabled for the application. If you enable all applications for a single authentication provider type, the prompt occurs immediately after CloudAccess validates the user’s credentials. Otherwise, the prompt occurs when the user first selects any one of the applications enabled for Advanced Authentication. The authentication automatically applies to all applications for that session that were also enabled for the same type of authentication provider.

For more information about using the NetIQ Advanced Authentication Framework and the supported authentication providers, see the NetIQ Advanced Authentication Framework documentation website.

Use the information in the following sections to configure your system for Advanced Authentication:

3.13.1 Requirements for Advanced Authentication

Ensure that your system meets the following requirements before you configure the Advanced Authentication tool:

3.13.2 Understanding the Authentication Providers

Use the information in this section to understand the supported authentication providers for NetIQ Advanced Authentication Framework.

OATH OTP

For the OATH OTP authentication provider, the user enters a 6-digit code as a one-time password on the authentication page. The user commonly generates the time-based one-time passwords (TOTPs) with an OATH TOTP-compliant hardware token (key fob or card) that is associated with the user. A user can alternatively generate TOTPs with the NetIQ Smartphone Authenticator app running on a mobile device. If the code is valid, the user can access the application.

To use software tokens, the user downloads and installs the NetIQ Smartphone Authenticator app on their mobile device. Using the NetIQ Advanced Authentication Framework client or web service, the user must enroll the device for the OATH OTP authentication provider by manually entering a 40-hex-digit random code as the shared secret key, or by scanning the corresponding QR (quick response) code. In OATH OTP mode, the Smartphone Authenticator app generates the 6-digit code without requiring an Internet connection or cellular service.
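The following is an added example, not code from the NetIQ documentation or product, showing how a verifier validates the 6-digit OATH TOTP code described above from the 40-hex-digit shared secret. It assumes the standard OATH TOTP parameters (RFC 6238, HMAC-SHA1, 30-second time step) and uses the RFC 6238 reference secret as constructed sample input; the drift window and replay check are the assumed verifier policy, not documented NAAF settings.

```python
# Added example (not part of the NetIQ documentation): server-side TOTP validation
# for a 6-digit OATH OTP code, assuming RFC 6238 defaults (HMAC-SHA1, 30 s step).
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP_SECONDS = 30


def secret_from_hex(hex_secret: str) -> bytes:
    """Decode the 40-hex-digit shared secret entered at enrollment (20 raw bytes)."""
    if len(hex_secret) != 40:
        raise ValueError("expected a 40-hex-digit secret")
    return bytes.fromhex(hex_secret)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: int, window: int = 1):
    """Accept a code from the current step or +/- `window` steps (clock drift),
    but never from a step at or before the last accepted one, so a code that was
    already used cannot be replayed. Returns (accepted, new_last_used_step)."""
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference secret "12345678901234567890" as 40 hex digits.
    secret = secret_from_hex("3132333435363738393031323334353637383930")
    print(totp(secret, int(time.time())))
```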

For more information about supported devices and platforms, see the NetIQ Advanced Authentication Framework documentation for the OATH OTP authentication provider.

Smartphone

For the Smartphone authentication provider, the user receives a push notification message in the Smartphone Authenticator app running on a mobile device, and can accept or reject the authentication request. If the user accepts the request within the valid interval, the user can access the application.

The user downloads and installs the NetIQ Smartphone Authenticator app on their mobile device. Using the NetIQ Advanced Authentication Framework client or web service, the user must enroll the device for the Smartphone authentication provider by scanning a QR Code. In Smartphone mode, the Smartphone Authenticator app requires an Internet connection or cellular service for the mobile device to receive the push notification message.

For more information about supported devices and platforms, see the NetIQ Advanced Authentication Framework documentation for the Smartphone authentication provider.

SMS

The SMS authentication provider generates a 6-digit software token for the user, and sends it in an SMS text message to the mobile phone number that is stored in the user's properties in Active Directory. The user’s phone receives and displays the message. The user enters the code on the authentication page. If the code is valid, the user can access the application.

You can configure any Internet gateway that supports POST messages to deliver the SMS messages, such as Twilio or Messagebird. To receive the SMS message, the mobile device must have an Internet connection or cellular service, as well as a text-messaging plan. The user’s properties in Active Directory must contain a mobile phone number.

For more information, see the NetIQ Advanced Authentication Framework documentation for the SMS authentication provider.

Voice Call

The Voice Call authentication provider calls the mobile phone number that is stored in the user's properties in Active Directory. The user accepts the call, then enters their personal PIN to verify the authentication. If the PIN is valid, the user can access the application.

Using the NetIQ Advanced Authentication Framework client or web service, the user must enroll for the Voice Call authentication provider by creating a dedicated unique PIN code to use when confirming an authentication request. The Advanced Authentication Framework administrator configures the required length of the PIN code.

To receive the call, the mobile device must have an Internet connection or cellular service, as well as a voice calling plan. The user’s properties in Active Directory must contain a mobile phone number. Because the Voice Call Server works with Twilio Voice, the phone number must be in a country supported by the Twilio Voice platform.

For more information, see the NetIQ Advanced Authentication Framework documentation for the Voice Call authentication provider.

3.13.3 Configuring the Advanced Authentication Tool

Before you configure the Advanced Authentication tool, ensure that your setup meets the requirements described in Section 3.13.1, Requirements for Advanced Authentication.

To configure the Advanced Authentication tool:

  1. Log in with an appliance administrator account to the Admin page at

    https://appliance_dns_name/appliance/index.html

  2. In the Identity Sources panel, verify that you have configured one Active Directory identity source for a domain where a member server is running NetIQ Advanced Authentication Framework.

  3. Drag and drop the Advanced Authentication tool from the Tools palette to the Tools panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the Advanced Authentication tool, then click Configure.

  4. Configure the Advanced Authentication feature:

    Authentication type: Select the type of authentication provider that you want to enable for the specified server running the NetIQ Advanced Authentication Framework. For more information, see Section 3.13.2, Understanding the Authentication Providers.

    NAAF host name/port: Specify the hostname of the Active Directory member server running NetIQ Advanced Authentication Framework. The default port number is 8232.

  5. Click the Applications tab, then select the check box next to one or more applications that require the specified authentication provider.

    You can enable one or more applications for the specified type of authentication provider. However, you must assign each application to only one type of authentication provider.

  6. Click OK to save the settings and enable the tool.

  7. Click Apply to activate the configuration.

  8. Wait while the service is activated across all nodes in the cluster. Do not attempt other configuration actions until the activation completes successfully.