Configuring Ping Authentication - BeyondTrust

Date post: 16-Jun-2020
WHITE PAPER

Configuring Ping Authentication Quick Guide for PBPS, PBW, PBUL and PBIS

Configuring Ping: Quick Guide for PBPS, PBW, PBUL and PBIS © 2018. BeyondTrust Software, Inc.

Contents

Configuring Ping Authentication for PowerBroker Password Safe Using RADIUS ..... 2
Configuring Ping Authentication for PowerBroker for Windows Using RADIUS ..... 9
Configuring Ping Authentication for PowerBroker for Unix and Linux, and PBIS, Using RADIUS ..... 14
    Configuring PBUL ..... 14
    Testing the Configuration ..... 16
Configuring Ping Authentication for PowerBroker Password Safe Direct Connect ..... 18
Configuring Ping Authentication for PowerBroker Password Safe Using SAML ..... 21


Configuring Ping Authentication for PowerBroker Password Safe Using RADIUS

Download and install the PingFederate server, and access the console.

1. Ping Console.

For more information, see https://documentation.pingidentity.com/pingfederate/pf90/#gettingStartedGuide/concept/gettingStarted.html

For configuring RADIUS, see https://docs.pingidentity.com/bundle/pid_sm_VPN_pingid/page/configuringRADIUSServerOnPingFederate.html


2. Configure clients.

3. Configure the port and copy the properties file (obtained via the PingOne dashboard). You may need to request an evaluation for PingOne.


4. Configure Active Directory. You should see a Credential Validation instance like the one shown.

5. In BeyondInsight, configure RADIUS Authentication.


6. Create a test group in AD, add a test user, and import it in BeyondInsight. Configure the test user for RADIUS.

7. Log on to BeyondInsight with your test user.


8. Use the mobile or another version of the Ping App (Windows is shown) to obtain the passcode.


After providing the passcode and clicking OK, you should be logged on to Password Safe.


Configuring Ping Authentication for PowerBroker for Windows Using RADIUS

1. Using Group Policy Editor, or Policy Editor, create the Multifactor record. Increase the timeout to 30 or 60 seconds, enter the shared secret you selected for the Ping RADIUS server, and select Username and Password for Initial Request.


2. Create a user message.


3. Create a test Privileged Identity rule for an application.

4. Create a shortcut for C:\Windows\system32\xwizard.exe on your desktop.


5. When you start the application, you should see the User Message for Ping. Enter the code and click OK.


The test application starts.


Configuring Ping Authentication for PowerBroker for Unix and Linux, and PBIS, Using RADIUS

To configure your Unix or Linux host for PAM/RADIUS authentication, follow the steps below.

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so

2. Create a config file for your PAM server: /etc/raddb/server

Format is: ip_address:port sharedsecret timeout

For example: dc01:1812 btlab16* 60

3. Edit /etc/pam.d/sshd as follows:

    # Ping RADIUS factor first, then the host's normal password stack
    auth required pam_radius_auth.so
    account required pam_radius_auth.so
    password required pam_radius_auth.so
    auth substack password-auth
    auth include postlogin

4. You may need to change /etc/ssh/sshd_config to allow PAM (UsePAM yes).

If PAM is not yet available on the Unix or Linux host, follow the steps in the document above to install it using yum.

5. Restart sshd for the SSH configuration to take effect: service sshd restart

Note: If you plan to use Password Safe with Ping, configuring the host for PAM/RADIUS will be redundant.
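As an added example (not code from the guide, BeyondTrust or Ping), a Python check for the /etc/raddb/server file created in step 2: it verifies the guide's host:port sharedsecret timeout line format and warns when the file, which holds the RADIUS shared secret, is readable by group or others. The sample line is the guide's own; treating anything other than mode 0600 as a problem is this check's assumption.

```python
"""Check /etc/raddb/server (step 2) before restarting sshd in step 5.
Added example, not BeyondTrust or Ping code. Assumes the guide's
'host:port sharedsecret timeout' line format; lines starting with '#'
and blank lines are ignored. Requiring mode 0600 is this check's policy."""
import os
import stat


def parse_server_line(line):
    """Parse one 'host:port sharedsecret timeout' line into a dict."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 'host:port secret timeout', got {line!r}")
    server, secret, timeout = fields
    host, sep, port = server.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad host:port {server!r}")
    if not timeout.isdigit() or int(timeout) < 1:
        raise ValueError(f"timeout must be a positive number of seconds, got {timeout!r}")
    return {"host": host, "port": int(port), "secret": secret, "timeout": int(timeout)}


def check_server_lines(lines):
    """Return (servers, problems) for an iterable of file lines."""
    servers, problems = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            servers.append(parse_server_line(line))
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    if not servers:
        problems.append("no RADIUS server defined")
    return servers, problems


def check_server_file(path):
    """Like check_server_lines, plus a warning when the shared secret is
    readable by group or others (pam_radius_auth reads it as root anyway)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        servers, problems = check_server_lines(fh)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is mode {mode:04o}; expected 0600 because it holds the shared secret")
    return servers, problems


if __name__ == "__main__":
    # Constructed sample: the guide's own example line plus a comment.
    print(check_server_lines(["# lab RADIUS server", "dc01:1812 btlab16* 60"]))
```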

Configuring PBUL

We will configure and test one use case around pbrun and a privileged command. These steps are based on CentOS 64-bit.

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so

2. Create a config file for your PAM server: /etc/raddb/server

3. Create the file pbul_pam_radius under /etc/pam.d:

    #task control module
    auth required pam_radius_auth.so
    account required pam_radius_auth.so
    password required pam_radius_auth.so

Then you can configure a role, e.g. DemoRole, to allow elevated commands and use PAM.

4. In /etc/pb/pbul_functions.conf, add this section:


    # Procedure DemoRole:
    # If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all users) to run
    # commands in DemoCommands (default 'id' and 'whoami') as 'root'
    #
    procedure DemoRole()
    {
        if ( EnableDemoRole && user in DemoUsers && (runhost in DemoHosts ||
             TargetRunHostShortName in DemoHosts) && basename(command) in DemoCommands )
        {
            SetRunEnv("root", true);
            accept;
        }
    }

5. In /etc/pb/pbul_policy.conf, add this section:

    # This enables "Demo role", which allows any user in DemoUsers (default all users) to run
    # commands in DemoCommands (default 'id' and 'whoami') as 'root'
    # on any host in DemoHosts (default all hosts)
    # By default, this role is disabled. To enable this set EnableDemoRole to true below.
    #
    # IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
    #
    EnableDemoRole = true;
    DemoUsers = {"amiller","jsmith1"};
    DemoCommands = {"id", "whoami","useradd","userdel"};
    DemoHosts = {runhost, TargetRunHostShortName};
    runconfirmuser = "btuapi";
    runconfirmpasswdservice = "pbul_pam_radius";
    DemoRole();

6. Create a user on your Unix or Linux host to match the user in Ping, e.g. jsmith1 in the example above.


Testing the Configuration

You are ready to test the configuration.

1. Use PuTTY to log on to the Linux server as jsmith1.

2. Running the privileged command useradd directly gives Permission denied.


3. Using pbrun, PAM/RADIUS authentication is triggered. Once authenticated, the command executes and the user backdoor is created.

4. Then you should be authenticated.

Since the userdel command is also included in the policy, the same steps apply to userdel.


Configuring Ping Authentication for PowerBroker Password Safe Direct Connect

For Direct Connect, we can use Ping. In our lab, we used Phone/Standard, so we only need to answer the call and press # to be authenticated.

For SSH sessions, we can configure PuTTY or the tool of our choice with an SSH connection string similar to the following:

btlab\jping@mdavis_uadmin@lserver01@bi01

The port is 4422 by default, which is the PBPS Proxy port, not 22, the port of the target host behind the proxy.

mdavis_uadmin is the managed account for lserver01, and bi01 is my PBPS Proxy.

My test user, with the app on their mobile, is an Active Directory user in my lab.

1. RADIUS configuration for test user jping.


2. Figure 2: MTPutty configuration.

3. Direct Connect session in Multi-tab PuTTY.


4. Direct Connect RDP. Enter the password and the Ping code in the form password,code.

5. Session starts.


Configuring Ping Authentication for PowerBroker Password Safe Using SAML

This section is generic; the steps may differ slightly. Refer to the Ping documentation.

1. Log on to the Ping Portal.

2. Click Add Application.

3. Click Create New App.

4. Select SAML 2.0 as the sign in method.

5. Click Create.

6. Enter an application name.

7. Click Next.

8. Enter the Single sign on URL: https://ServerURL/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx

9. Select the check box Use this for Recipient and Destination URL.

10. Enter the Audience URI (SP Entity ID): https://ServerURL/eEye.RetinaCSSAML

11. Select test username from the Application username menu.

12. Add attributes:

• Group (Required), set as a literal. This must match the group created in BeyondInsight.

• Name (Required)

• Email (Optional)

• Surname (Optional)

• GivenName (Optional)

13. Click Next.

14. Select appropriate settings for Ping support and click Finish.

15. Click View Setup Instructions.

16. Copy the Identity Provider Single Sign-On URL. Save the value for use in step 21.

17. Copy the Identity Provider Issuer. Save the value for use in step 21.

18. Click Download Certificate and save it on the BeyondInsight server in C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates

19. Rename the certificate to “Ping.cer”.

20. Open the saml.config file: C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\saml.config

21. In Notepad, edit ServiceProvider Name:

• edit PartnerIdentityProvider Name: Identity Provider Issuer from step 17.

• edit SingleSignOnServiceUrl: Identity Provider Single Sign-On URL from step 16.

• edit SingleLogoutServiceUrl: Identity Provider Single Sign-On URL from step 16.


22. Save the saml.config file.

23. Open the web.config file: C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\web.config

24. In Notepad, edit the PartnerIdP value: Identity Provider Issuer from step 17.

25. Save the web.config file.
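The edits of steps 21 and 24 applied by script instead of Notepad, plus a check that both files name the same issuer, as an added example that is not BeyondTrust's or Ping's code. It assumes saml.config contains a PartnerIdentityProvider element with Name, SingleSignOnServiceUrl and SingleLogoutServiceUrl attributes and web.config an appSettings key named PartnerIdP; the XML samples are constructed stand-ins and the issuer and URL values are placeholders.

```python
"""Apply steps 21 and 24 to saml.config and web.config. Added example; the
element and attribute layout below is assumed, not taken from a real install."""
import xml.etree.ElementTree as ET

# Constructed, minimal stand-ins for the two files.
SAMPLE_SAML_CONFIG = """<SAMLConfiguration>
  <ServiceProvider Name="https://ServerURL/eEye.RetinaCSSAML"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="REPLACE_ME" SingleSignOnServiceUrl="REPLACE_ME"
                             SingleLogoutServiceUrl="REPLACE_ME"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>"""
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="PartnerIdP" value="REPLACE_ME"/>
  </appSettings>
</configuration>"""


def _first(root, local_name):
    """First element with this tag name, ignoring any XML namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    raise KeyError(f"no <{local_name}> element")


def update_saml_config(xml_text, idp_issuer, idp_sso_url):
    """Step 21: Name = Identity Provider Issuer; both service URLs = the
    Identity Provider Single Sign-On URL, exactly as the guide lists them."""
    root = ET.fromstring(xml_text)
    idp = _first(root, "PartnerIdentityProvider")
    idp.set("Name", idp_issuer)
    idp.set("SingleSignOnServiceUrl", idp_sso_url)
    idp.set("SingleLogoutServiceUrl", idp_sso_url)
    return ET.tostring(root, encoding="unicode")


def update_web_config(xml_text, idp_issuer):
    """Step 24: set the PartnerIdP appSettings value to the same issuer."""
    root = ET.fromstring(xml_text)
    for add in root.iter():
        if add.tag.rsplit("}", 1)[-1] == "add" and add.get("key") == "PartnerIdP":
            add.set("value", idp_issuer)
            return ET.tostring(root, encoding="unicode")
    raise KeyError("no PartnerIdP key in appSettings")


def partner_idp_consistent(saml_xml, web_xml):
    """True when both files carry the same, non-placeholder issuer; a mismatch
    between them is a configuration error worth catching before testing login."""
    name = _first(ET.fromstring(saml_xml), "PartnerIdentityProvider").get("Name")
    values = [a.get("value") for a in ET.fromstring(web_xml).iter() if a.get("key") == "PartnerIdP"]
    return bool(name) and name != "REPLACE_ME" and values == [name]
```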
