Use Cases for MFA on CTE
When using Multifactor Authentication with CipherTrust Transparent Encryption, you can:
Enable Multifactor Authentication on a Single GuardPoint
You can enable Multifactor Authentication for individual GuardPoints on clients.
- Open CipherTrust Manager > Transparent Encryption application.
- Select the relevant client.
- Select the GuardPoints tab.
- Click the settings icon.
- Select Multifactor Authentication to enable Multifactor Authentication for the GuardPoints.
- Click OK. The Multifactor Authentication column displays.
- Toggle the Multifactor Authentication switch to enable Multifactor Authentication for the selected GuardPoints.
Note
To disable Multifactor Authentication on a GuardPoint, deselect the Multifactor Authentication toggle switches.
Enable Multifactor Authentication on the Entire Client
You can enable Multifactor Authentication for all of the GuardPoints on a client. When Multifactor Authentication is enabled at the client level, CTE enforces the configuration for all GuardPoints configured on the client. It overrides any MFA configuration set for individual GuardPoints.
- Open CipherTrust Manager > Transparent Encryption application.
- Select the relevant client.
- In the upper pane, select Multifactor Authentication.
- Select Apply. All of the Multifactor Authentication switches are toggled to the on position.
- If the MFA column does not display with all switches set to on, click Refresh GuardPoints to display the Multifactor Authentication column.
Note
To disable Multifactor Authentication on a GuardPoint, deselect Multifactor Authentication in the upper pane and click Apply.
Perform Multifactor Authentication
After you enable Multifactor Authentication on one or more GuardPoints, there are several scenarios in which a user accessing the MFA-enabled GuardPoints on a client can authenticate.
Once a user has passed Multifactor Authentication, that user's current shell, and any subsequent commands or programs run from the same shell, can access MFA-enabled GuardPoints until the user exits that shell.
Note
- If you enable Multifactor Authentication on only one GuardPoint, you can authenticate only for that GuardPoint. If you enable Multifactor Authentication on all of the GuardPoints on a client, you can authenticate for all of them.
- The CTE MFA username and password are created in Keycloak.
- Thales recommends using OTP (one-time password) in place of the static password. For OTP configuration in Keycloak, refer to the Keycloak configuration section. On the CTE client, the security administrator can run voradmin mfa set_auth to choose either OTP or password as the multifactor authentication method. If no authentication method is set up, users must choose a method during SSH login or when running voradmin mfa login.
Selecting to run Multifactor Authentication at SSH connection
- A sys-admin runs the voradmin mfa ssh_enable command, which enables Multifactor Authentication for all SSH connections.
  root@mfa1:~# voradmin mfa ssh_enable
- Another user establishes an SSH connection to the client and is asked whether they want to run Multifactor Authentication. They choose yes, and Multifactor Authentication runs.
  Do you need CTE MFA (y/n): y
  Response:
  CTE MFA username: <username>
  CTE MFA password: <password>
  You passed CTE MFA. Can access CTE MFA-enabled GuardPoints
Note
If the security administrator has not set up an authentication method for the user, the login prompt displays the following:
  Choose authentication method (type p for password, or o for otp, default o):
If the user chooses o, the following prompt displays:
  CTE MFA one-time code:
This also applies when running voradmin mfa login.
Selecting to run Multifactor Authentication post login
- A sys-admin runs the voradmin mfa ssh_enable command, which enables Multifactor Authentication for all SSH connections.
  root@mfa1:~# voradmin mfa ssh_enable
- Another user establishes an SSH connection to the client and is asked whether they want to run Multifactor Authentication. They choose no, and Multifactor Authentication does not run.
  Do you need CTE MFA (y/n): n
  Response:
  You skipped CTE MFA. You won't be able to access CTE MFA-enabled GuardPoints.
- When that user later wants to run Multifactor Authentication, they use the voradmin mfa login command, and Multifactor Authentication runs.
  root@mfa1:~$ voradmin mfa login
  Response:
  CTE MFA username: <username>
  CTE MFA password: <password>
  CTE MFA authentication successful
  You passed CTE MFA. Can access CTE MFA-enabled GuardPoints
Disabling Multifactor Authentication at SSH connection
- A sys-admin runs the voradmin mfa ssh_disable command, which disables Multifactor Authentication for all SSH connections.
  root@mfa1:~# voradmin mfa ssh_disable
  root@mfa1:~#
- When a non-root user wants to run Multifactor Authentication, they use the voradmin mfa login command, and Multifactor Authentication runs.
  root@mfa1:~$ voradmin mfa login
  Response:
  CTE MFA username: <username>
  CTE MFA password: <password>
  CTE MFA authentication successful
  You passed CTE MFA. Can access CTE MFA-enabled GuardPoints
Enable Multifactor Authentication for Client Groups
Multifactor Authentication cannot be enabled at the client group level. However, you can enable Multifactor Authentication for individual GuardPoints on client groups.
While propagating the Multifactor Authentication-enabled GuardPoints to the member clients, CipherTrust Transparent Encryption checks the Multifactor Authentication capability of the member clients. If a client is Multifactor Authentication-capable, the GuardPoints are added to the client. If a client is not Multifactor Authentication-capable, the GuardPoints are skipped.
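The two policy rules on this page, the client-level override described under "Enable Multifactor Authentication on the Entire Client" and the capability check applied when client-group GuardPoints are propagated, can be modelled in a few lines. The following is an added illustration, not Thales code or the CTE API; the class and function names are assumptions, as is the reading that per-GuardPoint settings apply whenever client-level MFA is off.

```python
"""Model of how CTE resolves the effective MFA setting per GuardPoint.

Added illustration (not Thales code). It encodes two rules from the page:
  * client-level MFA overrides any per-GuardPoint MFA setting;
  * MFA-enabled GuardPoints on a client group are propagated only to
    member clients that are MFA-capable; other clients skip them.
Names (Client, GuardPoint, resolve_effective_mfa, ...) are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class GuardPoint:
    path: str
    mfa: bool = False            # per-GuardPoint toggle (GuardPoints tab)


@dataclass
class Client:
    name: str
    mfa_capable: bool            # whether the CTE agent supports MFA
    client_level_mfa: bool = False   # "Multifactor Authentication" in upper pane
    guardpoints: list = field(default_factory=list)


def propagate_group_guardpoints(group_gps, members):
    """Push client-group GuardPoints to member clients.

    MFA-enabled GuardPoints are skipped on members that are not MFA-capable;
    GuardPoints without MFA are added everywhere.
    Returns {client name: [skipped GuardPoint paths]} for audit purposes.
    """
    skipped = {}
    for client in members:
        skipped[client.name] = []
        for gp in group_gps:
            if gp.mfa and not client.mfa_capable:
                skipped[client.name].append(gp.path)
                continue
            client.guardpoints.append(GuardPoint(gp.path, gp.mfa))
    return skipped


def resolve_effective_mfa(client):
    """Return {path: True/False} showing where MFA is enforced on the client.

    Client-level MFA wins; otherwise the individual GuardPoint toggle applies
    (assumption: deselecting the client-level setting restores per-GuardPoint
    values).
    """
    return {gp.path: (client.client_level_mfa or gp.mfa) for gp in client.guardpoints}
```

Running resolve_effective_mfa before and after toggling client_level_mfa gives an auditor the expected per-GuardPoint state to compare against what the GuardPoints tab shows.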