Okta Verify - BeyondTrust


WHITE PAPER
Okta Verify
Quick Guide for Configuring PBPS, PBW and PBUL

Contents

Configuring PowerBroker Password Safe Using RADIUS ... 2
Testing Configuration ... 7
PBPS and PBW Configuration ... 11
Configuring PowerBroker for Windows Using RADIUS ... 13
Password Safe Demo ... 14
PBW Demo ... 16
Configuring PowerBroker for Unix and Linux Using RADIUS ... 17
Configuring PBUL ... 17
Testing the Configuration ... 19
Configuring PowerBroker Password Safe Direct Connect Using RADIUS ... 22

2018. BeyondTrust Software, Inc. Okta Verify: PBPS, PBW and PBUL Quick Guide

Configuring PowerBroker Password Safe Using RADIUS

1. If you do not have Okta, you can register for a free trial.
2. Log in and go to Admin mode. Create a user, e.g. login btuapi@btlab.com. Use a working email address for the primary email (required for enrollment).

3. Create a group and add your test user to the group.
4. Under Security/Multifactor, select Okta Verify.

5. Under Security/Authentication/Sign-On, click Add New Okta Sign-On Policy, associate it with your test group, and create a new Rule.
6. Your new Rule should apply to RADIUS. You can select Every Time for the MFA prompt.
7. Install Okta Verify on your mobile device.

8. Select your test user and click Activate. A registration email is sent to the primary email address.
9. Once the user is registered, follow the End User Configuration section (Settings, Extra Verification, Setup Okta Verify mobile now); see the Okta Knowledge Article Using-Okta-Verify-1541002451.

10. Choose your device.
11. Scan the barcode with the Okta Verify app (Add Account).

12. Download and install the Okta RADIUS Agent. This will act as a RADIUS proxy. You need to identify your organization (part of the URL, e.g. beyondtrust-bateau) and you need to use your admin credentials to authenticate the agent as a service account.

Testing Configuration

At this point, the Okta configuration should be completed. You can test it with Radius Test Client.

1. Test the RADIUS client agent info.
2. Test the user name with the password configured in Okta.
3. Enter 1 for Verify, 2 for Push.
4. Use the mobile app to get the Okta code.

The test was successful. You can also test Push.

PBPS and PBW Configuration

1. In BeyondInsight Configure, create an Authentication configuration pointing to your Okta RADIUS Agent.
2. Import a group with a test user from Active Directory (Add AD Group). Add the Requestor Role for All Managed Accounts.
3. Enable the user for RADIUS.

Configuring PowerBroker for Windows Using RADIUS

1. For PBW, using Group Policy Editor, create a Multifactor configuration. Increase the timeout to 30 seconds (a Push waits for the phone). Select Initial Request: Username and Password.
2. Create a user message for Okta. You can replace the Body with: Select 1 for Verify, 2 for Push Verify.

3. Create a Privileged Identity Rule for pwcreator.exe.

Password Safe Demo

1. Log on to Password Safe using your test user and password.
2. Type 1 for Verify or 2 for Push.
3. You are now authenticated in Password Safe.

PBW Demo

1. Run gpupdate.exe from a Command Line window.
2. Create a shortcut for pwcreator.exe or call it from the Command Line.
3. Enter 1 for Verify, 2 for Push.
4. After a successful Verify or Push, pwcreator.exe should start.

Configuring PowerBroker for Unix and Linux Using RADIUS

To configure your Unix or Linux host for PAM/RADIUS authentication, see the Okta help documentation. After you deploy the Okta RADIUS agent on a supported Windows host in your environment, you can follow these high level steps:

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so.
2. Create a config file for your RADIUS server: /etc/raddb/server. The format is one server per line:

    ip_address:port shared_secret timeout

   For example:

    172.16.0.100:1912 btlab16* 30

   This file holds the shared secret, so keep it owned by root with mode 0600.
3. Then edit /etc/pam.d/sshd as follows:

    auth     required pam_radius_auth.so
    account  required pam_radius_auth.so
    password required pam_radius_auth.so
    auth     substack password-auth
    auth     include  postlogin

4. You may need to change /etc/ssh/sshd_config to allow PAM (UsePAM yes). If PAM is not yet available on the Unix or Linux host, follow the steps in the Okta document above to install it using yum.
5. Restart sshd for the SSH configuration to take effect: service sshd restart

Note: If you plan to use PBPS and Password Safe with Okta Multifactor authentication, configuring the host for PAM/RADIUS will be redundant.

Configuring PBUL

We will configure and test a use case around pbrun and a privileged command. These steps are based on CentOS 64-bit.

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so.
2. Create a config file for your RADIUS server: /etc/raddb/server (same format as above).
3. Create the file pbul_pam_radius under /etc/pam.d:

    #task control module
    auth     required pam_radius_auth.so
    account  required pam_radius_auth.so
    password required pam_radius_auth.so

Then you can configure a role, e.g. DemoRole, to allow elevated commands and use PAM.

4. In /etc/pb/pbul_functions.conf, add this section:

    # Procedure DemoRole:
    # If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all users) to run
    # commands in DemoCommands (default 'id' and 'whoami') as 'root'
    #
    procedure DemoRole()
    {
        if ( EnableDemoRole && user in DemoUsers
             && (runhost in DemoHosts || TargetRunHostShortName in DemoHosts)
             && basename(command) in DemoCommands )
        {
            SetRunEnv("root", true);
            accept;
        }
    }

5. In /etc/pb/pbul_policy.conf, add this section:

    # This enables "Demo role", which allows any user in DemoUsers (default all users) to run
    # commands in DemoCommands (default 'id' and 'whoami') as 'root'
    # on any host in DemoHosts (default all hosts)
    # By default, this role is disabled. To enable it, set EnableDemoRole to true below.
    #
    # IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
    #
    EnableDemoRole true;
    DemoUsers {"amiller", "btuapi"};
    DemoCommands {"id", "whoami", "useradd", "userdel"};
    DemoHosts {runhost, TargetRunHostShortName};
    runconfirmuser "btuapi";
    runconfirmpasswdservice "pbul_pam_radius";
    DemoRole();

6. Create a user on your Unix or Linux host to match the user in Okta, e.g. btuapi in the above example.

Testing the Configuration

Now we are ready to test the configuration.

1. Use PuTTY to log on to the Linux server as btuapi.
2. Run the privileged command useradd directly: Permission denied.
3. Run it through pbrun: PAM/RADIUS authentication is triggered. Once authenticated, the command executes and the user (backdoor in this example) is created.
4. If Push (2, Enter) is selected, an Approval task is sent to the mobile device.

Since the userdel command is also included in the policy, you can follow the same steps for userdel.

Configuring PowerBroker Password Safe Direct Connect Using RADIUS

For SSH Direct Connect, you can use the following string, pointing to the proxy server over port 4422:

    username@managed_account@asset@proxy

Example: btlab\jjones1@mdavis_uadmin@lserver01@bi01

For RDP Direct Connect, you can use the following string, pointing to the proxy (example BI01) over port 4489:

    username managed account asset

Example: btlab.btu.cloud\jjones1 Administrator app01

Starting with BeyondInsight 6.4.4, you can answer the RADIUS question for the method by adding the response to the password field. The default separator is a comma, so the password would look like:

    myPassword,2

where 2 is the selection for Okta Verify Push.
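The RADIUS exchange behind the Testing Configuration section and the password-field convention just described, as an added example that is not code from the BeyondTrust guide or from Okta. It implements the RFC 2865 Access-Request/Access-Challenge rounds a RADIUS client goes through against the Okta RADIUS agent (password, then the "1 for Verify, 2 for Push" answer, then the Okta Verify code for option 1), splits a "myPassword,2" style password into password and factor answer, and checks each reply's Response Authenticator so that a wrong shared secret is reported rather than mistaken for a rejected login. The in-process fake_okta_agent, its prompt texts, the user btuapi@btlab.com with password myPassword and the TOTP value 123456 are constructed for the example; the shared secret btlab16* is the one from the /etc/raddb/server example above. To run it against a deployed agent, pass udp_transport(host, port) in place of the fake agent.

```python
"""Added example (not BeyondTrust's or Okta's code): RFC 2865 RADIUS client for the Okta agent's
challenge/response flow, with a constructed in-process stand-in for the agent to run it offline."""
import hashlib, secrets, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

def pap_transform(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding (decrypt=True inverts): XOR 16-byte blocks with an MD5 chain."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator  # first key is MD5(secret + Request Authenticator)
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (data[i:i + 16] if decrypt else block), out + block  # next key uses the cipher block
    return out.rstrip(b"\x00") if decrypt else out

def _attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def encode(code, ident, authenticator, attrs):
    body = _attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def decode(pkt):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return pkt[0], pkt[1], pkt[4:20], attrs

def split_factor_answer(password, separator=","):
    """'myPassword,2' -> ('myPassword', ['2']); splitting on the LAST separator is this example's assumption."""
    pwd, sep, answer = password.rpartition(separator)
    return (pwd, [answer]) if sep else (password, [])

def authenticate(transport, username, password, secret, answers, nas_ip="127.0.0.1"):
    """Access-Request rounds until Accept/Reject; each Access-Challenge's State is echoed and answered
    with the next item of `answers` (factor choice, then TOTP code). Returns (accepted, transcript)."""
    answers, reply, state, ident, log = list(answers), password.encode(), None, 0, []
    while True:
        ident = (ident + 1) & 0xFF
        req_auth = secrets.token_bytes(16)
        attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, pap_transform(reply, secret, req_auth)),
                 (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))] + ([(STATE, state)] if state else [])
        code, rid, rauth, rattrs = decode(transport(encode(ACCESS_REQUEST, ident, req_auth, attrs)))
        if rid != ident or rauth != sign_response(code, rid, req_auth, rattrs, secret):
            raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
        log.append((code, [v.decode(errors="replace") for t, v in rattrs if t == REPLY_MESSAGE]))
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT, log
        state = dict(rattrs).get(STATE)
        if not answers:  # nothing pre-supplied: an interactive client would prompt the user here
            return False, log
        reply = answers.pop(0).encode()

def udp_transport(host, port, timeout=30.0):  # for a deployed agent; 30 s because Push waits for the phone
    def send(datagram):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(datagram, (host, port))
            return s.recv(4096)
    return send

def fake_okta_agent(secret, users, totp="123456"):
    """Constructed stand-in for the Okta RADIUS agent with the guide's prompts: password check, then
    'Select 1 for Verify, 2 for Push', then a TOTP code for 1 or immediate approval for 2."""
    sessions = {}
    def handle(datagram):
        code, ident, auth, attrs = decode(datagram)
        a = dict(attrs)
        pwd = pap_transform(a[USER_PASSWORD], secret, auth, decrypt=True).decode(errors="replace")
        def reply(rcode, msg, new_state=None):
            rattrs = [(REPLY_MESSAGE, msg.encode())] + ([(STATE, new_state)] if new_state else [])
            return encode(rcode, ident, sign_response(rcode, ident, auth, rattrs, secret), rattrs)
        state = a.get(STATE)
        if state is None:
            if users.get(a.get(USER_NAME, b"").decode(errors="replace")) != pwd:
                return reply(ACCESS_REJECT, "Invalid credentials")
            state = secrets.token_bytes(8)
            sessions[state] = "factor"
            return reply(ACCESS_CHALLENGE, "Select 1 for Verify, 2 for Push", state)
        stage = sessions.pop(state, None)
        if stage == "factor" and pwd == "2":
            return reply(ACCESS_ACCEPT, "Push approved")
        if stage == "factor" and pwd == "1":
            sessions[state] = "totp"
            return reply(ACCESS_CHALLENGE, "Enter Okta Verify code", state)
        if stage == "totp" and pwd == totp:
            return reply(ACCESS_ACCEPT, "Code accepted")
        return reply(ACCESS_REJECT, "Verification failed")
    return handle
```

A Push login is authenticate(agent, "btuapi@btlab.com", pwd, b"btlab16*", answers) with pwd and answers taken from split_factor_answer("myPassword,2"); it returns (True, transcript) where the transcript is an Access-Challenge carrying the factor prompt followed by Access-Accept. Option 1 adds a second challenge for the six-digit code. The State attribute must be echoed on every follow-up request, which is what ties the factor answer to the password round, and the authenticator check is what distinguishes a mistyped shared secret from a genuine rejection.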
