Applies To
RSA Product Set: SecurID, NetWitness Logs and Packets (formerly Security Analytics)
RSA Product/Service Type: Authentication Manager, Security Analytics UI
RSA Version/Condition: RSA Authentication Manager 8.2, RSA Security Analytics 10.6.1.1
Platform: SUSE Enterprise Linux/CentOS
Issue
This article describes how to integrate RSA NetWitness Logs and Packets with RSA SecurID so that logins to the RSA Security Analytics user interface are protected by two-factor authentication.
Resolution
This topic explains how to configure RSA Security Analytics to use Pluggable Authentication Modules (PAM) with RADIUS to authenticate external user logins.
PAM login capability involves two separate components:
Pluggable Authentication Module
PAM is a Linux-provided library responsible for authenticating users against authentication providers such as RADIUS.
Name Service Switch
NSS is a Linux feature that provides databases which the operating system and applications use to look up information such as hostnames; user attributes such as the home directory, primary group and login shell; and the list of users that belong to a given group. Like PAM, NSS is configurable and uses modules to interact with different types of providers.
RSA Security Analytics uses the OS-provided NSS capabilities to authorize external PAM users: after PAM has authenticated the user, SA looks up whether the user is known to NSS and then requests from NSS the groups of which that user is a member. SA compares the result with the RSA Security Analytics External Group Mapping and, if a matching group is found, the user is granted access to log on to SA with the roles defined for that group in the External Group Mapping. If no group matches, the login is refused even though RADIUS authentication succeeded.
Configure the PAM module - RADIUS
Check whether the pam_radius_auth package is already installed on the Security Analytics server:
[root@ ~]# rpm -qa | grep pam_radius_auth
If the pam_radius_auth package is not available, use the following command to install the required PAM RADIUS package:
yum --enablerepo=nwupdates install pam_radius_auth
Edit the pam_radius_auth server file (/etc/raddb/server, the module's default configuration file). Each active line lists one RADIUS server in the following format:
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
192.168.12.200:1812 <shared_secret> 10
NOTE: In the example above, the 127.0.0.1 loopback address is commented out, as is the other-server line. Add the IP address of the RSA Authentication Manager primary instance with the RADIUS port number (e.g., 192.168.12.200:1812), the RADIUS shared secret and a timeout value of 10. Because this file contains the shared secret, keep it readable by root only.
Add the following line to /etc/pam.d/securityanalytics so that the securityanalytics PAM service authenticates users against RADIUS:
auth sufficient pam_radius_auth.so
NOTE: Adding debug to the end of the line in the /etc/pam.d/securityanalytics file enables PAM debugging (e.g., auth sufficient pam_radius_auth.so debug). Remove the flag once troubleshooting is complete.
The PAM modules and associated services output information to /var/log/messages and /var/log/secure. These outputs can be used to assist in troubleshooting configuration problems.
This completes the PAM RADIUS configuration.
Adding a RADIUS Client and Associated Agent in the Authentication Manager Security Console
Configure and Test the NSS Service
No configuration is necessary to enable the NSS Unix module; it is enabled in the host operating system by default. To authorize a user for a specific group, simply add that user to the operating system and add them to a group.
adduser -G <groupname> -M -N <externalusername>
This creates the account without a home directory (-M) and without a private user group (-N), and adds it to <groupname>. No password is set, so the account cannot be used to log on to the RSA Security Analytics server console or command line; if you want to make this explicit, also give it a non-interactive shell (-s /sbin/nologin). The <externalusername> must match the user ID in the RSA Authentication Manager database.
This completes the configuration for NSS UNIX.
Verify that NSS can resolve the new user and that it is listed as a member of the mapped group:
[root@~]# getent passwd myuser
[root@~]# getent group <groupname>
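The PAM RADIUS configuration above and the NSS user check in this section can be scripted and verified together. The following is an added example written for this article, not RSA tooling: it writes to a scratch directory by default (export RADDB_SERVER_FILE=/etc/raddb/server and PAM_SERVICE_FILE=/etc/pam.d/securityanalytics to act on the real files as root), creates the server file root-only because it holds the RADIUS shared secret, appends the pam_radius_auth line only if it is missing, and reproduces the NSS authorization step SA performs (is the user known to NSS, and does one of its groups match an External Group Mapping entry). The EXTERNAL_GROUP_MAPPING variable is a constructed stand-in for the mapping configured in the SA UI.

```shell
#!/bin/sh
# Added example for this article; not RSA tooling. Paths default to a scratch
# directory so the script is safe to run anywhere. On an SA host, export
#   RADDB_SERVER_FILE=/etc/raddb/server
#   PAM_SERVICE_FILE=/etc/pam.d/securityanalytics
# (as root) to act on the real files.
set -u

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
RADDB_SERVER_FILE="${RADDB_SERVER_FILE:-$WORK_DIR/server}"
PAM_SERVICE_FILE="${PAM_SERVICE_FILE:-$WORK_DIR/securityanalytics}"

# Constructed stand-in for the External Group Mapping configured in the SA UI:
# space-separated "osgroup=Role1,Role2" entries.
EXTERNAL_GROUP_MAPPING="securid=Operators,Administrators"

# Write the pam_radius_auth server file with a single active entry for the
# Authentication Manager primary; the default loopback and other-server entries
# are kept commented out, as the article describes. The file carries the RADIUS
# shared secret, so it is created under umask 077 and left at mode 0600.
write_radius_server_file() {
    server="$1" secret="$2" timeout="$3"
    case "$server" in
        *:[0-9]*) ;;
        *) echo "server must be given as host:port, e.g. 192.168.12.200:1812" >&2; return 1 ;;
    esac
    case "$timeout" in
        ''|*[!0-9]*) echo "timeout must be an integer number of seconds" >&2; return 1 ;;
    esac
    (
        umask 077
        {
            printf '# server[:port]\tshared_secret\ttimeout (s)\n'
            printf '#127.0.0.1\tsecret\t1\n'
            printf '#other-server\tother-secret\t3\n'
            printf '%s\t%s\t%s\n' "$server" "$secret" "$timeout"
        } > "$RADDB_SERVER_FILE"
    ) && chmod 600 "$RADDB_SERVER_FILE"
}

# Number of active (uncommented) server lines that have the three required fields.
active_radius_servers() {
    awk '!/^[ \t]*#/ && NF == 3 { n++ } END { print n + 0 }' "$RADDB_SERVER_FILE"
}

# True when the server file is readable by root only (GNU stat, BSD fallback).
server_file_is_private() {
    mode=$(stat -c '%a' "$RADDB_SERVER_FILE" 2>/dev/null || stat -f '%Lp' "$RADDB_SERVER_FILE")
    [ "$mode" = "600" ]
}

# True when the PAM service file already authenticates via pam_radius_auth.
pam_radius_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_radius_auth\.so' \
        "$PAM_SERVICE_FILE" 2>/dev/null
}

# Append the pam_radius_auth line to the securityanalytics PAM service file,
# but only once. Set DEBUG=1 to add the module's debug flag while troubleshooting.
add_pam_radius_line() {
    line='auth    sufficient    pam_radius_auth.so'
    [ "${DEBUG:-0}" = "1" ] && line="$line debug"
    touch "$PAM_SERVICE_FILE"
    pam_radius_enabled || printf '%s\n' "$line" >> "$PAM_SERVICE_FILE"
}

# Mirror SA's NSS authorization step: the user must be known to NSS (getent),
# and one of the groups NSS reports for it (id -Gn) must match a mapping entry.
# Prints the mapped roles and returns 0 on success; returns 1 otherwise.
roles_for_user() {
    user="$1"
    getent passwd "$user" > /dev/null 2>&1 || return 1
    for g in $(id -Gn "$user"); do
        for m in $EXTERNAL_GROUP_MAPPING; do
            [ "${m%%=*}" = "$g" ] && { printf '%s\n' "${m#*=}"; return 0; }
        done
    done
    return 1
}
```

A typical run on the SA host is `write_radius_server_file 192.168.12.200:1812 '<shared_secret>' 10`, then `add_pam_radius_line`, then `roles_for_user myuser` to confirm the OS-side authorization before attempting a login from the UI; a user for whom roles_for_user returns 1 will be refused by SA even if the RADIUS authentication succeeds.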
Enabling PAM on the RSA Security Analytics Server
Once PAM is enabled, Active Directory authentication is automatically disabled; the Active Directory configuration settings are retained but hidden.
The external username must exist as a User ID in the Authentication Manager database with an authenticator assigned. Remember to have a real-time authentication activity monitor running when performing test authentications. To launch the monitor,
In this example, the operating system group named securid has Operators and Administrators as its mapped roles:
Notes
The RSA Security Analytics login cannot handle New PIN Mode or Next Tokencode Mode for RSA SecurID authentications.