This article is the third part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. The first part of this series discussed the value of this integration and walked through the end user experience at a high level. The second part of the series covered the pre-requisites, architecture, and setting up the Symantec VIP solution to act as the RADIUS server for this integration. Please review parts I and II before you read this article to get the full context of the integration and the value it provides to the business.
Part III will cover the following:
- Setting up Centrify Identity Platform to act as the RADIUS client to the Symantec Enterprise Gateway RADIUS server.
- Testing the MFA at portal login to ensure it uses Symantec VIP
- This posting is provided "AS IS" with no warranties and confers no rights.
- This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
- It's not meant for production design and does not address things like high availability and separation of duties.
- Production designs require planning for people, process and technology.
- Symantec VIP is a registered trademark of Symantec.
- The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible with this integration. It's always best practice to validate new versions of the software through official support channels.
- Please review the pre-requisites in part II of this blog series here.
This article focuses on the configuration of Symantec VIP to provide MFA (multi-factor authentication) for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access manager and the Centrify Identity platform. The article does not go into detail on how to set up the Centrify platform or Symantec VIP because there is a lot of documentation publicly available that covers these topics. This article also assumes that you read parts I and II of this series.
Let's get started by presenting the same diagram we showed you in part II as a refresher. We are going to be configuring the Centrify side of the diagram in this article.
- Let's set up the Centrify portal side of the integration. This step assumes you have a valid Centrify tenant created and you have already installed a Centrify connector that has a line of sight to your Symantec Enterprise Gateway server. Refer back to the architecture diagram above to see what I mean.
- Create a test Authentication profile that is going to use a 3rd party RADIUS server for authentication.
Give the authentication profile a name and select 3rd party RADIUS authentication as one of the challenges. Configure the profile to challenge for the VIP token first and the password second to prevent account lockouts.
- Next, create a connection to the Symantec RADIUS validation server that will be fulfilling the authentication request. You can do this under the Authentication section in Settings as shown below.
- Give the RADIUS server a name and enter the hostname or IP address of the Symantec Enterprise Gateway (which is going to be listening for RADIUS connections).
- Specify the RADIUS port that the RADIUS server is listening on and input the server secret that was used in the Symantec Enterprise Gateway configuration.
- Select a user identifier attribute of EmailAddress. The user identifier attribute is what enables Symantec Enterprise Gateway to look up your user to validate that they are entering the right code. So this setting is important to ensure the lookup occurs accurately. In my case, my user attribute mapped to my Symantec VIP service is my email address in my Active Directory.
- Note: You can use other user attributes and you can configure Symantec Enterprise Gateway to look up an attribute in AD directly. These alternate configuration options are not covered in this blog, but there is some flexibility in how you perform the user mapping between the two solutions.
At this point, you have created a Centrify authentication profile that will use a 3rd party RADIUS server (i.e. Symantec Enterprise Gateway) and you have also created a 3rd party RADIUS server connection (also Symantec Enterprise Gateway) that is listening for RADIUS authentication requests on the port that we specified. Next, we will create the Centrify authentication policy that will generate the authentication request when we want to use Symantec VIP for authentication.
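Before testing through the portal, it helps to confirm from the connector host that the RADIUS server connection is right: the gateway answers on the configured port, the shared secret matches (checked via the Response Authenticator), and the User-Name carries the EmailAddress identifier. The following minimal RADIUS client is an added example of mine, not Centrify or Symantec code; the NAS-Identifier label, the lab secret and any hostname you pass in are assumed placeholders.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute types

def _attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_encrypt(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, email, passcode, ident=1, authenticator=None):
    """Access-Request with User-Name = the EmailAddress identifier and User-Password = the
    VIP passcode (the AD password is a separate Centrify challenge and is not sent here)."""
    ra = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, email.encode())
             + _attr(USER_PASSWORD, pap_encrypt(secret, ra, passcode))
             + _attr(NAS_IDENTIFIER, b"centrify-connector-lab"))  # constructed label
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra  # keep ra to verify the reply

def verify_response(secret, request_authenticator, reply):
    """RFC 2865 section 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    False means the reply was forged or the secret differs from the gateway's configuration."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected

def build_reply(secret, request_authenticator, code, ident, attrs=b""):
    """The reply a RADIUS server would send; used here to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def send_test_request(host, port, secret, email, passcode, timeout=5):
    """Send one request over UDP; returns (accepted, authenticator_ok) for the reply."""
    packet, ra = build_access_request(secret, email, passcode)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        reply, _ = s.recvfrom(4096)
    return reply[0] == ACCESS_ACCEPT, verify_response(secret, ra, reply)
```

An Access-Reject that still verifies tells you the transport and secret are fine and only the user mapping or passcode is wrong; a reply that fails verification points at a shared-secret mismatch between the Centrify RADIUS server entry and the gateway.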
- Create a new policy that will challenge the user with the new authentication profile we created.
- Under Core Services, create a new policy and under policy settings, apply the policy to a test role in your environment. The members of this test role should have a Symantec VIP token available and registered in the VIP Access manager service. An example policy is shown below:
- Next, under the same policy, find the “Login Policies” section as shown below.
- You have the option of configuring a login policy for login to the Centrify portal, UNIX and Windows Servers, and Windows Workstations.
- We will configure the login policy for the Centrify Portal as an example. Simply enable authentication policy controls and define the Default Profile as the VIP authentication profile that we created earlier.
- NOTE: The Authentication Rules can further define when the user will be challenged using situational awareness. This is also known as adaptive authentication. You can use static rules (e.g. the user is not coming from my corporate IP) or you can use dynamic risk scores (e.g. the user is coming from the right IP and the same machine we registered with the user, but he is logging into an application he has never used before) to adaptively challenge the user for MFA. This is the real power of using the Centrify platform to drive the policy with a 3rd party MFA provider.
- Configure the User security policy to enable 3rd party RADIUS authentication as an available option for the users that this policy applies to.
- With this setting, you are telling Centrify that the specific users that this policy applies to are allowed to use the 3rd party RADIUS authentication server (Symantec VIP in this case). This ensures that not everyone is driven to this authentication server if they don't need to be.
Ok, that's it! Now you should be ready to test. Get your Symantec VIP token out, go to the Centrify portal login page and log in with your test user.
Press Next and you should see the option to log in with the Symantec VIP authenticator. Enter the passcode displayed by the Symantec VIP authenticator token.
Press Next and you will now be challenged for a password (since this is the order that we set in our authentication profile above).
Press Next after entering your password and voila! If everything worked, you should now be logged into the Centrify portal and you were able to authenticate with the Symantec VIP token for MFA. Now you can go about using single sign on to your corporate applications or go into the Administration section to manage your privileged identity management systems and resources.
Thanks for following along with this three-part blog series. To recap, this blog series walked through the process of using the Centrify Identity platform to drive the authentication policy that leveraged the Symantec VIP infrastructure for MFA. The benefit of this integration is that if you are a Symantec VIP customer, you can maximize your existing Symantec VIP tokens for MFA to provide identity assurance to applications and infrastructure by driving the policy through the Centrify identity platform. This allows you to use a common set of security policies to provide MFA for web applications, server login, workstation login, privilege elevation, password checkout, and much more. It also allows you to take advantage of the Centrify platform without having to rip and replace your existing MFA provider. I hope this blog was helpful.