MicroStrategy ONE
Enabling Two-Factor Authentication with MicroStrategy Identity to a VPN
You can provide an additional layer of security for users logging in to your virtual private network (VPN) by configuring MicroStrategy Identity to act as a second factor of authentication. For example, when users log in to your VPN, they enter their username and password, then enter a Badge Code provided by the MicroStrategy Badge app on their smartphone. In this example, the username and password are the primary factor of authentication, and the Badge Code on the user's smartphone is the secondary factor of authentication.
You can also add security to your VPN by requiring users to enter a phrase of their own choosing when authenticating the VPN connection through MicroStrategy Identity. This provides an additional layer of authentication for users logging in to your VPN.
Your VPN is integrated with MicroStrategy Identity through a RADIUS server that communicates between your VPN server and MicroStrategy Identity Server. The Identity component that integrates with the RADIUS server and performs this role is called the Identity Module.
After you configure two-factor authentication with MicroStrategy Identity, users logging in to your VPN must authenticate with the MicroStrategy Badge app, in addition to providing their username and password. You can turn off two-factor authentication, and permit users to log in to your VPN by providing their username and password only. For steps, see Turning On or Off Two-Factor Authentication with MicroStrategy Identity.
Setting up Two-Factor Authentication
Perform the following procedure to enable two-factor authentication to your VPN.
You are integrating MicroStrategy Identity with one of the following VPN configurations:
- Firewall hardware and software:
- Cisco ASA 5512 Adaptive Security Appliance with Cisco Adaptive Security Appliance Software version 9.2(2)4
- Cisco ASA 5520 Adaptive Security Appliance with Cisco Adaptive Security Appliance Software version 9.1(5)21
- VPN client software: Cisco AnyConnect Secure Mobility Client version 3.1.08009 (Windows or Mac)
- Firewall hardware and software: Pulse Secure (formerly Juniper Junos Pulse) Gateway MAG-2600 with Pulse Secure (formerly Juniper Junos Pulse) Secure Access Service 7.4R12 (build 31777)
- VPN client software:
- iOS: Juniper Junos Pulse 5.0.8.50589
- Android: Juniper Junos Pulse 5.0.8.50337
- Windows (64-bit): Pulse Secure 5.1.4 (60057)
- Windows (32-bit): Pulse Secure 5.1.4 (60057)
- To create the Identity Module for two-factor authentication, the machine that hosts the Identity Module must meet one of the following requirements:
- Red Hat® Enterprise Linux 6.5 operating system (64-bit)
- FreeRADIUS version 2.1.12
- Access to the Red Hat repository, to resolve missing dependencies
- SUSE® Linux Enterprise Server 11 SP1 operating system (64-bit)
- FreeRADIUS version 2.1.9
- To create a certificate signing request (CSR) to secure your connection, you must have a third-party tool to generate CSRs, such as the OpenSSL® utility.
- Users logging in to a VPN that requires two-factor authentication with MicroStrategy Identity must have the MicroStrategy Badge app and a valid badge on their smartphones. For steps to distribute badges to users in your network, see Distributing Badges to Users in Your MicroStrategy Identity Network.
To Create a Certificate Signing Request (CSR)
You enable private communication between the MicroStrategy Identity Server and MicroStrategy Identity components running locally on your system by configuring them to use SSL (secure sockets layer) encryption while communicating with each other. To do this, you must obtain an SSL certificate signed by MicroStrategy Identity. You generate the signed certificate by submitting a certificate signing request (CSR) through MicroStrategy Identity Manager to be signed by MicroStrategy Identity.
Use a third-party tool to create a certificate signing request (CSR) that meets the following requirements:
- RSA key size of at least 3072 bits
- Hash algorithm of SHA-256 or higher
- The CSR uses the following values:
- Organization Name: Usher
- Organizational Unit Name: Agent
You can create a certificate signing request (CSR) using the OpenSSL® utility. If you have installed MicroStrategy Identity on Windows, the OpenSSL utility is included. Alternatively, you can download the OpenSSL utility from https://www.openssl.org/community/binaries.html. On Linux, an openssl utility is included with many distributions.
The steps below contain only the information required to configure or use OpenSSL with MicroStrategy Identity. See the OpenSSL documentation for the latest information.
To Create a CSR Using OpenSSL
- Depending on your platform, do one of the following:
- Windows: Open a command prompt window as administrator, and navigate to the location where OpenSSL is installed.
- If you use the utility installed with MicroStrategy Identity, the default is C:\Program Files (x86)\Common Files\MicroStrategy\OpenSSL\openssl-1.0.2e\.
- If you installed the utility manually, the default is C:\OpenSSL-Win32\bin.
- Linux: Open a terminal window.
- To create a private key and certificate signing request (CSR), enter the following command:
openssl req -new -newkey rsa:rsaKeySize -shaHashAlgorithm -nodes -subj '/O=Usher/OU=Agent' -keyout KeyName.key -out CSRName.csr
where:
- rsa:rsaKeySize = the RSA key size. For example, enter rsa:3072 to create an RSA key size of 3072 bits.
- -shaHashAlgorithm = the hash algorithm. For example, enter -sha256 to use the SHA-256 hash algorithm.
- KeyName.key = the name that you want to give the private key file. By default, the private key file is created in the current location. To create the file in a different location, include the location path in the KeyName.key parameter.
- CSRName.csr = the name that you want to give the CSR file. By default, the CSR file is created in the current location. To create the file in a different location, include the location path in the CSRName.csr parameter.
For example:
openssl req -new -newkey rsa:3072 -sha256 -nodes -subj '/O=Usher/OU=Agent' -keyout UsherApp.key -out UsherApp.csr
A CSR (.csr) file and a private key (.key) file are created.
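As an added check that is not part of MicroStrategy's documentation, the following POSIX shell script wraps the command above: make_csr generates the key and CSR with the subject the page requires, and check_csr inspects the resulting CSR to confirm the key size (at least 3072 bits), the hash algorithm (SHA-256 or stronger) and the subject (O=Usher, OU=Agent) before you submit the CSR through Identity Manager. The function names, the UsherApp file names and the "--demo" switch are assumptions of this example; it requires the openssl command on the PATH.

```shell
#!/bin/sh
# Added example, not from the MicroStrategy documentation: create the key and
# CSR with the values the page requires, then verify the CSR before submitting
# it through Identity Manager. File names and sizes are the caller's choice.
set -eu

make_csr() {
    # $1 = base name for the .key and .csr files, $2 = RSA key size,
    # $3 = hash algorithm (e.g. sha256). Subject matches the page: O=Usher, OU=Agent.
    openssl req -new -newkey "rsa:$2" "-$3" -nodes \
        -subj '/O=Usher/OU=Agent' -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

check_csr() {
    # Print "ok" when the CSR meets the stated requirements (RSA >= 3072 bits,
    # SHA-256 or stronger signature, subject O=Usher/OU=Agent); otherwise
    # print the first failing check. Always returns 0 so callers compare the text.
    csr=$1
    text=$(openssl req -in "$csr" -noout -text)
    # "Public-Key: (3072 bit)" appears in both the 1.x and 3.x text output.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 3072 ]; then
        printf 'key too small: %s bits\n' "${bits:-unknown}"
        return 0
    fi
    if ! printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)WithRSAEncryption'; then
        printf 'hash algorithm weaker than SHA-256\n'
        return 0
    fi
    # RFC 2253 formatting prints the name without spaces, e.g. OU=Agent,O=Usher.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    case $subject in
        *O=Usher*OU=Agent*|*OU=Agent*O=Usher*) printf 'ok\n' ;;
        *) printf 'unexpected subject: %s\n' "$subject" ;;
    esac
}

demo() {
    # Generate UsherApp.key / UsherApp.csr in the current directory, as in the
    # page's example command, and report whether the CSR passes the checks.
    make_csr UsherApp 3072 sha256
    check_csr UsherApp.csr
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to produce UsherApp.key and UsherApp.csr and print the check result; a CSR generated with a smaller key or a weaker hash is reported by the failing check instead of "ok". The check only verifies the CSR itself; whether MicroStrategy Identity accepts it is decided when you submit it through Identity Manager.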
Next, configure your VPN server to use MicroStrategy Identity for two-factor authentication.
- To create the Identity Module, contact MicroStrategy at support@microstrategy.com. Inform the MicroStrategy representative that you want MicroStrategy to help set up an Identity Module for two-factor authentication when logging in to your VPN.
- Log into MicroStrategy Identity Manager.
- Click Logical Gateways.
- Under VPN Configuration, click the VPN icon.
- Click Create MicroStrategy Identity VPN Proxy.
- You can change the image that is displayed on your VPN login page. Next to the image preview, click Import An Icon. Select an image to display, then click Open.
- In the Enter Display Name field, enter a name to display on your VPN login page.
- From the MicroStrategy Identity Field drop-down list, select the Identity user field that maps users in the Identity Network to users in the VPN client's user repository, either Subject or Email.
- From the Verification Method drop-down list, select how users will authenticate with MicroStrategy Identity:
- Push Notification: When users attempt to log in with their username and password, they receive a smartphone confirmation message which contains their MicroStrategy Badge app installation link. They must use this confirmation message to verify their identity and finish logging in. This authentication method is available with MicroStrategy Cloud Platform for AWS or MicroStrategy Cloud Platform for Azure implementations.
- MicroStrategy Identity Security Token: On the VPN login page, users must enter the Badge Code displayed on the MicroStrategy Badge app on their smartphone.
- Code with Push Fallback: On the VPN login page, users can enter the Badge Code from the MicroStrategy Badge app on their smartphone. If they enter an incorrect Badge Code, or no code at all, they receive a smartphone confirmation message, which contains the MicroStrategy Badge app installation link. They must use this confirmation message to verify their identity and finish logging in. This authentication method is available with MicroStrategy Cloud Platform for AWS or MicroStrategy Cloud Platform for Azure implementations.
- Click Create.
- In the Configure MicroStrategy Identity VPN Proxy dialog box, click Download VPN Proxy Installer for Windows or Download VPN Proxy Installer for Linux, depending on your operating system.
- Click Done.
- Contact MicroStrategy at support@microstrategy.com for assistance.
By default, two-factor authentication is turned on. Users logging in to your VPN must authenticate with the MicroStrategy Badge app on their smartphone, in addition to providing their username and password.
Turning On or Off Two-Factor Authentication with MicroStrategy Identity
- Log into MicroStrategy Identity Manager.
- Click Logical Gateways.
- Under VPN Configuration, click Edit.
- Set the Enable VPN access with MicroStrategy Identity option:
- On — requires users to authenticate with MicroStrategy Identity in addition to providing their username and password.
- Off — allows users to log in with their username and password only.
- Review the confirmation message and click Yes.
- Click Save.
Related Topics
Creating a MicroStrategy Identity Network and Issuing an Administrator Badge
Managing Users from an IDM System that is Synchronized with MicroStrategy Identity