One would think that getting RSA NetWitness working with RSA SecurID in order to log in with RADIUS credentials would be a lot easier than it is. But then one would be wrong. When we initially went to set this up, I found a doc on RSA Link for setting up multiple forms of SSO/MFA authentication, but it was a long doc covering several things with many if/then blocks, and I don't feel it covered this sufficiently. So, I'm going to collect all of my notes here. The process is the same no matter which RADIUS server you are using. We use RSA SecurID at work, and I use Cisco ISE in the lab.
We'll begin by connecting to Node 0 either on the console or via an ssh session, and I'm going to assume that you already have a working NetWitness deployment. First you need to install the pam_radius_auth package:
yum install pam_radius_auth
Next, we'll edit the RADIUS configuration file. Load /etc/raddb/server in your preferred text editor and make the body of the file look like this. You can add as many external RADIUS servers here as you like; each line is server, shared secret and timeout in seconds.
# server[:port] shared_secret timeout (s)
# server secret 3
radserver1.firewallninja.info 12345 10
radserver2.firewallninja.info 12345 10
Next, we'll edit the PAM configuration files. If one or more of them doesn't exist, create it:
/etc/pam.d/securityanalytics
/etc/pam.d/netwitness
/etc/pam.d/sshd
In these files, add the single line:
auth sufficient pam_radius_auth.so
Copy the RADIUS library to the correct location:
cp /usr/lib/security/pam_radius_auth.so /usr/lib64/security
Then execute the following to set the correct ownership on the RADIUS configuration file (it holds the shared secret, so it should be owned by the netwitness account):
chown netwitness:netwitness /etc/raddb/server
Finally, let's add some groups and users. In this example, we'll create a group for administrators and a group for analysts. I'll add two users, alan and bob. These are the external RADIUS users whose credentials are controlled by your RADIUS server; the local accounts are created without home directories or private groups.
groupadd nw_admin
groupadd nw_analyst
adduser -G nw_admin -M -N alan
adduser -G nw_analyst -M -N bob
You can verify the users and groups with the following commands:
getent group nw_admin
getent group nw_analyst
getent passwd alan
getent passwd bob
Now log in to the GUI on Node 0. Navigate to Admin > Security > Settings and scroll down until you find the checkbox for PAM Authentication, then check it.
Map the Linux user groups to NetWitness user groups. This is the part that definitely needed more discussion in RSA's documentation.
Then add your user in the GUI (Admin > Security > Users) as a PAM user with the same user name as on the RADIUS server and on the Linux CLI. By setting the user's group at the CLI and mapping the CLI groups to the NetWitness groups, you've already set the user's level of access, so there's not much to enter here.
Once you're done, go back to the CLI and restart the jetty and sshd services for all of this to take effect:
systemctl restart jetty
systemctl restart sshd
At this point, you should be able to log in to either the GUI or the console with your RADIUS user.
Installing pam_radius_auth, modifying /etc/raddb/server, changing its ownership, copying the PAM library, editing /etc/pam.d/sshd and then adding the users and groups on the other servers in your deployment will allow them to use the same RADIUS users to authenticate via ssh.
And finally, you can add, remove or modify users at any time in the future without restarting any services. Add the user at the CLI while specifying the correct group, then add the same username in the GUI as a PAM user.
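Since the pam.d and /etc/raddb/server steps get repeated on every server, here is an added helper script (mine, not from the original write-up or RSA) that makes the PAM edit idempotent and checks the server file before restarting. The function names, the apply argument and the error messages are my own; it assumes the same paths and the netwitness account used above.

```shell
#!/bin/sh
# Added example, not from the original post. Makes the pam.d edit from the
# write-up idempotent and sanity-checks /etc/raddb/server before the restart.
# Paths and the owner uid are parameters so the functions can be tried on copies.

PAM_LINE='auth sufficient pam_radius_auth.so'

# Put PAM_LINE at the top of a pam.d service file (creating it if needed)
# unless it is already present. It goes first because a "sufficient" module
# cannot rescue the stack once an earlier "required" module has failed.
# Returns 0 when the file ends up with exactly one copy of the line.
add_pam_radius_line() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    if ! grep -qxF "$PAM_LINE" "$f"; then
        tmp="$f.tmp.$$"
        { printf '%s\n' "$PAM_LINE"; cat "$f"; } > "$tmp" && mv "$tmp" "$f"
    fi
    [ "$(grep -cxF "$PAM_LINE" "$f")" -eq 1 ]
}

# Check the RADIUS server file: at least one "server secret timeout" entry,
# owned by the expected numeric uid, and no permission bits for "other",
# since the file holds the shared secret. The return code says what failed.
check_radius_conf() {
    f="$1"; uid="$2"
    [ -f "$f" ] || return 1
    awk '!/^[[:space:]]*(#|$)/ && NF >= 3 { ok = 1 } END { exit (ok ? 0 : 1) }' "$f" || return 2
    [ "$(ls -ldn "$f" | awk '{ print $3 }')" = "$uid" ] || return 3
    case "$(ls -ld "$f" | cut -c8-10)" in ---) ;; *) return 4 ;; esac
    return 0
}

# Only touch the live system when invoked as: sh thisscript.sh apply
if [ "${1:-}" = apply ]; then
    for svc in securityanalytics netwitness sshd; do
        add_pam_radius_line "/etc/pam.d/$svc" || { echo "pam.d/$svc not updated"; exit 1; }
    done
    check_radius_conf /etc/raddb/server "$(id -u netwitness)" \
        || { echo "/etc/raddb/server failed check $?"; exit 1; }
    systemctl restart jetty sshd
fi
```

Run it without arguments to load the functions for testing on copies of the files; the apply argument edits the real files and restarts jetty and sshd.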