Reference Guide
Multi-Factor Authentication
Using MFA for HTTP/HTTPS Proxy
MFA can be used as an enhanced security level for HTTP proxies. When opening a web browser, the user is asked for their Kron PAM credentials to connect to the HTTP Proxy. After a successful login, if MFA is activated for HTTP Proxy, an MFA token is required. When using the Kron PAM Desktop Client, the MFA token is required when the user opens the webpage. To enable MFA for HTTP Proxy:
- Prerequisite: The admin and users have the QR code, have installed the Kron PAM mobile app and scanned the QR code with it, and MFA is enabled for the user group that will be using MFA for HTTP connections.
- Establish an SSH connection to Kron PAM as the pamuser user.
- Edit the proxy.properties file with the command:
      vi /u01/http-proxy/conf/http_proxy.properties
  Check the configuration file to see if the parameters below are already configured in it. If not, add the lines below. If there is a hash (#) sign in front of a parameter, delete the hash (#) sign to activate the parameter. If the parameter value is "false", change it to "true".
  To type or add anything in the vi editor, first press the Insert button on the keyboard, then type in the necessary line. Press Esc to exit typing mode. To save the file, press Esc, then a colon (:), type in wq! and press Enter. If you do not want to save the changes to the file, press Esc, then a colon (:), then type in q! and press Enter.
      http.proxy.otp.enabled=true
      http.proxy.connection.initial.otp.enabled=false
  The http.proxy.connection.initial.otp.enabled parameter is set to false by default. If this parameter is set to true, then after successful authentication to the HTTP Proxy, MFA will be requested regardless of the target device, provided the authenticated user is defined in a User Group that has MFA enabled.
- Restart the HTTP Proxy with the command: systemctl restart pam-http
After these steps, OTP will be required at the next HTTP Proxy login.
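The same edit in a scripted, repeatable form, with a check that can be used to audit the setting afterwards. This is an added example, not Kron's own tooling: the function names and the .bak backup suffix are assumptions, while the file path, parameter names and restart command are the ones given above.

```shell
#!/bin/sh
# set_prop FILE KEY VALUE: activate a commented "#KEY=..." line, rewrite an
# existing KEY=... line, or append KEY=VALUE when the key is absent.
set_prop() {
    file=$1 key=$2 value=$3
    # Escape dots so the key is matched literally, not as a regex wildcard.
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${pat}[[:space:]]*=" "$file"; then
        tmp=$(mktemp) || return 1
        sed -E "s|^[[:space:]]*#?[[:space:]]*${pat}[[:space:]]*=.*|${key}=${value}|" \
            "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    # Key absent: make sure the file ends with a newline before appending.
    [ -n "$(tail -c 1 "$file")" ] && echo >> "$file"
    printf '%s=%s\n' "$key" "$value" >> "$file"
}

# enable_http_proxy_mfa FILE [INITIAL]
# INITIAL is the value for http.proxy.connection.initial.otp.enabled and
# defaults to false, the default stated in this guide.
enable_http_proxy_mfa() {
    conf=$1 initial=${2:-false}
    # Keep one rollback copy of the original file (assumed naming: FILE.bak).
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1
    set_prop "$conf" http.proxy.otp.enabled true || return 1
    set_prop "$conf" http.proxy.connection.initial.otp.enabled "$initial"
}

# mfa_enabled FILE: succeeds only if an active (uncommented) line sets
# http.proxy.otp.enabled to true. Usable as a post-change or audit check.
mfa_enabled() {
    grep -Eq '^[[:space:]]*http\.proxy\.otp\.enabled[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Usage on the Kron PAM host, as pamuser:
#   conf=/u01/http-proxy/conf/http_proxy.properties
#   enable_http_proxy_mfa "$conf" && mfa_enabled "$conf" && systemctl restart pam-http
```

Running it a second time leaves the file unchanged, and the .bak copy still holds the pre-change configuration for rollback.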
Enabling MFA for Website Access