Logon settings
Two-factor Authentication
To strengthen user logon security, Cloud Security Plus supports 2FA. Once enabled, Cloud Security Plus will require users to authenticate using one of the authentication mechanisms below.
Setting up 2FA
- Log in to Cloud Security Plus as an administrator.
- Navigate to Admin → Administration → Logon Settings.
- Click the Two-factor Authentication tab.
- Toggle the Two-factor Authentication switch to the ON position.
- Select the authentication methods of your choice from the list provided.
Note:
- If multiple authentication options are enabled, then the user will be asked to choose one at the time of logging in.
- Make sure you configure the authentication option you’ve chosen by entering all the required details.
- Click Save Settings.
I. Email Verification
When this option is selected, Cloud Security Plus sends a verification code via email to the user’s email address. The user has to enter the verification code to log in successfully.
Configuration steps:
- Configure mail server settings if not done already.
- Enter a Subject for the email.
- Enter the Message in the box provided.
- Click Save Settings.
Once enabled, users will be asked to enroll for 2FA by entering their email address during login.
II. SMS Verification
When this option is selected, Cloud Security Plus sends a verification code via SMS to the user’s mobile number. The user has to enter the verification code to log in successfully.
Configuration steps:
- Configure SMS server settings if not done already.
- Enter the Message in the box provided.
- Once you are done, click Save Settings.
Once enabled, users will be asked to enroll for 2FA by entering their mobile number during login.
III. Google Authenticator
Google Authenticator adds an extra layer of protection to the reset password and unlock account process. Once enabled, users will be required to enter a six-digit security code generated by the Google Authenticator app for identity verification.
Configuration Steps:
- Click Enable Google Authenticator.
- Click Save Settings.
Once enabled, users can enroll themselves for 2FA using the Google Authenticator app.
IV. RSA SecurID
RSA SecurID is a mechanism developed for performing 2FA for a user to a network resource. Users can use the security codes generated by the RSA SecurID mobile app, hardware tokens, or tokens received via mail or SMS to log in to Cloud Security Plus.
Configuration steps:
- Log in to your RSA admin console (e.g., https://<RSA machinename>.<domain DNS name>/sc).
- Go to Applications. Under Authentication Agents, click Add New.
- Add Cloud Security Plus server as an authentication agent and click Save.
- Go to Access. Under Authentication Agents, click Generate Configuration File.
- Download AM_Config.zip (Authentication Manager config).
- Extract sdconf.rec from the ZIP file.
- In Cloud Security Plus, under RSA SecurID configuration, click Browse and select the sdconf.rec file.
- Click Save Settings.
V. Duo Security
Duo Security is a two-step verification service that provides additional security while accessing applications. Users can use the six-digit security codes generated by the Duo mobile app or push notification to log in to Cloud Security Plus.
Configuration Steps:
- Log in to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com) or sign up for a new one and log in.
- Go to Applications. Click Protect an Application.
- Search for Web SDK. Click Protect this Application.
- Copy the Integration key, Secret key, and API hostname to Cloud Security Plus.
- Click Save Settings.
Note: Please make sure you select the exact username pattern you use in Duo Security.
Note: If you are using older versions of Internet Explorer, then add the API hostname (e.g., https://api-325d33c0.duosecurity.com) and admin console (e.g., https://admin-325d33c0.duosecurity.com) as a trusted or intranet site.
VI. RADIUS Authentication
Remote Authentication Dial-In User Service (RADIUS) is an industry standard client/server authentication protocol that enhances security by protecting networks from unauthorized access.
RADIUS-based 2FA for Cloud Security Plus can be configured in just two simple steps.
Configuration Steps:
Step 1: Integrate RADIUS with Cloud Security Plus
- Log in to the RADIUS server.
- Navigate to the clients.conf file (/etc/raddb/clients.conf).
- Add the following snippet to the clients.conf file.
    client CSPServerName {
        ipaddr = xxx.xx.x.xxx
        secret = <secretCode>
        nastype = other
    }
- Restart the RADIUS server.
Step 2: Configure Cloud Security Plus for RADIUS
- Select the RADIUS Authentication option.
- Enter the IP address or the name of the RADIUS server.
- Enter the port number for RADIUS authentication.
- Select the protocol used for RADIUS authentication from the drop-down list.
- Provide the security key that was added to the clients.conf file on the RADIUS server.
- Set the RADIUS user name pattern.
- Set the authentication request time-out duration.
- Click Save Settings.
Note: Username pattern is case-sensitive. Please make sure you select the exact pattern (uppercase or lowercase) you use in your RADIUS server.
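The clients.conf entry from Step 1 is where the shared secret and the permitted client address are set, so it is worth checking before the RADIUS server is restarted. The following is an added example, not part of the product or its documentation: it parses client blocks and flags unfilled placeholders, address ranges wider than a single host, and short secrets. The 16-character minimum follows the preference stated in RFC 2865; the function names and the character-variety check are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the snippet from Step 1 with its placeholders left unfilled.
SAMPLE = """
client CSPServerName {
    ipaddr = xxx.xx.x.xxx
    secret = <secretCode>
    nastype = other
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
PAIR_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)


def parse_clients(text):
    """Return {client_name: {key: value}} for every client block."""
    text = re.sub(r"^[ \t]*#.*$", "", text, flags=re.M)  # drop comment lines
    return {name: dict(PAIR_RE.findall(body))
            for name, body in CLIENT_RE.findall(text)}


def audit_client(settings, min_secret_len=16):
    """List problems found in one client entry (example policy, not the vendor's)."""
    problems = []
    try:
        net = ipaddress.ip_network(settings.get("ipaddr", ""), strict=False)
        if net.num_addresses > 1:
            problems.append("ipaddr covers more than one host")
    except ValueError:
        problems.append("ipaddr is not a valid address")
    secret = settings.get("secret", "").strip('"')
    if not secret or secret.startswith("<"):
        problems.append("secret is missing or still a placeholder")
    elif len(secret) < min_secret_len:
        problems.append("secret shorter than %d characters" % min_secret_len)
    elif len(set(secret)) < 8:
        problems.append("secret has low character variety")
    return problems


def audit(text):
    """Audit every client block in a clients.conf text."""
    return {name: audit_client(cfg) for name, cfg in parse_clients(text).items()}


if __name__ == "__main__":
    for client, issues in audit(SAMPLE).items():
        print(client, issues or "OK")
```

The same secret has to be entered as the security key in Step 2, so a change made here must be repeated in Cloud Security Plus.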
VII. Backup Verification Codes
Backup verification codes allow users to log in when they don’t have access to their phone or face issues with one of the 2FA methods. When enabled, a total of five codes will be generated. A code once used will become obsolete and cannot be used again. Users also have the option to generate new codes.
Enabling backup verification code:
- To enable backup verification code, put a check against the Backup Verification Code box at the bottom of the 2FA settings page.
- To view the codes, users need to go to the My Account profile icon in the top left corner, select the Two-Factor Authentication tab, and click the Manage backup verification codes link.
- Users can also download the codes as a text file, print them, have them delivered to their email address, or generate new codes.
Using the backup verification code to login:
- To use backup verification codes during login, users need to click the Use backup verification codes link on the Second-Factor Authentication page.
- On the backup verification code page, they need to enter one of their backup verification codes and click Verify Code to log in.
Managing users for 2FA:
As an admin, you can view which authentication method users have enrolled for and remove users’ enrollment for 2FA using the Manage Users option. To do so, follow the steps below:
- Under the Setup 2FA tab, click Enrolled Users.
- In the 2FA Enrolled Users pop-up, you can view the list of users enrolled for 2FA and the authentication method they have chosen.
- To remove a user, select the user and click the Delete icon.
To personalize 2FA method for users:
The users enrolled in 2FA can modify their preferred authentication method and manage trusted browsers by following the steps below:
- Go to the My Account profile icon in the top left corner.
- Select the Two-Factor Authentication tab.
- To modify the authentication mode, click Modify Authentication mode.
- To manage trusted browsers, click Manage Trusted Browsers.
Block Users Settings
This feature allows you to temporarily prevent users or technicians from logging in to Cloud Security Plus after the specified number of failed logons within a certain period.
Steps to block users:
- Log in to Cloud Security Plus. Navigate to Settings → Logon Settings and click the General tab.
- In Block User Settings, select the Block user after invalid login attempts option.
- In Invalid attempts limit, enter the maximum number of consecutive bad logons that you wish to permit. In the within field, enter the period within which the specified number of bad logon attempts must happen.
- Specify the time for which the user account must remain blocked in the Block user for field.
- Click Save.
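How the three Block User Settings fields interact is easier to judge with a model. The following is an added example, not the product's code: a sketch in which the block starts when the number of consecutive failures inside the window reaches the limit, which is an assumption about the product's behaviour. The class, function and user names are hypothetical, and the event lists are constructed.

```python
from collections import defaultdict, deque


class LogonBlocker:
    """Model of 'Block user after invalid login attempts' (illustrative only)."""

    def __init__(self, attempts_limit, within_secs, block_secs):
        self.attempts_limit = attempts_limit   # "Invalid attempts limit"
        self.within_secs = within_secs         # "within"
        self.block_secs = block_secs           # "Block user for"
        self.failures = defaultdict(deque)     # user -> recent failure times
        self.blocked_until = {}                # user -> time the block ends

    def is_blocked(self, user, now):
        until = self.blocked_until.get(user)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(user, None)     # block has expired
        return False

    def record(self, user, success, now):
        """Register one logon attempt; return True if the logon is allowed."""
        if self.is_blocked(user, now):
            return False                       # refused even with valid credentials
        fails = self.failures[user]
        if success:
            fails.clear()                      # only consecutive failures count
            return True
        fails.append(now)
        while fails and now - fails[0] > self.within_secs:
            fails.popleft()                    # forget failures outside the window
        if len(fails) >= self.attempts_limit:
            self.blocked_until[user] = now + self.block_secs
            fails.clear()
        return False


def replay(blocker, events):
    """Feed (time_secs, user, credentials_ok) events; return the allow decisions."""
    return [blocker.record(user, ok, t) for t, user, ok in events]


# Constructed events: three failures in 20 s, then valid logons at 30 s and 320 s.
BURST = [(0, "alice", False), (10, "alice", False), (20, "alice", False),
         (30, "alice", True), (320, "alice", True)]
# Constructed events: the same three failures spread over 100 s.
SLOW = [(0, "bob", False), (50, "bob", False), (100, "bob", False),
        (110, "bob", True)]
```

With a limit of 3, a window of 60 seconds and a block of 300 seconds, the burst blocks the account until second 320, while the spread-out failures never trigger the block, so the window should be sized against the failure rates you expect to see in logon logs.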