diff options
author | tombil <toma.bilius@enea.com> | 2021-10-05 18:31:35 +0300 |
---|---|---|
committer | Toma Bilius <Toma.Bilius@enea.com> | 2021-10-14 10:42:18 +0100 |
commit | 770f7438e2c6bd813fa8436db65c3e913b4b0139 (patch) | |
tree | bcce774b4a83c403401122419fd0d3b3e4b3d69d | |
parent | 7f0300cf95ac8f5592a6c43792b5b6470b69aaaf (diff) | |
download | nfv-access-documentation-770f7438e2c6bd813fa8436db65c3e913b4b0139.tar.gz |
USERDOCAP-721 Documentation support for MFA feature
Change-Id: I7410824c38166c1a66ffd32cbfb5728c607b744c
Signed-off-by: tombil <toma.bilius@enea.com>
-rw-r--r-- | doc/book-enea-edge-getting-started/doc/book.xml | 5 | ||||
-rw-r--r-- | doc/book-enea-edge-getting-started/doc/security.xml | 129 |
2 files changed, 133 insertions, 1 deletions
diff --git a/doc/book-enea-edge-getting-started/doc/book.xml b/doc/book-enea-edge-getting-started/doc/book.xml index e74ac85..9585329 100644 --- a/doc/book-enea-edge-getting-started/doc/book.xml +++ b/doc/book-enea-edge-getting-started/doc/book.xml | |||
@@ -38,8 +38,11 @@ | |||
38 | 38 | ||
39 | <xi:include href="submaps.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> | 39 | <xi:include href="submaps.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> |
40 | 40 | ||
41 | <xi:include href="security.xml" | ||
42 | xmlns:xi="http://www.w3.org/2001/XInclude" /> | ||
43 | |||
41 | <xi:include href="grafana.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> | 44 | <xi:include href="grafana.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> |
42 | 45 | ||
43 | <xi:include href="troubleshooting.xml" | 46 | <xi:include href="troubleshooting.xml" |
44 | xmlns:xi="http://www.w3.org/2001/XInclude" /> | 47 | xmlns:xi="http://www.w3.org/2001/XInclude" /> |
45 | </book> \ No newline at end of file | 48 | </book> |
diff --git a/doc/book-enea-edge-getting-started/doc/security.xml b/doc/book-enea-edge-getting-started/doc/security.xml new file mode 100644 index 0000000..9b8ec14 --- /dev/null +++ b/doc/book-enea-edge-getting-started/doc/security.xml | |||
@@ -0,0 +1,129 @@ | |||
1 | <?xml version="1.0" encoding="ISO-8859-1"?> | ||
2 | <chapter id="security"> | ||
3 | <title>Security</title> | ||
4 | |||
5 | <section id="mfa_security"> | ||
6 | <title>Authenticating using Multi-Factor Authentication</title> | ||
7 | |||
8 | <para>Enea Edge Management provides the ability to authenticate using the MFA | ||
9 | authentication method. This is offered as a two-step procedure: first, the | ||
10 | user enters the local user/password credentials. Then the security token generated | ||
11 | by Google Authenticator must be introduced. This is based on a shared secret between the | ||
12 | Enea Edge Management and the Google Authenticator applications. The shared secret is a | ||
13 | 32 character long string that is presented to the user upon first login as a character | ||
14 | sequence and a QR code. | ||
15 | </para> | ||
16 | |||
17 | <section id ="config_mfa"> | ||
18 | <title>Configuring User MFA</title> | ||
19 | |||
20 | <para>The administrator must enable MFA authentication for the | ||
21 | desired new user by:</para> | ||
22 | |||
23 | <orderedlist> | ||
24 | <listitem> | ||
25 | <para>Accessing the <emphasis role="bold">Security</emphasis> tab.</para> | ||
26 | </listitem> | ||
27 | |||
28 | <listitem> | ||
29 | <para>Accessing the <emphasis role="bold">Configuration</emphasis> menu.</para> | ||
30 | </listitem> | ||
31 | |||
32 | <listitem> | ||
33 | <para>Selecting the <emphasis role="bold">Add</emphasis> option, entering the | ||
34 | details for the new user and then enabling the | ||
35 | <emphasis role="bold">Enable MFA Login</emphasis> checkbox.</para> | ||
36 | </listitem> | ||
37 | </orderedlist> | ||
38 | |||
39 | <para>It is also possible to enable/disable MFA for existing users by selecting | ||
40 | the user and checking/unchecking the Enable MFA Login checkbox in the | ||
41 | right-hand side panel. Disabling MFA for a user will also clear the | ||
42 | secret from the database, therefore upon reenabling it the user will be | ||
43 | asked to configure a new shared secret. For more details on how to configure | ||
44 | a new shared secret, please see the following section.</para> | ||
45 | |||
46 | |||
47 | <note><para>All MFA information for enabled users will be preserved upon upgrading the | ||
48 | Enea Edge Management application.</para></note> | ||
49 | </section> | ||
50 | |||
51 | <section id="security_authentication"> | ||
52 | <title>Security Authentication</title> | ||
53 | |||
54 | <para>Before the user logs in, there is no secret set in the Enea Edge | ||
55 | Management database. Initially, the user will enter his credentials as | ||
56 | in a normal, local authentication. He will then be redirected to a | ||
57 | second page that presents the secret as a QR code, that he must scan | ||
58 | using the Google Authenticator application. The secret is also presented | ||
59 | in clear text ready for copying and manual entry, in case scanning | ||
60 | the QR code does not work.</para> | ||
61 | |||
62 | <para>Once the scanning or manual entry is completed successfully, the | ||
63 | Edge Management and Google Authenticator applications have the same | ||
64 | secret configured. The Authenticator application will then offer a security | ||
65 | token as a six digit number that the user must enter on the same page, | ||
66 | in the Enea Edge Management application. If the token is correct, | ||
67 | authentication is successful. The six digit token is available for a maximum of | ||
68 | 30 seconds.</para> | ||
69 | |||
70 | <para>Once the initial login succeeds and the secret is saved in the | ||
71 | database, subsequent logins will still be done using a two-step method. | ||
72 | The user will provide first his classic credentials, and then, on the | ||
73 | second page he will enter the token as generated by Google | ||
74 | Authenticator, this time, however, the secret will no longer be | ||
75 | displayed.</para> | ||
76 | |||
77 | <note> | ||
78 | <para>If the shared secret is ever lost, it can always be regenerated, but | ||
79 | only upon request to the administrator. It is done by accessing | ||
80 | the <emphasis role="bold">Security</emphasis> tab, selecting | ||
81 | the <emphasis role="bold">Configuration</emphasis> menu and choosing | ||
82 | the user, and on the right-hand side panel unchecking the | ||
83 | <emphasis role="bold">Enable MFA Login</emphasis> checkbox. Then | ||
84 | pressing the <emphasis role="bold">Apply</emphasis> button, checking it | ||
85 | again, and clicking <emphasis role="bold">Apply</emphasis> one final time. When | ||
86 | the MFA Login is disabled, the secret is also erased from the database. | ||
87 | </para> | ||
88 | </note> | ||
89 | </section> | ||
90 | |||
91 | <section id="token_generators"> | ||
92 | <title>Supported Token Generators</title> | ||
93 | |||
94 | <para>Multi Factor Authentication in the Enea Edge Management application is | ||
95 | supported only for Google Authenticator. | ||
96 | </para> | ||
97 | |||
98 | <para>The time on the server hosting the Enea Edge Management application | ||
99 | and the device holding the Authenticatior application must be synchronized, | ||
100 | within an error margin of 30 seconds.</para> | ||
101 | </section> | ||
102 | |||
103 | <section id="mfa_limitations"> | ||
104 | <title>MFA Limitations</title> | ||
105 | |||
106 | <para>The following is a brief list of the limitations currently affecting | ||
107 | MF Authentication:</para> | ||
108 | |||
109 | <itemizedlist> | ||
110 | <listitem> | ||
111 | <para>Configuring MFA will only be possible using the Web interface, | ||
112 | and not the REST API.</para> | ||
113 | </listitem> | ||
114 | |||
115 | <listitem> | ||
116 | <para>Users with MFA enabled will not be able to log in using the | ||
117 | REST API. In this case, a <literal>401</literal> HTTP code will be | ||
118 | returned, with the <literal>EMS-Error</literal> header containing | ||
119 | the <literal>EMS_UserMFAEnabled</literal> error.</para> | ||
120 | </listitem> | ||
121 | |||
122 | <listitem> | ||
123 | <para>MFA authentication will not be supported using the RADIUS or | ||
124 | LDAP AAA methods.</para> | ||
125 | </listitem> | ||
126 | </itemizedlist> | ||
127 | </section> | ||
128 | </section> | ||
129 | </chapter> | ||