Configure Smart Card Authentication

Smart cards can be used for authentication when logging into BeyondInsight and Password Safe. Your network must already be configured to use smart card technology to use this feature.

This section is written with the understanding that you have a working knowledge of PKI, Certificate Based Authentication, and IIS. To configure smart card authentication for a user in BeyondInsight and Password Safe, follow the below steps.

Screenshot of Radius two-factor authentication Option on Configuration page.

  1. Select Configuration > Multi-factor Authentication > Smart Card two-factor authentication.

Screenshot of the option to enable Smart Card Authentication on the Configuration page.

  2. Click the toggle to Enable Smart Cards.
  3. Click the toggle to enable the Allow UPN Override On User option. This lets a BeyondInsight user whose smart card carries a different Subject Alternative Name log into BeyondInsight, and maps the smart card to that user.
  4. Click Update Smart Card Authentication.


Screenshot of User Account Setting to Override Smart Card User

You must also enable the Override Smart Card User setting for the user accounts that use smart cards to authenticate. The User Principal Name is also required. This can be set when creating a new user or editing an existing user.
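The check behind the Override Smart Card User setting, as an added PowerShell example (not part of the BeyondTrust documentation): it reads the UPN from a smart card certificate's Subject Alternative Name and compares it with the User Principal Name configured on the BeyondInsight user, so an administrator can see in advance which accounts need the override. It assumes the smart card certificates have been propagated to the CurrentUser\My store on the workstation, and the UPN `jdoe@corp.example` is a placeholder.

```powershell
# Added example, not BeyondTrust code. Reads the UPN carried in a certificate's SAN and
# compares it to the UPN set on the BeyondInsight user to decide whether Override Smart
# Card User (and Allow UPN Override On User) is required for that account.
function Get-CertificateUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # 2.5.29.17 is the Subject Alternative Name extension; the UPN is its "Principal Name" other-name.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }

    # Format($true) renders the extension as text, e.g. "Other Name:`r`n     Principal Name=user@corp.example"
    $text = $san.Format($true)
    if ($text -match 'Principal Name=([^\r\n,]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-SmartCardUpnMatch {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # The User Principal Name configured on the BeyondInsight user account.
        [Parameter(Mandatory)][string]$BeyondInsightUpn
    )
    $certUpn = Get-CertificateUpn -Certificate $Certificate
    [pscustomobject]@{
        Thumbprint       = $Certificate.Thumbprint
        Subject          = $Certificate.Subject
        CertificateUpn   = $certUpn
        BeyondInsightUpn = $BeyondInsightUpn
        # Case-insensitive comparison. A mismatch (or a certificate with no UPN in its SAN)
        # means the account needs Override Smart Card User enabled for the login to map.
        OverrideRequired = ($null -eq $certUpn) -or ($certUpn -ine $BeyondInsightUpn)
    }
}

# Usage: consider only certificates carrying the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2).
$smartCardCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' }

foreach ($cert in $smartCardCerts) {
    # 'jdoe@corp.example' is a placeholder; use the UPN set on the BeyondInsight user.
    Test-SmartCardUpnMatch -Certificate $cert -BeyondInsightUpn 'jdoe@corp.example' | Format-List
}
```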


Screen Capture of Verify BeyondInsight Personal Certificate

During the BeyondInsight installation, self-signed certificates are created for client and server authentication. These certificates are placed in your Personal > Certificates store and show as Issued By eEyeEmsCA.

To authenticate using smart cards, the server where BeyondInsight is running also requires a certificate issued and signed by a certificate authority (CA). Verify that your BeyondInsight server has the correct certificates issued before continuing.

During the BeyondInsight installation, a self-signed web server certificate is created. This certificate must be replaced with a CA-issued certificate.

To verify you have a CA-signed certificate issued to the web server:

  1. Open IIS.

    Screen Capture of Select Web Server in IIS

  2. Select your web server.

Screen capture of selecting Server Certificates in IIS

  3. Select Server Certificates.

Screen Capture to Verify Issued Domain Certificate in Server Certificate

  4. Verify you have a CA-issued certificate. If you do not see one listed, request one from your certificate authority.


Once you have a CA-issued certificate in place, you must edit the bindings of the Default Web Site, replacing the self-signed certificate.

  1. Open IIS.
  2. Expand Sites, and then select Default Web Site.

    Screen capture of selecting the Edit Bindings Option for Default Web Site in IIS

  3. Right-click Default Web Site, and then select Edit Bindings.

    screenshot of the Site Bindings window

  4. Select https, and then click Edit.

    Screen capture of selecting the issued domain SSL Certificate in the Edit Site Bindings Window

  5. Select the issued domain certificate in the SSL certificate list, and then click OK.


The next step is to select the domain-issued certificate in the BeyondInsight Configuration tool.

Screen capture of selecting the domain issued SSL Certificate in BeyondInsight Configuration Tool

  1. Open the BeyondInsight Configuration tool. The default path is: C:\Program Files (x86)\eEye Digital Security\Retina CS\REMEMConfig.exe.
  2. Scroll to Web Service.
  3. From the SSL Certificate menu, select the Domain Issued certificate.
  4. Click Apply.
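A scripted version of the IIS verification above (the Server Certificates check and the Default Web Site https binding), as an added PowerShell example that is not part of the BeyondTrust documentation: it looks up the certificate bound to the site's https binding and reports whether it is still the installer's self-signed certificate, lacks the Server Authentication EKU, chains to an untrusted issuer, or is close to expiry. It assumes the IIS WebAdministration module is available and that the script runs elevated on the BeyondInsight server; the certificate selected in the Configuration tool must still be checked by hand.

```powershell
# Added example, not BeyondTrust code. Verifies the certificate behind the Default Web Site
# https binding is CA-issued and usable for TLS before smart card logon is enabled.
Import-Module WebAdministration

function Test-BeyondInsightWebCertificate {
    param(
        [string]$SiteName = 'Default Web Site',
        [int]$WarnDaysBeforeExpiry = 30
    )
    # Get-WebBinding exposes the thumbprint of the bound certificate as certificateHash.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) {
        return [pscustomobject]@{ Site = $SiteName; Thumbprint = $null; Status = 'NoHttpsBinding' }
    }

    $thumbprint = $binding.certificateHash
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Site = $SiteName; Thumbprint = $thumbprint; Status = 'CertificateNotInStore' }
    }

    $issues = @()
    # Self-signed (issuer equals subject) or issued by the installer's eEyeEmsCA: must be replaced.
    if ($cert.Subject -eq $cert.Issuer -or $cert.Issuer -match 'eEyeEmsCA') { $issues += 'SelfSignedOrInstallerIssued' }
    # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU a TLS server certificate needs.
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') { $issues += 'NoServerAuthEku' }
    # Verify() builds the chain; it fails when the issuing CA is not trusted on this server.
    if (-not $cert.Verify()) { $issues += 'ChainNotTrusted' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDaysBeforeExpiry)) { $issues += 'ExpiresSoon' }

    [pscustomobject]@{
        Site       = $SiteName
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Status     = if ($issues.Count -gt 0) { $issues -join ',' } else { 'OK' }
    }
}

# Usage: anything other than Status = OK means the binding still needs attention.
Test-BeyondInsightWebCertificate | Format-List
```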


Screen capture of Smart Card PIN Login Window

With the correct certificates applied, you can open the BeyondInsight console or go to https://<servername>/WebConsole/PasswordSafe, where you are prompted to select your certificate and enter your PIN. You are logged in over a secure, encrypted connection.

Configure Two-Factor Authentication Settings for User Accounts

Two-factor authentication can be configured for Local, Active Directory, and LDAP user accounts as follows:

  1. From the left navigation pane in the console, select Configuration.
  2. Under Role Based Access, select User Management.

Configure user account for two-factor authentication - edit user details.

  3. Select the user.
  4. Click the More Options icon, and then select Edit User Details.
  5. On the Edit User page, select RADIUS from the Two Factor Authentication list.
  6. From the Map Two Factor User list, select one of the options listed. The selected option maps the account to a user on the RADIUS server. The options displayed in the list depend on the type of user account being edited.
    •  Local BeyondInsight Users options:
      • As Logged in: Use the BeyondInsight user account login.
      • Manually Specified: Enter the username the user enters when logging in.


    Screenshot of Two Factor User Account Details Active Directory User Options

    •  Active Directory and LDAP Users options:

      • SAM Account Name: This is the default value.
      • Manually Specified: This is the username the user enters when logging in.
      • Alternate Directory Attribute: This is the Active Directory or LDAP attribute that you set above when configuring the RADIUS server.
      • Distinguished Name: This is a combination of common name and domain component.
      • User Principal Name: This is a combination of user account name (prefix) and DNS domain name (suffix), joined using the @ symbol.

The information for Active Directory and LDAP user settings is retrieved from the corresponding setting in the directory for the user account logging in.

  7. Click Update User.