Network Virtualization: Two-Factor Authentication with VMware NSX-T

In a previous post, I covered how to integrate NSX-T with VMware Identity Manager (vIDM) to achieve remote user authentication and role-based access control (RBAC) for users registered with a corporate Active Directory (AD).

On this post, I’m showing how add two-factor authentication (2FA) for NSX-T administrators/operators on top of that existing integration. Two-factor authentication is a mechanism that checks username and password as usual, but adds an additional security control before users are authenticated. It is a particular deployment of a more generic approach known as Multi-Factor Authentication (MFA).

Throughout this post, I’m providing step-by-step guidance on how to use VMware Verify as that second authentication. I will also highlight what would be different if using third party mechanisms. At the end of the post, you will find a demo showing how to do the configuration and how users authenticate once 2FA is enabled.

What is VMware Verify? Let me quote what my colleague Vikas Jain wrote on this post: “VMware Verify uses modern mobile push tokens, where users get a push notification on their mobile device that they can simply accept or deny. When the user’s device does not have cellular reception, such as in airplane mode when traveling, the user can open the Verify app and use a one-time passcode (aka soft token). Also, if you have users with flip phones, they can receive a one-time passcode over SMS. These three methods cover all types of scenarios, ensuring that the right user can always log in.”

By using VMware Verify, security is increased since a successful authentication does not depend only on something users know (their passwords) but also on something users have (their mobile phones), and for a successful break-in, attackers would need to steal both things from compromised users.

Please note that VMware Identity Manager also integrates with SecurID and RSA Adaptive Authentication. Check the latest information about third party integrations on the vIDM documentation.

Lab details

Once the background is set, let’s go to the details. Let me start by describing the lab environment:

NSX-T version 2.1.0
vIDM version 3.0.0.0 (see note below), integrated with Active Directory
Remote user authentication and access control configured as described on my previous post
An additional user created in AD ([email protected]) that I’ll use to show the two-factor authentication

Note: Please be aware that, at the moment of writing this post, vIDM 3.0.0 is not yet fully validated for its integration with NSX-T. Thus, for a production environment, use the vIDM approved versions 2.9.1 or 2.9.2. Always check VMware Product Interoperability Matrices for the up-to-date information regarding product interoperability.

Process overview

The process to configure two-factor authentication comprises the following steps:

Configure VMware Verify (or your RSA Adaptive Authentication or SecurID servers)
Create a vIDM connector (not required for VMware Verify)
Create/Configure a vIDM built-in provider
Update Access Policies configuration
Download the app in your mobile and register your user details
First login into VMware NSX-T
Subsequent logins into VMware NSX-T

1. Configure VMware Verify

Note: This step applies to VMware Verify only. If you are using RSA Adaptive Authentication or SecurID, follow the vendor instructions to set up the required servers appropriately.

VMware Verify is provided as-a-service, and thus, it does not require to set any on-premise server. To enable VMware Verify, you must contact VMware or Airwatch support. They will provide you a security token which is all you need to enable the integration with vIDM.

Once you get the token, login into vIDM as an admin user and then:

Click on the Identity & Access Management tab
Click on the Manage button
Select Authentication Methods
Click on the configure icon (pencil) next to VMware Verify

A new window will pop-up, on which you need to select the Enable VMware Verify checkbox, enter the security token provided by VMware or Airwatch support, and click on Save.

After that, you will be taken to the previous screen where the status of VMware Verify will now show as Enabled.

2. Create a vIDM connector (not required for VMware Verify)

Note: This is step does not apply to VMware Verify. If it is the solution you are configuring, please continue to step 3.

Once RSA Adaptive Authentication or RSA servers are properly configured, it is required to configure the corresponding vIDM connectors. For that, access vIDM as an admin user and then:

Select the Identity & Access Management tab
Click on the Setup button
Click on the Connectors link
Under the Worker column, select the connector to configure

You will be then taken to a new page. Click on Auth Adapters, and then select either RSAAAIdpAdapter or SecurIDIdpAdapter, depending on which one you want to configure:

A new window will open, on which you’ll be asked to enter details specific to your RSA Adaptive Authentication or RSA SecurID deployment. Complete as required and click on Save. For further details, please review VMware Identity Manager documentation:

Configure RSA SecurID Authentication https://docs.vmware.com/en/VMware-Identity-Manager/3.1/idm-administrator_aw/GUID-44831BB9-2B15-4A56-A5D7-25BA385FABE6.html
Configure RSA Adaptive Authentication in Identity Manager https://docs.vmware.com/en/VMware-Identity-Manager/3.1/idm-administrator_aw/GUID-0AF110E2-0F36-4527-8366-5F10608A9219.html

3. Create/Configure a vIDM built-in provider

Note: This step applies to VMware Verify and RSA Adaptive Authentication. If you are using RSA SecurID, move on to step 4.

Once the second authentication factor is enabled as described on steps 1 and 2, it must next be added as an authentication method to a vIDM built-in provider. If in your environment already exists one, you can re-configure it. Alternatively, you can create a new built-in identity provider as explained below.

Select the Identity & Access Management tab
Click on the Manage button
Click on the Identity Providers link
Click on the Add Identity Provider button and select Create Built-in IDP

This will take you to a new page where you must provide the following details:

A meaningful name describing the Identity Provider (IdP) being created
Which users can authenticate using the IdP – In the example below I am selecting the AD that was added on my previous blog
Network ranges from which users will be directed to the authentication mechanism described on the IdP
The authentication methods to associate with this IdP – In the example, I am selecting VMware Verify.
Click on the Add button

4. Update Access Policies configuration

Note: This step applies to VMware Verify, RSA Adaptive Authentication and RSA SecurID.

The last configuration step on vIDM is to update the default access policy to include the second factor authentication mechanism. For that, login into vIDM as an admin user and then:

Select the Identity & Access Management tab
Click on the Manage button
Click on the Policies link
Click on the Edit Default Policy button

This will take you to a new page showing the details of the default access policy. Scroll down to find the Policy Rules section. On the rule for Web Browser, click on the hyperlink in the Authentication Method column.

A new window will pop-up. Modify as follows the settings right below the line then the user may authenticate using the following method…:

Select Password as the first authentication method – This way users will have to enter their ID and password as defined on the configured Active Directory
Click on the green cross to add a second authentication mechanism. In the example, I am adding VMware Verify – This will make that after a successful password authentication, users will get a notification on their mobile phones to accept or deny the login request (see next steps for details)
I am leaving empty the line If preceding Authentication Method fails or is not applicable, then: – This is because I don’t want to configure any fallback authentication mechanism. In case there were issues, admins can always leverage NSX local user IDs.

If you are using a third party method, configure the authentication options accordingly.

5. Download the app in your mobile and register your user details

Note: This step applies to VMware Verify only. If using third party authentication methods, review their documentation.

Access the app provider on your mobile phone. Search for VMware Verify and download it.

Once it is downloaded, open the application. It will ask for your mobile number and e-mail address. Enter your corporate details. On the screenshot below, I’m providing my mobile number (partially hidden for privacy) and an e-mail which is only valid in my lab.

After clicking OK, you will be provided two options for verifying your identity:

Receiving and SMS message – with a code you can enter on the app and a confirmation link you can click instead
Receiving a Phone Call – after clicking on this option, the app will show a registration code you will need to type on the phone pad once you receive the call

Once your identity has been verified, you will be asked to protect the app by setting a PIN number. After that, the app will show there are not accounts configured yet.

At this moment, we are ready to move to the next step.

6. First login into VMware NSX-T

Once VMware Verify has been enabled, vIDM configured and the mobile app installed and set, it is finally the time to login into NSX-T Manager using 2FA authentication.

Note: The following steps and screenshots are based on the integration between vIDM and VMware Verify. If you are using a third party provider, you may find differences.

Let’s start by navigating to the NSX Manager URL. Here, we simply click on the LOG IN button:

This will take us to the vIDM login page:

First, we need to select our domain – In the example below I am using corp.local, but you should enter your corporate domain
Second, you need to enter your credentials as defined on your domain server – This is the first authentication method

Next, we will be asked to enter the same phone number we used while configuring the VMware Verify mobile app. This way vIDM links the user ID with the corresponding mobile number. This step is only required on the first login after two-factor authentication is set up.

Immediately after that, we will start receiving tokens on the VMware Verify mobile app:

While at the same time, in our browser we are asked to enter such a token:

Step that finishes our first successful login with two-factor authentication, granting us access to NSX:

7. Subsequent logins into VMware NSX-T

Note: The following steps and screenshots are based on the integration of vIDM with VMware Verify. If you are using a third party provider, you may find differences.

As mentioned, the first login requires additional steps because it is used to register the user ID with the corresponding mobile number. Subsequent logins are simpler, leveraging VMware Verify OneTouch functionality.

Let’s navigate back to the NSX Manager URL. After clicking on LOG IN and entering our credentials as described on the previous step, we are asked to approve the authentication Request, but we are not asked to enter a token anymore:

At the same time, in our mobile app, we receive an approval notification:

By tapping on it, or on the OneTouch link in the top-left corner, we get access to the pending authentication requests. By clicking on each of the ones available, we can decide to approve or reject them. In our example, there is only one authentication request and we are going to approve it:

Once the request is approved, we are granted access to NSX:

Bonus: Resetting VMware Verify details for a user

After the first successful login using two-factor authentication, the user’s mobile number is stored in vIDM. If at some point the user changes his/her mobile number, it will be required to have that information updated. This requires to reset the existing information for the user, and then s/he will be required to follow the same process of the first login.

To reset the existing VMware Verify information for a user, access vIDM as an admin user and then: