• Home
• App Integrations
• MFA Integrations
• Two-Factor Authentication (2FA) for Edgecore

Two-Factor Authentication (2FA/MFA) for Edgecore

---

Two Factor Authentication (2FA) or Multifactor Authentication is the process of the authentication in which you have to provide two factors to gain the access. First Factor is the one that you know username and password and Second factor is what you might have as unique like a phone (For OTP) or Fingerprint. This additional layer prevents the unauthorized person from accessing the resources even if they know your username and password. miniOrange provides 15+ authentication methods and solutions for various use cases.

Enable Two-Factor Authentication (2FA)/MFA for Edgecore Client to extend security level.

1. Add the Tacacs Client in miniOrange

• Login into miniOrange Admin Console.
• Click on Customization in the left menu of the dashboard.
• In Basic Settings, set the Organization Name as the custom_domain name.
• Click Save. Once that is set, the branded login URL would be of the format https://<custom_domain>.xecurify.com/moas/login



• Go to Apps Click on Add Application button.



• Choose TACACS as Application type and click on Create App button.



• Click on Edgecore application tab. If you don't find your application click on Custom Tacacs Client application tab.



• Configure the below details to add Tacacs Client.




Client Name:	Any name for your reference.
Client IP:	IP address of network device which will send Tacacs authentication request.
Shared Secret:	Security key. For Eg. "sharedsecret" (Keep this with you, you will need to configure same on netwrok device).

• Click Next.
• Under the Attribute Mappings tab, enable the toggle if you want to Send Groups in response and then click Next



• Configure the following Policy details for the Tacacs Client.




Group Name:	Group for which the policy will apply.
Policy Name:	Any Identifier that specifies policy name.
Login Method	Login Method for the users associated with this policy.
Enable 2-Factor Authentication	Enables Second Factor during Login for users associated with this policy.
Enable Adaptive Authentication	Enables Adaptive Authentication for Login of users associated with this policy.

• After configuring the given above details, Click on Save button.
• Copy and save the Tacacs server IPs which will be required to configure your Tacacs client.


NOTE: For On-Premise version follow the below steps before testing the connectivity.



Only For On-Premise Version

Open Firewall Ports.

• In order to receive the Tacacs request, it is necessary to open UDP traffic on ports 1812 and 1813 for the machine where On-Premise IdP is deployed.
• If the hosting machine is a Windows Machine then you can follow this document.
• If the hosting machine is a Linux Machine then you can follow this document.

NOTE: If your machine is hosted on AWS, then enable the ports from the AWS panel.

2. Configure Authentication for Edgecore via TACACS

• Set the management IP on the switch ([Edgecore SONiC] Management and front port IPv4/IPv6 Address)
• Add the TACACS Server host to the switch
sudo config tacacs add <miniorange-server-ip>

• Set the TACACS authentication key
sudo config tacacs passkey <secretKey>

• Use tacacs+ database for user authentication
sudo config aaa authentication login local tacacs+
Note: Since the restriction, once the authentication priority of the "local" is higher than "tacacs+", Users may enable "fallthrough". sudo config aaa authentication failthrough enable

3 . Configure Authorization for Edgecore via TACACS

• Enable the TACACS+ Authorization.
sudo config aaa authorization tacacs+

Creating User Groups (Recommended)

• AD user group
• miniOrange user group

• This step involves Importing the user group from the Active Directory and Provisioning them.
• Go to Provisioning. Switch to Setup Provisioning tab and select Active Directory from Dropdown menu.



• Select Group Provisioning/Deprovisioning tab, and toggle on Import Group option.
• Enter the Base DN for group sync and click Save.



• If you want to dynamically allocate users to the groups present in the miniOrange, then enable "Assign Users to groups"



• Now switch to Import Groups option and select Active Directory from which you want to import your users.
• Finally, click on Import button. Your group will be imported.




(The Active Directory Group Provisioning (Sync) setup is done. Now, whenever a user is created or modified in LDAP server and if the Assign Users to groups is enabled, then user group attribute from the LDAP server will be automatically synced and the user group will be assigned or changed accordingly in miniOrange.)

• Select Groups >> Manage Groups from left panel.
• Click on the Create Group button on the top.



• Enter an appropriate Group Name and click on Create Group.



• In this guide we have created a Group by name VPN_Group.
• Assign various members to the group using the Assign User option associated with the group in the groups list.



• Select the Users that are required to be assigned to this group. Then Select Assign to Group in Select Action Dropdown and click on Apply button.



• These groups will be helpful in adding multiple 2FA policies on the applications.

8. Setup MFA for

• Here, we will configure a policy for the User Group that we created in this step and associate it with the VPN Application.
• Click on Policies tab >> App Login Policy.



• Click on Add Policy tab.
• In Application section, select the TACACS App that we configured earlier in Step 1.
• Select the required User Group in Group Name and enter the Policy name.
• In this guide, we will configure a Password Only policy for "VPN_Group", so that only the VPN_Group members can access VPN Services without a Second Factor.
• Once done with the policy settings, click on Save to Add Policy.

9. Test miniOrange 2FA for Edgecore Login

• Connect to Edgecore.
• Enter Username and Password.
• It will prompt you for second factor(if enabled from miniorange admin panel), Enter your 2FA code and you should be connected to Edgecore.

Further References

• Multi-Factor authentication
• Adaptive Multi-Factor authentication