Swift Alliance Access
The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of RCDevs Security.
WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners. No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to [email protected].
Limited Warranty - Copyright (c) 2010-2023 RCDevs Security SA. All Rights Reserved. www.rcdevs.com
Swift Alliance Access: Radius
1. Overview
In this documentation, we demonstrate how to integrate OpenOTP with Swift Alliance Access 7.2 (AA). AA can be integrated with OpenOTP over either the LDAP or the Radius protocol; here, we demonstrate the Radius integration. This guide was written with the help of the official Swift Alliance Access 7.2 Administrator Guide. We use the RADIUS one-time password authentication method of AA, not the embedded two-factor authentication module implemented in AA. WebADM and OpenOTP server(s) must already be configured with Radius Bridge component(s).
First, we configure the Radius servers at the AA level. Log in to the AA web management page with the LSO (Left Security Officer) account and configure a new authentication server group.
Once you are under Radius Authentication Servers Group, you can enter the information required to communicate with Radius Bridge.
Configure the Primary Server in the Future configuration section.
Port Number: the port on which the Radius Bridge service listens.
Once this configuration is done, click the Save button. If you have a WebADM/OpenOTP cluster, configure the secondary server the same way. These changes must be approved by the RSO (Right Security Officer) account. Once the RSO has approved the new configuration, the Radius server configuration on Alliance Access is complete.
Important note from Swift
The usage of one-time passwords is set per operator. To activate the use of one-time passwords, in the Operator Details for each security officer, the Authentication Type must be set to RADIUS one-time password and the Authentication Server Group must be selected. Each change must be approved by the RSO and LSO accounts.
To allow Swift Alliance Access to communicate over the Radius protocol, the AA Radius client must be declared in the Radius Bridge configuration. To configure the client, edit the /otp/radiusd/conf/clients.conf file. At the end of this file you will find the client definitions.
client Swift_AA {
    ipaddr = 192.168.3.56
    secret = Left_key_1234567Right_key_123456
}
Left_key_1234567Right_key_123456 is the concatenation of the left and right keys defined in the Alliance Access configuration.
Once the Swift Alliance Access client is configured in the clients.conf file, restart the Radius Bridge service:
These changes must be made on each Radius Bridge if you are working with a WebADM/OpenOTP cluster.
To map the User IP information in the WebADM WebSrv logs, configure the Swift attribute that contains the User IP in the Radius Bridge configuration, in the source_attribute setting.
We will now configure a client policy for Swift authentications. Log in to the WebADM Administrator GUI > Admin tab > Client Policies > Add Client.
Name the client policy object that will be created (Swift in this example) and optionally add a description.
You are now in the Swift client policy configuration menu. The first setting to configure is Client Name Aliases, where you enter the AA IP that will contact OpenOTP (192.168.3.56 in this example).
The next step is to configure the authentication policy to require MFA on Swift AA. Edit the Forced Application Policies under the client policy menu: activate Application Settings and then click Edit.
Now set Login Mode: LDAPOTP, OTP Type: TOKEN, Challenge Mode Supported: No and Challenge Password Retry: No. Finally, click Apply.
You should see a result like the one below:
Click the Apply button to save your changes.
Important Note
OpenOTP.ChallengeMode=No is mandatory with Swift AA because Swift did not implement the Radius challenge in their product. So even with Radius, the AA login page has only two fields, one for the username and the other for the password. In the password field, you must enter the LDAP password and the OTP concatenated.
Your client policy for Swift is now configured. You can test a login on AA with OpenOTP.
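As an added example (not from the RCDevs guide), this Python code builds and decodes the RADIUS Access-Request that the concatenated mode produces: the shared secret is the left key plus the right key from clients.conf, and the single User-Password attribute carries the LDAP password followed by the OTP, hidden with the RFC 2865 MD5 scheme. The keys, IP and credentials are constructed to match the page's clients.conf; nothing is sent on the network.

```python
import hashlib, os, struct

# Added example, not from the RCDevs guide. Keys, IP and credentials are constructed
# to match the clients.conf shown above; the secret is left key + right key.
LEFT_KEY = "Left_key_1234567"
RIGHT_KEY = "Right_key_123456"
SHARED_SECRET = (LEFT_KEY + RIGHT_KEY).encode()
AA_IP = "192.168.3.56"
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 1, 2, 4

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, i.e. what Radius Bridge does on receipt."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # type, length, value

def build_access_request(username, ldap_password, otp, identifier=0, authenticator=None):
    """AA has no challenge round, so LDAP password and OTP travel concatenated in a
    single User-Password attribute (this is why ChallengeMode must be No)."""
    authenticator = authenticator or os.urandom(16)
    password = (ldap_password + otp).encode()
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, SHARED_SECRET, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in AA_IP.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet):
    """Return {type: value} for the attributes following the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs
```

Radius Bridge recovers the combined password with the same secret and then splits off the OTP by the configured OTPLength before verifying each factor.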
If your Swift users already have an account in your directory, it is possible to map the LDAP account to the Swift local account at the LDAP level. This mapping is done by adding the Swift login name value to an LDAP attribute. This attribute must be configured in the uid_attrs setting of the /opt/webadm/conf/webadm.conf file. By default with the Active Directory template, the following attributes are available.
If one of these attributes is not used, you can use it to hold the Swift username. If the default attributes are already used in your organization, you can use another one, for example uid; in that case, add the uid attribute to the uid_attrs setting in webadm.conf as shown below:
When you perform a login from Swift with your Swift account, the Swift username is sent to WebADM/OpenOTP and matched against the corresponding LDAP account.
6. Authentication Logs
After performing an authentication on Swift Alliance Access, you can check the logs on the WebADM side. Under WebADM Admin GUI > Databases > WebADM Server Log Files you should see something like this:
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] New openotpSimpleLogin SOAP request
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] > Username: Administrateur
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] > Password: xxxxxxxxxxxxxx
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] > Options: RADIUS,-U2F
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Enforcing client policy: Swift (matched server IP)
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Registered openotpSimpleLogin request
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Resolved LDAP user: CN=Administrateur,CN=Users,DC=yorcdevs,DC=com
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Resolved LDAP groups: master,propriétaires créateurs de la stratégie de groupe,admins du domaine,administrateurs de l’entreprise,administrateurs du schéma,utilisateurs du bureau à distance,administrateurs,groupe de réplication dont le mot de passe rodc est refusé
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Started transaction lock for user
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Found user fullname: administrateur
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Found user language: EN
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Found 1 user mobiles: xxxxxxxxxxx
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Found 1 user emails: [email protected]
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Found 1 user certificates
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Found 43 user settings:
LoginMode=LDAPOTP,ExpireNotify=MAIL,OTPType=TOKEN,OTPLength=6,ChallengeMode=No,ChallengeTimeout=9
1:HOTP-SHA1-6:QN06-
T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOT
Under Databases > WebSrv Logs you should see something like this:
As you can see, only the host IP, which is the Swift AA IP, appears in the audit logs. To map the User IP information, refer to chapter 3.2.
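As an added example (not part of the RCDevs guide), the following Python audit parses WebADM server log lines in the format shown above and checks, per OpenOTP request ID, that the Swift client policy was enforced, that the request arrived over RADIUS, and that the settings this guide requires (LoginMode=LDAPOTP, OTPType=TOKEN, ChallengeMode=No) were applied. The sample lines are constructed: 4IT5D3I6 mirrors the page's request and CONSTRX1 is a constructed misconfiguration.

```python
import re
from collections import defaultdict

# Added example, not from the RCDevs guide: audits WebADM server log lines in the
# format shown above. Sample lines are constructed; CONSTRX1 has ChallengeMode=Yes.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^\]]+)\] \[OpenOTP:(?P<req>\w+)\] (?P<msg>.*)$")
SAMPLE_LOG = """\
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] > Username: Administrateur
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] > Options: RADIUS,-U2F
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Enforcing client policy: Swift (matched server IP)
[2018-12-11 17:43:07] [192.168.3.54] [OpenOTP:4IT5D3I6] Found 43 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=No
[2018-12-11 17:50:12] [192.168.3.54] [OpenOTP:CONSTRX1] > Username: operator2
[2018-12-11 17:50:12] [192.168.3.54] [OpenOTP:CONSTRX1] > Options: RADIUS,-U2F
[2018-12-11 17:50:12] [192.168.3.54] [OpenOTP:CONSTRX1] Found 43 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes
"""
# Settings every Swift AA login must show, per the client policy configured above.
REQUIRED = {"LoginMode": "LDAPOTP", "OTPType": "TOKEN", "ChallengeMode": "No"}

def parse(log_text):
    """Group messages by OpenOTP request ID; lines not in the format are skipped."""
    requests = defaultdict(lambda: {"host": None, "messages": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            requests[m["req"]]["host"] = m["host"]
            requests[m["req"]]["messages"].append(m["msg"])
    return requests

def settings_of(messages):
    """Turn the 'Found N user settings: k=v,...' message into a dict."""
    for msg in messages:
        if "user settings:" in msg:
            raw = msg.split("user settings:", 1)[1]
            return dict(kv.strip().split("=", 1) for kv in raw.split(",") if "=" in kv)
    return {}

def audit(log_text, policy="Swift"):
    """Return {request_id: [problems]}; an empty list means the login matches this guide."""
    report = {}
    for req_id, req in parse(log_text).items():
        msgs, problems = req["messages"], []
        if not any(m.startswith(f"Enforcing client policy: {policy}") for m in msgs):
            problems.append(f"client policy {policy} not enforced (check Client Name Aliases)")
        if not any(m.startswith("> Options:") and "RADIUS" in m for m in msgs):
            problems.append("request did not arrive via Radius Bridge")
        found = settings_of(msgs)
        for key, want in REQUIRED.items():
            if found.get(key) != want:
                problems.append(f"{key}={found.get(key)} (expected {want})")
        report[req_id] = problems
    return report
```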
This manual was prepared with great care. However, RCDevs Security S.A. and the author cannot assume any legal or other liability for possible errors and their consequences. No
responsibility is taken for the details contained in this manual. Subject to alteration without notice. RCDevs Security S.A. does not enter into any responsibility in this respect. The
hardware and software described in this manual is provided on the basis of a license agreement. This manual is protected by copyright law. RCDevs Security S.A. reserves all rights,
especially for translation into foreign languages. No part of this manual may be reproduced in any way (photocopies, microfilm or other methods) or transformed into machine-readable
language without the prior written permission of RCDevs Security S.A. The latter especially applies for data processing systems. RCDevs Security S.A. also reserves all communication
rights (lectures, radio and television). The hardware and software names mentioned in this manual are most often the registered trademarks of the respective manufacturers and as
such are subject to the statutory regulations. Product and brand names are the property of RCDevs Security. © 2023 RCDevs Security S.A., All Rights Reserved