

Strong Authentication From the User's Point of View

Inform users in the interactive_restricted group that they must authenticate to the CA ControlMinder endpoint to get write permission to files, and to be able to use sesu to switch users. To authenticate themselves, users run the sepromote utility, and enter a one-time password (OTP).

Note: For more information about the sesu and sepromote utilities, see the Utilities chapter of the CA ControlMinder Reference Guide.

How strong authentication works from the user's point of view:

  1. You, a user in the interactive_restricted group, log into the system.

    You receive a message that you are in restricted mode. Users in the interactive_restricted group can read files and execute commands. They cannot modify any files except for a predefined list of non-files that they are authorized to modify. The message reminds you to run the sepromote utility to remove the restriction.

  2. You want to request write access, and run the sepromote utility to authenticate:

    sepromote -u username

    The sepromote utility prompts you for a one-time password.

  3. Run the CA ArcotID OTP desktop client (or the CA ArcotID OTP mobile app). Log on, enter your PIN, and generate a passcode.

    Note: Passcode generation is an offline process. Your OTP client does not need to be connected to CA AuthMinder for generating passcodes.

  4. Enter the passcode at the sepromote prompt.

    CA AuthMinder validates the passcode, and sepromote authenticates you. You now work under regular policy rules.

  5. When you disconnect and start a new session, you must authenticate again.

Note: If authenticated users from a system with a current CA ControlMinder version log in to an older system, they do not retain their strong authentication.