[HOWTO] Set up Centrify Client for Linux to use Offline Passcode for login

Privileged Access Service

30 March,21 at 04:45 PM

Introduction:

Starting with the 21.2 Centrify Cloud Suite release, Centrify Client supports offline login. Offline login is an availability control used when the system cannot communicate with the realm that it has joined ("enrolled" in Centrify terminology). This may be due to service unavailability, connectivity issues, etc. Without offline login, the result is that the end user is unable to access the system.

The offline login feature is available in cclient for both Windows and Linux, but this article focuses only on offline login using cclient on Linux.


Requirements:

1. The tenant version needs to be 21.2 or higher.
2. The Centrify Client for Linux (CentrifyCC) version needs to be 21.2 or higher.


Steps to set up offline login:

1. Download and install the Centrify Client for Linux on the Linux system. There are a couple of ways this can be done.
 
a. Download the Centrify Client for Linux from the Downloads section in the tenant, under Centrify Clients for Linux. As noted above, the tenant version needs to be 21.2 or higher.



Use the native package manager to install the CentrifyCC client. For example, on a CentOS or RHEL based system, an rpm command similar to the one below could be used:

rpm -Uvh CentrifyCC-<OS>.<arch>.rpm



or

b. Configure the Centrify yum repo and use the command "yum install CentrifyCC" to install the CentrifyCC client.



For more information on using the yum repo from Centrify, please see the documentation below:
https://docs.centrify.com/Content/Infrastructure/clients/client-yum-apt.htm

2. Once the client is installed, verify that the version is at least 21.2 by running the command cinfo -v



3. Enroll the machine in the tenant using the cenroll command.


For more information on the cenroll command and the different options that can be used, please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/enroll/svr-mgr-computer-cenroll.htm


4. Run the cinfo command to verify that the machine is enrolled.



5. In the tenant, browse to the newly enrolled system under Resources -> Systems.



6. Go to the Permissions section and click on the Add button. 



7. Search for a user, group or role that you want to be able to access the system, select that user, group, or role, and then click the Add button.



8. Give the user, group, or role the Agent Auth and Offline Rescue rights by checking the checkboxes for those rights. Verify the user, group, or role also has the View right. Click the Save button.
Note: You must have the Offline Rescue permission set on a system in order to retrieve the offline passcode.



9. Go back to the Linux system where the Centrify Client for Linux was installed. Attempt a login with the user to verify the login works while the system is in a connected state.



10. Enter the Password and click Sign In to successfully access the system.
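
The 21.2 minimum from the Requirements section (checked in step 2 with cinfo -v) is easy to get wrong in a script, because a text comparison ranks 21.10 below 21.2. The shell functions below are an added example, not Centrify code; they assume the client version is the first dotted number in the captured cinfo -v output, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example (not Centrify code): gate on the 21.2 minimum client version.
MIN_VERSION="21.2"

# Print the first dotted numeric token (21.2, 21.10.145, ...) found on stdin.
# Assumption: in `cinfo -v` output the client version is the first such token.
extract_version() {
    grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Return 0 if version $1 >= version $2, 1 if lower, 2 if either is malformed.
# Components are compared as integers, so 21.10 is newer than 21.2.
version_ge() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    done
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}      # a missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Classify one captured version banner: prints "OK <ver>", "TOO_OLD <ver>" or "UNKNOWN".
offline_login_supported() {
    found=$(printf '%s\n' "$1" | extract_version)
    if [ -z "$found" ]; then echo "UNKNOWN"; return 2; fi
    if version_ge "$found" "$MIN_VERSION"; then
        echo "OK $found"
    else
        echo "TOO_OLD $found"; return 1
    fi
}

# Constructed sample banners (not real cinfo output).
# On a host: offline_login_supported "$(cinfo -v)"
for banner in "client 21.10.145" "client 21.2" "client 20.6" "no version here"; do
    printf '%-18s -> %s\n' "$banner" "$(offline_login_supported "$banner")"
done
```

A host that reports TOO_OLD or UNKNOWN should be upgraded or checked by hand before relying on the offline passcode as its fallback access path.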




Test the offline login:

In this instance, the network cable was unplugged from the Linux system to simulate loss of network connectivity so that the offline passcode could be tested. For Centrify Client for Linux, the offline passcode from the Admin Portal is the only available option right now. Linux support for mobile offline passcodes will be in an upcoming release.


1. To see the offline passcode, users need to be able to log in to the tenant with enough rights to see the Resources -> Systems section of the tenant, and must have the View permission for the machine set up with the offline passcode as mentioned above. The Privilege Access Service User right assigned to a role that the user is a member of should be sufficient.
 
a. In this environment, the user has been assigned to the Privilege Access Service User Role.



b. In the Administrative Rights section of that role, the Privilege Access Service User Right has been assigned.




2. Log in to an offline system with a passcode from the Admin Portal. Enter the username on the system's login screen. Click Next.



3. Enter the password in the password prompt. Click Sign In.



4. The system will prompt for the OTP (one time passcode).



5. Log in to the Admin Portal with the same user account, navigate to Resources -> Systems and check the box next to the system name.



6. From the Actions dropdown menu, click Show Offline Passcode.


7. A screen displays the offline passcode.



8. Enter the offline passcode in the OTP screen on the system and click Sign In to gain access to the system.



For more information on offline login for Centrify Clients, please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/clients/cclient-offline-passcode.htm