Foxpass helps users self-service their SSH key management and provides easy access services for servers. Additionally, Foxpass provides extra features like temporary access and pattern based host matching.

How to Configure Host Access Through Foxpass

Integrate Foxpass with your hosts

Run the Foxpass setup script on your current hosts. Then, see the 'Linux Configuration' section on the left-hand side for further instructions.
Add the script into your startup script or a configuration management tool like Chef or Puppet. That way, whenever you spin up a new instance, it will already be configured with Foxpass.

Generate & upload your SSH key

Follow the instructions on 'Adding your SSH key to Foxpass' to generate and upload an SSH key from your computer to Foxpass. You can upload an existing public key if you have one already.
Make sure your user type is set as 'Engineering' or else the SSH key management feature will not be available.

At this point, you should be able to log into any configured host using the SSH key you uploaded to Foxpass.

3. Next Steps: Extra options for more advanced users.

Set automatic SSH Key expiration. Go to the 'Config' page and go to the 'SSH Key expiration' panel to set an expiry. Users will automatically receive an email when their SSH key is about to expire with a prompt to upload a new one.
Add a 'foxpass-sudo' group. If you'd like to run 'sudo' commands on the host without having to re-enter your password, create a group named 'foxpass-sudo' here. Add yourself or any other users who need easy Sudo access to the host as needed.
Manage your organization. Admins can also manually manage other users' SSH keys from the 'Users' page under the 'More Actions' dropdown. Admins can upload, enable, disable, or 1-click disable all SSH keys for a particular engineering user.
Enable host groups for temporary access controls. Host groups allow you to grant users or groups temporary or permanent access to your infrastructure. They're a great way to enforce the Principal of Least Privilege across your organization.
Integrate with API to automate access. Check out the API endpoints on the left-hand panel.

Set Up a VPN

Foxpass can integrate with your VPN service as an authentication mechanism. We also supply a free VPN you can run that integrates directly with Foxpass.

How to integrate your VPN with Foxpass

Set up your VPN

Run a Foxpass VPN. Foxpass offers a free VPN that integrates with us automatically. Check out the AMI here or read more documentation or build it yourself by checking out the GitHub here.
Integrate Foxpass with your existing VPN. Find your VPN on the left-hand panel under 'LDAP clients' and follow the instructions.

Integrate your client with the VPN.

See the 'VPN client setup' section on the left-hand panel for instructions on integrating the Foxpass VPN with a Mac or Windows machine.

Test your settings

Try logging into your VPN with your Foxpass password. If you haven't set your Foxpass password, go here to do so.

Next Steps. Extra options for more advanced usage.

Integrate with an identity provider. Go to the 'Authentication Settings' page to enable delegated authentication. That way, users can use their regular password in the VPN. To learn more read Integrate with an Identity Provider.
Enable Duo for 2FA. Read the Foxpass VPN docs for information on how to enable 2FA with Duo. Users will be prompted to approve logins from their Duo app whenever they log into the VPN.

Set Up Wi-Fi® Authentication

Foxpass provides a RADIUS endpoint to allow user based logins to your Wi-Fi. This enhances security and visibility within your network.

How to Configure RADIUS

Register your network on Foxpass

Create a RADIUS client on the 'RADIUS Clients' page. Then, copy the Foxpass RADIUS IP addresses and the "secret" created for that RADIUS client entry.

Set up your access point

Follow the instructions for your access point from the 'Access Point Setup' section in the left-hand panel. If you don't see your access point listed, contact us to help you get set up.

Configure your end client

Configure your clients according to the instructions listed in the 'RADIUS Clients' section in the left-hand panel.

Test your connection

Try logging into your Wi-Fi® with your Foxpass password. If you're having trouble, check the 'RADIUS logs' page to see more detail about login attempts.

Next Steps. Extra options for more advanced usage.

Enable a VLAN. You may want to enable extra radius attributes or configure VLAN assignment. Read how to do that from these pages: Enabling RADIUS Attributes & Enabling VLAN via RADIUS Attributes.

Integrate with an Identity Provider

Foxpass integrates with your identity provider to spread SSO across your entire infrastructure. We also set up ongoing syncs with your identity provider, sfao any changes to your directory are instantly reflected in Foxpass. No more cumbersome steps. If you'd like users to maintain one password across the web, Wi-Fi®, VPN, machines, etc., follow these steps to help set it up.

How to integrate with your Identity Provider

Set up sync for users & groups

Go to the 'Directory Sync' page and find your primary identity provider. Enable sync as needed.
You can sync only users or groups or sync them both at the same time. Sync runs every 10-20 minutes on average.
User sync will automatically add new users into Foxpass or update any further information for them. Any users disabled or removed in your identity provider will be disabled in Foxpass.
Group sync will create and manage group memberships in Foxpass according to group membership in your identity provider.
You can check the status of your sync from the page after adding credentials.
If you don't see your identity provider listed, contact us to add it as a source.

Set up delegated authentication

Delegated authentication allows users to maintain one password across their main identity provider and Foxpass. Select your identity provider in the 'Password authentication delegation' panel on the 'Authentication Settings' page.
Subsequent LDAP and RADIUS requests check your identity provider's password instead of the one in Foxpass. Check the LDAP or RADIUS logs to see if the login attempts are succeeding.
Note: Foxpass cannot always integrate with your identity provider if 2FA is turned on for their logins. If you'd like to keep 2FA on but still have users use one password across both services, read below for instructions on enabling Password Sync.

Next Steps. Extra options for more advanced usage.

Enable password sync. Password sync will push changes to a user's Foxpass password back to an identity provider. This allows users to keep one password and also keep 2FA enabled for their main identity provider. Check the bottom panel on the 'Authentication Settings' page to enable password sync. If you don't see the panel, contact us to add support for your identity provider.

Integrate with Foxpass's API

Foxpass provides an API to get logs, test authentication, manage permissions, and more. The API section on the panel on the right provides a comprehensive list of endpoints.

How to integrate with the Foxpass API

Create an API key

Create an API key here. API keys can be set to "Read-Only," which means they can only get data but not modify any settings or information.

Learn About the Endpoints & Capabilities

The API can help you automate access by adding or removing users to groups. You can also automate the downloading and analysis of logs. Check out the API Reference section under the dropdown above.
Some ideas:

A script that checks PagerDuty to see who is on call and adds them to the sudo group
A script that pulls the logs and checks for suspicious activity, removing user access as needed
A plugin that gives a user host group access when their JIRA ticket is approved

Quick Navigation;