Chat now with support
Chat with Support

Defender 6.3.1 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

New Object - Defender Policy Wizard reference

 

Table 9:

New Object - Defender Policy Wizard reference

Wizard step

Options

Enter a name and description for this Policy

Provides the following text boxes:

  • Name  Type a name for the Defender Security Policy being created.
  • Description  Type a description for the Defender Security Policy being created.

Select an authentication method

Provides the following elements:

  • Method  Select a primary authentication method for the Defender Security Policy. An authentication method determines the passcode that the user must enter when attempting to authenticate. You can select one of the following authentication methods:
  • Token  The user must use a token response to authenticate.
  • Defender password  The user must enter a valid Defender password to authenticate.
  • Active Directory password  The user must enter a valid Active Directory password to authenticate.
  • Token with Defender password  The user must enter a token response followed by a valid Defender password to authenticate.
  • Defender password with token  The user must enter a valid Defender password followed by a token response to authenticate.
  • Token with Active Directory password  The user must enter a token response followed by a valid Active Directory password to authenticate.
  • Active Directory password with token  The user must enter a valid Active Directory password followed by a token response to authenticate.
  • Active Directory password (rollout mode)  The user can authenticate with the Active Directory password until a security token is assigned or registered to the user’s Active Directory account. After a security token has been assigned or registered for the user, the user must submit the token response to authenticate. For more information, see Defender Rollout Mode
  • GrIDsure token (auto-enrollment mode)  The user must authenticate by using a GrIDsure Personal Identification Pattern (PIP). During the first authentication, the user is prompted to configure a GrIDsure PIP to be used for subsequent authentications.
  • Logon Attempts  Enter the number of times that the user can attempt to log on. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented.
  • Use Synchronous tokens as event tokens  Enables the use of the same DIGIPASS GO token response for logon to more that one system without generating a new response, provided that the logon process takes less than 36 seconds which is the validity period for a DIGIPASS GO token response.

Select the second authentication method

Specify parameters for the additional authentication method you want the user to use. If you want to disable the additional authentication method, from the Method list, select None.

Other options in the Method list are identical to those available in the Select an authentication method step of the wizard.

Enter account lockout policy details

Provides the following options:

  • Enable Account Lockout  When this check box is selected, it causes the user’s Defender account to be locked out if the user has exceeded the number of violations (failed logon attempts) specified n the Lockout after n violations option.
  • If you select the Lockout Windows account after indicated violations check box, this causes the user’s Windows account to be locked out after the specified number of failed logon attempts has been exceeded by the user. This option requires the Windows account lockout option to be enabled in Domain Security Policy or Domain Controller Security Policy.
  • Locked accounts must be unlocked by an administrator  Specifies that locked accounts can only be unlocked by an administrator. Use the Lockout duration option to set the lockout duration in minutes. The lockout duration period is counted from the moment of most recent logon attempt. That is, if the user attempts to logon while the account is still locked, the lockout duration is recalculated from the moment of that last attempt. If you set the Lockout duration value to 0, the locked user accounts can only be unlocked by an administrator.
  • Automatically reset account after successful login  Resets the count of unsuccessful logon attempts to 0 after the user successfully logs on.

Enter Defender Password and PIN expiry details

Provides the following options:

  • Enable Defender Password Expiry  When this check box is selected, it causes the Defender password to expire after the number of days specified in the Expire after option.
  • Enable PIN Expiry  When this check box is selected, it causes the token PIN to expire after the number of days specified in the Expire after option. This check box is only available if the token selected for authentication has a PIN.

Defender Rollout Mode

This section explains how to configure the rollout option in the following two scenarios:

  • Organizations where limited administration is required: In this scenario, users are switched to token authentication as soon as a token is registered with their user account. No administration is required.
  • Organizations with less Defender users, or where token self-registration is not in use: In this scenario, when a token is registered to the user account, administrative action is required to move users to the correct Active Directory group.

In both the scenarios the following security policies are required:

  • Token
  • Active Directory password (rollout mode)

Automatically Switching to Token Authentication

  1. Configure an access node for your access device (NAS), as a Radius Agent, allowing access for domain users using the Token policy.
  2. Configure a second access node, as a Radius Agent on a different port, using the IP address of the Defender Security Server and allowing access for domain users with the Active Directory password (rollout mode) policy applied.
  3. Configure a third access node as a Radius Proxy, using the IP address of the Defender Security Server on the same port and Shared Secret as configured in step 2.
    NOTE: Do not assign any members or a security policy.
  4. This configuration ensures that:
    • Users with tokens can authenticate using the first access node
    • Users without tokens is redirected to the second access node and authenticated using their Active Directory password.

    Once a user has been assigned a token or has used Defender Self-Registration to register a token, the user is not redirected and can authenticate using the first access node (Token policy).

Manually switching to token authentication

  1. Create two Active Directory security groups. One group with users who are token authenticated, for example, Defender Auth, and the other group with users who require Active Directory password, for example, Defender AD Password.
  2. Assign the Token policy to the Defender Auth group.
  3. Assign the Active Directory password policy to the Defender AD Password group.
  4. Configure an access node for your access device (NAS), adding both AD groups to the members tab without assigning any policy on the access node.

    Users in the Defender Auth security group authenticate with tokens and users in the Defender AD Password group authenticate with Active Directory Passwords.

    When the users of Defender AD Password group are assigned a token, the administrator has to move users to the Defender Auth group and ensure they are removed from the Defender AD Password group.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating