What is a Defender Access Node and how is it defined?
If the Access Node configuration is incorrect you may receive error messages when users attempt to connect using Defender authentication, e.g.:
"Access Denied - No valid route found. Please contact your administrator."
The DSS Log may show the following:
"User not valid for this route"
An Access Node is an IP address or a range of IP addresses from which Defender Authentication requests will be accepted. If an Access Node is misconfigured, authentication requests will not be passed to the Defender Security Server.
To configure an Access Node go into Active Directory Users and Computers, expand the "Defender" container, right-click "Access Nodes" and select New | Defender Access Node.
Give the new Access Node a meaningful name and description, and leave the defaults of "Radius Agent" for Node Type and "SAM Account Name" for User ID.
You then have two options:
1. Add a single IP address or DNS name from which Defender authentication requests will be accepted and passed to the Defender Security Server (DSS). You will also need to specify the port (1812 is the default for Defender 5.5 - 5.6, 1645 is the default in previous versions) and the shared secret. If you specify only one address, subnet mask 255.255.255.255 must be used.
2. Add a network ID (a range of IP addresses) from which Defender authentication requests will be accepted and passed to the Defender Security Server. You do this by specifying the network ID (IP Address or DNS name) e.g. IP Address 192.168.10.0 | Subnet Mask 255.255.255.0 | Port 1812 (default) | shared secret. This will allow all hosts on the 192.168.10.0 subnet to be authenticated by Defender if configured to do so.
Once the Access Node is created you need to assign it to a Defender Security Server, then assign the Members and the Policy controlling access.
For example:
Suppose you are using Desktop Login to secure access to a number of workstations used by Payroll on the 192.168.34.0 network and to the Payroll director's laptop (Fully Qualified Domain Name L112233.Yourdomain.com), which could be connected at various points on the network.
Create an Access Node for the Payroll director's laptop using its DNS name laptop.yourdomain.com so the laptop can log in using Defender Authentication when it is connected to the network on various different subnets.
Create another Access Node called Payroll Computers with a description of Network 192.168.34.0 and use IP address range 192.168.34.0, Subnet Mask 255.255.255.0, which would allow the Payroll workstations to authenticate using Defender.
Please also refer to the Quick Start guide regarding defining Defender components, including Access Nodes.
Access Nodes can be configured for one IP address or a subnet. In the case that you have two IPs from different subnets and want to enforce two-factor authentication, consider creating a separate Access Node for each.
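The route lookup that produces "No valid route found" can be modelled as a match of the RADIUS request's source address against each Access Node's address and subnet mask. The following is an added example written for this article, not One Identity code; it uses the Payroll nodes from the example above, assumes the laptop's DNS name resolves to the constructed address 10.20.30.40, and uses placeholder shared secrets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NO_ROUTE = "Access Denied - No valid route found. Please contact your administrator."


@dataclass(frozen=True)
class AccessNode:
    """One Defender Access Node: a host (mask 255.255.255.255) or a network ID."""
    name: str
    address: str          # IP address, or network ID for a range
    subnet_mask: str      # 255.255.255.255 for a single address
    port: int = 1812      # 1812 default for Defender 5.5 - 5.6, 1645 in earlier versions
    secret: str = ""      # RADIUS shared secret (placeholder in this example)

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network((self.address, self.subnet_mask), strict=False)

    def accepts(self, src_ip: str) -> bool:
        return ipaddress.IPv4Address(src_ip) in self.network()


def find_route(nodes: List[AccessNode], src_ip: str) -> Optional[AccessNode]:
    """Return the first Access Node whose range contains src_ip, or None (no valid route)."""
    for node in nodes:
        if node.accepts(src_ip):
            return node
    return None


def route_result(nodes: List[AccessNode], src_ip: str) -> str:
    """Name of the matching Access Node, or the error message the user would see."""
    node = find_route(nodes, src_ip)
    return node.name if node else NO_ROUTE


def overbroad_single_hosts(nodes: List[AccessNode]) -> List[str]:
    """Configuration check: a node meant for one address but given a wider mask
    accepts requests from every host on that subnet, not just the intended one."""
    return [n.name for n in nodes
            if n.network().num_addresses > 1 and n.address.endswith(".0") is False
            and n.subnet_mask != "255.255.255.255" and not n.name.startswith("Network")]


# Constructed nodes mirroring the worked example in the article.
PAYROLL_NODES = [
    AccessNode("Payroll Computers", "192.168.34.0", "255.255.255.0", secret="<secret>"),
    AccessNode("Director Laptop", "10.20.30.40", "255.255.255.255", secret="<secret>"),
]
```

A workstation on 192.168.35.0 is not covered by either node, which is the two-subnet case above: it needs its own Access Node rather than a widened mask.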
© 2024 One Identity LLC. ALL RIGHTS RESERVED.