Defender 5.9.3 - Administration Guide

SMS Token tab

This tab allows you to configure settings for sending SMS messages containing one-time passwords to users’ SMS-capable devices. On this tab, you can use the following options:

  • Enable SMS token  Enables the SMS token for the users to whom this Defender Security Policy applies.
  • Send SMS to user as required  Enables Defender to send an SMS message containing new one-time passwords when the user is about to use up the one-time passwords delivered in the previous SMS message.
  • Only send SMS when user enters keyword  Causes the Defender Security Server to send an SMS message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
  • Responses per SMS  Allows you to specify the number of one-time passwords you want to include in each SMS message to be sent to the user. You can specify a value from 1 to 10.
  • Keyword  Specify the keyword that will trigger the sending of an SMS message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the SMS token has a PIN assigned, you can specify that PIN as the trigger keyword as well.

    You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the SMS message.

    If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.

  • Phone attribute  Select the Active Directory attribute that stores the user’s mobile phone number to which you want to send SMS messages containing one-time passwords.
  • Mobile provider URL  Type the URL of the mobile service provider through which you want to send SMS messages containing one-time passwords.
  • [USERID]  Type the user name of the account under which you want to access the mobile service provider’s Web site.
  • [PASSWORD]  Type the password that matches the user name in the [USERID] text box.
  • POST Data  Click this button to enter the information you want to send to the mobile service provider at the URL specified on this tab. The default POST data provided in this option is only applicable to the 2sms mobile service provider. Contact your mobile service provider for more information about the syntax you need to use in this option.
  • Test  Click to test the settings specified on this tab.

E-mail Token tab

This tab allows you to configure settings for sending e-mail messages containing one-time passwords to the users. On this tab, you can use the following options:

  • Enable e-mail token  Enables the e-mail token for the users to whom this Defender Security Policy applies.
  • Send e-mail to user as required  Enables Defender to send an e-mail message containing new one-time passwords when the user is about to use up the one-time passwords delivered in the previous e-mail message.
  • Only send e-mail when user enters keyword  Causes the Defender Security Server to send an e-mail message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
  • Responses per e-mail  Specify the number of one-time passwords you want to include in each e-mail message. The one-time passwords must be used sequentially. The penultimate or last one-time password triggers the sending of a new e-mail containing one-time passwords.
  • Keyword  Specify the keyword that will trigger the sending of an e-mail message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the e-mail token has a PIN assigned, you can specify that PIN as the trigger keyword as well.

    You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the e-mail message.

    If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.

  • E-mail attribute  Select the Active Directory attribute that stores the user’s e-mail address to which you want to send e-mail messages containing one-time passwords.
  • Subject  Type the subject line you want to display in the Subject field of the e-mail messages containing one-time passwords.
  • From address  Type the e-mail address you want to appear in the From field of the e-mail messages containing one-time passwords.
  • Send copy to  Type the e-mail address to which you want to send copies of the e-mail messages containing one-time passwords.
  • Mail Content  Click this button to view and edit the text that will be included in the body of each e-mail message containing one-time passwords. The [RESPONSES] variable indicates the position in the text at which the one-time passwords appear. If the [RESPONSES] variable is missing, the one-time passwords appear at the foot of the text.
  • Mail Server  Click this button to specify the SMTP server you want to use for sending e-mail messages containing one-time passwords. In the dialog box that opens, use the following options:
    • Name  Type the name or IP address of the SMTP server.
    • Port  Type the port number used by the SMTP server. The default port is 25.
    • Authentication  Select the authentication method required by the SMTP server, and then type the user name and password of the access account you want to use.
  • Test  Click to test the settings on this tab by sending a test e-mail message to the address you specify.
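The SMS Token and E-mail Token tabs above both describe the same delivery model: a message carries between 1 and 10 one-time passwords, the passwords are used in sequence, and a new message is sent either automatically when the penultimate (or last) password of a batch is used, or only when the user enters the trigger keyword. The following is an added illustration of that model, not Defender's own code or API. It assumes (the guide does not say) that a password is valid once and only in order, that responses are six digits, and that the delivery channel (SMS gateway POST or SMTP) is a pluggable callback so the model runs offline.

```python
"""Illustrative model of a batch-delivered one-time-password token (the
behaviour configured on the SMS Token and E-mail Token tabs).
Added example, not Defender's code. Assumptions: six-digit responses,
single-use, in-order consumption, pluggable delivery callback."""
import hmac
import secrets


class BatchOtpToken:
    def __init__(self, responses_per_message, send_as_required=True,
                 keyword=None, deliver=print):
        # "Responses per SMS/e-mail" is limited to 1..10 on the tab.
        if not 1 <= responses_per_message <= 10:
            raise ValueError("Responses per message must be between 1 and 10")
        self.n = responses_per_message
        self.send_as_required = send_as_required   # "Send ... to user as required"
        self.keyword = keyword                     # "Only send ... when user enters keyword"
        self.deliver = deliver                     # SMS gateway or SMTP in real life
        self.pending = []                          # unused responses, oldest first
        self.messages_sent = 0

    def _send_batch(self):
        # Responses come from the OS CSPRNG; format is an assumption.
        batch = [f"{secrets.randbelow(10**6):06d}" for _ in range(self.n)]
        self.pending.extend(batch)
        self.deliver(batch)
        self.messages_sent += 1

    def request_batch(self):
        """Initial provisioning, or what the tab's Test button would do."""
        self._send_batch()

    @staticmethod
    def _equal(a, b):
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

    def authenticate(self, entered):
        """Return 'sent' (keyword consumed, nothing authenticated),
        'accepted' (response valid, consumed) or 'rejected'."""
        if self.keyword is not None and self._equal(entered, self.keyword):
            self._send_batch()
            return "sent"
        # Only the oldest unused response is acceptable: a replayed, skipped
        # or unknown value is rejected without saying which case applied.
        if not self.pending or not self._equal(entered, self.pending[0]):
            return "rejected"
        self.pending.pop(0)
        # "Send as required": using the penultimate response (or the last,
        # when the batch held a single response) triggers the next message,
        # so the user is never left without a usable response.
        if self.send_as_required and len(self.pending) <= 1:
            self._send_batch()
        return "accepted"


if __name__ == "__main__":
    outbox = []
    token = BatchOtpToken(3, deliver=outbox.append)
    token.request_batch()
    first, second, third = outbox[0]
    print(token.authenticate(second))   # rejected: out of order
    print(token.authenticate(first))    # accepted
    print(token.authenticate(second))   # accepted, and outbox now holds 2 messages
    print(len(outbox))
```

Two points the model makes visible: the keyword is checked before the response, so a keyword must never be something a user might legitimately type as a response (the Use AD Password option above is the extreme case, where every wrong keyword is also a failed Active Directory logon); and because the next message is triggered by consuming the penultimate response, the user normally holds one response from the old batch plus a full new batch, which is why replay and ordering have to be enforced across batches, not per message.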

GrIDsure Token tab

This tab allows you to enable the use of GrIDsure Personal Identification Pattern (PIP) for authentication via Defender. On this tab, you can use the following options:

  • Enable GrIDsure token  Enables the use of GrIDsure PIP for authentication via Defender.
  • Pattern length between  Allows you to set the minimum and maximum length for the GrIDsure PIP.
  • Block consecutive patterns (horizontal, vertical, and diagonal)  Prevents the use of simple GrIDsure PIPs.
  • Expire pattern after  Causes the GrIDsure PIP to expire after the specified number of days. Use the drop-down list to set the number of days after which you want the GrIDsure PIP to expire.
  • Use numbers in grid  Enables the use of numbers in the GrIDsure PIP.
  • Use letters in grid  Enables the use of letters in the GrIDsure PIP.
  • Grid Style  Click to configure the size of the PIP grid and the colors used in the grid.

Default Defender Security Policy

If a user is a member of an Access Node and no Defender Security Policy is applied to the user explicitly or implicitly, then a default Defender Security Policy is effective for the user.

The default Defender Security Policy is configured as follows:

  • Primary authentication method is security token.
  • The user’s violation count is incremented by one after every 3 unsuccessful authentication attempts.
  • The user’s account is locked when the violation count reaches 4. The lockout duration is 3 minutes.
  • Violation count is reset each time the user successfully authenticates.
  • The user can log on 24 hours a day, 7 days a week.
  • SMS token, e-mail token, and GrIDsure token are disabled for the user.
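The counters in the default policy above are worth modelling, because together they set the budget an online guessing attacker gets before and between lockouts. The following is an added illustration, not Defender's code: it encodes the listed defaults (a violation every 3 unsuccessful attempts, lockout at a violation count of 4, a 3-minute lockout, reset on success). The guide does not say whether the violation count is also cleared when a lockout expires, so that is a switch here and both readings are shown; it is likewise assumed that attempts made while locked are refused without being counted.

```python
"""Model of the default Defender Security Policy's violation and lockout
counters. Added illustration, not Defender's code. Assumptions: attempts
made while locked are refused and not counted; whether the count clears
when the lockout expires is unspecified, so it is a parameter."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserState:
    failures: int = 0                 # failures since the last violation increment
    violations: int = 0
    locked_until: Optional[float] = None


class DefaultPolicy:
    def __init__(self, failures_per_violation=3, lockout_violations=4,
                 lockout_seconds=3 * 60, clear_on_expiry=False):
        self.failures_per_violation = failures_per_violation
        self.lockout_violations = lockout_violations
        self.lockout_seconds = lockout_seconds
        self.clear_on_expiry = clear_on_expiry   # assumption, see lead-in

    def attempt(self, st, ok, now):
        """Evaluate one authentication attempt at time `now` (seconds).
        Returns 'locked', 'accepted', 'rejected' or 'rejected+locked'."""
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"                  # refused, not evaluated
            st.locked_until = None               # lockout has expired
            if self.clear_on_expiry:
                st.failures = st.violations = 0
        if ok:
            st.failures = st.violations = 0      # documented: reset on success
            return "accepted"
        st.failures += 1
        if st.failures >= self.failures_per_violation:
            st.failures = 0
            st.violations += 1
            if st.violations >= self.lockout_violations:
                st.locked_until = now + self.lockout_seconds
                return "rejected+locked"
        return "rejected"


def guesses_until_first_lockout(policy):
    """Consecutive wrong responses a fresh account absorbs before locking."""
    st, n = UserState(), 0
    while True:
        n += 1
        if policy.attempt(st, False, float(n)) == "rejected+locked":
            return n


def guesses_evaluated(policy, seconds=3600):
    """Guesses actually checked when an attacker submits one per second."""
    st, n = UserState(), 0
    for now in range(seconds):
        if policy.attempt(st, False, float(now)) != "locked":
            n += 1
    return n


if __name__ == "__main__":
    print(guesses_until_first_lockout(DefaultPolicy()))               # 12
    print(guesses_evaluated(DefaultPolicy(clear_on_expiry=False)))    # 69
    print(guesses_evaluated(DefaultPolicy(clear_on_expiry=True)))     # 228
```

With the defaults a fresh account accepts 12 consecutive wrong responses before the first lockout (4 violations of 3 failures each). Under the model's two readings, an attacker submitting one guess per second gets 69 or 228 guesses evaluated per hour; either figure is tiny against even a six-digit response space, but the same 12 failures are also enough for anyone who can reach the authentication endpoint to lock a chosen user out for 3 minutes, so the lockout threshold is a denial-of-service lever as well as a brute-force control.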