Defender 5.9.3 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Integration with Cloud Access Manager Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

OATH-HOTP mode

OATH-HOTP mode

When the YubiKey tokens you have purchased are in the OATH-HOTP mode, to enable their use with Defender you need to import the YubiKey token objects into Active Directory by using the .txt import file (also known as the key file) containing token object definitions. Then, you can assign the imported token objects to users as necessary.

Normally, the .txt import file is provided together with the YubiKey tokens. Before importing token objects, you need to modify the .txt import file so that Defender can read its contents.

To enable the use of YubiKey working in OATH-HOTP mode

  1. Change the file name extension of the .txt import file to .csv.
  2. Open the .csv file in Microsoft Excel. The .csv file looks similar to the following:

The columns in the file contain the following:

  • A  YubiKey serial number.
  • B 160-bit secret set
  • C  Moving factor seed value.
  • D Configuration password. Contains zeros if configuration password is not set.
  1. Delete column D.
  2. Save the .csv file. Now the file is ready for import.

NOTE: Keep the initial .txt file containing the passwords associated with each of the Yubikeys, to program the second slot though the Yubico interface later.
  1. Import token objects from the .csv file into Active Directory. For instructions, see Importing hardware token objects.
  2. Assign the imported YubiKey token objects to users as necessary. For instructions, see Assigning a hardware token object to a user.

Defender Token Programming Wizard reference

Defender Token Programming Wizard reference

 

Table 12:

Defender Token Programming Wizard reference

Wizard step

Your action

Select Token Type

You can select one of the following options:

  • Software token  Allows you to program and assign a software token, such as Defender Soft Token, e-mail token, GrIDsure token, or SMS token.
  • Hardware token  Allows you to program and assign a hardware token, such as DIGIPASS or YubiKey. This option does not support hardware VIP credentials.
  • Symantec VIP credential  Allows you to program and assign a software or hardware VIP credential. This option becomes available after you enable the use of VIP credentials. For details, see Enabling the use of VIP credentials.

Select Software Token

Click to select the software token you want to program and assign to the user.

Activation Settings

Select the Expire token activation code after check box if you want to set a validity time period (in days) for the code with which the user must activate the software token. Then, specify the number of days during which you want the token activation code to remain valid.

The token activation code is generated when you complete this wizard.

Leave the Expire token activation code after text box cleared if you do not want to limit the validity time period of the token activation code.

Activation and Passphrase Settings

In this step, you can select the following check boxes:

  • Expire token activation code after  Select this check box if you want to set a validity time period (in days) for the code with which the user must activate the software token. Then, specify the number of days during which you want the token activation code to remain valid. The token activation code is generated when you complete this wizard.
  • Alert user about failed passphrase attempts  Select this check box to notify the user when the user has entered an incorrect passphrase when unlocking the token. Optionally, you can select the Lock token passphrase after check box to lock the passphrase after the user has expended the specified number of attempts to unlock the token.
  • Token requires a passphrase  Select this check box to enforce the user to configure a passphrase for using with the token. When this check box is cleared, no passphrase is required. If you select this check box, you can optionally select the Passphrase must be strong check box, which requires the user to configure a passphrase that is at least six characters long, includes uppercase and lowercase characters, and numbers or special characters.

Mode, Encryption, and Response

Use the options in this step to specify an operation mode (synchronous or challenge-response), encryption method, and response length for the software token.

Select Password Algorithm

Select the one-time password algorithm you want Google Authenticator to use.

You can select one of the following algorithms:

  • Time based (TOTP)  One-time password remains valid for a particular amount of time. Then, Google Authenticator automatically generates a new one-time password.
  • Counter based (HOTP)  One-time password remains valid until the user manually generates a new one-time password in Google Authenticator.

Note that the algorithm you select in this wizard is only used if the user activates Google Authenticator with a QR code.

If the user activates Google Authenticator by manually typing the activation code, the one-time password algorithm specified by the user in Google Authenticator during activation takes precedence over the option you select in this wizard.

Select Token Location

Specify the Active Directory container in which you want to store the token object.

If you change the default location, ensure that the Defender Security Server service account and the Defender administrator account have sufficient permissions for the new location you specify.

Activation Code Distribution

Specify options for saving the token activation code.

In this step, you can use the following options:

  • One file for all users  Saves token activation codes for all users to a single file.
  • Individual file for each user  Saves token activation code for each user to an individual file.
  • File Location  Specify path to the folder in which you want to create files containing token activation codes.
  • File Name  Specify name for the file in which you want to store token activation codes. If a file with such name does not exist, it will be created.
  • Append activation codes to existing file  If you select this option and the file with the specified name already exists in the specified location, the wizard appends the activation codes to the file without overwriting its contents. If you leave this check box cleared, the existing file’s contents will be overwritten with the new token activation codes.

Action for Existing GrIDsure Tokens

This step shows up if the selected users already have a GrIDsure token assigned. Each user can only have one GrIDsure token assigned.

Select one of the following options:

  • Overwrite existing tokens  Creates new GrIDsure token objects which overwrite the existing GrIDsure token objects assigned to the users. As a result, the users will have to configure their GrIDsure Personal Identification Pattern (PIP) the next time they access a protected resource.
  • Keep using existing tokens  Does not create new GrIDsure token objects for the users who already have GrIDsure tokens assigned.

VIP Credential Activation

Enter the credential ID shown on the VIP credential you want to assign to the user. Make sure you register that credential ID with Symantec.

 

Securing VPN access

Remote access is the ability to get access to a computer or a network from a distant location. Employees in branch offices, telecommuters, and people who are traveling may need access to your company's network. Remote access is achieved using a dedicated line between a computer or a remote local area network and the central or main corporate local area network.

You can use Defender to authenticate your employees, business partners, and customers, whether they are local, remote, or mobile. Whether they require access through VPN to remote access applications, wireless access points, network operating systems, intranets, extranets, Web servers, or applications, Defender’s strong two-factor authentication ensures that only authorized users are granted access.

The Defender remote access environment includes the following components:

  • Remote Access Server  A remote access server is the computer and associated software that is set up to handle users seeking remote access to your company’s network. The remote access server usually includes or is associated with a firewall server to ensure security and a router that can forward the remote access request to another part of the corporate network. A remote access server may also be used as part of a virtual private network (VPN).
  • Virtual Private Network (VPN)  A VPN is an extension of a private network that encompasses links across shared or public networks like the Internet. VPN connections leverage the IP connectivity of the Internet using a combination of tunneling and encryption to securely connect two remote points, such as a remote worker and their office base.
  • Network Access Server (NAS)  The Network Access Server (NAS) acts as a gateway to guard access to a protected resource. This can be anything from a telephone network, to printers, to the Internet. The user connects to the NAS. The NAS then connects to another resource asking whether the user's supplied credentials are valid. Based on that answer the NAS then allows or disallows access to the protected resource. The NAS contains no information about which users can connect or which credentials are valid. The NAS simply sends the credentials supplied by the user to a resource which does know how to process the credentials.
  • Defender EAP Agent  Extensible Authentication Protocol (EAP) is a general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. Defender utilizes the EAP protocol to integrate its two-factor authentication into the existing user authentication process.

In this chapter:

Configuring Defender for remote access

Configuring Defender for remote access

The configuration described in this section is an example only of a basic configuration using a Cisco ASA Server.

We assume that you have installed and configured the Defender Security Server that you will later define as the AAA Server.

To configure remote access, you need to perform the following additional tasks:

  • Create and configure the Access Node that will handle access requests from remote users.
  • Assign the Access Node to the Defender Security Server that will authenticate the remote users.
  • Configure the Defender Security Policy that will determine the method and level of access, time period within which access is permitted, and lockout conditions for failed logon attempts.
  • Assign the Defender Security Policy to the Access Node.
  • Assign users or groups of users to the Access Node.
  • Configure and assign security tokens to users.
  • Configure the remote access device in your environment.

The Configuration example illustrates how to configure the Cisco Adaptive Security Device (ASDM) version 6.1 for use with Defender. The configuration procedure may vary depending on the remote access device you are using.

Documentos relacionados