Defender 5.9.3 - Administration Guide

Testing Defender PAM configuration

You can test the configuration of the Defender PAM by using a test tool that is installed together with the Defender PAM. The tool is located at /opt/quest/libexec/defender/check_pam_defender.

The test tool takes two arguments: the user name to test and the name of the PAM service for which you want to test Defender authentication. The tool first attempts to reach the Defender Security Servers configured in your environment. If one or more servers are reachable, it attempts to authenticate the specified user through the Defender PAM and then reports the result.

Defender PAM logging

For every failed authentication attempt, the Defender PAM writes the RADIUS server response to the system logger at the Info level. Depending on the platform, it uses the auth or the authpriv facility.

You can enable trace level logging for troubleshooting purposes.

To enable trace level logging

  1. Make sure the /tmp/pam_def.ini file exists on your system. The file must specify the path of a log file and a trace level.

    Example:

    filename=/tmp/pam_defender_trace.log
    level=0xffffffff

  2. Append the debug argument to the auth entries for the Defender PAM in the system PAM configuration.

Auth arguments

The following table lists the arguments you can append to the auth entries for the Defender PAM in the system PAM configuration.

Table 30: Auth arguments

debug
    Enables trace level logging for the Defender PAM entries in the system PAM configuration to which this argument is added. For instructions on how to enable trace level logging, see Defender PAM logging.

skip_password
    Causes the Defender PAM to display the “Enter Synchronous Response:” prompt to the user instead of the “Passcode:” prompt.

use_first_pass
    Causes the Defender PAM to use the PAM_AUTHTOK item as the user’s passcode. The user is not prompted to enter a passcode. If the PAM_AUTHTOK item is not set, authentication fails.

try_first_pass
    Causes the Defender PAM to use the PAM_AUTHTOK item in the PAM stack as the user’s passcode. If the PAM_AUTHTOK item is not set, the Defender PAM prompts the user for a passcode.

conf=<path to Defender configuration file>
    Specifies an alternate location for the defender.conf file. The default location is /etc/defender.conf.

client_id=<client ID>
    Specifies the client ID for the accounting requests that are validated during the pam_session call. When no client ID is specified, the PAM service name is used as the client ID.
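The following shell script is an added example; it is not part of the Defender documentation or of the product. It ties together the two steps of the trace logging procedure above, the auth arguments in Table 30, and the check_pam_defender test tool: it writes the pam_def.ini control file, appends debug to the Defender auth entries of a PAM service file without touching other entries or other modules, and runs the test tool where it is installed. The module file name pam_defender.so, the /etc/pam.d/<service> layout, and the session entry in the sample stack are assumptions, and the sample stack itself is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Defender documentation): a troubleshooting
# helper for the Defender PAM. Assumptions, labelled where used: the module
# file is pam_defender.so, the stack uses the /etc/pam.d/<service> layout
# (or /etc/pam.conf with a leading service column), and the test tool lives
# at the path the guide gives. The sample PAM stack below is constructed.
set -u

CHECK_TOOL=/opt/quest/libexec/defender/check_pam_defender

# Step 1 of the procedure: write the trace-control file. On a real host the
# path must be /tmp/pam_def.ini; the caller chooses the path so that the demo
# can work in a scratch directory.
write_trace_ini() {
    ini=$1; log=$2
    printf 'filename=%s\nlevel=0xffffffff\n' "$log" > "$ini"
}

# Step 2: append "debug" to every auth entry that loads the Defender module
# (type is field 1 in /etc/pam.d/<service>, field 2 in /etc/pam.conf). Other
# entry types and other modules are left alone; the edit is idempotent.
add_debug_arg() {
    pamfile=$1
    tmp=$(mktemp)
    awk '($1 == "auth" || $2 == "auth") && /pam_defender\.so/ &&
         !/[ \t]debug([ \t]|$)/ { print $0 " debug"; next }
         { print }' "$pamfile" > "$tmp"
    cat "$tmp" > "$pamfile"   # rewrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# Number of Defender entries that currently carry the debug argument.
count_debug_entries() {
    grep -c 'pam_defender\.so.*[[:space:]]debug' "$1" || true
}

# Constructed stack for an SSH service: local password first, then a Defender
# passcode. try_first_pass reuses the password already in PAM_AUTHTOK as the
# passcode and prompts only if it is unset; use_first_pass would fail instead.
# client_id names the accounting client; the session entry is assumed here,
# since the guide says accounting requests are validated in pam_session.
write_sample_pam() {
    cat > "$1" <<'EOF'
auth     required   pam_unix.so
auth     required   pam_defender.so try_first_pass conf=/etc/defender.conf client_id=sshd
account  required   pam_unix.so
session  required   pam_defender.so client_id=sshd
EOF
}

# Run the test tool from the guide: the user name and the PAM service name,
# in that order. Reports and returns 2 where the tool is not installed.
run_pam_check() {
    if [ -x "$CHECK_TOOL" ]; then
        "$CHECK_TOOL" "$1" "$2"
    else
        echo "not installed here; on a Defender host run: $CHECK_TOOL $1 $2" >&2
        return 2
    fi
}

# Demo against a scratch copy of the stack.
work=$(mktemp -d)
write_sample_pam "$work/sshd"
write_trace_ini "$work/pam_def.ini" "$work/pam_defender_trace.log"
add_debug_arg "$work/sshd"
echo "debug entries: $(count_debug_entries "$work/sshd")"
cat "$work/sshd"
run_pam_check alice sshd || true
rm -rf "$work"
```

To enable tracing on a host, point write_trace_ini at /tmp/pam_def.ini and add_debug_arg at the real service file (for example /etc/pam.d/sshd), then run the test tool and read the trace log. Remove the debug argument and the ini file once troubleshooting is finished, since the trace log records module activity in detail.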

Delegating Defender roles, tasks, and functions

Defender provides a scalable approach to the administration of access rights, enabling you to delegate specific Defender roles, tasks, and functions to the users or groups you want.

The Defender Administration Console provides a wizard you can use to search for and select one or multiple user accounts, and then choose which Defender roles or tasks you want these accounts to perform.

Besides delegating roles or tasks, you can delegate specific Defender functions, for example, appoint selected user accounts as service accounts for the Defender Security Servers or Defender Management Portal, or grant full control over particular Defender objects, such as Access Nodes, Defender Security Servers, licenses, RADIUS payloads, or security tokens.
