Defender 6.1 - Administration Guide

This section explains how to configure the rollout option in the following two scenarios:

Organizations where limited administration is required: In this scenario, users are switched to token authentication as soon as a token is registered with their user account. No administration is required.
Organizations with less Defender users, or where token self-registration is not in use: In this scenario, when a token is registered to the user account, administrative action is required to move users to the correct Active Directory group.

In both the scenarios the following security policies are required:

Automatically Switching to Token Authentication

Configure an access node for your access device (NAS), as a Radius Agent, allowing access for domain users using the Token policy.
Configure a second access node, as a Radius Agent on a different port, using the IP address of the Defender Security Server and allowing access for domain users with the Active Directory password (rollout mode) policy applied.
Configure a third access node as a Radius Proxy, using the IP address of the Defender Security Server on the same port and Shared Secret as configured in step 2.
NOTE: Do not assign any members or a security policy.
This configuration ensures that:
- Users with tokens can authenticate using the first access node
- Users without tokens is redirected to the second access node and authenticated using their Active Directory password.
Once a user has been assigned a token or has used Defender Self-Registration to register a token, the user is not redirected and can authenticate using the first access node (Token policy).

Manually switching to token authentication

Create two Active Directory security groups. One group with users who are token authenticated, for example, Defender Auth, and the other group with users who require Active Directory password, for example, Defender AD Password.
Assign the Token policy to the Defender Auth group.
Assign the Active Directory password policy to the Defender AD Password group.
Configure an access node for your access device (NAS), adding both AD groups to the members tab without assigning any policy on the access node.
Users in the Defender Auth security group authenticate with tokens and users in the Defender AD Password group authenticate with Active Directory Passwords.

When the users of Defender AD Password group are assigned a token, the administrator has to move users to the Defender Auth group and ensure they are removed from the Defender AD Password group.

Modifying Defender Security Policy object properties

To modify Defender Security Policy object properties

On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
In the left pane (console tree), expand the appropriate domain node, and then expand the Defender container.
Click to select the Policies container.
In the right pane, double-click the Defender Security Policy whose properties you want to modify.
Use the dialog box that opens to modify the Defender Security Policy properties as necessary.
The dialog box has the following tabs:
- General tab Allows you to configure the Defender Security Policy.
- Account tab Allows you to configure the Defender Security Policy settings related to the lockout of user accounts.
- Expiry tab Allows you to configure expiry settings for Defender passwords and token PINs.
- Logon Hours tab Allows you to configure a time slot when authentication via Defender is permitted or denied to the user.
- SMS Token tab Allows you to configure settings for sending SMS messages containing one-time passwords to users’ SMS-capable devices.
- E-mail Token tab Allows you to configure settings for sending e-mail messages containing one-time passwords to the users.
- GrIDsure Token tab Allows you to enable the use of GrIDsure Personal Identification Pattern (PIP) for authentication via Defender.
When you are finished, click OK to apply your changes.