Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Defender 5.8 - Administrator Guide

Table of Contents

Getting started

Features and benefits What you can do with Defender

Authenticating VPN users Authenticating Web site users Authenticating users of Windows-based computers

Deploying Defender

Step 1: Install required Defender components Step 2: Configure Defender Security Server Step 3: Create and configure objects in Active Directory

Defender Security Policy Defender Security Server Access Node

Step 4: Program and assign security tokens to users Defender Setup Wizard reference Defender Security Server Configuration tool reference

Communication ports Licensing

User interface for managing licenses Adding a license Removing a license

Managing Defender objects in Active Directory

Managing user objects

Managing tokens for a user

Tokens list buttons Authentication Details area elements

Resetting passphrase for a user Managing Defender Security Policy for a user Managing RADIUS payload for a user

Managing security token objects

Importing hardware token objects Assigning a hardware token object to a user Modifying token object properties

General tab Details tab Assigned Users

Import Wizard reference

Managing Defender Security Policies

Creating a Defender Security Policy object

New Object - Defender Policy Wizard reference

Modifying Defender Security Policy object properties

General tab Account tab Expiry tab Logon Hours tab SMS Token tab E-mail Token tab GrIDsure Token tab

Default Defender Security Policy

Managing Access Nodes

Creating an Access Node

New Object - Defender Access Node Wizard reference

Modifying Access Node properties

General tab Servers tab Members tab Policy tab RADIUS Payload tab

Managing Defender Security Servers

Creating a Defender Security Server object Modify Defender Security Server object properties

General tab Security Server tab Prompts tab Policy tab RADIUS Payload tab

Creating a RADIUS payload object

RADIUS payload attributes

Configuring security tokens

Configuring Defender Soft Token

Distributing Defender Soft Token for BlackBerry via BlackBerry Enterprise Service Distributing Defender Soft Token for BlackBerry by using a .jad file

Configuring GrIDsure token Enabling the use of Authy Enabling the use of Google Authenticator Configuring SMS token Configuring e-mail token Configuring VIP credentials

Enabling the use of VIP credentials Programming a VIP credential for a user

Configuring YubiKey

Yubico OTP mode OATH-HOTP mode

Defender Token Programming Wizard reference

Securing VPN access

Configuring Defender for remote access Configuration example

Configuring your remote access device

Step 1: Create an AAA server group, add Defender Security Server Step 2: Configure an IPsec connection profile

Configuring Defender

Step 1: Configure an Access Node Step 2: Specify users or groups for the Access Node

Using Defender VPN Integrator

Installing Defender VPN Integrator Configuring Defender VPN Integrator

Defender EAP Agent

Deploying Defender EAP Agent

Step 1: Install Defender EAP Agent Step 2: Configure Network Policy Server Step 3: Configure VPN connection on the client computer

Authenticating via EAP Agent

Securing Web sites

Installing ISAPI Agent Configuring ISAPI Agent Accessing Protected Website

Securing Windows-based computers

Installing Defender Desktop Login by using a wizard Performing an unattended installation of Defender Desktop Login Configuring Defender Desktop Login by using a configuration tool Configuring Defender Desktop Login by using Group Policy Defender Desktop Login Configuration tool reference

Securing PAM-enabled services

Installing Defender PAM Configuring Defender PAM

Step 1: Enable authentication for target service Step 2: Specify Defender Security Servers Step 3: Configure access control for users and services Step 4: Configure Defender objects in Active Directory

Testing Defender PAM configuration Defender PAM logging Auth arguments

Defender Management Portal (Web interface)

Installing the portal Opening the portal Specifying a service account for the portal Configuring the portal

Service Account tab Roles tab Log Receiver Service tab Reports tab

Portal roles Enabling automatic sign-in Configuring self-service for users

General tab Software Tokens tab Hardware Tokens tab E-mail Settings tab PIN Settings tab

Troubleshooting authentication issues

User Details tab Tokens tab Authentication Routes tab Authentications tab

Managing users Managing security tokens Viewing authentication statistics Viewing Defender Security Server warnings and logs Viewing token requests from users Using Defender reports

Generating a report

Audit trail Authentication requests Authentication activity Authentication violations Defender Security Server configuration License information Proxied users RADIUS payloads Tokens Active, inactive, and locked users User details

Report scheduling settings Viewing a generated report Deleting generated reports Viewing a list of scheduled reports Deleting scheduled reports

Managing portal database

Encrypting database Changing password for encrypted database Decrypting database

Defender Security Server log cache Log Receiver Service database

Delegating Defender roles, tasks, and functions

Steps to delegate roles, tasks, and functions Roles Service accounts Advanced control Full control Using control access rights

Automating administrative tasks

Installing Defender Management Shell Uninstalling Defender Management Shell Opening Defender Management Shell Getting help Cmdlets provided by Defender Management Shell

Administrative templates

Installing and configuring administrative templates Temporary Responses setting Active Roles Web Interface - Token Programming setting Mail Configuration setting ADSI Configuration setting

Integration with Active Roles

Installing Defender Integration Pack for Active Roles Commands added to the Active Roles Web Interface

Defender Properties Set Defender Password Program Defender Token

Enabling automatic deletion of tokens Delegating Defender roles or tasks

Integration with Cloud Access Manager Appendices

Appendix A: Enabling diagnostic logging

Administration Console Defender Core Token Operations SDK (DTSDK) Defender Security Server Desktop Login EAP Agent Integration Pack for Active Roles Management Portal Management Portal (reports) Management Shell Service Connection Point Soft Token for Windows Token Import Token Programming VPN Integrator Web Service API

Appendix B: Troubleshooting common authentication issues

Step 1: Gather required information Step 2: Analyze Defender Security Server log Step 3: Gather further diagnostics

Appendix C: Troubleshooting DIGIPASS token issues

Step 1: Determine type of failure Step 2: Verify Defender configuration Step 3: Gather further diagnostics

Appendix D: Defender classes and attributes in Active Directory

Classes defined by Defender

defender-tokenClass defender-danClass defender-dssClass defender-policyClass defender-licenseClass defender-radiusPayloadClass defender-tokenLicenseClass

Classes extended by Defender

Attributes defined by Defender

defender-tokenType defender-tokenData defender-userTokenData defender-tokenUsersDNs defender-tokenDate defender-dssDNs defender-dssMembers defender-danKey defender-id defender-violationCount defender-resetCount defender-lastLogon defender-objectActive defender-prompts defender-authMethods defender-lockoutThreshold defender-lockoutDuration defender-lockoutTime defender-policy defender-policyMembers defender-danType defender-userIdType defender-accessCategories defender-subnetMask defender-danMembers defender-danDNs defender-dssVersion defender-radiusPayloadDn defender-radiusPayloadMembers defender-radiusPayloadData defender-radiusPayloadGroups defender-radiusPayloadGroupsDN defender-radiusPayloadInherit defender-policyAutoUnlock defender-policyMobileUsers defender-policyMaximumPasswordAge defender-policyMaximumPINAge defender-policyPasswordChangeFlags defender-policyPasswordFilter defender-policyGINAOptions defender-policyLoginTimes

Appendix E: Defender Event Log messages

Defender VPN Integrator messages Defender Report Scheduler messages Defender Administration Console messages Defender Security Server messages

Appendix F: Defender Client SDK

Installing Defender Client SDK Application Programming Interfaces (APIs)

IAuthenticator, IAuthenticator2, and IAuthenticator3 interfaces IAuthenticator2 and IAuthenticator3 interfaces IAuthenticator3 interface IAuthInfo interface

Defender Security Server messages

Appendix G: Defender Web Service API

AddSoftwareTokenToUser method AddTokenToUser method GetTokensForUser method RemoveAllTokensFromUser method RemoveDefenderPassword method RemovePinFromUserToken method RemoveTemporaryResponse method RemoveTokenFromUser method ResetDefenderToken method ResetDefenderViolationCount method SetDefenderPassword method SetPinOnUserToken method SetTemporaryResponse method TestDefenderToken method

AssignedSoftwareToken type AssignedToken type ProgrammableSoftwareTokenType type TokenList type UserTokenDetail type DefenderResult type UserViolationCount type TemporaryResponse type

Default Defender Security Policy

If a user is a member of an Access Node and no Defender Security Policy is applied to the user explicitly or implicitly, then a default Defender Security Policy is effective for the user.

The default Defender Security Policy is configured as follows:

•

Primary authentication method is security token.

•

User’s violation count is incremented by one after each 3 unsuccessful authentication attempts.

•

Violation count upon which the user’s account is locked is 4. Lockout duration is 3 minutes.

•

Violation count is reset each time the user successfully authenticates.

•

The user can log on 24 hours a day, 7 days a week.

•

SMS token, e-mail token, and GrIDsure token are disabled for the user.

Managing Access Nodes

An Access Node is essentially an IP address or a range of IP addresses from which the Defender Security Server accepts authentication requests. If an Access Node is misconfigured, authentication requests may not reach the Defender Security Server and the user cannot get access to the resources protected by Defender.

After creating an Access Node, you need to assign it to a Defender Security Server, specify its members (users or groups you want to authenticate through the node), and select a Defender Security Policy for the node.

•

Creating an Access Node

•

Modifying Access Node properties

Creating an Access Node

To create an Access Node

1

On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).

2

In the left pane (console tree), expand the appropriate domain node, and then expand the Defender container.

3

Right-click the Access Nodes container, point to New, and then click Defender Access Node.

4

Complete the wizard that starts to create a new Access Node.

For more information about the wizard steps and options, see New Object - Defender Access Node Wizard reference.

New Object - Defender Access Node Wizard reference

Table 1. New Object - Defender Access Node Wizard reference

Enter a name and description for this Access Node

Provides the following text boxes:

•

Name Type a name for the Access Node being created.

•

Description Type a description for the Access Node being created.

Select the node type and user ID type for this Access Node

Provides the following options:

•

Node Type Use this list to select a type for the Access Node being created. The following node types are available:

Radius Agent Allows a NAS device to connect to Defender using the RADIUS protocol. RADIUS is transmitted over UDP and uses port 1812 by default. This is the default setting and is supported by most access devices.

Radius Proxy Allows RADIUS requests received from a RADIUS Agent access node to be forwarded to another RADIUS Server.

Radius Proxy (to non-negotiating server) Allows Defender to issue the response request on behalf of the RADIUS Server. This node type is typically used when migrating from RSA to Defender. In some cases, the user ID included in the request sent from the Access Node and proxied by the Defender Security Server to the RADIUS Server cannot be processed by the RADIUS Server, unless accompanied by a password.

Defender Agent Allows Defender agents to connect and process authentication requests. Typically, this node type is required for use with legacy Cisco ACS devices. Defender agents use a proprietary protocol to transmit data and use TCP (default port number 2626), instead of the UDP of RADIUS.

NetScreen Agent Select this node type if your Access Node is a NetScreen VPN.

NC-PASS Radius Agent Select this node type if you are using the NC-Pass two-factor authentication software.

Nortel VPN Agent Select this node type if you plan to authenticate using an SNK token in synchronous mode.

•

User ID Use this list to select the required user ID type. This is the user ID that will be used to locate the user in Active Directory. The available options are SAM Account Name, Defender ID, User Principal Name, Proper Name, and E-mail Address.

If you select E-mail Address, the e-mail address specified on the General tab of the user Properties dialog box is used.

Enter the connection details for this Access Node

•

IP Address or DNS Name Type the IP address or Network ID (IP address or DNS name) from which the Defender Security Server will accept authentication requests.

If you specify a single IP address, you must use the 255.255.255.255 subnet mask.

If you specify a network ID (for example, 192.168.10.0) and subnet mask 255.255.255.0, this causes the corresponding Defender Security Server to accept authentication requests from all hosts on the specified subnet (192.168.10.0).

•

Port Type the port number of the Defender Security Server.

•

Subnet Mask Type the subnet mask you want to use for the Access Node.

•

Shared Secret Type the shared secret you want to use. The shared secret configured on the access device must match the shared secret specified for the Access Node. The shared secret can be up to 256 alphanumeric characters. (For a Defender Agent Access Node, the shared secret can be 16 hex or 24 octal digits).

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy