
Defender 6.1 - Administration Guide


Step 2: Specify Defender Security Servers

The Defender PAM communicates with the Defender Security Server via the RADIUS protocol. The communication details for the Defender Security Server must be specified in the /etc/defender.conf file. This file must be readable by all.

The entries in the file must have the following format:

<hostname>:<portnumber> <sharedsecret> <timeout>

where

  • <hostname> is the name of the RADIUS server, that is, the Defender Security Server.
  • <portnumber> is the port number on which the Defender PAM will communicate with the RADIUS server. There must be no spaces between <hostname> and <portnumber>.
  • <sharedsecret> is the shared secret specified for the Defender PAM and the RADIUS server.
  • <timeout> is the length of time, in seconds, after which the connection between the Defender PAM and the RADIUS server will be lost if no activity is detected.

You can specify more than one RADIUS server in the file. The Defender PAM attempts to connect to the servers in the order they are listed.

The following example enables the Defender PAM to communicate with the RADIUS server on host dss.example.com, port 1645, with the shared secret shared_secret and a timeout of 3 seconds:

dss.example.com:1645 shared_secret 3
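The following parser is an added example, not part of the Defender product or this guide. It reads defender.conf text in the format described above and returns the servers in the order listed (the order in which the Defender PAM tries them), reporting a line-by-line error list for the mistakes that are easy to make by hand: a space between <hostname> and <portnumber>, a missing field, a port outside 1-65535, or a non-numeric timeout. The sample file contents are constructed; skipping blank lines is an assumption of this example, not documented behaviour of the Defender PAM.

```python
"""Validate the <hostname>:<portnumber> <sharedsecret> <timeout> entries of defender.conf.

Added example; not part of the Defender product. Returns the parsed servers in file
order plus a list of human-readable errors, so a bad file is caught before rollout.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RadiusServer:
    hostname: str
    port: int
    shared_secret: str
    timeout: int  # seconds of inactivity before the connection is dropped


EXPECTED = "<hostname>:<portnumber> <sharedsecret> <timeout>"


def parse_defender_conf(text: str) -> Tuple[List[RadiusServer], List[str]]:
    """Parse defender.conf text; return (servers in listed order, error messages)."""
    servers: List[RadiusServer] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored
        fields = line.split()
        if len(fields) != 3:
            # A space between hostname and port, or a missing field, lands here.
            errors.append(f"line {lineno}: expected '{EXPECTED}', got {raw!r}")
            continue
        endpoint, secret, timeout_s = fields
        host, sep, port_s = endpoint.rpartition(":")
        if not sep or not host or not port_s.isdigit():
            errors.append(f"line {lineno}: '{endpoint}' is not <hostname>:<portnumber> "
                          "(no spaces allowed between hostname and port)")
            continue
        port = int(port_s)
        if not 1 <= port <= 65535:
            errors.append(f"line {lineno}: port {port} is out of range 1-65535")
            continue
        if not timeout_s.isdigit() or int(timeout_s) < 1:
            errors.append(f"line {lineno}: timeout {timeout_s!r} must be a positive number of seconds")
            continue
        servers.append(RadiusServer(host, port, secret, int(timeout_s)))
    return servers, errors


# Constructed sample: two Defender Security Servers, tried in this order.
SAMPLE_CONF = """\
dss.example.com:1645 shared_secret 3
dss2.example.com:1645 shared_secret 3
"""

# Constructed sample containing the most common typo: a space before the port.
BAD_CONF = "dss.example.com :1645 shared_secret 3\n"


if __name__ == "__main__":
    for name, text in (("SAMPLE_CONF", SAMPLE_CONF), ("BAD_CONF", BAD_CONF)):
        servers, errors = parse_defender_conf(text)
        print(name, "->", [s.hostname for s in servers], errors)
```

Run it against a copy of /etc/defender.conf before enabling the PAM module; an empty error list means every entry has the three fields in the required shape.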

Step 3: Configure access control for users and services

The Defender PAM uses a PAM RADIUS Access Control List file (/etc/pam_radius_acl.conf) to determine which service/user combinations will be authenticated by the Defender PAM.

The Access Control file should contain a list of <servicename>:<username> pairs (one line per entry), to indicate which service/user combinations require Defender authentication. The <servicename> and/or <username> may be substituted with an asterisk (*) or left blank to indicate a wildcard (all users or services).

If the /etc/pam_radius_acl.conf file does not exist, all users must authenticate via Defender for every Defender PAM-enabled service.

Table 29: pam_radius_acl.conf syntax examples

  • To configure this: All users must authenticate via Defender for all Defender PAM-enabled services.
    Do this: Use a single entry with wildcards for both <servicename> and <username>.
    Example 1: *:*
    Example 2: : (both fields left blank)

  • To configure this: All users must authenticate via Defender for a specific service.
    Do this: Use a wildcard for the <username>.
    Example 1: sshd:*
    Example 2: telnet: (<username> left blank)

  • To configure this: Specific users must authenticate via Defender for all services.
    Do this: List individual users, but specify a wildcard for the <servicename>.
    Example 1: :john (<servicename> left blank)
    Example 2: *:sally

  • To configure this: Specific users must authenticate via Defender for specific services.
    Do this: List individual users and services without using wildcards.
    Example:
      sshd:jane
      sshd:david
      su:adam

  • To configure this: No users require authentication via Defender.
    Do this: Ensure that the /etc/pam_radius_acl.conf file exists, but remove all entries from the file.

The following is an example pam_radius_acl.conf file:

upm:*
telnet:
:john
*:sally
login:david

In this example, all users accessing the service upm or telnet must authenticate via Defender. Users john and sally must authenticate via Defender for every service. User david must authenticate via Defender for the login service only. Any servicename:username combination not listed in the file does not require users to authenticate via Defender.
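The evaluator below is an added example, not code from the Defender product or this guide. It applies the pam_radius_acl.conf rules stated above to a <servicename>:<username> pair: an asterisk or a blank field is a wildcard, a missing file means everyone must authenticate, and an existing but empty file means nobody does. It is useful for auditing an ACL before rollout, for instance to confirm that an administrative service such as su is actually covered for the accounts you expect. Whitespace trimming around each field is an assumption of this example; the sample file contents are the ones from the example above.

```python
"""Decide which <servicename>:<username> pairs require Defender authentication.

Added example; not part of the Defender product. Implements the documented rules:
'*' or an empty field is a wildcard, no ACL file means all users authenticate via
Defender, an empty ACL file means no users do. First matching entry wins.
"""
import os
from typing import List, Optional, Tuple

Pattern = Optional[str]  # None stands for a wildcard ('*' or blank)


def _pattern(field: str) -> Pattern:
    field = field.strip()  # assumption: surrounding whitespace is not significant
    return None if field in ("", "*") else field


def parse_acl(text: str) -> List[Tuple[Pattern, Pattern]]:
    """Return (service, user) patterns, one per non-blank line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed entry, expected <servicename>:<username>: {raw!r}")
        service, user = line.split(":", 1)
        rules.append((_pattern(service), _pattern(user)))
    return rules


def requires_defender(service: str, user: str, acl_text: Optional[str]) -> bool:
    """True if the pair needs Defender authentication.

    acl_text is None when /etc/pam_radius_acl.conf does not exist: everyone
    must authenticate. An existing, empty file yields an empty rule list: nobody does.
    """
    if acl_text is None:
        return True
    for svc_pat, user_pat in parse_acl(acl_text):
        if (svc_pat is None or svc_pat == service) and (user_pat is None or user_pat == user):
            return True
    return False


def load_acl(path: str = "/etc/pam_radius_acl.conf") -> Optional[str]:
    """Read the ACL file, returning None if it does not exist (the 'everyone' case)."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def uncovered(acl_text: Optional[str], pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Audit helper: return the (service, user) pairs that would NOT be challenged."""
    return [(s, u) for s, u in pairs if not requires_defender(s, u, acl_text)]


# The example file from the guide, embedded here as a constructed string.
SAMPLE_ACL = """\
upm:*
telnet:
:john
*:sally
login:david
"""


if __name__ == "__main__":
    checks = [("upm", "alice"), ("telnet", "bob"), ("sshd", "john"),
              ("su", "sally"), ("login", "david"), ("sshd", "david")]
    for svc, usr in checks:
        print(f"{svc}:{usr} -> {'Defender' if requires_defender(svc, usr, SAMPLE_ACL) else 'not listed'}")
    print("uncovered:", uncovered(SAMPLE_ACL, checks))
```

Because any combination not listed falls through to the local PAM stack for that service, the uncovered() helper is the check worth running after every ACL change: feed it the service names from Step 1 and the accounts that should be token-protected, and expect an empty list.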

You should ensure that for each service specified in the pam_radius_acl.conf file there is a valid system PAM configuration for that service as described in Step 1: Enable authentication for target service.

Step 4: Configure Defender objects in Active Directory

You may need to add or modify Defender objects in Active Directory so that your UNIX/Linux system can use Defender authentication. You should ensure that an Access Node is defined for your UNIX/Linux system in the Defender configuration and that the Access Node is assigned to the Defender Security Servers listed in the /etc/defender.conf file.

Also, ensure that your UNIX users are defined in Active Directory, have tokens assigned to them, and are included under the Members tab of the Access Node object corresponding to your UNIX system.

Testing Defender PAM configuration

You can test the configuration of the Defender PAM by using a test tool that is installed together with the Defender PAM. You can find this tool in /opt/quest/libexec/defender/check_pam_defender.

The test tool requires two arguments: the user name to test and the name of the service for which you want to test Defender authentication. The test tool attempts to reach the Defender Security Servers configured in your environment, and if one or more servers are accessible, it attempts to authenticate the specified user via Defender by using the Defender PAM. It then reports the result.
