Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Defender 6.3.1 - Administration Guide

Table of Contents

Getting started

Features and benefits What you can do with Defender

Authenticating VPN users Authenticating Web site users Authenticating users of Windows-based computers

Deploying Defender

Step 0: Install required pre-requisites for Defender Step 1: Install required Defender components Step 2: Configure Defender Security Server Step 3: Create and configure objects in Active Directory

Defender Security Policy Defender Security Server Access Node

Step 4: Program and assign security tokens to users Defender Setup Wizard reference Defender Security Server Configuration tool reference

Communication ports Upgrading Defender

Upgrading Defender Security Server and Administration Console Upgrading Defender Management Portal Upgrading Management Shell

User interface for managing licenses Adding a license Removing a license

Managing Defender objects in Active Directory

Managing user objects

Managing tokens for a user

Tokens list buttons Authentication Details area elements

Resetting passphrase for a user Managing Defender Security Policy for a user Managing RADIUS payload for a user

Managing security token objects

Importing hardware token objects Assigning a hardware token object to a user Modifying token object properties

General tab Details tab Assigned Users

Import Wizard reference

Managing Defender Security Policies

Creating a Defender Security Policy object

New Object - Defender Policy Wizard reference

Defender Rollout Mode

Automatically Switching to Token Authentication Manually switching to token authentication

Modifying Defender Security Policy object properties

General tab Account tab Expiry tab Logon Hours tab SMS Token tab E-mail Token tab GrIDsure Token tab

Default Defender Security Policy

Managing Access Nodes

Creating an Access Node

New Object - Defender Access Node Wizard reference

Modifying Access Node properties

General tab Servers tab Members tab Policy tab RADIUS Payload tab

Managing Defender Security Servers

Creating a Defender Security Server object Modify Defender Security Server object properties

General tab Security Server tab Prompts tab Policy tab RADIUS Payload tab

Creating a RADIUS payload object

RADIUS payload attributes

Configuring security tokens

Configuring Defender Soft Token Configuring GrIDsure token Enabling the use of Authy Enabling the use of Google Authenticator Configuring SMS token Configuring e-mail token Configuring VIP credentials

Enabling the use of VIP credentials Programming a VIP credential for a user

Configuring YubiKey

Yubico OTP mode OATH-HOTP mode

Defender Token Programming Wizard reference FIDO2 compatible Hardware Yubikey Configuration settings to provide access to request FIDO2 token from Self-Service Enabling/Disabling FIDO2 token Enabling the use of Microsoft Authenticator Enabling use of OneLogin Authenticator

Securing VPN access

Configuring Defender for remote access Configuration example

Configuring your remote access device

Step 1: Create an AAA server group, add Defender Security Server Step 2: Configure an IPsec connection profile

Configuring Defender

Step 1: Configure an Access Node Step 2: Specify users or groups for the Access Node

Using Defender VPN Integrator

Installing Defender VPN Integrator Configuring Defender VPN Integrator

Defender EAP Agent

Deploying Defender EAP Agent

Step 1: Install Defender EAP Agent Step 2: Configure Network Policy Server Step 3: Configure VPN connection on the client computer

Authenticating via EAP Agent

Securing Web sites

Installing ISAPI Agent Configuring ISAPI Agent Accessing Protected Website

Securing Windows-based computers

Installing Defender Desktop Login by using a wizard Performing an unattended installation of Defender Desktop Login Configuring Defender Desktop Login by using a configuration tool Configuring Defender Desktop Login by using Group Policy Defender Desktop Login Configuration tool reference

Defender Management Portal (Web interface)

Installing the portal Configuring SQL Express Server as database for the portal [Optional] Opening the portal Specifying a service account for the portal Configuring the portal

Service Account tab Roles tab Log Receiver Service tab Reports tab

Portal roles Enabling automatic sign-in Configuring self-service for users

General tab Software Tokens tab Hardware Tokens tab E-mail Settings tab PIN Settings tab

Troubleshooting authentication issues

User Details tab Tokens tab Authentication Routes tab Authentications tab

Managing users Managing security tokens Viewing authentication statistics Viewing Defender Security Server warnings and logs Viewing token requests from users Using Defender reports

Generating a report

Audit trail Authentication requests Authentication activity Authentication violations Defender Security Server configuration License information Proxied users RADIUS payloads Tokens Active, inactive, and locked users User details

Report scheduling settings Viewing a generated report Deleting generated reports Viewing a list of scheduled reports Deleting scheduled reports

Managing portal database

Encrypting database Changing password for encrypted database Decrypting database DB Migration

Defender Security Server log cache Log Receiver Service database

Securing PAM-enabled services

Installing Defender PAM Configuring Defender PAM

Step 1: Enable authentication for target service Step 2: Specify Defender Security Servers Step 3: Configure access control for users and services Step 4: Configure Defender objects in Active Directory

Testing Defender PAM configuration Defender PAM logging Auth arguments

Delegating Defender roles, tasks, and functions

Steps to delegate roles, tasks, and functions Roles Service accounts Advanced control Full control Using control access rights

Automating administrative tasks

Installing Defender Management Shell Uninstalling Defender Management Shell Opening Defender Management Shell Getting help Cmdlets provided by Defender Management Shell

Administrative templates

Installing administrative templates Configuring administrative templates Temporary Responses setting Active Roles Web Interface - Token Programming setting Mail Configuration setting ADSI Configuration setting Updating Administrative templates from .adm to .admx

Domain Controller Client computer

Integration with Active Roles

Installing Defender Integration Pack for Active Roles Commands added to the Active Roles Web Interface

Defender Properties Set Defender Password Program Defender Token

Enabling additional features via Group Policy Enabling automatic deletion of tokens Delegating Defender roles or tasks Upgrading Defender Integration Pack for Active Roles Uninstalling Defender Integration Pack for Active Roles

Push Notifications Appendices

Appendix A: Enabling diagnostic logging

Administration Console Defender Core Token Operations SDK (DTSDK) Defender Security Server Desktop Login EAP Agent Integration Pack for Active Roles Management Portal Management Portal (reports) Management Shell Service Connection Point Soft Token for Windows Token Import Token Programming VPN Integrator Web Service API Product information tool

Appendix B: Troubleshooting common authentication issues

Step 1: Gather required information Step 2: Analyze Defender Security Server log Step 3: Gather further diagnostics

Appendix C: Troubleshooting DIGIPASS token issues

Step 1: Determine type of failure Step 2: Verify Defender configuration Step 3: Gather further diagnostics

Appendix D: Defender classes and attributes in Active Directory

Classes defined by Defender

defender-tokenClass defender-danClass defender-dssClass defender-policyClass defender-licenseClass defender-radiusPayloadClass defender-tokenLicenseClass

Classes extended by Defender

Attributes defined by Defender

defender-tokenType defender-tokenData defender-userTokenData defender-tokenUsersDNs defender-tokenDate defender-dssDNs defender-dssMembers defender-danKey defender-id defender-violationCount defender-resetCount defender-lastLogon defender-objectActive defender-prompts defender-authMethods defender-lockoutThreshold defender-lockoutDuration defender-lockoutTime defender-policy defender-policyMembers defender-danType defender-userIdType defender-subnetMask defender-accessCategories defender-danMembers defender-danDNs defender-dssVersion defender-radiusPayloadDn defender-radiusPayloadMembers defender-radiusPayloadData defender-radiusPayloadGroups defender-radiusPayloadGroupsDN defender-radiusPayloadInherit defender-policyAutoUnlock defender-policyMobileUsers defender-policyMaximumPasswordAge defender-policyMaximumPINAge defender-policyPasswordChangeFlags defender-policyPasswordFilter defender-policyGINAOptions defender-policyLoginTimes defender-notificationId

Appendix E: Defender Event Log messages

Defender VPN Integrator messages Defender Report Scheduler messages Defender Administration Console messages

Appendix F: Defender Client SDK

Installing Defender Client SDK Application Programming Interfaces (APIs)

IAuthenticator, IAuthenticator2, and IAuthenticator3 interfaces

Authenticate method challengeMessage property sessionID property timeout property

IAuthenticator2 and IAuthenticator3 interfaces

challengeMessageId property challengeMessageData property

IAuthenticator3 interface

AddPayload method GetGridData method GetAuthenticationImage method SetGridResetPIPAttribute method payload property grIDsureMessage property grIDsureGridType property

IAuthInfo interface

userIdType property isUserDefenderAuthenticated property

Defender Security Server messages

Appendix G: Defender Web Service API

AddSoftwareTokenToUser method AddTokenToUser method GetTokensForUser method RemoveAllTokensFromUser method RemoveDefenderPassword method RemovePinFromUserToken method RemoveTemporaryResponse method RemoveTokenFromUser method ResetDefenderToken method ResetDefenderViolationCount method SetDefenderPassword method SetPinOnUserToken method SetTemporaryResponse method TestDefenderToken method

AssignedSoftwareToken type AssignedToken type ProgrammableSoftwareTokenType type TokenList type UserTokenDetail type DefenderResult type UserViolationCount type TemporaryResponse type

New Object - Defender Policy Wizard reference

Table 9:
New Object - Defender Policy Wizard reference
Wizard step	Options
Enter a name and description for this Policy	Provides the following text boxes: Name Type a name for the Defender Security Policy being created. Description Type a description for the Defender Security Policy being created.
Select an authentication method	Provides the following elements: Method Select a primary authentication method for the Defender Security Policy. An authentication method determines the passcode that the user must enter when attempting to authenticate. You can select one of the following authentication methods: Token The user must use a token response to authenticate. Defender password The user must enter a valid Defender password to authenticate. Active Directory password The user must enter a valid Active Directory password to authenticate. Token with Defender password The user must enter a token response followed by a valid Defender password to authenticate. Defender password with token The user must enter a valid Defender password followed by a token response to authenticate. Token with Active Directory password The user must enter a token response followed by a valid Active Directory password to authenticate. Active Directory password with token The user must enter a valid Active Directory password followed by a token response to authenticate. Active Directory password (rollout mode) The user can authenticate with the Active Directory password until a security token is assigned or registered to the user’s Active Directory account. After a security token has been assigned or registered for the user, the user must submit the token response to authenticate. For more information, see Defender Rollout Mode GrIDsure token (auto-enrollment mode) The user must authenticate by using a GrIDsure Personal Identification Pattern (PIP). During the first authentication, the user is prompted to configure a GrIDsure PIP to be used for subsequent authentications. Logon Attempts Enter the number of times that the user can attempt to log on. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented. Use Synchronous tokens as event tokens Enables the use of the same DIGIPASS GO token response for logon to more that one system without generating a new response, provided that the logon process takes less than 36 seconds which is the validity period for a DIGIPASS GO token response.
Select the second authentication method	Specify parameters for the additional authentication method you want the user to use. If you want to disable the additional authentication method, from the Method list, select None. Other options in the Method list are identical to those available in the Select an authentication method step of the wizard.
Enter account lockout policy details	Provides the following options: Enable Account Lockout When this check box is selected, it causes the user’s Defender account to be locked out if the user has exceeded the number of violations (failed logon attempts) specified n the Lockout after n violations option. If you select the Lockout Windows account after indicated violations check box, this causes the user’s Windows account to be locked out after the specified number of failed logon attempts has been exceeded by the user. This option requires the Windows account lockout option to be enabled in Domain Security Policy or Domain Controller Security Policy. Locked accounts must be unlocked by an administrator Specifies that locked accounts can only be unlocked by an administrator. Use the Lockout duration option to set the lockout duration in minutes. The lockout duration period is counted from the moment of most recent logon attempt. That is, if the user attempts to logon while the account is still locked, the lockout duration is recalculated from the moment of that last attempt. If you set the Lockout duration value to 0, the locked user accounts can only be unlocked by an administrator. Automatically reset account after successful login Resets the count of unsuccessful logon attempts to 0 after the user successfully logs on.
Enter Defender Password and PIN expiry details	Provides the following options: Enable Defender Password Expiry When this check box is selected, it causes the Defender password to expire after the number of days specified in the Expire after option. Enable PIN Expiry When this check box is selected, it causes the token PIN to expire after the number of days specified in the Expire after option. This check box is only available if the token selected for authentication has a PIN.

Defender Rollout Mode

This section explains how to configure the rollout option in the following two scenarios:

Organizations where limited administration is required: In this scenario, users are switched to token authentication as soon as a token is registered with their user account. No administration is required.
Organizations with less Defender users, or where token self-registration is not in use: In this scenario, when a token is registered to the user account, administrative action is required to move users to the correct Active Directory group.

In both the scenarios the following security policies are required:

Token
Active Directory password (rollout mode)

Automatically Switching to Token Authentication

Configure an access node for your access device (NAS), as a Radius Agent, allowing access for domain users using the Token policy.
Configure a second access node, as a Radius Agent on a different port, using the IP address of the Defender Security Server and allowing access for domain users with the Active Directory password (rollout mode) policy applied.
Configure a third access node as a Radius Proxy, using the IP address of the Defender Security Server on the same port and Shared Secret as configured in step 2.
NOTE: Do not assign any members or a security policy.
This configuration ensures that:
- Users with tokens can authenticate using the first access node
- Users without tokens is redirected to the second access node and authenticated using their Active Directory password.
Once a user has been assigned a token or has used Defender Self-Registration to register a token, the user is not redirected and can authenticate using the first access node (Token policy).

Manually switching to token authentication

Create two Active Directory security groups. One group with users who are token authenticated, for example, Defender Auth, and the other group with users who require Active Directory password, for example, Defender AD Password.
Assign the Token policy to the Defender Auth group.
Assign the Active Directory password policy to the Defender AD Password group.
Configure an access node for your access device (NAS), adding both AD groups to the members tab without assigning any policy on the access node.
Users in the Defender Auth security group authenticate with tokens and users in the Defender AD Password group authenticate with Active Directory Passwords.

When the users of Defender AD Password group are assigned a token, the administrator has to move users to the Defender Auth group and ensure they are removed from the Defender AD Password group.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center