Chat now with support
Chat with Support

Defender 6.6 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

New Object - Defender Access Node Wizard reference

 

Table 10:

New Object - Defender Access Node Wizard reference

Wizard step

Options

Enter a name and description for this Access Node

Provides the following text boxes:

  • Name  Type a name for the Access Node being created.
  • Description  Type a description for the Access Node being created.

Select the node type and user ID type for this Access Node

Provides the following options:

  • Node Type  Use this list to select a type for the Access Node being created. The following node types are available:

    Radius Agent  Allows a NAS device to connect to Defender using the RADIUS protocol. RADIUS is transmitted over UDP and uses port 1812 by default. This is the default setting and is supported by most access devices.

    Radius Proxy  Allows RADIUS requests received from a RADIUS Agent access node to be forwarded to another RADIUS Server.

    Radius Proxy (to non-negotiating server)  Allows Defender to issue the response request on behalf of the RADIUS Server. This node type is typically used when migrating from RSA to Defender. In some cases, the user ID included in the request sent from the Access Node and proxied by the Defender Security Server to the RADIUS Server cannot be processed by the RADIUS Server, unless accompanied by a password.

    Defender Agent  Allows Defender agents to connect and process authentication requests. Typically, this node type is required for use with legacy Cisco ACS devices. Defender agents use a proprietary protocol to transmit data and use TCP (default port number 2626), instead of the UDP of RADIUS.

    NetScreen Agent  Select this node type if your Access Node is a NetScreen VPN.

    NC-PASS Radius Agent  Select this node type if you are using the NC-Pass two-factor authentication software.

    Nortel VPN Agent  Select this node type if you plan to authenticate using an SNK token in synchronous mode.

  • User ID  Use this list to select the required user ID type. This is the user ID that will be used to locate the user in Active Directory. The available options are SAM Account Name, Defender ID, User Principal Name, Proper Name, and E-mail Address.

    If you select E-mail Address, the e-mail address specified on the General tab of the user Properties dialog box is used.

Enter the connection details for this Access Node

  • IP Address or DNS Name  Type the IP address or Network ID (IP address or DNS name) from which the Defender Security Server will accept authentication requests.

    If you specify a single IP address, you must use the 255.255.255.255 subnet mask.

    If you specify a network ID (for example, 192.168.10.0) and subnet mask 255.255.255.0, this causes the corresponding Defender Security Server to accept authentication requests from all hosts on the specified subnet (192.168.10.0).

  • Port  Type the port number of the Defender Security Server.
  • Subnet Mask  Type the subnet mask you want to use for the Access Node.
  • Shared Secret  Type the shared secret you want to use. The shared secret configured on the access device must match the shared secret specified for the Access Node. The shared secret can be up to 63 alphanumeric characters. (For a Defender Agent Access Node, the shared secret can be 16 hex or 24 octal digits).

Modifying Access Node properties

To modify Access Node properties

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate domain node, and then expand the Defender container.
  3. Click to select the Access Nodes container.
  4. In the right pane, double-click the Access Node whose properties you want to modify.
  5. Use the dialog box that opens to modify the Access Node properties as necessary.

The dialog box has the following tabs:

  • General tab  Allows you to view or edit the Access Node configuration.
  • Servers tab  Allows you to view or edit a list of the Defender Security Servers to which the Access Node is assigned.
  • Members tab  Allows you to specify users or groups whose members can authenticate via the Access Node.
  • Policy tab  Allows you to assign a Defender Security Policy to the Access Node.
  • RADIUS Payload tab  Allows you to configure the RADIUS payload for the Access Node.
  1. When you are finished, click OK to apply your changes.

General tab

This tab allows you to view or edit the Access Node configuration. The tab has the following elements:

  • Description  View or edit the Access Node description.
  • IP Address or DNS Name  View or edit the IP address or DNS name of the NAS device.

    Examples:

    192.168.70.9  Allows connections from this IP address only.

    192.168.70.0  Allows connections from any IP address on the 192.168.70.0 subnet (subnet mask 255.255.255.0 would also be required).

  • Subnet Mask  View or edit subnet mask for the Access Nodes that connect to the Defender Security Server.
  • Authentication Port  View or edit the number of the port on which the Access Node accepts RADIUS requests.

    The default ports are:

    1812  RADIUS agent, RADIUS proxy.

    2626  Defender agent.

  • Accounting Port  View or edit the port number on which the Access Node accepts RADIUS accounting packets. Upon receipt of an accounting packet, its contents are written to an accounting log. The default port number is 1813.
  • Node Type  View or change the current node type. For available node types and their descriptions, see New Object - Defender Access Node Wizard reference.
  • Shared Secret  View or edit the shared secret that this Access Node uses when attempting to establish a connection with the Defender Security Server. To view a hidden shared secret, click the Reveal button next to this text box. To conceal a visible shared secret, click the Hide button next to this text box.
  • User ID  View or change the type of user ID by which the Defender Security Server searches for users in Active Directory. Possible values are Defender ID, User Principle Name, SAM Account Name, Proper Name, and E-mail Address.

Servers tab

This tab allows you to view or change a list of the Defender Security Servers to which the Access Node is assigned. To add a new Defender Security Server to the list, click Assign. To remove a Defender Security Server from the list, select that server, and then click Unassign.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating