Safeguard Authentication Services 5.0.2 - Defender Integration Guide

Defender installation prerequisites

Before you install Safeguard Authentication Services Defender on your host, ensure that you have:

1. Installed a Defender security server in your Active Directory domain.
2. Installed the Defender Microsoft Management Console (MMC) snap-in.
3. Installed Safeguard Authentication Services on your Unix or Linux machine.

Configuring Defender

To integrate Defender with Safeguard Authentication Services, perform the tasks described in this section.

Create a security policy

You use a security policy to specify which type of credential is to be sent to the Defender security server.

To create a security policy

1. Open Active Directory Users and Computers.
2. Right-click Defender and navigate to New | Defender Policy to launch the creation wizard.
3. Give the security policy a Name and Description, and then click Next.
4. Select Token for Method and click Next.
5. Select None for the Method and click Next.
6. Continue through the rest of the wizard, accepting the defaults and click Finish.

Create an access node

An access node is used to associate a security policy and a Defender security server to a machine or subnet of machines. In order to complete this task, you need to know the IP address of the machine or IP address and subnet mask of the subnet of machines that you would like to secure with Defender and Safeguard Authentication Services.

To create an Access node

1. Open Active Directory Users and Computers.
2. Right-click Defender and navigate to New | Defender Access Node to launch the creation wizard.
3. Give the access node a Name and Description, and then click Next.

4. Select a Node Type of Radius Agent.

   Note: pam_defender only works with Radius Agent.

5. Select the appropriate User ID for your environment based on the information below, then click Next.

   The User ID you select must match the attribute that you are using in Safeguard Authentication Services for Unix user name. Look in the Preferences of the Control Center to determine which attribute Safeguard Authentication Services is configured.

   Table 1: User IDs

   User IDs	Description
   SAM Account Name	This is the default Unix user name for Safeguard Authentication Services 5.0.1. It refers to the sAMAccountName attribute of the user.
   User Principal Name	Previous versions of Safeguard Authentication Services used this as the default Unix user name. It refers to the userPrincipalName attribute of the user.
   Defender ID	This refers to the defender-id attribute of the user, which is part of the Defender schema extension. You could configure this as the Unix user name, but One Identity does not recommend that.
   Proper Name	This refers to the cn attribute of the user.

6. Enter the IP Address of the machine or subnet of machines.
7. Enter the Port to use to establish a connection with the Defender security server (the default for a Radius Agent is port 1812).
8. Change the Subnet Mask from 255.255.255.255 to the appropriate value if you plan to use a subnet of machines.
9. Enter a Shared Secret to use in radius communications with the Defender security server and click Next.
10. Click Finish to complete the wizard.