Safeguard Authentication Services 5.0.2 - Defender Integration Guide

Apply one-time password authentication settings

The configuration of the one-time passwords are applied periodically according to a configurable Group Policy refresh interval (by default every 90 minutes).

To force a Group Policy refresh

1. Log in to the Linux or Unix machine.
2. At a command prompt, execute the following command as root:

   /opt/quest/bin/vgptool apply

   The output from this command, when one-time passwords are successfully enabled, look similar to the following example:

   root@testmachine:~# vgptool apply
   
   Group Policy Apply - CallType: REFRESH
   
   
   Updating VGP From Policy
   ------------------------
   [vgp_vgpext.so]
   
   Accumulating Settings from GPOs
   -------------------------------
   GPO: Defender DEMO  CSE: vgp_defender.so
   GUID: 1EBC7D87-EFB7-4376-AA1E-3CE5850AC5E5  PTYPE: 786318DB-DE76-42F2-8A57-F1E0C3ACE113
   
   Applying Settings Changes
   -------------------------
   [vgp_licext.so]
   [vgp_vasext.so]
   [vgp_scecli.so]
   [vgp_sudoext.so]
   [vgp_dfc.so]
   [vgp_unixext.so]
   [vgp_sshcfg.so]
   [vgp_samba.so]
   [vgp_defender.so]
     Quest Defender Policy
       Adding Defender authentication module
       Current defender.conf (showing server information only)
         10.5.37.22:1645
       Current pam_radius_acl.conf
         *:testuser1
         *:testuser2
         *:testuser3
   [vgp_qpm4u.so]
   [vgp_admext.so]

3. Login using the one-time password.

Manual configuration

You can configure one-time password information manually. Manual configuration requires a machine running Safeguard Authentication Services that has pam_defender installed. The machine must also be joined to an Active Directory domain. If an access node cannot be found that applies to the machine, no configuration changes are made.

Configuring with VASTOOL

To configure one-time passwords with vastool

1. Log in to the Linux or Unix machine.
2. At a command prompt, execute the following command as root:

   /opt/quest/bin/vastool otp configure radius

   The output from this command when one-time passwords are successfully enabled look similar to the following example:

   root@testmachine:~vastool otp configure radius
   Configuring defender.conf
     Server: 10.5.37.22  Port: 1645
   Configuring PAM Radius Access Control List
     testuser1
     testuser2
     testuser3                

3. To configure pam for a specific service, such as gdm, run the following command as root:

   /opt/quest/bin/vastool otp configure pam gdm

   Note: When successful this command produces no output.

4. Log in using the one-time password.

Troubleshooting

You can configure the pam_defender module to log debug information to a file.

To configure pam_defender to log debug information

1. Run the following command:

   /opt/quest/bin/vastool otp configure trace <path to log file>

   This creates the /tmp/pam_def.ini file that the defender pam module uses to determine whether it should log debug information and adds the necessary information to this file to configure full debug.

2. Modify the pam configuration for your system, as follows:
   1. Find all lines that specify the pam_defender module.
   2. Add the "debug" option to the end of those lines.