Password Manager 5.9.7 - Administration Guide

RADIUS Two-Factor Authentication

RADIUS Two-Factor Authentication enables two-factor authentication on Password Manager. RADIUS Two-Factor Authentication uses one-time passwords to authenticate users on the Self-Service site and Helpdesk site.

To configure RADIUS Two-Factor Authentication in Password Manager, you have to configure the RADIUS server details in Password Manager.

To configure RADIUS Two-Factor Authentication

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed.

  2. Click Add RADIUS server to add a new RADIUS server for authentication.

    The RADIUS Two-Factor Authentication page is displayed.

    NOTE: You can add only two servers: one is used as the primary server and the other as the secondary server. The server that is created first is considered the primary server and is used for RADIUS authentication.

  3. In the RADIUS Server (IP address or hostname) field, enter the RADIUS server IP address.

  4. In the Port number field, enter the port number assigned during configuration of RADIUS.

  5. In the RADIUS Shared Secret field, enter the password set during RADIUS configuration.

  6. Specify the Active Directory attribute to authenticate the user from the drop-down menu.

  7. From the Additional RADIUS Attribute section, select the required RADIUS attribute from the drop-down menu. Specify the value for the selected attribute and click +.

    The RADIUS attributes and the corresponding values that you add are displayed.

    NOTE: The RADIUS attributes supported are NAS-IP-Address, NAS-Port, NAS-Port-Type, and NAS-Identifier.

  8. Click Save.

For more information, see Authenticate with RADIUS Two-Factor Authentication.
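How the values entered in steps 3 to 7 end up on the wire, as an added example that is not from the Password Manager documentation or product code: it builds an RFC 2865 Access-Request and shows that the shared secret is the only thing hiding the password field. It assumes the one-time password travels in the User-Password attribute (PAP); the user name, OTP, secret, addresses and the NAS-Port-Type value 5 (Virtual) are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Attribute type codes from RFC 2865; header code 1 marks an Access-Request.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
NAS_IDENTIFIER, NAS_PORT_TYPE, ACCESS_REQUEST = 32, 61, 1

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        prev = result if hiding else block  # always chain on the hidden block
        out += result
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    size = max(16, -(-len(password) // 16) * 16)  # pad with NULs to 16-byte blocks
    return _xor_chain(password.ljust(size, b"\x00"), secret, authenticator, True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side step; with a different shared secret the result is garbage."""
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, authenticator, secret, user, otp, nas):
    """Assemble an Access-Request; `nas` maps attribute code to its configured value."""
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(otp.encode(), secret, authenticator))]
    for code, value in nas.items():
        if code == NAS_IP_ADDRESS:
            attrs.append((code, ipaddress.IPv4Address(value).packed))
        elif code in (NAS_PORT, NAS_PORT_TYPE):
            attrs.append((code, struct.pack("!I", int(value))))
        else:  # NAS-Identifier is a text string
            attrs.append((code, str(value).encode()))
    # Each attribute is type, length (value + 2), value; the header is 20 bytes.
    body = b"".join(bytes([c, len(v) + 2]) + v for c, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

# Constructed sample values. A real client must use a fresh random authenticator
# (os.urandom(16)) per request; it is fixed here only to keep the output repeatable.
SAMPLE_SECRET, SAMPLE_AUTH = b"example-shared-secret", bytes(range(16))
SAMPLE_NAS = {NAS_IP_ADDRESS: "192.0.2.10", NAS_PORT_TYPE: 5, NAS_IDENTIFIER: "pwm-selfservice"}
SAMPLE = build_access_request(7, SAMPLE_AUTH, SAMPLE_SECRET, "jdoe", "492817", SAMPLE_NAS)
```
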

Quest Enterprise Single Sign-On

Quest Enterprise Single Sign-On (QESSO) is a One Identity product that provides users with the ability to access all applications on their desktop using a single user ID and password. After users have logged in, they can access password-protected applications on their desktop without the need to enter any further account details.

The account details for password-protected applications are encrypted by using the user login password. When the user resets or changes this password, the encrypted data is lost. To prevent data loss, configure Password Manager to notify QESSO about password changes, so that QESSO re-encrypts the data using the new password.

For more information, see Quest Enterprise Single Sign-On (QESSO).

Redistributable Secret Management Service

Redistributable Secret Management Service (rSMS) can be used to manage user passwords across multiple connected systems. With the rSMS service, passwords can be synchronized quickly across connected systems. By default, the rSMS service is installed with the Password Manager software.

For more information on creating an rSMS account, see Working with Redistributable Secret Management account.

For more information on resetting passwords in connected systems through embedded systems, see Reset password in connected systems through embedded connectors.

Alternative options

The Redistributable Secret Management Service (rSMS) feature can be used as an alternative to One Identity Quick Connect Sync Engine.

NOTE: The target platform IP address or hostname should not be the same server where the One Identity rSMS service is installed.

Location sensitive authentication

The location sensitive authentication feature allows you to skip certain authentication methods for users trying to execute a workflow on the Self-Service site from a defined corporate network. Using this feature, you can also restrict the capability of searching for users on the Self-Service site from IP addresses that are not in the defined corporate IP address range. For more information on restricting the user search, see Configuring Account Search Options.

IMPORTANT: It is mandatory to have at least one authentication method for users accessing the application from the defined corporate network.

You can use the location sensitive authentication feature for any of the authentication activities listed here.

  • Q&A profile (random questions)

  • Q&A profile (specific questions)

  • Defender

  • Starling Two-Factor Authentication

  • RADIUS Two-Factor Authentication

  • Phone

Configuring corporate IP address range

You must specify a defined corporate IP address range that helps in determining whether users are trying to execute the workflow from an internal or an external network.

  1. On the home page of the Administration site, click General Settings | Corporate IP Address Ranges.

  2. On the Corporate IP Address Ranges page, click Add Corporate IP Address Range.

  3. Provide the Network Address and Subnet Mask.

  4. Click Save.

    The corporate IP address range is successfully added.

To edit the defined corporate IP address, click Edit. Click Remove to delete the defined corporate IP address.
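A pre-check for the Network Address and Subnet Mask pairs entered in step 3, as an added example that is not part of the Password Manager documentation or product: because clients inside a defined range skip authentication methods, it flags malformed pairs and ranges that are wider than intended. The /16 breadth threshold, the RFC 1918 check and the sample ranges are assumptions made here; how Password Manager itself validates these fields is not described on this page.

```python
import ipaddress

# RFC 1918 private blocks; a "corporate" range outside them deserves a second look.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 16  # assumed review threshold: anything wider than a /16 is flagged

def audit_range(network_address: str, subnet_mask: str):
    """Return (network or None, findings) for one Network Address / Subnet Mask pair."""
    try:
        # strict=True rejects host bits set in the address; bad masks raise as well.
        net = ipaddress.IPv4Network(f"{network_address}/{subnet_mask}", strict=True)
    except ValueError as exc:
        return None, [f"invalid: {exc}"]
    findings = []
    if net.prefixlen == 0:
        findings.append("matches every client, so no request is treated as external")
    elif net.prefixlen < MIN_PREFIX:
        findings.append(f"very broad range (/{net.prefixlen})")
    if not any(net.subnet_of(block) for block in RFC1918):
        findings.append("not confined to RFC 1918 private space")
    return net, findings

def is_corporate(client_ip: str, networks) -> bool:
    """True when the client address falls inside any defined corporate range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

# Constructed sample ranges (private and documentation addresses only).
SAMPLE_RANGES = [
    ("10.20.0.0", "255.255.0.0"),      # clean internal range
    ("10.20.1.5", "255.255.255.0"),    # host bits set in the network address
    ("0.0.0.0", "0.0.0.0"),            # covers every address
    ("203.0.113.0", "255.255.255.0"),  # public space (TEST-NET-3)
    ("10.0.0.0", "255.0.255.0"),       # non-contiguous mask
]

if __name__ == "__main__":
    accepted = []
    for address, mask in SAMPLE_RANGES:
        net, findings = audit_range(address, mask)
        print(address, mask, "->", net, findings or "ok")
        if net is not None and not findings:
            accepted.append(net)
    for ip in ("10.20.44.7", "198.51.100.23"):
        print(ip, "corporate" if is_corporate(ip, accepted) else "external")
```
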
