Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Defender Integration Guide

Apply one-time password authentication settings

The configuration of the one-time passwords are applied periodically according to a configurable Group Policy refresh interval (by default every 90 minutes).

Note: Your machine must already be joined to the domain to force a Group Policy refresh.

To force a Group Policy refresh

  1. Log in to the Linux or Unix machine.
  2. At a command prompt, execute the following command as root:
    /opt/quest/bin/vgptool apply

    The output from this command, when one-time passwords are successfully enabled, look similar to the following example:

    root@testmachine:~# vgptool apply
    
    Group Policy Apply - CallType: REFRESH
    
    
    Updating VGP From Policy
    ------------------------
    [vgp_vgpext.so]
    
    Accumulating Settings from GPOs
    -------------------------------
    GPO: Defender DEMO  CSE: vgp_defender.so
    GUID: 1EBC7D87-EFB7-4376-AA1E-3CE5850AC5E5  PTYPE: 786318DB-DE76-42F2-8A57-F1E0C3ACE113
    
    Applying Settings Changes
    -------------------------
    [vgp_licext.so]
    [vgp_vasext.so]
    [vgp_scecli.so]
    [vgp_sudoext.so]
    [vgp_dfc.so]
    [vgp_unixext.so]
    [vgp_sshcfg.so]
    [vgp_samba.so]
    [vgp_defender.so]
      Quest Defender Policy
        Adding Defender authentication module
        Current defender.conf (showing server information only)
          10.5.37.22:1645
        Current pam_radius_acl.conf
          *:testuser1
          *:testuser2
          *:testuser3
    [vgp_qpm4u.so]
    [vgp_admext.so]
  3. Login using the one-time password.

Manual configuration

You can configure one-time password information manually. Manual configuration requires a machine running Authentication Services that has pam_defender installed. The machine must also be joined to an Active Directory domain. If an access node cannot be found that applies to the machine, no configuration changes are made.

Configuring with VASTOOL

To configure one-time passwords with vastool

  1. Log in to the Linux or Unix machine.
  2. At a command prompt, execute the following command as root:

    /opt/quest/bin/vastool otp configure radius

    The output from this command when one-time passwords are successfully enabled look similar to the following example:

    root@testmachine:~vastool otp configure radius
    Configuring defender.conf
      Server: 10.5.37.22  Port: 1645
    Configuring PAM Radius Access Control List
      testuser1
      testuser2
      testuser3                
  3. To configure pam for a specific service, such as gdm, run the following command as root:

    /opt/quest/bin/vastool otp configure pam gdm

    Note: When successful this command produces no output.

  4. Log in using the one-time password.

Troubleshooting

You can configure the pam_defender module to log debug information to a file.

To configure pam_defender to log debug information

  1. Run the following command:

    /opt/quest/bin/vastool otp configure trace <path to log file>

    This creates the /tmp/pam_def.ini file that the defender pam module uses to determine whether it should log debug information and adds the necessary information to this file to configure full debug.

  2. Modify the pam configuration for your system, as follows:
    1. Find all lines that specify the pam_defender module.
    2. Add the "debug" option to the end of those lines.
Related Documents