Enabling/Disabling FIDO2 token
FIDO2 tokens are enabled by default if assigned to user for authentication. If User Does not want to use FIDO2 token, it can be disable/enable with the addition of registry entry mentioned below:
On a computer where Defender Security Server is installed, use Registry Editor to create the following value:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition
Value type: REG_DWORD
Value name: FIDO2ENABLED
Value data: 0 to disable and 1 to enable
See the following sections for instructions on enabling the use of the YubiKey token programmed in one of these modes:
Enabling the use of Microsoft Authenticator
You can allow users to authenticate via Defender by using one-time passwords generated with Microsoft Authenticator.
To enable Microsoft Authenticator for a user
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
- In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
- Below the Tokens list, click the Program button.
- In the Select Token Type step, click to select the Software token option. Click Next.
- In the Select Software Token step, click to select the Microsoft Authenticator option.
- Complete the wizard to enable Microsoft Authenticator for the user.
- For more information about the wizard steps and options, see Defender Token Programming Wizard reference.
Enabling use of OneLogin Authenticator
You can get an activation code either from your system administrator or through a dedicated self-service Web site if it exists in your organization. The self-service Web site is called the Defender Self-Service Portal and it allows you to download and install software tokens, obtain activation code for software tokens, and register hardware tokens.
To enable OneLogin Authenticator for a user
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
- In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
- Below the Tokens list, click the Program button.
- In the Select Token Type step, click to select the Software token option.
- Click Next.
- In the Select Software Token step, click to select the OneLogin Authenticator option.
- Complete the wizard to enable OneLogin Authenticator for the user.
- For more information about the wizard steps and options, see Defender Token Programming Wizard reference.
Securing VPN access
Remote access is the ability to get access to a computer or a network from a distant location. Employees in branch offices, telecommuters, and people who are traveling may need access to your company's network. Remote access is achieved using a dedicated line between a computer or a remote local area network and the central or main corporate local area network.
You can use Defender to authenticate your employees, business partners, and customers, whether they are local, remote, or mobile. Whether they require access through VPN to remote access applications, wireless access points, network operating systems, intranets, extranets, Web servers, or applications, Defender’s strong two-factor authentication ensures that only authorized users are granted access.
The Defender remote access environment includes the following components:
- Remote Access Server A remote access server is the computer and associated software that is set up to handle users seeking remote access to your company’s network. The remote access server usually includes or is associated with a firewall server to ensure security and a router that can forward the remote access request to another part of the corporate network. A remote access server may also be used as part of a virtual private network (VPN).
- Virtual Private Network (VPN) A VPN is an extension of a private network that encompasses links across shared or public networks like the Internet. VPN connections leverage the IP connectivity of the Internet using a combination of tunneling and encryption to securely connect two remote points, such as a remote worker and their office base.
- Network Access Server (NAS) The Network Access Server (NAS) acts as a gateway to guard access to a protected resource. This can be anything from a telephone network, to printers, to the Internet. The user connects to the NAS. The NAS then connects to another resource asking whether the user's supplied credentials are valid. Based on that answer the NAS then allows or disallows access to the protected resource. The NAS contains no information about which users can connect or which credentials are valid. The NAS simply sends the credentials supplied by the user to a resource which does know how to process the credentials.
- Defender EAP Agent Extensible Authentication Protocol (EAP) is a general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. Defender utilizes the EAP protocol to integrate its two-factor authentication into the existing user authentication process.
In this chapter:
