立即与支持人员聊天

获得即时帮助
完成注册

登录

请求定价

联系销售人员

Defender 6.4 - Administration Guide

Getting started

Features and benefits What you can do with Defender

Authenticating VPN users Authenticating Web site users Authenticating users of Windows-based computers

Deploying Defender

Step 0: Install required pre-requisites for Defender Step 1: Install required Defender components Step 2: Configure Defender Security Server Step 3: Create and configure objects in Active Directory

Defender Security Policy Defender Security Server Access Node

Step 4: Program and assign security tokens to users Defender Setup Wizard reference Defender Security Server Configuration tool reference

Communication ports Upgrading Defender

Upgrading Defender Security Server and Administration Console Upgrading Defender Management Portal Upgrading Management Shell

User interface for managing licenses Adding a license Removing a license

Managing Defender objects in Active Directory

Managing user objects

Managing tokens for a user

Tokens list buttons Authentication Details area elements

Resetting passphrase for a user Managing Defender Security Policy for a user Managing RADIUS payload for a user

Managing security token objects

Importing hardware token objects Assigning a hardware token object to a user Modifying token object properties

General tab Details tab Assigned Users

Import Wizard reference

Managing Defender Security Policies

Creating a Defender Security Policy object

New Object - Defender Policy Wizard reference

Defender Rollout Mode

Automatically Switching to Token Authentication Manually switching to token authentication

Modifying Defender Security Policy object properties

General tab Account tab Expiry tab Logon Hours tab SMS Token tab E-mail Token tab GrIDsure Token tab

Default Defender Security Policy

Managing Access Nodes

Creating an Access Node

New Object - Defender Access Node Wizard reference

Modifying Access Node properties

General tab Servers tab Members tab Policy tab RADIUS Payload tab

Managing Defender Security Servers

Creating a Defender Security Server object Modify Defender Security Server object properties

General tab Security Server tab Prompts tab Policy tab RADIUS Payload tab

Creating a RADIUS payload object

RADIUS payload attributes

Configuring security tokens

Configuring Defender Soft Token Configuring GrIDsure token Enabling the use of Authy Enabling the use of Google Authenticator Configuring SMS token Configuring e-mail token Configuring VIP credentials

Enabling the use of VIP credentials Programming a VIP credential for a user

Configuring YubiKey

Yubico OTP mode OATH-HOTP mode

Defender Token Programming Wizard reference FIDO2 compatible Hardware Yubikey Configuration settings to provide access to request FIDO2 token from Self-Service Enabling/Disabling FIDO2 token Enabling the use of Microsoft Authenticator Enabling use of OneLogin Authenticator

Securing VPN access

Configuring Defender for remote access Configuration example

Configuring your remote access device

Step 1: Create an AAA server group, add Defender Security Server Step 2: Configure an IPsec connection profile

Configuring Defender

Step 1: Configure an Access Node Step 2: Specify users or groups for the Access Node

Using Defender VPN Integrator

Installing Defender VPN Integrator Configuring Defender VPN Integrator

Defender EAP Agent

Deploying Defender EAP Agent

Step 1: Install Defender EAP Agent Step 2: Configure Network Policy Server Step 3: Configure VPN connection on the client computer

Authenticating via EAP Agent

Securing Web sites

Installing ISAPI Agent Configuring ISAPI Agent Accessing Protected Website

Securing Windows-based computers

Installing Defender Desktop Login by using a wizard Performing an unattended installation of Defender Desktop Login Configuring Defender Desktop Login by using a configuration tool Configuring Defender Desktop Login by using Group Policy Defender Desktop Login Configuration tool reference

Defender Management Portal (Web interface)

Installing the portal Configuring SQL Express Server as database for the portal [Optional] Opening the portal Specifying a service account for the portal Configuring the portal

Service Account tab Roles tab Log Receiver Service tab Reports tab

Portal roles Enabling automatic sign-in Configuring self-service for users

General tab Software Tokens tab Hardware Tokens tab E-mail Settings tab PIN Settings tab

Troubleshooting authentication issues

User Details tab Tokens tab Authentication Routes tab Authentications tab

Managing users Managing security tokens Viewing authentication statistics Viewing Defender Security Server warnings and logs Viewing token requests from users Using Defender reports

Generating a report

Audit trail Authentication requests Authentication activity Authentication violations Defender Security Server configuration License information Proxied users RADIUS payloads Tokens Active, inactive, and locked users User details

Report scheduling settings Viewing a generated report Deleting generated reports Viewing a list of scheduled reports Deleting scheduled reports

Managing portal database

Encrypting database Changing password for encrypted database Decrypting database DB Migration

Defender Security Server log cache Log Receiver Service database

Securing PAM-enabled services

Installing Defender PAM Configuring Defender PAM

Step 1: Enable authentication for target service Step 2: Specify Defender Security Servers Step 3: Configure access control for users and services Step 4: Configure Defender objects in Active Directory

Testing Defender PAM configuration Defender PAM logging Auth arguments

Delegating Defender roles, tasks, and functions

Steps to delegate roles, tasks, and functions Roles Service accounts Advanced control Full control Using control access rights

Automating administrative tasks

Installing Defender Management Shell Uninstalling Defender Management Shell Opening Defender Management Shell Getting help Cmdlets provided by Defender Management Shell

Administrative templates

Installing administrative templates Configuring administrative templates Temporary Responses setting Active Roles Web Interface - Token Programming setting Mail Configuration setting ADSI Configuration setting Updating Administrative templates from .adm to .admx

Domain Controller Client computer

Integration with Active Roles

Installing Defender Integration Pack for Active Roles Commands added to the Active Roles Web Interface

Defender Properties Set Defender Password Program Defender Token

Enabling additional features via Group Policy Enabling automatic deletion of tokens Delegating Defender roles or tasks Upgrading Defender Integration Pack for Active Roles Uninstalling Defender Integration Pack for Active Roles

Push Notifications Appendices

Appendix A: Enabling diagnostic logging

Administration Console Defender Core Token Operations SDK (DTSDK) Defender Security Server Desktop Login EAP Agent Integration Pack for Active Roles Management Portal Management Portal (reports) Management Shell Service Connection Point Soft Token for Windows Token Import Token Programming VPN Integrator Web Service API Product information tool

Appendix B: Troubleshooting common authentication issues

Step 1: Gather required information Step 2: Analyze Defender Security Server log Step 3: Gather further diagnostics

Appendix C: Troubleshooting DIGIPASS token issues

Step 1: Determine type of failure Step 2: Verify Defender configuration Step 3: Gather further diagnostics

Appendix D: Defender classes and attributes in Active Directory

Classes defined by Defender

defender-tokenClass defender-danClass defender-dssClass defender-policyClass defender-licenseClass defender-radiusPayloadClass defender-tokenLicenseClass

Classes extended by Defender

Attributes defined by Defender

defender-tokenType defender-tokenData defender-userTokenData defender-tokenUsersDNs defender-tokenDate defender-dssDNs defender-dssMembers defender-danKey defender-id defender-violationCount defender-resetCount defender-lastLogon defender-objectActive defender-prompts defender-authMethods defender-lockoutThreshold defender-lockoutDuration defender-lockoutTime defender-policy defender-policyMembers defender-danType defender-userIdType defender-subnetMask defender-accessCategories defender-danMembers defender-danDNs defender-dssVersion defender-radiusPayloadDn defender-radiusPayloadMembers defender-radiusPayloadData defender-radiusPayloadGroups defender-radiusPayloadGroupsDN defender-radiusPayloadInherit defender-policyAutoUnlock defender-policyMobileUsers defender-policyMaximumPasswordAge defender-policyMaximumPINAge defender-policyPasswordChangeFlags defender-policyPasswordFilter defender-policyGINAOptions defender-policyLoginTimes defender-notificationId

Appendix E: Defender Event Log messages

Defender VPN Integrator messages Defender Report Scheduler messages Defender Administration Console messages

Appendix F: Defender Client SDK

Installing Defender Client SDK Application Programming Interfaces (APIs)

IAuthenticator, IAuthenticator2, and IAuthenticator3 interfaces

Authenticate method challengeMessage property sessionID property timeout property

IAuthenticator2 and IAuthenticator3 interfaces

challengeMessageId property challengeMessageData property

IAuthenticator3 interface

AddPayload method GetGridData method GetAuthenticationImage method SetGridResetPIPAttribute method payload property grIDsureMessage property grIDsureGridType property

IAuthInfo interface

userIdType property isUserDefenderAuthenticated property

Defender Security Server messages

Appendix G: Defender Web Service API

AddSoftwareTokenToUser method AddTokenToUser method GetTokensForUser method RemoveAllTokensFromUser method RemoveDefenderPassword method RemovePinFromUserToken method RemoveTemporaryResponse method RemoveTokenFromUser method ResetDefenderToken method ResetDefenderViolationCount method SetDefenderPassword method SetPinOnUserToken method SetTemporaryResponse method TestDefenderToken method

AssignedSoftwareToken type AssignedToken type ProgrammableSoftwareTokenType type TokenList type UserTokenDetail type DefenderResult type UserViolationCount type TemporaryResponse type

Managing tokens for a user

To manage tokens for a user

On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
In the left pane (console tree), expand the appropriate domain node to select the container that holds the user for whom you want manage tokens (typically, this is the Users container).
In the right pane, double-click the user.
In the dialog box that opens, click the Defender tab.
Use the following areas to make changes or view information as necessary:
- Tokens This list allows you to manage tokens for the user. This list shows the tokens that are currently assigned to the user. For each token in the list, you can view the token type, serial number, and whether PIN is enabled. For more information, see Tokens list buttons.
- Authentication Details Allows you to specify a Defender ID for the user. Also you can view violation count, reset count, and last logon date and time for the user. Optionally, you can reset the violation count. For more information, see Authentication Details area elements.
When you are finished, click OK to close the dialog box.

Tokens list buttons

Table 6:
Tokens list buttons
Button	Description
Program	Click to program a token for the user.
Recover	Click to recover the token selected in the list or reset the token’s passphrase. You may need to reset a token when it has reached its preset use limit or been invalidated because the user exceeded the preset number of bad PIN attempts.
Test	Allows you to verify that the token is programmed correctly and valid for the user. After you click this button, use the Response text box to type the one-time password displayed on the token. If a PIN is enabled for the token, you can also test the PIN by entering it in the PIN (Optional) text box. Click Verify to run the test on the token. If you use the Test button to test a token response, that token response cannot then be used for user authentication.
Helpdesk	Allows you to resynchronize the token selected in the list with the Defender Security Server or assign a temporary password to the token user. After you click the Helpdesk button, a dialog box opens. This dialog box provides the following options: Reset Click this button to resynchronize the token with the Defender Security Server. The token generates a one-time password that is based on an internal time clock and DES keys. For successful authentication, the Defender Security Server must agree with the token's time clock and DES keys. The token's time clock can become out-of-sync with the Defender Security Server. If this value is out-of-sync, the user cannot use the token for authentication. If access is denied to the user, the token clock must be synchronized with the Defender Security Server clock. After resetting the token, instruct the user to use the token to generate a one-time password and use it for Defender authentication. Expires Allows you to select a validity period for the temporary password. Allow response to be used multiple times Select this check box to allow the temporary password to be used more than once for authentication. If you leave this check box cleared, the temporary password can only be used once. Assign Assigns the generated temporary password to the user. Clear Removes the temporary password from the user. Response Shows the generated temporary password.
Unassign	Removes the token selected in the list from the user. You can also use this option to delete the corresponding token object from Active Directory. To remove the token from the user and keep the token object in Active Directory, in the confirmation message that appears after you click this button, click No. In this case, the token object does not get deleted from Active Directory and can be reassigned. To remove the token from the user and delete the token object from Active Directory, in the confirmation message, click Yes.
Add	Allows you to search for and assign a token to the user. After you click this button, a new dialog box opens. In that dialog box, you can use the following elements: Token Serial Number Type the serial number of the token you want to assign to the user. If you do not know the serial number, leave this text box blank. Show unassigned tokens only Select this check box to search for the tokens that are not assigned to users. If you leave this check box cleared, the search results will include both assigned and not assigned tokens. Token Type Select the token type you want to search for. Click OK to start your search. When the search completes, in the Select Defender Tokens dialog box, double-click the token you want to assign, and then click OK to assign the token to the user. The assigned token appears on the Defender tab in the Tokens list.
Set PIN	Allows you to set a new PIN for the token selected in the list. After you click the Set PIN button, a dialog box opens. This dialog box provides the following options: Enable PINs Enables PIN for the selected token. New PIN Type the new PIN you want to assign to the selected token. Confirm PIN Confirm the new PIN you want to assign. Expire Select this check box if you want the PIN to expire. When you require users to enter a PIN set for a selected token, users should enter the PIN followed by the token response to access a resource protected by Defender. For example, if the PIN is 1234 and the response is 5678, users should enter 12345678 when prompted for authentication. When users need to reset the PIN, they should enter the old and new PINs in the following format: <old PIN><new PIN><new PIN>. For example, if the old PIN is 1234 and the new PIN is 5678, users should enter the following: 123456785678.
Password	Allows you to specify the Defender password that the user must enter during the authentication process. The password is only required if Defender password is selected as the primary or secondary authentication method in the Defender Security Policy that applies to the user. After you click the Password button, a new dialog box opens. In the dialog box, use the Password and Confirm text boxes to type the new Defender password you want to assign. If you want the password to expire, select the Expire check box.

Authentication Details area elements

Table 7:
Authentication Details area elements
Element	Description
Defender ID	Use this text box to type the Defender ID you want the Defender Security Server to use to identify the user. You only need to specify a Defender ID for a user if the Access Node of which the user is a member has been configured to identify users by Defender ID.
Violation Count	Displays the number of violations accumulated by this user. The violation count is incremented each time the user exceeds the specified number of failed logon attempts.
Reset Count	Displays the number of times the user account has been reset following an account lockout.
Last Logon	Displays the time and date of the last successful logon.
Reset	Resets the violation count to zero and increments the reset count.

Resetting passphrase for a user

You can reset the passphrase for a user. For example, you can do so if the user has forgotten the passphrase and the passprhase has been locked. In order you could reset the passphrase, the user must provide to you the challenge code generated by the token.

To reset the passphrase for a user

On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
In the left pane (console tree), expand the appropriate domain node to select the container that contains the user.
In the right pane, double-click the user object.
In the dialog box that opens, click the Defender tab.
In the Tokens area, select the token, and then click the Recover button.
In the dialog box that opens, use the Challenge text box to type the challenge code provided to you by the user, and then click the Get Response button.
Copy the passphrase unlock code displayed in the Response box and provide the code to the user.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback 使用条款隐私 Cookie Preference Center