
Defender 6.5.1 - Administration Guide


Step 3: Configure access control for users and services

The Defender PAM uses a PAM RADIUS Access Control List file (/etc/pam_radius_acl.conf) to determine which service/user combinations it authenticates.

The Access Control file contains a list of <servicename>:<username> pairs, one per line, each indicating a service/user combination that requires Defender authentication. Either <servicename> or <username> (or both) may be replaced by an asterisk (*) or left blank to act as a wildcard matching all services or all users.

If /etc/pam_radius_acl.conf does not exist, all users must authenticate via Defender for every Defender PAM-enabled service. Note the asymmetry with an empty file (see Table 29): a missing file fails closed, whereas a file that exists but contains no entries disables Defender authentication for everyone.

Table 29: pam_radius_acl.conf syntax examples

To configure this: All users must authenticate via Defender for all Defender PAM-enabled services.
Do this: Use a single entry with wildcards for both <servicename> and <username>.
Example 1:  *:*
Example 2:  :

To configure this: All users must authenticate via Defender for a specific service.
Do this: Use a wildcard for the <username>.
Example 1:  sshd:*
Example 2:  telnet:

To configure this: Specific users must authenticate via Defender for all services.
Do this: List the individual users, with a wildcard for the <servicename>.
Example 1:  :john
Example 2:  *:sally

To configure this: Specific users must authenticate via Defender for specific services.
Do this: List the individual users and services without using wildcards.
Example:
  sshd:jane
  sshd:david
  su:adam

To configure this: No users require authentication via Defender.
Do this: Ensure that the /etc/pam_radius_acl.conf file exists, but remove all entries from it.

The following is an example pam_radius_acl.conf file:

  upm:*
  telnet:
  :john
  *:sally
  login:david

In this example, all users accessing the service upm or telnet must authenticate via Defender. Users john and sally must authenticate via Defender for every service. User david must authenticate via Defender for the login service only. Any servicename:username combination not listed in the file does not require users to authenticate via Defender.

For each service named in pam_radius_acl.conf, ensure that a valid system PAM configuration exists for that service, as described in Step 1: Enable authentication for target service. An entry for a service that has no PAM configuration has no effect.
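The decision rules above (missing file, empty file, blank or * wildcards, exact pairs) and the per-service PAM configuration check in the previous paragraph, modelled as an added POSIX shell example. This is not part of the Defender guide or the Defender PAM, and it does not replace /opt/quest/libexec/defender/check_pam_defender, which also contacts the Defender Security Servers. Because the page does not say, it assumes that blank lines and lines without a colon carry no entry, and that the first colon splits <servicename> from <username>. The sample ACL file and pam.d directory are constructed in a temporary directory, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not part of the Defender guide or product.
# Models the /etc/pam_radius_acl.conf decision and checks that each named
# service has a PAM configuration file. Assumptions (not stated on the page):
#   - blank lines and lines without ':' carry no entry and are skipped;
#   - the first ':' separates <servicename> from <username>.

# defender_acl_check <acl_file> <service> <user>
# Exit 0 if the pair requires Defender authentication, 1 otherwise.
defender_acl_check() {
    acl=$1 svc=$2 usr=$3
    # No ACL file at all: every user on every service must authenticate via Defender.
    [ -e "$acl" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue                 # assumption: blank line, no entry
        case $line in *:*) ;; *) continue ;; esac  # assumption: no ':' means no entry
        s=${line%%:*}
        u=${line#*:}
        # An empty field or '*' is a wildcard on that side; otherwise exact match.
        case $s in ''|'*'|"$svc") ;; *) continue ;; esac
        case $u in ''|'*'|"$usr") ;; *) continue ;; esac
        return 0
    done < "$acl"
    # File present but nothing matched (including an empty file): no Defender auth.
    return 1
}

# defender_acl_services <acl_file>
# Print each distinct non-wildcard service named in the file, one per line, sorted.
defender_acl_services() {
    [ -e "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *:*) ;; *) continue ;; esac
        s=${line%%:*}
        case $s in ''|'*') continue ;; esac
        printf '%s\n' "$s"
    done < "$1" | sort -u
}

# defender_acl_missing_pam <acl_file> <pam_dir>
# Report services named in the ACL that have no <pam_dir>/<service> file.
# Exit 1 if any are missing. Only existence is checked; whether the file
# actually stacks the Defender PAM still has to be verified by hand.
defender_acl_missing_pam() {
    missing=0
    for s in $(defender_acl_services "$1"); do
        if [ ! -f "$2/$s" ]; then
            printf 'no PAM configuration for service %s in %s\n' "$s" "$2"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample mirroring the guide's example file, written to a temp copy.
demo_dir=$(mktemp -d)
demo_acl="$demo_dir/pam_radius_acl.conf"
printf 'upm:*\ntelnet:\n:john\n*:sally\nlogin:david\n' > "$demo_acl"
mkdir -p "$demo_dir/pam.d"
: > "$demo_dir/pam.d/upm"
: > "$demo_dir/pam.d/login"      # telnet deliberately left without a PAM file

for pair in upm:alice telnet:bob sshd:john su:sally login:david sshd:david; do
    if defender_acl_check "$demo_acl" "${pair%%:*}" "${pair#*:}"; then
        printf '%-14s Defender authentication required\n' "$pair"
    else
        printf '%-14s not required\n' "$pair"
    fi
done
defender_acl_missing_pam "$demo_acl" "$demo_dir/pam.d" || true
rm -rf "$demo_dir"
```

Run as a script to see the six sample pairs evaluated (only sshd:david is not covered) and a warning that telnet has no PAM configuration file. To check a real host, point defender_acl_check at /etc/pam_radius_acl.conf and defender_acl_missing_pam at /etc/pam.d, then confirm the result against check_pam_defender, which exercises the actual PAM stack and RADIUS path.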

Step 4: Configure Defender objects in Active Directory

You may need to add or modify Defender objects in Active Directory so that your UNIX/Linux system can use Defender authentication. You should ensure that an Access Node is defined for your UNIX/Linux system in the Defender configuration and that the Access Node is assigned to the Defender Security Servers listed in the /etc/defender.conf file.

Also, ensure that your UNIX users are defined in Active Directory, have tokens assigned to them, and are included under the Members tab of the Access Node object corresponding to your UNIX system.

Testing Defender PAM configuration

You can test the Defender PAM configuration with a test tool that is installed together with the Defender PAM, at /opt/quest/libexec/defender/check_pam_defender.

The test tool takes two arguments: the user name to test and the name of the service for which you want to test Defender authentication. The tool first attempts to reach the Defender Security Servers configured in your environment; if one or more servers are accessible, it attempts to authenticate the specified user via Defender through the Defender PAM, and then reports the result.

Defender PAM logging

The Defender PAM logs the RADIUS server responses for all failed authentication attempts to the system logger at the Info level, using the auth or authpriv syslog facility depending on the platform.

You can enable trace level logging for troubleshooting purposes.

To enable trace level logging

  1. Make sure the /tmp/pam_def.ini file exists on your system. The file must specify the path of a log file and a trace level.

    Example:

    filename=/tmp/pam_defender_trace.log
    level=0xffffffff

  2. Append the debug argument to the auth entries for the Defender PAM in the system PAM configuration.