
Defender 6.5.1 - Administration Guide


Auth arguments

The following table lists the arguments you can append to the auth entries for the Defender PAM in the system PAM configuration.

Table 30: Auth arguments

debug
    Enables trace level logging for the Defender PAM entries in the system PAM configuration to which this argument is added. For instructions on how to enable trace level logging, see Defender PAM logging.

skip_password
    Causes the Defender PAM to display the “Enter Synchronous Response:” prompt to the user, instead of the “Passcode:” prompt.

use_first_pass
    Causes the Defender PAM to use the PAM_AUTHTOK item as the user’s passcode. In this case, the user is not prompted to enter a passcode.
    If the PAM_AUTHTOK item is not set, authentication fails.

try_first_pass
    Causes the Defender PAM to use the PAM_AUTHTOK item in the PAM stack as the user’s passcode.
    If the PAM_AUTHTOK item is not set, the Defender PAM prompts the user for a passcode.

conf=<path to Defender configuration file>
    Allows you to specify an alternate location for the defender.conf file. The default location is /etc/defender.conf.

client_id=<client ID>
    Allows you to specify the client ID for accounting requests, which are validated during the pam_session call. When no client ID is specified, the PAM service name is used as the client ID.
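The following is an added example, not code from the Defender product or this guide: a small Python checker that reads a PAM service file, finds the Defender auth entry, validates its arguments against the table above, and models where the passcode comes from for each combination of arguments and PAM_AUTHTOK state. The module file name pam_defender.so and the sample /etc/pam.d/sshd contents are assumptions constructed for the example; when both use_first_pass and try_first_pass appear, the model lets use_first_pass decide, which is also an assumption since the guide does not state a precedence.

```python
"""Lint the Defender PAM auth entry in a PAM service file and model its passcode behaviour.

Added example; not One Identity's code. The module file name pam_defender.so and the
sample /etc/pam.d/sshd content below are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Arguments documented in Table 30: bare flags and key=value arguments.
FLAG_ARGS = {"debug", "skip_password", "use_first_pass", "try_first_pass"}
KEYED_ARGS = {"conf", "client_id"}
DEFAULT_CONF = "/etc/defender.conf"   # default location of defender.conf
MODULE_NAME = "pam_defender.so"       # assumed module file name; check your own PAM directory

# Constructed sample service file (not a file shipped with Defender).
SAMPLE_PAM_SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth     required   pam_unix.so
auth     required   pam_defender.so try_first_pass client_id=sshd-2fa
account  required   pam_unix.so
"""


@dataclass
class DefenderAuthEntry:
    control: str                      # PAM control flag, e.g. "required"
    flags: set                        # bare arguments present on the line
    conf: str                         # effective defender.conf path
    client_id: Optional[str]          # None means the PAM service name is used
    problems: List[str] = field(default_factory=list)


def parse_auth_line(line: str) -> Optional[DefenderAuthEntry]:
    """Return the parsed Defender auth entry, or None if the line is something else.

    Only the simple "auth <control> <module> [args]" form is handled; the bracketed
    "[success=ok ...]" control syntax is left out to keep the example short.
    """
    body = line.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
    fields = body.split()
    if len(fields) < 3 or fields[0] != "auth" or not fields[2].endswith(MODULE_NAME):
        return None
    entry = DefenderAuthEntry(fields[1], set(), DEFAULT_CONF, None)
    for arg in fields[3:]:
        key, sep, value = arg.partition("=")
        if sep:                                    # key=value argument
            if key not in KEYED_ARGS:
                entry.problems.append(f"unknown argument {arg!r}")
            elif not value:
                entry.problems.append(f"{key}= is missing its value")
            elif key == "conf":
                entry.conf = value
            else:
                entry.client_id = value
        elif arg in FLAG_ARGS:
            entry.flags.add(arg)
        else:
            entry.problems.append(f"unknown argument {arg!r}")
    return entry


def lint_service_file(text: str) -> List[DefenderAuthEntry]:
    """Collect every Defender auth entry found in a PAM service file."""
    entries = [parse_auth_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def passcode_source(entry: DefenderAuthEntry, authtok_set: bool) -> str:
    """Where the passcode comes from for this entry, following Table 30.

    Returns "PAM_AUTHTOK" when the stacked item is reused, "FAIL" when use_first_pass
    finds no PAM_AUTHTOK, and otherwise the prompt the user would see. When both
    use_first_pass and try_first_pass are given, this model lets use_first_pass decide
    (an assumption; the guide does not state which takes precedence).
    """
    if "use_first_pass" in entry.flags:
        return "PAM_AUTHTOK" if authtok_set else "FAIL"
    if "try_first_pass" in entry.flags and authtok_set:
        return "PAM_AUTHTOK"
    return "Enter Synchronous Response:" if "skip_password" in entry.flags else "Passcode:"


if __name__ == "__main__":
    for e in lint_service_file(SAMPLE_PAM_SSHD):
        print(f"control={e.control} flags={sorted(e.flags)} conf={e.conf} client_id={e.client_id}")
        for p in e.problems:
            print("  problem:", p)
        for tok in (True, False):
            print(f"  PAM_AUTHTOK set={tok}: {passcode_source(e, tok)}")
```

Running the checker over a service file before restarting the service catches a misspelled argument or an empty conf= value, which would otherwise only show up as a failed login; the passcode_source table is handy for confirming that a use_first_pass entry really is preceded by a module that sets PAM_AUTHTOK, since without one every authentication fails.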

Delegating Defender roles, tasks, and functions

Defender provides a scalable approach to the administration of access rights, enabling you to delegate specific Defender roles, tasks, and functions to the users or groups you want.

The Defender Administration Console provides a wizard you can use to search for and select one or multiple user accounts, and then choose which Defender roles or tasks you want these accounts to perform.

Besides delegating roles or tasks, you can delegate specific Defender functions, for example, appoint selected user accounts as service accounts for the Defender Security Servers or Defender Management Portal, or grant full control over particular Defender objects, such as Access Nodes, Defender Security Servers, licenses, RADIUS payloads, or security tokens.

Steps to delegate roles, tasks, and functions

You can delegate Defender roles, tasks, or functions to specific users or groups by using the Defender Delegated Administration Wizard.

To delegate Defender roles, tasks, or functions

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate domain node, and click to select the Defender container.
  3. On the menu bar, select Defender | Delegate Control, and step through the wizard.
  4. In the Users and Groups step, add the user accounts or groups to which you want to delegate Defender roles, tasks, or functions. Click Next.
  5. In the Tasks to Delegate step, select the check boxes next to the Defender roles, tasks, or functions you want to delegate. Click Next.
  6. Follow the remaining steps in the wizard to complete delegating the roles, tasks, or functions.

    The wizard does not modify any standard Active Directory permissions. Rather, it modifies permissions on the Defender attributes in the Active Directory schema.

Roles

You can delegate the below-listed Defender roles to the users or groups you want. If necessary, you can delegate two or more roles to the same user.

Table 31: Defender roles

Administrator
    Members of this role can modify any Defender object and have complete control over the Defender configuration. This includes modification of all user-based Defender items.

    Members of this role can:

      • Assign and unassign tokens.
      • Set a Defender password.
      • Set a Defender PIN.
      • Modify access nodes, Defender Security Servers, Defender policies, tokens, and RADIUS payloads.
      • Manage Defender licenses.

Basic Helpdesk
    Members of this role can:

      • Reset tokens.
      • Test a token via the Defender Administration Console.
      • Reset a locked token by resetting the violation count for the user to whom the token is assigned.

Provisioning
    Members of this role can:

      • Assign a Defender token.
      • Program a Defender token.
      • Remove a Defender token from a user’s account.
      • Reset a Defender PIN.

Enhanced Helpdesk
    Members of this role can:

      • Assign a Defender token.
      • Program a Defender token.
      • Remove a Defender token.
      • Reset a Defender token.
      • Recover a Defender token.
      • Test a Defender token.
      • Reset a locked Defender token.
      • Set a Defender PIN.
      • Set a Defender password.
      • Assign a temporary token response.

Auditor
    Members of this role have read-only access to:

      • All Defender objects of Users and Groups.
      • All Defender attributes of Users and Groups.