立即与支持人员聊天
与支持团队交流

Defender 6.6 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

RADIUS payload attributes

The next table lists the attributes you can assign to a RADIUS payload. The RADIUS payload will return these attributes after user’s access to the resource has been approved. For instructions on how to create a RADIUS payload, see Creating a RADIUS payload object.

 

Table 11:

Attributes you can assign to a RADIUS payload

Attribute

Description

06: Service-Type

Specifies the type of service the user has requested or the type of service to be provided.

This attribute can take one of the following values:

  • 1 - Login
  • 2 - Framed
  • 3 - Callback Login
  • 4 - Callback Framed
  • 5 - Outbound
  • 6 - Administrative
  • 7 - NAS Prompt
  • 8 - Authenticate only
  • 9 - Callback NAS Prompt
  • 10 - Call Check
  • 11 - Callback Administrative
  • 12 - Voice
  • 13 - Fax
  • 14 - Modem Replay
  • 15 - IAPP-Register
  • 16 - IAPP-AP-Check
  • 17 - Authorize Only

07: Framed-Protocol

Specifies the framing to be used for framed access. This attribute can take one of the following values:

  • 1 - PPP
  • 2 - SLIP
  • 3 - Apple Talk Remote Access Protocol (ARAP)
  • 4 - Gandalf proprietary SingleLink/MultiLink protocol
  • 5 - Xylogics proprietary IPX/SLIP
  • 6 - X.75 Synchronous
  • 7 - GPRS PDP Context

08: Framed-IP-Address

Specifies the address to be configured for the user. This attribute can take one of the following values:

  • 0xFFFFFFFF - NAS should allow the user to select an address
  • 0xFFFFFFFE - NAS should select an address for the user
  • Specific IP address value

09: Framed-IP-Netmask

Specifies the IP netmask to be configured for the user when the user is a router to a network.

10: Framed-Routing

Specifies the routing method for the user when the user is a router to a network. This attribute can take one of the following values:

  • 0 - None
  • 1 - Send routing packets
  • 2 - Listen for routing packets
  • 3 - Send and Listen

11: Filter-Id

Specifies the name of the filter list for particular user. The value of this attribute can include individual groups or all groups of which the user is a member. The default value is all groups. When the user has been successfully authenticated by the Defender Security Server, groups that include the authenticated user’s ID are returned to the NAS.

12: Framed-MTU

Specifies the maximum transmission unit (MTU) to be configured for the user when it is not negotiated by some other means such as PPP.

13: Framed-Compression

Specifies a compression protocol to be used for the link. This attribute can take one of the following values:

  • 0 - None
  • 1 - VJ TCP/IP header compression
  • 2 - IPX header compression
  • 3 - Stac-LZS compression

14: Login-IP-Host

Specifies the system with which to connect the user, when the Login-Service attribute is included. This attribute can take one of the following values:

  • 0xFFFFFFFF - NAS should allow the user to select an address
  • 0 - NAS should select a host to connect the user to
  • Specific address value

25: Class

Available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported.

The value of this attribute can include individual groups or all groups of which the user is a member. When the user has been successfully authenticated by the Defender Security Server, groups that include the authenticated user’s ID are returned to the NAS that initiated the authentication request.

26: Vendor Specific

Specifies a method for communicating vendor-specific information between Network Access Servers and RADIUS servers. This attribute encapsulates vendor-specific attributes, allowing vendors to support their own extended attributes otherwise not suitable for general use.

Custom

Allows you to specify a custom attribute by attribute ID.

 

Configuring security tokens

For users to authenticate and access resources protected with Defender, you need to configure and assign security tokens supported by Defender to them. Defender can work with a number of security tokens, which include native Defender tokens and third-party tokens.

The native Defender tokens include the following:

  • Defender Soft Token Can be installed and used in various environments and operating systems, such as Android, Java Runtime Environment, iOS, and Windows.
  • E-mail token  Allows users to authenticate by using one-time passwords sent to their e-mail address.
  • GrIDsure token  Allows users to authenticate by using a GrIDsure Personal Identification Pattern (PIP).
  • SMS token  Allows users to authenticate by using one-time passwords sent to their SMS-capable device.

Third-party security tokens supported by Defender include Authy, DIGIPASS GO, Google Authenticator, Symantec VIP credentials, and YubiKey.

Configuring Defender Soft Token

This section provides instructions on how to configure and assign to users the following security tokens:

  • Defender Soft Token for Android
  • Defender Soft Token for iOS
  • Defender Soft Token for Java
  • Defender Soft Token for Windows

To configure and assign Defender Soft Token to a user

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
  3. In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
  4. Below the Tokens list, click the Program button.
  5. In the Select Token Type step, click to select the Software token option. Click Next.
  6. In the Select Software Token step, click to select the Defender Soft Token you want to configure and assign.
  7. Complete the wizard to configure and assign the Defender Soft Token.

For more information about the wizard steps and options, see Defender Token Programming Wizard reference.

Configuring GrIDsure token

Before configuring and assigning the GrIDsure token, you need to enable the use of GrIDsure for authentication in the Defender Security Policy properties. Then, you need to assign that policy to the users you want to authenticate with the GrIDsure token. For more information, see Managing Defender Security Policies.

To configure the GrIDsure token for a user

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate nodes to select the container where the user object is located.
  3. In the right pane, double-click the user object, and then click the Defender tab in the dialog box that opens.
  4. Below the Tokens list, click the Program button.
  5. In the Select Token Type step, click to select the Software token option. Click Next.
  6. In the Select Software Token step, click to select the GrIDsure token option.
  7. Complete the wizard to configure and assign the GrIDsure token.

    For more information about the wizard steps and options, see Defender Token Programming Wizard reference.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级