Defender 5.7 Configuration Guide

© 2012 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com email: [email protected] Refer to our Web site for regional and international office information.

TRADEMARKS Quest, Quest Software, the Quest Software logo, and Defender are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Quest Defender Configuration Guide Updated: April 2012 Software Version - 5.7

About this Guide
  Quest One Identity Solution
  Introduction
  Audience and Scope
  Conventions
  About Quest Software
  Contacting Quest Software
  Contacting Customer Support

Chapter 1 Component Overview
  Introduction
  Defender Management Console
  Defender Access Node Overview
  Defender Security Server Overview
  Defender Security Policy Overview
  RADIUS Payload
  Aggregating RADIUS Payloads
  Defender Tokens
  Stopping and Restarting the Defender Service
  Defender Security Server Service Account Credentials
  About Defender

Chapter 2 Access Node Configuration
  Introduction
  Creating a New Access Node
  Defender Access Node Properties
  Changing Defender Access Node Configuration
  Adding Users or User Groups
  Assigning a Defender Security Policy to an Access Node
  Changing the RADIUS Payload

Chapter 3 Security Policy Configuration
  Introduction
  Creating a New Defender Security Policy
  Changing Policy Properties
  Account Settings
  Expiry Settings
  Logon Hours Settings
  Mobile Provider Settings
  E-mail OTP Settings
  Access Category Settings
  GrIDsure Tokens

Chapter 4 Defender RADIUS Payload Configuration
  Introduction
  Creating a New RADIUS Payload

Chapter 5 Security Server Configuration
  Introduction
  Creating a New Defender Security Server
  Changing Defender Security Server
  Prompts
  Assigning a Defender Policy
  Policy
  RADIUS Payload

Chapter 6 Token Configuration
  Introduction
  Importing Defender Token Serial Numbers
  Token Properties
  Token Details
  User Properties
  Assigning a Token to a User
  Assigning a Defender Security Policy to a User
  Temporary Responses
  ActiveRoles Server Web Interface Token Programming
  Mail Configuration
  Sending an Activation Code by Email

About this Guide
• Quest One Identity Solution
• Introduction
• Audience and Scope
• Conventions
• About Quest Software
• Contacting Quest Software

Defender Configuration Guide

Quest One Identity Solution

Defender is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:
• Reducing the number of identities
• Automating identity administration
• Ensuring the security of identities
• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:
• Single sign-on
• Directory consolidation
• Provisioning
• Password management
• Strong authentication
• Privileged account management
• Audit and compliance.


Introduction This guide takes you step-by-step through the Defender configuration options.

Audience and Scope This book is intended for administrators who want to configure and administer Defender, assign and distribute Defender tokens, and manage Defender agents and the Defender Security Server. This book does not provide tutorial information on the use of the Windows operating system or on network communication concepts. Users must have experience in using the specified operating system and an understanding of networking concepts.


Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

ELEMENT: CONVENTION

Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text: Used to highlight installation questions and responses.

courier text: File, daemon, utility, option, attribute names.

Italic text: Used for comments.

Bold Italic text: Used for emphasis.

Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.

(icon): Used to highlight additional information pertinent to the process being described.

(icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

(icon): Used to highlight processes that should be performed with care.

+: A plus sign between two keystrokes means that you must press them at the same time.

|: A pipe symbol (vertical bar) between elements means that you must select the elements in that particular sequence.

\: The back slash, immediately followed by a new line, indicates a Unix command line continuation.

Angle brackets: References to the product version you are installing are displayed in angle brackets.


About Quest Software Quest Software, Inc., a two-time winner of Microsoft's Global Independent Software Vendor Partner of the Year award, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 100,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows management solutions simplify, automate, secure and extend Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows Server, as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
Email: [email protected]
Mail: Quest Software World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink: www.quest.com/support
Email: [email protected]

You can use SupportLink to do the following:
• Create, update, or view support requests
• Search the knowledge base
• Access FAQs
• Download patches

Component Overview
• Introduction
• Defender Management Console
• Defender Access Node Overview
• Defender Security Server Overview
• Defender Security Policy Overview
• RADIUS Payload
• Defender Tokens
• Stopping and Restarting the Defender Service

Introduction

This chapter describes:
• the Defender Management Console
• the role of each Defender component
• starting and stopping the Defender service.

Defender Management Console After installation, an OU for Defender is included in the Active Directory Users and Computers tree. A Defender menu is also included on the menu bar.

Figure 1: Directory Users and Computers tree

Use the Defender Management Console to:
• configure an Access Node
• configure Defender Security Servers
• specify the payload for a RADIUS server
• configure Defender Security Policies
• assign a Defender Security Policy to:
  • a user or group of users
  • an Access Node
  • a Defender Security Server.
• assign users or groups of users to an Access Node
• import Tokens
• program Tokens
• assign Tokens to users
• configure the RADIUS Payload
• assign RADIUS Payload to an Access Node, Security Server, User Group and/or User

Defender Access Node Overview

The Defender Management Console enables you to configure Defender Access Nodes. The access node is the point in your network where you need to challenge the user to verify their identity. The access node can be a:
• Radius Agent
• Radius Proxy
• Defender Agent
• NetScreen Agent
• NC-Pass Radius Agent.

Use the Access Node property pages to:
• assign one or more Defender Security Servers to the Access Node
• specify users and/or groups of users who can authenticate via this Access Node
• assign a Defender Security Policy to the Access Node
• configure the RADIUS payload for the Access Node.

Defender Security Server Overview

The Defender Management Console enables you to create and configure Defender Security Servers. The Defender Security Server is the point in your network where user authentication is performed. If authentication is successful, the user is allowed access to the network. When you have defined the Defender Security Server, you can use the Security Server property pages to:
• change the configuration for the Defender Security Server
• assign a Defender Security Policy to this Security Server
• view and change the prompts displayed to the user during the authentication process
• configure the RADIUS Payload. When a user has successfully authenticated, the Defender Security Server returns the RADIUS Payload information to the Access Node that initiated the user authentication request.

Defender Security Policy Overview

The Defender Management Console enables you to create and configure Defender Security Policies. A Security Policy can be assigned to:
• a user
• a user group
• an Access Node
• a Defender Security Server.

If a different Defender Security Policy is applied to each of the above elements, the policy assigned to the user will take the highest priority, followed by the policy assigned to the user group, then the policy assigned to the access node and finally, the policy assigned to the Defender Security Server. Security Policies are not aggregated. Logon attempts made by the user are rejected if:
• the user belongs to two groups with conflicting security policies, and
• both groups are assigned to the Access Node that the user uses to connect to the Defender Security Server.

If no policy has been assigned, a Token Only policy will be applied. When you have defined the Defender Security Policy, you can use the Security Policy property pages to:
• change the Defender Security Policy configuration
• change user account lockout information
• configure password and PIN expiration policies
• configure settings for SMS tokens
• provide backward compatibility with Defender 4 (Access Categories)
• specify permitted logon hours
• configure settings for E-mail OTP tokens
• configure settings for GrIDsure tokens.

RADIUS Payload

The Defender Management Console enables you to configure the RADIUS Payload. The RADIUS Payload is information that is passed from the Defender Security Server to the Network Access Server where the user authentication attempt originated. This RADIUS Payload information can be assigned to:
• a user
• a user group
• an Access Node
• a Defender Security Server.

If a different RADIUS Payload is applied to each of the above elements, the payload assigned to the user will take the highest priority, followed by the payload assigned to the user group, then the payload assigned to the access node and finally, the payload assigned to the Defender Security Server. RADIUS Payloads can be aggregated if required.

Aggregating RADIUS Payloads RADIUS Payloads can be aggregated. For example, if you define a payload for an access node and also define a payload for the Defender Security Server to which the access node is assigned, the RADIUS Payload defined for the Security Server can be aggregated with the RADIUS Payload defined for the Access Node. A RADIUS Payload can be aggregated from the User, User Group(s), Access Node(s) and Defender Security Server(s). To specify that RADIUS Payload must be aggregated, check the Inherit payload entries from parent checkbox in the RADIUS Payload dialog in the Properties for the User/User Group and/or Access Node. The Inherit payload entries from parent checkbox is not available on the RADIUS Payload dialog in the Defender Security Server Properties. For a child to inherit a payload from a parent, the Inherit payload entries from parent checkbox must be checked on the RADIUS Payload dialog in the Properties for both the child and parent. If a RADIUS Payload has been defined for the child, the RADIUS Payload defined for the parent will be aggregated with the payload defined for the child. If a RADIUS Payload has not been defined for the child, the RADIUS Payload defined for the parent will be inherited by the child.
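The two resolution rules described in this chapter, Security Policies (precedence only, never aggregated, conflicting group policies reject the logon, Token Only as the default) and RADIUS Payloads (aggregated upward while the Inherit payload entries from parent checkbox is set on both sides, with the Defender Security Server as the root that has no checkbox), can be written down as a short model. The following Python is an added example for this edition of the guide; it is not part of Defender and not Quest's code. Object names, policy names and RADIUS attribute values in it are constructed for illustration, and where the guide is silent about an element that has no payload of its own the code treats that element as transparent so that precedence falls through to its parent, as the precedence paragraph describes.

```python
"""Added example, not Quest's code: models the precedence rules in the guide for
Defender Security Policies (never aggregated) and RADIUS Payloads (aggregated
upward while "Inherit payload entries from parent" is set).  Names, policies
and attribute values are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_POLICY = "Token Only"   # applied when nothing in the chain has a policy


@dataclass
class Element:
    """A user, user group, Access Node or Defender Security Server."""
    name: str
    policy: Optional[str] = None                           # assigned Security Policy, if any
    payload: Dict[str, str] = field(default_factory=dict)  # RADIUS attribute -> value
    inherit_payload: bool = False                          # "Inherit payload entries from parent"


def resolve_policy(user: Element, groups: List[Element], access_node: Element,
                   dss: Element) -> Tuple[Optional[str], str]:
    """Return (policy, source).  The first level that has a policy wins; levels are
    never merged.  Two member groups with different policies, both assigned to the
    Access Node in use, reject the logon (policy None)."""
    if user.policy:
        return user.policy, "user"
    group_policies = {g.policy for g in groups if g.policy}
    if len(group_policies) > 1:
        return None, "rejected: conflicting group policies " + ", ".join(sorted(group_policies))
    if group_policies:
        return group_policies.pop(), "user group"
    if access_node.policy:
        return access_node.policy, "access node"
    if dss.policy:
        return dss.policy, "security server"
    return DEFAULT_POLICY, "default"


def resolve_payload(chain: List[Element]) -> Dict[str, str]:
    """chain is child-first: [user, user group, access node, security server].
    Interpretation used here (an assumption where the guide is silent): a level
    with no payload of its own is transparent, so precedence falls through to its
    parent; once a payload has been taken, a parent's entries are added only when
    both sides have the inherit checkbox set, the security server counting as
    always set because it has no checkbox; on a clash of attribute names the
    child's (higher precedence) value is kept."""
    merged: Dict[str, str] = {}
    for depth, element in enumerate(chain):
        if not element.payload:
            continue
        is_root = depth == len(chain) - 1
        if merged and not (element.inherit_payload or is_root):
            break                                   # parent does not offer its entries
        for attr, value in element.payload.items():
            merged.setdefault(attr, value)          # child wins on conflict
        if not element.inherit_payload:
            break                                   # child does not ask for more
    return merged


if __name__ == "__main__":
    # Constructed chain: alice in group VPN-Users, connecting through vpn-node to dss01.
    dss = Element("dss01", payload={"Session-Timeout": "3600"})
    node = Element("vpn-node", payload={"Filter-Id": "vpn-users", "Service-Type": "Framed"},
                   inherit_payload=True)
    group = Element("VPN-Users", policy="VPN-Policy", payload={"Service-Type": "Login"},
                    inherit_payload=True)
    alice = Element("alice", inherit_payload=True)
    print(resolve_policy(alice, [group], node, dss))       # ('VPN-Policy', 'user group')
    print(resolve_payload([alice, group, node, dss]))      # group value of Service-Type kept
```

The model makes the operational difference between the two mechanisms visible: a policy conflict between two groups is a hard rejection that no lower level can repair, whereas a payload clash is resolved silently in favour of the more specific level, so an attribute set on a user overrides the same attribute set on the Access Node even when inheritance is on.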


Defender Tokens

The following token types can be used to authenticate to a Defender-protected network:
• Quest Soft Token for:
  • Android
  • Blackberry
  • E-mail
  • iPhone (iToken)
  • Java
  • Palm
  • SMS
  • Windows Desktop
  • Windows Phone/Windows Mobile
• GrIDsure Token
• Authenex OATH Compliant Token
• Defender Go-x Token
• Defender DualTok Token
• Digipass Pro 260 Token
• Digipass Pro 300 Token
• Defender One Token
• Defender Hand-Held Token
• Defender Hand-Held Token Plus
• Verisign VIP Token

For further information on token administration and usage, please refer to the:
• related Token administration and/or User Guide
• Defender Hardware Token User Guide.

Stopping and Restarting the Defender Service To stop and restart the Defender Security Server Service, select Start | Programs | Defender Active Directory Edition | Defender Security Server. The Defender Security Server Configuration dialog box is displayed:

Figure 2: Defender Security Server Configuration - Service dialog box

To restart the Defender Security Server Service, click Restart Service. To stop the Defender Security Server Service, click Stop Service.


Defender Security Server - Service Account Credentials The Defender Security Server (DSS) communicates with Active Directory (AD) during the authentication process to read and write specific Defender-related data, so the service account it runs under must have the correct privileges within AD. An account such as the built-in Administrator account or a member of the Domain Admins security group has the required permissions by default, but that is far more privilege than the service needs.

In Figure 2 above, a service account has been created in AD specifically for use with the DSS. Such a dedicated account must be delegated the correct permissions within AD; it is preferable to a Domain Admins member because the DSS then holds only the rights it actually uses. To assign the permissions, use the Delegate Control wizard provided on the Defender menu in Active Directory Users & Computers.

For further information, refer to the Defender Delegated Administration User Guide.


About Defender

For general information about Defender 5.7, select Defender on the menu bar, then select About. The About Defender 5.7 dialog box displays the version number of Defender and provides access to the User License tab, Defender Desktop Token Licenses and Token Summary tabs. The User License tab displays information about the currently installed user license:

Figure 3: User License tab

• DN - the distinguished name of the Defender Security Server where the user license is installed
• License Type - either Permanent or Temporary
• Users - the number of users permitted by this license and the number of users assigned to date
• License Expires - if you have installed a temporary license, this is the date that the license will expire.

The Defender Desktop Token License tab displays information about the currently installed Defender Desktop Token license(s). In Defender 5.7 the Defender Desktop Token license has changed. A Universal license is now available, which will allow for any token type to be created. This differs from Defender 5.6 where a Desktop Token license was required for each token type.


The Token Licenses tab displays the number of permanent Universal licenses that have been installed. These are cumulative, and the combined total of all installed licenses is displayed, e.g. 20 used out of a total of 9405.

Figure 4: Token License tab for a New Defender 5.7 Installation

For customers that have upgraded from Defender 5.6 or earlier the Token Licenses tab will look slightly different. The Token Licenses tab below shows a system that has been upgraded from Defender 5.6 to 5.7. The individual token licenses installed for Defender 5.6 will be listed displaying the token type and license count. All of these licenses will be treated as universal licenses. In the example below the license total of 53006 is a combination of all legacy (5.6) licenses – this allows for any token type to be created.

Figure 5: Token License Tab for a System that has been Upgraded to 5.7


The Token Summary tab will display the current number of licenses used for each token type:

Figure 6: Defender Desktop Token License Tab


Access Node Configuration
• Introduction
• Defender Access Node Properties
• Changing Defender Access Node Configuration
• Adding Users or User Groups
• Assigning a Defender Security Policy to an Access Node
• Changing the RADIUS Payload

Introduction

This section describes how to create and configure an Access Node. The Access Node is the point in your network where you need to challenge the user to verify their identity, for example, a firewall or VPN server. At the access node, the user will be prompted to enter their logon credentials. This may be a user ID, password and token authentication information. The access node sends the user's logon credentials to the Defender Security Server for authentication. If authentication is successful, the user is granted access to the network. You can define any number of access nodes in your Defender configuration. An access node can be a:
• RADIUS Agent
• RADIUS Proxy
• RADIUS Proxy (to non-negotiating server)
• Defender Agent
• NetScreen Agent
• NC-Pass Radius Agent
• Nortel VPN Agent.

Creating a New Access Node

To create a new Access Node, click the Defender OU and then right-click Access Nodes.

1. From the menu, select New.
2. From the submenu, select Defender Access Node.
3. The New Object - Defender Access Node dialog box is displayed:

Figure 1: New Object - Defender Access Node (name and description) dialog box

4. In the Name field, type a name for this Access Node.
5. In the Description field, type a description for this Access Node.
6. Select Next to continue. The New Object - Defender Access Node (node type) dialog box is displayed:

Figure 2: New Object - Defender Access Node (node type) dialog box

7. In the Node Type field, click the arrow and select the required node type from the list. The access node is the point in your network where you need to challenge the user to verify their identity. The options are:
• Radius Agent - select this node type to allow a NAS device to connect to Defender using the RADIUS protocol. RADIUS is transmitted over UDP and uses port 1812 by default. This is the default setting and is supported by most access devices.
• Radius Proxy - select this node type to allow RADIUS requests received from a RADIUS Agent access node to be forwarded to another RADIUS Server.
• Radius Proxy (to non-negotiating server) - in some cases, the user ID included in the request sent from the Access Node and proxied by the Defender Security Server to the RADIUS Server cannot be processed by the RADIUS Server unless accompanied by a password. Select this node type to allow Defender to issue the response request on behalf of the RADIUS Server. This node type is typically used when migrating from RSA to Defender.
• Defender Agent - select this node type to allow Defender 4 embedded agents to connect and process authentication requests. Typically, this node type is required for use with legacy Cisco ACS devices. Defender Agents use a proprietary protocol to transmit data over TCP (default port number 2626) instead of the UDP used by RADIUS.
• NetScreen Agent - select this node type if your Access Node is a NetScreen VPN.
• NC-PASS Radius Agent - select this node type if you are using the Quest NC-Pass two-factor authentication product.
• Nortel VPN - select this node type if you will authenticate using an SNK token in synchronous mode.

8. In the User ID field, click the arrow and select the required user ID type from the list. This is the user ID that will be used to locate the user in Active Directory. The options are SAM Account Name, Defender ID, User Principal Name, Proper Name or Email Address. If you select Email Address, the email address entered in the E-mail field on the username Properties, General tab will be used.

9. Select Next to continue. The New Object - Defender Access Node (connection details) dialog box is displayed:

Figure 3: New Object - Defender Access Node (connection details) dialog box

10. In the IP Address or DNS Name field, type the IP address or DNS name of this Access Node. Figure 3 above shows an example of the configuration required to allow access from a single IP address only. This type of configuration would be used when allowing authentication requests from a VPN server or firewall.

Figure 4: New Object - Defender Access Node (connection details) dialog box

Figure 4 above shows an example of the configuration to allow a range of IP addresses. This type of configuration would typically be used with Defender Desktop Login to allow all workstations on a particular subnet to use Defender for authentication.

11. In the Port field, type the RADIUS port number that will be used with this connection. RADIUS typically uses port 1812.

12. If several access devices within the same subnet will connect to the Defender Security Server through this Access Node (as in Figure 4), type the required subnet mask in the Subnet Mask field.

13. In the Shared Secret field, type the shared secret that matches the shared secret configured on your access device. The shared secret can be up to 256 alphanumeric characters. (For a Defender Agent Access Node, the shared secret can be 16 hex or 24 octal digits.)

14. Select Next to continue. The New Object - Defender Access Node (summary) dialog box is displayed:

Figure 5: New Object - Defender Access Node (summary) dialog box

15. This dialog box displays a summary of your settings for this Access Node. Select Finish to save your settings.
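Steps 10 to 13 above define three things the Defender Security Server needs before it will talk to an access device: which source addresses belong to the Access Node (a single address as in Figure 3, or an address plus subnet mask as in Figure 4), which port the requests arrive on, and the shared secret. The following Python is an added example for this edition of the guide, not part of Defender and not Quest's code. It models the address and port matching, and then shows what the shared secret is actually used for on the wire for a Radius Agent node: the RADIUS Response Authenticator of RFC 2865, which the NAS recomputes with its own copy of the secret to check that the reply came from a server that knows it. All node names, addresses and secrets are constructed for illustration, and DNS names are not modelled.

```python
"""Added example, not Quest's code: models the Access Node connection details
(address, optional subnet mask, port, shared secret) and the RFC 2865 Response
Authenticator that the shared secret protects.  All values are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# Default authentication ports listed in the guide for each node type.
DEFAULT_PORTS = {"Radius Agent": 1812, "Radius Proxy": 1812, "Defender Agent": 2626}


@dataclass(frozen=True)
class AccessNode:
    name: str
    node_type: str
    address: str                          # IP address of the NAS (DNS names not modelled)
    shared_secret: bytes
    subnet_mask: str = "255.255.255.255"  # single host unless a mask is given (Figure 3)
    port: Optional[int] = None            # None -> default for the node type

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False accepts 192.168.70.9/255.255.255.255 and 192.168.70.0/255.255.255.0 alike.
        return ipaddress.IPv4Network(f"{self.address}/{self.subnet_mask}", strict=False)

    @property
    def auth_port(self) -> int:
        return self.port if self.port is not None else DEFAULT_PORTS[self.node_type]


def find_access_node(nodes: List[AccessNode], source_ip: str,
                     dest_port: int) -> Optional[AccessNode]:
    """Pick the Access Node whose address range covers the request's source IP on
    the port it arrived on.  If a single-host node and a subnet node both match,
    the more specific (longer prefix) one wins.  None means no node matches, and
    without a shared secret the server cannot verify the request at all."""
    src = ipaddress.IPv4Address(source_ip)
    hits = [n for n in nodes if src in n.network and n.auth_port == dest_port]
    return max(hits, key=lambda n: n.network.prefixlen) if hits else None


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    where Length covers the 20-byte header plus the attributes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_reply(code: int, identifier: int, request_authenticator: bytes,
                attributes: bytes, secret: bytes) -> bytes:
    """Server side: assemble an Access-Accept/Reject with its authenticator filled in."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def nas_accepts_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator with the NAS's own copy of the secret.
    A reply forged or altered by something that lacks the secret fails here."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, request_authenticator,
                                      reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected)


# Constructed configuration mirroring Figures 3 and 4 and the Defender Agent default port.
NODES = [
    AccessNode("vpn-gateway", "Radius Agent", "192.168.70.9", b"constructed-secret-vpn"),
    AccessNode("desktop-login", "Radius Agent", "192.168.70.0", b"constructed-secret-lan",
               subnet_mask="255.255.255.0"),
    AccessNode("legacy-acs", "Defender Agent", "192.168.80.4", b"0123456789ABCDEF"),
]

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def demo_exchange() -> bool:
    """Constructed Access-Request from the VPN gateway answered with an Access-Accept
    carrying a Reply-Message (attribute type 18).  Returns True when the NAS accepts."""
    node = find_access_node(NODES, "192.168.70.9", 1812)
    assert node is not None and node.name == "vpn-gateway"
    request_auth = bytes(range(16))                 # constructed 16-byte request nonce
    msg = b"Defender: welcome"
    attrs = bytes([18, 2 + len(msg)]) + msg
    reply = build_reply(ACCESS_ACCEPT, 7, request_auth, attrs, node.shared_secret)
    return nas_accepts_reply(reply, request_auth, node.shared_secret)
```

Two points worth keeping in mind when filling in the dialog: a subnet-wide Access Node such as 192.168.70.0/255.255.255.0 gives every host on that subnet the same shared secret, so any machine that can reach the server from that range can submit authentication requests, which is why the guide reserves that form for Desktop Login workstations and uses a single address for a VPN server or firewall; and the Response Authenticator only lets the NAS detect a reply that was not produced with the secret, it does not encrypt the exchange, so the secret itself must be long and unguessable (the field allows up to 256 characters).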


Defender Access Node Properties

Defender Access Node Properties includes the following tabs:
• Access Node - allows you to display or edit the configuration information for this Access Node
• Members - allows you to specify users and/or groups of users who can authenticate via this Access Node
• Policy - allows you to add or remove a Defender Security Policy for this Access Node
• RADIUS Payload - allows you to configure the RADIUS payload for this Access Node.

Changing Defender Access Node Configuration

To change Access Node configuration, perform the following steps:

1. In the Users and Computers tree, select the Defender OU and then Access Nodes.
2. Right-click the required Access Node.
3. From the menu, select Properties. The Access Node dialog box is displayed:

Figure 6: accessnodename Properties - Access Node dialog box

The fields in the Access Node dialog box are described in the following table:

Table 1: Fields in the Access Node dialog box

FIELD NAME: DESCRIPTION

Description: Displays the description for this Access Node. To edit the description, click in the Description field and type the new description for this Access Node.

IP Address or DNS Name: IP Address or DNS name of the NAS device. To change the IP Address or DNS name, click in the IP Address or DNS Name field and type the new IP Address or DNS name for this Access Node. E.g. 192.168.70.9 will allow connection from this IP address only; 192.168.70.0 will allow connections from any IP address on the 192.168.70.x subnet (subnet mask 255.255.255.0 would also be required).

Auth Port: Number of the port that this Access Node will accept RADIUS requests on. To change the port number, click in the Port field and type the new port number for this Access Node. The default port numbers are: Radius Agent - port number 1812; Radius Proxy - port number 1812; Defender Agent - port number 2626.

Subnet Mask: Subnet mask address. If multiple Access Nodes within the same subnet will connect to the Defender Security Server, the subnet mask for the Access Nodes is displayed in this field. To change the subnet mask, click in the Subnet Mask field and type the new subnet mask address.

Acct Port: Number of the port that this Access Node will accept RADIUS accounting packets on. When an accounting packet is received its contents are written to an accounting log. The default port number for a RADIUS Agent is 1813.

Node Type: Type of node. To change the type of node, click the arrow in the Node Type field and select the required node type from the list. The access node is the point where you need to challenge the user to verify their identity. The available node types are Radius Agent, Radius Proxy, Radius Proxy (to non-negotiating server), Defender Agent, NetScreen Agent, NC-Pass Radius Agent or Nortel VPN. For a description of each node type, refer to Creating a New Access Node.

Shared Secret: Contains the secret that this Access Node will share when it attempts to establish a connection with the Defender Security Server. To display the shared secret in clear text, click Reveal. To hide the shared secret (display as asterisks), click Hide.

User ID: Type of user ID that will be used by the Defender Security Server to search for users in Active Directory. The options are Defender ID, User Principal Name, SAM Account Name, Proper Name or E-mail Address.

Assigned To: Displays the name and location of the Defender Security Server(s) to which this Access Node is assigned. To assign this Access Node to a Defender Security Server:
1. Select Assign. The Select Defender Security Servers dialog box is displayed:

Figure 2-1: Select Defender Security Servers dialog box

2. Double-click the required Defender Security Server. The selected Security Server is displayed in the lower window.
3. Select OK to return to the Defender Access Node dialog box. The Defender Security Server is displayed in the Assigned To table.
To remove a Defender Security Server from the Assigned To table in the Access Node dialog box, click on the required Security Server in the Assigned To table, then click Unassign. The Security Server is removed from the Assigned To table.

4. If you have made any changes in the Access Node dialog box, click OK to save your settings.

Defender Configuration Guide

Adding Users or User Groups

To specify the users and/or groups of users who will be authenticated by the Defender Security Server via this Access Node, perform the following steps:

1. Select the Defender OU, then click Access Nodes.

2. Right-click the required Access Node.

3. From the menu, select Properties. The Access Node dialog box is displayed.

4. Select the Members tab. The nodename Properties - Members dialog box is displayed:

Figure 3: nodename Properties - Members dialog box

5. Select Add to select a user or group of users. The Select Users or Groups dialog box is displayed.

Figure 4: Select Users or Groups dialog box

6. To specify the object type(s) to be included in the search, click Object Types. The Object Types dialog is displayed. Check the box adjacent to the required object types, then click OK. The Select Users dialog box is displayed.

7. To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed.

8. In the Enter the object names to select field, type the object name(s) that will be used to match with users and/or groups. For more specific search options, click Advanced.

9. Select OK to save your settings and return to the Members dialog box. Selected users/groups are displayed in the Members table.

Removing a User or Group

To remove a user or group of users from the Members table in the Members dialog box:

1. Select the required user or group, then select Remove.

2. Select OK to save your settings and return to the AD Users and Computers tree.


Assigning a Defender Security Policy to an Access Node

This section describes how to assign a Defender Security Policy to an Access Node. For information on creating a new Defender Security Policy, refer to Security Policy Configuration. Perform the following steps:

1. Select the Defender OU from the AD Users and Computers tree.

2. Select Access Nodes.

3. In the right-hand window, right-click the required Access Node.

4. Select Properties from the menu.

5. The nodename Properties – Access Node dialog box is displayed. Select the Policy tab.

6. The nodename Properties – Policy dialog box is displayed.

Figure 5: accessnodename Properties - Policy dialog box

7. Click Select. The Select Defender Policies dialog box is displayed:

Figure 6: Select Defender Policies dialog box

8. Double-click the required policy in the list. The selected policy is displayed in the lower window. Alternatively, type the name of the required policy, either in full or in part, in the lower window. Select Check Names. If more than one policy is found, the Multiple Objects Found dialog box is displayed:

Figure 7: Check Names - Multiple Objects Found dialog box

9. Select the required policy in the list.

10. Select OK to save your settings and return to the Policy dialog box.

11. The selected policy is displayed in the Policy field. All other fields in the Policy dialog box are display fields only. The information in these fields is described in the following table:

Table 2: Fields in the Policy dialog box

Authentication:

First - the first method of authentication that the user is required to enter during an authentication request. The authentication methods are Token, Defender Password, Active Directory Password, Token with Defender Password, Token with Active Directory Password, Active Directory Password (Rollout Mode) and Token (GrIDsure Auto-Enrollment Mode).

Second - the second method of authentication that the user is required to enter during an authentication request. The authentication methods are Token, Defender Password, Active Directory Password, Token with Defender Password, Token with Active Directory Password, Active Directory Password (Rollout Mode), Token (GrIDsure Auto-Enrollment Mode) or None.

Account Lockout:

Threshold - the number of invalid authentication attempts the user can make before their Defender account is locked.

Lockout Duration - the length of time that the account will remain locked when the specified number of failed authentication attempts is reached.

Auto Reset - whether the user’s violation count will be automatically reset after a successful login.

12. Select OK to save your settings.


13. To establish which security policy will be effective when a specific user attempts to authenticate, click Effective. The Effective Policy dialog box is displayed:

Figure 8: Effective Policy dialog box

14. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will process the user’s authentication request. You can, if required, select a different Security Server.

15. In the DAN field, select the Access Node in your network where the user will be prompted to enter authentication credentials.


16. To select a user, click Select. The Select Users dialog box is displayed:

Figure 9: Select Users dialog box

17. To search for a specific user name, in the Enter the object names to select field, type the required user name, either in full or in part. Select Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

18. Select OK to return to the Effective Policy dialog box. The effective security policy for the selected user is displayed in the Policy field. The Defender component associated with the effective Security Policy, either Security Server, Access Node, User Group or User, is displayed in the From field.

19. Select Close to return to the Policy dialog box.


If the effective Security Policy requires the user to authenticate with a token and/or a password, the Use field in the Effective Policy dialog box shows whether the user is in possession of a token and/or password. If the user is not in possession of a token and/or password, this is indicated in red.

Figure 10: Defender Effective Policy


If the attempt to identify the effective Policy for a user results in the identification of two or more conflicting security policies, this is indicated in the Policy field in the Effective Policy dialog box.

Figure 11: Defender Effective Policy

Ambiguous policies may occur if a user is assigned to more than one AD security group that have Defender policies assigned.


Changing the RADIUS Payload

To change the RADIUS Payload specified for this Defender Access Node, perform the following steps:

1. From AD Users and Computers, select the Defender OU and then select Access Nodes.

2. Right-click on the required Access Node.

3. Select Properties from the menu.

4. The accessnodename Properties - Access Node dialog box is displayed.

5. Select the RADIUS Payload tab. The RADIUS Payload dialog box is displayed:

Figure 12: servername Properties - RADIUS Payload dialog box

6. Click Select. The RADIUS Payload definitions are displayed.

7. Double-click on the required RADIUS Payload.

8. Select OK. The selected payload is displayed in the Payload field on the accessnodename Properties - RADIUS Payload dialog box:

Figure 13: accessnodename Properties - RADIUS Payload dialog box

9. To inherit a RADIUS Payload from the Defender Security Server(s) to which this Access Node is assigned, check the Inherit payload entries from parent checkbox. For further information, refer to .

10. To establish which RADIUS Payload definition will be effective when a specific user is authenticated, click Effective. The Effective Payload dialog is displayed:

Figure 14: Effective Payload dialog

11. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.

12. In the DAN field, select the Access Node through which the user will attempt to authenticate.


13. To select a user, click Select. The Select Users dialog box is displayed:

Figure 15: Select Users dialog box

14. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Select Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

15. Select OK to return to the Effective Payload dialog. The effective payload for the selected user is displayed in the Payload field.

16. Select Close to return to the securityservername Properties - RADIUS Payload dialog.

Security Policy Configuration

• Introduction
• Creating a New Defender Security Policy
• Changing Policy Properties
• Account Settings
• Expiry Settings
• Logon Hours Settings
• Access Category Settings
• GrIDsure Tokens

Introduction

This section describes how to:

• create a new Defender Security Policy
• change policy properties
• define account settings
• configure expiry settings
• configure mobile provider settings
• configure access category settings
• configure security settings
• configure logon hours settings
• configure the RADIUS Payload
• configure E-mail OTP settings
• configure GrIDsure token settings.

The security policy is assigned to a user, user group, access node or security server.


Creating a New Defender Security Policy

To create a new Defender Security Policy, click the Defender OU and then right-click Policies.

1. From the menu, select New.

2. Select Defender Policy from the list.

3. The New Object - Defender Policy (name and description) dialog box is displayed.

Figure 1: New Object - Defender Policy (name and description) dialog box

4. In the Name field, type a name for this policy.

5. In the Description field, type a description for this policy.

6. Select Next to continue. The New Object - Defender Policy (authentication method) dialog box is displayed:

Figure 2: New Object - Defender Policy (authentication method) dialog box

7. In the Method field, click the arrow and select an authentication method from the list. The authentication method determines the credentials that the user must enter when he attempts to authenticate. If you select:

• Token - the user must use a challenge/response or response only token
• Defender Password - the user must enter a valid Defender password
• Active Directory Password - the user must enter a valid Active Directory password
• Token with Defender Password - the user must use a challenge/response or response only token and enter a valid Defender password
• Token with Active Directory Password - the user must use a token response with a valid Active Directory password
• Active Directory Password (Rollout Mode) - users can authenticate using their Active Directory password until a Defender token is assigned / registered to their Active Directory user account
• Token (GrIDsure Auto-Enrollment Mode) - the first time that the user attempts to authenticate using a GrIDsure enabled policy, the GrIDsure token will be created and configured.

8. In the Logon Attempts field, select the number of times that the user can attempt to logon. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented. For further information, refer to Step 14.

9. If the user will use the token response more than once, check the Use Synchronous tokens as Event tokens checkbox. This option is for use with the Defender Go-x, Digipass Pro 260 and Digipass Pro 300 tokens. The response generated by these tokens changes approximately every 36 seconds. If the Use Synchronous tokens as Event tokens checkbox is checked, the user can use a token response more than once to log on to more than one system, without generating a new response if the entire logon process takes less than 36 seconds. The time limit for multiple use of the token response is specified in the API.

10. Select Next to continue. The New Object - Defender Policy (second authentication method) dialog box is displayed:

Figure 3: New Object - Defender Policy (second authentication method) dialog box

11. In the Method field, click the arrow and select an authentication method from the list. This is the second authentication method that the user must enter when he attempts to authenticate. If you do not want to specify an additional authentication method, select None. For a description of the authentication methods and the fields in this dialog box, refer to Step 7.


12. Select Next. The New Object - Defender Policy (account lockout) dialog box is displayed.

Figure 4: New Object - Defender Policy (account lockout) dialog box

13. To enable the user’s account to be locked out if the specified number of unsuccessful logon attempts is exceeded, check the Enable Account Lockout checkbox.

14. In the Lockout after n violations field, specify the maximum number of violations allowed before the user’s account is locked. The violation count is incremented each time the user performs the number of unsuccessful logon attempts specified in the Logon Attempts field in the New Object Defender Policy dialog box described in Step 8.

15. To lock the user’s Windows account if the specified number of violations is reached, check the Lockout Windows account after indicated violations checkbox. To use this option, you must ensure that Windows account lockout is enabled in Domain Security Policy and/or Domain Controller Security Policy.

16. To specify that a locked account can be unlocked by an Administrator only, check the Locked accounts must be unlocked by an Administrator checkbox.

17. In the Lockout duration field, specify the time in minutes that the user’s account will remain locked after exceeding the maximum number of unsuccessful authentication attempts. If this value is 0, the account must be unlocked by an administrator. The account lockout period starts from the time the maximum number of invalid logon attempts is exceeded. If the user attempts to logon while the account is locked, the account lockout period will be effective from the time of the most recent logon attempt.

18. To reset the count of unsuccessful logon attempts to zero when the user performs a successful logon, check the Automatically reset account after successful login checkbox.

19. Select Next to continue. The New Object - Defender Policy (password and PIN expiry) dialog box is displayed:

Figure 5: New Object - Defender Policy (password and PIN expiry) dialog box

20. If you want Defender passwords to expire after a specified period of time, check the Enable Defender Password Expiry checkbox. This checkbox is only available if you have chosen to authenticate using a Defender password. 21. In the Expire after field, select the number of days that the Defender password will remain valid. When the specified number of days has lapsed, the password will expire. 22. If you want PINs to expire after a specified period of time, check the Enable PIN Expiry checkbox. This checkbox is only available if you have chosen to authenticate with a token that is locked with a PIN. 23. In the Expire after field, select the number of days that the PIN will remain valid. When this period of days has lapsed, the PIN will expire.


24. Select Next. The New Object - Defender Policy (summary) dialog box is displayed:

Figure 6: New Object - Defender Policy (summary) dialog box

25. Select Finish to save your settings.


Changing Policy Properties

Policy Properties includes the following tabs:

• Policy - enables you to configure a Defender Security Policy
• Account - enables you to change user account lockout information
• Expiry - enables you to specify expiry details for the Defender password and token PIN
• Logon Hours - enables you to configure the times that a user is permitted to logon
• Mobile Provider - enable SMS Tokens and specify the details of your mobile service provider and SMS token settings
• E-Mail OTP - enable E-mail OTPs and configure the relevant settings. This option requires that the user has an E-mail address configured on their user account
• Access Categories - provides backward compatibility with Defender 4 and allows you to specify which Defender Agents a user can access
• GrIDsure - enable GrIDsure tokens and configure GrIDsure token settings.

To change a Defender Security Policy, perform the following steps:

1. Select the Defender OU.

2. Select Policies.

3. Right-click on the required policy.

4. Select Properties from the menu.

5. The policyname Properties - Policy dialog box is displayed.


Figure 7: policyname Properties – Policy dialog box

The fields in the policyname Properties - Policy dialog box are described in the following table:

Table 1: Fields in the policyname Properties - Policy dialog box

Description - displays the description for this policy. To change the description, click in the Description field and type the new description.

Authentication methods:

Use - displays the first authentication method used with this policy. To change the first authentication method, click the arrow in the Use field and select an authentication method from the list. The available authentication methods are Token, Defender Password, Active Directory Password, Token with Defender Password, Token with Active Directory Password, Active Directory Password (Rollout Mode), GrIDsure (Auto-Enrollment Mode). For further information on the Active Directory Password (Rollout Mode) option, contact Customer Support.

Logon Attempts - displays the number of unsuccessful logon attempts that the user can make. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented. For further information, refer to Account Settings. To change the number of logon attempts, use the arrows or type the required number in the Logon Attempts field.

Use Synchronous tokens as Event tokens - if checked, enables the user to use the token response more than once. This option is for use with Defender Go-x, Digipass Pro 260 and Digipass Pro 300 tokens. The response generated by these tokens changes approximately every 36 seconds. If the Use Synchronous tokens as Event tokens checkbox is checked, the user can use a token response more than once to log on to more than one system, without generating a new response if the entire log on process takes less than 36 seconds. The time limit for multiple use of the token response is determined in the API.

Followed By - displays the second authentication method used with this policy. To change the second authentication method, click on the arrow in the Followed By field and select the required authentication method from the list. The available authentication methods are Token, Defender Password, Active Directory Password, Token with Defender Password, Token with Active Directory Password, Active Directory Password (Rollout Mode), GrIDsure (Auto-Enrollment Mode). For further information on the Active Directory Password (Rollout Mode) option, contact Customer Support.

Logon Attempts - displays the number of unsuccessful logon attempts that the user can make. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented. For further information, refer to Account Settings. To change the number of logon attempts, use the arrows or type the required number in the Logon Attempts field.

Use Synchronous tokens as Event tokens - if checked, enables the user to use the token response more than once. This option is for use with Defender Go-x, Digipass Pro 260 and Digipass Pro 300 tokens. The response generated by these tokens changes approximately every 36 seconds. If the Use Synchronous tokens as Event tokens checkbox is checked, the user can use a token response more than once to log on to more than one system, without generating a new response if the entire log on process takes less than 36 seconds. The time limit for multiple use of the token response is determined in the API.

6. If you have made any changes in the Policy dialog box, click OK to save your settings.

Account Settings

The Account dialog box enables you to change the account lockout details for this Security Policy. Select the Account tab to display the Account dialog box:

Figure 8: policyname Properties – Account dialog box

The fields in the policyname Properties - Account dialog box are described in the following table:

Table 2: Fields in the policyname Properties - Account dialog box

Enable Account Lockout - if checked, the user’s Defender account is locked out after the number of violations specified in the Lockout after n violations field. To disable account lockout, uncheck the checkbox.

Lockout after n violations - if the number of violations incurred by the user reaches the number specified in this field, the user’s Defender account is locked.

Lockout Windows account after indicated violations - if checked, the user’s Windows account will be locked when the number of violations reaches the number specified in the Lockout after n violations field. If the Windows account is locked, the user is unable to logon to their Windows account locally or remotely via Defender.

Locked accounts must be unlocked by an Administrator - if checked, a locked account can be unlocked by an Administrator only.

Lockout duration n minutes - the number of minutes that a locked account will remain locked. To change the lockout duration, use the arrows or type the required number of minutes in the Lockout duration n minutes field.

Automatically reset account after successful login - the violations count is reset to zero when the user performs a successful logon.

If you have made any changes in the Account dialog box, click OK to save your settings.
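As an added illustration of how the Logon Attempts, violation and lockout settings on the Policy and Account tabs interact, the following Python model (written for this guide; it is not Defender's own code) applies the rules stated above to a sequence of logon attempts. The point at which a violation is recorded (when the unsuccessful attempts reach the Logon Attempts value) and the clearing of counters on an administrator unlock are assumptions.

```python
"""Illustrative model of the Defender account-lockout rules described in this guide.

Written as an example for this guide; it is not Defender's code. Times are in minutes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """Settings from the Policy and Account tabs (names follow the guide)."""
    logon_attempts: int = 3               # Logon Attempts
    enable_account_lockout: bool = True   # Enable Account Lockout
    lockout_after_violations: int = 3     # Lockout after n violations
    lockout_duration_minutes: int = 30    # Lockout duration n minutes (0 = administrator unlock)
    admin_unlock_only: bool = False       # Locked accounts must be unlocked by an Administrator
    auto_reset: bool = True               # Automatically reset account after successful login


@dataclass
class AccountState:
    """Per-user counters (a constructed model of what the DSS tracks)."""
    failed_attempts: int = 0                # unsuccessful attempts since the last violation
    violations: int = 0                     # violation count
    locked_until: Optional[float] = None    # timed lock expiry; None when no timed lock
    admin_unlock_required: bool = False     # lock with no timed expiry


def _lock(policy: LockoutPolicy, state: AccountState, now: float) -> None:
    # Duration 0, or the administrator-only option, means no timed expiry.
    if policy.lockout_duration_minutes == 0 or policy.admin_unlock_only:
        state.admin_unlock_required = True
        state.locked_until = None
    else:
        state.locked_until = now + policy.lockout_duration_minutes


def is_locked(policy: LockoutPolicy, state: AccountState, now: float) -> bool:
    """True while the account is locked; clears a timed lock that has expired."""
    if state.admin_unlock_required:
        return True
    if state.locked_until is None:
        return False
    if now >= state.locked_until:
        state.locked_until = None
        return False
    return True


def attempt_logon(policy: LockoutPolicy, state: AccountState,
                  credentials_valid: bool, now: float) -> str:
    """Apply one logon attempt at time `now`; returns 'allowed', 'denied' or 'locked'."""
    if is_locked(policy, state, now):
        # Guide: an attempt made while locked makes the lockout period run
        # from the time of that attempt, so repeated attempts keep it locked.
        if state.locked_until is not None:
            state.locked_until = now + policy.lockout_duration_minutes
        return "locked"
    if credentials_valid:
        if policy.auto_reset:
            state.failed_attempts = 0
            state.violations = 0
        return "allowed"
    state.failed_attempts += 1
    # Assumption: a violation is recorded once the unsuccessful attempts reach
    # the Logon Attempts value, and the attempt counter then starts again.
    if state.failed_attempts >= policy.logon_attempts:
        state.failed_attempts = 0
        state.violations += 1
        if (policy.enable_account_lockout
                and state.violations >= policy.lockout_after_violations):
            _lock(policy, state, now)
    return "denied"


def admin_unlock(state: AccountState) -> None:
    """Administrator unlock; clearing the counters as well is an assumption."""
    state.admin_unlock_required = False
    state.locked_until = None
    state.violations = 0
    state.failed_attempts = 0


if __name__ == "__main__":
    # Constructed scenario: 2 attempts per violation, lock after 2 violations for 10 minutes.
    policy = LockoutPolicy(logon_attempts=2, lockout_after_violations=2,
                           lockout_duration_minutes=10)
    state = AccountState()
    for minute, ok in [(0, False), (1, False), (2, False), (3, False),
                       (5, True), (14, True), (30, True)]:
        print(minute, attempt_logon(policy, state, ok, minute), state)
```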


Expiry Settings

The Expiry dialog box enables you to specify the expiry details for the Defender password and token PIN. These settings only apply if authentication requires a Defender password and/or a PIN protected token. Select the Expiry tab to display the Expiry dialog box:

Figure 9: policyname Properties – Expiry dialog box

1. To specify that the Defender password will expire after a specified number of days, check the Enable Defender Password Expiry checkbox.

2. In the Expire after nn days field, specify the number of days that will lapse before the password expires.

3. To specify that the PIN for the token will expire after a specified number of days, check the Enable PIN Expiry checkbox.

4. In the Expire after nn days field, specify the number of days that will lapse before the PIN expires.

5. To allow the user to authenticate to Defender, even if their Active Directory password has expired, check the Allow authentication with expired Active Directory password checkbox. To use this option, you must select Active Directory Password or Token with Active Directory Password in the Use field on the Policy tab. Refer to Table 1 for further information.

6. To enable the user to change an expired Active Directory password, check the Allow expired Active Directory password to be changed checkbox. This setting can only be used if the method used by the user to communicate with Defender also supports the password change option.

7. Select OK to save your settings.

Logon Hours Settings

The Logon Hours dialog box enables you to specify the time of day and day(s) of the week that the user is allowed to logon. The default setting permits logon at all times.

Figure 10: policyname Properties - Logon Hours dialog box

To specify the hours when logon is not permitted, follow the steps below:

1. Select the time slot during which you want to deny logon.

2. Select the Logon denied button. The time slot you selected is shown in white. To deny logon across a range of time slots, click the earliest time slot, then drag the pointer across to the latest time slot in the range. Select the Logon denied option button. All time slots in the range are shown in white.

3. Select Apply to save your settings and remain in the Logon Hours tab. Alternatively, select OK to save your settings and return to Active Directory.


Additional Options

To permit logon at all times, click Permit all. To deny logon at all times, click Deny all. To invert your selected time slots for logon permitted and logon denied, click Invert.

Mobile Provider Settings

Defender SMS enables you to use your cell phone to receive a token response from Defender. The Mobile Provider dialog box enables you to specify mobile provider information and the settings for your SMS tokens. The policyname Properties – Mobile Provider dialog box is displayed:

Figure 11: policyname Properties – Mobile Provider dialog box

Table 3: Fields in the policyname Properties - Mobile Provider dialog box

Enable SMS OTP Tokens - Select this option to enable SMS Tokens. If unchecked, SMS Tokens are not usable.

Responses per SMS - Enter the number of OTP responses that will be included in the SMS message. Valid options are 1 to 10. A new SMS containing this number of OTP responses will be sent either when a keyword is used by the user during authentication or, if the user has already received an SMS containing OTPs, when the penultimate or last OTP response is used.

Keyword - If a keyword is provided in this field, entering it during the authentication process will trigger the sending of the SMS message. If a PIN has been assigned to the SMS token on the user’s properties page, this can also be used as the trigger to send the SMS. Also, on first use, a blank token response or an invalid token response during the authentication process will trigger the DSS to send the SMS containing OTP responses.

Use AD Password - If this option is enabled, the user can enter their AD Password during the authentication process to act as the trigger for the DSS to send the SMS message. If enabled and the user enters an incorrect AD Password or an invalid token response, the DSS will still check this against the user’s AD Password. If an AD ‘Account lockout policy’ is enforced, a number of invalid attempts could lock out the user’s AD account. This option should be used with caution.

SMS Provider URL - Type the URL of the Service Provider. The exact URL will vary depending on the service provider, who should be contacted for the correct details.

Phone attribute - This option allows a choice of which attribute is used for the phone number. The default option is to use the Mobile attribute.

[USERID] - This is the User Account name required to access your Service Provider’s web site.

[PASSWORD] - This is the password for the user account specified above.

POST Data - Enter the information that will be sent to your Service Provider at the URL specified above. Default XML POST data is provided but this may need to be modified to work with your specific mobile provider. Your service provider should be able to provide the syntax for this data.

Test - A test option is provided so that you can confirm your settings.

If you have made any changes in the Mobile Provider dialog box, click OK to save your settings.


E-Mail OTP Settings

E-mail OTP enables you to receive your one-time password(s) in an email. The E-mail OTP dialog box enables you to configure the required settings.

Figure 12: policyname Properties – E-mail OTP dialog box

Table 4: Fields in the policyname Properties - E-mail OTP dialog box

Enable E-mail OTP Tokens - Check the box to enable the use of E-mail OTP tokens with this policy.

Responses per Mail - Enter the number of OTP responses that will be included in each e-mail. The responses must be used sequentially. The penultimate or last response will trigger the sending of a new E-mail OTP.

Keyword - If a keyword is provided in this field, entering it during the authentication process will trigger the sending of the E-mail OTP message. If a PIN has been assigned to the E-mail OTP token on the user’s properties page, this can also be used as the trigger to send the E-mail. Also, on first use, a blank token response or an invalid token response during the authentication process will trigger the DSS to send the E-mail containing OTP responses.

Use AD password - If this option is enabled, the user can enter their AD Password during the authentication process to act as the trigger for the DSS to send the E-mail OTP message. If enabled and the user enters an incorrect AD Password or an invalid token response, the DSS will still check this against the user’s AD Password. If an AD ‘Account lockout policy’ is enforced, a number of invalid attempts could lock out the user’s AD account. This option should be used with caution.

E-mail attribute - This option allows a choice of which attribute is used for the E-mail address. The default option is to use the Mail attribute.

Subject - Type the text that will appear in the subject line of the e-mail sent to the user.

From address - The e-mail address from which the e-mail containing the OTP(s) will be sent.

Copy (cc) address - The e-mail address to which a copy of the email containing the OTP(s) will be sent.

Mail Content - Select Mail Content:

1. Enter the descriptive text that will appear in the body of e-mails sent to the email OTP token users. Token responses will be inserted at the foot of the text. To specify where the responses should be positioned in the email, enter [RESPONSES] in the required position.

2. Select OK.

Mail Server - Select Mail Server to enter the settings for your SMTP Server:

1. In the Name field, enter the name or IP Address of the SMTP Server.

2. In the Port field, enter the port number used by the SMTP Server. The default port is 25.

3. If the SMTP Server requires authentication, select Basic or NTLM from the dropdown list in the Authentication field. When prompted, enter the username and password credentials.

4. Select OK.

Test - Enables the administrator to send a test email to a specified address to check that the email send function is working correctly.

If you have made any changes in the E-mail OTP dialog box, click OK to save your settings.
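The Mobile Provider and E-mail OTP tables above describe the same set of delivery triggers (keyword, token PIN, a blank or invalid response on first use, the AD password when Use AD Password is enabled, and the penultimate or last response of a batch). The following Python model, added here and not part of the product, applies those rules to a user's entries and counts how often the Use AD Password option causes an entry to be checked against the AD password, which is the behaviour the tables warn can feed the AD account lockout policy. The OTP values, the sequential-use rule applied to SMS as well as e-mail, and the replacement of the previous batch when a new message is sent are constructed assumptions.

```python
"""Illustrative model of the SMS / E-mail OTP delivery triggers described in this guide.

Written as an example for this guide; it is not Defender's code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class OtpDeliveryPolicy:
    """Settings shared by the Mobile Provider (SMS) and E-mail OTP tabs."""
    responses_per_message: int = 5   # Responses per SMS / Responses per Mail (1 to 10)
    keyword: Optional[str] = None    # Keyword
    use_ad_password: bool = False    # Use AD Password


@dataclass
class OtpTokenState:
    """Per-user OTP token state (a constructed model, not the DSS's own data)."""
    pin: Optional[str] = None                            # PIN assigned on the user's properties page
    responses: List[str] = field(default_factory=list)   # OTPs delivered in the last message
    next_index: int = 0                                  # responses must be used in order
    messages_sent: int = 0
    ad_password_checks: int = 0                          # entries checked against the AD password


def _issue_message(policy: OtpDeliveryPolicy, state: OtpTokenState) -> None:
    # Constructed OTP values for the model; the real OTPs are generated by the DSS.
    state.messages_sent += 1
    base = state.messages_sent * 100000
    state.responses = [f"{base + i:06d}" for i in range(policy.responses_per_message)]
    state.next_index = 0   # assumption: a new batch replaces the previous one


def authenticate(policy: OtpDeliveryPolicy, state: OtpTokenState, entered: str,
                 ad_password_valid: bool = False) -> Tuple[str, bool]:
    """Process one token entry; returns (result, new_message_sent).

    result is 'sent' (a new OTP message was triggered), 'accepted' or 'rejected'.
    """
    first_use = state.messages_sent == 0
    # 1. Explicit delivery triggers: the policy keyword or the token PIN.
    if (policy.keyword is not None and entered == policy.keyword) or \
       (state.pin is not None and entered == state.pin):
        _issue_message(policy, state)
        return "sent", True
    # 2. A correct response, used in sequence.
    expected = (state.responses[state.next_index]
                if state.next_index < len(state.responses) else None)
    if expected is not None and entered == expected:
        state.next_index += 1
        if len(state.responses) - state.next_index <= 1:
            _issue_message(policy, state)   # penultimate or last response used
            return "accepted", True
        return "accepted", False
    # 3. Anything else is an incorrect AD password or an invalid token response.
    #    With Use AD Password on, the guide says it is still checked against the
    #    AD password, so each such entry counts towards AD's own lockout policy.
    if policy.use_ad_password:
        state.ad_password_checks += 1
        if ad_password_valid:
            _issue_message(policy, state)
            return "sent", True
    # 4. On first use a blank or invalid response also triggers delivery.
    if first_use:
        _issue_message(policy, state)
        return "sent", True
    return "rejected", False


if __name__ == "__main__":
    # Constructed walk-through: three OTPs per message, keyword "send".
    policy = OtpDeliveryPolicy(responses_per_message=3, keyword="send")
    state = OtpTokenState()
    print(authenticate(policy, state, ""), state.responses)      # first use: sent
    print(authenticate(policy, state, state.responses[0]))       # accepted
    print(authenticate(policy, state, state.responses[0]))       # penultimate: new batch
```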


Access Category Settings

Access Categories provide backward compatibility with Defender 4. Access Categories are used by Defender 4 to determine which agents a user can access. When an agent is installed, it is assigned an access category. Before a user can access that agent, you must give the user the same access category as the agent. An agent can belong to only one access category, while an access category can contain more than one agent. You can select from 26 (A-Z) access categories. To configure Access Categories, click the Access Categories tab. The Access Categories dialog box is displayed:

Figure 13: Access Categories dialog box

1. To select a category, check the box adjacent to the required category letter. To select all categories, click Select All. To de-select a category, uncheck the box adjacent to the required category letter. To de-select all currently selected categories, click Clear All. To invert your selections, i.e. to switch off all settings currently set to on, click Invert.

2. To save your settings, click OK.

GrIDsure Tokens

The GrIDsure dialog box allows you to enable the use of GrIDsure tokens and configure the required settings. Select the GrIDsure tab to display the GrIDsure dialog box:

Figure 14: policyname Properties – GrIDsure dialog box

The fields in the policyname Properties - GrIDsure dialog box are described in the following table:

Table 5: Fields in the policyname Properties - GrIDsure dialog box

FIELD NAME

DESCRIPTION:

Enable GrIDsure Tokens

Check the box to enable the use of GrIDsure tokens with this policy.

Pattern Length between

The minimum and maximum length of the GrIDsure pattern can be configured.

Block consecutive patterns (horizontal, vertical and diagonal)

Optional – If enabled, users are prevented from using simple patterns.

Enable Pattern Expiry

Optional – If enabled, users will be required to reset their pattern after the configured number of 90 days (default 30 days).

Use numbers in grid

If enabled, the GrIDsure grid will contain numbers.

Use letters in grid

If enabled, the GrIDsure grid will contain letters. If both Use numbers in grid and Use letters in grid are selected, the grid will contain a mixture of both.
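The pattern rules in Table 5 expressed as a policy check, as an added example that is not part of this guide or Quest's product: it enforces the Pattern Length between bounds, the Block consecutive patterns option and Pattern Expiry. The 5 x 5 grid size, the (row, column) cell representation and the reading of "consecutive" as a straight run of adjacent cells are assumptions not stated on the page.

```python
"""Pattern checks matching the policyname Properties - GrIDsure settings:
'Pattern Length between', 'Block consecutive patterns (horizontal,
vertical and diagonal)' and 'Enable Pattern Expiry'.

Added example, not Quest code.  Assumptions not stated on the page:
the grid is 5 x 5, a pattern is an ordered list of (row, column) cells,
and a 'consecutive' pattern is one whose every step moves to the
adjacent cell in a single fixed horizontal, vertical or diagonal direction.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

Cell = Tuple[int, int]
GRID_SIZE = 5  # assumed grid dimension

# Unit steps that keep a pattern on one straight line
STRAIGHT_STEPS = {(0, 1), (0, -1), (1, 0), (-1, 0),
                  (1, 1), (1, -1), (-1, 1), (-1, -1)}


@dataclass(frozen=True)
class GridsurePolicy:
    min_length: int = 4          # lower bound of 'Pattern Length between'
    max_length: int = 6          # upper bound of 'Pattern Length between'
    block_consecutive: bool = True
    expiry_days: int = 30        # 'Enable Pattern Expiry' default on the page


def is_consecutive(pattern: List[Cell]) -> bool:
    """True when every step is the same unit move in a straight direction."""
    if len(pattern) < 2:
        return False
    steps = {(r2 - r1, c2 - c1)
             for (r1, c1), (r2, c2) in zip(pattern, pattern[1:])}
    return len(steps) == 1 and next(iter(steps)) in STRAIGHT_STEPS


def check_pattern(pattern: List[Cell], policy: GridsurePolicy) -> List[str]:
    """Return the policy violations for a proposed pattern (empty = accepted)."""
    problems = []
    for cell in pattern:
        if not all(0 <= i < GRID_SIZE for i in cell):
            problems.append(f"cell {cell} is outside the {GRID_SIZE}x{GRID_SIZE} grid")
    if not policy.min_length <= len(pattern) <= policy.max_length:
        problems.append(f"length {len(pattern)} is not between "
                        f"{policy.min_length} and {policy.max_length}")
    if policy.block_consecutive and is_consecutive(pattern):
        problems.append("consecutive (straight-line) pattern is blocked")
    return problems


def pattern_expired(set_on: date, today: date, policy: GridsurePolicy) -> bool:
    """With pattern expiry enabled, the user must reset after expiry_days."""
    return (today - set_on).days >= policy.expiry_days
```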

Defender RADIUS Payload Configuration

• Introduction
• Creating a New RADIUS Payload

Introduction

This section describes how to create and configure RADIUS Payloads.

Creating a New RADIUS Payload

To create a new Defender RADIUS Payload, click the Defender OU and then right-click RADIUS Payload.

1. From the menu, select New.

2. Select Defender RADIUS Payload from the list.

3. The New Object - Defender RADIUS Payload (name and description) dialog box is displayed.

Figure 1: RADIUS Payload (name and description) dialog box

4. In the Name field, type a name for this RADIUS Payload.

5. In the Description field, type a description for this RADIUS Payload.

6. Select Next to continue. The New Object - Defender RADIUS Payload (attributes) dialog box is displayed:

Figure 2: New Object - Defender RADIUS Payload (attributes) dialog box

7. To apply attributes to this RADIUS payload, click Add. The RADIUS Payload Attributes dialog box is displayed.

8. In the Attribute Id field, click the arrow to display a list of attribute Ids.

9. Select the required attribute Id from the list. The attribute Ids and their values are described in Table 1.

Table 1: Radius Payload Attributes

ATTRIBUTE

VALUE

6:Service Type – indicates the framing to be used for framed access

• 1 - Login
• 2 - Framed
• 3 - Callback Login
• 4 - Callback Framed
• 5 - Outbound
• 6 - Administrative
• 7 - NAS Prompt
• 8 - Authenticate only
• 9 - Callback NAS Prompt
• 10 - Call Check
• 11 - Callback Administrative
• 12 - Voice
• 13 - Fax
• 14 - Modem Replay
• 15 - IAPP-Register
• 16 - IAPP-AP-Check
• 17 - Authorize Only

7:Framed-Protocol – indicates the framing to be used for framed access

• 1 - PPP
• 2 - SLIP
• 3 - Apple Talk Remote Access Protocol (ARAP)
• 4 - Gandalf proprietary SingleLink/MultiLink protocol
• 5 - Xylogics proprietary IPX/SLIP
• 6 - X.75 Synchronous
• 7 - GPRS PDP Context

8:Framed-IP-Address – indicates the address to be configured for the user

• 0xFFFFFFFF - NAS should allow the user to select an address
• 0xFFFFFFFE - NAS should select an address for the user
• Enter a specific value for the user to use as the user's IP address

9:Framed-IP-Netmask – indicates the IP Netmask address to be configured for the user when the user is a router to a network

Specify the Netmask IP Address in the Address field.

10:Framed-Routing – indicates the routing method for the user when the user is a router to a network

• 0 - None
• 1 - Send routing packets
• 2 - Listen for routing packets
• 3 - Send and Listen

11:Filter-Id – indicates the name of the filter list for this user

Specify that the Filter-Id will include:
• individual groups, or
• all groups of which the user is a member.
The default is all groups. When the user has been successfully authenticated by the Defender Security Server, groups that include the authenticated user's ID are returned to the NAS.

12:Framed-MTU – indicates the maximum transmission unit to be configured for the user when it is not negotiated by some other means (such as PPP)

Specify the required transmission unit in the Value field.

13:Framed-Compression – indicates a compression protocol to be used for the link

• 0 - None
• 1 - VJ TCP/IP header compression
• 2 - IPX header compression
• 3 - Stac-LZS compression

14:Login-IP-Host – indicates the system with which to connect the user, when the Login-Service attribute is included

• 0xFFFFFFFF - NAS should allow the user to select an address
• 0 - NAS should select a host to connect the user to
• Enter a specific value for the address the NAS should connect the user to

25:Class – available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported

Specify that the Class will include:
• individual groups, or
• all groups of which the user is a member.
The default is all groups. When the user has been successfully authenticated by the Defender Security Server, groups that include the authenticated user's ID are returned to the NAS that initiated the authentication request.

26:Vendor Specific – a method for communicating vendor-specific information between Network Access Servers and RADIUS servers. Attribute 26 encapsulates vendor specific attributes, allowing vendors to support their own extended attributes otherwise not suitable for general use.

26:Vendor Specific (Groups)

In the Attribute Id field, type an attribute Id for this customized attribute. In the Type field, click the arrow to select the attribute type, either: Custom Text, Integer, Hex or IP Address.

For further information about RADIUS Payload attributes, go to: www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=2865&type=ftp&file_format=txt
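How the attribute Ids and values in Table 1 are actually carried in the Access-Accept that the Defender Security Server returns to the NAS, as an added example (not Quest's code): each attribute is a Type/Length/Value triple as defined in RFC 2865, Framed-IP-Address uses the sentinel values from the table, and Vendor-Specific wraps a vendor id around the vendor's own sub-attribute. The vendor id, group names and addresses are constructed sample values; the decoder also shows the length checks a receiver needs so a malformed attribute list is rejected rather than misparsed.

```python
"""RFC 2865 attribute encoding for the attribute Ids listed in Table 1.

Added example, not Quest code.  It shows what goes on the wire (the
Access-Accept attribute list) for a payload definition built in the
RADIUS Payload Attributes dialog; the vendor id, group names and
addresses are constructed sample values.
"""
import struct
from ipaddress import IPv4Address
from typing import List, Tuple, Union

# Attribute Ids from Table 1 (RFC 2865 section 5)
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8
FRAMED_IP_NETMASK, FRAMED_ROUTING, FILTER_ID = 9, 10, 11
FRAMED_MTU, FRAMED_COMPRESSION, LOGIN_IP_HOST = 12, 13, 14
CLASS, VENDOR_SPECIFIC = 25, 26

# Special Framed-IP-Address values from Table 1
USER_SELECTS_ADDRESS = 0xFFFFFFFF   # NAS should allow the user to select
NAS_SELECTS_ADDRESS = 0xFFFFFFFE    # NAS should select an address

INTEGER_ATTRS = {SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_ROUTING,
                 FRAMED_MTU, FRAMED_COMPRESSION}
ADDRESS_ATTRS = {FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, LOGIN_IP_HOST}
STRING_ATTRS = {FILTER_ID, CLASS}

Value = Union[int, str, bytes, List[str], Tuple[int, int, bytes]]


def _avp(attr_id: int, value: bytes) -> bytes:
    # RFC 2865 AVP: Type (1 byte), Length (1 byte, includes these two), Value
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_id, len(value) + 2) + value


def encode_attribute(attr_id: int, value: Value) -> bytes:
    """Encode one Table 1 attribute with the value type RFC 2865 gives it."""
    if attr_id in INTEGER_ATTRS:
        return _avp(attr_id, struct.pack("!I", int(value)))
    if attr_id in ADDRESS_ATTRS:
        # Either a dotted address or one of the sentinel integers from the table
        raw = value if isinstance(value, int) else int(IPv4Address(value))
        return _avp(attr_id, struct.pack("!I", raw))
    if attr_id in STRING_ATTRS:
        data = value.encode() if isinstance(value, str) else bytes(value)
        return _avp(attr_id, data)
    if attr_id == VENDOR_SPECIFIC:
        # value = (vendor id, vendor type, vendor data); RFC 2865 section 5.26
        vendor_id, vendor_type, vendor_data = value
        vsa = struct.pack("!BB", vendor_type, len(vendor_data) + 2) + vendor_data
        return _avp(attr_id, struct.pack("!I", vendor_id) + vsa)
    raise ValueError(f"attribute {attr_id} is not in Table 1")


def encode_payload(attrs: List[Tuple[int, Value]]) -> bytes:
    """Serialise a payload definition as an Access-Accept attribute list.
    Filter-Id and Class are emitted once per group, one AVP each."""
    out = b""
    for attr_id, value in attrs:
        if attr_id in STRING_ATTRS and isinstance(value, (list, tuple)):
            for group in value:
                out += encode_attribute(attr_id, group)
        else:
            out += encode_attribute(attr_id, value)
    return out


def decode_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the AVP list back into (attribute id, raw value) pairs,
    rejecting the truncated or over-long lengths a receiver must not trust."""
    pairs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_id, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_id}")
        pairs.append((attr_id, data[i + 2:i + length]))
        i += length
    return pairs


def is_well_formed(data: bytes) -> bool:
    try:
        decode_attributes(data)
        return True
    except ValueError:
        return False


def sample_payload() -> List[Tuple[int, Value]]:
    """A constructed definition: framed PPP access, NAS-assigned address,
    two Filter-Id groups and one vendor attribute (vendor id 99999 is a
    placeholder, not a registered enterprise number)."""
    return [
        (SERVICE_TYPE, 2),                         # 2 - Framed
        (FRAMED_PROTOCOL, 1),                      # 1 - PPP
        (FRAMED_IP_ADDRESS, NAS_SELECTS_ADDRESS),  # 0xFFFFFFFE
        (FRAMED_IP_NETMASK, "255.255.255.0"),
        (FILTER_ID, ["VPN-Users", "Staff"]),       # individual groups
        (VENDOR_SPECIFIC, (99999, 1, b"ok")),      # (vendor id, type, data)
    ]
```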

10. Select OK to return to the Defender RADIUS Payload (attributes) dialog box. The selected attribute Id and value are displayed:

Figure 3: New Object - Defender RADIUS Payload (attributes) dialog box

11. Select OK. The New Object Defender RADIUS Payload (summary) dialog box is displayed:

Figure 4: RADIUS Payload Attributes (summary) dialog box

12. Select Finish to save your settings.

Security Server Configuration

• Introduction
• Creating a New Defender Security Server
• Changing Defender Security Server
• Assigning a Defender Policy
• Changing the Prompts
• RADIUS Payload

Introduction

This section describes how to:

• create a new Defender Security Server
• change the Security Server configuration
• assign a Defender Security Policy to the Security Server
• assign a RADIUS Payload to the Security Server.

The Defender Security Server is the point in your network where user authentication is performed. If authentication is successful, the user is allowed access to the network.

Creating a New Defender Security Server

To create a new Defender Security Server object, click on the Defender OU, then right-click on Security Servers.

1. From the menu, select New.

2. Select Defender Security Server from the list.

3. The New Object – Defender Security Server (name and description) dialog box is displayed:

Figure 1: New Object – Security Server (name and description) dialog box

4. In the Name field, type the name for this Defender Security Server.

5. In the IP Address field, type the IP address of the machine where this Defender Security Server is located.

6. In the Description field, type a description of this Defender Security Server.

7. Select Next to continue. The New Object – Defender Security Server (prompts) dialog box is displayed:

Figure 2: New Object – Defender Security Server (prompts) dialog box

This dialog box lists the prompts that will be displayed to the user as appropriate during the authentication process. The prompts cannot be changed in this dialog box. If you want to change the prompts, refer to Changing the Prompts.

8. Select Next to continue. The New Object – Defender Security Server (summary) dialog box is displayed:

Figure 3: New Object – Defender Security Server (summary) dialog box

9. Select Finish to save your settings.

Changing Defender Security Server

Defender Security Server Properties includes the following tabs:

• Security Server - enables you to modify the IP address of the DSS, change the description, and assign and unassign access nodes
• Prompts - enables you to view and change the prompts displayed to the user during the authentication process
• Policy - enables you to configure a Defender Security Policy
• RADIUS Payload - enables you to configure the RADIUS Payload. When a user has successfully authenticated, the Defender Security Server returns the RADIUS Payload information to the Access Node that initiated the user authentication request.

To configure a Defender Security Server, perform the following steps:

1. Select the Defender OU from the Active Directory tree.

2. Select Security Servers.

3. Right-click the required Defender Security Server.

4. Select Properties from the menu.

5. The securityservername Properties - Security Server dialog box is displayed:

Figure 4: securityservername Properties - Security Server dialog box

The fields in the securityservername Properties - Security Server dialog box are described in the following table:

Table 1: Fields in the securityservername Properties - Security Server dialog box

FIELD NAME

DISPLAYS THE

Address

IP address of the machine where the Defender Security Server is located. To change the IP address, click in the Address field and type the new IP address.

Description

description for this Defender Security Server. To change the description, click in the Description field and type the new description for this Defender Security Server.

Version

version number of the Defender Security Server.


FIELD NAME

DISPLAYS THE

Assigned Access Nodes

The names of the Access Nodes through which users will be allowed to authenticate to this Defender Security Server.

To assign an Access Node:

1. Select Assign. The Select Defender Access Nodes dialog box is displayed:

Figure 5: Select Defender Access Nodes dialog box

2. Double-click the required Access Node in the list. The selected Access Node is displayed in the lower window.

3. Select OK to return to the securityservername Properties - Security Server dialog box.

To remove an Access Node:

1. In the securityservername Properties - Security Server dialog box, click on the required Access Node in the Assigned Access Nodes table.

2. Select Unassign. The selected Access Node is removed from the Assigned Access Nodes table. Select OK to save your settings and return to the Users and Computers tree.

If you have made any changes in the securityservername Properties - Security Server dialog box, click OK to save your settings and return to the Users and Computers tree. For any changes you make to the Defender Security Server configuration to take effect, you must click Apply. The Security Server will automatically refresh the data. The indicator light located in the top left-hand corner of the Defender Security Server dialog box is red while the Defender Security Server is refreshing the data. When the data has been refreshed, a green light is displayed.

Prompts

The Prompts dialog displays a list of the Defender prompt messages that may be seen during authentication requests. These can be changed if required.

Assigning a Defender Policy

To assign a Defender Security Policy to a Defender Security Server, perform the following steps:

1. Select the Defender OU from the Users and Computers tree.

2. Select Security Servers.

3. Right-click on the required Defender Security Server.

4. Select Properties from the menu.

5. The securityservername Properties - Security Server dialog box is displayed:

To change a prompt, select the required prompt from the list:

Figure 6: securityservername Properties - Security Server dialog box

The prompt will appear in the update box at the bottom of the dialog. Make the required changes and select Update.

Policy

The Policy dialog can be used to assign a specific token policy directly to the DSS.

Figure 7: securityservername Properties - Policy dialog box

To assign a token policy:

1. Click Select. The Select Defender Policies dialog box is displayed:

Figure 8: Select Defender Policies dialog box

2. Double-click the required policy. The selected policy is displayed in the lower window.

3. Select OK to save your settings and return to the securityservername Properties - Policy dialog box.

4. To establish which security policy will be effective when a specific user attempts to authenticate, click Effective. The Effective Policy dialog is displayed:

Figure 9: Effective Policy dialog

5. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.

6. In the DAN field, select the Access Node through which the user will attempt to authenticate.

7. To select a user, click Select. The Select Users dialog box is displayed:

Figure 10: Select Users dialog box

8. To search for a specific user, in the Enter the object names to select field, type the required user name, either in full or in part. Select Check Names. All users that match the search criteria are displayed. If more than one user name matches your search criteria, a list is displayed. To select a user, double-click on the required user name. The user name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

9. Select OK to return to the Effective Policy dialog. The effective security policy for the selected user is displayed in the Policy field. The Defender element associated with the effective security policy, either Security Server, Access Node, User Group or User, is displayed in the From field.

10. Select Close to return to the Policy dialog.

If the effective security policy requires the user to authenticate with a token and/or a password, the Use field on the Effective Policy dialog shows whether the user is in possession of a token and/or password. If the user is not in possession of a token and/or password, this is indicated in red. If the attempt to identify the effective policy for a user results in the identification of two or more conflicting security policies, this is indicated in the Policy field on the Effective Policy dialog.

RADIUS Payload

The RADIUS Payload dialog can be used to assign a specific RADIUS Payload directly to the DSS.

Figure 11: servername Properties - RADIUS Payload dialog box

To assign a RADIUS Payload:

1. Click Select. The RADIUS Payload definitions are displayed.

2. Double-click the required RADIUS Payload.

3. Select OK. The selected payload is displayed in the Payload field on the securityservername Properties - Security Server dialog box:

Figure 12: securityservername Properties - RADIUS Payload dialog box

4. To establish which RADIUS Payload definition will be effective when a specific user attempts to authenticate, select Effective. For further information about the effective Payload, refer to RADIUS Payload. The Effective Payload dialog is displayed:

Figure 13: Effective Payload dialog

5. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.

6. In the DAN field, select the Access Node through which the user will attempt to authenticate.

7. To select a user, click Select. The Select Users dialog box is displayed:

Figure 14: Select Users dialog box

8. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Select Check Names. All object names that match the search criteria are displayed. If more than one object name matches your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

9. Select OK to return to the Effective Payload dialog. The effective payload for the selected user is displayed in the Payload field.

10. Select Close to return to the securityservername Properties - RADIUS Payload dialog.

Token Configuration

• Introduction
• Importing Defender Token Serial Numbers
• Token Properties
• Token Details
• User Properties
• Assigning a Token to a User
• Changing the RADIUS Payload

Introduction

This section describes how to:

• import token serial numbers
• display token properties
• assign a token to a user.

For information on the types of token available for use with Defender, refer to the Defender Installation Guide. Before you can generate and assign Defender Desktop Tokens, you must ensure that your Defender Desktop Token license is installed. For further information, refer to the Defender Installation Guide.

Importing Defender Token Serial Numbers

The Defender token serial number is used to associate the token with a user and can be used for later reference or for tracking purposes. A list of serial numbers for the tokens that you have purchased is supplied as part of your Defender package. The serial number is also located on the back of hardware tokens. To import the Defender token serial numbers into the Active Directory:

1. In Active Directory Users and Computers, select the Defender OU. A Defender menu item will appear on the menu bar.

2. Select Import Tokens from the menu.

Figure 1: Import Tokens option

3. The Welcome to the Defender Token Import Wizard dialog box is displayed:

Figure 2: Defender Token Import Wizard Welcome dialog box

4. Select Next. The Defender Import Wizard (File and Key) dialog box is displayed:

Figure 3: Defender Import Wizard (File and Key) dialog box

5. Select Browse to navigate to the directory where the file containing the Defender token definitions is located.

6. Select Paste to paste the key into the Key field in the File and Key dialog box:

Figure 4: Import Defender Token Definitions (File and Key) dialog box

The token definitions file and database key are provided by the Quest distribution team or by your product vendor.

7. Select Next. The Defender Import Wizard (Available Tokens) dialog box is displayed:

Figure 5: Defender Import Wizard (Available Tokens) dialog box

The example screen shot above shows the import of a single Go-6 token, which is a synchronous token. If the token type you are importing can operate in either synchronous (response only) or asynchronous (challenge/response) mode, the dialog will display checkboxes that enable you to select which mode you want the token to operate in: Response Only and/or Challenge Response. For further information, please refer to the Defender Token User Guide.

8. Click Select All to import all available tokens.

9. Select Next. The Defender Import Wizard (Storage Location) dialog box is displayed:

Figure 6: Defender Import Wizard (Storage Location) dialog box

10. To change the default token storage location, click Select. Alternatively, select Next to accept the default location and continue. The Defender Import Wizard (Import Progress) dialog box is displayed:

Figure 7: Defender Import Wizard (Import Progress) dialog box

11. Select Next. The Defender Import Wizard (Import Complete) dialog box is displayed:

Figure 8: Defender Import Wizard (Import Complete) dialog box

12. Select Finish.

Token Properties

To display token properties, select the Tokens OU. A list of token serial numbers is displayed in the right-hand window. Select the required token serial number. The Token dialog box is displayed:

Figure 9: token Properties (Token) dialog box

The fields in the Token dialog box are described in the following table:

Token Type

Displays the type of token selected.

Token Date

For Defender Go-x, Digipass Pro 260 and Digipass Pro 300 tokens this field displays the manufacture date of the token. This date enables you to calculate the approximate expiry of the token's battery. For the Defender Desktop Token, this field displays the activation code expiry date, or indicates that the token has been activated.

Program

Select to program the token. The following token types can be programmed:

• ActivIdentity Series
• Defender Handheld Token
• Defender Handheld Token (Manual)
• Defender Handheld Token Plus
• Defender One token

For further information, refer to the Defender Token Administration Guide.

Reset

Select to synchronize the token with the Defender Security Server. The token generates a one-time password that is based on an internal time clock and DES keys. For successful authentication, the Defender Security Server must agree with the token's time clock and DES keys. The token's time clock can become out-of-sync with the Defender Security Server. If this value is out-of-sync, the user will not be able to use the token for authentication. If access is denied, the token clock must be synchronized with the Defender Security Server clock. To re-synchronize:

1. Select Reset. You are asked to confirm that you want to reset the token.

2. Select Yes in the message box.

Instruct the user to use their token to generate a one-time password and use it for Defender authentication.

Test

Select to verify that the token is programmed correctly and that it is valid for the user. The use of this option requires that the token is available for testing. To test that a Defender token is functioning correctly:

1. Select Test in the Token dialog box. The Test Token dialog box is displayed:

Figure 10: Test Token dialog box

2. Ask the user to provide you with the one-time password displayed on the token, type the one-time password in the Response field in the Test Token dialog, and then click Verify. A message indicates whether the token tested successfully. Select OK.

If the token test failed, it is possible that either:

• you entered the response incorrectly
• the token is out of sync.

Recover

Enables you to remotely recover a Defender One Token, Defender Handheld Token Plus or Defender Windows Desktop token after it has:

• reached its preset use limit
• been invalidated because the user exceeded the preset number of bad PIN attempts.

Recover also enables you to reset a passphrase for a Defender Windows Desktop Token. These values are defined in the token profile assigned to the user. To recover the token:

1. Select Recover. The Recover Token dialog box is displayed.

2. Type the Unlock Challenge obtained from the token, and then click Get Response.

3. Enter the response into the token to complete the recover procedure.

Assign

Click to assign a Defender token to one or more users. Select Assign. The Select Users dialog box is displayed:

1. In the Enter the object names to select field, type the name of the user that you want to assign the token to. Alternatively, type part of the name, then click Check Names to display a list of matching user names. Select the required user name. The selected user is displayed in the Assigned Users table. Repeat Step 1 to assign the token to more than one user.

2. Select OK to save your settings.

A token can be assigned to one or more users, and a user can be assigned one or more tokens.

Unassign

Click to unassign a Defender token from a user or group. To unassign a token:

1. Select the required token from the Assigned Tokens table.

2. Select Unassign. The details for the token you selected are removed from the Assigned Tokens table. After you have clicked Unassign, the action cannot be cancelled using the Cancel button.

Token Details

The fields on the Details dialog box will vary depending on the type of token selected. The Details dialog box for a Go-6 token is shown below:

Figure 11: token Properties (Details) dialog box

The fields on the Details dialog box for Defender Go-x, Digipass Pro 260 and Digipass Pro 300 tokens are described in the following table:

SETTING

VALUE

Token Type

the type of token. For a list of supported token types, refer to Defender Tokens.

Usage Count

number of times this token has been used for successful authentication.

Last Token Time Used

time of the most recent successful authentication.

Last Token Time Shift

time difference between the token clock and the Defender Security Server clock.

Current Error Count

n/a

Binary Codeword

n/a

Triple DES flag

indicates whether Triple DES is enabled or disabled for this token

Challenge/Data fields nbr

n/a

Response Length

number of digits included in a response

Output Type

decimal or hexadecimal

Checksum Requested Flag

n/a

Time Step used if any

the time interval at which new responses are generated by the token.

The Details dialog box for the Defender Software Token is shown below:

Figure 12: Defender Software Token token Properties (Details) dialog box

The fields on the Details dialog box for the Defender Software Token are described in the following table:

SETTING

VALUE

Token Type

the type of token. For a list of supported token types, refer to Defender Tokens.

Encryption Type

AES, DES or TripleDES.

Response Length

number of digits included in a response.

Response Type

challenge/response or response only.

Response Format

decimal or hexadecimal.

Activation Key

the key required to activate this token. Once activated the key is no longer displayed.

Status

indicates whether this token has been activated.

User Properties

This section describes:

• how to assign a token to a user
• the Defender tab
• how to assign a token policy to a user
• how to assign a RADIUS Payload to a user.

Assigning a Token to a User

To assign a token to a user, perform the following steps:

1. From Active Directory Users and Computers, select Defender.

2. Select Users.

3. In the right-hand window, right-click the required user or group.

4. Select Properties from the menu.

5. The username Properties - General dialog box is displayed.

6. Select the Defender tab. The username Properties - Defender dialog box is displayed:

Figure 13: username Properties - Defender dialog box

7. To assign an existing token to this user or group, click Add. The Assign Token To User dialog box is displayed:

Figure 14: Assign Token To User dialog box

8. In the Token Serial Number field, type the serial number of the token you want to assign to the user, in full or in part.

9. To restrict the search to tokens that are not assigned to users, check the Show unassigned tokens only checkbox.

10. To search for a specific type of token, click the arrow in the Token Type field and select the token type from the list.

11. Select OK. The Select Defender Tokens dialog box is displayed:

Figure 15: Select Defender Tokens dialog box

12. Double-click the required token in the list. The selected token is displayed in the lower window.

13. Select OK to save your selection and return to the Defender dialog box. The selected token is displayed in the Token Management table.

14. Select OK to save your settings.

The fields and buttons in the Defender dialog box are described in the following table:

Table 1: Fields and buttons in the Defender dialog box

FIELD OR BUTTON

DESCRIPTION

Token Management

displays the type, serial number and whether the PIN is enabled for the token(s) assigned to this user or group.

Program

click to program the Defender Token for the selected user.

Recover

Enables you to remotely reset:

• a Defender One Token or Defender Handheld Token Plus after it has:
  • reached its preset use limit
  • been invalidated because the user exceeded the preset number of bad PIN attempts.
  Both of these values are defined in the token profile assigned to the user.
• a Defender Desktop Token passphrase.

Test

Click to verify that the token is programmed correctly and that it is valid for the user. To test that a Defender token is functioning correctly:

1. Select Test in the Tokens dialog box. The Test Token dialog box is displayed:

Figure 16: Test Token dialog box

2. Enter the one-time password displayed on the token in the Response field in the Test Token dialog, and then click Verify. A message indicates whether the token tested successfully. Select OK.

If the token test failed, it is possible that either:

• you entered the response incorrectly
• the token is out of sync.

If a PIN is enabled for the token, the PIN can also be tested when you test the token response.

123

Defender Configuration Guide

FIELD OR BUTTON

DESCRIPTION Click to: •

re-synchronize the user’s token



allocate a temporary password to this user.

Helpdesk

Figure 17: Helpdesk dialog box

Resetting a Token The Reset button is used to re-synchronize the Defender Token. The Defender Token generates a one-time password that is based on an internal time clock and DES keys. For successful authentication, the Defender Security Server must agree with the token's time clock and DES keys. The token's time clock can become out-of-sync with the Defender Security Server. If this value is out-of-sync, the user will not be able to use the token for authentication. If access is denied, the Defender Token clock must be synchronized with the Defender Security Server clock.

To synchronize the Defender Security Server with a Defender token:

1. Select Reset. You are asked to confirm that you want to reset the token.
2. Select Yes in the message box.
3. Instruct the user to use their token to generate a one-time password and use it for Defender authentication.
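The following is an added illustration of why a time-based token drifts out of sync and what a helpdesk Reset does to recover it. It is not Defender's own algorithm or code: the guide says the token derives its response from an internal clock and DES keys but does not specify the scheme, so this toy uses HMAC-SHA1 over a 30-second time step with the Python standard library only. The time step, window sizes, response length, secret and drift values are all assumptions.

```python
"""Time-based one-time-password check with a drift window and a helpdesk reset.

Added illustration, not Defender's own algorithm or code. The time step,
window sizes, secret and clock drift values are assumptions.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30          # seconds per OTP slot (assumption)
NORMAL_WINDOW = 2       # slots searched either side of the server clock (assumption)
RESET_WINDOW = 100      # much wider search allowed once after a helpdesk Reset (assumption)
DIGITS = 8              # response length (assumption)


def otp(secret: bytes, slot: int, digits: int = DIGITS) -> str:
    """Derive the response for one time slot (HMAC-based, RFC 4226 style truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """A token whose clock runs ahead of (or behind) true time by drift_seconds."""

    def __init__(self, secret: bytes, drift_seconds: int = 0):
        self.secret = secret
        self.drift = drift_seconds

    def generate(self, true_time: int) -> str:
        return otp(self.secret, (true_time + self.drift) // TIME_STEP)


class SecurityServer:
    """Holds the token secret plus a per-token clock offset learned at Reset."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset_slots = 0       # correction applied after a successful Reset
        self.pending_reset = False

    def reset(self) -> None:
        """Helpdesk Reset: the next valid response re-learns the token's clock offset."""
        self.pending_reset = True

    def verify(self, response: str, server_time: int) -> bool:
        base = server_time // TIME_STEP + self.offset_slots
        window = RESET_WINDOW if self.pending_reset else NORMAL_WINDOW
        for delta in range(-window, window + 1):
            if hmac.compare_digest(otp(self.secret, base + delta), response):
                if self.pending_reset:
                    self.offset_slots += delta     # token clock is `delta` slots off
                    self.pending_reset = False
                return True
        return False


def demo() -> dict:
    """Token 10 minutes fast: rejected, then accepted after Reset, then stays in sync."""
    secret = b"constructed-demo-secret"          # constructed sample key
    now = 1_700_000_000
    token = Token(secret, drift_seconds=600)     # 20 slots ahead of the server
    server = SecurityServer(secret)
    before = server.verify(token.generate(now), now)
    server.reset()
    after_reset = server.verify(token.generate(now), now)
    later = server.verify(token.generate(now + 300), now + 300)
    return {"before": before, "after_reset": after_reset, "later": later}


if __name__ == "__main__":
    print(demo())   # {'before': False, 'after_reset': True, 'later': True}
```

In this toy the wide search window exists only for the single response that follows a Reset, which is why the guide has the helpdesk confirm the action and then has the user authenticate immediately: while the reset is pending the server accepts any of 201 candidate responses instead of 5, so a guessed response has a correspondingly better chance of being accepted.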

Assigning a temporary password

A temporary password can be assigned to a token for a limited period of time. This may be necessary if the user requires access to the system, but does not have their token with them. To assign a temporary password:

1. Click the arrow in the Expires field and select the period of time that the temporary password will be valid. The default value is 5 hours.
2. To allow the password to be used more than once for authentication, check the Allow password to be used multiple times box. If this box is unchecked, the password can be used only once for authentication.
3. The temporary password is displayed in the Password field. Select Assign to assign the password to the user.

To remove the temporary password settings for this user, click Clear.

Unassign

Click to unassign a Defender token from a user or group. To unassign a token:

1. Select the required token from the Assigned Tokens table.
2. Select Unassign.
3. You are asked whether you also want to delete the token profile. Select Yes to delete both the token profile and the token assignment for this user. Select No to delete only the token assignment; the token profile remains in the Defender system and can be re-assigned as required.

After you have clicked Unassign, the action cannot be cancelled using the Cancel button.

Add

Click to assign a Defender token to one or more users. To assign a token:

1. Select Add. The Select Defender Tokens dialog box is displayed:

Figure 18: Select Defender Tokens dialog box

2. Double-click the required token. The selected token is displayed in the lower window.
3. Select OK to save your settings and return to the Defender dialog box. The selected token is displayed in the Token Management window.

Set PIN

Click to set the PIN for this Defender token. The Set PIN dialog box is displayed:

Figure 19: Set PIN dialog box

1. Check the Enable PINs checkbox to enable PINs to be set for this user's tokens.
2. In the New PIN field, type the new 1 - 8 character PIN.
3. In the Confirm PIN field, type the new 1 - 8 character PIN again to confirm that it is correct.
4. If you want this PIN to expire, check the Expire checkbox.
5. Select OK.

The Set PIN option is available for all supported hardware and software tokens, except the Defender Windows Desktop Token.

Password

Enables you to specify the Defender password that the user will enter during the authentication process. The password is only required if Defender Password is selected as the authentication method in either the First or Second field on the Defender Policy dialog box for the Defender Security Policy assigned to this user. To specify the password:

1. Select Password. The Set Defender Password dialog box is displayed:

Figure 20: Set Defender Password dialog box

2. In the Password field, type the password that the user will enter during the authentication process.
3. In the Confirm field, type the password again to confirm it.
4. Select OK to save your settings and return to the Defender dialog box.

Authentication Details

Defender ID

type the Defender ID that will be used by the Defender Security Server to identify the user. This entry is only required if Defender ID is selected in the User ID field for the Access Node assigned to this user. For further information, refer to Creating a New Access Node.

Violation Count

displays the number of violations accumulated by this user. The violation count is incremented each time the user exceeds the specified number of invalid logon attempts. For further information, refer to Creating a New Defender Security Policy.


Reset Count

displays the number of times this account has been reset following an account lockout.

Last Logon

displays the time and date of the last successful logon.

Reset

click to reset the Violation Count to zero and increment the Reset Count.

Assigning a Defender Security Policy to a User

To assign a Defender Security Policy to a user, perform the following steps:

1. Select the Policy tab. The Policy dialog box is displayed:

Figure 21: username Properties - Policy dialog box

2. Click Select. The Select Defender Policies dialog box is displayed:

Figure 22: Select Defender Policies dialog box

3. Double-click the required Defender Security Policy in the list. The selected policy is displayed in the lower window. Alternatively, type the required policy name, in full or in part, in the lower window and select Check Names. A list of all matching policy names is displayed; double-click the required policy in the list.
4. Select OK to return to the Policy dialog box. The selected policy is displayed in the Policy field.

Figure 23: Defender username Properties - Policy Tab

5. To remove a policy from this user profile, click Clear.
6. To establish which security policy will be effective when a specific user attempts to authenticate, click Effective. The Effective Policy dialog is displayed:

Figure 24: Effective Policy dialog

7. In the DSS field, select the Defender Security Server that will be used to authenticate the user.
8. The currently selected Access Node is displayed in the DAN field. This is the Access Node through which the user will attempt to authenticate. You can, if required, select a different Access Node.
9. Select Close.

Assigning a RADIUS Payload to a User

To change the RADIUS Payload information specified for this user, perform the following steps:

1. Select the RADIUS Payload tab. The RADIUS Payload dialog box is displayed:

Figure 25: username Properties - RADIUS Payload dialog box

2. Click Select. The RADIUS Payload definitions are displayed.
3. Double-click the required RADIUS Payload.

4. Select OK. The selected payload is displayed in the Payload field on the username Properties - RADIUS Payload dialog box:

Figure 26: username Properties - RADIUS Payload dialog box

5. To inherit RADIUS Payload information from the Access Node(s) to which this user is assigned, check the Inherit payload entries from parent checkbox.
6. To establish which RADIUS Payload definition will be effective when this user is authenticated, click Effective.

7. The Effective Payload dialog box is displayed:

Figure 27: Effective Payload dialog box

8. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.
9. In the DAN field, select the Access Node through which the user will attempt to authenticate.
10. Select Close.

Defender Group Policy

Defender Group Policy provides an administrative template that includes the following additional features:

• an option to limit the available expiry time for the Temporary HelpDesk Token feature
• an option to include a Send Mail feature that allows the token activation code for a newly programmed Desktop Token to be sent by email
• configuration options for programming Defender Desktop Tokens when managing Defender using the ActiveRoles Web Interface.

To install the Defender Group Policy, perform the following steps:

1. From the Defender Administration Console folder on the Defender Autorun CD, copy the file called DefenderGroupPolicy.adm to %windir%\inf
2. On a domain controller, start the Group Policy Object Editor (run gpedit.msc).
3. Navigate to Computer Configuration\Administrative Templates.
4. From the Action menu, select Add/Remove Templates....
5. On the dialog that is now displayed, click Add, then select DefenderGroupPolicy.adm
6. On the Add/Remove Templates dialog, click Close.


Defender specific settings can now be edited and deployed, together with standard Windows policy settings.

On Windows 2008 the template will appear within the Classic Administrative Templates (ADM) folder.

Temporary Responses

To limit the expiry time that can be set for a temporary HelpDesk Token response:

1. On the Temporary Responses Properties dialog, select Enabled.

Figure 28: Temporary Responses Properties dialog

2. In the Maximum expiry time field, select the maximum length of time that a temporary HelpDesk Token response can remain valid.
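The following added example models the temporary password behaviour described under Assigning a temporary password (an expiry period defaulting to 5 hours, single-use unless "Allow password to be used multiple times" is checked, and Clear to revoke it) together with the Group Policy Temporary Responses maximum expiry described above. It is not Defender's code: how Defender generates, stores and checks the temporary password is not described in the guide, so the password format, the hashed storage and the policy maximum of 8 hours are assumptions.

```python
"""Temporary (helpdesk) password issuance and verification.

Added example, not Defender's code. Models the expiry period, single-use
versus multi-use, Clear, and the Group Policy maximum expiry clamp. The
password format, hashed storage and policy value are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

DEFAULT_EXPIRY_SECONDS = 5 * 3600      # guide: the default expiry is 5 hours
POLICY_MAX_EXPIRY_SECONDS = 8 * 3600   # assumption: "Maximum expiry time" set via Group Policy


@dataclass
class TemporaryPassword:
    digest: bytes        # only a hash of the password is kept server-side (assumption)
    expires_at: int      # absolute time, same units as `now` below
    multi_use: bool


@dataclass
class UserRecord:
    temp: Optional[TemporaryPassword] = None


def _hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def assign_temporary_password(user: UserRecord, now: int,
                              expiry_seconds: int = DEFAULT_EXPIRY_SECONDS,
                              multi_use: bool = False) -> str:
    """Helpdesk 'Assign': returns the clear-text password once, to be given to the user."""
    if expiry_seconds <= 0:
        raise ValueError("expiry must be positive")
    # Group Policy clamp: the helpdesk cannot exceed the administrator-set maximum.
    expiry_seconds = min(expiry_seconds, POLICY_MAX_EXPIRY_SECONDS)
    password = secrets.token_hex(4)    # 8 hex characters; format is an assumption
    user.temp = TemporaryPassword(_hash(password), now + expiry_seconds, multi_use)
    return password


def clear_temporary_password(user: UserRecord) -> None:
    """Helpdesk 'Clear': revoke whatever temporary password is outstanding."""
    user.temp = None


def verify_temporary_password(user: UserRecord, candidate: str, now: int) -> bool:
    """Server-side check: expired or consumed passwords are discarded, not retried."""
    t = user.temp
    if t is None:
        return False
    if now >= t.expires_at:
        user.temp = None
        return False
    if not hmac.compare_digest(t.digest, _hash(candidate)):
        return False
    if not t.multi_use:
        user.temp = None               # single-use: consumed on first success
    return True


if __name__ == "__main__":
    u = UserRecord()
    pw = assign_temporary_password(u, now=0)
    print(verify_temporary_password(u, pw, 10), verify_temporary_password(u, pw, 11))
```

A temporary password stands in for the token, so the two knobs the guide exposes are the ones that bound its exposure: leave "Allow password to be used multiple times" unchecked unless the user genuinely needs repeated logons, and set the Group Policy maximum so that a helpdesk operator cannot hand out a multi-day bypass.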

ActiveRoles Server Web Interface - Token Programming

1. Select Next Setting to configure the token programming availability options. This option is only for use with the ActiveRoles Server Web Interface.
2. Select Enabled.
3. Enable or disable the token types and token programming modes from the Options section.

Mail Configuration

1. Select Next Setting to configure the SMTP server details for the distribution of token activation codes.
2. Select Enabled.
3. In the SMTP Server field, enter the IP Address of the SMTP Server.
4. In the SMTP Server Port field, enter the port number of the SMTP Server.
5. In the Address from which to send mails field, enter the email address from which all activation code emails will be sent.
6. In the CC address to which mails are sent field, enter the email address to which a copy of each activation code email will be sent. Because this mailbox receives a copy of every activation code, restrict access to it as you would to the tokens themselves.
7. If required, you can include standard text that will be printed at the bottom of each activation code email that is sent.
8. Select OK to save all settings.


Sending an Activation Code by Email

When Defender Group Policy is installed, the Send E-Mail checkbox and Send To field are available on the Defender Token Programming Wizard, Save Activation Codes dialog.

To send the activation code for a newly programmed Desktop Token to the user by email:

1. Check the Send E-Mail checkbox.
2. In the Send To field, enter the token recipient's email address. If an email address is configured on the user's Active Directory account, it is displayed automatically in the Send To field.
3. Select Next to save the settings and continue with the Defender Token Programming Wizard. For further information, refer to the Defender Token Administration Guide.