SurePassID Local Agent Guide SurePassID Authentication Server 2016

Similar documents
ServicePass Installation Guide SurePassID Authentication Server 2017

Desktop Authenticator Guide. SurePassID Authentication Server 2017

SurePassID ServicePass User Guide. SurePassID Authentication Server 2017

RapidIdentity Mobile Guide

AT&T Cloud Web Security Service

Integration Guide. SafeNet Authentication Service (SAS)

SurePassID Authenticator Guide. SurePassID Authentication Server 2017

Integration Guide. LoginTC

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Integration with SecureAuth PKI Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Horizon Workspace Administrator's Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Google Authenticator Guide. SurePassID Authentication Server 2017

Azure MFA Integration with NetScaler

VMware AirWatch Integration with RSA PKI Guide

DIGIPASS Authentication to Citrix XenDesktop with endpoint protection

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Dell OpenManage Mobile Version 1.0 User s Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. CyberArk Enterprise Password Vault

Mobility Manager 9.5. Users Guide

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

McAfee Cloud Identity Manager

External Authentication with Checkpoint R77.20 Authenticating Users Using SecurAccess Server by SecurEnvoy

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Barracuda Networks NG Firewall 7.0.0

Revised: 08/02/ Click the Start button at bottom left, enter Server Manager in the search box, and select it in the list to open it.

Cloud Access Manager Overview

VMware AirWatch Tizen Guide

4TRESS AAA. Out-of-Band Authentication (SMS) and Juniper Secure Access Integration Handbook. Document Version 2.3 Released May hidglobal.

McAfee Cloud Identity Manager

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Two factor authentication for Microsoft Remote Desktop Web Access

McAfee Cloud Identity Manager

Identity Firewall. About the Identity Firewall

Cloud Access Manager Configuration Guide

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Authlogics Forefront TMG and UAG Agent Integration Guide

CONFIGURING BASIC MACOS MANAGEMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

McAfee Cloud Identity Manager

pinremote Manual Version 4.0

USER GUIDE. CTERA Agent for Windows. June 2016 Version 5.5

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

AT&T Business Messaging Account Management

VMware AirWatch Epson Printer Integration Guide Using Epson printers with Workspace ONE UEM

VMware AirWatch Integration with Palo Alto Networks WildFire Integrate your application reputation service with AirWatch

Checklist. Version 2.0 October 2015

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

SafeNet Authentication Service

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Cisco Adaptive Security Appliance 9.5(2)

VMware AirWatch Android Platform Guide

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

<Partner Name> <Partner Product> RSA SECURID ACCESS. Pulse Secure Connect Secure 8.3. Standard Agent Client Implementation Guide

McAfee Cloud Identity Manager

BlackBerry UEM Configuration Guide

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

Configuration Guide. BlackBerry UEM. Version 12.9

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

Pulse Policy Secure. Identity-Based Admission Control with Check Point Next-Generation Firewall Deployment Guide. Product Release 9.0R1 Document 1.

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Installing and Configuring vcloud Connector

VMware AirWatch Self-Service Portal End User Guide

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM

Using CSE Cisco Anyconnect with 2FA

Advanced Authentication 6.0 includes new features, improves usability, and resolves several previous issues.

SafeNet Authentication Service

Integrating AirWatch and VMware Identity Manager

VMware AirWatch Integration with Microsoft ADCS via DCOM

Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

VMware Content Gateway to Unified Access Gateway Migration Guide

AT&T Toggle. 2/3/2014 Page i

VMware Horizon Client for Windows 10 UWP User Guide. Modified on 21 SEP 2017 VMware Horizon Client for Windows 10 UWP 4.6

Workspace Secure Container for Mobile Devices

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Establishing two-factor authentication with Cisco and HOTPin authentication server from Celestix Networks

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with Check Point Security Gateway

<Partner Name> <Partner Product> RSA SECURID ACCESS. VMware Horizon View 7.2 Clients. Standard Agent Client Implementation Guide

VMware AirWatch Integration with Palo Alto Networks WildFire Integrate your application reputation service with AirWatch

Dell OpenManage Mobile Version 1.0 User s Guide

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

SafeNet Authentication Service

Establishing two-factor authentication with Barracuda SSL VPN and HOTPin authentication server from Celestix Networks

Administering Jive Mobile Apps for ios and Android

VMware PIV-D Manager Deployment Guide

Establishing two-factor authentication with Juniper SSL VPN and HOTPin authentication server from Celestix Networks

VMware AirWatch Datamax-O Neil Integration Guide

VMware AirWatch Content Gateway Guide for Linux For Linux

Remote Support Security Provider Integration: RADIUS Server

McAfee Cloud Identity Manager

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

CRYPTOCard BlackBerry Token Implementation Guide

VII. Corente Services SSL Client

Aventail Connect Client with Smart Tunneling

McAfee Cloud Identity Manager

SafeNet Authentication Service

Transcription:

SurePassID Local Agent Guide SurePassID Authentication Server 2016

SurePassID Local Agent Guide Revision: 03 10 2016 You can find the most up-to-date technical documentation at: http://www.surepassid.com The SurePassID web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: support@surepassid.com 2013-2016 SurePassID, Corp. All rights reserved. Protected by patents pending. SurePassID, the SurePassID logo and design, and Secure SSO are registered trademarks or trademarks of SurePassID, Corp. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. SurePassID, Corp. 13750 W. Colonial Drive Winter Garden, FL 34787 www.surepassid.com 0B SurePassID Local Agent Guide Page 2 of 26

Table of Contents Table of Figures... 3 Introduction... 5 What is the SurePassID Local Agent?... 6 Security... 6 System Logging... 6 Installing the Local Agent... 7 Configuring the Radius Server... 14 Example 1 Login Using Single Factor... 20 Example 2 Login Using Code from Hard or Soft Token... 21 Example 3 Login Using SMS, Email or Voice Code... 22 Example 4 Login Using SMS Question... 23 Configuring the Directory Sync Application... 25 Configuring the Event Log Sync Application... 26 Table of Figures Figure 1: Start Installation... 7 Figure 2: Specify Install Options... 8 Figure 3: Confirm Install... 9 Figure 4: Installing... 10 Figure 5: Installation Complete... 11 Figure 6: Installed System Component... 12 Figure 7: Installed Services... 12 Figure 8: Installation Directory Tree... 13 Figure 9: Start Configuration Application... 15 Figure 10: SurePassID Server Settings... 16 Figure 11: SurePassID Account Settings... 18 Figure 11: Radius Server Settings... 19 Figure 12: Single Factor VPN Login... 21 Figure 13: Two Factor Authentication with Token... 21 Figure 14: Two Factor Authentication with SMS Text Code... 22 Figure 15: Two Factor Authentication with Voice Call... 22 Figure 16: Two Factor Authentication with Email... 23 Figure 17: Two Factor Authentication with SMS Question... 24 SurePassID Local Agent Guide Page 3 of 26

SurePassID Local Agent Guide Page 4 of 26

Introduction This guide explains how to install and configure the SurePassID Local Agent to meet your organization s security needs. The purpose of this guide is to provide a reference for system administrators. This guide provides information on the following topics: What is SurePassID Local Agent? o A brief introduction to the SurePassID Local Agent and how it can help you get the most out of the SurePassID authentication system. Installing and Configuring SurePassID Local Agent o Detailed explanations for installing, configuring and maintaining the SurePassID Local Agent. Other SurePassID Guides The SurePassID Local Agent Guide has the following companion guides that provide additional detail on specific topics for SurePassID: Server API Guide Fido U2F Mobile API Guide System Administration Guide Desktop OTP Authenticator Guide Google Authenticator Guide Window Login Authentication Guide SurePassID Local Agent Guide Page 5 of 26

What is the SurePassID Local Agent? The SurePassID Local Agent integrates SurePassID into your existing enterprise as part of your on-premises datacenter. The SurePassID Local Agent is installed in your datacenter typically behind your firewall. The SurePassID Local Agent is comprised of the following components: Radius Server A system service that allows SurePassID to authenticate users from any Radius-compliant system such as Microsoft Universal Access Gateway, VPN devices (Cisco, Sonic Wall, etc.), Wi-Fi Access points, etc. Event Log Synchronization App A Power Shell application that can pull SurePassID Audit Trail events into Windows Event Logs synchronizing your system management tools to manage SurePassID. User Synchronization App - A Power Shell application that can update SurePassID user information from your existing directory service. SurePassID only allows you to update information such as First Name, Last Name, Phone Number, Email, etc. SurePassID never synchronizes passwords. Security SurePassID Local Agent uses transport level security (SSL) at a minimum. Optionally SurePassID Local Agent can be configured to use message level security for a higher level security. Message level security requires an X509 certificate exchange between SurePassID and your on-premises systems. System Logging All of SurePassID sub-agents maintain their own system log files and write critical information to the system log. In tandem these two different event logs help you troubleshoot and repair any issues that a sub-agent system might encounter during daily operations. SurePassID Local Agent Guide Page 6 of 26

Installing the Local Agent The SurePassID Local Agent installer will install all of the Local Agent components. After the SurePassID Local Agent is installed you can configure the Radius component using the Configuration Manager app that will be installed as part of the installation. The Event Log Sync App and Directory Sync App are configured by modifying parameters in their command-line arguments and configuration files. To start the installation you must first download the installation file SurePassLocalAgent.exe to one of your Windows servers such as Windows Server 2008, Windows Server 2012 or Windows Server 2015. After the file has been downloaded, run SurePassLocalAgent.exe and you will see the following installation screen. Click the Next button. Figure 1: Start Installation SurePassID Local Agent Guide Page 7 of 26

Figure 2: Specify Install Options Specify the installation settings and press the Next button. SurePassID Local Agent Guide Page 8 of 26

Figure 3: Confirm Install Select the Install button to confirm installation or select the Cancel to stop the installation. Selecting the Install button will start installing the software as shown below: SurePassID Local Agent Guide Page 9 of 26

Figure 4: Installing After the software has been installed you will see the following screen. SurePassID Local Agent Guide Page 10 of 26

Figure 5: Installation Complete This screen indicates that the software has been installed. The SurePassID Local Agent has now been installed. You can select the Exit button. To verify installation you can review the Installed Programs located in the Control Panel applet as shown below: SurePassID Local Agent Guide Page 11 of 26

Figure 6: Installed System Component As part of the installation the SurePass Radius Service is installed as shown below: Figure 7: Installed Services SurePassID Local Agent Guide Page 12 of 26

By default, this service is installed in a non-running state as shown below. This allows you to configure the service and then start it only when you plan to use it. When you plan to use the SurePass Radius Service, you should set the service to start automatically. The installation process also creates the following directory tree structure shown below. It is important to note that: Figure 8: Installation Directory Tree Each component has its own folder; and Each component has its own Trace sub-folder for storing the sub-agent traces and log files. SurePassID Local Agent Guide Page 13 of 26

Configuring the Radius Server The Radius Server allows you to add two-factor authentication (two-step authentication) to any system that supports Radius. The server supports the following Radius features: Challenge Response The user can be challenged for many different credentials. Most of the time, the challenge will be to provide a One-Time Password after successfully entering in a valid username and password. Some Radius devices (such as VPNs) only support single-factor authentication. Two-factor authentication can still be used by appending the One-Time Password to the user s password. Proxy Server Chaining In Radius authentication, there can often be multiple Radius servers as part of the authentication process. The Radius Server also supports the following directories for single-factor (username and password) authentication: Active Directory For tight integration with existing enterprise Identity Management Systems SurePass Directory For use with other cloud systems or external users that are not part of the existing enterprise Active Directory forest. LDAP Directory For companies that use an LDAP directory such as Unix and Linux systems. The Radius Server also supports the pushing of One-Time Codes to the user. The choices are: SMS Code An SMS text code is sent to the user. This code is concatenated after the user s password. SMS Question A question is sent to the user s mobile device asking the user to confirm a request to allow access to the system. If the user responds positively, the user is allowed to login with just username and password. Voice Code A call is made to the user giving the user a code. This code is concatenated after the user s password. Email Code An email is sent to the user which contains a code in the email. This code is concatenated after the user s password. HINT: All messages sent to the user can be tailored to your company s needs in the SurePass portal using the Customize SMS Messages and Customize Email Messages menus. SurePassID Local Agent Guide Page 14 of 26

The SurePassID Local Agent Configuration application is used to configure the Radius and Directory Authentication Services. To configure the services, select SurePassID Local Agent Configuration from the Windows Start menu as shown below: Figure 9: Start Configuration Application SurePassID Local Agent Guide Page 15 of 26

Configuration Manager Figure 10: SurePassID Server Settings The application has two folder tabs. These tabs are: SurePass Server Configuration settings for identifying your SurePass account. Radius Agent Configuration settings for the SurePass Radius Server specific. The SurePass Server tab has the following fields: SurePassID Local Agent Guide Page 16 of 26

Endpoint URL The SurePassID authentication Endpoint URL. In most cases, you will not need to change this unless you are using a custom SurePassID installation. Only change this parameter if you are instructed by SurePassID Technical Support. Endpoint Binding The WCF binding that SurePassID will use to communicate with the SurePass server Endpoint. Only change this parameter if you are instructed by SurePassID Technical Support. Test Server Connection Button This button will verify that this server has connectivity to the SurePass server. If this fails, then steps must be taken to determine where the connection fails. Common problems are (1) port 443 is not open in the firewall, (2) the SurePass Endpoint URL is invalid, (3) no Internet connectivity, (4) other problems. Server Login Name - The login name for your SurePassID account. Server Login Password - The login password for your SurePassID account. Test Server Credentials Button This button will verify that the Server Login Name and Server Login Password are correct. IMPORTANT: Before trying this, make sure you have successfully connected to the server via pressing the Test Server Connection button. Open Trace Viewer Button This button will display the Radius Server trace log. This can be useful for verifying initial system connectivity, trouble-shooting system configuration, login failures, and performance related issues. The Server Login Name and Server Login Password can be retrieved from your SurePass account as shown below. To view the password, click the lock icon to toggle the display of the password: SurePassID Local Agent Guide Page 17 of 26

Figure 11: SurePassID Account Settings Configuring the Radius Server Selecting the Radius Server tab and the following form will be displayed: SurePassID Local Agent Guide Page 18 of 26

Figure 11: Radius Server Settings The Radius Server tab has the following fields: Enable Radius Server Check this box to enable the radius server. Port The UDP port that the radius server will listen on. Radius Client White List - The first three radius devices that are permitted to communicate with the SurePassID Radius service. o IP The IP of address of the radius client device o Secret The shared secret on the radius client device. Edit White List Button Add, update or remove White list IP address Enable Radius Server Check this box to enable the radius server. SurePassID Local Agent Guide Page 19 of 26

Allow single-factor authentication for users without a device Check this box if you will have some users logging in that will not have a twofactor authentication device. Users who are assigned a two-factor authentication device must provide the second factor of authentication. Single-Factor Authentication Method Check the appropriate method to validate the user s name and password. o Authenticate with SurePass Directory Check this box to use the SurePass directory o Authenticate with Active Directory/LDAP Check this box to use Active Directory or LDAP o None Only authenticate OTP Check this box to instruct the SurePass Radius server to only check the OTP. This means the access control hardware (VPN/firewall/etc.) will validate the username locally or with some external directory such as Active Directory/LDAP first and then prompt the user for the OTP and send it to SurePass Radius server. After making changes, you can start the SurePass Radius Server. If the server is already running then the server will automatically pick up the changes. VPN End-User Login Overview & Examples Example 1 Login Using Single-Factor Logging into your VPN with single-factor authentication is a fairly straight forward and legacy process that requires only the username and password. Typically, you follow these steps: 1. Start VPN client software 2. Enter username 3. Enter password SurePassID Local Agent Guide Page 20 of 26

Figure 12: Single-Factor VPN Login 4. Press OK button to authenticate When you use two-factor authentication, the process changes slightly because you will need to enter the second factor code in addition to the username and password. Example 2 Login Using Code from Hard or Soft Token You will follow these steps if you have a device that displays a second factor code such as a hard token (OTP display smart card, key fob, etc.) or a soft token (SurePassID desktop token, mobile OTP apps such as Google Authenticator, Nymi Companion App, etc.) 1. Start VPN client software 2. Enter username 3. Enter password and concatenate the second factor code that is displayed from the device. In this example, the number displayed on the device is 034761 as show below: Figure 13: Two-Factor Authentication with Token SurePassID Local Agent Guide Page 21 of 26

4. Press OK button to authenticate Example 3 Login Using SMS, Email or Voice Code You will follow these steps if you want to have a second factor code sent to you via SMS Text, Voice Call, or Email: 1. Start VPN client software. 2. Enter username. 3. Enter a command in the password field. You can enter these values: # (or SENDSMS) to have a code sent via text to your cell phone. Figure 14: Two-Factor Authentication with SMS Text Code v (or SENDVOICE) to have an automated voice call made to your cell phone that will tell you a code. Figure 15: Two-Factor Authentication with Voice Call SurePassID Local Agent Guide Page 22 of 26

m (or SENDEMAIL) to have a code sent via email. Figure 16: Two-Factor Authentication with Email 4. Press OK button to send code. 5. Wait for the code to be delivered to you. 6. Enter the password and concatenate (append) the code you have just received (no spaces after the password). Press OK button to authenticate Example 4 Login Using SMS Question You will follow these steps if you want to secure yourself via an SMS question and not have to enter a code. 1. Start VPN client software. 2. Enter username. 3. Enter? (or PUSHSMS) to have a question sent via text to your phone. You only need to reply y or yes (not case sensitive) to the text message to have the second factor authenticated. If you did not request to be authenticated you can respond with any other answer (such as n or no) and access will be denied. SurePassID Local Agent Guide Page 23 of 26

Figure 17: Two-Factor Authentication with SMS Question 4. Press button OK to send you a question. 5. Wait for the question to be delivered via SMS to you mobile device. 6. Reply Yes (or Y) to the question to allow you to authenticate. 7. Wait for confirmation from the server that you have been authenticated. 8. Enter password. 9. Press OK button to authenticate. SurePassID Local Agent Guide Page 24 of 26

Configuring the Directory Sync Application The Directory Sync application is a command line application that synchronizes user Active Directory user information with the SurePassID directory. The Directory Sync application (DirectorySync.exe) is located in the SurePassID Local Agent\Directory Sync folder. To run the Directory Sync application, use the following syntax: DirectorySync -ln=loginname -lp=loginpassword -add=activedirectorydomain -adf=activedirectoryfilter where loginname: is your SurePassID account login name loginpassword: is you SurePassID account login password activedirectorydomain: is the active directory domain to synchronize. activedirectoryfilter: is the active directory filter to synchronize a subset of the active directory domain. The Directory Sync application synchronizes the following data: Username (same as account name) First Name (given name) Last Name (surname) Email (email) Mobile Number (mobile) The Directory Sync application by default uses https for transport security. If you need a greater level of security, please contact SurePassID technical support and we can assist in setting up message level security using X509 certificates. SurePassID Local Agent Guide Page 25 of 26

Configuring the Event Log Sync Application The Event Log Sync Application is a command line application that pulls information from the SurePassID Audit Trail down to your local system. Event Log Sync only pulls down specific events that your SurePassID account is configured for. This allows you to only pull down a subset of information (such as errors only) and not all audit trail records. The Event Sync application (EventLogSync.exe) is located in the SurePassID Local Agent\Event Log Sync folder. To run the application, use the following syntax: EventLogSync -ln=loginname -lp=loginpassword where loginname: is your SurePassID account login name loginpassword: is you SurePassID account password The Event Log Sync Application by default uses https for transport security. If you need a greater level of security, please contact SurePassID technical support and we can assist in setting up message level security using X509 certificates. SurePassID Local Agent Guide Page 26 of 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback