Safeguard integration with Defender

Hi,

Can Safeguard be integrated with Defender, so it can provide 2FA in one of two cases:

1- Login to Safeguard

2- Login to an SSH or RDP session using an OTP in addition to password authentication

  • Hi Tawfiq

    How do we define an Access node for SPP?

    As far as I know, we define an Access node to secure Windows-based computers, Unix systems, VPN access, and to secure access to websites for applications hosted on an IIS server.

    Also, we always need a Defender agent installed on the systems that we have to protect.

  • The Defender Access node for SPP would be the same as a Windows-based Access node, but no Defender Desktop Client needs to be installed on SPP because it is a hardened appliance with no access to the OS; instead, SPP supports RADIUS without the need for the agent:

    In the Defender Access node, include the IP address range of all SPP nodes.

    You can use a different authentication port (for example 1645 instead of 1812) if you prefer not to conflict with other Access nodes using a similar IP address range.

    Type: Radius Agent

    Defender policy: Token only

    Then in SPP, you would add the RADIUS settings as secondary authentication (SPP > Safeguard Access > Identity and authentication > Radius > Secondary Authentication), pointing to the Defender IP address with the same port and shared secret as in the Access node in Defender.

    Then enable secondary authentication in the user settings in SPP, selecting Radius as the secondary authentication.

    Thanks!
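One way to sanity-check the Access node, the port and the shared secret from a host inside the SPP IP range before touching the SPP side, as an added example that is not part of the original thread and not One Identity code: a hand-rolled RFC 2865 Access-Request in Python. The server address, port 1645, the user name, the OTP and the shared secret are hypothetical placeholders. The code also shows why the "same port and shared secret" point above matters: with a mismatched secret the User-Password attribute decrypts to garbage on the server, and a genuine reply fails the Response Authenticator check on the client.

```python
"""Minimal RADIUS (RFC 2865) client to test a Defender Security Server from an
address inside the SPP Access node range, before pointing SPP at it.
Added example for this thread, not One Identity code; hosts, secret and OTP are hypothetical."""
import hashlib
import os
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)


def decrypt_password(ciphertext, secret, authenticator):
    """Inverse of encrypt_password. With a mismatched shared secret this yields garbage,
    which is what the server sees when the SPP secret differs from the Access node's."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(ciphertext), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(ciphertext[i:i + 16], mask))
        prev = ciphertext[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload):
    """Return [(type, value), ...], rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs


def build_access_request(username, token_response, secret, nas_ip, identifier, authenticator):
    """Access-Request carrying User-Name, the Defender token response as User-Password
    (Token-only policy: the OTP alone is the password) and NAS-IP-Address, which must
    fall inside the IP range configured on the Access node."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_password(token_response.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a server holding the same secret sends back; used here for the offline self-test."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Check the length and the Response Authenticator (RFC 2865 section 3); return the code.
    A reply that fails this check was not produced with our shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not secrets.compare_digest(response[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    return response[0]


def send_access_request(server, port, secret, username, otp, nas_ip, timeout=5.0):
    """Send one Access-Request over UDP and return the verified response code (2 = Accept, 3 = Reject)."""
    request_auth, ident = os.urandom(16), secrets.randbelow(256)
    pkt = build_access_request(username, otp, secret, nas_ip, ident, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        data, _ = s.recvfrom(4096)
    if data[1] != ident:
        raise ValueError("identifier mismatch")
    return verify_response(data, request_auth, secret)


if __name__ == "__main__":
    # Offline self-check with constructed values (secret, user and OTP are placeholders).
    secret, ra = b"Sh4redSecret", os.urandom(16)
    req = build_access_request("alice", "123456", secret, "10.0.0.5", 42, ra)
    print(parse_attributes(req[20:]))
    print(verify_response(build_response(ACCESS_ACCEPT, 42, ra, secret), ra, secret))
    # Against a real Defender Security Server (hypothetical address; port 1645 as in the thread):
    # print(send_access_request("192.0.2.10", 1645, secret, "alice", "123456", "10.0.0.5"))
```

Run it from a machine whose source address lies in the Access node's IP range with the same port and secret you intend to enter in SPP; an Access-Accept (code 2) for a valid token response confirms the Defender side before you enable secondary authentication on SPP users.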

  • You may also need to disable push notifications on the Defender side if you are running Defender 6.2 or above, as they may not work correctly yet with SPP.

    To disable push notifications in Defender, add the registry value below on all Defender Security Servers:

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition
    • Value type: REG_DWORD
    • Value name: PushOff
    • Set the value to 1
  • Thanks for your recommendations.

    I have installed Defender 6.1.

    I am testing and will send you feedback.

  • Hi Tawfiq

    It works fine. Thank you very much.

    The only thing is that Defender asks for a first password that is not defined in the configuration before asking for the Windows password and the token.

    When I press Enter I can continue.

    Is there a way to remove this step?

  • If you are using a Directory user to authenticate to SPP in the first step with the AD password, then there should be no need to have Defender enforce the AD password again in the secondary authentication.

    You can have Defender handle the token response only as the second step by setting the Defender policy on the SPP Access node to Token only.

    In case there is another Defender policy on the Defender Security Server object that could be conflicting, you can remove the Defender policy from ADUC > Defender OU > Security Server > Properties > Policy tab and clear it from there.

    You can create a new Defender policy that is Token only, rather than AD password followed by Token, and assign it to the SPP Access node. That way you can have different Access nodes with different Defender policy requirements, based on what you want to enforce for each Access node endpoint.

  • Please, what is the Defender one-time password number?

  • Defender OTP, or one-time password, is just another name for the token response.

  • Hi

    Hope you are doing fine.

    I have configured, for one client (an insurance company), SPP 6.13 integration with Defender 6.1 for 2FA authentication of SPP's users following your instructions... good.

    I tried the same configuration for a bank with SPP 6.13 and Defender 6.14: error message "access denied -- no valid route". SPP and Defender are in the same subnet. What can be the possible cause and how to solve it?

  • You can try disabling push notifications in Defender and test again, and you may have to upgrade SPP, as version 6.13 is out of support now.

    Defender push notifications can be disabled as follows:

    • To turn the notifications off, the user needs to manually create the following registry value at:

      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition

      Value type: REG_DWORD

      Value name: PushOff

      Value data: 1