Safeguard integration with Defender

Hi,

Can Safeguard be integrated with Defender, so it can provide 2FA in one of 2 cases:

1- login to Safeguard

2- login to an SSH or RDP session using OTP in addition to password authentication

  • Hi Mahmoud,

    1. Yes, SPP supports adding a Radius Server as secondary authentication for user login to SPP, and Defender is a Radius Server.

    2. SPS also supports adding an AA Plugin for Radius, which can be configured to point to Defender to add OTP on SSH or RDP sessions proxied via SPS.

    Thanks!

  • Do you have a documentation guide on how to do it?

  • The SPP admin guide has a section on adding Radius as a secondary authentication for SPP login here:

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/7.1/administration-guide/45#TOPIC-1918157

    This assumes that you already have Defender Server installed and configured to accept authentications from SPP nodes (Defender is the Radius Server in this example).

    SPP will then point to Defender for Radius secondary authentication to prompt for 2FA.

    Thanks!

  • Hi Tawfiq,

    How do we define an access node for SPP?

    As far as I know, we define an access node to secure Windows-based computers, Unix systems, VPN access and secure-access websites for applications hosted on an IIS server.

    Also, we always need a Defender agent installed on the systems that we have to protect.

  • The Defender Access node for SPP would be the same as a Windows-based Access node, but no Defender Desktop Client needs to be installed on SPP because it is a hardened appliance with no access to the OS; instead, SPP supports Radius without the need for the agent:

    In the Defender Access node, include the IP address range of all SPP nodes.

    You can use a different authentication port (for example 1645 instead of 1812) if you prefer not to conflict with other access nodes using a similar IP address range.

    Type: Radius Agent

    Defender policy is Token only.

    Then in SPP, you would add the Radius settings as Secondary authentication (SPP > Safeguard Access > Identity and authentication > Radius > Secondary Authentication), pointing to the Defender IP address with the same port and shared secret as in the Access node in Defender.

    Then enable secondary authentication on the user settings in SPP selecting Radius as secondary authentication.

    Thanks!
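The steps above boil down to one thing SPP and Defender must agree on: the UDP port and the shared secret of the Access node. The following is an added example, not code from the thread or from One Identity: a minimal RADIUS/PAP test client built on the Python standard library only (RFC 2865 packet layout, User-Password hiding and Response Authenticator check), which lets an administrator confirm that the Defender server answers on the chosen port with the chosen secret before the same values are typed into SPP. The host name, port, secret, NAS identifier and user are constructed placeholders.

```python
# Added example (not from the thread): RADIUS/PAP client per RFC 2865, stdlib only.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks (at least one), XOR each block with
    MD5(secret + previous block), the first 'previous block' being the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does); trailing null padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    # Type (1) + Length (1, includes the 2-byte header) + Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload: bytes) -> list:
    attrs, pos = [], 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, username, password, secret,
                         nas_id=b"spp-node", request_auth=None):
    """Returns (packet, request_authenticator). nas_id is a constructed placeholder."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side (used here to simulate Defender in tests):
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, identifier, request_auth, secret):
    """Returns (ok, code, attrs); ok is False when the reply was not produced with
    our shared secret for our request, which is exactly a mismatched-secret symptom."""
    if len(response) < 20:
        return False, None, []
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != identifier or length != len(response):
        return False, code, []
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False, code, []
    return True, code, parse_attributes(response[20:])


def describe(code, attrs) -> str:
    name = CODE_NAMES.get(code, f"code {code}")
    messages = [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE]
    return f"{name}: " + (" | ".join(messages) or "(no Reply-Message)")


def send_access_request(host, port, secret, username, password, timeout=5.0):
    identifier = os.urandom(1)[0]
    packet, request_auth = build_access_request(identifier, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)
    ok, code, attrs = verify_response(data, identifier, request_auth, secret)
    if not ok:
        raise RuntimeError("reply failed the authenticator check: wrong shared secret or forged reply")
    return code, attrs


if __name__ == "__main__":
    # Placeholders: the Defender server, the port set on the Access node and its shared secret.
    code, attrs = send_access_request("defender.example.internal", 1645, b"shared-secret", "jdoe", "123456")
    print(describe(code, attrs))
```

With a Token-only Defender policy the "password" sent here is the OTP and the expected answer is Access-Accept or Access-Reject; an Access-Challenge carrying a Reply-Message means the policy on that Access node is asking for a further step (for example an AD password before the token), which is worth knowing before SPP is pointed at it. A timeout with no reply usually means the SPP node's address is outside the Access node's IP range or the port differs; a reply that fails the authenticator check means the shared secret does not match.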

  • You may also need to disable push notification on the Defender side if you are running Defender 6.2 or above, as it may not work correctly yet with SPP.

    To disable Push notifications in Defender, add the registry key below on all Defender security servers:

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition
    • Value type: REG_DWORD
    • Value name: PushOff
    • Set the value to 1
  • Thanks for your recommendations.

    I have installed Defender 6.1.

    I am testing and will send you feedback.

  • Hi Tawfiq,

    It works fine. Thank you very much.

    The only thing is that Defender asks for a first password that is not defined in the configuration before asking for the Windows password and the token.

    When I press Enter I can continue.

    Is there a way to remove this step?

  • If you are using a Directory User to authenticate to SPP in the first step using AD password then there should be no need to have Defender enforce AD password again on the secondary authentication.

    You can have Defender handle the token response only as the second step by setting the Defender Policy on the SPP Access node to be Token only.

    Unless there is another Defender policy on the Defender Security Server object that could be conflicting, you can remove the Defender policy from ADUC > Defender OU > Security Server > properties > Policy Tab > Clear it from here.

    You can create a new Defender policy that is Token only rather than (AD password followed by Token) and assign that to the SPP access node so that way you can have different Access nodes with different Defender policy requirements based on what you want to enforce for that access node endpoint.
