Safeguard integration with Defender

Hi,

Can Safeguard be integrated with Defender, so it can provide 2FA in one of 2 cases:

1- Login to Safeguard

2- Login to an SSH or RDP session using OTP in addition to password authentication

  • If you are using a Directory User to authenticate to SPP in the first step using the AD password, then there should be no need to have Defender enforce the AD password again in the secondary authentication.

    You can have Defender handle the token response only as the second step by setting the Defender Policy on the SPP Access node to Token only.

    In case there is another Defender policy on the Defender Security Server object that could conflict, you can remove the Defender policy from ADUC > Defender OU > Security Server > Properties > Policy tab and clear it there.

    You can create a new Defender policy that is Token only rather than (AD password followed by Token) and assign it to the SPP Access node; that way you can have different Access nodes with different Defender policy requirements based on what you want to enforce for each Access node endpoint.

  • Please, what is the Defender one-time password number?

  • Defender OTP, or one-time password, is just another name for the token response.

  • Hi,

    Hope you are doing fine.

    I have configured, for one client (an assurance company), SPP 6.13 integration with Defender 6.1 for 2FA authentication of SPP's users, following your instructions... good.

    I tried the same configuration for a bank with SPP 6.13 and Defender 6.14 and got the error message "access denied -- no valid route". SPP and Defender are in the same subnet. What can be the possible cause and how to solve it?

  • You can try disabling Push Notification in Defender and test again, and you may have to upgrade SPP as version 6.13 is out of support now.

    Defender push notifications can be disabled:

    • To turn the notifications off, the user needs to manually create the following registry value at:

      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition

      Value type: REG_DWORD

      Value name: PushOff

      Value data: 1
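The same registry change expressed as a PowerShell script, added here as an example and not taken from the original post or from One Identity. The key path, value name, type and data are exactly those listed above; the script assumes it is run in an elevated session on the Defender Security Server host. The post does not say whether the DSS service has to be restarted for the change to take effect, so check the Defender documentation for your version.

```powershell
# Added example (not from the original post): disable Defender push
# notifications by creating the PushOff REG_DWORD value described above.
# Assumptions: run elevated on the Defender Security Server host; the key
# path below (from the post) matches your Defender version; whether a DSS
# service restart is needed afterwards is not stated in the post.

$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition'
$ValueName = 'PushOff'

# Refuse to create the key itself: if it is missing, this is probably not the DSS host.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Defender DSS registry key not found at '$KeyPath'. Is this the Defender Security Server host?"
}

# Record the current state so the change can be reverted if needed.
$before = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $before) {
    Write-Host "PushOff not present (push notifications enabled). Creating it."
} else {
    Write-Host "PushOff currently = $($before.$ValueName)"
}

# REG_DWORD value 1 turns push notifications off. -Force overwrites an existing value.
New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the value was written as expected before reporting success.
$after = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName
if ($after.$ValueName -ne 1) {
    throw "PushOff was not set correctly (value is $($after.$ValueName))"
}
Write-Host "Defender push notifications disabled (PushOff = 1)."

# To re-enable push notifications later, remove the value again:
#   Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName
```

Running the script twice is safe: the second run reports the existing value and overwrites it with the same data. Removing the value restores the default behaviour rather than setting it to 0, which keeps the registry in the state the post describes as the default.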

  • Hello Tawfiq,

    Does SPS portal access support Defender MFA authentication?

    I'm trying to create a new RADIUS login option with:

    - PAP authentication protocol

    - Authorization backend: LDAP

    but still can't access. What additional requirements are needed, please?

  • Hi Mahmoud,

    The SPS Web UI portal does support RADIUS as a login option, which can be pointed to Defender, correct.

    The login prompt in SPS is not currently designed for multiple prompts (if you are trying to enter the AD password separately from the token response), so one way this would work for MFA currently is to use a Defender policy such as AD password with Token (so that the user types both the AD password and the token in the same password field), which I was able to test successfully.

    I created a separate Defender Access node with a different port, for example 400, and using SamAccountName for the user ID.

    Point SPS to Defender and that RADIUS port from the step above, and add all other configuration in the Access node such as the DSS server and members, plus the policy of AD Password with Token as the first method followed by None as the second method.

    On the SPS side you also need to have an AD group of which the user is a member added under User & Access Control > Appliance Access; here you can add the AD group and grant the rights for what the user has access to in the SPS Web UI.

    Thanks!

  • Many thanks Tawfiq,

    It worked using the (AD Password with Token) policy.