Server Administrator Guide

Administration Guide
Advanced Authentication
Version 6.0
Legal Notice
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government
rights, patent policy, and FIPS compliance, https://www.netiq.com/company/legal/.
Copyright © 2016 NetIQ Corporation, a Micro Focus company. All Rights Reserved.
Contents
About NetIQ Corporation 7

About this Book 9
1 Advanced Authentication Overview 11

1.1 How Is Advanced Authentication Better Than Other Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3 Advanced Authentication Server Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3.1 Administration Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3.2 Self-Service Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.3.3 Helpdesk Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.3.4 Reporting Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.4 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.4.1 Basic Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.4.2 Enterprise Level Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4.3 Enterprise Architecture With A Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.5 Terminologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.5.1 Authentication Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.5.2 Authentication Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.5.3 Authentication Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.5.4 Endpoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.5.5 Tenant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Part I Configuring Advanced Authentication 19
2 Logging In to the Advanced Authentication Administrative Portal 21

2.1 Logging In to Advanced Authentication Portal using Out-Of-Band Authentication . . . . . . . . . . . . . . . 21
3 Configuring Advanced Authentication Server Appliance 23

3.1 Managing Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.1.1 Adding Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.2 Customizing Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.3 Updating Dashboard to View Real Time or Historical Data . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.1.4 Customizing the Default Widgets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.1.5 Exporting Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.2 Adding a Tenant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3 Adding a Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.3.1 Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.3.2 Used Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.3.3 Local Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.4 Configuring Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.1 Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.4.2 Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.4.3 Email OTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.4.4 Emergency Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4.5 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4.6 FIDO U2F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4.7 LDAP Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.4.8 OATH OTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Contents 3
3.4.9 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.4.10 PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.4.11 RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.4.12 SMS OTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.4.13 Security Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.4.14 Smartphone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.4.15 Swisscom Mobile ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.4.16 Touch ID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.4.17 Voice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.4.18 Voice OTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.5 Creating a Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.6 Configuring Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6.1 Configuring an Existing Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.6.2 Creating a Customized Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.7 Managing Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.8 Configuring Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.8.1 Admin UI Whitelist Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.8.2 Authenticator Management Options Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.8.3 Cache Options Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.8.4 CEF Log Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.8.5 Custom Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.8.6 Delete Me Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.8.7 Endpoint Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.8.8 Event Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.8.9 Geo Fencing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.8.10 Helpdesk Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3.8.11 HTTPS Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3.8.12 Kerberos SSO Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3.8.13 Last Logon Tracking Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.8.14 Lockout Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.8.15 Login Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.8.16 Logo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.8.17 Logon Filter for AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.8.18 Mail Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.8.19 Multitenancy Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
3.8.20 Password Filter for AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.8.21 Public External URLs (Load Balancers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.8.22 SMS Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
3.8.23 Services Director Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3.8.24 SAML 2.0 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.8.25 Voice Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.9 Configuring Server Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.9.1 Enabling Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.9.2 Uploading a Keytab File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
3.10 Adding a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4 Configuring Ports and Firewall 91
5 Configuring a Cluster 95
5.1 Registering a New Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.2 Registering a New Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.3 Resolving Conflicts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.4 Installing a Load Balancer for Advanced Authentication Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.4.1 Installing nginx on Ubuntu 16.04 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.4.2 Configuring nginx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.4.3 Configuring Advanced Authentication Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.5 Determining the Number of Web Servers for Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4 Advanced Authentication - Administration

5.6 Restoring Operations When a Global Master Server is Broken . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6 Enrolling the Authentication Methods 107
Part II Configuring Integrations 109
7 OAuth 2.0 111

7.1 Building Blocks of OAuth 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
7.1.1 OAuth 2.0 Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
7.1.2 OAuth 2.0 Grants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
7.2 Sample OAuth 2.0 Application Integrated with Advanced Authentication . . . . . . . . . . . . . . . . . . . . 114
7.2.1 Running the Sample Web Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
7.3 OAuth 2.0 Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
7.4 Non Standard Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
8 RADIUS Server 123
9 SAML 2.0 127
10 Examples of Integrations 129

10.1 Configuring Integration With Barracuda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
10.2 Configuring Integration With Citrix NetScaler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
10.3 Configuring Integration With Dell SonicWall SRA EX-Virtual Appliance. . . . . . . . . . . . . . . . . . . . . . 132
10.4 Configuring Integration With FortiGate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
10.5 Configuring Integration With OpenVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
10.6 Configuring Integration With Palo Alto GlobalProtect Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
10.6.1 Adding the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
10.6.2 Adding an Authentication Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
10.6.3 Configuring GlobalProtect Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
10.7 Configuring Integration With Salesforce. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
10.8 Configuring Integration With ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
10.9 Configuring Integration With Google G Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Part III Maintaining Advanced Authentication 145
11 Reporting 147
12 Logging 149
12.1 Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
12.2 RADIUS Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
12.3 Async Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.4 Web Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.5 Replication Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.6 Superuser Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.7 Background Tasks Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.8 NGINX Errors Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
12.9 WebAuth Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Contents 5
13 Managing Tokens 163
13.1 CSV File Format To Import OATH Compliant Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
14 Searching a Card Holder’s Information 165
15 Monitoring Performance of Advanced Authentication Servers 167
16 Troubleshooting 169
16.1 Error During the Deployment of ISO File and Installation in the Graphic Mode . . . . . . . . . . . . . . . . 169
16.2 Partition Disks to Avoid Removal of Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
16.3 Networking Is Not Configured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
16.4 Error While Coying the DB Master Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
16.5 The ON/OFF Switch Is Broken If the Screen Resolution Is 110% . . . . . . . . . . . . . . . . . . . . . . . . . . 170
16.6 Error When Requesting For Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

About NetIQ Corporation
We are a global, enterprise software company, with a focus on the three persistent challenges in your
environment: Change, complexity and risk—and how we can help you control them.
Our Viewpoint
Adapting to change and managing complexity and risk are nothing new
In fact, of all the challenges you face, these are perhaps the most prominent variables that deny
you the control you need to securely measure, monitor, and manage your physical, virtual, and
cloud computing environments.
Enabling critical business services, better and faster

We believe that providing as much control as possible to IT organizations is the only way to
enable timelier and cost effective delivery of services. Persistent pressures like change and
complexity will only continue to increase as organizations continue to change and the
technologies needed to manage them become inherently more complex.
Our Philosophy
Selling intelligent solutions, not just software
In order to provide reliable control, we first make sure we understand the real-world scenarios in
which IT organizations like yours operate—day in and day out. That's the only way we can
develop practical, intelligent IT solutions that successfully yield proven, measurable results. And
that's so much more rewarding than simply selling software.
Driving your success is our passion

We place your success at the heart of how we do business. From product inception to
deployment, we understand that you need IT solutions that work well and integrate seamlessly
with your existing investments; you need ongoing support and training post-deployment; and you
need someone that is truly easy to work with—for a change. Ultimately, when you succeed, we
all succeed.
Our Solutions
 Identity & Access Governance
 Access Management
 Security Management
 Systems & Application Management
 Workload Management
 Service Management
About NetIQ Corporation 7

Contacting Sales Support
For questions about products, pricing, and capabilities, contact your local partner. If you cannot
contact your partner, contact our Sales Support team.
Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: [email protected]
Web Site: www.netiq.com
Contacting Technical Support

For specific product issues, contact our Technical Support team.
Worldwide: www.netiq.com/support/contactinfo.asp
North and South America: 1-713-418-5555
Europe, Middle East, and Africa: +353 (0) 91-782 677
Email: [email protected]
Web Site: www.netiq.com/support
Contacting Documentation Support

Our goal is to provide documentation that meets your needs. The documentation for this product is
available on the NetIQ Web site in HTML and PDF formats on a page that does not require you to log
in. If you have suggestions for documentation improvements, click Add Comment at the bottom of
any page in the HTML version of the documentation posted at www.netiq.com/documentation. You
can also email [email protected]. We value your input and look forward to
hearing from you.
Contacting the Online User Community

NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your
peers and NetIQ experts. By providing more immediate information, useful links to helpful resources,
and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you
need to realize the full potential of IT investments upon which you rely. For more information, visit
community.netiq.com.

About this Book
This Administration Guide is intended for system administrators and describes the procedure of
Advanced Authentication Server appliance configuration.
Intended Audience
This book provides information for individuals responsible for understanding administration concepts
and implementing a secure, distributed administration model.
About this Book 9

1 Advanced Authentication Overview
1
Advanced Authentication™ is a multi-factor authentication solution that enables you to protect your
sensitive data by using a more advanced way of authentication on top of the typical username and
password authentication. With Advanced Authentication, you can authenticate on diverse platforms
by using different types of authenticators such as Fingerprint, Card, and OTP. Advanced
Authentication provides a single authentication framework that ensures secure access to all your
devices with minimal administration.
Authentication comprises of the following three factors:
 Something that you know such as password, PIN, and security questions.
 Something that you have such as smartcard, token, and mobile phone.
 Something that you are such as biometrics (fingerprint or iris).
You can achieve multi-factor or strong authentication by using any two factors out of this list. For
example, multi-factor authentication can include combination of a password and a token or a
smartcard and a fingerprint.
This section contains the following topics:
 Section 1.1, “How Is Advanced Authentication Better Than Other Solutions,” on page 11
 Section 1.2, “Key Features,” on page 11
 Section 1.3, “Advanced Authentication Server Components,” on page 12
 Section 1.4, “Architecture,” on page 14
 Section 1.5, “Terminologies,” on page 18
1.1 How Is Advanced Authentication Better Than

Other Solutions
Advanced Authentication leverages the needs of users to authenticate on different platforms with
different needs. The following points explain how Advanced Authentication is different from other
solutions:
 Works on multiple platforms such as Windows, Mac OS X, Linux and so on.

 Supports multi-site configurations that helps organizations to distribute the authentication
globally.
1.2 Key Features

 Multi-factor Authentication: The solution provides a flexibility of combining more than twenty
authentication methods to create authentication chains. You can assign these chains to different
events to use the specific authentication chains for different kinds of endpoints.
 Supports Multiple Repositories: Advanced Authentication supports Active Directory, Active
Directory Lightweight Domain Services, NetIQ eDirectory, and other RFC 2037 and RFC 2037
bis compliant LDAP repositories.
Advanced Authentication Overview 11

 Supports Distributed Environments: Advanced Authentication works on geographically
distributed environments containing high loads.
 Multitenancy: A single Advanced Authentication solution can support multiple tenants to serve
multiple customers with different environments.
 Supports Multiple Platforms: Advanced Authentication works on various platforms such as
Windows, Linux, and Mac OS.
 Helpdesk: Advanced Authentication provides a separate role of Helpdesk or Security officer. A
user with Helpdesk or Security Officer role can manage authenticators for the end users through
the Helpdesk portal.
 Supports the RADIUS Server: Advanced Authentication Server contains a built-in RADIUS
server to provide strong authentication for third-party RADIUS clients. Also, it can act as a
RADIUS client for the third-party RADIUS servers.
 Supports ADFS 3, OAuth 2.0, and SAML 2.0: Advanced Authentication integrates with Active
Directory Federation Services, OAuth 2.0, and SAML 2.0. This enables you to perform strong
authentication for the users who need to access the third-party consumer applications.
 Reporting: Advance Authentication provides the Reporting portal that enables you to access
different security reports. You can also create customized reports based on your requirement.
 Syslog support: Advanced Authentication provides the central logging server that can be used
for log forwarding. You can configure the solution to forward logs to an external Syslog server.
 FIPS 140-2 Compliant Encryption: Advanced Authentication adheres to Federal Information
Processing Standard (FIPS) 140-2. You can enable FIPS 140-2 compliant encryption for new
installations.
 Supports Localization: Advanced Authentication supports several languages such as Arabic,
Chinese, Dutch, and Danish.
1.3 Advanced Authentication Server Components

Advanced Authentication server comprises of the following components:
 Administration Portal
For more information, see Section 1.3.1, “Administration Portal,” on page 12

 Self-Service Portal
For more information, see Section 1.3.2, “Self-Service Portal,” on page 13
 Helpdesk Portal
For more information, see Section 1.3.3, “Helpdesk Portal,” on page 13
 Reporting Portal
For more information, see Section 1.3.4, “Reporting Portal,” on page 13
1.3.1 Administration Portal

Administration Portal is a centralized portal that helps you to configure and manage various
authentication settings such as methods, events, and so on. You can also configure various policies
that are required for authentication. You can perform the following tasks:
 Add repositories: A repository is a database that stores users information. For example: An
organization, Digital Airlines contains an Active Directory that stores all of the user’s information
such as username, telephone, address, and so on. Administrator can add this Active Directory to

Advanced Authentication solution to help different departments in the organization such as the
IT, finance, HR, and Engineering departments to authenticate based on their requirements. For
more information about how to add repositories, see “Adding a Repository”.
 Configure methods: A method or an authenticator helps to confirm the identification of a user
(or in some cases, a machine) that is trying to log on or access resources. You can configure the
required settings for the appropriate methods depending on the requirement by each
department. For more information about how to configure methods, see “Configuring Methods”.
 Create chains: A chain is a combination of methods. Users must authenticate with all the
methods in a chain. For example, a chain with Fingerprint and Card method can be applicable
for the IT department and a chain with Smartphone, LDAP Password, and HOTP is applicable
for the Engineering department. For more information about how to create chains, see “Creating
a Chain”.
 Configure events: An event is triggered by an external device or application that needs to
perform authentication such as a Windows machine, a RADIUS client, a third party client and so
on. After creating the chain, Administrator maps the chain to an appropriate event. For more
information about how to configure events, see “Configuring Events”.
 Map endpoints: An endpoint is a device on which you can authenticate. Endpoints can be
computers, Laptops, tablets, and so on. For more information about how to configure endpoints,
see “Managing Endpoints”.
 Configure policies: An administrator can manage policies that are specific to users, devices, or
locations to control a user’s authentication. In Advanced Authentication, you can manage the
policies in a centralized policy editor. For more information about how to configure policies, see
“Configuring Policies”.
1.3.2 Self-Service Portal

The Self-Service Portal allows users to manage the available authentication methods. This portal
consists of Enrolled authenticators and Add authenticator. The Enrolled authenticators section
displays all the methods that users have enrolled. The Add authenticator section displays additional
methods available for enrollment. You must configure and enable the Authenticators Management
event to enable users to access the Self-Service portal. For more information on Self-Service portal,
see Advanced Authentication- User guide.
1.3.3 Helpdesk Portal

The Helpdesk Portal allows the helpdesk administrators to enroll and manage the authentication
methods for users. Helpdesk administrators can also link authenticators of a user to help authenticate
to another user’s account. For more information on Helpdesk portal, see the Advanced
Authentication- Helpdesk Administrator guide.
1.3.4 Reporting Portal

The Reporting Portal allows you to create or customize security reports that provide information about
user authentication. It also helps you understand the processor and memory loads. For more
information on Reporting portal, see “Reporting”.

1.4 Architecture
Advanced Authentication architecture is based on the following three levels of architecture:
 Basic Architecture
For more information, see Section 1.4.1, “Basic Architecture,” on page 14

 Enterprise Level Architecture
For more information, see Section 1.4.2, “Enterprise Level Architecture,” on page 15
 Enterprise Architecture With A Load Balancer
For more information, see Section 1.4.3, “Enterprise Architecture With A Load Balancer,” on
page 17
1.4.1 Basic Architecture

The basic architecture of Advanced Authentication is a simple configuration that requires only one
Advanced Authentication server.
An Advanced Authentication server is connected to a directory such as Active Directory Domain

Services, NetIQ eDirectory, Active Directory Lightweight Directory Service or other compliant LDAP
directories. An Event Endpoint can be Windows, Linux or Mac OS X machine, NetIQ Access
Manager, NetIQ CloudAccess, or RADIUS Client to authenticate through the RADIUS Server that is
built-in the Advanced Authentication Server. For a complete list of supported events, see Configuring
Events.

1.4.2 Enterprise Level Architecture
In the enterprise level architecture of Advanced Authentication, you can create several sites for
different geographical locations.
For example, the Figure 1-1 on page 15 displays two Advanced Authentication sites, Site A and Site
B.
Figure 1-1 Enterprise Level Architecture
 Site A: The first site that is created for headquarters in New York. The first Advanced
Authentication server of site A contains the Global Master and Registrar roles. This server
contains a master database and it can be used to register new sites and servers.
 Site B: Another site created for the office in London. The structure of site B is similar to site A.
The Global Master in another site has the DB Master role. DB servers interact with the DB
Master.
DB Server provides a database that is used for backup and fail-over. You can create a maximum
of two DB servers per site. When the Global Master is unavailable, the DB server responds to
the database requests. When the Global Master becomes available again, the DB server
synchronizes with the Global Master and the Global Master becomes the primary point of
contact for database requests again.
Endpoints interact with Global Master or DB Master servers. When these servers are not
available, they interact with DB servers.
NOTE: DB servers connect to each other directly. If the Global Master is down, the DB servers will
replicate.
A Global Master must have a connection to each of the LDAP servers. Hence in a data center with
Global Master, you must have LDAP servers for all the used domains.

IMPORTANT: Ensure to take regular snapshots or to clone the primary site to protect from any
hardware issues or any other accidental failures. It is recommended to do it each time after you
change the configuration of repositories, methods, chains, events and policies, or add or remove
servers in the cluster.
You can convert DB server of primary site to Global Master. This requires corresponding DNS
changes. Nothing can be done if Global Master and all slaves are lost.

1.4.3 Enterprise Architecture With A Load Balancer
The enterprise architecture with a load balancer contains web servers and load balancers along with
the components in Enterprise Level Architecture. Figure 1-2 on page 17 illustrates the Enterprise
architecture with a load balancer.
Figure 1-2 Enterprise Architecture with Load Balancer
 Web Servers: Web server does not contain a database. It responds to the authentication
requests and connects to Global Master. You need more web servers to serve more workload. It
is not recommended to deploy more than 5-6 web servers per site.
 Load Balancer: A load balancer provides an ability to serve authentication requests from
External Endpoints. A load balancer is a third-party component. It must be configured to interact
with Web servers.

NOTE: To view an example of configuring a load balancer for an Advanced Authentication cluster,
see “Installing a Load Balancer for Advanced Authentication Cluster”.
1.5 Terminologies
 Section 1.5.1, “Authentication Method,” on page 18
 Section 1.5.2, “Authentication Chain,” on page 18
 Section 1.5.3, “Authentication Event,” on page 18
 Section 1.5.4, “Endpoint,” on page 18
 Section 1.5.5, “Tenant,” on page 18
1.5.1 Authentication Method

An authentication method verifies the identity of an individual who wants to access data, resources, or
applications. Validating that identity establishes a trust relationship for further interactions.
1.5.2 Authentication Chain

An authentication chain is a combination of authentication methods. A user must pass all methods in
the chain to be successfully authenticated. For example, if you create a chain with LDAP Password
and SMS, a user must first specify the LDAP Password. If the password is correct, the system sends
an SMS with a One-Time-Password (OTP) to the user’s mobile. The user must specify the correct
OTP to be authenticated.
You can create chains with multiple methods that are applicable for highly secure environments. You
can create authentication chains for specific group of users in the repositories.
1.5.3 Authentication Event

An authentication event is triggered by an external device or application that needs to perform
authentication. It can be triggered by a RADIUS Client (Citrix Netscaler, Cisco VPN, Juniper VPN and
so on) or an API request. Each event can be configured with one or more authentication chains that
enables a user to authenticate.
1.5.4 Endpoint
An endpoint is a device on which you can authenticate. Endpoints can be computers, Laptops,
tablets, Smartphones, and so on.
1.5.5 Tenant
A tenant is a company with a group of users sharing common access with specific privileges. In
Advanced Authentication, tenants have the privileges to customize some of the configuration
settings.

I Configuring Advanced
I
Authentication
Advanced Authentication Server Appliance is intended for processing requests for authentication
coming from the Advanced Authentication system users.
This chapter contains the following sections:
 Chapter 2, “Logging In to the Advanced Authentication Administrative Portal,” on page 21

 Chapter 3, “Configuring Advanced Authentication Server Appliance,” on page 23
 Chapter 4, “Configuring Ports and Firewall,” on page 91
 Chapter 5, “Configuring a Cluster,” on page 95
 Chapter 6, “Enrolling the Authentication Methods,” on page 107
Configuring Advanced Authentication 19

2 Logging In to the Advanced
2
Authentication Administrative Portal
After you set up an applicable server mode, the Advanced Authentication Administrative portal is
displayed.
To log in to the Advanced Authentication Administrative portal, perform the following steps:
1 Specify the administrator's credentials in the format: repository\user (local\admin by default).
NOTE: You can also use the format user@repository, if the Multitenancy mode is disabled.
2 Click Next.
3 The Admin Password chain is selected by default as the only available chain. Specify the
password that you specified while setting up the DB Master server mode.
4 Click Next.
The Dashboard page is displayed.
5 You can change the language from the list on the upper-right corner of the Administration portal.
The languages supported are: Arabic, Chinese Simplified, Chinese Traditional, Danish, Dutch,
English, French, German, Italian, Japanese, Polish, Portuguese (Brazilian), Russian, Spanish,
Hebrew, and Swedish.
IMPORTANT: Password of local\admin account expires by default. For uninterrupted access to the
Administration portal, it is strongly recommended to add authorized users or group of users from a
configured repository to the FULL ADMINS role. Then you must assign chains, which contain
methods that are enrolled for users, to the AdminUI event (at a minimum with an LDAP Password).
NOTE: It is not recommended to access the Advanced Authentication Administration portal through a
load balancer, as the replicated data may not be displayed.
2.1 Logging In to Advanced Authentication Portal

using Out-Of-Band Authentication
Out-of-Band (OOB) authentication is a form of strong authentication that allows user to access
Advanced Authentication Portal from different computers (Source and Remote) located on different
networks simultaneously. On the source computer, user must pass the chain configured for the
specific event using authenticators (like PKI card reader, Fingerprint scanner or so on that are not
available on remote computer) to get authenticated successfully. OOB authentication can be applied
on Administration, Helpdesk, Self-Service, and Reporting portals, OSP, RADIUS, and custom events.
NOTE: OOB authentication is not applicable for Helpdesk user event.
Logging In to the Advanced Authentication Administrative Portal 21

NOTE: Ensure to configure the load balancer URL in the Public External URL policy using which the
second URL gets generated for remote access.
To access Advanced Authentication Portal from Remote computer using OOB authentication,
perform the following steps:
1 Login to remote computer.

2 Navigate to Advanced Authentication UI
3 Specify User name.
4 Click Launch second URL.
5 Copy the URL.
6 Navigate to the URL on source computer.
7 Authenticate all methods in the configured chain for the specific event.
Remote computer gets logged in to the Advanced Authentication automatically.

3 Configuring Advanced Authentication
3
Server Appliance
In the Administration portal, you can configure and manage various authentication settings such as
methods, events, and so on. You can also configure various policies that are required for
authentication.
Advanced Authentication Administration portal contains the Help option that guides you on how to
configure all settings for your authentication framework. The Help section provides you with
information on the specific section you are working on.
 Section 3.1, “Managing Dashboard,” on page 23

 Section 3.2, “Adding a Tenant,” on page 29
 Section 3.3, “Adding a Repository,” on page 30
 Section 3.4, “Configuring Methods,” on page 39
 Section 3.5, “Creating a Chain,” on page 59
 Section 3.6, “Configuring Events,” on page 61
 Section 3.7, “Managing Endpoints,” on page 69
 Section 3.8, “Configuring Policies,” on page 70
 Section 3.9, “Configuring Server Options,” on page 88
 Section 3.10, “Adding a License,” on page 89
3.1 Managing Dashboard

After you login into the Advanced Authentication Administration console, the Dashboard is displayed.
Dashboard contains widgets that you can add or customize to view a graphical representation of
data. The information in the Dashboard helps administrators to track memory utilization, tenant
information, successful or failed logins, and so forth.
You can view the Dashboard for all the tenants or specific tenants.
Configuring Advanced Authentication Server Appliance 23

You can perform the following to manage the Dashboard:
 Add widgets
 Customize Dashboard
 Update Dashboard
 Customize the Default Widgets
 Export Widgets
3.1.1 Adding Widgets

To add widgets, perform the following steps:
1 Click Add widget in the top-right corner of the Dashboard screen.

2 Select the widget from the list that you want to add to the dashboard.
3 Specify the appropriate details for the widget in the Add Widget screen.
3.1.2 Customizing Dashboard

You can customize the Dashboard by moving the widgets or deleting the unused widgets.
To move the widgets, click on the widget and the drag icon appears. You can then drag and drop
the widget to the desired location of the Dashboard.
To delete unused widgets, click Delete on the top of each widget.

After customizing the dashboard, click Save Dashboard on the upper-right corner of the Dashboard
screen.
3.1.3 Updating Dashboard to View Real Time or Historical Data

You can update Dashboard to view the data based on the time interval or historical data.
Viewing Dashboard based on Time Interval

To view records based on real time interval, enable Relative time interval to ON and select the
Relative interval. The default time interval for Dashboard is 15 minutes.
Viewing Dashboard for Previous Records

To view previous records, enable Relative time interval to OFF and select the Date range.Click
Update
3.1.4 Customizing the Default Widgets

Following are the default widgets when you login. You can edit these widgets according to your need:
 “System Metrics” on page 26

 “Tenants” on page 26
 “CPU Usage Per Server and Memory Usage Per Server” on page 26
 “Servers” on page 26
 “Authentications” on page 26
 “Logons Per Result” on page 26
 “Activity Stream” on page 26
 “Successful/Failed Logons” on page 27
 “Top Events With Successful Logon Per Chain” on page 27
 “Top Events With Failed Logon Per Method” on page 27
 “Top 10 Events” on page 27
 “Top 10 chains With Successful Result” on page 27
 “Top 10 Servers” on page 28
 “Top 10 Tenants” on page 28
 “Top 10 Repo” on page 28
 “Top 5 Events for Logons” on page 28
 “Top 5 Users for Logons” on page 28
 “Top 10 Users With Failed Logon” on page 28
 “Top 10 Users” on page 29
 “Top 10 Events” on page 29
 “Top 10 Methods With Failed Result” on page 29
 “Disk Usage Per Server” on page 29

System Metrics
This widget displays statistics about user’s login, popularity and so on. The following section defines
each system metric:
 All Logons: Total number of logins.

 Failed Login: Total number of failed logins by the users.
 Succeeded Login: Total number of successful logins by the users.
 Active Users Count: The number of active users.
 Most Popular User: The user that has used the console most.
 Most Popular Event: The event that users have used the most.
 Most Popular Repo: The repository that users have used the most.
 CPU Usage Stats: The average percentage of CPU usage.
Tenants
This widget displays information about the tenants and their login.
CPU Usage Per Server and Memory Usage Per Server

These widgets display information about percentage of CPU and memory usage per time interval.
They show average CPU and memory usage.
You can edit the title and change the time interval to view the records.
Servers
This widget displays the CPU, memory, and disk usage.
Authentications
This widget displays the total logon count for time interval. You can edit the display based on the
events: All logon events, Failed logon events, or successful logon events.
Logons Per Result

This widget displays two lines: one for successful logons and one for failed logons.
To edit the widget, click Edit and select the appropriate fields. You can also select the number of
records from Size and sort in the ascending (previous to latest) or descending (latest to previous)
order.
Activity Stream
This widget displays information about user, tenant, chain, and method used for authentication, and
the result.
You can edit the display based on the events: All logon events, Failed logon events, or successful
logon events.

Successful/Failed Logons
This widget displays information about the successful or failed logins by users. You can edit the
widget to customize the display based on the event type and parameters such as Tenant name, event
name and so on.
order.
Top Events With Successful Logon Per Chain

This widget displays the top events based on the successful logon for each chain. You can edit the
widget to customize the display based on the event type and parameters such as Tenant name, event
name and so on.
order.
Top Events With Failed Logon Per Method

This widget displays the top events based on the failed logon for each chain. You can edit the widget
to customize the display based on the event type and parameters such as Tenant name, event name
and so on.
order.
Top 10 Events
This widget displays the top ten events the user has performed. You can edit the widget to customize
the display based on the event type.
order.
Top 10 chains With Successful Result

This widget displays the top ten chains the user has successfully authenticated with. You can edit the
widget to customize the display based on the event type.
order.

Top 10 Servers
This widget displays the top ten servers the user has used to authenticate. You can edit the widget to
customize the display based on the event type.
order.
Top 10 Tenants
This widget displays the top ten tenants. You can edit the widget to customize the display based on
the event type.
order.
Top 10 Repo
This widget displays the top ten repositories. You can edit the widget to customize the display based
on the event type.
order.
Top 5 Events for Logons

This widget displays the top five events for login. You can edit the widget to customize the display
based on the event type.
order.
Top 5 Users for Logons

This widget displays the top five users for login. You can edit the widget to customize the display
based on the event type.
order.
Top 10 Users With Failed Logon

This widget displays the top ten users who have failed in the login attempt. You can edit the widget to
order.

Top 10 Users
This widget displays the top ten users. You can edit the widget to customize the display based on the
event type.
order.
Top 10 Events
This widget displays the top ten events. You can edit the widget to customize the display based on
the event type.
order.
Top 10 Methods With Failed Result

This widget displays the top ten methods with failed authentication results. You can edit the widget to
order.
Disk Usage Per Server

This widget displays information about the percentage of disk usage per time interval. It shows the
average disk usage.
You can edit the title and change the time interval to view the records.
3.1.5 Exporting Widgets

Each widget displays export options like Export to .csv, Export to .xls and Export to .json using
which you can export the widget data to respective formats according your need. When you export
statistics of the widget, Advanced Authentication creates a copy of the selected widget, and stores
the copied data in preferred file format on your local drive.
3.2 Adding a Tenant

A tenant is a company with a group of users sharing common access with specific privileges. Each
company has a tenant administrator. The tenant administrator has the privilege to configure settings
for methods, chains, events, and so on.
Multitenancy is a feature where a single instance of Advanced Authentication solution supports

multiple tenants. The multitenancy feature is optional and is disabled by default. To enable
Multitenancy, see the policy Multitenancy options.

To add a tenant, perform the following steps:
1 Click Tenants > Add.

2 Specify the name, description, and password for the tenant administrator.
3 Click Save.
For the tenants added, you can view the number of configured repositories and the license expiry
date. In the Edit tenant page, you can view the number of users and change the password for the
tenant administrator.
NOTE: A tenant administrator cannot add another tenant and cannot access the Server options,
Cluster, and Updates sections. For more information, see the Tenant Administration Guide.
3.3 Adding a Repository

A repository is a central location where the user’s data is stored. Advanced Authentication uses the
repository only to retrieve the user information and configurations in Advanced Authentication do not
affect the repository. The authentication templates are stored inside the appliance and are fully
encrypted.
Advanced Authentication supports any LDAP compliant directory such as Active Directory Domain
Services, NetIQ eDirectory, Active Directory Lightweight Directory Services, OpenLDAP, and
OpenDJ.
When you add a new repository, you can match the users in the repository to the authentication
chains. You require only the read permission to access a repository.
To add a repository, perform the following steps:
1 Click Repositories > Add.

2 Select an applicable repository type from the LDAP type list. The options are:
 AD for Active Directory Domain Services
 AD LDS for Active Directory Lightweight Domain Services
 eDirectory for NetIQ eDirectory
 Other for OpenLDAP, OpenDJ and other types
For AD, a repository name is automatically set to the NetBIOS name of the domain. For other
LDAP repository types, you need to specify the name in Name.
3 Specify a container for the users in Base DN. When you select the Subtree option, Advanced
Authentication performs a search for the users in all the child nodes. You can change the search
scope by selecting the Search one level only option.
4 Specify a user account in User and specify the password of the user in Password. Ensure that
the user's password has no expiry.
5 You can specify a container for the groups in Group DN (optional). When you select the Subtree
option, Advanced Authentication performs a search for the groups in all the child nodes. You can
change the search scope by selecting the Search one level only option.
6 If you have selected AD as the LDAP type, select DNS discovery to find LDAP servers
automatically. Specify the DNS zone and Site name (optional) and click Perform DNS Discovery.
If you want to add LDAP servers manually, select Manual setting.

NOTE: If you specify an RODC (Read Only Domain Controller) in the LDAP server, the server
uses this DC for read requests (get groups, get user info) and for logon requests (LDAP
Password method and bind requests for Advanced Authentication LDAP user). These requests
are redirected to a writable DC because RODC is installed in untrusted locations and does not
have copies of the user’s passwords. Therefore, if a writable DC is not available, Advanced
Authentication will not be able to bind to the LDAP repository.
To solve this issue, you must enable the password replication of a user account specified in
Step 4. To do this, you must add the account to the Allowed RODC Password Replication
Group.
However, even when you enable such replication, users cannot use the LDAP Password method
because user’s passwords are not replicated. It is recommended not to replicate passwords of
all the users. For more information, see the article Understanding “Read Only Domain Controller”
authentication.
7 Click Add server. You can add the different servers in your network. The list is used as a pool of
servers. Each time the connection is open, a random server is selected in the pool and
unavailable servers are discarded.
8 Specify an LDAP server's Address and Port.
9 Turn SSL to ON to use the SSL technology (if applicable).
10 Click Save, next to server's credentials.
11 Add additional servers (if applicable).
12 (Conditional) To configure custom attributes, expand Advanced Settings. The Advanced Settings
are required for OpenDJ, OpenLDAP, and in some cases for NetIQ eDirectory.
13 Click Save.
NOTE: If you use NetIQ eDirectory with the option Require TLS for Simple Bind with Password
enabled, you may get the error: Can't bind to LDAP: confidentialityRequired. To fix the
error, you must either disable the option or do the following:
1. Click LDAP > LDAP Options > Connections in the NetIQ eDirectory Administration portal.
2. Set Client Certificate to Not Requested.
3. Set a correct port number and select SSL in the Repository settings.
4. Click Sync now with the added repository.
14 You can change the search scope and the Group DN (optional) functionality. In Advanced
Authentication 5.2, you had to specify a common Base DN for users and groups.
15 To verify the synchronization of a repository, click Edit and you can view the information in Last
sync.
16 Click Full sync to perform a complete synchronization of the repository.
Advanced Authentication performs an automatic synchronization of modified objects (fastsync)
on an hourly basis for AD. The complete synchronization (Full sync) is performed on a weekly
basis.
NOTE: If an LDAP server is unavailable for 2.5 seconds, Advanced Authentication excludes it from
the LDAP requests for a period of 3 minutes.

3.3.1 Advanced Settings
Advanced Settings allow you to customize attributes that Advanced Authentication reads from a
repository. Click + to expand the Advanced Settings. The following list describes the different
attributes in Advanced Settings:
 “User Lookup Attributes” on page 32

 “User Name Attributes” on page 32
 “User Mail Attributes” on page 32
 “User Cell Phone Attributes” on page 32
 “Group Lookup Attributes” on page 33
 “Group Name Attributes” on page 33
 “Verify SSL Certificate” on page 34
 “Enable Paged Search” on page 34
 “Enable Nested Groups Support” on page 34
 “Framed IPv4 Address Attribute” on page 35
User Lookup Attributes

Advanced Authentication validates the specified attributes for an entered user name.
For Active Directory (AD), the default attributes are sAMAccountName and userPrincipalName. For
other repositories, cn is the default attribute.
User Name Attributes

Advanced Authentication shows a name from the first, non-empty specified field for an entered user
name.
For AD, the default attributes are sAMAccountName and userPrincipalName. For other repositories,
cn is the default attribute.
User Mail Attributes

Advanced Authentication validates the specified attributes to retrieve a user's email address.
Default attributes are mail and otherMailbox.
User Cell Phone Attributes

Advanced Authentication validates the specified attributes to retrieve a user's phone number. These
attributes are used for methods such as SMS OTP, Voice, and Voice OTP. Previously, the first
attribute of User cell phone attributes was used as a default attribute for authenticating with SMS
OTP, Voice, and Voice OTP methods. Now, users can use different phone numbers for these
methods. For example, Bob wants to authenticate with SMS OTP, Voice, and Voice OTP methods. He
has a cell phone number, a home phone number, and an IP phone number and wants to use these
numbers for each of these methods. He can define these phone numbers in the respective settings of
these methods.
Default attributes: mobile, otherMobile.

NOTE: If you have multiple repositories, you must use the same configuration of User cell phone
attributes for all the repositories.
Group Lookup Attributes

Advanced Authentication validates the specified attributes for an entered group name.
For Active Directory, the default attribute is sAMAccountName. For other repositories, cn is the default
attribute.
Group Name Attributes

Advanced Authentication shows a name from the first, non-empty specified field for an entered group
name.
For Active Directory, the default attribute is sAMAccountName. For other repositories, cn is the default
attribute.
Advanced Authentication supports the RFC 2037 and RFC 2037 bis. RFC 2037 determines a
standard LDAP schema and contains a memberUid attribute (POSIX style). RFC 2037 bis determines
an updated LDAP schema and contains a member attribute. Active Directory, LDS, and eDir support
RFC 2037 bis. OpenLDAP contains posixAccount and posixGroup that follows RFC 2037.
Attribute Default Value Value for the Repository
User Object Class user OpenDJ and OpenLDAP: person
Group Object Class group OpenDJ: groupOfNames
OpenLDAP: posixGroup
Group Member Attribute member OpenDJ: member
 User UID attribute OpenLDAP: memberUid.
This attribute is available If a required group contains groupOfNames

only when POSIX style class, disable POSIX style groups. If the
groups is ON. group contains posixGroup, enable POSIX
style groups.
Default value: uid.
Advanced Authentication supports the following attributes for the Group Name attributes:
User Object Class user OpenDJ and OpenLDAP: person
Group Object Class group OpenDJ: groupOfNames
OpenLDAP: posixGroup

Group Member Attribute member OpenDJ: member
OpenLDAP: memberUid.
If a required group contains groupOfNames

class, disable POSIX style groups. If the
group contains posixGroup, enable POSIX
style groups.
 User UID attribute

This attribute is available only when
POSIX style groups is ON.
Default value: uid.
Object ID Attribute entryUUID
This attribute is available only

for other LDAP type only.
NOTE: For information about the Logon filter settings (Legacy logon tag and MFA logon tag), see
Configuring Logon Filter.
Verify SSL Certificate

Enable Verify SSL Certificate to ensure that the LDAP connection to appliance is secured with a valid
self-signed SSL certificate. This helps to prevent any attacks on the LDAP connection and ensures
safe authentication. Click Choose File to browse the self-signed certificate.
Enable Paged Search

The Enable paged search option allows LDAP repositories to support paged search in which the
repositories can retrieve a result of a query set in small portions. By default, this option is set to ON.
For openLDAP (with file-based backend), the option must be set to OFF.
NOTE: You must not disable the option for Active Directory repositories. It can also affect the
performance on other supported repositories such as NetIQ eDirectory.
Enable Nested Groups Support

This option allows you to enable or disable nested groups support. By default, the Enable nested
groups support option is set to ON.
If Enable nested groups support option is set to ON, then Advanced Authentication will authenticate
all the users of the group and its nested groups assigned to a chain. If Enable nested groups support
option is set to OFF, then Advanced Authentication will authenticate only the members of the group
assigned to the chain. The members of the nested groups cannot access the chain.
Consider there is a group by name All Users assigned to SMS Authentication chain and the All
Users group has subgroups Contractors and Suppliers. When Enable nested groups support
option is set to ON, then Advanced Authentication will authenticate All Users group and the nested
groups Contractors and Suppliers for SMS Authentication chain. When the option is set to OFF,

then Advanced Authentication will authenticate only the members of All Users group and the nested
group members will not have access to SMS Authentication chain. This improves the login
performance of the appliance.
Framed IPv4 Address Attribute

This attribute is applicable for the Radius Server event.
For Active Directory, when the Framed IPv4 Address is blank, the Advanced Authentication RADIUS
server returns value of the msRADIUSFramedIPAddress attribute as Framed-IP-Address after you log
in with the RADIUS event. When you specify any other attribute in Framed IPv4 Address attribute,
then the value of the specified attribute is returned as the Framed-IP-Address instead of the
msRADIUSFramedIPAddress attribute value. You can configure the Framed-IP-Address in Active
Directory Users and Computers > Dial-in > Assign Static IP Addresses and click Static IP
Addresses. It supports only IPv4.
For the other repositories, when the Framed IPv4 Address is blank, the Advanced Authentication
RADIUS server returns value of the radiusFramedIPAddress attribute as Framed-IP-Address after
you log in with the RADIUS event. When you specify any other attribute in Framed IPv4 Address
attribute, then the value of the specified attribute is returned as the Framed-IP-Address instead of
the radiusFramedIPAddress attribute value.
3.3.2 Used Attributes

The following table describes the attributes that the appliance uses in the supported directories.
Attribute LDAP Description Type Supported Supported Supported

Name Name in Active in LDS in
Directory eDirectory
CN CN An identifier of an object String ✓ ✓ ✓

(Common
Name)
Mobile Mobile A phone number of an Phone ✓ ✓ ✓

object's cellular or mobile number
phone
Email mail An email address of a user Email ✓ ✓ ✓

Address address
User- userPrinc An Internet based format String ✓ ✓ ✓

Principal- ipalName login name for a user
Name (UPN)
SAM- The login name used to String ✓ × ×

Account- sAMAccoun support clients and servers
Name tName running earlier versions of
operating systems such as
Windows NT 4.0
GUID GUID An assured unique value Octet String × × ✓

for any object
Object Class Object An unordered list of object String ✓ ✓ ✓

Class classes

Attribute LDAP Description Type Supported Supported Supported
Name Name in Active in LDS in
Directory eDirectory
Member Member A list that indicates the String ✓ ✓ ✓

objects associated with a
group or list
User- userAccou Flags that control the Enumeration ✓ × ×

Account- ntControl behavior of a user account
Control
ms-DS- msDS- Flags that are similar to Enumeration ✓ ✓ ×

User- User- userAccountControl, but
Account- Account- the attribute's value can
Control- Control- contain additional bits that
Computed Computed are not persisted
Primary- primaryGr A relative identifier (RID) Enumeration ✓ × ×

Group-ID oupID for the primary group of a
user
Object-Guid A unique identifier for an Octet String ✓ ✓ ×

objectGUI object
D
object-Sid A Binary value that Octet String ✓ ✓ ×

objectSid specifies the security
identifier (SID) of the user
Logon- Hours that the user is Octet String ✓ × ×

Hours logonHour allowed to logon to the
s domain
USN- An update sequence Interval ✓ ✓ ×

Changed uSNChange number (USN) assigned by
d the local directory for the
latest change including
creation
NOTE: The sAMAccountName and userPrincipalName attributes are supported only for AD DS
repository. The Active Directory LDS and eDirectory repositories do not support the attributes.
LDAP Queries for Repository Sync

Active Directory DS and AD LDS Queries
1. Search users
(&(usnChanged>=217368)(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipal
Name=*))))
Requested attributes:
['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId',

'otherMobile', 'mobile', 'userAccountControl', 'cn', 'usnChanged',
'userPrincipalName', 'msDS-User-Account-Control-Computed', 'objectGUID', 'mail',
'otherMailbox', 'GUID']
2. Search groups

(&(usnChanged>=217368)(&(objectClass=group)(|(cn=*)(sAMAccountName=*))))

'userAccountControl', 'cn', 'usnChanged', 'msDS-User-Account-Control-Computed',
'objectGUID', 'GUID']
eDirectory Queries
The queries are the same as for Active Directory DS and Active Directory LDS, except for
'usnChanged' (this filter is not used).
1. Search users
(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*)))

'otherMobile', 'mobile', 'userAccountControl', 'cn', 'userPrincipalName', 'msDS-
User-Account-Control-Computed', 'objectGUID', 'mail', 'otherMailbox', 'GUID']
2. Search groups
(&(objectClass=group)(|(cn=*)(sAMAccountName=*)))

'userAccountControl', 'cn', 'msDS-User-Account-Control-Computed', 'objectGUID',
'GUID']
LDAP Queries During Logon

For Active Directory LDS queries, the attributes are same as Active Directory DS except for the
objectSid (the filter is not used in queries on membership in groups).
In the examples below, the username is pjones, base_dn is DC=company,DC=com
Active Directory DS and Active Directory LDS queries
1. Basic user information
(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)
))
(&(objectClass=user)(objectGUID=\0f\d1\14\49\bc\cc\04\44\b7\bf\19\06\15\c6\82\55))
['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-

Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName',
'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours',
'otherMailbox']
2. Group membership information for user
Active Directory specific query using objectSid filter:
(|(member=CN=pjones,CN=Users,DC=company,DC=com)(objectSid=S-1-5-21-3303523795-
413055529-2892985274-513))

['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed',

'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass',
'sAMAccountName', 'logonHours']
3. Iteratively query about each group received from above query
(member=CN=Performance Monitor Users,CN=Builtin,DC=company,DC=com)

eDirectory Queries
Basic user information
(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)
))

'otherMailbox']
(&(objectClass=user)(GUID=\57\b6\c2\c1\b9\7f\4b\40\b9\70\5f\9a\1d\76\6c\d2))

'otherMailbox']
Group membership information for user
(member=cn=pjones,o=AAF)

3.3.3 Local Repository

The Local repository contains the Advanced Authentication server data. You can manage users and
set roles for users in the local repository.
To edit a local repository, perform the following steps:
1 Click Edit in the LOCAL section of Repositories.

2 In the Global Roles tab, you can manage the Helpdesk administrators as ENROLL ADMINS and
Advanced Authentication administrators as FULL ADMINS.

By default, there are no ENROLL ADMINS and the account LOCAL\ADMIN is specified as FULL
ADMIN. You can change this by adding the user names from local or the repositories in
Members.
3 Click Save.
4 In the Users tab, you can manage the local users.
To add the new local account, click Add and specify the required information of the user.
5 In the Settings tab, you can edit the name of the Local repository.
3.4 Configuring Methods

A method is a way of authenticating the identity of an individual who attempts to access an endpoint.
Advanced Authentication provides several such methods.
To configure an authentication method for Advanced Authentication, perform the following steps:
1 Click Methods.
2 Click the Edit icon next to the authentication method.

You can also double-click on the method to edit the configuration.
3 Make the required changes.
4 Click Save.
You can translate the method name to a preferred language in the Custom Names section. The
localized method name will reflect in the Administration, Helpdesk, Self-Service, and Reporting
portals, Windows, Linux PAM, and Mac OS X clients, OSP, RADIUS, and custom events. To
customize and localize the method name to a specific language, perform the following steps:
1 Open the method for which you want to localize the method name.
2 Specify the method name in a specific language field in the Custom Names section.
3 Click Save.
A top administrator can enforce the configurations of a method on secondary tenants. After
configuring a method, you can lock the settings for that specific tenant. The tenant cannot edit the
locked settings in the tenant administrator console.
To enforce the configurations for a specific tenant, perform the following steps:
1 Click the Edit icon next to the authentication method for which you want to enforce the
configurations.
2 In Tenancy settings, click +.
3 Move the tenant to whom you want to enforce the configurations from Available to Used list in
the Force the configuration for the tenants section.
4 After you add a tenant, the Hide forced settings option is displayed. You can turn this option to
ON if you want to hide the settings that you have enforced on the tenant.
5 Click Save.
After configuring the authentication methods, you must create an authentication chain and map the
configured methods to the chain. You can also create a chain with a single method. For example, you
can create different authentication chains for an organization that has two departments, IT and
Finance. For the IT department, you can create a chain with Password and Smartphone methods.
For the Finance department, a chain with only the Fingerprint method can be created. For more
information about creating chains, see “Creating a Chain”.

The methods do not appear in the Self-Service portal until you include them in a chain, and link that
chain to an event.
You can configure the following methods in Advanced Authentication:
 Bluetooth
 Card
 Email OTP
 Emergency Password
 Fingerprint
 LDAP Password
 OATH OTP
 Password
 PKI
 RADIUS Client
 Security Questions
 Smartphone
 SMS OTP
 Swisscom Mobile ID
 Touch ID
 FIDO U2F
 Voice
 Voice OTP
3.4.1 Bluetooth
In the Bluetooth method, you can enroll your smartphone or a mobile device. For example, Bob
wants to be authenticated through the Bluetooth method. He enrolls the Bluetooth method on the
Advanced Authentication Self-Service portal. He can get authenticated with the Bluetooth method
only when his smartphone is in the range.
By default, the Enable reaction on device removal option is enabled. When this option is enabled and
a user tries to logs in to Windows using Bluetooth, Windows gets locked automatically in the following
scenario:
 When the Bluetooth device is disabled

 When the Bluetooth device is out of range
NOTE: It is recommended to combine the Bluetooth method with another authentication method in a
chain to increase the security.

3.4.2 Card
The Card authentication happens when a user places a contactless card on a card reader.
Advanced Authentication supports the Microsoft policy Interactive logon: Smart card removal
behavior that allows you to specify an action on the card event. You can configure the policy to
perform a force log off or lock a user session when a user places a card on the reader. Only Microsoft
Windows supports this policy.
By default, the Enable Tap&Go option is disabled. When this option is disabled, a card must be
placed on the reader when a user logs in. When the user removes the card from the reader, the
Windows Client runs an action that is specified in the Interactive logon: Smart card removal behavior
policy. When you set this option to ON, users can tap a card to perform the following actions
(depending on the Interactive logon: Smart card removal behavior policy) without keeping their cards
on the reader:
 To log in
 To lock a session
 To log off
NOTE: The policy is supported for Microsoft Windows only and it is not supported for the PKI
authenticators.
3.4.3 Email OTP

In the Email OTP authentication method, the server sends an email with a one-time password (OTP)
to the user's e-mail address. The user must specify the OTP on the device where the user needs to
get authenticated. It is a best practice to use the Email OTP authentication method with other
methods such as Password or LDAP Password to achieve multi-factor authentication and to prohibit
malicious users from sending SPAM mails to a user's email box with authentication requests.
To configure the Email OTP method, specify the following details:
Parameter Description
OTP period Lifetime of an OTP token in seconds. The default OTP

period is 120 seconds. Maximum value for the OTP
period is 360 seconds.
OTP Format Length of an OTP token. The default value is 6 digits.
Sender email Email address of the sender.
Subject Subject of the mail.
Format Format of an email message. The default format is

Plain Text. The HTML format allows to use embedded
images. You can specify an HTML format of the
message in HTML.

Body For the Plain Text format, you can specify the
following variables:
 {user}: Username.
 {endpoint}: Device that a user authenticates to.
 {event}: Name of the event where the user is
trying to authenticate to.
 {otp}: One-Time-Password to be sent to the user.
3.4.4 Emergency Password

The Emergency Password method facilitates the use of a temporary password for users if they lose a
smartcard or forget their smartphone. Only a helpdesk administrator can enroll the Emergency
Password method for users.
WARNING: An administrator can misuse this method by trying to access other user’s account. Full
administrator must be vigilant to select the right helpdesk administrators.
To configure the Emergency Password method, specify the following details:
Minimum password length The length of the password must be at least five
characters long.
Password age (days) The validity period of a password. The default value is
3 days.
Max logons The maximum number of login attempts that a user

can perform before the password gets expired. The
default value is 10 and the password is expired after
the user logs in 10 times using this password.
Complexity requirements Set to ON to enforce users creating a complex and not

easily detectable password. Password must meet the
following requirements:
 Contains at least one uppercase character

 Contains at least one lowercase character
 Contains at least one digit
 Contains at least one special character
Allow change options during enrollment When set to ON, this option allows a helpdesk
administrator to set Start date, End date, and
Maximum logons manually in the Helpdesk portal.
This manual configuration overrides the settings in the
Emergency Password method.

3.4.5 Fingerprint
The Fingerprint method is one of the strong biometric authentication methods that Advanced
Authentication provides. Users can authenticate with methods such as Password (something they
know) and Fingerprint (something they are) for multi-factor authentication. Users need to place their
fingers on a fingerprint scanner to enroll and authenticate.
To configure the Fingerprint method, perform the following steps:
1 Set the Similarity score threshold by moving the slider to the desired score.
NOTE: Default and recommended value for Similarity score threshold is 25. Reducing the
score may result in different fingerprints getting validated.
2 Select the number of fingers to be enrolled.

It is recommended to enroll more than one finger as any injuries to the enrolled finger may make
it unable to use.
3 Select the number of scans required for enrollee's each finger.
NOTE: To improve the quality of the fingerprint enrollment, it is recommended to have multiple
captures. The total number of captures including all the enrolled fingers must not exceed 25.
4 Set Specify Fingers during enrollment to ON, if you want to enforce selected fingers for user to
enroll.
5 Select the preferred fingers to enroll from Selected Fingers list.
6 Click Save.
3.4.6 FIDO U2F

With the FIDO U2F authentication method, users can authenticate with the touch of a finger on the
U2F device.
You can configure certificate settings for the FIDO U2F authentication method. By default, Advanced
Authentication does not require the attestation certificate for authentication by the FIDO U2F
compliant token. Ensure that you have a valid attestation certificate added for your FIDO U2F
compliant token, when you configure this method. The Yubico and Feitian attestation certificates are
pre-configured in the Advanced Authentication appliance.
To validate attestation certificate for the FIDO U2F authentication, perform the following steps:
1 Set Require attestation certificate to ON to enable validation of attestation certificate.
2 To use a custom certificate instead of predefined device manufacturer certificate, click

against the particular certificate to remove the attestation certificate.
3 Click Add to add a custom certificate. The certificate must be in the PEM format.
To restore the deleted attestation certificate, click Add Default.
Advanced Authentication supports the Microsoft policy Interactive logon: Smart card removal
behavior that allows you to specify an action on the U2F. You can configure the policy to perform a
force log off or lock a session when a user removes the U2F device from a computer. This policy is
supported for Windows only. When the user removes the U2F device from the computer, the
Windows Client runs an action that is specified in the Interactive logon: Smart card removal behavior
policy.

IMPORTANT: To use the FIDO U2F authentication for Access Manager in the OAuth 2.0 event, you
must configure an external web service to perform enrollment and authentication for one domain
name. For more information, see Configuring a Web Server to Use the FIDO U2F Authentication.
The YubiKey tokens may flash with a delay when the token is initialized in a combination mode. For
example, when authentication uses OTP and U2F methods. This may cause the users to wait for the
token to flash before enrollment or authentication. Therefore, it is recommended to flash the tokens
only in the U2F mode if the other modes are not needed.
Configuring a Web Server to Use the FIDO U2F Authentication

This section is applicable for Debian 8 Jessie. The procedure may differ for other distributives.
This sections explains how to configure web server to use the FIDO U2F authentication in NetIQ
Access Manager for the OAuth 2.0 event.
According to the FIDO U2F specification, both enrollment and authentication must be performed for
one domain name. As NetIQ Access Manager and Advanced Authentication appliance are located on
different servers, you must configure web server to enable performing the following actions:
 Port forwarding to Advanced Authentication appliance for the FIDO U2F method enrollment
 Port forwarding to NetIQ Access Manager for further authentication using FIDO U2F tokens
Perform the following actions to configure a web server to use the FIDO U2F authentication.
Installing Nginx Web Server

You must install the Nginx web server for URL forwarding.
To install Nginx, add the following two lines to the /etc/apt/sources.list file:
deb http://packages.dotdeb.org jessie all

deb-src http://packages.dotdeb.org jessie all
Preparing SSL Certificate

Run the following commands:
mkdir –p /etc/nginx/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/
proxy.key -out /etc/nginx/ssl/proxy.crt
Preparing Nginx Proxy Configuration

Add the following to the /etc/nginx/sites-available/proxy file:

server {
listen 443 ssl;
error_log /var/log/nginx/proxy.error.log info;
server_name nam.company.local;
ssl_certificate /etc/nginx/ssl/proxy.crt;
ssl_certificate_key /etc/nginx/ssl/proxy.key;
location ~ ^/account {
proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass https://<appliance_IP>$uri?$args;
}
location ~ ^/static {

}
location ~ ^/admin {

}
location / {

proxy_read_timeout 300;
proxy_pass https://<NAM_IP>;
}
}
Create a link and restart the nginx service running the following commands:
ln -s /etc/nginx/sites-available/proxy /etc/nginx/sites-enabled/proxy
service nginx reload
Adding DNS Entries

Ensure that the NetIQ Access Manager name server corresponds to the IP address of web server.
Enrolling U2F FIDO

To enroll U2F, open the link https://<NAM_FQDN>/account. The Self-Service portal of Advanced
Authentication server appliance is displayed.
Enroll the U2F method in the Self-Service portal. For information about enrolling, see “Enrolling the
Authentication Methods”.

3.4.7 LDAP Password
In the LDAP Password method, the Advanced Authentication client retrieves password that is stored
in the user repository from the Advanced Authentication server.
If you do not include the LDAP Password method in a chain, you will be prompted to perform a
synchronization. When you set Save LDAP password to ON, the prompt is displayed only for the first
time until the password is changed or reset. If you set this option to OFF, a prompt for synchronization
is displayed each time.
 Set Enable SSPR integration to ON if you want to enable the Self Service Password Reset
integration for Advanced Authentication web portals.
 Specify the SSPR link text. This link is displayed on the login page where user enters the LDAP
Password.
 Specify the SSPR URL. This URL points to the Self Service Password Reset portal.
LDAP password is stored on the Advanced Authentication server in two places:
1. User data: It is used for OS logon (Windows Client, Mac OS X Client, and Linux PAM Client) and
is stored when Save LDAP password option in LDAP Password method is set to ON.
2. LDAP password authenticator: It is used while using cached logon. The password is stored when
the Enable local caching option is set to ON in the Cache Options Policy.
When the Enable cached logon option is set to OFF (default behavior), the Advanced Authentication
server always contacts the LDAP server to validate the user password. It may cause performance
issues. When you set this option to ON, during authentication user specified password is validated
with password stored (cached) in the Advanced Authentication server.
If the user password does not match with the stored password or password is not stored on the
Advanced Authentication server, then cached value gets reset and Advanced Authentication server
contacts the LDAP server to validate the user password.
If the user specified password matches the cached password, the Advanced Authentication server
validates user password with LDAP server in the background. If the validation failed, the password
stored on Advanced Authentication Server gets reset, so next logon will be without cache.
NOTE: The Enable cached logon option works only if any one of the following setting is set to ON:
 Save LDAP password in the LDAP Password method.

 Enable local caching in the Cache Options policy.
3.4.8 OATH OTP

OATH (Initiative for Open Authentication) is an industry-wide collaboration to develop an open
reference architecture using open standards to promote the adoption of strong authentication using
OTP.
Advanced Authentication supports the following two different types of OATH OTP:
 HOTP: Counter based OTP

 TOTP: Time based OTP

For HOTP, you can specify the following parameters:
 OTP format: The number of digits in the OTP token. The default value is 6 digits. The value must
be the same as of the tokens you are using.
 OTP window: The number of OTPs that the Advanced Authentication server will generate
starting from the current HOTP counter value to match an HOTP entered by the user during
authentication. The default value is 10. The maximum value for the OTP window is 100000
seconds.
This is required when users use tokens for accessing websites such as Google. After each use,
the HOTP counter increases by 1. Therefore, the counter will be out of sync between the token
and Advanced Authentication server. Also, users can press the token button accidentally.
WARNING: Do not increase the HOTP window value to more than 100 as it may decrease the
security by causing false matches.
During enrollment or HOTP counter synchronization in the Self-Service portal, Enrollment HOTP
window that has a value of 100,000 is used. This is helps in the following:
 HOTP tokens may be used for a long period before the enrollment in Advanced Authentication
and the value is unknown and can be equal to some thousands.
 Secure because users must provide 3 consequent HOTPs.
For TOTP, you can specify the following parameters:
 OTP period (sec): The value to specify how often a new OTP is generated. The default value is
30 seconds. The maximum value for the OTP period is 360 seconds.
 OTP format: The number of digits in the OTP token. The default value is 6 digits. The value must
be the same as the tokens you are using.
 OTP window: The value to specify the periods used by Advanced Authentication server for
TOTP generation. For example, if you have a period of 30 and a window of 4, then the token is
valid for 4*30 seconds before current time and 4*30 seconds after current time, which is 4
minutes. These configurations are used because time can be out-of-sync between the token and
the server and may impact the authentication. The maximum value for the OTP window is 64
periods.
IMPORTANT: You cannot use OTP window equal to 32 and higher for four digit OTPs as it can
lead to false matches and reduces the security.
 Google Authenticator format of QR code (Key Uri): Option to scan the QR code for enrollment
of the software token with the Google Authenticator. Enable this option to use the Google
Authenticator or Microsoft Authenticator app in place of the Advanced Authentication
smartphone app to scan a QR code.
IMPORTANT: OTP format must be set to 6 digits when you use the Google Authenticator or
Microsoft Authenticator format of QR code.
You can import the PSKC or CSV files. These token files contain token information. To import these
files, perform the following steps:
1 Click the OATH Token tab.

2 Click Add.
3 Click Browse and add a PSKC or CSV file.

4 Choose a File type. The options are:
 OATH compliant PSKC: This file type must be compliant with OAuth. For example, HID
OATH TOTP compliant tokens.
 OATH csv: This file type must contain the format as described in CSV File Format To Import
OATH Compliant Tokens. You cannot use the YubiKey CSV files.
 Yubico csv: In this file type, you must use one of the supported Log configuration output
(see YubiKey Personalization Tool > Settings tab > Logging Settings) formats with comma
as a delimiter.
 Traditional format: In this file type, OATH Token Identifier must be enabled.
 Yubico format: This file type is supported only for HOTP Length set to 6 Digits and
OATH Token Identifier set to All numeric.
IMPORTANT: Moving Factor Seed must not exceed 100000.
5 Add the encrypted PSKC files. For this, select Password or Pre-shared key in PSKC file
encryption type and provide the information.
6 Click Upload to import tokens from the file.
NOTE: Advanced Authentication receives an OTP format from the imported tokens file and stores
the information in the enrolled authenticator. Therefore, you need not change the default value of OTP
format on the Method Settings Edit tab.
When the tokens are imported, you can see the list and you must assign the tokens to users. This can
be done in the following two ways:
 Click Edit next to the token and select Owner and click Save.
 A user can self-enroll a token in the Self-Service portal. Administrator must let the user know an
appropriate value from the Serial column for the self-enrollment.
NOTE: Tenancy settings are not supported for the OATH tokens. Therefore, the configurations in the
OATH Tokens tab cannot be enforced on tenant administrators.
CSV File Format To Import OATH Compliant Tokens

A CSV file, which is imported as OATH csv file in the Administration portal > Methods > OATH OTP >
OATH Tokens tab, must contain fields with the following parameters:
 Token’s serial number

 Token’s seed
 (Optional) Type of the token: TOTP or HOTP (by default HOTP)
 (Optional) OTP length (default value is 6 digits)
 (Optional) Time step (default value is 30 seconds)
Comma is a delimiter.
The following is an example of a CSV file:
Token001, 15d2fa517d3c6b791bd4cc2044c241429307001f
Token002, 8c557fc050721037fd31e1d3345b5d3263263e0f, totp, 8
Token003, 658208efea5ac49d5331ba781e66f2c808cccc8e, hotp, 6
Token004, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 60

IMPORTANT: For the YubiKey tokens, you must use the traditional format of the CSV (check
YubiKey Personalization Tool > Settings tab > Logging Settings) with comma as a delimiter. Use
Yubico csv file type (Advanced Authentication Administration portal > Methods > OATH OTP >
OATH Tokens).
3.4.9 Password
In the Password authentication method, you can configure security options for passwords that are
stored in the appliance. For example, the local/admin user who does not have an LDAP Password
can use this option.
NOTE: Do not use the Password method in chains that contain only one factor. You must always
combine the Password method with other factors.
You can configure the following options for the Password method:
 Minimum password length: The maximum length of the password.

 Maximum password age: The validity period of the password. The default value is 42 days. If
you set the value to 0, the password never expires.
 Complexity requirements: Option to enable users to create a complex and not easily detectable
password.Set to ON to enable this option. Password must meet the following requirements:
 Contains at least one uppercase character
 Contains at least one lowercase character
 Contains at least one digit
 Contains at least one special character
 Rename to PIN: Option to rename the Password to PIN. Set to ON to enable the option. The
Password method is renamed to PIN in the Advanced Authentication Administration portal,
Helpdesk portal, Self-Service portal, Windows Client, Mac OS X Client, and Linux PAM Client.
NOTE: It is recommended to use Custom names to rename the Password method because the
Rename to PIN setting will not be available in versions after Advanced Authentication 6.0.
IMPORTANT: Advanced Authentication does not generate notifications about the password expiry.
After the password expires, the local administrator cannot sign-in to the Administration portal and
users using this method cannot get authenticated.
However, an administrator and a user can change their passwords in the Self-Service portal.
3.4.10 PKI
The Public Key Infrastructure (PKI) creates, stores, and distributes digital certificates. These
certificates are used to verify whether a particular public key belongs to a specific entity.
In the PKI method, you must upload trusted root certificates. These certificates must meet the
following requirements:
1. Root CA certificate is in the .pem format.

2. All certificates in the certification path (except Root CA) contain AIA and CDP http link to check
revocation status.
3. The certificate for PKI device contains a key pair: public and private key in the x509 format. The
certificates that do not comply with the requirements are ignored and hidden during enrollment.
NOTE: Advanced Authentication supports the p7b format of parent certificates. These p7b format
files can contain certificates and chain certificates, but not the private key. They are Base64 encoded
ASCII files with extensions .p7b or.p7c.
Configuring the Environment for a Standalone Root CA

1 Install Web Server (IIS) Role.
2 Create the CertEnroll Folder and grant Share & NTFS permissions to the Cert Publishers
group.
3 Create CertEnroll Virtual Directory in IIS.
4 Enable Double Escaping on IIS Server.
5 Install Enterprise Root CA using Server Manager.
6 Enable Object Access Auditing on CA.
7 Configure the AIA and CDP.
8 Publish the Root CA Certificate to AIA.
9 Export Root CA in .der format and convert the format to .pem.
10 Export personal certificate (that was signed by Root CA) with private key and place it on a PKI
device.
Configuring the Environment for a Subordinate CA

1 Install Web Server (IIS) Role.
2 Create the CertEnroll Folder and grant Share & NTFS permissions to Cert Publishers group.
3 Create CertEnroll Virtual Directory in IIS.
4 Enable Double Escaping on IIS Server.
5 Install the Standalone Offline Root CA.
6 Create a CAPolicy.inf for the standalone offline root CA.
7 Installing the Standalone Offline Root CA.
8 Enable Auditing on the Root CA.
10 Install Enterprise Issuing CA.
11 Create CAPolicy.inf for Enterprise Root CA.
12 Publish the Root CA Certificate and CRL.
13 Install Subordinate Issuing CA.
14 Submit the Request and Issue subordinate Issuing CA Certificate.
15 Install the subordinate Issuing CA Certificate.
16 Configure Certificate Revocation and CA Certificate Validity Periods.
17 Enable Auditing on the Issuing CA.

19 Install and configure the Online Responder Role Service.
20 Add the OCSP URL to the subordinate Issuing CA.
21 Configure and publish the OCSP Response Signing Certificate on the subordinate Issuing CA.
22 Configure Revocation Configuration on the Online Responder.
23 Configure Group Policy to provide the OCSP URL for the subordinate Issuing CA.
24 Export Root CA in .der format and convert the format to .pem.
25 Export personal certificate (that was signed by subordinate CA) with private key and place it on a
PKI device.
For more information, see Single Tier PKI Hierarchy Deployment and Two Tier PKI Hierarchy
Deployment.
To upload a new trusted root certificate, perform the following steps.
1 Click Add in the PKI Method Settings Edit page.

2 Click Browse.
3 Choose a .pem certificate file and click Upload.
4 Click Save.
NOTE: You must upload only the Root CA on appliance.
3.4.11 RADIUS Client

In the Radius Client method, Advanced Authentication forwards the authentication request to a third-
party RADIUS server. This can be any RADIUS server. For example, you can use RADIUS Client as
an authentication method when you have a token solution such as RSA or Vasco. You want to
migrate users to Advanced Authentication with the flexibility that users can use the old tokens while
the new users can use any of the other supported authentication methods.
You can configure the following options for the Radius Client method:
 Server: The Hostname or IP address of the third-party RADIUS server.

 Secret: The shared secret between the RADIUS server and Advanced Authentication.
 Port: The port to where the RADIUS authentication request is sent. The default port is 1812.
 Send repository name: Option for a repository name to be used automatically with a username.
For example, company\pjones. Set to ON to enable the option.
 NAS Identifier: An attribute that contains a string identifying the NAS originating the Access-
Request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier
must be present in an Access-Request packet.
3.4.12 SMS OTP

In the SMS OTP authentication method, a one time password (OTP) is sent with the SMS text to the
user’s phone. The user receives the OTP and enters it on the device where the authentication is
happening. The OTP must be used within a specific time frame. The OTPs delivered through text
messages prevent phishing and malicious attacks. SMS OTP is recommended to be used with other
methods, such as Password or LDAP Password.

NOTE: In the User’s settings of a repository, ensure that a phone number without extension is used.
An SMS is not sent to the user’s mobile where the phone number contains an extension.
To configure the SMS OTP method, specify the following details:
 OTP Period: The lifetime of an OTP in seconds. The default value is 120 seconds.The maximum
value for the OTP period is 360 seconds.
 OTP Format: The number of digits in the OTP. The default value is 6.
 Body: The text in the SMS that is sent to the user. The following structure describes the text in
the OTP:
 {user}: Name of the user.
 {endpoint}: Device the user is authenticating to.
 {event}: Name of the event where the user is trying to authenticate to.
 {otp}: One-Time Password.
 User cell phone attribute: The cell phone number of a user on which the OTP is sent through
SMS. You can use custom attributes such as mobile, homePhone, ipPhone, and other attributes
of a repository. You must define the attribute in “User Cell Phone Attributes” of the Repositories
section.
NOTE: If you do not configure the attribute in the method settings, then the first attribute defined
in the “User Cell Phone Attributes” section of Repository configuration is used when the user
tries to authenticate. For example, if you define mobile as the first attribute in User cell phone
attribute and do not configure the attribute in method settings of SMS OTP, then while
authenticating, the first attribute, which is the mobile attribute, is used for the SMS OTP method
authentication.
3.4.13 Security Questions

In Security Questions authentication method, an administrator can set up a series of predefined
questions. A user must answer these questions to get authenticated. Security Questions are used
when users forget their passwords.
Security questions are often easy to guess and can often bypass passwords. Therefore, Security
Questions do not prove to be secure.
You must follow few guidelines to use this method. You must use Good security questions that meet
five criteria. Ensure that the answers to a good security question are:
1. Safe: Cannot be guessed or researched.

2. Stable: Does not change over time.
3. Memorable: Can be remembered.
4. Simple: Precise, easy, and consistent.
5. Many: Has many possible answers.
Some examples of good, fair, and poor security questions according to goodsecurityquestions.com
are as follows. For a full list of examples, see the website (http://goodsecurityquestions.com/.)
GOOD
 What is the first name of the person you first kissed?

 What is the last name of the teacher who gave you your first failing grade?
 What is the name of the place your wedding reception was held?
 In what city or town did you meet your spouse/partner?
 What was the make and model of your first car?
FAIR
 What was the name of your elementary / primary school?
 In what city or town does your nearest sibling live?
 What was the name of your first stuffed animal, doll, or action figure?
 What time of the day were you born? (hh:mm)
 What was your favorite place to visit as a child?
POOR
 What is your pet's name?
 In what year was your father born?
 In what county where you born?
 What is the color of your eyes?
 What is your favorite _____?
Configure the following options for the Security Questions method:
 Min. answer length: The minimum number of characters an answer must contain.
 Correct answers for logon: The number of answers a user must answer correctly to get access.
 Total questions for logon: The number of questions that are presented to the user while
authenticating.
For example, if the Correct answers for logon is set to 3 and the Total questions for logon is set to 5,
the user needs to specify only 3 correct answers out of a set of 5 questions.
3.4.14 Smartphone
Advanced Authentication provides the Smartphone method that facilitates users to authenticate
through their Smartphone. The authentication happens through the NetIQ smartphone app to perform
the out-of-band authentication. The out-of-band authentication is typically a two-factor authentication
that requires a secondary verification through a separate communication channel along with the ID
and password.
The authentication flow for the Smartphone method in Advanced Authentication is described in the
following image.

A user wants to authenticate on an endpoint such as a laptop or a website with the Smartphone
method. The following steps describe the authentication flow:
1 When the authentication request is initiated, the endpoint contacts the Advanced Authentication
server.
2 The Advanced Authentication server validates the user’s credentials.
3 After validating the credentials, the Advanced Authentication server sends a push message to
proxy.authasas.com.
4 Depending on the platform of the Smartphone, the server selects an appropriate push service
and then forwards the push message to the Smartphone.
5 The push message is then delivered to the user’s Smartphone to inform that an authentication
request has been initiated.
6 When the user opens the Smartphone app, the app reaches the Advanced Authentication server
to validate if there is an authentication needed. The authentication is indicated by the Accept
and Reject options. The user’s selection is then sent to the server.
7 Finally, the server validates the authentication and the endpoint gets authenticated.
HTTPS protocol is used for the communication.
This authentication method is recommended to use in combination with another method such as
Password or LDAP Password to achieve multi-factor authentication and protect a user from getting
SPAM push messages.

Access Configurations
The following are the configurations required for the Smartphone method.
 Advanced Authentication server must be accessible by the specified Server URL address from
smartphones (HTTPS, outbound).
 Advanced Authentication server must have a permitted outbound connection to
proxy.authasas.com (HTTPS).
Scenario for Authenticating with the Smartphone Method
Bob wants to authenticate on the myexample.com website. When he logs in to the website, the
Smartphone authentication method sends a push message to Bob’s mobile phone. When he opens
the Smartphone app installed on his phone, he sees Accept and Reject options. If he selects the
Accept option, the authentication request is sent over the mobile network (secure) back to the
Authentication framework. Without specifying an OTP code, Bob has been authenticated to
myexample.com.
When your smartphone does not have a network connection, you can use a backup OTP as offline
authentication.
To configure the Smartphone method, specify the following details:
Push salt TTL The lifetime of an authentication request sent to the smartphone.
Learn timeout The time that is valid for the user to scan the QR code for enrollment.
Auth salt TTL The lifetime in which the out-of-band authentication needs to be accepted
before authentication fails.
TOTP Length The length of OTP token used for backup authentication.
TOTP step The time a TOTP is displayed on a screen before the next OTP is
generated. The default time is 30 seconds.
TOTP time window The time in seconds in which the TOTP entered is accepted. The default
time is 300 seconds.
Server URL The URL of Advanced Authentication server to where the smartphone
app connects for authentication. This URL points to the Public External
URLs (Load Balancers) policy. For example, http://
<AAServerAddress>/smartphone (/smartphone cannot be changed).
Use http only for testing and https in a production environment. You need
a valid certificate when using https.
Require PIN Set to ON to enforce the Enable PIN setting for the Smartphone
application. A user will not be able to edit the settings on the Smartphone
NOTE: If the PIN is not set, then the user is prompted to set the PIN
during authentication.
Minimum PIN length The minimum PIN length. The available options are 4,5, and 6.
Require biometrics Set to ON to enforce the fingerprint setting for the Smartphone
application. A user will not be able to edit the settings on the Smartphone.

Use image on mobile devices Select the option to use a customized image on your Smartphone app.
Browse the image. This image is displayed in the About screen of your
Smartphone app. The resolution of the image must be 2732×637 pixels.
NOTE: The Require PIN, Require biometrics, and Use image on

mobile devices policies are automatically applied on the smartphone if a
user has an enrolled authenticator in the smartphone app and the app is
open on one of the screens: Authentication Requests, Enrolled
Authenticators, or Requests History. It takes 2 to 30 seconds to display
the authentication request.
 If a user has configured a 4-digit PIN but a 6-digit PIN has been
enforced by the administrator, then the user will be able to use the 4-
digit PIN until the user decides to change the PIN.
 If Require biometrics is set in the policies, but a user’s device does
not support fingerprint, the policy will not be applied for the device.
 If a user has authenticators enrolled for two different Advanced
Authentication servers with different policies, then the policies are
combined for the device and the most secure policies are applied for
the app.
Use Smartphone network info to Set to ON, if you want to enforce the Advanced Authentication server to
check location calculate user’s accurate geo-location based on the network data (Wi-Fi
BSSID and Cellular ID) received from the smartphone.
The Google API calculates the geo-location and sends the calculated
location to Advanced Authentication server. The Advanced Authentication
server compares calculated location with location received from the
smartphone and concludes as follows:
 If the server calculated location and smartphone location point to

same position then the server authenticates the geo-location
successfully.
 If the server calculated location and smartphone location do not
point to same position then the server returns failed authentication.
Specify the valid Geocode API key that converts address into geographic
co-ordinates (like latitude and longitude values) in the Google Geocode
API Key.

Geo Zones You can configure Geo-fencing with the Smartphone method. Geo-
fencing allows you to authenticate with the Smartphone method with one
more factor, which is the geographical location. When you enable geo-
fencing, users will be able to authenticate with Smartphone from only
allowed geographical locations. You must enable the policy Geo Fencing
Options to use geo-fencing.
To configure geo-fencing, you need to draw a boundary of the location to

be authenticated with a polygon. To configure geo-fencing, perform the
following steps:
1. Click Add.
2. Specify the name of the zone.
3. Click the Search icon and specify the address to locate the required
geographical location.
You can click the full-screen icon to view the map in the full
screen.
4. Click the polygon icon in the menu bar of the map.

5. Click the starting point on the map and draw the boundary of the
specific location to be authenticated.
6. Click to mark the end point of the boundary after you have finished
drawing the geo zone.
You can also edit the marked polygon by clicking the edit icon.
7. Click Save.
NOTE: To use geo-fencing, ensure that access to the location is enabled for the NetIQ Advanced
Authentication app on the smartphone.
3.4.15 Swisscom Mobile ID

In the Swisscom Mobile ID authentication method, a PKI- based mobile signature secure encryption
technology is stored on a user’s SIM card. When the user tries to authenticate, the Swisscom Mobile
ID is validated against the user’s mobile phone attribute in the repository. If the number is validated,
the user gets authenticated.
To configure the Swisscom Mobile ID method, specify the following details:
 Application provider ID: Identifier of the application provider.

 Application provider password: Password of the application provider.
 Swisscom Mobile ID service URL: Interface of the Swisscom Mobile ID.
 Notification message prefix: Message that is displayed on the user’s mobile as a notification.
In addition, you can upload the Swisscom client certificates as follows:
1. Browse Client SSL certificate. The required certificate must be in a .pem format and self-signed
with a private key.
2. Specify Private key password for the certificate.
3. Click Save.

NOTE: Users must activate the Mobile ID service for the Swisscom SIM card.
For more information about the Swisscom Mobile ID method, see the Mobile ID Reference guide.
3.4.16 Touch ID
Advanced Authentication provides the Touch ID method that facilitates users to authenticate through
the MacBook Pro. User should place their fingers on the Touch id to enroll and authenticate. When
the user place their fingers, the sensor quickly scans the fingerprint and automatically authenticates
the user.
3.4.17 Voice
In the Voice authentication method, a user receives a call with an OTP through voice.
The following workflow describes the Voice authentication method in Advanced Authentication:
1 A user tries to authenticate with the Voice method.

2 The user receives a call on the phone with a OTP.
3 User must specify the PIN that has also been enrolled in the Self-Service portal during the
enrollment.
4 After the user specifies the PIN followed by a hash (#) symbol, user is authenticated with the
Voice method.
IMPORTANT: Phone number with extensions are supported for this method.
Special characters “,” and “x” are used to indicate wait time and can be used as separators between
phone number and extension.
For example, if +123456789 is the phone number and 123 is the extension, then it can be specified
as +123456789,,,,123.
In the above example, “,” is specified 4 times and this multiplied by 0.5 (default value in Twilio)
indicates the wait time, which is 2 (4*0.5) seconds. First, call is sent to the number 123456789 and
after a wait period of 2 seconds, the extension 123 is dialed.
To configure the Voice method, specify the following details:
 Minimum pin length: The length of the PIN must be at least three characters long.
 Maximum pin age: The validity period of a PIN. The default value is 42 days. If you set the age to
0, the PIN will not expire.
 User cell phone attribute: The cell phone number of a user that is used to call the user for voice
authentication. You can use custom attributes such as mobile, homePhone, ipPhone, and other
attributes of a repository. You must define the attribute in “User Cell Phone Attributes” of the
Repositories section.
attribute and do not configure the attribute in method settings of Voice, then while
authenticating, the first attribute, which is the mobile attribute, is used for the Voice method
authentication.

IMPORTANT: Advanced Authentication does not notify a user about the expiry of a PIN.
3.4.18 Voice OTP

In the Voice OTP authentication method, a user receives an OTP over a call. The user must specify
this OTP on the device where the authentication is happening. The OTP must be used within a
specific time frame. Voice OTP is recommended to use with other methods, such as Password or
LDAP Password.
To configure the Voice OTP method, specify the following details:
 OTP period: The time period for which the Voice OTP is valid. Default time is 120 seconds. The
maximum value for the Voice OTP period is 360 seconds.
 OTP format: The length of the Voice OTP token. Default length is 4.
 Body: The text or number in the Voice OTP that is sent to the user. Here, you can specify the
{otp} variable, which is the actual one-time password. To repeat the one-time password during
the call you can specify: Use the OTP for authentication: {otp}. OTP: {otp}.
 User cell phone attribute: Cell phone number of a user that is used to send the OTP through a
call. You can use custom attributes such as mobile, homePhone, ipPhone, and other attributes of
a repository. You must define the attribute in “User Cell Phone Attributes” of the Repositories
section.
attribute and do not configure the attribute in method settings of Voice OTP, then while
authenticating, the first attribute, which is the mobile attribute, is used for the Voice OTP method
authentication.
3.5 Creating a Chain

A chain is a combination of authentication methods. A user must pass all methods in the chain to be
successfully authenticated. For example, if you create a chain with LDAP Password and SMS OTP, a
user must first specify the LDAP Password. If the LDAP password is correct, the system sends an
SMS with a One-Time-Password (OTP) to the user’s mobile. The user must specify the correct OTP
to be authenticated.
Advanced Authentication contains the following chains that are created by default:
1. LDAP Password Only: Any user from a repository can use this chain to get authenticated with
the LDAP Password (single-factor) method.
2. Password Only: Any user who has a Password method enrolled can use this chain to get
authenticated with the Password (single-factor) method.
You can create any number of chains with multiple authentication methods. To achieve better
security, you can include multiple methods in a chain.
Authentication comprises of the following three factors:
 Something that you know such as password, PIN, and security questions.
 Something that you have such as smartcard, token, and mobile phone.
 Something that you are such as biometrics (fingerprint or iris).

You can achieve multi-factor or strong authentication by using any two factors out of this list. For
example, multi-factor authentication can include a combination of password and a token or a
smartcard and a fingerprint.
After you create a chain, you can use the chain on specific user groups in your repository. The chain
is then mapped to an event.
To create a new chain or edit an existing chain, perform the following steps:
1 Open the Chains section.
2 Click Add to create a chain. You can also click the edit icon against the chain that you want
to edit.
3 Specify a name of the chain in Name.
4 Specify a Short name. The short name is used by a user to move to a chain. For example, if you
name a chain containing the LDAP Password and SMS methods as SMS, then a user can
specify <username> sms and the user is forced to use SMS as the chain. This is helpful in
scenarios when the primary chain is not available.
NOTE: This is applicable only for the RADIUS Server event.
5 Set Is enabled to ON to enable the chain.

6 Select the methods that you want to add to the chain from the Methods section. You can
prioritize the methods in the list. For example, if you create a chain with LDAP Password and
HOTP methods, then the user will be prompted for the LDAP Password method first and then the
OTP.
7 Specify the groups that will use the authentication chain in Roles & Groups.
IMPORTANT: It is not recommended to use groups such as All Users group in Active
Directory, from which you will not be able to exclude users. This is because you will not be able
to free up a user's license.
8 Expand Advanced Settings by clicking +.

9 Set Apply if used by endpoint owner to ON if only an Endpoint owner must use the chain.
NOTE: The Endpoint owner feature is supported for Windows Client, Mac OS Client, and Linux
PAM Client only.
10 Specify the MFA tags. When a user logs in to Windows on a workstation with Advanced
Authentication Windows Client installed, the user's account is moved to the group specified in
MFA tags.
For example if you specify a Card users group from Active Directory in MFA tags, then the user
will be moved from the legacy group (specified in the Advanced Settings of Active Directory
repository) to the Card users group. This functionality is available when you set the Enable filter
to ON in the Logon Filter for AD policy and have configured the Logon Filter.
NOTE: The MFA tag does not work while connecting to Remote Desktop, if the user credentials
were saved with Remember my credentials.
11 Set Required chain to Nothing, if this is a normal (high-security) chain. If you want to configure a
simple chain within a specific time period after successful authentication with a high-security
chain, choose an appropriate high-security chain. In this case you also need to specify a Grace
period (mins). Within this time period the chain will be used instead of the appropriate high-
security chain. The maximum value for grace period is 44640 minutes (31 days).

NOTE: You must assign both a high-security chain and a simple chain to an Event. The simple
chain must be higher than the corresponding high-security chain. The options are available
when the Last logon tracking options policy is set to ON.
For example, LDAP Password+Card is a high-security chain and Card is a simple chain. The
users must use LDAP Password+Card chain once in every 8 hours and within this period, they
must provide only the Card method to authenticate.
12 A top administrator can enforce the configurations of a chain on secondary tenants. After the
administrator configures the settings for a chain, the administrator can freeze those
configurations for that specific tenant. The tenant will not be able to edit the settings in the tenant
administrator console that have been enforced by the top administrator for that chain.
12a In the Tenancy settings, click + to expand the settings.
12b Select the tenant to whom you want to enforce the configurations in Force the configuration
for the tenants.
12c After you add a tenant, the Hide forced settings option is displayed. You can turn this option
to ON if you want to hide the configurations that you have enforced on the tenant. This will
be hidden on the tenant administrator console.
13 (Conditional) In Custom names, you can specify the chain name in a specific language. To do
this click + to expand the settings and specify the chain name.
14 Click Save.
IMPORTANT: If you have configured more than one chain using one method (for example,
LDAP Password, LDAP Password+Smartphone) and assigned it to the same group of users and
the same event, then the top chain is always used if the user has enrolled all the methods in the
chain. An exception is the use of a high-security chain and its appropriate simple chain, where
the simple chain must be higher than its high-security chain.
3.6 Configuring Events

Advanced Authentication provides authentication events for the supported applications or devices.
You can configure an event to leverage the Advanced Authentication functionalities for the respective
application or device. The application or device triggers the respective authentication event when a
user tries to access it.
You can create customized events for the following:
 Third-party integrations.
 To use Windows Client, Linux PAM Client or Mac OS X Client on both the domain joined and
non-domain workstations and it requires to have a separate event to use the non-domain mode.
 Integrations using SAML 2.0 and OAUTH 2.0.
This section contains the following:
 Section 3.6.1, “Configuring an Existing Event,” on page 62

 Section 3.6.2, “Creating a Customized Event,” on page 66

3.6.1 Configuring an Existing Event
1 Click Events.
2 Click the edit icon against the event that you want to edit.
3 Ensure that Is enabled is set to ON if you want to use the event.
4 Select the event type.
For most of the predefined events, you cannot change the Event type. For events such as
Windows logon, Linux logon, and Mac OS logon, you can change the Event type from OS
Logon (domain) to OS Logon (local) if the workstations are not joined to the domain.
5 Select the Authenticator category. The Authenticator category option is displayed only if you
have added categories in the “Event Categories” policy.
6 Select the chains that you want to assign to the current event.
In an event, you can configure a prioritized list of chains that can be used to get access to that
specific event.
7 If you want to restrict access of some endpoints to the event, add all the endpoints that must
have access to the Endpoint whitelist. The remaining endpoints are blacklisted automatically. If
you leave the Endpoints whitelist blank, all the endpoints will be considered for authentication.
Move the endpoints from the Available to Used list if you want to blacklist an endpoint.
8 Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used.
For more information about configuring geo-fencing, see the Smartphone method.
IMPORTANT: You must enable the Geo Fencing Options policy to use the geo fencing
functionality.
9 Select Allow Kerberos SSO if you want to enable single sign-on (SSO) to the Advanced
Authentication portals. Kerberos SSO is supported for AdminUI, Authenticators Management,
Helpdesk, and Report logon events.
IMPORTANT: To use the Kerberos SSO feature, you must configure the Kerberos SSO Options
policy and upload a keytab file.
10 Set Bypass user lockout in repository to ON, if you want to allow repository locked-out users to
be authenticated on the Advanced Authentication. By default, Bypass user lockout in repository
is set to OFF and users locked on repository is not allowed to authenticate.
11 You as a top administrator can enforce the configuration of events (except the Radius Server
event) on secondary tenants. After configuring the settings for the event, you can freeze those
settings for a specific tenant. The tenant cannot edit the settings in the tenant administrator
console that have been enforced by the top administrator for that event.
11a In the Tenancy settings, click +.
11b Select the tenant to in Force the configuration for the tenants to whom you want to enforce
the configurations.
11c After you select a tenant, the Hide forced settings option is displayed. You can set Hide
forced settings to ON if you want to hide the configurations that you have enforced on the
tenant. When this option is set to ON, the tenant administrator console does not show
setting changes.
12 Click Save.
13 If you want to revert the changes to the default configuration, click Initialize default chains.

NOTE: If you have configured more than one chain using one method (for example, LDAP Password,
LDAP Password+Smartphone) and assigned it to the same group of users and to the same event,
the top chain is always used if the user has enrolled all the methods in the chain. An exception is the
use of a high-security chain and its appropriate simple chain, where the simple chain must be higher
than its high-security chain.
TIP: It is recommended to have a single chain with the Emergency Password method at the top of
the chains list in the Authenticators Management event and other events, which are used by users.
The chain will be ignored if the user does not have the Emergency Password enrolled. The user can
use the Emergency Password immediately after the helpdesk administrator enrolls the user with the
Emergency Password authenticator.
By default, Advanced Authentication contains the following events.
 ADFS Event
 AdminUI Event
 Authenticators Management Event
 Helpdesk Event
 Helpdesk User Event
 Linux Logon Event
 Mac OS Logon Event
 NAM Event
 NCA Event
 RADIUS Server Event
 Report Logon Event
 Search Card Event
 Tokens Management Event
 Windows Logon Event
ADFS Event
Use this event to integrate Advanced Authentication with ADFS using the ADFS plug-in. For more
information about ADFS, see “Configuring Advanced Authentication Server” in the Advanced
Authentication - ADFS Plug-in guide.
NOTE: The ADFS plug-in is discontinued and it is recommended to use integration with ADFS using
SAML. For more information about integration with ADFS using SAML, see “Configuring Integration
With ADFS”.
AdminUI Event
Use this event to access the Administration portal. You can configure the chains that can be used to
get access to the /admin URL.

NOTE: You can promote users or group of users from a repository to the FULL ADMINS role in
Repositories > Local. After this, you must assign chains in which the methods are enrolled for users
with the AdminUI event (at a minimum with an LDAP Password).
WARNING: You must be careful when changing the default chains that are assigned to this event.
You may block the access to the Administration portal.
Authenticators Management Event

Use this event to access the Self-Service portal. In the Self-Service portal, users can enroll to any of
the methods that are configured for any chain and they are a member of the group assigned to the
chain.
Add an LDAP Password chain as the last chain in the list of chains to ensure secure access to the
portal for users who have methods enrolled.
IMPORTANT: If the Administration portal uses a repository that does not have any user, you must
enable a chain with Password only (Authenticators Management - Password) for this event. This
action enables you accessing the Self-Service portal or changing the password in the Self-Service
portal.
You can also perform basic authentication with Advanced Authentication. To achieve basic
authentication, set the Allow basic authentication option to ON in the Event Edit screen for
Authenticators Management.
NOTE: The basic authentication is supported only for the Authentication Management event and for
the Password (PIN), LDAP Password, and HOTP methods.
You must specify /basic with the URL to login to the enrollment page. The Login page appears and
the format of the Username you must provide is: username:PASSWORD|LDAP_PASSWORD|HOTP:1. For
example: admin:PASSWORD:1.
When you log in to the Self Service portal, by default the chain with the highest priority is displayed.
To display the other chains with the enrolled methods, set Show chain selection to ON.
NOTE: If you enable to show the chain selection, but a chain is not displayed in the list of available
chains in the Self-Service portal, ensure that all the methods of the chain are enrolled by the user.
For more information, see “Authenticators Management” in the Advanced Authentication- User guide.
Helpdesk Event
Configure the settings of this event to enable the Helpdesk administrator to access the Helpdesk
portal. One of the roles of a Helpdesk administrator is to set an emergency password for users. An
emergency password is a temporary password for users when they lose their smart card or smart
phone. Some companies restrict self-enrollment and have the Helpdesk administrator who does the
enrollment after hiring. You can promote the repository administrators or users as Helpdesk
administrators in the Repositories > LOCAL > Edit > Global Roles > ENROLL ADMINS section.
For more information, see “Authenticators Management” in the Advanced Authentication- Helpdesk
Administrator guide.

Helpdesk User Event
Configure the settings of this event to enable the Helpdesk administrator to authenticate users in the
Helpdesk portal. This event is applicable for the User to manage screen that appears on the
Helpdesk portal.
You must enable the Ask credentials of management user option in the Helpdesk Options policy
before using this event.
Linux Logon Event

Configure the settings of this event to enable login to the Linux Client. If you want to use Linux Client
on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon
(local).
Mac OS Logon Event

Configure the settings of this event to enable login to the Mac OS Client. If you want to use Mac OS
Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS
Logon (local).
NAM Event
Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ
Access Manager.
NCA Event
Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ
CloudAccess. CloudAccess must be configured to use Advanced Authentication as an authentication
card and user stores must be added for the repositories for the integration to work. For more
information, see the Advanced Authentication CloudAccess documentation.
RADIUS Server Event

The Advanced Authentication server contains a built-in RADIUS server to authenticate any RADIUS
client using one of the chains configured for the event. For more information about configuring the
RADIUS Server event, see Chapter 8, “RADIUS Server,” on page 123.
Report Logon Event

Configure the settings of this event to log in to the Advanced Authentication Reporting portal. For
more information about the Reporting portal, see Chapter 11, “Reporting,” on page 147.
Search Card Event

Configure the settings of this event to log in to the Advanced Authentication Search Card portal. The
Search Card functionality helps you to get the card holder’s contact information by inserting the card
in the card reader. For more information about searching a card holder’s information, see Chapter 14,
“Searching a Card Holder’s Information,” on page 165.

Tokens Management Event
Configure the settings of this event to log in to the Advanced Authentication Tokens Management
portal. The Tokens Management functionality allows you to assign each token to specific user. For
more information about assigning a token to user, see Chapter 13, “Managing Tokens,” on page 163.
Windows Logon Event

Configure the settings of this event to log in to the Windows Client.
3.6.2 Creating a Customized Event

You can create customized events for the following.
 Third-party integrations.
 When you must use Windows Client or Linux PAM Client, or Mac OS X Client on both the
domain joined and non-domain workstations and you must have a separate event to use the
non-domain mode.
 For integrations using SAML 2.0 and OAUTH 2.0.
You can create the following types of customized events:
 Generic
 OS Logon (domain)
 OAuth2
 SAML2
 RADIUS
Creating a Generic Event

You can create a generic event for Windows Client, Mac OS X Client, and Linux PAM Client
workstation when these clients are not joined or bound to a domain.
Perform the following steps to create a generic event:
1 Click Events > Add.

2 Specify a name for the event.
3 Set Is enabled to ON.
4 Select Generic in the Event type.

functionality.
10 A top administrator can enforce the configuration of events (except the Radius Server event) on
secondary tenants. For more information, see Step 11 on page 62.
11 Click Save.
NOTE: When you create a custom event, you must specify the custom event in the configuration file
of the related endpoints. For more information, see the Advanced Authentication- Linux PAM Client,
Advanced Authentication - Mac OS X Client, or Advanced Authentication - Windows Client guides
related to the specific endpoint.
Creating an OS Logon (Domain) Event

You can create this event when the third-party application needs to read password of a user after
authentication. For example, when Windows Client, Mac OS X Client, or Linux PAM Client
workstation is joined or bound to a domain, the third-party application must read the password of the
user.
The steps to create an OS Logon (domain) event are similar to the Generic event.
Creating an OAuth 2.0 Event

You can create this event for third-party integrations with OAuth 2.0.
IMPORTANT: Enable the WebAuth option in Server Options before configuring OAuth2 event.
To create an OAuth 2 event, perform the following steps:

4 Select OAuth2 in the Event type.
7 Specify the Redirect URIs. The Client ID and Client secret are generated automatically. The
Client ID, Client secret, and Redirect URI are consumed by the consumer web application. After
successful authentication, the redirect URI web page specified in the event is displayed.
8 In Advanced Settings, perform the following actions:
 Set the Use for Owner Password Credentials option to ON, if the consumer web application
provides authorization in the form of Resource Owner Password Credentials Grant.
 Set the option to OFF, if the consumer web application provides authorization in the form of
Authorization Code Grant or Implicit Grant.

NOTE: If option is set to ON, you can use only the LDAP Password only chain for this event. It is
recommended to use separate events for Resource Owner Password Credentials Grant (Use for
Owner Password Credentials > ON) and Authorization Code Grant / Implicit Grant (Use for
Owner Password Credentials > OFF).
11 Click Save.
After you have created an OAuth 2 event, perform the following steps to access the consumer web
application:
1 Specify the Client ID, Client secret, and redirect URIs in the consumer web application.
2 Specify the appliance end point (authorization end point) in the web application. For example,
https://<Appliance IP>/osp/a/TOP/auth/oauth2/grant.
3 Authenticate with the required authentication method(s) to access the consumer web
application.
NOTE: Authorization is provided in the form of Authorization Code Grant or Implicit Grant or
Resource Owner Password Credentials Grant.
Creating a SAML 2.0 Event

You can create this event for third-party integrations with SAML 2.0.

4 Select SAML 2 in the Event type.
functionality.
9 You can either insert your Service Provider's SAML 2.0 metadata in SP SAML 2.0 metadata or
click Browse and select a Service Provider's SAML 2.0 metadata XML file to upload it.
NOTE: You must enable the SAML 2.0 options policy for the SAML 2.0 event to work
appropriately.

12 Click Save.
3.7 Managing Endpoints

Endpoints are devices where the Advanced Authentication server authenticates. An endpoint can be
a Windows workstation for Windows Client endpoint, or Advanced Authentication Access Manager
appliance for the NAM endpoint and so on.
The endpoints are automatically added when you install a plug-in such as NAM or install Windows
Client. The RADIUS endpoint, an OSP endpoint that is used for WebAuth authentication, and
Endpoint41 and Endpoint42 are the predefined endpoints.
NOTE: Endpoint41 and Endpoint42 are created for the integration with legacy NAM and NCA plug-
ins, which are used in NAM 4.2 and earlier versions with Advanced Authentication 5.1.
The NAM and NCA plug-ins work with the hard coded endpoint ID and secret. In Advanced
Authentication 5.2 and later, you must register the endpoints. This breaks the backward compatibility
with old plug-ins. These two legacy endpoints allow to keep the old plug-ins working.
To configure an endpoint for Advanced Authentication, perform the following steps:
1 In the Endpoints section, click Edit against the endpoint you want to edit.
2 You can rename the endpoint, change its description or endpoint type.
3 Set Is enabled to ON to enable the endpoint.
4 Set Is trusted to ON if the endpoint is trusted. In some integrations such as Migration Tool,
Password Filter, NAM, and NCA you must enable the Is trusted option for their endpoints.
5 Specify an Endpoint Owner if you have configured a specific chain to be used by the Endpoint
owner only. This is a user account that must be able to use a different chain than the other users
for authentication.
The Endpoint Owner feature is supported for Windows Client, Mac OS Client, and Linux PAM
Client only.
NOTE: Additional information such as Operating System, Software version, Last session time
and Device information are displayed. Also in Advanced properties, RAM information is
displayed.
Advanced Authentication Windows Client 5.6 or newer, Advanced Authentication Linux PAM
Client 6.0 or newer, Advanced Authentication Mac OS X Client 6.0 or newer must be installed on
the endpoint.
6 Click Save.
You can create an endpoint manually. This endpoint can be used for the third-party applications that
do not create endpoints.

To create an endpoint manually, perform the following steps:
1 In the Endpoints section, click Add.

2 On the Add endpoint page, specify a Name of the endpoint and its Description.
3 Set the Type to Other.
5 Leave Endpoint Owner blank.
6 Click Save. The New Endpoint secret window is displayed.
7 Take down the values specified in Endpoint ID and Endpoint Secret and place them in a secure
place in your application.
NOTE: You will not be able to get the Endpoint ID and Endpoint Secret later on the appliance.
8 Click OK.
NOTE: Tenancy settings are not supported for Endpoints.
IMPORTANT: You must ensure not to remove an endpoint that has at least one component running
on it such as Windows Client, Logon Filter, RD Gateway plug-in, or ADFS plug-in. Endpoint is
removed automatically when you uninstall Windows Client. However you must remove the endpoint
manually when you uninstall Logon Filter, RD Gateway plug-in or ADFS plug-in.
If you remove an endpoint accidentally, ensure to remove the records with prefix endpoint* from the
%ProgramData%\NetIQ\Windows Client\config.properties file and re-start the machine. This
recreates the endpoint.
3.8 Configuring Policies

Policies contain configuration settings for the Advanced Authentication methods, events, and so on.
For example, to use the Email OTP method, you must configure the server and port settings in the
Mail sender policy and to use the Multitenancy mode, you must enable the Multitenancy options
policy.
Advanced Authentication provides the following policies:
 Admin UI Whitelist Policy

 Authenticator management options
 Cache options
 CEF log forwarding
 Custom Messages
 Delete me options
 Endpoint management options
 Event categories
 Geo fencing options
 HTTPS Options
 Helpdesk Options
 Kerberos SSO Options

 Last Logon Tracking Options
 Lockout Options
 Login Options
 Logo
 Logon Filter for AD
 Mail sender
 Multitenancy Options
 Password Filter for AD
 Public external URLs (load balancers)
 SAML 2.0 options
 SMS sender
 Services Director Options
 Voice sender
To configure a policy, perform the following steps:
1 Click Policies in the Administration portal.
2 Click the Edit icon against the policy you want to configure.
You can also double-click on the policy to edit the configuration.
3 Make the required changes for a specific policy.
A top administrator can enforce the configurations of a policy on secondary tenants. After
configuring a policy, you can lock the settings for that specific tenant. The tenant cannot edit the
locked settings in the tenant administrator console.
3a In Tenancy settings, click +.
3b Move the tenant to whom you want to enforce the configurations from the Available to the
Used list in the Force the configuration for the tenants section.
3c After you add a tenant, the Hide forced settings option is displayed. You can turn this option
to ON if you want to hide the configurations that you have enforced on the tenant.
NOTE: The Tenancy settings are not supported for the following policies: CEF log
forwarding, Event categories, HTTPS Options, Logo, and Multitenancy options.
A tenant administrator cannot access the CEF log forwarding and Multitenancy options
policies.
4 Click Save.
IMPORTANT: The configured policies are applied for all the Advanced Authentication servers.

3.8.1 Admin UI Whitelist Policy
In this policy, you can configure the security settings to allow only permitted IP addresses to use the
Advanced Authentication Administration portal.
By default, all the IP addresses are considered as whitelist. To configure a restriction so that only a
particular IP address can access the Administration portal, perform the following steps:
1 Click Add in the Admin UI whitelist policy.

2 Specify the address in the format 10.20.30.0/255.255.255.0 or 10.20.30.0/24.
Advanced Authentication has an automatic validation check to prevent administrators from
losing access to the Administration portal. If your IP address is out of the range, a message:
Your IP address is not whitelisted. You will lose access! Please add your IP is
displayed.
3 Click Save.
3.8.2 Authenticator Management Options Policy

This policy allows you to configure the following two settings:
 Enable sharing: This setting allows a user to authenticate with his or her authenticator to another
user’s account. The helpdesk administrator can link an authenticator of one user to another user.
To enable sharing authenticators, set Enable sharing to ON.
NOTE: Linked authenticators work only in the online mode. Cached login does not work for the
linked authenticators.
The supported methods for sharing authenticators are TOTP, HOTP, Password, Fingerprint,
Card, and FIDO U2F.
 Disable re-enrollment: This setting allows you to restrict users from re-enrolling, editing, and
deleting the enrolled authenticators in the Self-Service portal.
To disable re-enrollment or removal of authenticators, set Disable re-enrollment to ON.
WARNING: If you access the Administration portal with local user credentials such as
local\admin, you might get into a lockout situation. This can happen when the administrator's
password expires and it is not possible to change the password through the Self-Service portal.
Therefore, to use the Disable re-enrollment option, you must configure the access of a
repository account to the Administration portal. To do this:
 Add authorized users or a group of users from a repository to the FULL ADMINS role.
 Assign chains, which contain methods that are enrolled for users, to the AdminUI event (at
a minimum with an LDAP Password method).
NOTE: This setting disables re-enrollment and removal of the authenticators only in the Self-
Service portal. The setting has no effect on the Helpdesk portal.

3.8.3 Cache Options Policy
In this policy, you can disable the local caching of authenticators. The policy is supported for Windows
Client, Mac OS X Client, and Linux PAM Client for chains that use the methods: LDAP Password,
Password, HOTP, TOTP, Smartphone (offline mode), Card, FIDO U2F, Fingerprint, and PKI.
The caching functionality enables the storing of credentials on the Client for offline authentication
when the Advanced Authentication server is not available. Therefore a user who has successfully
logged in once to the server with the authentication, can now login with the offline authentication.
By default, the Enable local caching option is enabled. To disable the caching, set the option to OFF
and click Save.
NOTE: The caching period cannot be configured. The cache will be cleared only if the Enable local
caching option is disabled.
3.8.4 CEF Log Forward Policy

In this policy, you can configure settings to forward the logs to an external Syslog server. The central
logging server can be used for log forwarding. To configure the policy, perform the following steps:
1 Set Enable to ON.

2 Specify the IP address of the remote logging server in Syslog server.
3 Specify the port of the remote logging server in Port.
4 Select an applicable transfer protocol from Transport.
5 Click Save.
NOTE: The same Syslog configuration is used for each server type. Each server type in the
appliance records its own log file.
Only logs from the Syslog section are forwarded to the external Syslog server. For more information
about Syslog, see Chapter 12, “Logging,” on page 149.
3.8.5 Custom Messages

In this policy, you can customize and localize the error messages for a specific language.
For example, if you customize the logon error message in German - Anmeldung nicht erfolgt to
Benutzer nicht registriert, then on the Self-Service portal, when the user specifies wrong user
name, the customized error message is displayed.
Advanced Authentication supports two ways to localize the messages:
1. You can use Administration portal to localize only the main messages.
2. You can download the custom localization file and update the preferred messages.
To customize a specific message, perform the following steps:
1 Click Custom Messages.

2 Use the Message filter to search for a specific message or you can find the preferred message
manually.

3 Click the Edit icon next to the preferred message. You can also double-click on the message
to edit the content.
4 Specify the message in the preferred language.
5 Click Save.
To customize all required messages using the Custom localization file, perform the following steps:
1 Click Custom Messages.

2 Click Download Original to save custom_messages.tar.gz file on your local drive.
3 Extract the files from custom_messages.tar.gz file.
4 Navigate to the preferred language folder.
To customize English messages, use custom_messages.pot file and for other languages use
custom_messages.po file.
5 Open the custom_messages.po file in the text format.
6 Specify the message in the msgstr "".
7 Save the changes.

8 Compress the custom_messages folder to either .tar.gz or .zip format.
9 Click Choose File and select the compressed custom_messages file from the local drive.
10 Click Upload.
3.8.6 Delete Me Options

In this policy, you can configure settings that enable deleting all the user data from the server,
including the enrolled methods.
When you set Enable delete me feature to ON, the users can view the Delete me option in a drop-
down by clicking on the user name on the top-right corner of the Self-Service portal.

3.8.7 Endpoint Management Options
In this policy, you can configure settings for endpoint management.
Set Require admin password to register endpoint/workstation to ON for endpoints to provide the
local administrator's credentials during the registration of endpoint.
You must disable the option when installing any components from the Advanced Authentication
distributives package that uses endpoints (Advanced Authentication Windows Client, Mac OS X
Client, Linux PAM Client, Logon Filter, and RDG plug-in). Otherwise, the endpoints are not created.
You must use the option for third-party integrations only.
3.8.8 Event Categories

In this policy you can add categories, which can be used in an event to support multiple enrollments
for a method. For each event, you can specify one category.
To add a category, perform the following steps:
1 Click Event categories.

2 Click Add.
3 Specify a name and description for the category.
4 Click Save.
5 Click Events and edit the required event to specify the category.
Ensure that users or helpdesk administrators enroll authenticators for the new category.
NOTE:
 You can enroll only one authenticator of one type for each category.
 The Authenticator category option in Events is not displayed when no category is created.
 The LDAP Password method is an exception. There is one LDAP password authenticator
always, it can be used with any category.
3.8.9 Geo Fencing Options

In this policy, you can create authentication zones by drawing boundaries for a geographical location.
When you enable the geo-fencing policy, users can authenticate with their Smartphones only from the
allowed geographical locations.
To enable geo-fencing, set Enable geo fencing to ON. For more information about how to configure
the geo-zones, see the “Smartphone” method.
NOTE: When you enable the Geo-fencing options policy, the functioning of the TOTP mode of the
Smartphone method, which is used in the offline mode, is affected. An error message TOTP login is
disabled is displayed to the users when they try to authenticate with this method.

3.8.10 Helpdesk Options
In this policy, you can configure settings to prompt the helpdesk administrators to provide the
credentials of the users in the Helpdesk portal. This enhances security. This policy is applicable to the
Helpdesk User event.
Set Ask credentials of management user to ON to prompt the helpdesk administrator to provide the
credentials of the user in the Helpdesk portal. Ensure that you have specified a chain (with all the
methods of the chain enrolled for the users) for the Helpdesk User event.
When you set the option to OFF, it may not be secure, but the user management is done faster.
3.8.11 HTTPS Options

In this policy, you can configure settings to ensure that the appliance is safe from security
vulnerabilities.
This policy allows you to configure the following two settings:
 Enable TLS 1.0: It is recommended to keep this option disabled by default to ensure security
vulnerabilities are prevented because TLS 1.0 is considered as an unsafe protocol. In some
scenarios, you can enable the option to support the older versions of browsers. For more
information on browser support for TLS, see TLS support for web browsers.
 Enable HTTP compression: This setting allows you to enable the HTTP compression to
accelerate performance in the scenarios of low bandwith or when the network connectivity is
slow.
3.8.12 Kerberos SSO Options

In this policy, you can select an Active Directory repository that points to a domain for which you want
to configure the single sign-on (SSO). Kerberos SSO is supported for the AdminUI, Authenticators
Management, Helpdesk, and Report logon events.
To configure this policy, perform the following steps.
1. Select a required repository.

2. Click Save.
NOTE: This feature works only for a single Active Directory repository at a time and is disabled
in the Multitenancy mode.
3. Generate a keytab file for each Advanced Authentication server and upload them in the
appliance for each server. For more information, see Uploading Keytab File.
4. After configuring the Kerberos SSO options and uploading the keytab files, enable Allow
kerberos SSO for the required event. For more information on configuring an event, see
Configuring Events.
By default, the basic authentication window is displayed in your browser while accessing an
Advanced Authentication portal. Advanced Authentication servers’ sites must be added to the local
intranet in the browser on the domain-joined workstations to avoid it. Perform the following steps to
do it for Internet Explorer:
1. From the Start menu, navigate to Control Panel > Network and Internet > Internet Options.
2. In the Internet Properties window, click the Security tab and select Local intranet.

3. Click Sites.
4. In the Local intranet window, click Advanced.
5. Add the Advanced Authentication Servers’ sites to the zone. For example: https://
v5.netiq.loc or v5.netiq.loc
6. Click Close and save the changes.
You can configure Advanced Authentication to perform an SSO authentication to access the
Advanced Authentication web portals: Administration portal, Self-Service portal, Helpdesk portal, and
Reporting portal.
Perform the following steps to configure Advanced Authentication to perform an SSO authentication:
1 Ensure that the Multitenancy options policy is disabled.

2 Go to Policies > Kerberos SSO options.
3 Select Active Directory as repository in Repository.
NOTE: This feature works only for a single Active Directory repository at a time.
4 Click Save.
5 Log in to a Domain Controller.
6 Generate the keytab files for the Kerberos authentication for each Advanced Authentication
server.
A Sample command to create the keytab file is:
□ktpass /princ HTTP/[email protected] /mapuser [email protected] /

crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out
C:\Temp\keytab_aas1srv
where
 aas1 is a server name (according to the record in DNS), the domain name is netiq.loc.
 aas1srv is a service account created in the Active Directory for the Advanced
Authentication server. The password of this account is Q1w2e3r4.
The keytab file keytab_aas1srv is created in the C:\Temp folder.
7 Go to the Advanced Authentication Administration portal.
8 Click Server Options.
9 Scroll down to the Keytab file section.
10 Click Choose File and select a keytab file for the Advanced Authentication server.
11 Click Upload.
12 Repeat Step 8 to Step 11 for the other Advanced Authentication servers.
13 Click Events on the Global Master server.
14 Open the properties of any supported event: AdminUI, Authenticators Management, Helpdesk,
or Report logon.
15 Scroll down and set Allow Kerberos SSO to ON.
IMPORTANT: You must add the Advanced Authentication server sites to the local intranet in the
browser of the domain-joined workstations. To know how to do this for the Internet Explorer and
Firefox browsers, see the following note.

NOTE: The basic authentication window is displayed while accessing a configured Advanced
Authentication portal, if the Kerberos SSO option is enabled for Authenticators Management event
and security is set to High for Local intranet in the Internet Explorer.
By default, Firefox browser does not support SSO. If you use the Firefox browser, you can enable
SSO by performing the steps defined on the Single Sign-On in Firefox page.
3.8.13 Last Logon Tracking Options

The Last Logon Tracking options policy allows Advanced Authentication to enable tracking for the
last login. This policy helps you to automatically move to a simple chain that contains less factors
within a few hours of authentication done with a high-security chain.
For example, if a user authenticates with the LDAP Password+Card chain once in a day, the user can
further use only the Card method without the LDAP Password method, or if a user authenticates with
the Fingerprint method once in every four hours, the user can authenticate once with this chain and
next authentication he can use only the Smartphone chain.
To enable tracking, set Enable tracking option to ON. You must enable this policy for the Require
chain option while creating a chain.
To configure a high-security chain and the corresponding simple chain, see Creating Chains.
3.8.14 Lockout Options

In this policy, you can configure settings to lock a user’s account when the user reaches the
maximum failure attempts of login. This enhances security by preventing the guessing of passwords
and one-time passwords (OTPs).
You can configure the following options in this policy:
 Enable: An option to enable the lockout settings.

 Failed attempts: The limit of failure attempts of authentication, after which the user’s account is
locked. The default value is 3.
 Lockout period: The period within which the user’s account is locked and the user cannot
authenticate. The default value is 300 seconds.
 Lock in repository: The option to lock the user account in repository. You cannot use Lockout
period if you enable this option. Only the system administrator must unlock the user in the
repository.
IMPORTANT: You must configure the appropriate settings in your repository for the options to
function appropriately. For Active Directory Domain Services, you must enable the Account
lockout threshold policy on Domain Controllers.
For NetIQ eDirectory, you must configure the Intruder Detection properly.
After a user’s account is locked (not in the repository), you can unlock the user account. To do this,
click Repositories > Edit > Locked Users and click Remove against the user’s account name.

3.8.15 Login Options
In this policy, you can configure the settings to add repositories that are used as default repositories.
Therefore while logging in, you need not prefix the repository name before the username for
authentication.
For example, if pjones is a member of the company repository, then while logging in, instead of
specifying company\pjones, you can specify only pjones.
To add a repository as default, move the repository from Available to Default and click Save.
3.8.16 Logo
This policy allows you to set and customize an image as a logo for the Administration and Self-
Service portal. You can also set an alternate text instead of an image as logo.
To set a logo for the Administration and Self-Service portal, perform the following steps:
1 In the Logo page, set Use image to ON.

2 Specify an alternate text for the image in Image ALT text.
3 Specify the URL that is redirected when you click on the logo.
4 Select an image for the logo. The image resolution must be 230x50 pixels. The supported
formats are .jpg and .png.
5 You can also set a mini logo with an image. This mini logo is displayed when the navigation pane
on the left is collapsed. The image resolution for the mini logo must be 50x50 pixels.
6 Click Save.
NOTE: The logo is applied for all the tenants. A tenant administrator cannot customize the logo.
3.8.17 Logon Filter for AD

In this policy you can configure settings to enable the use of Logon Filter that you must install on all
the Domain Controllers in the domain and configure it. Logon Filter allows you to automatically
update group membership if you login with the Advanced Authentication Windows Client.
To enable the policy, set Enable filter to ON and click Save.
NOTE: Before enabling the policy, you must ensure the Advanced Authentication Logon Filter is
installed on all the Domain Controllers in the domain. Else, you might face problems with password
validation during password synchronization on workstations that have the Windows Client installed.
For information about how to configure Logon Filter, see Configuring Logon Filter.

3.8.18 Mail Sender
In the Mail sender policy, you can configure settings for the Email OTP method to facilitate sending
email messages with one-time passwords to users.
To configure the Mail sender settings, perform the following steps:
1 Specify the following details:

1. Host: The outgoing mail server name. For example, smtp.company.com.
2. Port: The port number. For example, 465.
3. Username: The username of an account that is used to send the authentication email
messages. For example, noreply or [email protected].
4. Password: The password for the specified account.
5. TLS and SSL: The cryptographic protocol used by the mail server.
2 You can test the configurations for the Mail sender policy in the Test section.
2a Specify the email address in E-mail to which you want to send the Email OTP.
2b Specify a message to be sent to the phone in Message.
2c Click Send test message!.
3 Click Save.
Real messaging uses async sender. Ensure that you have configured a chain with the Email
OTP method and assigned it to an event. Login to the Self-Service portal and test the Email
authenticator. If it does not work, click async log.
Authentication Flow
The authentication flow for the Mail sender is described in the following image.
A user wants to authenticate on an endpoint such as a laptop or a website with the Email OTP
method. The following steps describe the authentication flow:
server.
2 The Advanced Authentication server validates the user’s credentials and gets an email address
of the user from a repository.

3 Advanced Authentication server sends the request to a configured mail server to send an email
message with the content that includes a one-time password (OTP) for authentication.
4 Mail server sends the message to the user's email address.
5 Mail server sends the sent signal to the Advanced Authentication server.
6 Advanced Authentication server sends a request to the user to specify an OTP on the endpoint.
7 The user specifies the OTP from the email message. The Advanced Authentication server gets
the OTP.
8 Advanced Authentication server validates the authentication. The authentication is done or
denied.
HTTPS protocol is used for the internal communication.
Access configuration
Advanced Authentication server - Mail Server (SMTP, outbound).
3.8.19 Multitenancy Options

In this policy, you can enable the Multitenancy mode.
A tenant is a company with a group of users sharing common access with specific privileges. The
Multitenancy options policy helps you to create a single instance of Advanced Authentication
solution that supports multiple tenants.
Enable Multitenancy mode to support more than one tenant on a single appliance.
For workstations with Windows Client, Mac OS X Client, or Linux PAM Client installed, you must
perform the following steps before you enable Multitenancy options:
1. Ensure that you have installed Advanced Authentication 5.4 or later Client components.
2. Configure the Clients to point to a tenant.
 For information about how to configure Multitenancy in Windows Client, see Configuration
Settings for Multitenancy.
 For information about how to configure Multitenancy in Mac OS X Client, see Configuration
 For information about how to configure Multitenancy in Linux PAM Client, see Configuration
These steps are critical and if not performed, the users on the workstations cannot login.
IMPORTANT: The Multitenancy options policy is hidden when your license does not have the
Multitenancy feature. To have the policy, you must apply for a license that contains the Multitenancy
feature.

3.8.20 Password Filter for AD
In this policy, you can configure settings to synchronize the password update between the appliance
and Active Directory through the Password Filter. The Password Filter automatically updates the
LDAP Password stored in Advanced Authentication, whenever the password is changed or reset in
the Active Directory. This helps you to authenticate without getting any prompt to synchronize the
password after it is changed or reset.
You can perform the following settings in this policy:
 Set Update password on change to ON to update the LDAP password automatically in

Advanced Authentication when it is changed in the Active Directory. This helps you to
authenticate without getting a prompt to synchronize the password after it is changed.
Set Update password on change to OFF to prompt the user to synchronize the LDAP password
while logging in to Windows when the password is changed in the Active Directory.
 Set Update password on reset to ON to update the LDAP password automatically in Advanced
Authentication when it is it is reset in the Active Directory.This helps users to authenticate without
getting a prompt to synchronize the password if it is reset.
Set Update password on reset to OFF to prompt the user to synchronize the LDAP password
while logging in to Windows when the user's password has been reset in the Active Directory.
NOTE: Endpoint for the Password Filter must be trusted. To do this, perform the following steps:
1 Click Endpoints in the Advanced Authentication Administration portal.

2 Edit an endpoint of the Password Filter.
3 Set Is trusted to ON and add a description.
4 Save the changes.
3.8.21 Public External URLs (Load Balancers)

In this policy, you can set the external URLs used for the Smartphone and Voice methods. You can
specify multiple server URLs for the different sites, which are callback URLs, for the authentication to
happen between the sites.
The following work flow describes the working of this policy in a multi-site environment for the
Smartphone authentication.
1. Smartphone app receives and updates the list of callback URLs during enrollment and in the
background when the Smartphone app starts.
2. When a user opens the Smartphone app, the app sends the request get salt to all callback
URLs.
3. Only one callback URL returns the salt to the Smartphone and this is an Advanced
Authentication server, which initiated the authentication.
4. The Smartphone app sends the user's answer (Accept/Reject) only to this Advanced
Authentication server.
NOTE: A tenant administrator cannot access the Public external URLs policy.

3.8.22 SMS Sender
In this policy, you can configure the settings for the SMS OTP method. The SMS OTP method sends
SMS messages with one-time passwords to the users. Advanced Authentication contains predefined
settings for Twilio and MessageBird services.
The Sender Service consists of the following three options:
 Generic
 Twilio
 MessageBird
To configure SMS sender manually perform the following steps:
1 Select Generic in Sender service.

2 Specify a Service URL value. For example, Clickatell http://api.clickatell.com/http/
sendmsg?.
3 Leave HTTP Basic Auth Username and HTTP Basic Auth Password blank.
4 Select POST from HTTP request method.
5 Click Add and create the following parameters in HTTP request body.
 name: user
value: name of your account
 name: to
value: {phone}
 name: text
value: {message}
 name: api_id, this is a parameter that is issued after addition of an HTTP sub-product to
your Clickatell account. A single account may have multiple API IDs associated with it.
 name: from
value: sender’s phone number
6 Click Add secure and create the following parameter in HTTP request body.
 name: password
value: current password that is set on the account
For more information about the additional parameters for Clickatell, see the Clickatell
documentation.
NOTE: The parameters may differ for different SMS service providers. But the {phone} and
{message} variables are mandatory.
To configure SMS sender settings for Twilio service, perform the following steps:
1 Select Twilio in Sender service.

2 Specify the following details:
 Account sid and Auth token: In Twilio, the Account SID acts as a username and the Auth
Token acts as a password.

 Use Copilot: The copilot option is used to send SMS from a Twilio’s phone number of your
location. This is helpful when SMS messages have to be sent across the geographical
locations. For example, with copilot, SMS will be sent from Indian phone number to the
Indian users. Without copilot, SMS will be sent from US phone number to the Indian users.
For more information on Copilot option and its features, see https://www.twilio.com/
copilot#phone-number-intelligence and https://www.twilio.com/docs/api/rest/sending-
messages-copilot#features.
 Messaging Service SID: Service SID.
 Sender phone: Sender’s phone number.
For more information, see the Twilio website.
To configure SMS sender settings for MessageBird service, perform the following steps:
1 Select MessageBird in Sender service.

2 Specify the Username, Password, and Sender name.
For more information, see the MessageBird website.
IMPORTANT: MessageBird API v2 is not supported. To activate MessageBird API v1, perform the
following steps:
1 Go to the MessageBird account.

2 Click Developers in the left navigation bar and open the API access tab.
3 Click Do you want to use one of our old API's (MessageBird V1, Mollie or Lumata)? Click here.
You can test the configurations for the SMS sender policy in the Test section.
1 Specify the phone number in Phone to which you want to send the SMS OTP.
2 Specify a message to be sent to the phone in Message.
3 Click Send test message!.
4 Click Save.
Real messaging uses async sender. Ensure that you have configured a chain with the SMS
method and assigned it to an event. Then sign-in to the Self-Service portal and test the SMS
authenticator. If it does not work, see the async logs.
Authentication Flow
The authentication flow for the SMS sender in Advanced Authentication is described in the following
image.

A user wants to authenticate on an endpoint such as a laptop or a website with the SMS method. The
following steps describe the authentication flow:
server.
2 The Advanced Authentication server validates the user’s credentials and gets a phone number
of the user from a Repository.
3 Advanced Authentication server sends the request to a configured SMS Service Provider to
send an SMS message with the content that includes a one-time password (OTP) for
authentication.
4 SMS Service Provider sends the SMS message to the user's phone.
5 SMS Service Provider sends the 'sent' signal to the Advanced Authentication server.
6 Advanced Authentication server sends a request to the user to specify an OTP on the endpoint.
7 The user specifies the OTP from the SMS message. The Advanced Authentication server gets
the OTP.
8 Advanced Authentication server then validates the authentication. The authentication is done or
denied.
HTTP/HTTPS protocol is used for the communication.
Advanced Authentication server - SMS Service Provider (HTTP/HTTPS, outbound).
3.8.23 Services Director Options

In this policy, you can configure settings required to integrate with the Services Director.
Perform the following steps to configure this policy:
1 Set Enable integration to ON to enable the integration of Advanced Authentication with Services
Director.
2 Specify the Public DNS name of Advanced Authentication, Services Director DNS Name, Tenant
Admin Name, and Tenant Admin Password of Services Director to integrate it with Advanced
Authentication.

NOTE: You cannot integrate Services Director with Advanced Authentication when the Multitenancy
Options policy is enabled.
3.8.24 SAML 2.0 Options

In this policy, you can configure settings to specify the Identity Provider’s URL and to download the
SAML 2.0 metadata file. The downloaded SAML 2.0 metadata file is used to configure the service
provider.
IMPORTANT: The WebAuth option must be enabled in Server Options before configuring this policy.
For more information about configuring this policy, see “SAML 2.0”.
For information about how to configure Advanced Authentication integration with Salesforce using
SAML 2.0, see “Configuring Integration With Salesforce”.
3.8.25 Voice Sender

In this policy, you can configure the settings for the Voice and Voice OTP methods. Advanced
Authentication supports the Twilio service for the Voice methods.
To configure Voice Sender settings for Twilio service, perform the following steps.
1 Specify the following details in the Voice sender policy:

 Account sid and Auth token: In Twilio, the Account SID acts as a username, and the Auth
Token acts as a password.
 Sender phone: The phone number of the sender.
 Public server url: The public URL to which the Twilio service connects for authentication.
This URL points to the Public External URLs (Load Balancers) policy. You can use http
protocol for testing purpose, but for production environment you must use https protocol.
You must have a valid certificate when you use https.
2 In the Enroll without a phone section, you can configure settings for the user to enroll the Voice
authenticator without a phone number in the repository.
 Set Allow user enrollment without a phone to OFF to ensure that a user does not enroll the
Voice authenticator without a phone. The user gets an error message that you can specify
in Error message.
 Set Allow user enrollment without a phone to ON for the user to enroll the Voice
authenticator without a phone.
3 You can test the configurations for the Voice sender policy in the Test section.
3a Specify the phone number in Phone to which you want to send the Voice OTP.
3b Specify a message to be sent to the phone in Message.
3c Click Send test message!.
4 Click Save.
Real messaging uses async sender. Ensure that you have configured a chain with the Voice
OTP method and assigned it to an event. Then sign-in to the Self-Service portal and test the
Voice authenticator. If it does not work, see the async logs.

IMPORTANT: The users may receive calls with the voice Application error. This happens
because of incorrect settings or invalid certificates. Ensure that the certificate is valid and is not
expired. Invalid certificates cannot be applied by Twilio.
Authentication Flow
The authentication flow for the Voice sender in Advanced Authentication is described in the following
image.
A user wants to authenticate on an endpoint such as a laptop or a website with the Voice Call method.
The following steps describe the authentication flow:
server.
2 The Advanced Authentication server validates the user’s credentials and gets a phone number
of the user from a repository.
3 Advanced Authentication server sends the request to a configured voice call service provider
(Twilio) to call the user.
4 The voice call service provider calls the user.
5 The user picks up the phone, listens to the call, and specifies the PIN followed by the hash (#)
sign.
6 Voice call provider sends the specified PIN to the Advanced Authentication server.
7 Advanced Authentication server then validates the authentication. The authentication is done or
denied.
HTTP/HTTPS protocol is used for the communication.
Advanced Authentication server - Voice Call Service Provider (HTTP/HTTPS, inbound/ outbound).

3.9 Configuring Server Options
This section contains information about the Advanced Authentication server settings. Advanced
Authentication server uses HTTPS protocol. You must create a certificate file that is in the .pem or
.crt, or .pfx format. You must apply the existing SSL certificate on the server.
NOTE: The certificate must not contain any of the encrypted private keys.
IMPORTANT: Smartphone and Voice Call authentication providers work only with a valid SSL
certificate. Self-signed certificate does not work.
To upload an SSL certificate perform the following steps:
1 Log in to the Advanced Authentication Administration portal directly and not through a load
balancer or Access Manager.
2 Click Server Options.
3 Click Browse and select a new SSL certificate. The file must contain both the certificate and the
private key.
Intermediate certificates must also be placed in the certificate file in the .pem or .crt or .pfx
format if they are present.
4 Click Upload.
You can set a custom login page background. It must be a JPEG or PNG image and the
recommended resolution is 1920x774 px, 72 dpi. You must not use backgrounds whose size exceeds
100KB. To apply a custom login page background, perform the following steps:
1. Click Choose File in Login page background.

2. Select the background file.
3. Click Upload to upload and apply the custom background.
4. Click Revert to original to revert the settings to original.
3.9.1 Enabling Web Authentication

Strong Web Authentication is used for OAUTH 2.0 and SAML 2.0 events. By default, WebAuth is
disabled to free some RAM. If you need to use OAuth 2.0 or SAML 2.0, enable WebAuth.
To enable web authentication, perform the following steps:
1. Click Server Options.

2. Click Enable for WebAuth.
3. Click OK.
NOTE: The changes that you do to the WebAuth settings do not replicate to the other servers.

3.9.2 Uploading a Keytab File
The Keytab file option located in Server Options of Advanced Authentication Administration portal
helps you to upload a keytab file. The keytab file contains the encrypted files required for the
Advanced Authentication server to authenticate to the selected Active Directory using Kerberos.
1 Generate a keytab file for Kerberos authentication to the Advanced Authentication server on a
Domain Controller. For information on generating a keytab file, see the website.
Sample command to create the keytab file: ktpass /princ HTTP/[email protected]
/mapuser [email protected] /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set
/pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv
Information about the sample command is as follows:
 HTTP in upper-case is mandatory in the parameter for keytab file. For more information, see
the website.
 aas1 is a server name (according to record in DNS), the domain name is netiq.loc.
 aas1srv is a service account specially created in Active Directory for the Advanced
Authentication server, Q1w2e3r4 is the password.
 The keytab file keytab_aas1srv is created in the folder C:\Temp.
IMPORTANT: If there are multiple Advanced Authentication servers in the cluster, generate a
keytab file for each Advanced Authentication server. Different users must be used for the keytab
file generation for each server.
2 Click Upload to select and upload the keytab file.
NOTE: Keytab file can be removed only when an Active Directory repository is selected in the
Kerberos SSO Options policy.
3.10 Adding a License

To add a license for Advanced Authentication, perform the following steps:
1. Click Licenses.
2. Click Add.
3. Click Browse and select the valid license.
4. Click Upload to upload the license.
A user license is consumed when a user enrolls at least one authenticator through an automatic
enrollment, enrollment by a Helpdesk administrator, or self-enrollment. This is an exception for the
LDAP password, as a license is not consumed for it. An automatic enrollment is done only when a
user performs a first authentication.
TIP: To free up a user's license, perform the following steps:
1 Exclude the user from a group that is assigned to chains.

2 Click Repositories and edit a repository.
3 Click Full sync to perform a full synchronization of the repository.
The existing user's authenticators are removed.

4 Configuring Ports and Firewall
4
IMPORTANT: The Advanced Authentication server uses ports 443 and 80. These ports cannot be
changed.
Advanced Authentication supports port forwarding but it is not recommended. Here, the entire
appliance is available through the internet. It is recommended to use reverse proxy to map only the
specific URLs.
By default, the Advanced Authentication server uses the following RFC standard ports.
Service Port Protocol Usage
REST 443 HTTPS All Communications
Administration portal, 443 HTTPS All Communications (<AAServer>/admin,

Self-Service portal, <AAServer>/account, <AAServer>/helpdesk,
Helpdesk portal, <AAServer>/report)
Reporting portal
Server Update 443 HTTPS Update channel: appliance - update server

(repo.authasas.com)
Database replication 5432: This port is TCP Database replication between DB servers
required only for
the installation of a
new DB Server.
Then the port can
be closed.
Database replication 8080 TCP Database replication between DB servers
DNS 53 TCP, UDP DNS
NTP 123 UDP NTP, used for time synchronization
LDAP 389 TCP, UDP LDAP (if used with repository)
LDAPS 636 TCP,UDP LDAP over TLS/SSL (if used with repository)
Dashboard and 9200 HTTPS Collecting statistics from the Advanced

Reporting portal Authentication servers in the cluster
Configuring Ports and Firewall 91

Advanced Authentication server uses the following ports for the different methods:
Service Port Protocol Usage
RADIUS 1812 TCP, UDP Authentication
RADIUS 1813 TCP, UDP Accounting
E-Mail Service Variable SMTP E-Mail Traffic
Voice Call Service Variable HTTPS All Communications (<AAServer>/twilio/

status, <AAServer>/twilio/gather)
Smartphone Variable HTTPS All Communications (<AAServer>/

smartphone)
Smartphone Push Service 443 HTTPS Communication between AAF and

proxy.authasas.com (push service)
SMS Variable HTTPS Communication to a used SMS service
Swisscom Mobile ID Variable HTTPS Communication to the specified Swisscom

Mobile ID service URL
Voice OTP Service Variable HTTPS All Communications (<AAServer>/twilio/

otp)
IMPORTANT: Any port can be used in case of reverse proxy. For example, https://dnsname:888/
smartphone. A reverse proxy redirect is done from port 888 to port 443 internally to appliance. Port
888 is used from outside, but port 443 is used inside the appliance.
Advanced Authentication uses the following URLs.
URL Used for
Advanced Authentication Server
/static/*, /user/api Web portals
/admin Administration portal
/account Self-Service portal
/helpdesk Helpdesk portal
/report Reporting portal
/api REST API calls
/adfs ADFS plug-in
/osp SAML 2.0, OAUTH 2.0 integrations
/search-card Search Card portal
Smartphone
/smartphone/adddevice/{path}/{enc_dev_id}
/smartphone/confirm/{path}
/smartphone/pushid/{path}

URL Used for
/smartphone/requestsalt/{path}
/smartphone/saltpushid/{path}
/oob/{oob_proc_id:[0-9a-zA-Z-]{3,32}} for Out-Of-Band

authentication
Twilio (SMS, Voice Call, Voice OTP)
/twilio/gather/{proc_id}
/twilio/otp/{proc_id}
/twilio/otp_anon/{tenant_id}/{otp}
/twilio/status/{proc_id}
Configuring Ports and Firewall 93

5 Configuring a Cluster
5
In a production environment, you must use more than one Advanced Authentication server for fault
tolerance, load balancing, and redundancy. In Advanced Authentication, a cluster consists of sites.
Each site is installed in a specific geographical location and contains the following:
 A DB Master server
 One or two DB servers that are used for only backup and fail-over
 Maximum of 6 Web servers without a database that are used in combination with a third-party
load balancer for load balancing.
All these servers handle the authentication requests from clients of the same location. The Advanced
Authentication server that you deploy first gets the Global Master and Server Registrar roles.
 Section 5.1, “Registering a New Site,” on page 96

 Section 5.2, “Registering a New Server,” on page 98
 Section 5.3, “Resolving Conflicts,” on page 99
 Section 5.4, “Installing a Load Balancer for Advanced Authentication Cluster,” on page 100
 Section 5.5, “Determining the Number of Web Servers for Load Balancing,” on page 104
 Section 5.6, “Restoring Operations When a Global Master Server is Broken,” on page 104
To configure an Advanced Authentication cluster, perform the following steps:
1 Click Cluster in the Administration portal.

2 You must create a Global Master. Click Set up Global Master to create a Global Master.
3 Specify the Global site name in Enter name of the site. Renaming not supported. The Global
site name must be in lower case and can contain latin characters, digits, and underscores.
4 Click OK.
In DB servers, the following information about each server in the list is displayed:
 Site: Name of the site.
 Mode: Mode of the server. The options are:
 Global Master
 DB Master
 DB Server-1
 DB Server-2
 Host: IP address of the host.
 Desc: Status of the server. Click the edit icon to add or edit the description.
 Heartbeat: Time of the last ping. Each server is pinged every 5 minutes.
Configuring a Cluster 95
IMPORTANT: Ensure to take regular snapshots of all the DB servers at the same time or to
clone them to protect the environment from any hardware issues or accidental failures. It is
recommended to do this for the following scenarios:
 Each time you change the configuration of repositories, methods, chains, events, and
policies.
 After performing the enrollment.
In large companies, the enrollment can be used on a daily basis as a massive
enrollment. In such scenarios, it is good to create snapshots regularly (it can be
fortnightly or monthly).
 When you are adding or removing servers in the cluster.
 Before you upgrade Advanced Authentication servers in the environment.
You can convert a DB server of the primary site to a Global Master server or a DB server
from the secondary site to a DB Master server of the same site. You must update the DNS
settings after the conversion. If the Global Master and the DB servers from the primary site
are lost, you cannot replace them.
NOTE: All the servers in a cluster must have the same version.
5 Click Register new site if your company is geographically distributed and to deploy a DB Master
server in another site. For information about creating a new site, see Registering a New Site.
6 Click Register new server to register a new server in one of the existing sites. For information
about creating a new site, see Registering a New Server.
If you have configured a cluster and you receive a replication conflict, click Resolving Conflicts.
Performing a Health Check of the Advanced Authentication Servers

You can use REST API to configure third-party tools to perform a health check of the Advanced
Authentication servers.
5.1 Registering a New Site

You must register a new site to deploy Advanced Authentication in a new geographical location. For
example, a cluster has a single site A. To deploy an Advanced Authentication server at site B, you
must register a new Advanced Authentication site. With the registration of the new site, you must
configure a DB Master in the site.
Before registering a new site, ensure that the following requirements are met:
 You have an administrator’s privilege to access the Advanced Authentication Server Registrar.
 You have installed the Advanced Authentication server appliance that has the same version as
the Global Master server. Ensure that you have not configured for a DB server in the new site.
To register a new site and to deploy a DB Master server in the site, perform the following steps:
1 Open the database port <Registrar_host_name>:5432 on your NAT/Firewall.

2 Open the Advanced Authentication Configuration Wizard for a new installed server: https://
<New_Server_host_name>.
3 Select Existing cluster in the first Server Mode.
4 Click Next.

5 Specify the server DNS hostname in My DNS hostname.
WARNING: You must specify a DNS hostname instead of an IP address because appliance
does not support the changing of IP address.
6 Click Next.
7 Specify a password for the LOCAL\admin account.
You may get the error Remote host returned error: Wrong password of key file
(AuError) when you are trying to deploy a DB server on the previous versions of Advanced
Authentication server. You must have Advanced Authentication 5.5-326 or later installed.
8 Click Next.
In Import database information, a message Waiting for Global Master.... is displayed.
9 Goto the Advanced Authentication Administration portal of the Advanced Authentication Server
Registrar.
10 Click Register new site in Cluster.
11 Specify a host name for the new DB server of the new site in Master server host.
TIP: If the new server is behind NAT, you can forward its port 443 on a temporary basis and
specify an external hostname:port. You must close the port after installation.
12 Specify a name of the new site in Site name.

13 Click Register.
After successful registration, a message Success! Continue server install is displayed.
DB Master server is displayed in DB servers, for the newly created site. The record is marked in
red.
14 Go to the new server and click Next.
15 Click Copy.
The server is automatically restarted within 60 seconds after the database completes copying
from a Global Master server.
16 Go to the Advanced Authentication Server Registrar. The newly deployed server is displayed in
DB servers.
NOTE: Each of the DB servers in the list is pinged every 5 minutes. If an issue occurs, the server
is marked in red. To view the details of connectivity issues click View log. To view the replication
issues, click Conflicts.
17 Close the database port <Registrar_host_name>:5432 on your NAT/Firewall.

18 To prevent issues when the Advanced Authentication server from one site communicates to a far
located LDAP Server from another site, perform the following steps:
18a Login to the Administration portal on the DB Master of the new site.
18b Click Repositories.
18c Edit the existing repository.
18d Update the LDAP Servers list.
Remove the LDAP servers that are not located in the site and add only LDAP servers from
the same site.
NOTE: These changes are replicated only within a site.
NOTE
 You must install the new servers one at a time. Simultaneous installations may cause replication
issues.
 The inter-site replication interval is 10 seconds.
5.2 Registering a New Server

You must register a new server to an existing Advanced Authentication site. e.g.
After you create a Global Master (in the primary site) or a DB Master (in the secondary site), you must
deploy DB servers for database backup. For this, you must register a new server or a Web server.
Before registering a new site, ensure that the following requirements are met:
 You have an administrator’s privilege to access the Advanced Authentication Server Registrar.
 You have installed the Advanced Authentication server appliance that has the same version as
the Global Master server. Ensure that you have not configured for a new server.
To deploy a new DB server or a Web server in an existing site, perform the following steps:
1 Open the database port <Registrar_host_name>:5432 on your NAT/Firewall if you are

deploying a DB server.
2 Open the Advanced Authentication Configuration Wizard for a new installed server: https://
<New_Server_host_name>.
3 Select Existing cluster in the first Server Mode.
4 Click Next.
5 Specify the server DNS hostname in My DNS hostname.
WARNING: You must specify a DNS hostname instead of an IP address because appliance
does not support the changing of IP address.
6 Click Next.
7 Specify a password for the LOCAL\admin account.
You may get the error Remote host returned error: Wrong password of key file
(AuError) when you are trying to deploy a DB server on previous versions of Advanced
Authentication server. You must have Advanced Authentication 5.5-326 or later installed.
8 Click Next.
In Import database information, a message Waiting for Global Master.... is displayed.
9 Goto the Advanced Authentication Administration portal of the Advanced Authentication Server
Registrar.
10 Click Register new server in Cluster.
11 Specify the new server's host name in Server host.
TIP: If the new server is behind NAT, you can forward its port 443 on a temporary basis and
enter external hostname:port. You must close the port after installation.

12 Select one of the following servers:
 Web Server: This server does not contain a database. Web server responds to
authentication requests and connects to the DB Master database. You need more Web
servers to serve more workload. You must not deploy more than 5-6 web servers per site.
 DB Server: This server provides a DB Slave database that is used for backup and fail-over.
Two DB Slave servers are allowed within a site. When the DB Master is unavailable, the DB
Slave node responds to the database requests. When the DB Master becomes available
again, the DB Slave node synchronizes with the DB Master and the DB Master becomes
the primary point of contact for database requests again.
NOTE: If you select DB Server, you must copy the database from Global Master. Open database
port <Registrar_host_name>:5432 on your NAT/Firewall. You must close the port after
installation.
13 Select the site in Add server to the site.

14 Click Register.
15 Go to the new server and click Next.
16 If you select DB Server, click Copy in Copy database.
The server is automatically restarted within 60 seconds after the database completes copying
from a Global Master server.
17 If you select DB Server, goto the Advanced Authentication Server Registrar. The newly deployed
server is displayed in DB servers.
NOTE: Each of the DB servers in the list are pinged for every 5 minutes. If an issue occurs, the
server is marked in red. To view the details of connectivity issues click View log. To view the
replication issues, click Conflicts.
18 Close the database port <Registrar_host_name>:5432 on your NAT/Firewall if you have

opened it.
NOTE: You must install the new servers one at a time. Simultaneous installations may cause
replication issues.
5.3 Resolving Conflicts

In Advanced Authentication, conflicts can occur if two servers try to configure the same object. For
example, MasterX and MasterY create a same login chain Visitor. This can lead to a conflict because
both try to send Visitor to each other. If a conflict occurs, the replication between the conflicting
servers stops. Replication uses last-write-wins policy. Conflicts can occur for one of the following
reasons:
 During upgrade when a new server communicates with the old server.
 When two unique objects have been added.
Outgoing conflict indicates an incoming conflict on the destination server. Unique object collision
causes two corresponding conflicts: incoming and outgoing conflicts on both the source and target
servers.
You can resolve the conflict in one of the following ways:
 Simplest way: Click Fix on both the servers.
 Smarter way: Click Fix on a server in one site and click Forget on a server in the other site.
 Possible way: Click Forget outgoing on the servers in both the sites. You can use this method
for UPDATE conflicts. Object changes are lost but will sync on next object change.
 Zero way: Source server automatically re-sends the changes until you forget the outgoing
conflict.
 Purge working tables: This method is used as a last resort. If you see low-level errors in the
replication log, if conflict resolution does not work for you, you may force the replication system
to forget all pending replicas and re-initialize.
Advanced Authentication scans for the replication conflicts, automatically. To resolve the existing
conflicts, in the Cluster section of the Advanced Authentication Server Registrar, click Conflicts. If no
conflicts are detected, only the information is displayed. If there are any conflicts, the details and
controls to resolve the conflicts are displayed. You will get a confirmation request with each action.
The confirmation contain notes that help you to resolve the conflicts.
5.4 Installing a Load Balancer for Advanced

Authentication Cluster
You can install a Load balancer and configure it through a third-party software. The following example
guides you on how to install and configure nginx as a load balancer on Ubuntu 16.04.
NOTE: Advanced Authentication supports DNS round-robin and third-party VIP, but only with Sticky
sessions. The DNS Discovery mechanism is excluded from the workflow. Advanced Authentication
clients are pointed to a load balancer that manages all traffic.
Target configuration:
Hostname IP address Role Operation System
Domain controller win-dc.utopia.locl 192.168.1.56 AD DS, DNS Windows Server 2012

R2
Advanced aaf-clu- 192.168.1.70 Global Master Advanced

Authentication 5.5 gm.utopia.locl Authentication 5.5
Advanced aaf-clu- 192.168.1.71 Slave Advanced

Authentication 5.5 gs.utopia.locl Authentication 5.5
Load balancer llb.utopia.locl 192.168.1.138 Nginx load balancer Ubuntu 16.04
Client windows7v5.utopi 192.168.1.61 AA Client Windows 7 x64

a.locl
Before you start the configuration, ensure that the following requirements are met:
 Repository is configured in Advanced Authentication appliance.

 Both Advanced Authentication servers are installed and configured as Master and Slave.
 Appropriate entries are added to DNS.
 Ubuntu 16.04 is installed.

5.4.1 Installing nginx on Ubuntu 16.04
1 Update repository and install nginx:.
1a apt-get update
1b apt-get install nginx
2 Start nginx and ensure that web server is working.
2a sudo service nginx restart
3 Open your browser and go to the web server http://192.168.1.138.
5.4.2 Configuring nginx

The following load balancing methods are supported in nginx.
 round-robin: The requests to the application servers that are distributed in a round-robin fashion.
 least-connected: Next request assigned to the server with the least number of active
connections.
 ip-hash: A hash-function that is used to determine which server must be selected for the next
request (based on the client’s IP address).
This document describes the ip-hash configuration because the REST queries that are balancing
require sticky-session enabled and ip-hash is a similar mechanism.
In this document, the ip-hash configuration has been described because for the REST queries that
are balancing, the sticky-session must be enabled. The ip-hash has a similar mechanism.
To configure nginx, perform the following steps:
1 Create a backup of the original configuration file by running the following command:
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_original.
NOTE: This configuration file allows to balance REST, Administration, and Self-Service portal
requests.
2 Copy the certificate from any Advanced Authentication server in a cluster from the directory /
etc/nginx/cert.pem to the same directory on a load balancer.
3 Open the nginx.conf file and replace with the following:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
#tcp_nopush on;

#tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE

ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/cert.pem;
ssl_certificate_key /etc/nginx/cert.pem;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/
xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
resolver 192.168.1.56 valid=300s ipv6=off; # ip address of DNS
resolver_timeout 10s;
upstream aaf-clu {
ip_hash; # Type of load balancing mechanism
server aaf-clu-gm.utopia.locl:443; #192.168.1.70:443;
server aaf-clu-gs.utopia.locl:443; #192.168.1.71:443;
}
server {
listen 443 ssl;
# Rule for REST
location ~ ^/user/api/ {

proxy_pass https://aaf-clu$uri?$args;
}
location ~ ^/admin {
}
location ~ ^/static {
}
location ~ ^/helpdesk {
}
location ~ ^/account {
}
location ~ ^/osp/ {
}
}
}
Performing a Health Check of the Advanced Authentication Servers

You can use REST API to configure third-party tools to perform a health check of the Advanced
Authentication servers.
5.4.3 Configuring Advanced Authentication Client

To point the Advanced Authentication client to a load balancer, you must make some changes after
installing the client on a workstation.
1 Install Windows Client. To install Windows Client, see “Installing Windows Client” in the
Advanced Authentication - Windows Client guide.
2 Open the configuration file: C:\ProgramData\NetIQ\Windows Client\config.properties.

3 Set the parameter discovery.host = <IP_address/hostname_loadbalancer>.
This configuration points Advanced Authentication Client to a load balancer that manages the
traffic between the Advanced Authentication server and Advanced Authentication Client (REST
API).
5.5 Determining the Number of Web Servers for Load

Balancing
You need Advanced Authentication Web servers for load balancing. It is not possible to estimate
approximately the number of Web servers required for environments with X users. This is because,
the estimation depends on factors such as the available hardware resources, number of users
authenticating in a peak time, and the chains they authenticate with.
You can determine the optimal number of Web servers only with experimenting. It is recommended to
identify the number of Web servers when the user’s activity is high. For example, when all users start
their workday.
To determine the number of Web servers, perform the following steps:
1 Open the configuration console for the Web servers.

2 Press Alt+F9 to verify the CPU or memory load. If the Web servers are highly loaded during the
peak time, add more Web servers.
3 Press Alt+F12 to verify the number of active connections. If some Web servers are more loaded
than the others, it can be helpful to change weights. For nginx load balancer, you can do it in one
of the following ways.
3a Changing weights:
upstream aucore443 {
server 192.168.108.32:443 weight=1;
server 192.168.108.33:443 weight=2;
server 192.168.108.34:443 weight=2;
}
3b Using least_conn:
upstream aucore443 {
least_conn;
server 192.168.108.32:443;
server 192.168.108.33:443;
server 192.168.108.34:443;
}
5.6 Restoring Operations When a Global Master

Server is Broken
When a GMS (Global Master server) breaks, restore it from backup or a snapshot. If this does not
work, perform the following steps to convert an existing DB server from the same site as GMS to a
new GMS and deploy a new DB server.
You can also use the following instructions to promote a DB server from a secondary site to a new DB
Master of the same site when the current DB Master of the site is broken.

As a pre-requisite, ensure that the GMS is turned off.
1 Open the Advanced Authentication Administration portal on the DB server.

2 Click Cluster.
Wait until you see the Cluster section updated.
3 Click Failover.
4 Open database port 5432 (TCP/UDP) on your NAT/Firewall for a time of conversion.
5 Click Convert to Global Master.
6 Click OK.
7 When you see Cluster again, close the database port.
8 If you have been using the RADIUS server, you must reconfigure the settings.
8a In the Administration portal, click Events and edit the Radius Server event.
8b Check the configuration including the Clients section.
8c Click Save to reconfigure the RADIUS server.
9 Update the DNS so that the DNS name of the lost GMS resolves the IP address of the server
being converted.
IMPORTANT: Do not change the IP addresses of working servers.
10 Update the load balancer configuration if required.

11 Install a new server with an ISO file of the same version as on the new GMS and configure a new
DB server instead of the converted one.
NOTE: If you have two DB servers in the site, you must reinstall the second DB server to get the
latest database.
12 Log in to the Administration portal on Web servers. If you are not able to log in, reboot the Web
servers. If you are still unable to log in, redeploy the Web servers.

6 Enrolling the Authentication Methods
6
Advanced Authentication server supports the following ways to enroll the authentication methods:
 Automatic enrollment: This type of enrollment is used for the SMS, Email, RADIUS, LDAP
Password, and Swisscom Mobile ID methods.
The methods are enrolled automatically if the chains containing them are assigned to any event.
 Enrollment by Administrator: This type of enrollment is used for the OATH Tokens.
An administrator can import tokens from the PSKC or CSV files in the Administration portal >
Methods > OATH OTP > OATH Tokens tab. You can assign tokens to the specific users.
 Enrollment by Helpdesk administrator: This type of enrollment is used by the Helpdesk
administrator.
A Helpdesk administrator can access the Helpdesk portal with the address: https://<NetIQ
Server>/helpdesk. In the Helpdesk portal, the Helpdesk administrator can enroll the
authentication methods for users. A Helpdesk administrator must be a member of the Enroll
Admins group (Repositories > Local > Edit > Global Roles) to manage users' authenticators.
 Enrollment by User: This method is applicable for the users. A user can access the Self-Service
portal with the address: https://<NetIQ Server>/account, where the users can enroll any of
the authentication methods.
Enrolling the Authentication Methods 107

II Configuring Integrations
I
Advanced Authentication facilitates clients to integrate with the third-party solutions using the
following interface.
 OAuth 2.0
 RADIUS Server
 SAML 2.0
 REST API
The information about configuring Advanced Authentication with some of the third party solutions is
as follows:
 Configuring Integration With Barracuda

 Configuring Integration With Citrix NetScaler
 Configuring Integration With Dell SonicWall SRA EX-Virtual Appliance
 Configuring Integration With FortiGate
 Configuring Integration With OpenVPN
 Configuring Integration With Salesforce
 Configuring Integration With ADFS
Configuring Integrations 109

7 OAuth 2.0
7
In OAuth 2.0 authorization, the third-party client requests access to the resources that are controlled
by the resource owner. Instead of using the resource owner's credentials to access the protected
resources, the third-party client obtains an access token. The third-party clients can be web
applications, mobile phones, handheld devices, and desktop applications.
This section contains the following topics:
 Section 7.1, “Building Blocks of OAuth 2.0,” on page 111

 Section 7.2, “Sample OAuth 2.0 Application Integrated with Advanced Authentication,” on
page 114
 Section 7.3, “OAuth 2.0 Attributes,” on page 119
 Section 7.4, “Non Standard Endpoints,” on page 120
7.1 Building Blocks of OAuth 2.0

The following are the building blocks of OAuth 2.0.
 OAuth 2.0 Roles

 OAuth 2.0 Grants
7.1.1 OAuth 2.0 Roles

OAuth 2.0 consists of the following four roles:
 Resource Owner: Entity that grants access to a protected resource. It can be a system or a
person (end-user) owning the resources.
 Resource Server: Server that hosts the protected resources. It accepts and responds to the
protected resource requests using the access tokens.
 Client: Application that requests and get authorization on behalf of the resource owner to access
a protected resource.
 Authorization Server: Server that issues access tokens to the client after the successful
authentication of the resource owner and obtaining authorization.
7.1.2 OAuth 2.0 Grants

By default, Advanced Authentication supports the following OAuth 2.0 grant types. However, if you
require to use the Resource owner password credential grant, you have to enable it using Advanced
Authentication settings. For more information on OAuth 2.0 grant types, see the link (https://
tools.ietf.org/html/rfc6749).
 “Authorization Code” on page 112

 “Implicit Grant” on page 113
OAuth 2.0 111

Authorization Code
In authorization code, an authorization server acts as an intermediary between the client and the
resource owner. Instead of requesting authorization directly from the resource owner, the client
directs the resource owner to an authorization server, which in turn directs the resource owner back
to the client with the authorization code.
The authorization grant type depends on the method used by the application to request authorization,
and the grant types supported by the API.
The following diagram describes the workflow of authorization code grant.
The workflow for authorization code includes the following steps:
1. The OAuth client initiates the flow when it directs the user agent of the resource owner to the
authorization endpoint. The OAuth client includes its client identifier, requested scope, local
state, and a redirection URI.
2. The authorization server authenticates the resource owner through the user agent and
recognizes whether the resource owner grants or denies the access request.
3. If the resource owner grants access, the OAuth client uses the redirection URI provided earlier to
redirect the user agent back to the OAuth client. The redirection URI includes an authorization
code and any local state previously provided by the OAuth client.
4. The OAuth client requests an access token from the authorization server through the token
endpoint. The OAuth client authenticates with its client credentials and includes the authorization
code received in the previous step. The OAuth client also includes the redirection URI used to
obtain the authorization code for verification.
5. The authorization server validates the client credentials and the authorization code. The server
also ensures that the redirection URI received matches the URI used to redirect the client in Step
3. If valid, the authorization server responds back with an access token.

Implicit Grant
The implicit grant is similar to the authorization code grant with two distinct differences.
 It is used for user-agent-based clients. For example, single page web apps that cannot keep a
client secret because all the application code and storage is easily accessible.
 Secondly, instead of the authorization server returning an authorization code which is exchanged
for an access token, the authorization server returns an access token.
The following diagram describes the workflow of Impicit grant.
The workflow for implicit grant includes the following steps:
1. The OAuth client initiates the flow by directing the user agent of the resource owner to the
authorization endpoint. The OAuth client includes its client identifier, requested scope, local
state, and a redirection URI. The authorization server sends the user agent back to the
redirection URI after access is granted or denied.
2. The authorization server authenticates the resource owner through the user agent and verifies
whether the resource owner grants or denies the access request.
3. If the resource owner grants access, the authorization server redirects the user agent back to the
client using the redirection URI provided earlier. The redirection URI includes the access token in
the URI fragment.
4. The user agent follows the redirection instructions by making a request to the web server without
the fragment. The user agent retains the fragment information locally.
OAuth 2.0 113

5. The web server returns a web page, which is typically an HTML document with an embedded
script. The web page accesses the full redirection URI including the fragment retained by the
user agent. It can also extract the access token and other parameters contained in the fragment.
6. The user agent runs the script provided by the web server locally, which extracts the access
token and passes it to the client.
7.2 Sample OAuth 2.0 Application Integrated with

Advanced Authentication
To create a sample web application, you need Python v3 (the sample script prepared on v3.4.3).
The following web application describes the functionalities supported when Advanced Authentication
is integrated with OAuth 2.0. OAuth 2.0 server is an authorization and resource server. As an
Authorization Server, the OAuth server can prompt the users to go through authentication chains and
as a resource server, the OAuth server can prompt the users to provide user details.
You must create the following five files:
1. Sample script (oauth2_test.py)
from bottle import Bottle, request, run, redirect, SimpleTemplate, template

from urllib.parse import urlparse, urlunparse, urlencode,quote
import urllib.request
import base64
import ssl
import json
app = Bottle()
client_id = 'id-rSCzuBLQgXCATfkXZ4fsedAo8sPsWxSs'
client_secret = 'secret-91DpzWFD26RriURR7KJ1pryFx7V9QeDm'
redirect_uri = 'http://localhost:8088/' # this app callback URI
authorization_endpoint = 'https://192.168.0.151/osp/a/TOP/auth/oauth2/grant'
attributes_endpoint = 'https://192.168.0.151/osp/a/TOP/auth/oauth2/
getattributes'
state = {}
@app.get('/getattr')
def get_attributes():
params = urlencode({
'attributes': 'client username userRepository user_dn user_cn mail sid
upn netbiosName',
'access_token': state['access_token']
})
url = attributes_endpoint + '?' + params
print('getattr url: {}\n'.format(url))
req = urllib.request.Request(url)
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # avoid cert checking
with urllib.request.urlopen(req, context=gcontext) as response: # perform
GET request and read response
rsp = response.read()
attributes = json.loads(rsp.decode('utf-8'))
return template('attributes.html', items=attributes.items(),
refresh_token=urllib.parse.quote(state['refresh_token']))
@app.get('/')

def do_get():
code = request.query.get('code')
if code:
# got code from OAuth 2 authentication server
token = get_token_code(code)
state.update(token)
return template('token.html', items=token.items(),
refresh_token=urllib.parse.quote(token['refresh_token']))
else:
return template('main.html')
@app.get('/logon')
def do_logon():
pr=list(urlparse(authorization_endpoint))
# set query
pr[4]=urlencode({
'response_type': 'code',
'client_id': client_id,
'redirect_uri': redirect_uri
})
# perform redirection to OAuth 2 authentication server
redirect(urlunparse(pr))
@app.get('/logon-implicit')
def do_logon_implicit():
# parse authorization_endpoint URL
pr = list(urlparse(authorization_endpoint))
# set query
pr[4] = urlencode({
'response_type': 'token',
'client_id': client_id,
})
# perform redirection to OAuth 2 authentication server
redirect(urlunparse(pr))
@app.get('/logon-creds')
def do_logon_creds():
return template('logonform.html')
@app.post('/logon-creds')
def do_logon_creds_post():
username = request.forms.get('username')
password = request.forms.get('password')
token = get_token_password(username, password)
state.update(token)
refresh_token=urllib.parse.quote(token['refresh_token']))
def get_token_password(username, password):

# prepare POST parameters - encode them to urlencoded
data = urlencode({
'grant_type': 'password',
'username': username,
'password': password
})
data = data.encode('ascii') # data should be bytes
resp_text = post_data(data, prepare_headers())
print(resp_text)
return json.loads(resp_text)
OAuth 2.0 115

@app.get('/refresh')
def do_refresh():
token = refresh_access_token(request.query.get('refresh_token'))
state.update(token)
refresh_token=state.get('refresh_token', ''))
def get_token_code(code):
data = urlencode({
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': redirect_uri
})
print(resp_text)
def refresh_access_token(refresh_token):
print('refresh_token: {}'.format(refresh_token))
data = urlencode({
'grant_type': 'refresh_token',
'refresh_token': refresh_token,
})
print(resp_text)
def prepare_headers(use_content_type_hdr = True):

hdrs = {
'Authorization': 'Basic {}'.format(base64.b64encode(
'{}:{}'.format(quote(client_id, safe=''), quote(client_secret,
safe='')).encode('ascii')).decode(
'ascii')),
}
if use_content_type_hdr:
hdrs.update({'Content-type': 'application/x-www-form-urlencoded'})
return hdrs
def post_data(data, headers):

print('post_data\nheaders:\n{}\ndata:\n{}'.format(headers, data))
req = urllib.request.Request(authorization_endpoint, data, headers)
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # avoid cert checking
with urllib.request.urlopen(req, context=gcontext) as response: # perform
POST request and read response
rsp = response.read()
return rsp.decode('utf-8')
run(app, host='0.0.0.0', port=8088)
NOTE: In the script, you must change the values for client_id, client_secret, and Advanced
Authentication server address in authorization_endpoint and attributes_endpoint (lines
10-14).

2. Main menu (main.html)
<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="UTF-8">
<title></title>
<script type="text/javascript">
//<![CDATA[
function getHashParam(name) {
var hash = window.location.hash;
if (hash) {
if (name = (new RegExp('[#&]' + encodeURIComponent(name) +
'=([^&]*)')).exec(hash))
return decodeURIComponent(name[1]);
}
}
function showResult() {
if (window.location.hash) {
document.getElementById('result').innerHTML = '<table
border="1">'+
'<tr><td>access_token</
td><td>'+getHashParam('access_token')+'</td></tr>'+
'<tr><td>token_type</
td><td>'+getHashParam('token_type')+'</td></tr>'+
'<tr><td>expires_in</
td><td>'+getHashParam('expires_in')+'</td></tr>'+
'</table>';
} else {
document.getElementById('result').innerHTML = 'Implicit
granted token is not found';
}
}
// ]]>
</script>
</head>
<body onload="showResult();">
<div id="result">result</div><br/>
<br/>
Click <a href="/logon">here</a> to obtain an authentication token through
Authorization Code Grant<br/>
Click <a href="/logon-implicit">here</a> to obtain an authentication token
through Implicit Grant (the token will be received in hash part of THIS
page)<br/>
Click <a href="/logon-creds">here</a> to obtain an authentication token through
Resource Owner Password Credentials Grant<br/>
</body>
</html>
3. Token information (token.html)
OAuth 2.0 117

<!DOCTYPE html>
<html>
<head lang="en">
<title></title>
</head>
<body>
Token<br/>
<table border="1">
% for k, v in items:
<tr>
<td>{{k}}</td>
<td>{{v}}</td>
</tr>
% end
</table>
<br/>
<a href="/getattr">Get attributes</a><br/>
<a href="/refresh?refresh_token={{refresh_token}}">Refresh token</a>
</body>
</html>
4. Attributes information (attributes.html)
<!DOCTYPE html>
<html>
<head lang="en">
<title></title>
</head>
<body>
Attributes<br/>
<table border="1">
% for k, v in items:
<tr>
<td>{{k}}</td>
<td>{{v}}</td>
</tr>
% end
</table>
<br/>
<a href="/refresh?refresh_token={{refresh_token}}">Refresh token</a>
</body>
</html>
5. Logon form for Resource Owner Password Credentials Grant mode (logonform.html)
<!DOCTYPE html>
<html>
<head lang="en">
<title></title>
</head>
<body>
<form method="post" action="/logon-creds">
User name: <input type="text" name="username"><br/>
Password: <input type="password" name="password"><br/>
<input type="submit">
</form>
</body>
</html>

7.2.1 Running the Sample Web Application
Perform the following steps to run the sample web application.
1 Run the script python oauth2_test.py.

2 Open the URL http://localhost:8088.
A message is displayed with the following modes:
Authorization Code Grant

Implicit Grant (the token will be received in hash part of THIS page)
Resource Owner Password Credentials Grant (is not supported by default but it
can be activated in AAF)
3 Select the grant based on your requirement.

 Authorization Code Grant
1. Ensure that Use for Owner Password Credentials is set to OFF in the Advanced
settings section for the OAuth 2.0 event.
2. Click the first link.
The NetIQ Access page is displayed with the user name request.
3. Specify the Username.
4. Click Next.
5. Authenticate using all required methods of the chain.
The result page shows the access_token, token_type and expires_in.
 Click Get attributes to look at the attributes.
 Click Refresh token to refresh token. The access_token value is updated.
 Implicit Grant
1. Ensure that Use for Owner Password Credentials is set to OFF in the Advanced
settings section for the OAUTH 2.0 event.
2. Click the first link.
The NetIQ Access page is displayed with the user name request.
3. Specify the Username.
4. Click Next.
5. Authenticate using all the required methods of the chain.
The result page shows the access_token, token_type and expires_in.
 Resource Owner Password Credentials Grant
1. Open Advanced settings for the OAUTH 2.0 event.
2. Set Use for Owner Password Credentials to ON.
3. Click the third link.
A request for Username and Password is displayed.
4. Specify the username and password, then click Submit.
The result page displays the access_token, token_type, and expires_in.
7.3 OAuth 2.0 Attributes

The following table displays the OAuth 2.0 attributes for a test user from the Active Directory.
OAuth 2.0 119

Attribute Value
user_name pjones
repository_name TESTCOMPANY
naafUserSID S-1-5-21-3320677580-2179873152-1514081409-1103
naafUserDN CN=Paul
Jones,CN=Users,DC=testcompany,DC=local
naafUserCN Paul Jones
naafUserUPN [email protected]
naafUsernameNetBIOS TESTCOMPANY\pjones
client id-0TRljvJEe3qKwJiXvy3IbjvcixfiiY1Q
naafUserEmail [email protected]
The following table displays the OAuth 2.0 attributes for a local user.
Attribute Value
user_name ADMIN
repository_name LOCAL
client id-0TRljvJEe3qKwJiXvy3IbjvcixfiiY1Q
The client attribute is a Client ID specified in the OAuth 2.0 settings.
7.4 Non Standard Endpoints

OSP provides a non-standard OAuth 2.0 endpoint for signing additional data that can be passed
during the grant request. The URL of the sign endpoint is: https://<serverip>/osp/a/TOP/auth/
oauth2/sign.
The sign endpoint helps to create a signed and encrypted data packet that can be used to supply data
to other endpoints. For more information, see the Sign class documentation.
The only endpoint with which the signed data is currently used is the grant endpoint when it is used
with the authorization code grant and implicit grant types.
The signed data can be used to supply one or both of the following:
 Username: Supplying the username for a client application is useful when you already know the
username.
 Advanced Authentication chain: An Advanced Authentication server (5.6 or later) can be used
to supply one or more additional authentication factors by authenticating with Advanced
Authentication OAuth 2.0 for a user who is already authenticated. The username and name of
the desired authentication chain containing the factor(s) is supplied.
You must be able to resolve username in an Advanced Authentication repository and you must
configure the chain in the Advanced Authentication event for the OAuth 2.0 client used.
Submitting the Data

The sign endpoint is used by submitting a string value to the endpoint. The output is returned in a
JSON structure.The output can be used with the grant endpoint with the parameters attribute.
You can accomplish OAuth 2.0 client authentication with HTTP Basic or Bearer authorization header
value.
Request parameters
 data (required): The data to be signed and encrypted.
See OAuth2Constants.OAUTHX_REQUEST_PARAM_DATA.
 ttl (optional): The time-to-live period of the result data in milliseconds. If no value is supplied,
then the default value of 30 seconds is used.
OAuth 2.0 121

8 RADIUS Server
8
The Advanced Authentication server provides a built-in RADIUS server that can authenticate any
RADIUS client using one of the chains configured for the event.
IMPORTANT
 The built-in RADIUS server supports only the PAP method.

 The RADIUS server supports all authentication methods except Card, FIDO U2F, Notaris ID,
Fingerprint, and PKI methods.
 By design, Advanced Authentication does not support the single-factor authentication with a
Smartphone method for RADIUS. It is recommended to use it in a two-factor chain with the
LDAP Password method.
To configure an authentication event for RADIUS, perform the following steps:
1 Click Events.
2 Click Edit next to the Radius Server event.
3 Ensure that Is enabled is set to ON.
4 Select the chains that you want to assign to the event.
5 Select Radius from Endpoint whitelist.
6 Click Add to add and assign a RADIUS Client to the event:
6a Specify the IP address of the RADIUS Client in IP Address.
6b Specify the RADIUS Client name in Name.
6c Specify the RADIUS Client secret and confirm the secret.
6d Ensure that the RADIUS Client is set to ON.
6e Click next to the RADIUS Client.

6f Add more RADIUS Clients if required.
7 Specify NAS ID of the RADIUS Client.
NOTE: It is mandatory to specify NAS ID for new RADIUS event but not for the default RADIUS
server event.
9 Click Save.
RADIUS Server 123

IMPORTANT: If you use more than one chain with the RADIUS server, follow one of the following
ways:
1. Each chain assigned to the RADIUS event may be assigned to a different LDAP group. For
example, LDAP Password+Smartphone chain is assigned to a Smartphone users group, LDAP
Password+HOTP chain is assigned to a HOTP users group. If a RADIUS user is a member of
both groups, the top group is used.
2. You can use the RADIUS authentication using any chain when entering <username>&<chain
shortname> in username. For example, pjones&sms. Ensure that you have the short names
specified for the chains. You cannot use this option in your RADIUS client (similar to FortiGate).
3. By default, the top chain specified in the Radius Server event in which all the methods are
enrolled is used. But, you can authenticate with the RADIUS authentication using another chain
from the list when specifying <username>&<chain shortname> in username. For example,
pjones&sms. Ensure that you have specified the short names for chains. Advanced
Authentication does not support this option for some RADIUS clients such as FortiGate.
NOTE: If you use the LDAP Password+Smartphone chain, you can use an offline authentication by
specifying the following the password in the <LDAP Password>&<Smartphone OTP> format. For
example, Q1w2e3r4&512385. This option is supported for LDAP Password+OATH TOTP,
Password+Smartphone, Password+OATH TOTP, Password+OATH HOTP.
Challenge-Response Authentication
If you have configured a multi-factor chain such as LDAP Password&SMS OTP or any other
combination chain, some users (during the authentication) might not be able to specify the
<Password>&<OTP> in a single line (because of the Password length limit in RADIUS). In this case,
you can configure the existing RADIUS Client by performing the following steps:
1. Specify an LDAP password in Password and send the authentication request.
Advanced Authentication server returns the access-challenge response with State=<some

value> (example: State=WWKNNLTTBxP6QYfiZIpvscyt7RYrYsGag4h8s0Rh8R) and Reply-
Message=SMS OTP. You will receive an SMS with a one-time password on the registered mobile.
2. Specify the OTP in Password and add an additional RADIUS attribute with State=<value>
where, value is the value that is obtained in step 1.
3. Send the authentication request.
When you enable Multitenancy, you can use one of the following formats to represent the user name:
 <repository_name>\<username>
 <tenant_name>\<repository_name>\<username>
 <username>@<tenant_name>
 <repository_name>\<username>@<tenant_name>
Advanced Authentication stores the RADIUS event settings only on a server where the administrator
performs the configuration (typically this is the DB Master server). After the DB Slave server is
converted to DB Master server, the configuration may be lost. Goto the Radius Server event settings
and click Save to apply the configuration.
The following are the examples of integration with a RADIUS Server:
 Configuring Integration With Barracuda

 Configuring Integration With Citrix NetScaler

 Configuring Integration With Dell SonicWall SRA EX-Virtual Appliance
 Configuring Integration With FortiGate
 Configuring Integration With OpenVPN
RADIUS Server 125

9 SAML 2.0
9
SAML 2.0 is an XML-based protocol that uses security tokens containing assertions. The assertions
are used for sending the information about a subject (an entity that is often a human user) from a
SAML authority (Identity Provider) to a SAML consumer (Service Provider).
To integrate Advanced Authentication with the third-party solutions using SAML 2.0, perform the
following steps
1 Click Server Options in the Advanced Authentication Administration portal.

2 : Enable the WebAuth option and confirm the selection.
NOTE: You must enable the WebAuth option separately for each server where ever required.

4 Specify a name for the new event.
5 Change the Event type to SAML2.
6 Select the required chains for the event.
7 (Conditional) If you require Geo-fencing, enable Geo-fencing.
NOTE: Geo-fencing can be enabled only for the Smartphone method.
8 Copy and paste your Service Provider's SAML 2.0 metadata to SP SAML 2.0 metadata.
OR
Click Browse and select a Service Provider's SAML 2.0 metadata XML file to upload it.
9 Click Policies > SAML 2.0 options.
10 (Conditional) If required in External URL, specify the Identity Provider’s URL.
11 Click Download IdP SAML 2.0 Metadata to open a metadata.The metadata opens in a new
browser page.
12 Save the metadata (XML text) from the browser.
13 (Conditional) If required, use the downloaded metadata file in your Service Provider.
14 (Conditional) If required, use the Identity Provider certificate in your Service Provider.
SAML 2.0 127

-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIESsmdMzANBgkqhkiG9w0BAQsFADB6MRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMBAG
A1UECxMJQXV0aGFzYXNhMRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwHhcNMTYwNTI2MDUz
NjI0WhcNMjYwNDA0MDUzNjI0WjB6MRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3du
MRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMBAGA1UECxMJQXV0aGFzYXNh
MRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCw3YLz03qhSZPXjBc/Ws+cZ2/E5oogqKeJ3p4RR6USOoarjnmvQPq+maRfvexriwQjRDgS
OFRb58cert/misqzsHBVmQDnfMwicFVzuuKjDEbWFp9vL1gRkDzIlpCyl3eNmBWuWXM49Z6mm8XS
fIwlAoydNp5DK0o0Yrk6FNOi0nOrnI5kHGVD0bd5SpDtvXSF1WLfc5YT9UBUpfZneKsVPWSkbeBX
F84hYJWBtdzcTEyjdso9Ra7UtxLIUW0UH3LWTgn9zS97nLkmhetmD1I3mEAeAE9SAmqTRyH1FNXZ
ZOfi/BJF4+sz86f6pBbwYM2KTvXaABgzSpZpJ1pQrZKPAgMBAAGjITAfMB0GA1UdDgQWBBTL8PbA
+e6YkBIk4yELTZ+AbfdA6DANBgkqhkiG9w0BAQsFAAOCAQEAm87lNyAO8CtN5jlLe3CupLAAbUWR
NY6av7LpPail1JRIw+uvddMyOz1vOS1IwpDDNtcPtxGXsaZI1CKgNPBpLvSxePVUXNfFgUCtu+bT
cuUtiQbkiDWwFLmAS6KeA+EBFOeqBiudEfkAZZT87DF9gKvM6VWdzJ7BvWi2YPbH/FRM82fLoyAd
RbphF215we3rvsfeWbwXw70UGNyBUTb3zUcAmB3sHbcZiXJZj3pJYgDaN9Ss60sz/yG1ZLEYluvL
R1T2PPEfEcA1Eij0R1A31Z5hJ3zDlXoCeNYLoMg4522QYekTwvQeWkeYejBXEcxdL7VP6F91zmfZ
bm1A4PY5jw==
-----END CERTIFICATE-----
15 Change used hash to SHA-1 in your Service Provider, if the option is presented.
The following are the examples of integration with SAML 2.0.
 Configuring Integration With Salesforce

 Configuring Integration With ADFS

10 Examples of Integrations
10
This chapter contains the following examples of third- party integrations.
 Section 10.1, “Configuring Integration With Barracuda,” on page 129

 Section 10.2, “Configuring Integration With Citrix NetScaler,” on page 131
 Section 10.3, “Configuring Integration With Dell SonicWall SRA EX-Virtual Appliance,” on
page 132
 Section 10.4, “Configuring Integration With FortiGate,” on page 134
 Section 10.5, “Configuring Integration With OpenVPN,” on page 135
 Section 10.6, “Configuring Integration With Palo Alto GlobalProtect Gateway,” on page 137
 Section 10.7, “Configuring Integration With Salesforce,” on page 138
 Section 10.8, “Configuring Integration With ADFS,” on page 140
 Section 10.9, “Configuring Integration With Google G Suite,” on page 142
10.1 Configuring Integration With Barracuda

The instructions in this section will help you to configure the integration of Advanced Authentication
with the Barracuda SSL VPN virtual appliance to prevent insecure passwords in Barracuda SSL VPN
connection.
The following diagram represents Advanced Authentication in Barracuda SSL VPN.
To configure the Advanced Authentication integration with Barracuda SSL VPN, perform the following
steps.
Examples of Integrations 129

Configure the Advanced Authentication RADIUS server:
1 Open the Advanced Authentication Administration portal.
2 Click Events.
3 Open the properties of the Radius Server event.
4 Set the Radius Server event to ON.
5 Select one or more chains from Used chains (ensure that they are enabled and set to the users
group in the Chains section).
6 Click Client > Add.
7 Specify an IP address of the Barracuda SSL VPN appliance.
8 Specify a secret and confirm it.
9 Set Enabled to ON.
10 Click Save in Client.
11 Click Save in Events.
Configure the Barracuda SSL VPN Appliance:

1 Sign-in to the Barracuda SSL VPN Configuration portal as ssladmin.
2 Click Access Control > Configuration.
3 Scroll down to RADIUS.

4 Specify an Advanced Authentication appliance IP address in RADIUS Server.
5 Specify a shared secret in Shared Secret.
6 Set Authentication Method to PAP.
7 Set Reject Challenge to No to allow challenge response.
8 Click Save Changes.
9 Click Access Control > User Databases.
10 Create a User Database using the same storage as you are using for Advanced Authentication.
11 Click Access Control > Authentication Schemes.
12 Click Edit for the Password scheme for the User Database.
13 Move RADIUS from Available modules to Selected modules.
14 Remove the Password module from the Selected modules.
15 Apply the changes.
Authenticate in Barracuda SSL VPN Using Advanced Authentication

1 Specify the user’s credentials.
2 Click More and select the configured User Database (if the database is not selected by default).
3 Click Log In and approve the authentication on the user’s smartphone.

NOTE: Advanced Authentication can be configured with the other authentication chains.
10.2 Configuring Integration With Citrix NetScaler

with the Citrix NetScaler VPX to prevent insecure passwords.
The following diagram represents Advanced Authentication in Citrix NetScaler.
Ensure that the following requirements are met:
 Citrix NetScaler VPX (version NS11.0 has been used to prepare these instructions) is installed.
 Advanced Authentication 5 appliance is installed.

2 Click Events.
7 Specify an IP address of the Citrix NetScaler appliance.

Configure the Citrix NetScaler Appliance:
1 Sign-in to the Citrix NetScaler configuration portal as nsroot.
2 Click Configuration > Authentication > Dashboard.
3 Click Add.
4 Select RADIUS from Choose Server Type.
5 Specify the Name of the Advanced Authentication server, the IP Address, Secret Key, and
Confirm Secret Key.
6 Change Time-out (seconds) to 120-180 seconds if you are using the Smartphone, SMS, Email
or Voice methods.
7 Click More and ensure that pap is selected in Password Encoding.
8 Click Create. If the connection to the RADIUS server is valid, the Up status is displayed.
9 Click Configuration > System > Authentication > RADIUS > Policy.
10 Click Add.
11 Specify Name of the Authentication RADIUS Policy.
12 Select the created RADIUS server from Server and select ns_true from the Saved Policy
Expressions list.
13 Click Create.
14 Select the created policy and click Global Bindings.
15 Click Select Policy.
16 Select the created policy.
17 Click Bind.
18 Click Done.
A check mark is displayed in the Globally Bound column.
Authenticate in Citrix NetScaler Using Advanced Authentication

1 Specify the user’s credentials and click Login.
2 Accept the authentication on your smartphone.
NOTE: Advanced Authentication can be configured with other authentication chains.
10.3 Configuring Integration With Dell SonicWall SRA

EX-Virtual Appliance
with the Dell SonicWall SRA EX-virtual appliance to prevent insecure passwords in the Dell SonicWall
SRA connection.
The following diagram represents Advanced Authentication in Dell SonicWall.

 Dell SonicWall SRA EX-Virtual appliance v11.2.0-258 is installed.

 Advanced Authentication v5 appliance is installed.

2 Click Events.
7 Specify an IP address of the Dell SonicWall appliance.
Configure the Dell SonicWall SRA Appliance:

1. Sign-in to the Dell SonicWall SRA Management console as admin.
2. Click User Access > Realms.
3. Create New realm.
4. Create a New Authentication Server and set the Radius authentication directory.
5. Set Radius Server and Shared key.
6. Save and apply the configuration.
7. Click User Access > Realms. Review the realm diagram.

Authenticate in Dell SonicWall Workspace Using Advanced Authentication
1 Open a browser and go to the workplace.
2 Specify your username and ldap password.
3 Specify the SMS OTP and click OK.
10.4 Configuring Integration With FortiGate

with the FortiGate appliance to prevent insecure passwords in the FortiGate connection.
The following diagram represents Advanced Authentication in FortiGate.
 Fortinet FortiGate virtual appliance v5 (Firmware version 5.2.5, build 8542 has been used to
prepare these instructions) is installed.
 Advanced Authentication v5 appliance is installed.
Configure the Advanced Authentication RADIUS Server

2 Click Events.
7 Specify an IP address of the FortiGate appliance.

Configure the FortiGate Appliance
1. Sign-in to FortiGate configuration portal as admin.
2. Check which Virtual Domain is bound to the network interface.
3. Open the RADIUS Server configuration for an appropriate Virtual Domain and setup the required
settings.
4. Click Test Connectivity and specify the credentials of Advanced Authentication administrator to
test the connection.
5. Create a user group and bind it to remote authentication server.
6. Create user and place in the created group.
Authenticate in FortiGate Using Advanced Authentication

1 Specify the user’s credentials and click Login.
2 Specify the OTP and click Login.
NOTE: The Token Code field has a limitation of 16 digits. Hence you may face issues when using the
YubiKey tokens that enters 18-20 digits code.
10.5 Configuring Integration With OpenVPN

with the OpenVPN virtual appliance to prevent insecure passwords in the OpenVPN connection.
The following diagram represents Advanced Authentication in OpenVPN.
 OpenVPN v2 appliance (version 2.0.10 was used to prepare these instructions) is installed.
 Advanced Authentication v5 appliance with a configured repository is installed.

Configure the Advanced Authentication RADIUS Server
2 Click Events.
7 Specify an IP address of the OpenVPN appliance.
Configure the OpenVPN Appliance

1 Open the OpenVPN Access Server site.
2 Go to Authentication > RADIUS.
3 Enable the RADIUS authentication.
4 Select PAP authentication method.
5 Add an IP address of the Advanced Authentication v5 appliance and specify the secret.
You must specify the <repository name>\<username> or only <username>, if:
 You have selected a chain from the Used section in the Radius Server settings for connecting to
OpenVPN.
 You have set the default repository name in Policies > Login options of the Advanced
Authentication v5 appliance.
You must specify a Short name of the chain in the username after the <username> and space (you
can specify the Short name in the Chains section of the Advanced Authentication v5 appliance), if:
 You have selected multiple chains from the Used section for connecting to OpenVPN.
NOTE: Some of the authentication methods require a correct time on the OpenVPN appliance. You
can sync the time of the OpenVPN appliance using the following commands:
/etc/init.d/ntp stop
/usr/sbin/ntpdate pool.ntp.org
User Account Locks After Three Successful Authentications with SMS AP to

OpenVPN
Issue: While using the SMS authentication method to connect to OpenVPN, after three successful
authentications, the user account is locked by the OpenVPN.
Workaround: OpenVPN assumes each attempt of the challenge response (request of additional
data in chain) as an error.

To resolve the issue, you must change the number of failures that can be accepted. For more
information, see the Authentication failure lockout policy.
10.6 Configuring Integration With Palo Alto

GlobalProtect Gateway
with the Palo Alto GlobalProtect Gateway to prevent insecure passwords.
 Section 10.6.1, “Adding the RADIUS Server,” on page 137

 Section 10.6.2, “Adding an Authentication Profile,” on page 137
 Section 10.6.3, “Configuring GlobalProtect Gateway,” on page 137
NOTE: This configuration has been tested with PAN-OS 6.1.5 to 7.1.x and GlobalProtect 2.1x.
10.6.1 Adding the RADIUS Server

1 Log in to the Palo Alto administrative interface.
2 Click Device > Server Profiles > RADIUS.
3 Click Add to add a new RADIUS server profile.
4 Specify NetIQ RADIUS in Name, and in Timeout specify 30.
5 In the Servers section, click Add to add a RADIUS server, and specify the following information:
 Profile Name
 Set Timeout and Retries in Server Settings
 Details in the Servers section
6 Click Add and configure a connection to the RADIUS server built-in to the Advanced
7 Click OK.
10.6.2 Adding an Authentication Profile

1 Click Device > Authentication Profile.
2 Click New to add a new authentication profile.
3 Specify the Authentication Profile details such as the server type, User Domain.
10.6.3 Configuring GlobalProtect Gateway

1 Click Network > GlobalProtect > Gateways.
2 Click on your configured GlobalProtect Gateway to open the properties window.
3 In the Authentication section of the GlobalProtect Gateway General properties tab, select the
NetIQ authentication profile created in Add an Authentication Profile from the list.
4 Click OK to save the GlobalProtect Gateway settings.

10.7 Configuring Integration With Salesforce
with the Salesforce to prevent insecure passwords in the Salesforce connection.
The following diagram represents Advanced Authentication in Salesforce.
Perform the following steps to configure the integration of Advanced Authentication appliance with
Salesforce using SAML 2.0:
1 Login to your Salesforce account.

2 Create a domain, if the domain is not created.
2a Click Gear and select Setup Home in the Lightning Experience interface.
2b Scroll down the Setup toolbar and navigate to Company Settings.
2c Click My Domain.
2d Specify your own domain name and click Save. The domain is activated. Use your domain
name to open Salesforce. For example, https://CompanyName.my.salesforce.com/.
SAML provider requires the domain name.
3 Configure the SAML provider.
3a Click Settings > Identity > Single Sign-On Settings.
3b Create a new text file and add the Identity Provider Certificate to the file.
MIIDkzCCAnugAwIBAgIESsmdMzANBgkqhkiG9w0BAQsFADB6MRAwDgYDVQQGEwdVbmtub3duMR
Aw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMB
AG
A1UECxMJQXV0aGFzYXNhMRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwHhcNMTYwNTI2MD
Uz
NjI0WhcNMjYwNDA0MDUzNjI0WjB6MRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3
du
MRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMBAGA1UECxMJQXV0aGFzYX
Nh
MRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwgg
EK
AoIBAQCw3YLz03qhSZPXjBc/Ws+cZ2/
E5oogqKeJ3p4RR6USOoarjnmvQPq+maRfvexriwQjRDgS
OFRb58cert/
misqzsHBVmQDnfMwicFVzuuKjDEbWFp9vL1gRkDzIlpCyl3eNmBWuWXM49Z6mm8XS
fIwlAoydNp5DK0o0Yrk6FNOi0nOrnI5kHGVD0bd5SpDtvXSF1WLfc5YT9UBUpfZneKsVPWSkbe
BX
F84hYJWBtdzcTEyjdso9Ra7UtxLIUW0UH3LWTgn9zS97nLkmhetmD1I3mEAeAE9SAmqTRyH1FN
XZ

ZOfi/
BJF4+sz86f6pBbwYM2KTvXaABgzSpZpJ1pQrZKPAgMBAAGjITAfMB0GA1UdDgQWBBTL8PbA
+e6YkBIk4yELTZ+AbfdA6DANBgkqhkiG9w0BAQsFAAOCAQEAm87lNyAO8CtN5jlLe3CupLAAbU
WR
NY6av7LpPail1JRIw+uvddMyOz1vOS1IwpDDNtcPtxGXsaZI1CKgNPBpLvSxePVUXNfFgUCtu+
bT
cuUtiQbkiDWwFLmAS6KeA+EBFOeqBiudEfkAZZT87DF9gKvM6VWdzJ7BvWi2YPbH/
FRM82fLoyAd
RbphF215we3rvsfeWbwXw70UGNyBUTb3zUcAmB3sHbcZiXJZj3pJYgDaN9Ss60sz/
yG1ZLEYluvL
R1T2PPEfEcA1Eij0R1A31Z5hJ3zDlXoCeNYLoMg4522QYekTwvQeWkeYejBXEcxdL7VP6F91zm
fZ
bm1A4PY5jw==
3c In Single Sign-On Settings, click New and specify the required details.
1. Name: Advanced Authentication
2. API Name: AAF
3. Issuer: https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/
saml2/metadata, where you must replace AdvancedAuthenticationServerAddress
with the domain name or IP address of your Advanced Authentication server.
4. Entity ID: https://CompanyName.my.salesforce.com/
5. Click Choose File to open the Identity Provider Certificate.
6. SAML Identity Type: Select Assertion contains the Federation ID from the User
object.
7. SAML Identity Location: Select Identity is in an Attribute element.
8. Attribute Name: upn.
9. Service Provider Initiated Request Binding: Select HTTP Redirect.
10. Identity Provider Login URL: https://AdvancedAuthenticationServerAddress/
osp/a/TOP/auth/saml2/sso.
11. Select User Provisioning Enabled.
12. Click Save.
3d Click Edit for Federated Single Sign-On Using SAML.
3e Select SAML Enabled.
3f Click Save.
3g Click Settings > Users.
3h Click Edit for the required Salesforce users by adding Federation ID for the user accounts.
The Federation ID corresponds to userPrincipalName attribute in Active Directory. For
example, [email protected].
NOTE: The name that you specify in Federation ID is case sensitive. The following error
may occur, if you ignore the case:
We can't log you in. Check for an invalid assertion in the SAML Assertion
Validator (available in Single-Sign On Settings) or check the login history
for failed logins.
3i Click your profile icon and click Switch to Salesforce Classic. This mode is required to tune
the domain options.

3j Click Setup Administrator > Domain Management > My Domain > Edit to access the
Authentication Configuration screen.
3k Select Login Page and osp options and click Save.
4 Configure the Advanced Authentication SAML 2.0 Event.
4a Click username and click Switch to Lightning Experience.
4b Click Gear and select Setup Home.
4c Navigate to Identity - Single Sign-On Settings.
4d Click the created configuration (not for Edit).
4e Click Download Metadata.
4f Open the Advanced Authentication Administration portal.
4g Click Events.
4h Click Add to add a new event.
4i Create an event with the following parameters.
 Name: Salesforce
 Chains: select the required chains.
 Click Browse to Upload SP SAML 2.0 metadata file. Open the Salesforce metadata file
and click Save.
5 Click Policies.
6 Set External URL to https://AdvancedAuthenticationServerAddress/ and replace
AdvancedAuthenticationServerAddress with domain name or IP address of your Advanced
IMPORTANT: You must use the server name or IP address specified in the Issuer field of
Salesforce.
7 Open the URL https://CompanyName.my.salesforce.com/ and click Advanced

Authentication to check the SAML 2.0 authentication.
10.8 Configuring Integration With ADFS

with the ADFS to prevent insecure passwords.
The following diagram represents Advanced Authentication in ADFS.

ADFS (Active Directory Federation Services) using SAML 2.0. These instructions are valid for ADFS
3 and 4.
1 Configure the Advanced Authentication SAML 2.0 event.

1a Open the Advanced Authentication Administration portal.
1b Click Server Options.
1c Enable WebAuth.
1d Click Events.
1e Click Add to add a new event.
1f Create an event with the following parameters.
 Name: ADFS_SAML.
 Event Type: Select SAML 2.
 Chains: Select the required chains.
 Paste the content of the file https://<adfs_hostname>/FederationMetadata/2007-
06/FederationMetadata.xml to SP SAML 2.0 meta data or click Browse and upload
the saved XML file.
 Click Save.
NOTE: Verify that you can access the file in your browser. If the file is not displayed, you
have an issue on ADFS that you need to resolve.
1g Click Policies.
1h Set External URL to https://AdvancedAuthenticationServerAddress/ and replace
AdvancedAuthenticationServerAddress with the domain name or IP address of your
1i Click Download IdP SAML 2.0 Metadata. You must open the file as an XML file.
NOTE: If {"Fault":{... ` is displayed, it indicates that you have not configured properly.
Verify the configuration.
2 Make the corresponding changes on ADFS:

2a Open the ADFS management console.
2b Expand Trust Relationships.
2c Click Add Claims Provider trust.
2d Paste OSP metadata URL https://<AAF_server_hostname>/osp/a/TOP/auth/saml2/
metadata.
It may not work for self-signed certificate. You can copy metadata from OSP URL to an XML
file and provide the file name.
2e Specify the Display name.
2f Select Open the Edit Claim Rules dialog for this claims provider when the wizard closes.
2g In Edit Claims Rules, click Add Rule.
2h Select Send Claims Using a Custom Rule and click Next.
2i Specify Claim rule name.
2j Paste Custom rule and click Finish.
c:[Type == "upn"]

=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value =
c.Value, ValueType = c.ValueType);
2k In ADFS snap-in, double click on the provider name.
2l Click Advanced.
2m Move the hash algorithm from SHA-256 to SHA1.
2n Click OK.
10.9 Configuring Integration With Google G Suite

with the Google G Suite appliance to prevent insecure passwords.
The following diagram represents Advanced Authentication in Google G Suite.
Google G Suite using SAML 2.0:
NOTE: As a prerequisite, ensure that you finalize the setup of G Suite by accepting the agreement
and clicking Finalize setup.
1 Login to the Google’s Administration console.

2 Open the Security section.
3 Expand Set up single sign-on (SSO).
4 Enable Setup SSO with third party identity provider.
5 Specify the following parameters:
5a Sign-in page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/
auth/saml2/sso. Replace AdvancedAuthenticationServerAddress with the domain
name or IP address of your Advanced Authentication server.
5b Sign-out page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/
auth/app/logout.
5c Change password URL: https://<AdvancedAuthenticationServerAddress> or Self-
Service Password Reset URL.
5d Create a text file and add the Identity Provider Certificate to it.

MIIDkzCCAnugAwIBAgIESsmdMzANBgkqhkiG9w0BAQsFADB6MRAwDgYDVQQGEwdVbmtub3duMR
Aw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMB
AG
A1UECxMJQXV0aGFzYXNhMRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwHhcNMTYwNTI2MD
Uz
NjI0WhcNMjYwNDA0MDUzNjI0WjB6MRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3
du
MRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMBAGA1UECxMJQXV0aGFzYX
Nh
MRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwgg
EK
AoIBAQCw3YLz03qhSZPXjBc/Ws+cZ2/
E5oogqKeJ3p4RR6USOoarjnmvQPq+maRfvexriwQjRDgS
OFRb58cert/
misqzsHBVmQDnfMwicFVzuuKjDEbWFp9vL1gRkDzIlpCyl3eNmBWuWXM49Z6mm8XS
fIwlAoydNp5DK0o0Yrk6FNOi0nOrnI5kHGVD0bd5SpDtvXSF1WLfc5YT9UBUpfZneKsVPWSkbe
BX
F84hYJWBtdzcTEyjdso9Ra7UtxLIUW0UH3LWTgn9zS97nLkmhetmD1I3mEAeAE9SAmqTRyH1FN
XZ
ZOfi/
BJF4+sz86f6pBbwYM2KTvXaABgzSpZpJ1pQrZKPAgMBAAGjITAfMB0GA1UdDgQWBBTL8PbA
+e6YkBIk4yELTZ+AbfdA6DANBgkqhkiG9w0BAQsFAAOCAQEAm87lNyAO8CtN5jlLe3CupLAAbU
WR
NY6av7LpPail1JRIw+uvddMyOz1vOS1IwpDDNtcPtxGXsaZI1CKgNPBpLvSxePVUXNfFgUCtu+
bT
cuUtiQbkiDWwFLmAS6KeA+EBFOeqBiudEfkAZZT87DF9gKvM6VWdzJ7BvWi2YPbH/
FRM82fLoyAd
RbphF215we3rvsfeWbwXw70UGNyBUTb3zUcAmB3sHbcZiXJZj3pJYgDaN9Ss60sz/
yG1ZLEYluvL
R1T2PPEfEcA1Eij0R1A31Z5hJ3zDlXoCeNYLoMg4522QYekTwvQeWkeYejBXEcxdL7VP6F91zm
fZ
bm1A4PY5jw==
5e Upload the Identity Provider Certificate.

6 Clear Use a domain specific issuer if you have one domain in G Suite or select the option if you
have more than one domain in G Suite.
Ensure that you have a user account in a repository that corresponds to a user account in
Google. An email address specified in the Contact information for the Google account must be
the same as an address from email attribute for the corresponding account of your repository.
NOTE: You cannot use the Google administrator account with SAML.
7 Create a new text file and add the Service Provider metadata to it:
<EntityDescriptor entityID="google.com"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</
NameIDFormat>
<AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/mycompany.com" />
</SPSSODescriptor>
</EntityDescriptor>

Replace mycompany.com in the Location URL to your primary domain from the Domains settings
in Google.
NOTE: You must use the Service Provider metadata when one domain exists in the G Suite. If
you have more than one domain in G Suite, then every Service Provider metadata for each
domain must have google.com as entityID replaced with google.com/mycompany.com, where
mycompany.com is your domain name.
8 Save the text file with a.xml extension.

9 Open Advanced Authentication Administration portal and click Events.
10 Click Add to add a new event and create an event with the following options.
10a Name: Google
10b Chains: select the required chains.
10c Click Browse to upload the XML file.
10d Set Send E-Mail as NameID (suitable for G-Suite) to ON.
10e Click Save.
11 In Policies, set External URL to https://AdvancedAuthenticationServerAddress/ and
replace AdvancedAuthenticationServerAddress with the domain name or IP address of your
12 Open the Google Sign in page and specify an email address of the user from Basic information
of the Google account (email address of Google account).
Google redirects to the Advanced Authentication server, where the user must authenticate. After
successful authentication, the Advanced Authentication server redirects the user back to
Google.

III Maintaining Advanced
I
Authentication
 Chapter 11, “Reporting,” on page 147

 Chapter 12, “Logging,” on page 149
 Chapter 13, “Managing Tokens,” on page 163
 Chapter 14, “Searching a Card Holder’s Information,” on page 165
 Chapter 15, “Monitoring Performance of Advanced Authentication Servers,” on page 167
 Chapter 16, “Troubleshooting,” on page 169
Maintaining Advanced Authentication 145

11 Reporting
1
The Advanced Authentication provides a reporting functionality. To log in to the Advanced

Authentication Reporting Portal, open the following address: https://<NetIQServer>/report and sign-in
using your account.
NOTE: It is required to assign chains to the Report logon event in the Events section.
The Reporting portal does not work behind a load balancer. You need to open it directly.
The following data is displayed:
Failed authentications per event

 Logon failed per event - 1
 Logon failed per event - 2
 Logon failed (total)
 Events failed
 Logon failed per user for the top 25 failed users in the AuCore stats 2 dashboard
Successful authentications per event

 Logon succeeded per repo
 Events succeeded
 Logon succeeded per user for the top 25 successful users in the AuCore stats 2 dashboard
List of endpoints connecting to an event

 Endpoints activity for the top 50 most active in the AuCore stats 2 dashboard
System
 CPU load in the AuCore stats 3 dashboard
 Memory load in the AuCore stats 3 dashboard
You can select Last N minutes in the top-right corner to change the period of the report. To switch
dashboard, click Load saved dashboard icon in the toolbar and select a required dashboard.
FULL ADMINS can view the reports from all tenants. To view the reports of a specific tenant, you
must login to the Reporting portal as the tenant admin.
Reporting 147
12 Logging
12
Advanced Authentication provides the logging functionality. All the administrative and user actions
and events are logged. You can export the logs to a compressed file in the tar.gz format.
Advanced Authentication supports the following types of logs:
 Syslog
 RADIUS
 Async
 Web server
 Replication
 Superuser
 Background tasks
 NGINX Errors
 WebAuth logs (OAUTH 2.0, SAML 2.0)
NOTE: A tenant administrator cannot access the Web server logs, Replication logs, Superuser logs,
and Background tasks logs.
You must enable Debug logging to generate the WebAuth logs.
You can change a time zone in the upper-right section that displays your local time zone. The
changes are applied for only the logs displayed and are not applied for the exported logs. Advanced
Authentication resets the time zone when you switch from the Logs section or close the
Administration portal.
You can export the log files. To export logs, perform the following steps:
1. Click Export in the Logs page.

2. Specify a Start date and End date to determine the required logging period.
3. Click Export. A File Name block appears.
4. Click on a name of the logs package ( aucore-logs_<logging_period>.tar ) to download it.
NOTE: A tenant administrator cannot export the logs.
You can clear all the logs on the server that you are currently logged on. To clear the logs, perform the
following steps:
1. In the Logs page, click Clear.
A message appears to confirm that you want to continue clearing the logs.
NOTE: It is a good practice to export the logs to save as backup before you delete them.
2. Click OK to clear the logs.
Logging 149
12.1 Syslog
These logs contain information about the system events and actions.
The Syslogs are classified as follows:
 0 - 100: Maintenance
 100 - 200: Access
 200 - 300: App data
 300 - 400: Endpoints
 400 - 500: Repositories
 500 - 600: Local users
 600 - 700: Repository users
 700 - 800: User templates
 800 - 900: Policies
 900 - 1000: Licenses
 1000 - 1100: Settings
 1100 - 1200: Password filter
 1201 - 1300: Background logon
Code Name Class Severity Optional Example

Parameters
1 New Request Operational 1 None June 10 20:10:11 host

CEF:0|AAA|Core|5.0|1|New
Request|1|
2 Request failed Operational 1 None June 10 20:10:11 host

CEF:0|AAA|Core|5.0|1|Reque
st failed|1|
10 Server started Operational 4 None June 10 20:10:11 host

CEF:0|AAA|Core|5.0|1|Server
started|4|
12 Server stopped Operational 7 None June 10 20:10:11 host

stopped|7|
13 Server Operational 10 None June 10 20:10:11 host

unexpectedly CEF:0|AAA|Core|5.0|3|Server
stopped unexpectedly stopped|10
50 Server Message Operational 5 Message June 10 20:10:11 host

Message|4|This is my
message

Parameters
100 User logon started Security 4 Username Ep June 10 20:10:11 host

Ep_addr Sid CEF:0|AAA|Core|5.0|4|User
Unit_id logon
Session_id Event started|4|username=Mycompa
Tenant_name ny\\demo sid=S-1-5-XXX
session_id=123
event=Windows Logon
ep=aaadev1.Mycompany.local
ep_addr=192.168.91.1
tenant_name=Mycompany
101 User was Security 7 Username Ep June 10 20:10:11 host

successfully Ep_addr Sid CEF:0|AAA|Core|5.0|5|User
logged on Session_id was successfully logged
method_name on|7|username=Mycompany\\
method_commen demo sid=S-1-5-XXX
t session_id=123
method_infoEve method_name=card
nt Tenant_name method_comment=white card
Template_owner method_info=YYY password
ep_addr=192.168.91.1
event=Windows Logon
template_owner=Mycompany\
\demo
102 User was failed to Security 9 Username Ep June 10 20:10:11 host

authenticate Ep_addr Sid CEF:0|AAA|Core|5.0|6|User
Session_id was failed to
Method_name authenticate|9|Username=Myc
Tenant_name ompany\\demo sid=S-1-5-XXX
Template_owner session_id=123
method_name=card
ep_addr=192.168.91.1
template_owner=Mycompany\
\demo
103 User was switched Security 2 Username Ep June 10 20:10:11 host

to different method Ep_addr Sid CEF:0|AAA|Core|5.0|7|User
Session_id was switched to different
New_method_ method|2|username=Mycomp
name any\\demo sid=S-1-5-XXX
Tenant_name new_method_name=fingerprin
t session_id=123
ep_addr=192.168.91.1
Logging 151
Parameters
104 User logon Security 2 Username Ep June 10 20:10:11 host

session was Ep_addr Sid CEF:0|AAA|Core|5.0|8|User
ended Session_id logon session was
Tenant_name ended|2|username=Mycompa
ny\\demo sid=S-1-5-XXX
session_id=123
ep_addr=192.168.91.1
105 User logon Security 9 Username Ep June 10 20:10:11 host

unwanted Ep_addr CEF:0|AAA|Core|5.0|8|User
Method_name logon session was
Tenant_name ended|9|username=Mycompa
ny\\demo sid=S-1-5-XXX
session_id=123
ep_addr=192.168.91.1
method_name=voice
106 User failed to Security 2 Username Ep June 10 20:10:11 host

authenticate the Ep_addr CEF:0|AAA|Core|5.0|8|User
method in the Method_name failed to authenticate the
chain Tenant_name method|9|username=Mycomp
any\\demo sid=S-1-5-XXX
session_id=123
ep_addr=192.168.91.1
method_name=voice
200 User read app Security 3 Username Ep June 10 20:10:11 host

data Ep_addr Sid CEF:0|AAA|Core|5.0|9|User
Session_id read app
Data_id data|3|username=Mycompany
Record_id \\demo sid=S-1-5-XXX
Tenant_name session_id=123
data_id=Windows Logon
record_id=password
ep_addr=192.168.91.1
201 User write app Security 4 Username Ep June 10 20:10:11 host

data Ep_addr Sid CEF:0|AAA|Core|5.0|10|User
Session_id write app
Data_id data|4|username=Mycompany
Record_id \\demo sid=S-1-5-XXX
Tenant_name session_id=123
data_id=Windows Logon
record_id=password
ep_addr=192.168.91.1

Parameters
300 Endpoint joined Security 4 Ep_name June 10 20:10:11 host

Ep_addr Ep_id CEF:0|AAA|Core|5.0|11|Endp
Username oint
Tenant_name joined|4|ep_name=xp_client
ep_id=123
username=Mycompany\Admin
ep_addr=192.168.91.1
301 No rights to join Security 7 Ep_name June 10 20:10:11 host

endpoint Ep_addr Ep_id CEF:0|AAA|Core|5.0|12|No
Username rights to join
Tenant_name endpoint|7|ep_name=xp_clien
t ep_id=123
ep_addr=192.168.91.1
302 Failed to join Operational 7 Ep_name June 10 20:10:11 host

endpoint Ep_addr Ep_id CEF:0|AAA|Core|5.0|13|Failed
Username to join endpoint
Reason |7|ep_name=xp_client
Tenant_name ep_id=123
ep_addr=192.168.91.1
reason=Duplicated
303 Endpoint remove Security 4 Ep_name June 10 20:10:11 host

Ep_addr Ep_id CEF:0|AAA|Core|5.0|14|Endp
Username oint
Tenant_name remove|4|ep_name=xp_client
ep_id=123
ep_addr=192.168.91.1
304 No rights to Security 7 Ep_name June 10 20:10:11 host

remove endpoint Ep_addr Ep_id CEF:0|AAA|Core|5.0|15|No
Username rights to remove
Tenant_name endpoint|7|ep_name=xp_clien
t ep_id=123
ep_addr=192.168.91.1
305 Failed to remove Operational 7 Ep_name June 10 20:10:11 host

endpoint Ep_addr Ep_id CEF:0|AAA|Core|5.0|16|Failed
Username to remove endpoint
Reason |7|ep_name=xp_client
Tenant_name ep_id=123
ep_addr=192.168.91.1
reason=Duplicated
Logging 153
Parameters
306 Endpoint session Operational 2 Ep_name June 10 20:10:11 host

started Ep_addr Ep_id CEF:0|AAA|Core|5.0|17|Endp
Tenant_name oint session
started|2|ep_name=xp_client
ep_id=123
ep_addr=192.168.91.1
307 Endpoint session Operational 2 Ep_name June 10 20:10:11 host

ended Ep_addr Ep_id CEF:0|AAA|Core|5.0|18|Endp
Tenant_name oint session
ended|2|ep_name=xp_client
ep_id=123
ep_addr=192.168.91.1
308 Invalid endpoint Security 7 Ep_name June 10 20:10:11 host

secret Ep_addr Ep_id CEF:0|AAA|Core|5.0|17|Invali
Tenant_name d endpoint
secret|2|ep_name=xp_client
ep_id=123
ep_addr=192.168.91.1
309 Failed to create Operational 7 Ep_name June 10 20:10:11 host

endpoint session Ep_addr Ep_id CEF:0|AAA|Core|5.0|18|
Reason Failed to create endpoint
Tenant_name session |7|ep_name=xp_client
ep_id=123
ep_addr=192.168.91.1
reason=No memory
310 Failed to end Operational 7 Ep_name June 10 20:10:11 host

endpoint session Ep_addr Ep_id CEF:0|AAA|Core|5.0|18|
Reason Failed to create endpoint
Tenant_name session |7|ep_name=xp_client
ep_id=123
ep_addr=192.168.91.1
reason=No memory
401 New repository Operational 4 repo_name June 10 20:10:11 host

was added repo_type CEF:0|AAA|Core|5.0|19|New
session_id repository was added
tenant_name |4|repo_name=Mycompany
repo_type=LDAP
session_id=123

Parameters
402 Failed to add Operational 7 repo_name June 10 20:10:11 host

repository repo_type CEF:0|AAA|Core|5.0|20|
session_id Failed to add
reason repository|7|repo_name=Myco
tenant_name mpany repo_type=LDAP
session_id=123 reason=repo
already exists
403 Repository was Operational 4 repo_name June 10 20:10:11 host

removed repo_type CEF:0|AAA|Core|5.0|21|Repo
session_id sitory was
tenant_name removed|4|repo_name=Myco
mpany repo_type=LDAP
session_id=123
404 Failed to remove Operational 7 repo_name June 10 20:10:11 host

repository repo_type CEF:0|AAA|Core|5.0|22|Failed
session_id to remove repository|7|
reason repo_name=Mycompany
tenant_name repo_type=LDAP
session_id=123 reason=not
empty
405 Repository Operational 4 repo_name June 10 20:10:11 host

configuration was repo_type CEF:0|AAA|Core|5.0|23|Repo
changed session_id sitory configuration was
reason changed|4|
tenant_name repo_name=Mycompany
repo_type=LDAP
session_id=123
501 Local user was Operational 4 user_name June 10 20:10:11 host

created session_id CEF:0|AAA|Core|5.0|24|Local
tenant_name user was
created|4|user_name=admin
session_id=123
502 Local user was Operational 5 user_name June 10 20:10:11 host

removed session_id CEF:0|AAA|Core|5.0|25|Local
tenant_name user was
removed|5|user_name=admin
session_id=123
503 Failed to create Operational 4 user_name June 10 20:10:11 host

local user session_id CEF:0|AAA|Core|5.0|26|ailed
reason to create local
tenant_name user|4|user_name=admin
session_id=123
reason=already exists
Logging 155
Parameters
504 No rights to Security 7 user_name June 10 20:10:11 host

remove local user session_id CEF:0|AAA|Core|5.0|26|ailed
tenant_name to create local
user|4|user_name=admin
session_id=123
505 Failed to remove Operational 5 user_name June 10 20:10:11 host

local user session_id CEF:0|AAA|Core|5.0|28|Failed
reason to remove local
tenant_name user|5|user_name=admin
session_id=123 reason=can't
remove currently logged on
user
506 No rights to create Security 7 user_name June 10 20:10:11 host

local user session_id CEF:0|AAA|Core|5.0|29|Failed
tenant_name to create local
user|7|user_name=admin
session_id=123
601 User was created Operational 4 user_name June 10 20:10:11 host

session_id CEF:0|AAA|Core|5.0|30|User
repo_name was
tenant_name created|4|username=Someon
e session_id=123
repo_name=Mycompany
602 No rights to create Security 7 user_name June 10 20:10:11 host

user session_id CEF:0|AAA|Core|5.0|31|No
repo_name rights to create
tenant_name user|7|username=Someone
session_id=123
repo_name=Mycompany
603 Failed to create Operational 4 user_name June 10 20:10:11 host

user session_id CEF:0|AAA|Core|5.0|32|Failed
repo_name to create
reason user|4|user_name=someone
tenant_name session_id=123
repo_name=123
604 User was removed Operational 5 user_name June 10 20:10:11 host

session_id CEF:0|AAA|Core|5.0|33|User
repo_name was
tenant_name removed|5|username=Someo
ne session_id=123
repo_name=Mycompany

Parameters
605 No rights to Security 7 user_name June 10 20:10:11 host

remove user session_id CEF:0|AAA|Core|5.0|34No
repo_name rights to remove
tenant_name user|7|username=Someone
session_id=123
repo_name=Mycompany
606 Failed to remove Operational 5 user_name June 10 20:10:11 host

user session_id CEF:0|AAA|Core|5.0|35|Failed
repo_name to remove
reason user|5|user_name=someone
tenant_name session_id=123
repo_name=123 reason=not
found
701 Template was Security 7 user_name June 10 20:10:11 host

assigned to the session_id CEF:0|AAA|Core|5.0|36|Templ
user ap_name ate was assigned to the
comment user|7|user_name=Mycompan
tenant_name y\some session_id=123
ap_name=Card
comment=white card

enrolled for the session_id CEF:0|AAA|Core|5.0|37|Templ
user ap_name ate was enrolled for the
comment user|7|user_name=Mycompan
ap_name=hand 3D
comment=left hand
703 User enroll the Security 7 user_name June 10 20:10:11 host

assigned template session_id CEF:0|AAA|Core|5.0|38|User
ap_name enroll the assigned
comment template|7|user_name=Myco
tenant_name mpany\some session_id=123
ap_name=hand 3D
comment=left hand
704 Template is linked Security 8 user_name June 10 20:10:11 host

target_user_nam CEF:0|AAA|Core|5.0|39|Templ
e session_id ate is
ap_name linked|8|user_name=Mycomp
comment any\some
tenant_name target_user_name=Mycompa
ny\boss session_id=123
ap_name=hand 3D
comment=left hand
Logging 157
Parameters
705 Failed to assign Security 7 user_name June 10 20:10:11 host

template to the session_id CEF:0|AAA|Core|5.0|40|Failed
user ap_name to assign template to the
comment reason user|7|user_name=Mycompan
ap_name=Card
comment=white card
reason=no license
706 Failed to enroll Security 7 user_name June 10 20:10:11 host

template for the session_id CEF:0|AAA|Core|5.0|41|Failed
user ap_name to enroll template for the
comment reason user|7|user_name=Mycompan
ap_name=hand 3D
comment=left hand reason=ap
error
707 User can't enroll Security 7 user_name June 10 20:10:11 host

the assigned session_id CEF:0|AAA|Core|5.0|41|User
template ap_name can't enroll the assigned
comment reason template|7|user_name=Myco
ap_name=hand 3D
comment=left hand
reason=AP not installed on
client side
709 Failed to link Security 8 user_name June 10 20:10:11 host

template target_user_nam CEF:0|AAA|Core|5.0|42|Failed
e session_id to link
ap_name template|8|user_name=Myco
comment reason mpany\some
ap_name=hand 3D
comment=left hand
reason=target user can't be
found
709 Template link was Security 6 user_name June 10 20:10:11 host

removed target_user_nam CEF:0|AAA|Core|5.0|43|Templ
e session_id ate link was
ap_name removed|6|user_name=Myco
comment mpany\some
ap_name=hand 3D
comment=left hand

Parameters
710 Failed to remove Security 6 user_name June 10 20:10:11 host

template link target_user_nam CEF:0|AAA|Core|5.0|44|Failed
e session_id to remove template
ap_name link|6|user_name=Mycompany
comment reason \some
ap_name=hand 3D
comment=left hand
reason=too small carma

removed ap_name CEF:0|AAA|Core|5.0|45|Templ
comment ate was
session_id removed|6|user_name=Myco
ap_name=hand 3D
comment=left hand
712 Failed to remove Security 6 user_name June 10 20:10:11 host

template ap_name CEF:0|AAA|Core|5.0|46|Failed
comment to remove
session_id template|6|user_name=Myco
reason mpany\some session_id=123
tenant_name ap_name=hand 3D
comment=left hand
reason=only owner can
remove template

changed ap_name CEF:0|AAA|Core|5.0|47|Templ
comment ate was
session_id changed|7|user_name=Myco
ap_name=hand 3D
comment=left hand
714 Failed to change Security 6 user_name June 10 20:10:11 host

template ap_name CEF:0|AAA|Core|5.0|48|Failed
comment to change
session_id template|6|user_name=Myco
reason mpany\some session_id=123
tenant_name ap_name=hand 3D
comment=left hand
reason=only owner can
change template
Logging 159
Parameters

changed during ap_name CEF:0|AAA|Core|5.0|49|Templ
logon comment ate was changed during
session_id logon|7|user_name=Mycompa
tenant_name ny\some session_id=123
ap_name=TOTP
comment=ASA (iPhone)
801 Policy was Security 7 session_id scope June 10 20:10:11 host

changed comp_name CEF:0|AAA|Core|5.0|50|Policy
policy_name was
old_value changed|7|session_id=123
new_value scope=global
comp_name=password
poliices policy_name=minimal
password length old_value=4
new_value=8
802 No rights to Security 8 session_id scope June 10 20:10:11 host

change policy comp_name CEF:0|AAA|Core|5.0|51|No
policy_name rights to change
policy|8|session_id=123
scope=global
comp_name=password
password
803 Failed to change Operational 7 session_id scope June 10 20:10:11 host

policy comp_name CEF:0|AAA|Core|5.0|52|Failed
policy_name to change
reason policy|7|session_id=123
scope=global
comp_name=password
password
reason=policy not found
901 New license was Operational 3 session_id June 10 20:10:11 host

added license_id CEF:0|AAA|Core|5.0|53|New
users_count license was
enabled_features added|3|session_id=123
expire_date license_id=111
users_count=101
enabled_features=client,rte,np
s expire_date=31/12/2014
902 Failed to add Operational 8 session_id June 10 20:10:11 host

license license_id CEF:0|AAA|Core|5.0|54|Failed
users_count to add
enabled_features license|8|session_id=123
expire_date license_id=111
reason users_count=101
enabled_features=client,rte,np
s expire_date=31/12/2013
reason=already expired

Parameters
1001 Global setting was Security 9 session_id June 10 20:10:11 host

changed setting_name CEF:0|AAA|Core|5.0|55|Globa
l setting was
changed|9|session_id=123
setting_name=syslog_server
1002 No rights to Security 9 session_id June 10 20:10:11 host

change global setting_name CEF:0|AAA|Core|5.0|56|No
setting rights to change global
setting|9|session_id=123
1003 Failed to change Operational 9 session_id June 10 20:10:11 host

global setting setting_name CEF:0|AAA|Core|5.0|57|Failed
reason to change global
setting|9|session_id=123
reason=server is unavailable
1101 Password was Security 5 user_name ep June 10 20:10:11 host

changed ep_addr CEF:0|AAA|Core|5.0|15|Pass
tenant_name word was
changed|5|ep=xp_client
user_name=Mycompany\Admi
n ep_addr=192.168.91.1
1102 Password was Security 8 user_name ep June 10 20:10:11 host

reset ep_addr CEF:0|AAA|Core|5.0|15|Pass
tenant_name word was reset|8|ep=xp_client
user_name=Mycompany\Admi
n ep_addr=192.168.91.1
1201 User successfully Security 8 user_name June 10 20:10:11 host

logged on using ep_addr event CEF:0|AAA|Core|5.0|15|User
local cache chain_name successfully logged on using
logon_time local cache|8|ep=xp_client
tenant_name user_name=Mycompany\Admi
n ep_addr=192.168.91.1
event=windows logon
chain_name=LDAP+SMS
logon_time=2017-11-05
08:10:03
To configure logs forwarding to a third-party syslog server, see CEF Log Forward Policy.
12.2 RADIUS Logs

These logs contain information about the logs that are recorded for the RADIUS client or server.
Logging 161
12.3 Async Logs
These logs contain information about the asynchronized delivery of OTP messages for the SMS,
Email, and Voice methods.
12.4 Web Server Logs

These logs contain information about requests to REST API, Administration portal, and so on.
12.5 Replication Logs

These logs contain information about the replication events for a cluster.
12.6 Superuser Logs

These logs contain information about the process that is used to execute shell commands under the
root account (used by updates, reboot through Administration portal).
12.7 Background Tasks Logs

These logs contain information about the queue tasks and about periodically running tasks (such as
LDAP sync).
12.8 NGINX Errors Logs

These logs contain information about the errors of the nginx web server.
12.9 WebAuth Logs

These logs contain information about the SAML 2.0 and OAuth 2.0 integrations.
There is a hard coded log rotation based on the file size. The maximum size of a log file is 20 MB and
for WebAuth logs it is 10 MB. Advanced Authentication stores last ten log files of each type.

13 Managing Tokens
13
With Managing Tokens you can import a file that contains information about multiple tokens and
assign the tokens to users.
You must assign chains to the Tokens Management event in the Events section to access Tokens
Management portal.
To import token files, perform the following steps:
1 Log in to the Advanced Authentication Tokens Management portal (https://

<AdvancedAuthenticationServer>/tokens).
2 Click Add.
3 Click Browse and add a PSKC or CSV file.
4 Select the File type. The options available are:
 OATH compliant PSKC: This file type must be compliant with OAuth. For example, HID
OATH TOTP compliant tokens.
 OATH csv: This file type must contain the format as described in CSV File Format To Import
OATH Compliant Tokens. You cannot use the YubiKey CSV files.
 Yubico csv: In this file type, you must use one of the supported Log configuration output
(see YubiKey Personalization Tool > Settings tab > Logging Settings) formats with comma
as a delimiter.
 Traditional format: In this file type, OATH Token Identifier must be enabled.
 Yubico format: This file type is supported only for HOTP Length set to 6 Digits and
OATH Token Identifier set to All numeric.
IMPORTANT: Moving Factor Seed must not exceed 100000.
5 Add the encrypted PSKC files. For this, select Password or Pre-shared key in PSKC file
encryption type and provide the information.
6 Click Upload to import tokens from the file.
NOTE: Advanced Authentication receives an OTP format from the imported tokens file and stores
the information in the enrolled authenticator. Therefore, Advanced Authentication Administrator need
not change the default value of OTP format on the Method Settings Edit tab. For more information on
the OTP format, see OATH OTP.
When the tokens are imported, you can see the list of tokens. You must assign these tokens to the
users. The token is assigned in the following ways:
 You can do the following:

1. Click Edit next to the token.
2. Select Owner.
3. Click Save.
 A user can self-enroll a token in the Self-Service portal. Administrator must let the user know an
appropriate value from the Serial column for the self-enrollment.
Managing Tokens 163

13.1 CSV File Format To Import OATH Compliant
Tokens
A CSV file, which is imported as OATH csv file in the Administration portal > Methods > OATH OTP >
OATH Tokens tab, must contain fields with the following parameters:
 Token’s serial number

 Token’s seed
 (Optional) Type of the token: TOTP or HOTP (by default HOTP)
 (Optional) OTP length (default value is 6 digits)
 (Optional) Time step (default value is 30 seconds)
Comma is a delimiter.
The following is an example of a CSV file:
Token001, 15d2fa517d3c6b791bd4cc2044c241429307001f
Token002, 8c557fc050721037fd31e1d3345b5d3263263e0f, totp, 8
Token003, 658208efea5ac49d5331ba781e66f2c808cccc8e, hotp, 6
Token004, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 60
IMPORTANT: For the YubiKey tokens, you must use the traditional format of the CSV (check
YubiKey Personalization Tool > Settings tab > Logging Settings) with comma as a delimiter. Use
Yubico csv file type (Advanced Authentication Administration portal > Methods > OATH OTP >
OATH Tokens).

14 Searching a Card Holder’s Information
14
With the Search Card portal, you can get a card holder’s contact information by tapping the card on
the card reader. Information such as name of the card holder, repository information, email address,
and mobile number of the user can be obtained.
You must assign chains to the Search card event in the Events section.
IMPORTANT: To use this feature, you must have the Device Service installed on the computer.
To get the user information from the card, perform the following steps:
1. Log in to the Advanced Authentication Search Card portal (https://

<AdvancedAuthenticationServer>/search-card).
2. Tap a card on the card reader. The card holder’s user name, repository information, email
address, and mobile number are displayed.
NOTE: If the card was not enrolled before, a message No user was found for this card is
displayed.
Searching a Card Holder’s Information 165

15 Monitoring Performance of Advanced
15
Authentication Servers
You can monitor the performance of Advanced Authentication servers by performing the following:
1 When you are in the configuration console, press ALT+F9 to get access to CPU/Memory usage
data.
2 If you want to see stats ordered by memory usage:
2a Press F6 to open Sort by options.
2b Press the down arrow to switch to MEM%.
2c Press Enter to save.
3 Press ALT+F12 to get information about active connections and IOSTAT.
For more information, see Determining the Number of Web Servers for Load Balancing.
Monitoring Performance of Advanced Authentication Servers 167

16 Troubleshooting
16
NOTE: This chapter contains solutions for known issues. If you encounter any problems that are not
mentioned here, contact the support service.
This chapter contains the following topics:
 Section 16.1, “Error During the Deployment of ISO File and Installation in the Graphic Mode,” on
page 169
 Section 16.2, “Partition Disks to Avoid Removal of Data,” on page 169
 Section 16.3, “Networking Is Not Configured,” on page 169
 Section 16.4, “Error While Coying the DB Master Database,” on page 170
 Section 16.5, “The ON/OFF Switch Is Broken If the Screen Resolution Is 110%,” on page 170
 Section 16.6, “Error When Requesting For Update,” on page 170
16.1 Error During the Deployment of ISO File and

Installation in the Graphic Mode
While trying to install Advanced Authentication server appliance, the following error is displayed:
Server is already active for display 0. If this server is no longer running, remove
/tmp/ .XO-lock and start again.
This issue can occur if you click Continue without selecting I agree in End User License Agreement.
As a result I don't agree is automatically selected and Yes is selected on the next screen.
To resolve the issue, perform the following steps:
1 Run the installer.

2 Select I agree and continue installation.
16.2 Partition Disks to Avoid Removal of Data

It is recommended to perform disk partitioning while installing the Advanced Authentication server.
Otherwise, the installation will destroy all data on any partitions you have removed as well as on the
partitions that are going to be formatted.
To perform disk partitioning, select Yes and click Continue.
16.3 Networking Is Not Configured

After the installation of Advanced Authentication Server appliance, an error occurs. This can be
because your network does not use the DHCP protocol.
As a solution to this issue, perform the following:
Troubleshooting 169
Select OK and configure networking manually using the Configuration Console. For more
information, see the Configuring Appliance Networking chapter.
16.4 Error While Coying the DB Master Database

A DB Master setup is available with a DB Slave. While copying the DB Master database, the following
error is displayed: "Error. (Exception) Warning: Using a password on the command line
interface can be insecure. Warning: Using a password on the command line interface
can be insecure. mysqldump: Got error: 1045: Access denied for user
'aunet'@'192.168.3.47' (using password: YES) when trying to connect".
192.168.3.47 is the IP address of DB Slave.
The error occurs due to the incorrect reverse DNS and incorrect hostname specified during the
installation:
 While installing the DB Master, the pre-populated aucore.your-router DNS hostname was
selected
 DB Slave is up and re-registered the aucore host in DHCP/DNS on the router
 the pre-populated aucore.your-router DNS hostmane was selected on the DB Slave
The pre-populated DNS names cannot be used during the installation. In such scenarios, you must
specify the IP address. DNS hostnames must be specified on the corporate DNS server.
16.5 The ON/OFF Switch Is Broken If the Screen

Resolution Is 110%
While trying to edit the Lockout options policy, the ON/OFF switch is broken when the screen
resolution is 110%.
As a solution, change the screen resolution to 100%.
16.6 Error When Requesting For Update

When requested for the update, the following error is displayed:
E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily

unavailable)
E: Unable to lock directory /var/lib/apt/lists/ (AuCore)
After rebooting, the following error is displayed and the problem repeats:
Command '('sudo','apt-get','update')' timed out after 28 seconds (AuError)
As a solution, perform the following.
 Check the networking configuration and HTTP Proxy configuration in the Configuration Console.
 Ensure that the DNS servers you have specified are able to resolve the address
repo.authasas.com.
 Ensure your company's firewall does not lock Internet connection to the address on the
appliance.

Server Administrator Guide

Uploaded by

Copyright:

Available Formats

Server Administrator Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Server Administrator Guide

Uploaded by

Copyright:

Available Formats

Administration Guide

About NetIQ Corporation 7

1 Advanced Authentication Overview 11

Part I Configuring Advanced Authentication 19

2 Logging In to the Advanced Authentication Administrative Portal 21

3 Configuring Advanced Authentication Server Appliance 23

4 Configuring Ports and Firewall 91

4 Advanced Authentication - Administration

6 Enrolling the Authentication Methods 107

Part II Configuring Integrations 109

7 OAuth 2.0 111

8 RADIUS Server 123

9 SAML 2.0 127

10 Examples of Integrations 129

Part III Maintaining Advanced Authentication 145

14 Searching a Card Holder’s Information 165

15 Monitoring Performance of Advanced Authentication Servers 167

6 Advanced Authentication - Administration

Enabling critical business services, better and faster

Driving your success is our passion

About NetIQ Corporation 7

United States and Canada: 1-888-323-6768

Web Site: www.netiq.com

Contacting Technical Support

North and South America: 1-713-418-5555

Europe, Middle East, and Africa: +353 (0) 91-782 677

Web Site: www.netiq.com/support

Contacting Documentation Support

Contacting the Online User Community

8 Advanced Authentication - Administration

About this Book 9

Authentication comprises of the following three factors:

This section contains the following topics:

1.1 How Is Advanced Authentication Better Than

 Works on multiple platforms such as Windows, Mac OS X, Linux and so on.

1.2 Key Features

Advanced Authentication Overview 11

1.3 Advanced Authentication Server Components

For more information, see Section 1.3.1, “Administration Portal,” on page 12

1.3.1 Administration Portal

12 Advanced Authentication - Administration

1.3.2 Self-Service Portal

1.3.3 Helpdesk Portal

1.3.4 Reporting Portal

Advanced Authentication Overview 13

For more information, see Section 1.4.1, “Basic Architecture,” on page 14

1.4.1 Basic Architecture

An Advanced Authentication server is connected to a directory such as Active Directory Domain

14 Advanced Authentication - Administration

Figure 1-1 Enterprise Level Architecture

Advanced Authentication Overview 15

16 Advanced Authentication - Administration

Advanced Authentication Overview 17

1.5.1 Authentication Method

1.5.2 Authentication Chain

1.5.3 Authentication Event

18 Advanced Authentication - Administration

This chapter contains the following sections:

 Chapter 2, “Logging In to the Advanced Authentication Administrative Portal,” on page 21

Configuring Advanced Authentication 19