3.4 Creating a Chain

A chain is an ordered combination of authentication methods. A user must pass every method in the chain, in order, to be authenticated. For example, if you create a chain with LDAP Password and SMS OTP, the user must first specify the LDAP Password. If the LDAP Password is correct, the system sends an SMS containing a One-Time Password (OTP) to the user's mobile phone. The user must then specify the correct OTP to be authenticated.

Advanced Authentication contains the following chains that are created by default:

  1. LDAP Password Only: Any user from a repository can use this chain to get authenticated with the LDAP Password (single-factor) method.

  2. Password Only: Any user who has a Password method enrolled can use this chain to get authenticated with the Password (single-factor) method.

You can create any number of chains, each with one or more authentication methods. To strengthen security, include multiple methods from different factors in a chain.

Authentication is based on the following three factors:

  • Something that you know such as password, PIN, and security questions.

  • Something that you have such as smartcard, token, and mobile phone.

  • Something that you are such as biometrics (fingerprint or iris).

You achieve multi-factor (strong) authentication by combining methods from at least two different factors in this list. Two methods from the same factor, such as a password and a PIN, do not count as multi-factor. For example, multi-factor authentication can be a combination of a password and a token, or of a smartcard and a fingerprint.

After you create a chain, you assign it to specific user groups in your repository. The chain is then mapped to an event.

To create a new chain or edit an existing chain, perform the following steps:

  1. Click Chains.

  2. Click Add to create a chain. You can also click the edit icon against the chain that you want to edit.

  3. Specify a name of the chain in Name.

  4. Specify a Short name. The short name lets a user select a specific chain explicitly. For example, if you give a chain containing the LDAP Password and SMS methods the short name SMS, a user can enter <username> sms and is then forced to use that chain. This is helpful when the primary chain is not available.

    NOTE: This is applicable only for the RADIUS Server event.

  5. Set Is enabled to ON to enable the chain.

  6. Select the methods that you want to add to the chain from the Methods section. The order of the methods in the list is the order in which the user is prompted. For example, if you create a chain with the LDAP Password and HOTP methods in that order, the user is prompted for the LDAP Password first and then for the OTP.

  7. Specify the groups that will use the authentication chain in Roles and Groups.

    You can specify the following roles and groups based on your requirement:

    • ALL USERS: To use all the users and groups of all the added repositories.

    • <REPO\Group>: To use a specific group from the repository. For example to specify users of an IT staff group, specify FOCUS\IT staff.

    • <REPO Users>: To use all the users of a specific repository. For example to use all users in the repository FOCUS, specify FOCUS Users.

    IMPORTANT: Do not assign a chain to groups from which you cannot exclude individual users, such as a <REPO Users> group or ALL USERS, because you will then not be able to free up a user's license. For example, if an employee in such a group leaves the company and you only disable the user's domain account instead of deleting it, the license is not freed.

  8. Expand Advanced Settings by clicking +.

  9. Set Apply if used by endpoint owner to ON if an Endpoint owner must use the chain.

    NOTE: The Endpoint owner feature is supported for Windows Client, Mac OS Client, and Linux PAM Client only.

  10. Specify the MFA tags. When a user logs in to Windows on a workstation with Advanced Authentication Windows Client installed, the user's account is moved to the group specified in MFA tags.

    NOTE: This functionality is available only when you set Enable filter to ON in the Logon Filter for AD policy and have configured the Logon Filter.

    For example, if you specify a Card users group from Active Directory in MFA tags, the user is moved from the legacy group (specified in the Advanced Settings of the Active Directory repository) to the Card users group.

    NOTE: If the user credentials are saved with Remember my credentials, the MFA tag does not take effect when connecting through Remote Desktop.

  11. Set Required chain to Nothing if this is a required (high-security) chain. To configure this chain as a linked chain, which can be used for a limited period after a successful authentication with a required chain, select the appropriate required chain and specify a Grace period (mins). Within this period, the linked chain can be used instead of the required chain. The maximum grace period is 44640 minutes (31 days).

    NOTE: You must assign both the required chain and the linked chain to the same Event. The linked chain must be listed above (of higher order than) its required chain. This option is available only when the Linked Chains policy is set to ON.

    For example, LDAP Password+Card is a required chain and Card is its linked chain with a grace period of 8 hours (480 minutes). Users must authenticate with the LDAP Password+Card chain once every 8 hours; within that period, they can authenticate with the card only, without the LDAP Password.

  12. (Conditional) In Custom names, you can specify the chain name in a specific language. To do this, click + to expand the settings and specify the chain name.

  13. Click Save.

    IMPORTANT: If you have configured more than one chain that shares a method (for example, LDAP Password and LDAP Password+Smartphone) and assigned them to the same group of users and the same event, the topmost chain for which the user has enrolled all methods is always used. Order the list so that the chain you want to take precedence is at the top. The exception is a high-security (required) chain and its linked simple chain, where the simple chain must be listed above its high-security chain.
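The following Python model is an added example, not code from Advanced Authentication. It encodes the selection rules stated in this section: a chain is multi-factor only if its methods span two different factors (the three-factor list above), the topmost chain for which the user has enrolled all methods is used (step 6 and the IMPORTANT note), a linked chain is usable only within the grace period of its required chain and must be listed above it (step 11), and on the RADIUS Server event "<username> <short name>" forces a chain (step 4). The method-to-factor table, the group and user structures, the sample chains and users, and the choice to split the RADIUS login string on its last space are all assumptions made for the example.

```python
"""Toy model of chain selection as described in section 3.4 (added example, not product code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_GRACE_MINUTES = 44640  # documented upper limit: 31 days

# Assumed classification of methods into the three factors.
FACTOR = {
    "LDAP Password": "know", "Password": "know", "PIN": "know",
    "SMS OTP": "have", "HOTP": "have", "Card": "have", "Smartphone": "have",
    "Fingerprint": "are",
}


@dataclass
class Chain:
    name: str
    short_name: str
    methods: list                          # prompted in this order
    groups: set                            # "ALL USERS", "FOCUS Users" or "FOCUS\\IT staff"
    enabled: bool = True
    required_chain: Optional[str] = None   # set only on a linked chain
    grace_minutes: int = 0                 # only meaningful on a linked chain

    def is_multifactor(self) -> bool:
        """True only if the methods cover two or more distinct factors."""
        return len({FACTOR[m] for m in self.methods}) >= 2


@dataclass
class User:
    name: str
    repo: str
    groups: set
    enrolled: set
    last_required_auth: dict = field(default_factory=dict)  # chain name -> datetime


def in_scope(chain: Chain, user: User) -> bool:
    """Roles and Groups matching: ALL USERS, <REPO Users>, or an explicit <REPO\\Group>."""
    if "ALL USERS" in chain.groups or f"{user.repo} Users" in chain.groups:
        return True
    return bool(chain.groups & user.groups)


def grace_active(chain: Chain, user: User, now: datetime) -> bool:
    """A linked chain is usable only within grace_minutes of its required chain."""
    if chain.required_chain is None:
        return True
    last = user.last_required_auth.get(chain.required_chain)
    return last is not None and now - last <= timedelta(minutes=chain.grace_minutes)


def select_chain(chains, user, now, forced_short=None):
    """Return the topmost applicable chain (list order = priority), or None."""
    for chain in chains:
        if not chain.enabled or not in_scope(chain, user):
            continue
        if forced_short and chain.short_name.lower() != forced_short.lower():
            continue
        if not set(chain.methods) <= user.enrolled:   # every method must be enrolled
            continue
        if not grace_active(chain, user, now):
            continue
        return chain
    return None


def parse_radius_login(login, chains):
    """Split '<username> <short name>' typed on the RADIUS Server event (assumed format)."""
    user, _, suffix = login.rpartition(" ")
    if user and any(c.short_name.lower() == suffix.lower() for c in chains):
        return user, suffix
    return login, None


def validate(chains):
    """Structural checks on linked chains before saving; returns a list of problems."""
    issues, position = [], {c.name: i for i, c in enumerate(chains)}
    for c in chains:
        if c.required_chain is None:
            continue
        if c.required_chain not in position:
            issues.append(f"{c.name}: required chain {c.required_chain!r} not found")
        elif position[c.required_chain] < position[c.name]:
            issues.append(f"{c.name}: must be listed above {c.required_chain}")
        if not 0 < c.grace_minutes <= MAX_GRACE_MINUTES:
            issues.append(f"{c.name}: grace period must be 1..{MAX_GRACE_MINUTES} minutes")
    return issues


# Constructed sample: the linked "Card" chain sits above its required chain.
CHAINS = [
    Chain("Card", "card", ["Card"], {"FOCUS\\IT staff"},
          required_chain="LDAP Password+Card", grace_minutes=480),
    Chain("LDAP Password+Card", "ldapcard", ["LDAP Password", "Card"], {"FOCUS\\IT staff"}),
    Chain("LDAP Password+SMS", "sms", ["LDAP Password", "SMS OTP"], {"FOCUS Users"}),
]


def demo():
    """Worked cases with constructed users; returns the selected chain names."""
    now = datetime(2024, 5, 1, 9, 0)
    alice = User("alice", "FOCUS", {"FOCUS\\IT staff"}, {"LDAP Password", "Card", "SMS OTP"},
                 {"LDAP Password+Card": now - timedelta(hours=2)})
    bob = User("bob", "FOCUS", {"FOCUS\\Sales"}, {"LDAP Password", "SMS OTP"})
    name = lambda c: c.name if c else None
    return {
        "alice_in_grace": name(select_chain(CHAINS, alice, now)),
        "alice_after_grace": name(select_chain(CHAINS, alice, now + timedelta(hours=7))),
        "alice_forced_sms": name(select_chain(CHAINS, alice, now, forced_short="sms")),
        "bob": name(select_chain(CHAINS, bob, now)),
    }
```

Running demo() shows the interplay the notes describe: within 8 hours of a full LDAP Password+Card authentication, alice is prompted for the card only; once the grace period lapses she falls through to the required chain; "alice sms" on RADIUS forces the SMS chain; and bob, who is not in IT staff, only ever matches the FOCUS Users chain. validate() flags a linked chain placed below its required chain, which the product will not accept either.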