11.1 Configuring an Existing Event

  1. Click Events > New Event.

  2. Specify a name for the event in Name.

  3. Ensure that Is enabled is set to ON if you want to use the event.

  4. Select the Event type.

    For most of the predefined events, you cannot change the Event type. For events such as Windows logon, Linux logon, and Mac OS logon, you can change the Event type from OS Logon (domain) to OS Logon (local) if the workstations are not joined to the domain.

    • Select OS Logon (domain) to allow only domain-joined users to log in to the event.

    • Select OS Logon (local) to allow any Advanced Authentication user from any repository to access the event. However, users must map themselves to a local user account during their first login by providing the credentials.

  5. Set the reCAPTCHA option to ON if you want the Google reCAPTCHA option to be displayed on the login page for that event.

    The reCAPTCHA option is displayed only when you enable the Google reCAPTCHA Options policy.

    NOTE:The reCAPTCHA option is supported only for the Admin UI event, Authenticators Management event, Helpdesk event, Helpdesk user event, Report logon event, Tokens Management event, and the Search Card event.

  6. By default, All Categories is set to ON. When multiple event categories are created, users can enroll an authentication method multiple times (one enrolled method per category).

    When All Categories is set to ON, users can authenticate to the event using any of the supported methods (Card, FIDO U2F, HOTP, Password, and TOTP) and Advanced Authentication automatically chooses an appropriate authentication method.

    To use other methods, Advanced Authentication prompts for the category selection.

    The All Categories option is displayed only if you have added categories in the Event Categories policy.

    For example, an administrator has configured two categories, CAT1 and CAT2. The Default category is predefined in the Administration portal. Users can enroll three devices. All Categories is set to ON for the Windows logon event. A user has three cards and enrolls each to a category as follows:

    • Card 1 to Default

    • Card 2 to CAT1

    • Card 3 to CAT2

    After enrolling cards, the user can authenticate to the Windows event by using one of the enrolled cards.

    You can set All Categories to OFF if you want to disable support for multi-enrollment of supported methods.

    The Authenticator category is displayed when All Categories is set to OFF. Select the preferred category from Authenticator category.

  7. Select the chains that you want to assign to the current event.

    In an event, you can configure a prioritized list of chains that can be used to get access to that specific event.

  8. (Conditional) In Risk Policy, select the policy that you want to assign to this event for assessing the risk associated with a login attempt.

  9. (Conditional) Click Create New Policy to create a new risk policy for this event.

    Clicking this option opens the Risk Settings page.

    IMPORTANT:The Risk Policy and Create New Policy options are available only when you enable Risk Settings. For more information, see Section III, Configuring Risk Settings.

  10. If you want to restrict which endpoints can access the event, add all the endpoints that must have access to the Endpoints whitelist. The remaining endpoints are blacklisted automatically. If the Endpoints whitelist is blank, all endpoints are allowed to authenticate.

    IMPORTANT:Endpoints whitelist supports only the Windows Logon, Linux Logon, and Mac OS Logon events.

  11. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT:You must enable the Geo Fencing Options policy to use the geo-fencing functionality.

  12. Select Allow Kerberos SSO if you want to enable single sign-on (SSO) to the Advanced Authentication portals. Kerberos SSO is supported for AdminUI, Authenticators Management, Helpdesk, and Report logon events.

    IMPORTANT:To use the Kerberos SSO feature, you must configure the Kerberos SSO Options policy and upload a keytab file.

  13. Set Logon with Expired Password with one of the following options based on your requirement:

    • Allow: Select this option to allow users to log in to the event with an expired LDAP password.

    • Ask to change: If the password has expired, this option prompts users to change the password during logon. Changing the LDAP Password is supported only for Active Directory repositories. However, Advanced Authentication cannot change the LDAP Password when the LDAP Servers in the Repository settings are configured with port 389, because the LDAP server rejects the new password over that connection.

    • Deny: Select this option to deny access to the event with an expired LDAP password. When access is denied, the following message is displayed to users:

      You must change your password to logon.

  14. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate to Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users who are locked in the repository are not allowed to authenticate.

  15. Set Return groups on logon to ON if you want to retrieve the group details of users who authenticated to the event in the authentication response.

    With Return groups on logon set to ON, if Groups is empty, all the groups that the users are associated with are returned in the response. However, to return the required groups, specify the preferred groups in Groups.

    The authentication response of the RADIUS event can become lengthy if a user is associated with several groups. Therefore, it is recommended to use Groups to limit the groups in the response.

    By default, Return groups on logon is set to ON for all events except for Authenticators Management, Smartphone Enrollment, and SAML 2.0 events.

    When this option is set to OFF, the groups of users authenticated to the event are not returned in the response.

  16. As a top administrator, you can enforce the configuration of events (except the RADIUS Server event) on secondary tenants. After configuring the settings for the event, you can freeze those settings for a specific tenant. In the tenant administrator console, the tenant cannot edit the settings that the top administrator has enforced for that event.

    To enforce the configurations for a specific tenant, perform the following steps:

    1. In the Tenancy settings, click +.

    2. In Force the configuration for the tenants, select the tenant on which you want to enforce the configuration.

    3. After you select a tenant, the Hide forced settings option is displayed. You can set Hide forced settings to ON if you want to hide the configurations that you have enforced on the tenant. When this option is set to ON, the tenant administrator console does not show setting changes.

  17. Select the Allow to logon to this event by shared authenticator option to allow users to log in using shared authenticators. By default, this option is disabled for the Authenticators Management, Helpdesk, Helpdesk User, AdminUI, Search Card, Token Management, and Report Logon events and enabled for all other events.

  18. Click Save.

  19. Click Initialize default chains to revert the changes that are applied to the default configuration.

NOTE:If you have configured more than one chain that shares a method (for example, LDAP Password and LDAP Password+Smartphone) and assigned them to the same group of users and to the same event, the top chain is always used if the user has enrolled all the methods in that chain. An exception is the use of a high-security chain and its corresponding simple chain, where the simple chain must be placed higher than its high-security chain.

HINT:It is recommended to have a single chain with the Emergency Password method at the top of the chain list in the Authenticators Management event and in the other events that users use. The chain is ignored if the user does not have the Emergency Password enrolled. The user can use the Emergency Password immediately after the helpdesk administrator enrolls the Emergency Password authenticator for the user.
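The chain-selection rule in the NOTE and HINT above can be modeled as a check an administrator runs against a planned chain list before saving an event. This is an added example, not code from Advanced Authentication: the Chain model, the group name ALL USERS and the helper names are assumptions, and the high-security-chain exception from the NOTE is not modeled. Besides selecting the chain a given user would get, it flags chains that can never be reached, which is how a single-factor chain placed above an MFA chain silently turns multi-factor login off.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    """Hypothetical model of one chain assigned to an event: its name, its
    methods in order, and the user groups it is assigned to."""
    name: str
    methods: tuple
    groups: frozenset


def select_chain(chains, user_groups, enrolled):
    """Walk the event's prioritized chain list top-down and return the first
    chain assigned to one of the user's groups whose methods the user has all
    enrolled. Returns None when no chain is usable (e.g. a top Emergency
    Password chain is skipped while that method is not enrolled)."""
    for chain in chains:
        if chain.groups.isdisjoint(user_groups):
            continue
        if set(chain.methods) <= enrolled:
            return chain
    return None


def shadowed_chains(chains):
    """Return (lower, upper) name pairs where `lower` can never be selected
    for the shared group: a chain above it uses a subset of its methods, so
    any user enrolled for the lower chain already satisfies the upper one."""
    report = []
    for i, lower in enumerate(chains):
        for upper in chains[:i]:
            if (not upper.groups.isdisjoint(lower.groups)
                    and set(upper.methods) <= set(lower.methods)):
                report.append((lower.name, upper.name))
                break
    return report


ALL_USERS = frozenset({"ALL USERS"})  # constructed group name

# Constructed chain list in the recommended order: Emergency Password on top,
# the MFA chain next, plain LDAP Password last as the fallback.
EVENT_CHAINS = (
    Chain("Emergency Password", ("Emergency Password",), ALL_USERS),
    Chain("LDAP Password+Smartphone", ("LDAP Password", "Smartphone"), ALL_USERS),
    Chain("LDAP Password", ("LDAP Password",), ALL_USERS),
)

# Same chains with the single-factor chain moved above the MFA chain: the MFA
# chain is now unreachable for every user who has both methods enrolled.
MISORDERED_CHAINS = (EVENT_CHAINS[0], EVENT_CHAINS[2], EVENT_CHAINS[1])
```

Run `shadowed_chains` on a chain list before assigning it to an event; an empty result means every chain is reachable by some enrollment state.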

By default, Advanced Authentication contains the following events:

11.1.1 ADFS Event

This event is used to integrate Advanced Authentication with ADFS using the earlier ADFS plug-in for Advanced Authentication 5.x.

For 6.0, you can use the new ADFS MFA plug-in. For more information, see the Configuring the Advanced Authentication Server for ADFS Plug-in guide.

11.1.2 AdminUI Event

Use this event to access the Administration portal. You can configure the chains that can be used to get access to the /admin URL.

IMPORTANT:Be careful when changing the default chains that are assigned to this event. You may block access to the Administration portal.

NOTE:You can promote users or groups of users from a repository to the FULL ADMINS role in Repositories > Local. After this, you must assign to the AdminUI event chains whose methods those users have enrolled (at a minimum, LDAP Password).

WARNING:If you have enabled the Google reCAPTCHA policy for the Admin UI event, you must consider the following guidelines. Otherwise, a deadlock scenario can occur and you will not be able to access the Administration portal without reinstalling the cluster:

  • If the site key or secret key gets deleted at the Google server, you will not be able to obtain the same site key or secret key again. The site key and secret key used on the Administration portal are no longer valid, and there is no way to bypass the reCAPTCHA on the Administration portal.

  • If you have registered the reCAPTCHA for one domain name and you change the domain name or migrate the Advanced Authentication server to another domain name, the site key and secret key used on the Administration portal are no longer valid.

11.1.3 Authentication Agent Event

Configure the settings of this event to enable a login to the Authentication Agent for Windows in Advanced Authentication 6.3 SP4 and prior versions.

From Advanced Authentication 6.3 SP5, the OOB UI Logon Event is used instead of this event.

11.1.4 Authenticators Management Event

Use this event to access the Self-Service portal. In the Self-Service portal, users can enroll any of the methods that are configured in a chain, provided they are a member of the group assigned to that chain.

Add an LDAP Password chain as the last chain in the list of chains to ensure secure access to the portal for users who have methods enrolled.

IMPORTANT:If the Administration portal uses a repository that does not have any user, you must enable a chain with Password only (Authenticators Management - Password) for this event. This enables you to access the Self-Service portal or change the password in the Self-Service portal.

You can also perform basic authentication with Advanced Authentication. To enable basic authentication, set the Allow basic authentication option to ON in the Event Edit screen for Authenticators Management.

NOTE:Basic authentication is supported only for the Authenticators Management event and only for the Password, LDAP Password, and HOTP methods.

You must append /basic to the URL to log in to the enrollment page. The Login page appears, and the format of the Username you must provide is: username:PASSWORD|LDAP_PASSWORD|HOTP:1. For example: admin:PASSWORD:1.

When you log in to the Self-Service portal, by default the chain with the highest priority is displayed. To display the other chains with the enrolled methods, set Show chain selection to ON.

NOTE:If you enable Show chain selection but a chain is not displayed in the list of available chains in the Self-Service portal, ensure that the user has enrolled all the methods of that chain.

For more information, see Managing Authenticators in the Advanced Authentication User guide.

11.1.5 Desktop OTP Tool Event

Use this event to enroll the TOTP method using the Desktop OTP tool. This event supports a chain with either LDAP Password or Password method as a single factor authenticator.

11.1.6 Helpdesk Event

Configure the settings of this event to enable the Helpdesk administrator to access the Helpdesk portal. One of the roles of a Helpdesk administrator is to set an emergency password for users. An emergency password is a temporary password for users who have lost their smart card or smartphone. Some companies restrict self-enrollment and have the Helpdesk administrator perform the enrollment after hiring. You can promote repository administrators or users to Helpdesk administrators in the Repositories > LOCAL > Edit > Global Roles > ENROLL ADMINS section.

You can manage the enrollment and re-enrollment of the authenticators in one of the following ways:

  • Restrict self-enrollment and force users to enroll through the Helpdesk, or

  • Restrict only the re-enrollment or deletion of authenticators from the Self-Service portal using the Disable re-enrollment option.

For more information, see Managing Authenticators in the Advanced Authentication Helpdesk Administrator guide.

11.1.7 Helpdesk User Event

Configure the settings of this event to enable the Helpdesk administrator to authenticate users in the Helpdesk portal. This event is applicable for the User to manage screen that appears on the Helpdesk portal.

You must enable the Ask credentials of management user option in the Helpdesk Options policy before using this event.

11.1.8 Linux Logon Event

Configure the settings of this event to enable login to the Linux Client. If you want to use Linux Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

11.1.9 Mac OS Logon Event

Configure the settings of this event to enable login to the Mac OS Client. If you want to use Mac OS Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

11.1.10 Mainframe Logon Event

Configure the settings of this event to enable login to the Mainframe system.

An example of a Mainframe logon event is the Advanced Authentication Connector.

11.1.11 NAM Event

Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ Access Manager.

11.1.12 NCA Event

Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ CloudAccess. CloudAccess must be configured to use Advanced Authentication as an authentication card and user stores must be added for the repositories for the integration to work. For more information, see the Advanced Authentication CloudAccess documentation.

11.1.13 OAuth Event

Configure the settings of this event to facilitate third-party integrations with OAuth 2.0. For more information about configuring the OAuth 2.0 event, see OAuth 2.0.

Once an OAuth event is created, the administrator cannot view the Client secret. If the administrator needs to reset the Client secret, open the OAuth event, and specify the new client secret in Reset Client Secret.

NOTE:Resetting the Client secret disrupts the service that relies on the event. To resume the service, you must configure the new client secret in the consumer web application and authenticate again.

11.1.14 OOB UI Logon Event

Configure this event to log in to the Advanced Authentication OOB portal, Authentication Agent for Windows, and Authentication Agent for Web. These components enable users to manage the authentication requests of the Out-of-band method to authenticate to a specific event for which a chain with the Out-of-band method is assigned.

NOTE:You must not assign a chain containing the Out-of-band method to the OOB UI logon event.

11.1.15 RADIUS Server Event

The Advanced Authentication server contains a built-in RADIUS server to authenticate any RADIUS client using one of the chains configured for the event. For more information about configuring the RADIUS Server event, see RADIUS Server.

11.1.16 Report Logon Event

Configure the settings of this event to log in to the Advanced Authentication Reporting portal. For more information about the Reporting portal, see Reporting.

11.1.17 Search Card Event

Configure the settings of this event to log in to the Advanced Authentication Search Card portal. The Search Card functionality helps you to get the card holder’s contact information by inserting the card in the card reader. For more information about searching a card holder’s information, see Searching a Card Holder’s Information.

11.1.18 Smartphone Enrollment Event

The Smartphone method can be enrolled in two ways:

  • By scanning a QR code that is shown in the Self-Service Portal.

  • By using an enrollment link that can be manually sent through SMS or Email.

This event allows managing enrollment using the enrollment link. For more information about preparing the enrollment link, see Configuring Enrollment Link.

This event supports a chain with either LDAP Password or the Password method as a single factor authenticator.

To enroll the Smartphone method using an enrollment link, users must open the link on a smartphone with the NetIQ Advanced Authentication app installed, then specify their user name and password. Users of LDAP repositories can use the LDAP password; local users and users of other repositories (for example, an SQL repository) who do not have an LDAP password can use their enrolled password to enroll the Smartphone method by link. If the app is not installed on the user's smartphone, the user is prompted to install it. After the credentials are entered, the authenticator is enrolled automatically and is ready to use.

11.1.19 Tokens Management Event

Configure the settings of this event to log in to the Advanced Authentication Tokens Management portal. The Tokens Management functionality allows you to assign each token to a specific user. For more information about assigning a token to a user, see Managing Tokens.

11.1.20 Windows Logon Event

Configure the settings of this event to log in to the Windows Client. If you want to use Windows Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).