9.0 Logging In to Out-of-Band Portal

The Out-of-band (OOB) portal allows you to manage the authentication requests that the OOB method sends to authenticate to any device or service.

You can use the enrolled authenticators to log in to the Out-of-band portal. You must pass through the authenticators in the chain to get authenticated successfully.

To log in to the Out-of-band portal, perform the following steps:

  1. Log in to the Advanced Authentication OOB portal (https://<AdvancedAuthenticationServerdomainname>/oob/ui).

  2. Specify the username in the format: repositoryname\username (e.g. company\pjones) and click Next.

  3. Select the preferred authentication chain from the list.

  4. Authenticate with the preferred authentication method(s) of the chain.

    A prompt to select a category might appear if you have enrolled an authenticator for more than one category.

Instead of logging in to OOB portal for each authentication, you can install the Authentication Agent for Web on a desktop or mobile using the Google Chrome browser. Perform the following steps to install the Authentication Agent for Web:

  1. Log in to the Advanced Authentication OOB portal (https://<AdvancedAuthenticationServerdomainname>/oob/ui) using the Chrome browser.

  2. Authenticate with the preferred authentication method(s) of the chain.

    On successful authentication, the Authentication Requests page appears.

  3. Perform one of the following:

    • Desktop: Click the Install icon in the address bar.

    • Mobile: Tap the Install icon adjacent to the user name.

    A message is displayed to confirm the install.

  4. Click Install.

    The Authentication Agent for Web is installed on your desktop or mobile.

NOTE: To receive push messages, you must enable notifications in your browser for the OOB portal or the Authentication Agent for Web app. By default, notifications are blocked.

NOTE: After initiating the authentication, if the push notification does not appear after 5 seconds, click the Refresh icon to view the push notification for the initiated authentication.

The following examples describe the different scenarios where the OOB portal is used:

Scenario 1: Authenticating to Linux using the OOB Method

The OOB method is enrolled for Paul in the Advanced Authentication Self-Service portal. Using the OOB portal, he has installed the Authentication Agent for Web on his Android smartphone.

Consider that the administrator has set up the following:

  • Assigned a chain with the Password and TOTP methods to the OOB portal.

  • Assigned a chain with the OOB method to the Linux machine.

The following sequence describes the authentication process using the Authentication Agent for Web:

  1. Paul opens the Authentication Agent for Web that is installed on his Android smartphone and authenticates on it using the Password and TOTP methods.

  2. On the Linux computer, specify the user name and select the chain with the Out-of-band method.

    This initiates an authentication request.

  3. An authentication request with Accept and Decline buttons is displayed on the Authentication Agent for Web.

    NOTE: After initiating the authentication, if the push notification does not appear after 5 seconds, click the Refresh icon to view the push notification for the initiated authentication.

  4. Tap Accept.

    Paul logs in to the Linux computer successfully.

Scenario 2: Authenticating to VPN using the Out-of-Band Portal and Biometrics

An organization has secured the VPN network with strong multi-factor authentication using domain password and Windows Hello. Janet wants to connect to the corporate VPN. However, it is not possible to use fingerprint and face recognition directly in the RADIUS authentication. The organization has decided to use the Out-of-Band method for this scenario.

Janet has a Windows laptop with a built-in fingerprint sensor.

Consider the following setup:

  • Assigned a chain with the Windows Hello method to the OOB portal.

  • Assigned a chain with the LDAP Password and Out-of-band methods to the RADIUS Server.

The following sequence describes the authentication process using the OOB portal:

  1. Specify the username and domain password in the VPN connection request.

  2. Navigate to the OOB portal in any browser using the URL https://<AAFserver>/oob/ui.

  3. Authenticate to the OOB portal using the Windows Hello method.

  4. The pending authentication request appears.

    NOTE: After initiating the authentication, if the push notification does not appear after 5 seconds, click the Refresh icon to view the push notification for the initiated authentication.

  5. Click Accept.

    Janet gets connected to the corporate VPN.

Scenario 3: Authenticating to z/OS Mainframe Using the Authentication Agent for Web on Smartphone

Nick wants to log in to the z/OS mainframe. The mainframe is secured with the Advanced Authentication OOB method.

Consider the following setup:

  • The Authentication Agent for Web and NetIQ Advanced Authentication applications are installed on an Android smartphone.

  • A Windows laptop has access to the z/OS terminal.

  • Assigned a chain with the Smartphone method to the OOB portal.

  • Assigned a chain with the OOB method to the Mainframe.

The following sequence describes the authentication process using the Authentication Agent for Web:

  1. On the Windows laptop, initiate login to the z/OS mainframe and specify oob in the Password field.

    This initiates the authentication request.

  2. The Authentication Agent for Web on the smartphone receives a notification about the pending authentication request.

  3. Tap the notification to open the Authentication Agent for Web and authenticate using the Smartphone method.

  4. The pending authentication request is displayed in the Authentication Agent for Web.

    NOTE: After initiating the authentication, if the push notification does not appear after 5 seconds, click the Refresh icon to view the push notification for the initiated authentication.

  5. Click Accept.

    Nick connects to the z/OS mainframe.

Advanced Authentication provides the following authenticators for logging in to the Out-of-band portal: