8.1.10 Mainframe Logon Event
Configure the settings of this event to enable login to the Mainframe system.
An example of a Mainframe logon event is the Advanced Authentication Connector.
Specify a name for the event in .
Ensure that is set to if you want to use the event.
For most of the predefined events, you cannot change the. For events such as , and , you can change the from to if the workstations are not joined to the domain.
Select OS Logon (domain) to allow only domain-joined users to log in to the event.
Select OS Logon (local) to allow any Advanced Authentication user from any repository to access the event. However, users must map themselves to a local user account during their first login by providing the credentials.
Enable the option to if you want the Google reCAPTCHA option to be displayed on the login page for the particular event.
The reCAPTCHA option is displayed only when you enable the Google reCAPTCHA Options policy.
NOTE: The reCAPTCHA option is supported only for the event, event, event, event, event, event, and the event.
By default, is set to . When multiple event categories are created, users can enroll an authentication method multiple times (one enrolled method per category).
When is set to ON, users can authenticate to the event using any of the supported methods (Card, FIDO U2F, HOTP, Password, and TOTP), and Advanced Authentication automatically chooses an appropriate authentication method.
To use other methods, Advanced Authentication prompts for the category selection.
The option is displayed only if you have added categories in the
For example, an administrator has configured two categories, CAT1 and CAT2. The category is predefined in the Administration portal. Users can enroll three devices. The is set to for the Windows logon event. A user has three cards and enrolls each to a category as follows:
Card 1 to Default
Card 2 to CAT1
Card 3 to CAT2
After enrolling cards, the user can authenticate to the Windows event by using one of the enrolled cards.
You can set to if you want to disable support for multi-enrollment of supported methods.
The is displayed when is set to . Select the preferred category from .
Select the chains that you want to assign to the current event.
In an event, you can configure a prioritized list of chains that can be used to get access to that specific event.
(Conditional) In , select the policy that you want to assign to this event for assessing the risk associated with a login attempt.
(Conditional) Click to create a new risk policy for this event.
Clicking this option opens the Risk Settings page.
IMPORTANT: The and options are available only when you enable Risk Settings. For more information, see Section III, Configuring Risk Settings.
If you want to restrict access to the event to specific endpoints, add all the endpoints that must have access to the . The remaining endpoints are blacklisted automatically. If the is left blank, all endpoints are considered for authentication.
IMPORTANT: The endpoints whitelist supports only the Windows Logon, Linux Logon, and Mac OS Logon events.
Set to to enable geo-fencing. Move the permitted zones from to . For more information about configuring geo-fencing, see the Smartphone method.
IMPORTANT: You must enable the Geo Fencing Options policy to use the geo-fencing functionality.
Select if you want to enable single sign-on (SSO) to the Advanced Authentication portals. Kerberos SSO is supported for the AdminUI, Authenticators Management, Helpdesk, and Report logon events.
Set with one of the following options based on your requirement:
: Select this option to allow users to log in to the event with an expired LDAP password.
: If the password has expired, this option prompts users to change the password during logon. Changing the LDAP password is supported only for Active Directory repositories. In addition, Advanced Authentication cannot change the LDAP password when the LDAP Servers in the Repository settings are configured with port 389 (plain, unencrypted LDAP); the LDAP server rejects the new password.
: Select this option to deny access to the event with an expired LDAP password. When access is denied, the following message is displayed to users:
You must change your password to logon.
Set to if you want to allow users who are locked in the repository to authenticate to Advanced Authentication. By default, is set to , and users who are locked in the repository are not allowed to authenticate.
Set to if you want the authentication response to include the group details of the users who authenticated to the event.
With set to , if is empty, all the groups that the user is associated with are returned in the response. To return only the required groups, specify the preferred groups in .
The authentication response of the RADIUS event can become lengthy if a user is associated with many groups. Therefore, it is recommended to use to limit the groups returned in the response.
By default, is set to for all events except the Authenticators Management, Smartphone Enrollment, and SAML 2.0 events.
When this option is set to , the groups of users authenticated to the event are not returned in the response.
Select the option to allow users to log in using shared authenticators. By default, this option is disabled for the Authenticators Management, Helpdesk, Helpdesk User, AdminUI, Search Card, Token Management, and Report Logon events and enabled for all other events.
Click to revert the changes that are applied to the default configuration.
NOTE: If you have configured more than one chain using one method (for example, , ) and assigned them to the same group of users and to the same event, the top chain is always used if the user has enrolled all the methods in that chain. An exception is a high-security chain and its corresponding simple chain, where the simple chain must be placed higher than its high-security chain.
HINT: It is recommended to have a single chain with the method at the top of the chains list in the event and in the other events that users use. The chain is ignored if the user does not have the enrolled. The user can use the Emergency Password immediately after the helpdesk administrator enrolls the user with the Emergency Password authenticator.
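The following is a simplified model, added here as an example and not the product's own code, of three of the settings described above: the endpoints whitelist (an empty list means every endpoint may authenticate), the prioritized chain list (the top chain whose methods the user has fully enrolled wins, so an unenrolled Emergency Password chain at the top is skipped), and the group filter on the authentication response. All class, function and sample names (Chain, Event, WINDOWS_LOGON, the group and endpoint values) are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the event settings on this page; names are assumptions.

@dataclass(frozen=True)
class Chain:
    name: str
    methods: tuple      # methods in order, e.g. ("LDAP_PASSWORD", "SMARTPHONE")
    groups: frozenset   # groups of users the chain is assigned to

@dataclass(frozen=True)
class Event:
    name: str
    chains: tuple                           # prioritized: index 0 is the top chain
    endpoints_whitelist: frozenset = frozenset()
    return_groups: bool = False
    groups_filter: frozenset = frozenset()

def endpoint_allowed(event, endpoint):
    """Empty whitelist: every endpoint may authenticate; otherwise only listed ones."""
    return not event.endpoints_whitelist or endpoint in event.endpoints_whitelist

def select_chain(event, user_groups, enrolled_methods):
    """Top-most chain assigned to one of the user's groups whose methods are all enrolled."""
    for chain in event.chains:
        if chain.groups & user_groups and set(chain.methods) <= set(enrolled_methods):
            return chain.name
    return None   # no chain is fully enrolled for this user

def groups_in_response(event, user_groups):
    """None when the option is off, all groups when the filter is empty, else the intersection."""
    if not event.return_groups:
        return frozenset()
    if not event.groups_filter:
        return frozenset(user_groups)
    return frozenset(user_groups) & event.groups_filter

# Constructed sample event: Emergency Password chain on top, as the HINT recommends.
ALL = frozenset({"ALL USERS"})
WINDOWS_LOGON = Event(
    name="Windows logon",
    chains=(Chain("Emergency Password", ("EMERGENCY_PASSWORD",), ALL),
            Chain("LDAP Password + Smartphone", ("LDAP_PASSWORD", "SMARTPHONE"), ALL),
            Chain("LDAP Password", ("LDAP_PASSWORD",), ALL)),
    endpoints_whitelist=frozenset({"WS-01", "WS-02"}),
    return_groups=True,
    groups_filter=frozenset({"VPN Users"}),
)
```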
By default, Advanced Authentication contains the following events:
This event is used to integrate Advanced Authentication with ADFS using the previous ADFS plug-in for Advanced Authentication 5.x.
For 6.0, you can use the new ADFS MFA plug-in. For more information, see the Configuring the Advanced Authentication Server for ADFS Plug-in guide.
Use this event to access the Administration portal. You can configure the chains that can be used to get access to the /admin URL.
IMPORTANT: Be careful when changing the default chains assigned to this event; you may block access to the Administration portal.
NOTE: You can promote users or groups of users from a repository to the role in Repositories > Local. After this, you must assign to the event chains whose methods those users have enrolled (at a minimum, an LDAP Password).
WARNING: If you have enabled the Google reCAPTCHA policy for the Admin UI event, you must consider the following guidelines. Otherwise, a lockout can occur and you will not be able to access the Administration portal without reinstalling the cluster:
If the site key or secret key is deleted at the Google server, you cannot obtain the same site key or secret key again. The site key and secret key used on the Administration portal are no longer valid, and there is no way to bypass the reCAPTCHA on the Administration portal.
If you have registered the reCAPTCHA for one domain name and you change the domain name or migrate the Advanced Authentication server to another domain name, the site key and secret key used on the Administration portal are no longer valid.
Configure the settings of this event to enable login to the Authentication Agent for Windows in Advanced Authentication 6.3 SP4 and prior versions.
From Advanced Authentication 6.3 SP5, the OOB UI Logon Event is used instead of this event.
Use this event to access the Self-Service portal. In the Self-Service portal, users can enroll any of the methods that are configured in a chain whose assigned group they are a member of.
Add an chain as the last chain in the list of chains to ensure secure access to the portal for users who have methods enrolled.
IMPORTANT: If the Administration portal uses a repository that does not have any users, you must enable a chain with only (Authenticators Management - Password) for this event. This allows you to access the Self-Service portal and to change the password there.
You can also perform basic authentication with Advanced Authentication. To achieve basic authentication, set the option to in the screen for Authenticators Management.
NOTE: Basic authentication is supported only for the event and for the Password, LDAP Password, and HOTP methods.
You must append /basic to the URL to log in to the enrollment page. The Login page appears, and the Username must be provided in the format username:PASSWORD|LDAP_PASSWORD|HOTP:1, that is, the user name followed by one of the three method names. For example: admin:PASSWORD:1.
When you log in to the Self-Service portal, by default the chain with the highest priority is displayed. To display the other chains with the enrolled methods, set to .
NOTE: If you have enabled chain selection but a chain is not displayed in the list of available chains in the Self-Service portal, ensure that the user has enrolled all the methods of that chain.
Use this event to enroll the TOTP method using the Desktop OTP tool. This event supports a chain with either LDAP Password or Password method as a single factor authenticator.
Configure the settings of this event to enable the Helpdesk administrator to access the Helpdesk portal. One of the roles of a Helpdesk administrator is to set an emergency password for users. An emergency password is a temporary password for users who have lost their smart card or smartphone. Some companies restrict self-enrollment and have a Helpdesk administrator perform the enrollment after hiring. You can promote repository administrators or users to Helpdesk administrators in the section.
You can manage the enrollment and re-enrollment of the authenticators in one of the following ways:
Restrict self-enrollment and force users to enroll through the Helpdesk, or
Restrict only the re-enrollment or deletion of authenticators from the Self-Service portal using the Disable re-enrollment option.
Configure the settings of this event to enable the Helpdesk administrator to authenticate users in the Helpdesk portal. This event applies to the screen that appears on the Helpdesk portal.
You must enable the option in the Helpdesk Options policy before using this event.
Configure the settings of this event to enable login to the Linux Client. If you want to use the Linux Client on non-domain-joined workstations, change the from to .
Configure the settings of this event to enable login to the Mac OS Client. If you want to use the Mac OS Client on non-domain-joined workstations, change the from to .
Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ Access Manager.
Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ CloudAccess. CloudAccess must be configured to use Advanced Authentication as an authentication card and user stores must be added for the repositories for the integration to work. For more information, see the Advanced Authentication CloudAccess documentation.
Configure the settings of this event to facilitate third-party integrations with OAuth 2.0. For more information about configuring the OAuth 2.0 event, see OAuth 2.0
After an OAuth event is created, the administrator cannot view the . To reset the , open the OAuth event and specify the new client secret in .
NOTE: Resetting the disrupts any service that relies on the event. To resume the service, configure the new client secret in the consumer web application and authenticate.
Configure this event to log in to the Advanced Authentication OOB portal, Authentication Agent for Windows, and Authentication Agent for Web. These components enable users to manage the Out-of-band authentication requests for an event to which a chain containing the Out-of-band method is assigned.
NOTE: You must not assign a chain containing the Out-of-band method to the OOB UI logon event.
The Advanced Authentication server contains a built-in RADIUS server to authenticate any RADIUS client using one of the chains configured for the event. For more information about configuring the RADIUS Server event, see
Configure the settings of this event to log in to the Advanced Authentication Reporting portal. For more information about the Reporting portal, see
Configure the settings of this event to log in to the Advanced Authentication Search Card portal. The Search Card functionality helps you to get the card holder’s contact information by inserting the card in the card reader. For more information about searching a card holder’s information, see
The Smartphone method can be enrolled in two ways:
By scanning a QR code that is shown in the Self-Service Portal.
By using an enrollment link that can be manually sent through SMS or Email.
This event allows managing enrollment using the enrollment link. For more information about preparing the enrollment link, see Configuring Enrollment Link.
This event supports a chain with either LDAP Password or the Password method as a single factor authenticator.
To enroll the Smartphone method using an enrollment link, users click the link on a smartphone with the NetIQ Advanced Authentication app installed and then specify their user name and password. Users of LDAP repositories can use their LDAP password; local users and users of other repositories (for example, an SQL repository) who do not have an LDAP password can use their enrolled password to enroll the Smartphone method by link. If the app is not installed on the user's smartphone, the user is prompted to install it. After the credentials are entered, the authenticator is enrolled automatically and is ready to use.
Configure the settings of this event to log in to the Advanced Authentication Tokens Management portal. The Tokens Management functionality allows you to assign each token to a specific user. For more information about assigning a token to a user, see Managing Tokens.
Configure the settings of this event to log in to the Windows Client.