11.2.1 Creating a Generic Event

You can create a generic event for Windows Client, Mac OS X Client, and Linux PAM Client workstations when these clients are not joined or bound to a domain. Perform the following steps to create a generic event:

  1. Click Events > New Event.

  2. Specify a name for the event.

  3. Set Is enabled to ON.

    By default, Event Type is set to Generic.

  4. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  5. Select the chains that you want to assign to the current event.

  6. (Conditional) In Risk Policy, select the policy that you want to assign to this event for assessing the risk associated with a login attempt.

  7. (Conditional) Click Create New Policy to create a new risk policy for this event.

    Clicking this option opens the Risk Settings page.

    IMPORTANT: The Risk Policy and Create New Policy options are available when you enable Risk Settings. For more information, see Section III, Configuring Risk Settings.

  8. To restrict which endpoints can access the event, add every endpoint that must have access to the Endpoints whitelist. The remaining endpoints are blacklisted automatically. If you leave the Endpoints whitelist blank, all the endpoints are considered for authentication.

    IMPORTANT: Endpoints whitelist supports only Windows Logon, Linux Logon, and Mac OS Logon events.

  9. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT: You must enable the Geo Fencing Options policy to use the geo-fencing functionality.

  10. Set Logon with Expired Password to one of the following options based on your requirement:

    • Allow: Select this option to allow users to log in to the event with the expired LDAP password.

    • Ask to change: Select this option to prompt users to change an expired password during logon. Changing the LDAP password is supported only for Active Directory repositories. However, changing the LDAP password in Advanced Authentication is not allowed when the LDAP Servers in the Repository settings are configured with port 389, because the LDAP server rejects the new password.

    • Deny: Select this option to deny access to the event with the expired LDAP password. When the access is denied, the following message is displayed to users:

      You must change your password to logon.

  11. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate to Advanced Authentication. By default, Bypass user lockout in repository is set to OFF, and users who are locked in the repository are not allowed to authenticate.

  12. Set Return groups on logon to ON if you want to retrieve the group details of users who authenticated to the event in the authentication response.

    With Return groups on logon set to ON, if Groups is empty, all the groups that the users are associated with are returned in the response. To return only the required groups, specify the preferred groups in Groups.

    By default, Return groups on logon is set to OFF, and the groups of users authenticated to the event are not returned in the response.

  13. Select the Allow to logon to this event by shared authenticator option to allow users to log in using shared authenticators. By default, this option is disabled for the Authenticators Management, Helpdesk, Helpdesk User, AdminUI, Search Card, Token Management, and Report Logon events and enabled for all the other events.

    NOTE: The Allow to logon to this event by shared authenticator option is displayed if you enable the Enable sharing of authenticators option in the Authenticator Management Options policy.

  14. A top administrator can enforce the configuration of events (except the RADIUS Server event) on secondary tenants. For more information, see Step 17.

  15. Click Save.

NOTE: When you create a custom event, you must specify the custom event in the configuration file of the related endpoints. For more information, see the Advanced Authentication - Linux PAM Client, Advanced Authentication - Mac OS X Client, or Advanced Authentication - Windows Client guides related to the specific endpoint.
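
Several settings in this procedure depend on each other or on other policies (port 389 with Ask to change, Geo-fencing with the Geo Fencing Options policy, an empty Groups field with Return groups on logon). The following review helper is an added example, not part of the product or its documentation; it checks a hand-transcribed record of an event's settings against those rules, and the record's key names are assumptions made for this example.

```python
# Added example: the event record is constructed and hand-transcribed from the
# portal; its key names are assumptions, not a product export format or API.

def review_event(event, ldap_ports=(), geo_policy_enabled=False):
    """Return (setting, finding) notes for one event's settings."""
    notes = []
    if not event.get("endpoints_whitelist"):
        notes.append(("Endpoints whitelist",
                      "blank, so all endpoints are considered for authentication"))
    if event.get("geo_fencing") and not geo_policy_enabled:
        notes.append(("Geo-fencing",
                      "ON, but the Geo Fencing Options policy is not enabled"))
    expired = event.get("expired_password")
    if expired == "Allow":
        notes.append(("Logon with Expired Password",
                      "users can log in with an expired LDAP password"))
    elif expired == "Ask to change" and 389 in ldap_ports:
        notes.append(("Logon with Expired Password",
                      "repository uses port 389, so the LDAP server rejects the new password"))
    if event.get("bypass_user_lockout"):
        notes.append(("Bypass user lockout in repository",
                      "users locked in the repository can still authenticate"))
    if event.get("return_groups") and not event.get("groups"):
        notes.append(("Return groups on logon",
                      "Groups is empty, so all of the user's groups are returned"))
    return notes

# Constructed sample: a generic event for non-domain workstations.
SAMPLE_EVENT = {
    "name": "Kiosk logon",                      # hypothetical event name
    "endpoints_whitelist": ["kiosk-01", "kiosk-02"],
    "geo_fencing": True,
    "expired_password": "Ask to change",
    "bypass_user_lockout": True,
    "return_groups": True,
    "groups": [],
}

if __name__ == "__main__":
    for setting, finding in review_event(SAMPLE_EVENT, ldap_ports=(389,)):
        print(f"{setting}: {finding}")
```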