9.20.1 Authentication Agent for Windows

Authentication Agent for Windows is supported only on Microsoft Windows. It enables users to perform multi-factor authentication on one device to get authorized access to an event or another device that does not have a user interface or where it is not possible to connect or use a required authentication device.

When a user initiates the out-of-band authentication, an Authentication Agent window appears automatically. The user must authenticate using any available chain to access the authentication request, which is presented with the Accept and Reject buttons.

For more information, see Advanced Authentication - Windows Authentication Agent.

NOTE: To allow the use of Authentication Agent for Windows, you must configure the Authentication Agent policy appropriately.

The following image describes the authentication flow for the Out-of-band method when the Authentication Agent for Windows is in use.

A user wants to authenticate on an endpoint such as a laptop or a website with the Out-of-band method. The following steps describe the authentication flow:

  1. When the authentication request is initiated on the Client side (application, Client, RADIUS, etc.), the endpoint contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s credentials.

  3. After validating the credentials, the Advanced Authentication server sends an authentication request to the Windows machine that runs Authentication Agent for Windows. A restricted browser window prompts the user to authenticate. The user authenticates using any available chain to log in to the OOB portal, where the authentication request is shown with the Accept and Reject options. The user’s response is then sent to the server.

  4. Finally, the server validates the authentication and the endpoint gets authenticated.

HTTPS protocol is used for the communication.
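The server-side checks implied by steps 2 to 4, as an added simulation that is not Advanced Authentication's own code or API: the first factor is validated before anything is pushed, and an Accept/Reject from the agent only counts if it refers to a live, unexpired request, comes from the same user whose credentials were validated, and that user has authenticated with a chain in the OOB portal. The class names, the `REQUEST_TTL` value and the in-memory stores are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed simulation of the out-of-band approval flow; not the product's API.
REQUEST_TTL = 60  # seconds a pending request stays valid (assumed value)


@dataclass
class OobRequest:
    request_id: str   # one-time identifier pushed to the agent
    user: str         # user whose first factor was validated in step 2
    endpoint: str     # laptop, website, RADIUS client, ... from step 1
    created: float


class OobServer:
    """Server side: issues OOB requests and validates the agent's reply."""

    def __init__(self, passwords: dict, portal_authenticated: set):
        self.passwords = passwords                      # first-factor store (constructed)
        self.portal_authenticated = portal_authenticated  # users who logged in to the OOB portal
        self.pending: dict = {}

    def start(self, user: str, password: str, endpoint: str,
              now: Optional[float] = None) -> Optional[OobRequest]:
        # Step 2: validate the credentials before any request is pushed to the agent.
        if self.passwords.get(user) != password:
            return None
        created = now if now is not None else time.time()
        req = OobRequest(secrets.token_hex(16), user, endpoint, created)
        self.pending[req.request_id] = req  # step 3: request sent to the Windows machine
        return req

    def respond(self, request_id: str, responder: str, decision: str,
                now: Optional[float] = None) -> str:
        # Steps 3 and 4: validate the Accept/Reject that comes back from the agent.
        now = now if now is not None else time.time()
        req = self.pending.get(request_id)
        if req is None:
            return "unknown_request"          # unknown or already decided
        if now - req.created > REQUEST_TTL:
            del self.pending[request_id]
            return "expired"
        if responder != req.user or responder not in self.portal_authenticated:
            return "unauthorized_responder"   # wrong user or no chain login in the portal
        del self.pending[request_id]          # one decision per request
        return "authenticated" if decision == "accept" else "rejected"
```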