Hi,
Can Safeguard be integrated with Defender, so it can provide 2FA in one of two cases?
1- login to Safeguard
2- login to an SSH or RDP session using OTP in addition to password authentication
Hi Mahmoud,
1. Yes, SPP supports adding a Radius server as secondary authentication for user login to SPP, and Defender is a Radius server.
2. SPS also supports adding an AA plugin for Radius, which can be configured to point to Defender to add OTP on SSH or RDP sessions proxied via SPS.
Thanks!
Do you have a documentation guide on how to do it?
The SPP admin guide has a section on adding Radius as a secondary authentication for SPP login here:
This assumes that you already have Defender Server installed and configured to accept authentications from the SPP nodes (Defender is the Radius server in this example).
SPP will then point to Defender for Radius secondary authentication to prompt for 2FA.
Thanks!
Hi Tawfiq
How do I define an access node for SPP?
As far as I know, we define an access node to secure Windows-based computers, Unix systems, VPN access and websites for applications hosted on an IIS server.
Also, we always need a Defender agent installed on the systems that we have to protect.
The Defender Access node for SPP would be the same as a Windows-based Access node, but no Defender Desktop Client needs to be installed on SPP, because it is a hardened appliance with no access to the OS; instead, SPP supports Radius without the need for the agent:
In the Defender Access node, include the IP address range of all SPP nodes.
You can use a different authentication port (for example 1645 instead of 1812) if you prefer not to conflict with other access nodes using a similar IP address range.
Type: Radius Agent
Defender policy is Token only.
Then in SPP, you would add the Radius settings as secondary authentication (SPP > Safeguard Access > Identity and authentication > Radius > Secondary Authentication), pointing to the Defender IP address with the same port and shared secret as in the Access node in Defender.
Then enable secondary authentication in the user settings in SPP, selecting Radius as the secondary authentication.
Thanks!
You may also need to disable push notifications on the Defender side if you are running Defender 6.2 or above, as they may not work correctly yet with SPP.
To disable push notifications in Defender, add the registry key below on all Defender Security Servers:
Thanks for your recommendations.
I have installed Defender 6.1.
I am testing and will send you feedback.
Hi Tawfiq
It works fine. Thank you very much.
The only thing is that Defender asks for a first password that is not defined in the configuration before asking for the Windows password and the token.
When I press Enter I can continue.
Is there a way to remove this step?
If you are using a Directory user to authenticate to SPP in the first step with the AD password, then there should be no need to have Defender enforce the AD password again in the secondary authentication.
You can have Defender handle the token response only as the second step by setting the Defender policy on the SPP Access node to Token only.
Unless there is another Defender policy on the Defender Security Server object that could be conflicting, you can remove the Defender policy from ADUC > Defender OU > Security Server > properties > Policy Tab > Clear it from here.
You can create a new Defender policy that is Token only rather than (AD password followed by Token) and assign it to the SPP Access node; that way you can have different Access nodes with different Defender policy requirements, based on what you want to enforce for each access node endpoint.
Please, what is the Defender one-time password number?
Defender OTP, or one-time password, is just another name for the token response.
Hi
Hope you are doing fine.
I have configured, for one client (an assurance company), SPP 6.13 integration with Defender 6.1 2FA authentication for SPP's users following your instructions... good.
I tried the same configuration for a bank with SPP 6.13 and Defender 6.14 and got the error message "access denied -- no valid route". SPP and Defender are in the same subnet. What can be the possible cause and how do I solve it?
You can try disabling push notifications in Defender and test again; you may also have to upgrade SPP, as version 6.13 is out of support now.
To turn the notifications off, you need to manually create the following registry value at:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition
Value type: REG_DWORD
Value name: PushOff
Value data: 1
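The two posts above (the Defender 6.2+ note and the registry value just listed) both come down to setting the same DWORD on every Defender Security Server. The following PowerShell script is an added example, not code from the thread or from One Identity: it reads the current PushOff value on each server, sets it to 1 only where it is missing or different, and prints the before/after state so the change can be verified (or previewed with -Preview) before users are affected. The server names are placeholders, and the script assumes PowerShell remoting (WinRM) is enabled and the caller has administrative rights on those servers; it only writes the value where the Defender key already exists, so it will not create the key on a machine that is not a Defender Security Server.

```powershell
# Added example (not from the thread): set the Defender PushOff value from the post above
# on every Defender Security Server, idempotently, and report what changed.
param(
    # Placeholder hostnames: replace with the real Defender Security Servers.
    [string[]]$DefenderServers = @('dss01.example.local', 'dss02.example.local'),
    # Report what would change without writing anything.
    [switch]$Preview
)

# Registry location and value exactly as given in the thread (HKLM:\ form of the path).
$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition'
$ValueName = 'PushOff'
$Desired   = 1

$setPushOff = {
    param($KeyPath, $ValueName, $Desired, $Preview)

    if (-not (Test-Path -Path $KeyPath)) {
        # The key only exists where the Defender Security Server is installed;
        # do not create it on a machine that is not one.
        return [pscustomobject]@{
            Server = $env:COMPUTERNAME; KeyPresent = $false
            Before = $null; After = $null; Changed = $false
        }
    }

    # Current value, or $null when PushOff has never been created.
    $before  = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $changed = $false

    if ($before -ne $Desired) {
        if (-not $Preview) {
            # -Force overwrites an existing value; -PropertyType DWord matches REG_DWORD.
            New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null
        }
        $changed = $true
    }

    $after = if ($Preview) { $before } else { (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName }

    [pscustomobject]@{
        Server = $env:COMPUTERNAME; KeyPresent = $true
        Before = $before; After = $after; Changed = $changed
    }
}

# Run the same check/set on every server and show a one-line summary per host.
$results = Invoke-Command -ComputerName $DefenderServers -ScriptBlock $setPushOff `
    -ArgumentList $KeyPath, $ValueName, $Desired, $Preview.IsPresent

$results | Format-Table Server, KeyPresent, Before, After, Changed -AutoSize
```

Run it once with -Preview to see which servers still have PushOff unset or set to something other than 1, then without it to apply the value; a second run should report Changed = False everywhere, which is a quick way to confirm that all Defender Security Servers are consistent before re-testing the SPP secondary authentication.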
Hello Tawfiq, my customer has installed SPP and Defender; the integration works fine, but they want to know if SPP is going to support push notifications from Defender in the future. They want to receive an Approve or Deny notification when accessing the SPP portal with 2FA via Defender.