Validation server configuration settings

A Validation server can take the following configuration settings.
Enter the following settings to configure your Validation server. Not all settings are displayed, depending on whether the configuration is a custom configuration or a pre-defined configuration, and what application you chose.
Server Information
Server Name
Enter a name for the new Validation server. The name must not include any spaces; the only characters allowed are letters, numbers, dashes (-), and underscores (_).
Local IP
Select the local IP address (in IPv4 format) of this Validation server (for example, 192.168.142.100). If the host has multiple IP addresses, select the address on which you want the Validation server to listen for network connections.
Port
Enter the server port number (the default is 1812). If you have other processes (such as IAS on Windows, or a RADIUS server) running on port 1812, you must change the UDP port default or shut down the other server.
RADIUS Shared Secret
Enter the shared secret used by the Validation server. Client applications such as VPN gateways need this secret to connect to this Validation server and authenticate the user.
The RADIUS Shared Secret must be between 7 and 32 characters in length and can contain only alphanumeric characters.
Confirm RADIUS Shared Secret
Reenter the shared secret that you entered in the RADIUS Shared Secret field.
Logging Level
Set the level of detail that the logs capture. (The default is INFO.) The logging level set here is the level that is used by other VIP Enterprise Gateway components if they are set to the Default log level. You can configure each Validation server to a particular level of logging detail as desired. Select the appropriate level from the drop-down list:
  • Debug: The log captures general details, and stack traces of all exception events.
  • Info: The log captures general details that are needed to track how the server is functioning.
  • Warn: The log captures details of potentially harmful events, namely rejected transactions and exception events that affect the server.
  • Error: The log captures details of events that hinder the server or a transaction but may still allow the server to function (except events that affect the server).
Log Rotation Interval
Select how frequently you want a new log file to be created. The default is 1 day. When a new log file is created, the Validation server archives the old log file and prepends the date (Year-Month-Day) to its filename.
Number of Files to Keep
Select the number of old log files that the Validation server keeps. To determine how many days of log files the server keeps, multiply the Number of Files to Keep by the Log File Rotation Interval.
For example, to keep logs for 28 days, select 7 for Log File Rotation Interval and 4 for Number of Files to Keep, or 1 for Log File Rotation Interval and 28 for Number of Files to Keep. After 28 days, the server writes over the oldest archived log file.
You should archive your log files on another server for auditing purposes, and so that you can set the Number of Files to Keep to a lower number.
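The constraints listed for the Server Information fields and the log-retention arithmetic above are easy to get wrong by hand before a configuration is applied. The following is an added example (not Symantec's code, and not part of the VIP Enterprise Gateway product) that checks a proposed set of values against exactly the rules this page states and computes the retention window; all field values passed to it are constructed sample input.

```python
import ipaddress
import re

# Added example: validates the Server Information constraints stated on this page.
# Server Name: letters, numbers, dashes and underscores only, no spaces.
SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# RADIUS Shared Secret: 7 to 32 alphanumeric characters.
SHARED_SECRET_RE = re.compile(r"^[A-Za-z0-9]{7,32}$")


def validate_server_info(name, local_ip, port, secret, confirm_secret):
    """Return a list of problems with the proposed settings; an empty list means OK."""
    problems = []
    if not SERVER_NAME_RE.match(name):
        problems.append("Server Name: only letters, numbers, '-' and '_' are allowed (no spaces)")
    try:
        # Local IP must be a single IPv4 address, not a hostname or IPv6 address.
        if ipaddress.ip_address(local_ip).version != 4:
            problems.append("Local IP: must be an IPv4 address")
    except ValueError:
        problems.append("Local IP: not a valid IP address")
    if not (1 <= port <= 65535):
        problems.append("Port: must be from 1 through 65535 (default 1812)")
    if not SHARED_SECRET_RE.match(secret):
        problems.append("RADIUS Shared Secret: 7 to 32 alphanumeric characters required")
    if secret != confirm_secret:
        problems.append("Confirm RADIUS Shared Secret: does not match the shared secret")
    return problems


def retention_days(rotation_interval_days, files_to_keep):
    """Days of logs retained = Log File Rotation Interval (days) * Number of Files to Keep.

    After that many days the server overwrites the oldest archived log file.
    """
    if rotation_interval_days < 1 or files_to_keep < 1:
        raise ValueError("rotation interval and files to keep must both be at least 1")
    return rotation_interval_days * files_to_keep


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(validate_server_info("vs-1", "192.168.142.100", 1812, "Secret123", "Secret123"))
    print(retention_days(7, 4), retention_days(1, 28))
```

Run it against the values you intend to enter; an empty problem list plus the expected retention figure means the form will accept the settings and the logs will cover the audit window you planned for.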
Enable Syslog
Select Yes to allow the Validation server to use syslog to write logs to a syslog server. You must configure Syslog Settings (Logs > Syslog Settings) for this feature to work.
Password Encoding
Specify the format in which the password, which is part of the client's RADIUS request to the Validation service, is encoded. The Validation service uses the same format to decode the client's password information.
On Windows, you can select UTF-8 or Default in the list box. Default represents the platform's default encoding. On Linux, you can enter either UTF-8 or one of the encoding names that the iconv -l command lists.
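Why the client and the Validation service must agree on the encoding is easier to see with the actual User-Password handling. The following is an added example, not Symantec's code: the password is first turned into bytes with the chosen encoding, then hidden with the MD5 chain that RFC 2865 section 5.2 specifies for the User-Password attribute, and decoded on the receiving side with the configured Password Encoding. The shared secret, Request Authenticator and passwords are constructed sample values.

```python
import hashlib

# Added example: RFC 2865 section 5.2 User-Password hiding, plus the decode step
# that depends on the Password Encoding setting. Not Symantec's code.


def hide_password(password_bytes, shared_secret, request_authenticator):
    """Pad to a multiple of 16 octets and XOR each block with MD5(secret + previous block)."""
    padded = password_bytes + b"\x00" * (-len(password_bytes) % 16)
    if len(padded) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    out = bytearray()
    prev = request_authenticator            # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                        # later blocks are chained on the hidden block
    return bytes(out)


def unhide_password(hidden, shared_secret, request_authenticator):
    """Reverse of hide_password; the chain uses the hidden (ciphertext) blocks."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")       # strip the RFC 2865 null padding


def decode_password(hidden, shared_secret, request_authenticator, encoding):
    """What the Validation service does: unhide the octets, then decode with the configured encoding."""
    return unhide_password(hidden, shared_secret, request_authenticator).decode(encoding)


if __name__ == "__main__":
    # Constructed sample values; a real Request Authenticator is 16 random octets.
    secret = b"Secret123"
    authenticator = bytes(range(16))
    hidden = hide_password("pässwörd".encode("utf-8"), secret, authenticator)
    print(decode_password(hidden, secret, authenticator, "utf-8"))    # matches the client
    print(decode_password(hidden, secret, authenticator, "cp1252"))   # mismatched encoding
```

With a non-ASCII password the mismatched decode yields a different string, so the LDAP bind or VIP check fails even though the shared secret and transport are correct; a burst of failed first-factor authentications for users with accented characters in their passwords is the symptom to look for. The example also shows that only the shared secret keys the hiding, which is why its length and character rules matter.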
RADIUS Access Challenge
Enable Access Challenge
Select Yes to enable RADIUS Access Challenge. Enabling RADIUS Access Challenge causes the Validation server to have the VIP Service send a security code to users during validation. Users must provide the security code to complete validation.
Challenge Timeout
Set the time (in seconds) that the RADIUS server waits for the user to enter a security code. This value must be from 10 through 300 seconds.
VIP Push Authentication
Enable VIP Push
Select Yes to enable VIP Push authentication. Enabling VIP Push authentication allows the Validation server to have the VIP Service send a VIP Push notification to users during validation, in place of a security code. Users can approve the VIP Push notification to complete validation.
VIP Push Title
Enter a title to display in the VIP Push notification. The title must be no more than 32 characters.
VIP Push Text
Enter the text that appears in the body of the VIP Push notification. The text must be no more than 256 characters.
Remote Access Service Name/URL
Enter the name or URL for the remote access service (such as the web server, application server, VPN, or similar) where you want to use VIP Push to authenticate your users.
The name or URL you set here is displayed in the user's security code prompt.
VIP Authentication Timeout
Set the maximum time (in seconds) that is allowed to complete second-factor authentication using VIP Access Push. This value must be from 10 through 300 seconds.
Enable Number Challenge
Set whether to use a number challenge when authenticating your end users. Number challenge requires end users to enter the challenge number displayed by your application into the push notification on their mobile device.
Number challenge must be enabled in VIP Manager, and the end user must be using a device capable of receiving a challenge number.
Number Challenge Message
Customize the text that your end users see when authenticating to your web application if number challenge is enabled. You must include the string %d in your message. VIP replaces %d with the challenge number. The message cannot exceed 256 characters.
Enforce Local Authentication
Use this setting if your organization requires additional device authentication mechanisms to meet security requirements. The user is then prompted for additional device credentials such as Touch ID, PIN, pattern, password, or fingerprint.
First-Factor Authentication
Enable First Factor
Select this check box to enable first-factor authentication.
Authentication on
Select whether to perform first-factor authentication against users in the local enterprise data store (Enterprise) or the user store residing in VIP Services (VIP Services). By default, Enterprise is selected.
Authentication Sequence
Select the order of the authentication methods that the Validation server uses to authenticate users.
  • LDAP Password + VIP Authentication: The Validation server authenticates the LDAP Password first, and then performs VIP authentication. (This setting is the default.)
  • VIP Authentication + LDAP Password: The Validation server performs VIP authentication first, and then the LDAP Password. Users will not receive security codes on the configured out-of-band parameters such as SMS and Voice. However, if the Validation server is in Business Continuity mode and Access Challenge is enabled, the challenge for security code continues to work.
The specific VIP authentication method is decided based on the configuration of the Validation server. If you enable VIP Push Authentication, the Validation server uses VIP Push for VIP authentication. Otherwise, the Validation server uses the security code for VIP authentication.
User Store Configuration
User Resides in User Store
Select Yes to configure the specific user stores that are searched for the LDAP user. VIP Enterprise Gateway uses the LDAP attribute value as the VIP User Name. This VIP User Name is used for second-factor authentication, along with the security code or VIP Push authentication. If no user stores are selected, VIP Enterprise Gateway searches for users in all configured user stores.
This field appears only when you edit an existing user store that is configured in one of the following modes:
  • User ID - LDAP Password - Security Code
  • User ID - LDAP Password - Security Code (RADIUS Access Challenge mode)
Enable User Store data for Out-of-Band
Select this check box to use LDAP attribute values, such as phone number or email address, to send a security code through an out-of-band channel (SMS, Voice call, or email). This security code is used for second-factor authentication.
User Store
Select the user store or user stores to use for out-of-band data from the drop-down list. If you have not configured a user store, you must add a user store.
Business Continuity
Business Continuity
Select one of the following Business Continuity modes:
  • Disabled: Business Continuity is off. The Validation server does not detect connectivity issues, and no action is taken if connectivity goes up or down.
  • Automatic: The Validation server detects connectivity issues automatically. If it cannot reach the VIP Authentication Service, the Validation server uses only first-factor authentication, and users can log on with just a valid LDAP user name and password, based on the Validation server configuration. When connectivity is restored, the Validation server switches back to two-factor authentication automatically.
  • Notify Only: VIP Enterprise Gateway notifies the administrator by email when it gains or loses connectivity. In this mode, VIP Enterprise Gateway does not switch into or out of Business Continuity mode.
  • Enabled: Business Continuity runs in manual mode. You must switch to Business Continuity mode yourself if the Validation server suffers connectivity issues.
Make sure that the Health Check service is enabled and running when you start your Validation server. To receive emails when VIP Enterprise Gateway switches into and out of Business Continuity mode, configure the email template on the Settings > Health Check Settings page.
Delegation
Enable Delegation
Select this check box if you want to create a delegation server that sends authentication requests to a third-party authentication solution. If more than one delegation server is configured, the additional servers act as failover servers, not as load balancers.
Retries
Select the number of times VIP Enterprise Gateway attempts to connect to the delegation server.
Timeout
Select the amount of time (in seconds) that VIP Enterprise Gateway waits for the delegate Validation server to respond to each retry.
Local IP
Enter the local IP address (in IPv4 format) of the machine hosting the delegate Validation server.
Host Name
Enter the fully qualified domain name of the delegate server.
Port
Enter the port for the machine hosting the delegate server. Choose any unused port number from 1 through 65535. The default is 1812.
Choose a port number that does not conflict with another component or service. If you choose a port number that is already in use by another component or service, the Validation server does not send validation requests to the delegate server.
RADIUS Shared Secret
Enter the RADIUS shared secret used to access the delegate server.
LDAP to RADIUS Mapping
Configure LDAP to RADIUS Mapping
Select this check box if you want to enable LDAP to RADIUS mapping.
If you enable LDAP to RADIUS mapping, you must also add the LDAP to RADIUS mapping.
RADIUS Mapping Attribute
Select the RADIUS attribute from the drop-down list. The attribute can be Class (the most common choice for VPN devices such as Cisco) or an option you define with your VPN administrator.
If you select Vendor specific, you must also define the following settings for your VPN vendor by clicking Customize vendor specific attributes:
  • Vendor ID: Select from the provided vendors (Cisco or Juniper), or select Other to configure a custom vendor and enter the vendor ID (as an integer).
  • Vendor Type: Enter the vendor type as an integer.
Refer to your vendor documentation for details on vendor IDs and vendor types.
For example, select Cisco as the vendor and enter 1 as the vendor type. If the LDAP query returns the value ACS:CiscoSecure-Group-Id=37, the RADIUS response includes a Cisco vendor-specific AV-Pair attribute with the value ACS:CiscoSecure-Group-Id=37.
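What that Cisco AV-Pair looks like on the wire, and how the Data Type setting changes it, is shown by the following added example (not Symantec's code and not part of VIP Enterprise Gateway). It encodes and parses a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) using the vendor-type/vendor-length sub-format, with Cisco's IANA enterprise number 9 and vendor type 1 for Cisco-AVPair; the LDAP result it maps is constructed sample data, and the small mapping record is a hypothetical shape chosen for the example, not the product's own configuration format.

```python
import struct

# Added example: RADIUS Vendor-Specific attribute (RFC 2865 section 5.26) as produced by an
# LDAP to RADIUS mapping. Not Symantec's code.
VENDOR_SPECIFIC = 26
VENDOR_ID_CISCO = 9        # IANA private enterprise number for Cisco
CISCO_AVPAIR = 1           # Cisco vendor type 1 = Cisco-AVPair


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: Type, Length, Vendor-Id, Vendor-Type, Vendor-Length, data."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)      # Data Type "integer": 32-bit, network byte order
    else:
        payload = value.encode("utf-8")         # Data Type "string"
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    length = 2 + 4 + len(sub)                   # Type + Length + Vendor-Id + sub-attribute
    if length > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, length, vendor_id) + sub


def parse_vsa(data):
    """Decode a Vendor-Specific attribute; returns (vendor_id, vendor_type, raw_value)."""
    if len(data) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    attr_type, length, vendor_id = struct.unpack("!BBI", data[:6])
    if attr_type != VENDOR_SPECIFIC or length != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_type, vendor_len = struct.unpack("!BB", data[6:8])
    if vendor_len != length - 6:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, data[8:length]


def map_ldap_to_radius(ldap_value, mapping):
    """Apply one hypothetical mapping record {vendor_id, vendor_type, data_type} to an LDAP value."""
    value = int(ldap_value) if mapping["data_type"] == "integer" else ldap_value
    return build_vsa(mapping["vendor_id"], mapping["vendor_type"], value)


if __name__ == "__main__":
    # Constructed LDAP result, matching the example on this page.
    mapping = {"vendor_id": VENDOR_ID_CISCO, "vendor_type": CISCO_AVPAIR, "data_type": "string"}
    vsa = map_ldap_to_radius("ACS:CiscoSecure-Group-Id=37", mapping)
    print(vsa.hex())
    print(parse_vsa(vsa))
```

The parser's length checks matter on the receiving side: a VSA whose vendor-length disagrees with the outer length is the kind of malformed attribute a RADIUS client should reject rather than read past, so a gateway that validates its own output this way will not emit something a strict VPN device drops silently.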
Data Type
Select the data type (string or integer) for the LDAP query data that is returned in the RADIUS response.
Add New link
Select this link to add a RADIUS to LDAP mapping.