Validation server configuration settings
A Validation server can take the following configuration settings.
Enter the following settings to configure your Validation server. Not all settings are displayed; which ones appear depends on whether the configuration is a custom configuration or a pre-defined configuration, and on which application you chose.
Field | Description |
|---|---|
Server Information | |
Server Name | Enter a name for the new validation server. The name must not include any spaces. The only characters that are allowed are numbers, letters, dashes (-), and underscores (_). |
Local IP | Select the local IP address (in IPv4 format) of this validation server (for example, 192.168.142.100). If the host has multiple IP addresses, select the IP address on which you want the Validation server to listen for network connections. |
Port | Enter the server port number (the default is 1812). If you have other processes (such as IAS on Windows, or a RADIUS server) running on port 1812, you must change the UDP port default or shut down the other server. |
RADIUS Shared Secret | Enter the secret used by the Validation server. Client applications such as VPN gateways need this secret to connect to this Validation server to authenticate the user. The RADIUS Shared Secret must be 7 to 32 characters long and can contain alphanumeric characters. |
Confirm RADIUS Shared Secret | Re-enter the shared secret that you entered in the RADIUS Shared Secret field. |
Logging Level | Set the level of detail that the logs capture. (The default is INFO.) The logging level set here is the level that is used by other VIP Enterprise Gateway components if they are set to the Default log level. You can configure each Validation server to a particular level of logging detail as desired. Select the appropriate level from the drop-down list: |
Log Rotation Interval | Select how frequently you want to create a new log file. The default is 1 day. When a new log file is created, the Validation server archives the old log file and prepends Year-Month-Date to its file name. |
Number of Files to Keep | Select the number of old log files that the Validation server keeps. To determine how many days of log files the server keeps, multiply the Number of Files to Keep by the Log File Rotation Interval. For example, to keep logs for 28 days, select 7 for Log File Rotation Interval and 4 for Number of Files to Keep, or 1 for Log File Rotation Interval and 28 for Number of Files to Keep. After 28 days, the server writes over the oldest archived log file. Archive your log files on another server for auditing purposes; doing so also lets you set the Number of Files to Keep to a lower number. |
Enable Syslog | Select Yes to allow the Validation server to use syslog to write logs to a syslog server. You must configure Syslog Settings (Logs > Syslog Settings) for this feature to work. |
Password Encoding | Specify the format in which the password, which is part of the client's RADIUS request to the validation service, is encoded. The validation service uses the same format to decode the client's password information. On Windows, you can select UTF-8 or Default in the list box. Default represents the default platform encoding value. On Linux, you can either enter UTF-8 or one of the encoding names that the `iconv -l` command returns. |
RADIUS Access Challenge | |
Enable Access Challenge | Select Yes to enable RADIUS Access Challenge. Enabling RADIUS Access Challenge causes the Validation server to have the VIP Service send a security code to users during validation. Users must provide the security code to complete validation. |
Challenge Timeout | Set the time (in seconds) that the RADIUS server waits for the user to enter a security code. This value must be from 10 through 300 seconds. |
VIP Push Authentication | |
Enable VIP Push | Select Yes to enable VIP Push authentication. Enabling VIP Push authentication allows the Validation server to have the VIP Service send a VIP Push notification to users during validation, in place of a security code. Users can approve the VIP Push notification to complete validation. |
VIP Push Title | Enter a title to display in the VIP Push notification. The title must be no more than 32 characters. |
VIP Push Text | Enter the text that appears in the body of the VIP Push notification. The text must be no more than 256 characters. |
Remote Access Service Name/URL | Enter the name or URL for the remote access service (such as the web server, application server, VPN, or similar) where you want to use VIP Push to authenticate your users. The name or URL you set here is displayed in the user's security code prompt. |
VIP Authentication Timeout | Set the maximum time (in seconds) that is allowed to complete second-factor authentication using VIP Access Push. This value must be from 10 through 300 seconds. |
Enable Number Challenge | Set whether to use a number challenge when authenticating your end users. With number challenge, end users authenticate by entering the challenge number that your application displays into the push notification on their mobile device. Number challenge must be enabled in VIP Manager, and the end user must be using a device capable of receiving a challenge number. |
Number Challenge Message | Customize the text that your end users see when authenticating to your web application if number challenge is enabled. You must include the string %d in your message. VIP replaces %d with the challenge number. The message cannot exceed 256 characters. |
Enforce Local Authentication | Enable this setting if your organization requires additional device authentication mechanisms to meet security requirements. The user is then prompted for additional device credentials such as Touch ID, PIN, pattern, password, or fingerprint. |
First-Factor Authentication | |
Enable First Factor | Select this check box to enable first-factor authentication. |
Authentication on | Select whether to perform first-factor authentication against users in the local enterprise data store (Enterprise) or the user store residing in VIP Services (VIP Services). By default, Enterprise is selected. |
Authentication Sequence | Select the order of the authentication methods that the Validation server uses to authenticate users. The specific VIP authentication method is decided by the configuration of the Validation server: if you enable VIP Push Authentication, the Validation server uses VIP Push for VIP authentication; otherwise, it uses the security code. |
User Store Configuration | |
User Resides in User Store | Select Yes to configure the specific user stores that are searched for the LDAP user. VIP Enterprise Gateway uses the LDAP attribute value as the VIP User Name. This VIP User Name is used for second-factor authentication, along with the security code or VIP Push authentication. If no user stores are selected, VIP Enterprise Gateway searches for users in all configured user stores. This field appears only when you edit an existing user store that is configured in one of the following modes: |
Enable User Store data for Out-of-Band | Select this check box to use LDAP attribute values, such as phone number or email address, to send a security code through an out-of-band channel (SMS, Voice call, or email). This security code is used for second-factor authentication. |
User Store | Select the user store or user stores to use for out-of-band data from the drop-down list. If you have not configured a user store, you must add a user store. See Adding a user store. |
Business Continuity | |
Business Continuity | To enable Business Continuity, do one of the following steps: Make sure that the Health Check service is enabled and running when you start your Validation server. To receive emails when VIP Enterprise Gateway switches into and out of Business Continuity mode, configure the email template on the Settings > Health Check Settings page. |
Delegation | |
Enable Delegation | Select this check box if you want to create a delegation server to send authentication requests to a third-party authentication solution. If more than one delegation server is configured, the additional server acts as a failover server, not as a load balancer. |
Retries | Select the number of times VIP Enterprise Gateway attempts to connect to the delegation server. |
Timeout | Select the amount of time (in seconds) VIP Enterprise Gateway should wait for a Validation server to respond to each retry. |
Local IP | Enter the local IP address of the machine hosting the delegate Validation server (in IPv4 format). |
Host Name | Enter the fully qualified domain name of the delegate server. |
Port | Enter the port for the machine hosting the delegate server. Choose any unused port number from 1 through 65535. The default is 1812. Choose a port number that does not conflict with another component or service. If you choose a port number that is being used by another component or service, the Validation server does not send validation requests to the delegate server. |
RADIUS Shared Secret | Enter the RADIUS shared secret used to access the delegate server. |
LDAP to RADIUS Mapping | |
Configure LDAP to RADIUS Mapping | Select this check box if you want to enable LDAP to RADIUS mapping. If you enable LDAP to RADIUS mapping, you must also add the LDAP to RADIUS mapping. |
RADIUS Mapping Attribute | Select from the drop-down list. This attribute can be Class, which is most common for VPN devices such as Cisco, or an option you define with your VPN administrator. If you select Vendor specific, you must also define the following settings for your VPN vendor by clicking Customize vendor specific attributes: Refer to your vendor documentation for details on vendor IDs and vendor types. For example, select Cisco as the vendor and enter 1 as the vendor type. If the LDAP query returned the value ACS:CiscoSecure-Group-Id=37, then the RADIUS response includes a Cisco vendor-specific AV-Pair attribute with the value ACS:CiscoSecure-Group-Id=37. |
Data Type | Select the data type (string or integer) for the LDAP query data that is returned in the RADIUS response. |
Add New link | Select this link to add a RADIUS to LDAP mapping. |
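The Enable Access Challenge and Challenge Timeout rows above describe a two-step RADIUS exchange: the client's first Access-Request is answered with an Access-Challenge carrying a State attribute, and the client then repeats the request with that State and the user's security code. The following Python model of both sides of that exchange is an added example, not VIP Enterprise Gateway code; the packet codes are the RFC 2865 values, while the `ChallengeServer` class, its constructed credential stores, the 16-byte random State and the `run_exchange` client helper are assumptions made for illustration.

```python
"""Constructed model of the RADIUS Access-Challenge exchange described by the
"Enable Access Challenge" and "Challenge Timeout" settings. Added example, not
VIP Enterprise Gateway code: packet codes are RFC 2865 values; the credential
stores and the State value are stand-ins."""
import hmac
import os
import time
from dataclasses import dataclass, field

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


@dataclass
class Packet:
    code: int
    attrs: dict = field(default_factory=dict)   # attribute name -> value


def _matches(expected, provided) -> bool:
    """Constant-time equality that also tolerates a missing value."""
    if expected is None or provided is None:
        return False
    return hmac.compare_digest(expected.encode(), provided.encode())


@dataclass
class ChallengeServer:
    challenge_timeout: int = 60      # seconds; the page allows 10 through 300
    passwords: dict = field(default_factory=lambda: {"alice": "first-factor-pw"})  # constructed
    codes: dict = field(default_factory=lambda: {"alice": "123456"})               # constructed
    pending: dict = field(default_factory=dict)   # State -> (user, time issued)

    def __post_init__(self):
        if not 10 <= self.challenge_timeout <= 300:
            raise ValueError("Challenge Timeout must be 10 through 300 seconds")

    def handle(self, req: Packet, now=None) -> Packet:
        now = time.time() if now is None else now
        user = req.attrs.get("User-Name")
        state = req.attrs.get("State")
        if state is None:
            # Step 1: no State means a fresh request. Check the first factor,
            # then challenge for the security code instead of accepting.
            if not _matches(self.passwords.get(user), req.attrs.get("User-Password")):
                return Packet(ACCESS_REJECT)
            state = os.urandom(16)
            self.pending[state] = (user, now)
            return Packet(ACCESS_CHALLENGE,
                          {"State": state, "Reply-Message": "Enter your security code"})
        # Step 2: the client echoes State and carries the code in User-Password
        # (RFC 2865 section 4.4). State is single-use: pop it whatever the outcome.
        entry = self.pending.pop(state, None)
        if entry is None:
            return Packet(ACCESS_REJECT, {"Reply-Message": "unknown or reused State"})
        pending_user, issued = entry
        if now - issued > self.challenge_timeout:
            return Packet(ACCESS_REJECT, {"Reply-Message": "challenge timed out"})
        if pending_user != user or not _matches(self.codes.get(user), req.attrs.get("User-Password")):
            return Packet(ACCESS_REJECT, {"Reply-Message": "security code rejected"})
        return Packet(ACCESS_ACCEPT)


def run_exchange(server, user, password, code, delay=0.0, start=1_000_000.0) -> int:
    """Client side of the flow; `delay` is how long the user takes to enter the code."""
    first = server.handle(Packet(ACCESS_REQUEST, {"User-Name": user, "User-Password": password}), now=start)
    if first.code != ACCESS_CHALLENGE:
        return first.code
    answer = Packet(ACCESS_REQUEST,
                    {"User-Name": user, "User-Password": code, "State": first.attrs["State"]})
    return server.handle(answer, now=start + delay).code


if __name__ == "__main__":
    srv = ChallengeServer(challenge_timeout=60)
    print(run_exchange(srv, "alice", "first-factor-pw", "123456"))            # 2, Access-Accept
    print(run_exchange(srv, "alice", "first-factor-pw", "123456", delay=61))  # 3, timed out
```

Three properties of the model matter for a deployment: the challenge expires after the configured Challenge Timeout, each State value is accepted once, and the second request must name the same user the challenge was issued to, so a State cannot be replayed or carried across accounts.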
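The LDAP to RADIUS Mapping rows above say the LDAP value is returned either in a Class attribute or in a vendor-specific AV-Pair, with the Data Type setting choosing string or integer. The following Python code is an added example of what those attributes look like on the wire, not the gateway's code: Class is RADIUS attribute type 25 and Vendor-Specific is type 26 (RFC 2865 section 5.26); vendor ID 9 is the IANA enterprise number assigned to Cisco, and vendor type 1 together with the LDAP value ACS:CiscoSecure-Group-Id=37 are taken from the page's own example. The function names are assumptions.

```python
"""Added example of the RADIUS encoding behind the LDAP to RADIUS mapping:
a Class attribute (type 25) and a Vendor-Specific attribute (type 26, RFC 2865
section 5.26) carrying a Cisco AV-Pair. Not VIP Enterprise Gateway code."""
import struct

CLASS = 25
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco


def _to_radius_value(ldap_value: str, data_type: str) -> bytes:
    """Apply the mapping's Data Type: RADIUS integers are 4-byte big-endian."""
    if data_type == "integer":
        return struct.pack("!I", int(ldap_value))
    if data_type == "string":
        return ldap_value.encode("utf-8")
    raise ValueError("Data Type must be 'string' or 'integer'")


def encode_class(ldap_value: str, data_type: str = "string") -> bytes:
    """Type-Length-Value; Length counts the two header bytes and fits in one byte."""
    value = _to_radius_value(ldap_value, data_type)
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", CLASS, 2 + len(value)) + value


def encode_vsa(ldap_value: str, vendor_id: int, vendor_type: int, data_type: str = "string") -> bytes:
    """Vendor-Specific: outer TLV, 4-byte Vendor-Id, then the vendor's own TLV."""
    value = _to_radius_value(ldap_value, data_type)
    if len(value) > 247:     # 255 - 2 (outer header) - 4 (Vendor-Id) - 2 (vendor header)
        raise ValueError("vendor value too long for a single RADIUS attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + len(inner), vendor_id) + inner


def decode_vsa(attr: bytes):
    """Parse one Vendor-Specific attribute; returns (vendor_id, vendor_type, value).
    Length fields are checked against each other so a malformed attribute is
    rejected instead of being read past its end."""
    if len(attr) < 8:
        raise ValueError("truncated Vendor-Specific attribute")
    attr_type, length, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != VENDOR_SPECIFIC or length != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_len != len(attr) - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, attr[8:]


if __name__ == "__main__":
    # The page's example: Cisco, vendor type 1, LDAP value ACS:CiscoSecure-Group-Id=37
    attr = encode_vsa("ACS:CiscoSecure-Group-Id=37", CISCO_VENDOR_ID, 1)
    print(attr.hex())
    print(decode_vsa(attr))
    print(encode_class("37", "integer").hex())
```

When choosing Data Type, note that a value such as 37 becomes four bytes when mapped as an integer but two ASCII bytes when mapped as a string; the VPN device's dictionary decides which form it expects, so a mismatch here shows up as an ignored or misparsed group assignment rather than an error.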