Configuring the Agent
This section describes the steps to configure an Auth Node in the SafeNet server and explains the management console settings to configure various options available within the agent.
Configuring Auth Node in SafeNet server
An Auth Node enables you to configure the macOS Logon agent so that it can send authentication requests to your Virtual Server in the SafeNet server. To add an Auth Node, perform the following steps:
1. Click Virtual Servers > Comms > Auth Nodes (Module) > Auth Nodes (Task).
2. Click Add to add an Auth Node.
   You can click Change Log to view the last five changes to Auth Nodes.
   Note
   The number of Auth Nodes that can be added is limited to the Max. Auth Nodes value entered in On-Boarding > Services. For more information, refer to the SAS Service Provider Administrator Guide. To increase this value, contact your Service Provider.
3. The Add Auth Node section displays. Complete the fields provided to accurately describe the Auth Node.
   - Auth Node Name — Enter a descriptive name of the device that can be used to indicate the vendor and model of the Auth Node product.
   - Resource Name — Identifies in a push notification which authentication node it relates to, so the user can be sure they are authenticating to a valid node. By default, this is the Auth Node Name. Unlike the Auth Node Name, the Resource Name does not have to be unique.
   Note
   If authentication nodes are shared, the Resource Name is inherited from the parent account. If authentication nodes are shared with child accounts, make sure that the Resource Name is also meaningful to users of those child accounts.
   - Host Name — Indicates the FQDN (Fully Qualified Domain Name) of the Auth Node. This entry is optional.
   - IP Address — Indicates the external IP address of the agent (that is, the address from which the Accounts virtual server will receive authentication requests). This field must conform to IPv4 or IPv6 address standards.
4. Click Save to save your changes or click Cancel to discard your changes.
The Auth Nodes section lists the configured Auth Nodes. Click Edit to edit and Remove to remove the corresponding Auth Node configuration.
Configuring Settings within the Agent
Use the SafeNet Logon Configuration to configure various options available within the agent. To configure settings, the following tabs are available:
Settings
This tab deals with the connection options for the SafeNet server.
Choose Authentication Options
Authentication options are used in the process of authenticating information received from authentication sources.
- Turn on agent: This option is used to enable or disable the agent. Default: Disabled
- Bypass strong authentication for domain administrators: This option allows the following user groups to be exempt from SafeNet authentication during login. Default: Enabled
– Domain Admins
– Administrators
– Enterprise Admins
– Schema Admins
– DNS Admins
Note
- Nested groups are not supported.
- Local Admins cannot be exempted from OTP.
- Allow use of emergency passwords: This feature allows authentication using an emergency password in offline mode. Default: Enabled
- Automatically trigger MobilePASS+ Push, GrIDsure or SMS/Email authentication: Select this option to trigger the challenge automatically. If this option is not selected, the user must submit an empty passcode manually to use MobilePASS+ Push, GrIDsure or SMS/Email authentication. Default: Enabled
Submit the username in one of the following formats:
Select one of the following formats, based on the user synchronization between AD and STA:
- username: Selecting this option validates the username as it is synced in the SafeNet server. Default: Enabled
- domain\username (NetBIOS format): Select if the username exists in the SafeNet server with the domain prefix. Default: Disabled
- username@domain.com (UPN format): Select if the username exists in the SafeNet server with the @domain suffix. Default: Disabled
Note
After an upgrade, the latest version of the MLA agent resets the username format to the default (username).
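The following Python sketch is an added example, not the agent's own code or anything shipped by Thales, that shows how the two settings above (the domain-administrator bypass and the username format) interact at logon. The name typed at the login window is parsed from whichever of the three formats it is in and rewritten into the format configured for the SafeNet server, and the bypass is evaluated against direct group memberships only, so a user whose group is nested inside Domain Admins, or a local administrator, is still challenged for OTP as the notes state. The single-domain assumption (one NetBIOS name, one DNS name), the `AgentSettings` and `LogonUser` types and the sample accounts are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Groups listed under "Bypass strong authentication for domain administrators".
BYPASS_GROUPS = frozenset({
    "Domain Admins", "Administrators", "Enterprise Admins",
    "Schema Admins", "DNS Admins",
})

USERNAME_FORMATS = ("username", "netbios", "upn")


@dataclass(frozen=True)
class AgentSettings:
    bypass_domain_admins: bool = True       # page default: Enabled
    username_format: str = "username"       # page default: username
    netbios_domain: str = "CORP"            # assumed single domain (constructed)
    dns_domain: str = "corp.example.com"    # assumed DNS name of that domain (constructed)

    def __post_init__(self):
        if self.username_format not in USERNAME_FORMATS:
            raise ValueError(f"unknown username format: {self.username_format!r}")


@dataclass(frozen=True)
class LogonUser:
    """What the agent can observe about the account attempting to log on."""
    typed_name: str                 # exactly what was entered at the login window
    is_domain_account: bool         # False for a local macOS account
    direct_groups: FrozenSet[str]   # direct memberships only; nested groups are not expanded


def parse_login_name(raw: str) -> Tuple[str, Optional[str]]:
    """Split 'user', 'DOMAIN\\user' or 'user@domain' into (user, domain-or-None)."""
    raw = raw.strip()
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
    elif "@" in raw:
        user, _, domain = raw.rpartition("@")
    else:
        user, domain = raw, None
    if not user or domain == "":
        raise ValueError(f"malformed login name: {raw!r}")
    return user, domain


def server_username(raw: str, settings: AgentSettings) -> str:
    """Rewrite the typed name into the format configured for the SafeNet server."""
    user, _ = parse_login_name(raw)
    if settings.username_format == "username":
        return user
    if settings.username_format == "netbios":
        return f"{settings.netbios_domain}\\{user}"
    return f"{user}@{settings.dns_domain}"


def requires_otp(user: LogonUser, settings: AgentSettings) -> bool:
    """True when the agent must request SafeNet authentication for this logon."""
    if not settings.bypass_domain_admins:
        return True
    if not user.is_domain_account:
        return True                 # local admins cannot be exempted from OTP
    # Only direct memberships count: a user whose group is nested inside
    # Domain Admins is not exempt, because nested groups are not supported.
    return not (user.direct_groups & BYPASS_GROUPS)


def prepare_logon(user: LogonUser, settings: AgentSettings) -> dict:
    """Decide which name to send to the server and whether to challenge for OTP."""
    return {
        "server_username": server_username(user.typed_name, settings),
        "otp_required": requires_otp(user, settings),
    }


if __name__ == "__main__":
    # Constructed sample accounts; "Helpdesk Admins" is imagined as nested under Domain Admins.
    settings = AgentSettings(username_format="upn")
    samples = [
        LogonUser("CORP\\alice", True, frozenset({"Domain Admins", "Domain Users"})),
        LogonUser("bob@corp.example.com", True, frozenset({"Helpdesk Admins"})),
        LogonUser("localadmin", False, frozenset({"Administrators"})),
    ]
    for s in samples:
        print(s.typed_name, "->", prepare_logon(s, settings))
```

The point of the `requires_otp` branch order is that the bypass never widens beyond what the agent can see directly: if the directory later nests a new group under Domain Admins, members of that group keep getting challenged until they are added to a listed group explicitly.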
Load Your Configuration File
- STA configuration: [Default] This option enables configuration of the macOS Logon agent using STA. It requires a unique agent configuration file. After the agent is configured using this option, the SAS PCE configuration option is disabled.
  – Configuration file: Use this setting to select the agent configuration file that you previously downloaded from the Download and Deploy section in STA. Click Browse to specify the location of the agent's configuration file.
Note
For more information, refer to SafeNet Agent for macOS Logon STA documentation.
- SAS PCE configuration: Select this option to configure the agent using SAS PCE. It requires a unique BSID key file.
  – Primary Server: Enter the hostname of the primary SafeNet server.
  – Secondary Server: Enter the hostname of the secondary SafeNet server.
  – Check SSL certificate: If selected, the agent validates the certificate presented by the SafeNet server. The SSL certificate check is enabled by default.
  – Agent BSID key: This setting specifies the location of the agent's BSID key file. Click Load from file to select the file. To use the AES-GCM key standard, the administrator needs to download a new Agent.bsidkey file from the SafeNet server. Perform the following steps:
    1. Log in to your SafeNet server account, and navigate to COMMS > Authentication Processing.
    2. Under Task list, click the Authentication Agent Settings link and download the Agent.bsidkey file.
    3. Click Browse to update the Agent.bsidkey file at SafeNet Agent Configuration > Settings > Agent BSID key.
Note
- If you want to upgrade, you can select STA configuration later. There is no need to uninstall the agent explicitly.
- If you select STA configuration, the agent cannot be configured for SAS PCE.
Check Connectivity
Under this section, click Test to run a communication test to verify the connection to the SafeNet server.
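To make visible what a connection test of this kind exercises, here is an added Python example (not the agent's own code or anything shipped by Thales). It opens a TLS session to a configured server and, with the equivalent of the Check SSL certificate setting on, validates the certificate chain against the system trust store and requires the certificate to match the hostname; the weak branch with the check cleared is included beside it so the difference is clear: without the check the test cannot distinguish the genuine SafeNet server from any host that presents some certificate. The hostnames, port, the `check_ssl_certificate` parameter and the primary/secondary fallback helper are assumptions for the example.

```python
import socket
import ssl
from typing import Optional


def build_tls_context(check_ssl_certificate: bool) -> ssl.SSLContext:
    """TLS settings equivalent to the agent's 'Check SSL certificate' option."""
    # Default context: verify the chain against the system trust store and
    # require the certificate to match the hostname we connect to.
    ctx = ssl.create_default_context()
    if not check_ssl_certificate:
        # The weak setting: any certificate is accepted, so a host
        # impersonating the server would pass this test unnoticed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_connectivity(host: str, port: int = 443, check_ssl_certificate: bool = True,
                       timeout: float = 5.0) -> dict:
    """Open a TLS session to the server and report what was reached and verified."""
    result = {"host": host, "port": port, "reachable": False,
              "certificate_verified": False, "tls_version": None,
              "subject": None, "error": None}
    ctx = build_tls_context(check_ssl_certificate)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["reachable"] = True
                result["tls_version"] = tls.version()
                result["certificate_verified"] = check_ssl_certificate
                cert = tls.getpeercert()      # empty dict when verification is off
                if cert:
                    result["subject"] = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    except ssl.SSLCertVerificationError as exc:
        # TCP reached the host, but its certificate is untrusted or for another name.
        result["reachable"] = True
        result["error"] = f"certificate rejected: {exc.reason}"
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


def first_working_server(primary: str, secondary: Optional[str], **kwargs) -> Optional[str]:
    """Mirror the Primary/Secondary Server setting: use the secondary only if the primary fails."""
    for host in (primary, secondary):
        if host and check_connectivity(host, **kwargs)["error"] is None:
            return host
    return None


if __name__ == "__main__":
    # Placeholder hostnames; replace them with your own SafeNet server names.
    print(check_connectivity("sas.example.com", check_ssl_certificate=True))
    print(first_working_server("sas-primary.example.com", "sas-secondary.example.com", timeout=3.0))
```

A rejected certificate is reported as reachable but with an error, so the fallback helper never selects a server whose identity could not be verified; a test that only checks TCP reachability would miss exactly that case.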
Test Authentication
This allows administrators to test authentication between the agent and the SafeNet server.
Note
The User Name format needs to be the same as defined for use in the SafeNet server.
Apply Agent Settings
Click Apply or OK to save the agent settings. If authentication has not yet been tested, a confirmation dialog is displayed.
If you click Apply anyway, a dialog box prompting for the administrator password is displayed.
Note
After applying the changes, you must log off before agent authentication takes effect.
Offline
The Offline tab deals with the end-user offline authentication settings. It displays the current number of offline authentication attempts remaining, lets you customize the minimum warning notification threshold, and lets you replenish the offline OTP store manually.
Offline Authentication Settings
The SafeNet Agent for macOS Logon allows users to log in to their workstations when the SafeNet server is not available. It deals with the following end-user offline authentication settings:
- Remaining offline authentication: The number of SafeNet authentications available before the user must authenticate against the SafeNet server or perform a manual replenish. The offline authentication value is a global configuration setting configured within the Policy Admin, Authentication Policy section of the SafeNet Manager. Default Value: 100
- Minimum offline threshold: The user sees a warning to authenticate against the SafeNet server or perform a manual replenish once the remaining count reaches this value. The value may range between 5 and 99. Default Value: 10
Manually Replenish
The offline store is automatically replenished when a user returns and logs in to the corporate network. If the offline store expires while the user is still at a remote location, the Manually Replenish option allows an administrator to refill the user's offline authentication store remotely.
Note
The User Name format needs to be the same as defined for use in the SafeNet server.
To replenish an offline authentication store manually, perform the following steps:
1. Establish a VPN connection to the corporate network.
2. Open the SafeNet Agent for macOS Logon Configuration tool as an administrator.
3. Enter the user's SafeNet credentials in the Username and Passcode fields, and click Authenticate.
4. The SafeNet Agent for macOS Logon contacts the SafeNet server to verify the logon credentials. If the credentials are valid, the offline authentication store is restored; otherwise, the user receives a warning message to retry the authentication attempt.
Logs
This tab sets the logging level and shows the log file location.
Log Level
This setting is used to adjust the logging level. Each log message has an associated LogLevel, which indicates the importance and urgency of the message. Messages are written according to the set LogLevel. At log levels 1, 2 and 3, only the initial connection between the agent and the server and any failed connection attempts are logged.
Drag the pointer on the Logging level adjustment scale to the required level:
- 1 – Critical: [Only critical] Very severe error events that might cause the application to terminate.
- 2 – Error: [Critical and errors] Error events that prevent normal program execution, but might still allow the application to continue running.
- 3 – Warning: [Critical, errors, and warnings] Potentially harmful error events.
- 4 – Info: [Critical, errors, warnings, and information messages] Informational error events that highlight the progress of the application. (Default)
- 5 – Debug: [All available information] Detailed tracing error events that are useful to debug an application. (Recommended)
Log File Location
This shows the location where the log files are saved. The log files are stored at a fixed location: /usr/local/thales/MLA/log.