

How to Disable Advanced Authentication

Advanced authentication flows, authentication methods, and applications are components of Advanced Authentication in the User Console. When a tenant administrator sends a request to disable any one or a combination of these components, the effect of the procedure that you perform as the hosting administrator depends on the components that you disable.

The following diagram shows the various options for disabling all or individual Advanced Authentication components:

This flowchart shows the steps to disable an advanced authentication flow.

Depending on the configuration request from the tenant administrator, perform the required combination of the following tasks:

Remove an Authentication Method from an Application

Remove an authentication method from an application if you do not want to give end users the option of logging in to that application with that authentication method. Other applications to which the same authentication method has been added continue to offer it as a login option.

Follow these steps:

  1. Log in to the User Console.
  2. Select Applications, Applications, Modify Application.
  3. Enter a search string for the Application in which the authentication method has been added, and then click Search.

    The search results appear.

  4. Select the Application, and then click Select.

    The Modify Application screen is displayed.

  5. Click the remove icon (-) in the last column next to the authentication method.
  6. Click Submit.

    The authentication method is removed from the application.

Disable an Authentication Method

Disable an authentication method if you do not want any application to provide end users the option of using that authentication method for logging in.

Note: If you plan to disable an advanced authentication flow, first disable each authentication method that is based on that flow.

Follow these steps:

  1. Log in to the User Console.
  2. Select Applications, Authentication Methods, Modify Authentication Method.
  3. Enter a search string for the authentication method that you want to disable, and then click Search.

    The search results appear.

  4. Select the authentication method, and then click Select.

    The Modify Authentication Method screen opens.

  5. Clear the Enabled check box, and click Submit.

    The Authentication Method is disabled.

More information:

Troubleshooting Advanced Authentication Errors

Disable an Advanced Authentication Flow

Before you disable an advanced authentication flow, you must disable all the authentication methods that are based on that flow.

Note: While disabling an advanced authentication flow, it is optional to disable the underlying credential types.

Follow these steps:

  1. Log in to the User Console.
  2. Select Advanced Authentication, Configure Advanced Authentication Flow.

    The Select Flow Types screen opens.

  3. Use the left arrow icon to move the advanced authentication flow to the Disabled list.
  4. Click Next.

    The Enabled Flow Types screen opens.

  5. Click Finish.

    The advanced authentication flow is disabled.

Disable the Advanced Authentication Manager Role

The Advanced Authentication Manager role is one of the roles that control Advanced Authentication. To disable Advanced Authentication, disable all authentication methods that are based on Advanced Authentication, disable all advanced authentication flows, and then disable the Advanced Authentication Manager role. The outcome is that Advanced Authentication is not available to any application. No further configuration changes can be made to Advanced Authentication until you re-enable the role.

Follow these steps:

  1. Log in to the User Console.
  2. Select Admin Roles, Enable/Disable Admin Role.

    The Enable/Disable Admin Role screen opens.

  3. Clear the Advanced Authentication Manager check box, and click Select.
  4. Click Yes on the next screen that opens.

    The Advanced Authentication service is disabled.

How to Configure CA CloudMinder for RADIUS

CloudMinder 1.5 supports RADIUS. RADIUS offers two-factor authentication for VPN systems protected by CloudMinder. RADIUS is enabled by default, and you configure RADIUS clients as outlined in the following diagram:

Configure a CloudMinder RADIUS Client

As a prerequisite, configure the ArcotID OTP application to use the ArcotID OTP authentication type. To configure a CA CloudMinder RADIUS Client, complete the following tasks:

  1. Review Network Configuration
  2. Add a RADIUS Client
  3. Assign a Default RADIUS Credential Type Resolution Configuration
  4. Update or Delete a RADIUS Client

Review Network Configuration

Review this section before adding RADIUS clients and configuring a firewall and load balancer.

Network

Authentication Manager is not exposed outside the network. A proxy server runs on the web server and forwards authentication requests to it; all requests must go through the proxy.

Ports

AuthMinder runs on the app tier and listens on port 1812 for UDP traffic. The web-tier proxy server listens for client requests on port 1812 and for AuthMinder responses on port 1814. Keep these ports in mind when you configure your firewall and load balancer.

Source NAT

If SNAT is enabled on the web-tier load balancer, map the external IP of each VPN server that sends requests to CA CloudMinder to a unique, static, internal IP. Use that same internal IP when you add the RADIUS client.

Add RADIUS Clients

You can add a RADIUS client for an organization from the Arcot Administration Console.

Follow these steps:

  1. Log in to the Arcot Administration Console http://<server name>:9090/arcotadmin/adminlogin.htm as a global admin.
  2. Click the Organizations tab, and search for the organization.
  3. Select the organization, and click the Webfort Configuration tab.
  4. From the left pane, click RADIUS Client.
  5. From the main window, click Add.
  6. Complete the following:
    RADIUS Client IP Address

    Specifies the IP Address of the RADIUS client through which users authenticate to AuthMinder Server.

    Shared Secret Key

    Specifies the secret key shared between the RADIUS client and the AuthMinder Server.

    Note: Keys must be between 1 and 512 characters.

    Description

    Specifies a short description of the RADIUS client. If you configure multiple clients, the description of each client helps distinguish between clients.

    Authentication Type

    Select In-Band Password.

  7. In the RADIUS Retry Handling section, specify the following:
  8. In the Additional RADIUS Response Attributes section, specify the attributes that you want the AuthMinder Server to include in the response sent to the RADIUS client after successful authentication:
    Attribute ID

    Specify 224.

    Attribute Value

    Specifies the value corresponding to the attribute ID. You can pass static values, user attributes, or a combination of static values and variables. For example, for the user JSmith, you can include the full name in the RADIUS response as:

    Name=$$LNAME$$,$$FNAME$$

    to return:

    224= [Name=Smith, John]

    Note: The mapped attributes FNAME, LNAME, TELEPHONENUMBER, and EMAILADDR can be returned.

  9. In the RADIUS Packet Drop Options section, select the event or events when AuthMinder Server must drop RADIUS packets.
  10. Click Add.

    The RADIUS client is added.
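The two configuration rules above that are easy to get wrong are the response-attribute template (only the mapped attributes FNAME, LNAME, TELEPHONENUMBER and EMAILADDR can be returned) and the Source NAT requirement (each VPN server's external IP maps to a unique internal IP that is the one registered as the RADIUS client). The following Python is an added illustration of those checks, not CloudMinder or AuthMinder code; the $$NAME$$ substitution is modelled from the JSmith example on this page, and the user record, SNAT table and client list are constructed sample data.

```python
import re
from typing import Dict, Iterable, List

# Attribute names the page says can be mapped into the RADIUS response.
MAPPED_ATTRIBUTES = {"FNAME", "LNAME", "TELEPHONENUMBER", "EMAILADDR"}
PLACEHOLDER = re.compile(r"\$\$([A-Z]+)\$\$")


def template_errors(template: str) -> List[str]:
    """Return placeholder names in the template that are not mapped attributes.
    An empty list means every $$NAME$$ marker refers to a returnable attribute."""
    return [n for n in PLACEHOLDER.findall(template) if n not in MAPPED_ATTRIBUTES]


def expand_attribute_value(template: str, user: Dict[str, str]) -> str:
    """Substitute each $$NAME$$ marker with the user's attribute value.
    Unmapped names are rejected up front so a mistyped marker never reaches the client."""
    bad = template_errors(template)
    if bad:
        raise ValueError(f"unmapped placeholder(s): {', '.join(bad)}")
    return PLACEHOLDER.sub(lambda m: user.get(m.group(1), ""), template)


def snat_mapping_issues(snat: Dict[str, str], radius_clients: Iterable[str]) -> List[str]:
    """Check the Source NAT rule: every VPN server external IP maps to a unique
    internal IP, and that internal IP is a configured RADIUS client.
    Returns human-readable findings; an empty list means the mapping is consistent."""
    issues: List[str] = []
    seen: Dict[str, str] = {}          # internal IP -> first external IP using it
    clients = set(radius_clients)
    for external, internal in snat.items():
        if internal in seen:
            issues.append(f"{external} and {seen[internal]} share internal IP {internal}")
        seen.setdefault(internal, external)
        if internal not in clients:
            issues.append(f"{external} maps to {internal}, which is not a configured RADIUS client")
    return issues


if __name__ == "__main__":
    # Constructed sample user matching the page's JSmith example.
    jsmith = {"FNAME": "John", "LNAME": "Smith"}
    print(expand_attribute_value("Name=$$LNAME$$,$$FNAME$$", jsmith))
    # Constructed SNAT table (RFC 5737 documentation addresses) and RADIUS client list.
    snat = {"203.0.113.10": "10.0.0.21", "203.0.113.11": "10.0.0.22", "203.0.113.12": "10.0.0.22"}
    for finding in snat_mapping_issues(snat, ["10.0.0.21"]):
        print(finding)
```

Note that the template as written on the page expands to `Name=Smith,John`; the page's rendered output shows a space after the comma, and whether the server inserts one is not stated here.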

Assign a Default RADIUS Credential Configuration

This section shows you how to assign a default RADIUS credential type resolution configuration.

Follow these steps:

  1. Log in to the Arcot Administration Console as global admin.
  2. Complete the following steps:
    1. Click the Organizations tab.
    2. Search for the organization.
    3. Select the organization from the search results.
    4. Click the Webfort Configuration tab.
  3. From the left pane, click Assign Default Configuration.
  4. For the field ArcotOTP-OATH Profile, select MobileArcotOTPProfile_<TENANT GUID>.
  5. From the ArcotOTP-OATH Policy drop-down list, select MobileArcotOTPPolicy_<TENANT GUID>.
  6. For the field RADIUS Credential Type Resolution Configuration, select VerifyArcotOTP-OATH.
  7. Click Save.

    The default RADIUS credential type resolution configuration is assigned.

Update or Delete a RADIUS Client

If a RADIUS client is configured, the RADIUS Configuration page displays the configured clients in the Configured RADIUS Clients table. You can use this table to update or delete the RADIUS client IP addresses.

Follow these steps:

  1. From the Arcot Administration Console, click the Organizations tab, and search for the organization.
  2. Select the organization, and click the Webfort Configuration tab.
  3. From the left pane, click RADIUS Client.
  4. Log in to the Administration Console.
  5. From the Configured RADIUS Clients section, select the IP address of the machine that requires updates.
  6. Edit the fields as needed, and click the Update or Delete button.