Mobile Access Authentication

Mobile Access has multiple login and authentication options.

User Authentication to the Mobile Access Portal

To enter the Mobile Access portal and get access to its applications, users defined in SmartConsole must authenticate to the Security Gateway. Authentication ensures that a user is who he or she claims to be. Users authenticate using one or more of these authentication schemes:

• Username and password - Users enter a user name and password.
• Client Certificates - Digital Certificates are issued by the Internal Certificate Authority or by a third party OPSEC certified Certificate Authority.
• RADIUS Server - Remote Authentication Dial-In User Service (RADIUS) is an external authentication scheme. The Security Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP for communications with the gateway. RADIUS Servers and RADIUS Server Group objects are defined in SmartConsole.

  For more about configuring a Security Gateway to use a RADIUS server, see the R80.10 Security Management Administration Guide.

• SecurID - SecurID is a proprietary authentication method of RSA Security. An external SecurID server manages access by changing passwords every few seconds. Each user carries a SecurID token, a piece of hardware or software that is synchronized with the central server and displays the current password. The Security Gateway forwards authentication requests by remote users to the ACE/Server.

  For more about configuring a Security Gateway to use SecurID, see the R80.10 Security Management Administration Guide.

• DynamicID One Time Password - DynamicID One Time Password can be required as a secondary or later authentication method (not the first). When this is configured, users who successfully complete the first-phase or phases of authentication are challenged to enter an additional credential: a DynamicID One Time Password (OTP). The OTP is sent by email or text message to a mobile phone, or other mobile communication device.
• Defined on user record (Legacy Authentication) - The authentication method for each user is defined on the user record. For internal users, it is in the Authentication page of the User Properties. For LDAP users, it is on the user record in LDAP.

A user who tries to authenticate with an authentication scheme that is not configured for the Mobile Access gateway will not be allowed to access resources through the gateway.

Configuring Authentication for Pre-R80.x Gateways

Permitted authentication schemes must be configured for each Security Gateway.

On the Security Gateway, configure authentication in the Gateway Properties window of a gateway in Mobile Access > Authentication. If you select an authentication method on this page, that is the method that all users must use to authenticate to Mobile Access. You can configure other authentication methods that users must use for different blades on different pages.

The default authentication scheme is Username and Password.

In the Mobile Access tab in SmartConsole, select Authentication to show an overview of the Mobile Access Security Gateways and their authentication schemes.

On this page you can also configure settings for Two- Factor Authentication with a DynamicID One Time Password. Configure settings for the gateway or global settings that are used for all gateways that do not have their own DynamicID settings.

Requiring Certificates for Mobile Devices on Pre-R80.x Gateways

To require client certificates for mobile devices:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click Mobile Access > Authentication.
3. Make sure that the Authentication Method is one of these options:
   • Username and password
   • RADIUS
   • SecurID
4. From the Certificate Authentication for mobile devices section, click Require client certificate when using ActiveSync applications or Capsule Workspace Mail.
5. Click OK.
6. Install the policy.

Multiple Login Options for R80.xx Gateways

On R80.10 and higher Mobile Access and IPsec VPN gateways, you can configure multiple login options. The options can be different for each gateway and each supported Software Blade, and for some client types. Users select one of the available options to log in with a supported client.

By default, all clients connect with the pre-R80.xx method. When you create new login options, newer clients can see them in addition to the pre-R80.xx option, but older clients cannot.

To see which clients support the new multiple login options, see sk111583.

Each configured login option is a global object that can be used with multiple gateways and the Mobile Access and IPsec VPN Software Blades.

Compatibility with Older Clients

Older clients connect with the same login options available on pre-R80 gateways. If you upgrade all or most clients to versions that support multiple login options, you can block older clients from connecting. After you do this, only clients that support multiple login options can connect to the gateway.

By default, Allow older clients to connect to this gateway is selected in Mobile Access > Authentication. If you clear the option, older clients are blocked.

You can choose if newer clients that support multiple login options can connect with the authentication settings defined for older clients.

Configuring the Authentication Method for Newer Clients

To block newer clients from using the authentication method defined for older clients:

1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.
2. In the Compatibility with Older Clients section, click Settings.

   The Single Authentication Clients Settings window opens.

3. Clear Allow newer clients that support Multiple Login Options to use this authentication method.
4. Click OK.
5. Install policy.

To let newer clients connect to the gateway with the authentication settings defined for older clients:

Select Allow newer clients that support Multiple Login options to use this authentication method.

Configuring Authentication Settings for Older Clients

To let older clients connect to the R80.10 gateway:

1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.
2. Select Allow older clients to connect to this gateway.

   If this is not selected, older clients cannot connect to the gateway.

To change the authentication method for older clients:

1. In the Gateway Properties, select Mobile Access > Authentication or VPN Clients > Authentication.
2. In the Compatibility with Older Clients section, click Settings.

   The Single Authentication Clients Settings window opens.

3. Change the Display Name to change the way the authentication method is shown in SmartConsole.
4. Select an Authentication method.
5. Click Customize to change the description of fields that are shown to users in the login window. See Customize Display Settings.
6. To require DynamicID with the selected authentication method, select Enable DynamicID. After you select this, you must configure the DynamicID settings for the gateway from Authentication > DynamicID Settings > Edit.
7. Define the settings for Capsule Workspace:
   • Select Require client certificate to require Capsule Workspace to always use client certificates.
   • Select Allow DynamicID to require DynamicID in addition to the selected authentication method. After you select this, you must configure the DynamicID settings for the gateway from Authentication > DynamicID Settings > Edit.
8. Click OK.
9. Click OK.
10. Install policy on the gateway.

To configure global DynamicID settings that all gateways use:

1. For each gateway, in Gateway Properties > Mobile Access > Authentication > DynamicID Settings, select Use Global Settings.
2. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartConsole.

   SmartConsole opens and shows the Mobile Access tab.

3. Configure the global settings in Mobile Access tab > Authentication > Two-Factor Authentication with DynamicID.
4. Close SmartConsole
5. Install policy in SmartConsole.

Configuring Multiple Log-in Options

You can configure login options from:

• Gateway Properties > Mobile Access > Authentication
• Gateway Properties > VPN Clients > Authentication
• SmartConsole > Mobile Access tab > Authentication

The login options selected for Mobile Access clients, such as the Mobile Access portal and Capsule Workspace, show in the Mobile Access > Authentication page in the Multiple Authentication Client Settings table.

The login options selected for VPN clients, such as Endpoint Security VPN, Check Point Mobile for Windows, and SecuRemote, show in the VPN Clients > Authentication page in the Multiple Authentication Client Settings table.

To configure multiple login options for Mobile Access Clients:

1. From the Gateway Properties tree of a gateway select Mobile Access > Authentication.
2. In the Multiple Authentication Clients Settings table, see a list of configured login options.

   The default login options are:

   • Personal_Certificate - Require a user certificate.
   • Username_Password - Require a username and password.
   • Cert_Username_Password - Require a username and password and a user certificate.
3. Click Add to create a new option or Edit to change an option. Each configured login option is a global object that can be used with multiple gateways and Software Blades.
4. For each login option select one or more Authentication Factors and relevant Authentication Settings.

   For example, if you select SecurID, select the SecurID Server and Token Card Type. If you select Personal Certificate, select which certificate field the gateway uses to fetch the username. See Certificate Parsing.

5. Select Customize Display to configure what users see when they log in with this option. See Customize Display Settings.
6. Click OK.
7. Use the Up and Down arrows to set the order of the login options.
   • If you include Personal Certificates, it must be first.
   • If you include DynamicID, it cannot be first.
8. On each Login Option > Usage in Gateway, select if the login option is available from:
   • The Mobile Access Portal
   • Capsule Workspace
9. Click OK.

Selecting a Client for a Login Option

For login options created from the Mobile Access > Authentication page, you can select if the login option is available for the Mobile Access Portal, Capsule Workspace, or both.

The login option will only be visible for the clients that you select.

Customize Display Settings

Enter descriptive values to make sure that users understand what information to input. These fields must all be the same language but they do not need to be in English.

• Headline - The title of the login option, for example, Log in with a Certificate or Log in with your SecurID Pinpad.
• Username label - A description of the username that users must enter, for example, Email address or AD username.
• Password label - A description of the password that users must enter, for example, AD password.

Certificate Parsing

When you select Personal Certificate as a Login option, you can also configure what information the gateway sends to the LDAP server to parse the certificate. The default is the DN. You can configure the settings to use the user's email address or a serial number instead.

To change the certificate parsing:

1. In the Multiple Authentication Clients Settings table on the Authentication page, select a Personal_Certificate entry and click Edit.

   The Authentication Factor window opens.

2. In the Authentication Settings area in the Fetch Username from field, select the information that the gateway uses to parse the certificate.
3. Click OK.
4. Install policy.

Deleting Login Options

To permanently delete a Login option:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartConsole.
2. In SmartConsole go to the Mobile Access tab > Authentication page.
3. From the list of login options, select an option and click Delete.

Viewing all Gateways Authentication Settings

To see all gateways and their authentication settings:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartConsole.
2. In SmartConsole go to the Mobile Access tab.
3. From the tree, select Gateways.
4. Click a gateway to see its authentication settings.

Multi-Factor Authentication with DynamicID

Multi-factor authentication is a system where two or more different methods are used to authenticate users. Using more than one factor delivers a higher level of authentication assurance. DynamicID is one option for multi-factor authentication.

Users who successfully complete the first-phase authentication can be challenged to provide an additional credential: a DynamicID One Time Password (OTP). The OTP is sent to their mobile communications device (such as a mobile phone) via SMS or directly to their email account.

On R80.x and higher gateways, DynamicID is supported for all Mobile Access and IPsec VPN clients.

How DynamicID Works

When logging in to the Mobile Access portal, users see an additional authentication challenge such as:

Please type the verification code sent to your phone.

Users enter the one time password that is sent to the configured phone number or email address and they are then admitted to the Mobile Access portal.

On the User Portal sign in screen, the I didn’t get the verification code link shows. If the user does not receive an SMS or email with the verification code within a short period of time, the user can click that button to receive options for resending the verification code.

Administrators can allow users to select a phone number or email address from a list. Only some of the phone number digits are revealed. Users can then select the correct phone number or email address from the list and click Send to resend the verification code. By default, users can request to resend the message three times before they are locked out of the Portal.

Match Word

The Match Word feature ensures that users can identify the correct DynamicID verification code in situations when they may receive multiple messages. Users are provided with a match word on the Login page that will also appear in the correct message. If users receive multiple SMS messages, they can identify the correct one, as it will contain the same match word.

The SMS Service Provider

In r77.30 and lower versions, proxy settings for the SMS service provider were configured in Gateway Properties > Mobile Access > HTTP Proxy.

In R80.10 and higher, this is configured in Gateway Properties > Network Management > Proxy.

To access the SMS service provider, configure the proxy settings on the gateway:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click Network Management > Proxy.
3. Define the Proxy settings.

   If no proxy is defined on this page, no proxy is used for the SMS provider.

Whichever provider you work with, in order for the SMS messages to be sent to users, valid account details must be obtained from the provider and be configured in Mobile Access.

DynamicID Authentication Granularity

You can make multi-factor authentication with DynamicID a requirement to log in to the gateway. Alternatively, you can make DynamicID a requirement to access specified applications. This flexibility gives you different security clearance levels.

To make multi-factor authentication with DynamicID a requirement to access specified applications, configure a Protection Level to require multi-factor authentication, and associate the Protection Level with Mobile Access applications.

In an environment with multiple Mobile Access gateways, make multi-factor authentication a requirement for a specified gateway, configure multi-factor authentication for that gateway.

On R80.x gateways, DynamicID authentication can be part of a login option that is required for the Mobile Access portal or Capsule Workspace, or both.

Basic DynamicID Configuration for SMS or Email

The workflow for basic configuration of two-factor authentication via DynamicID is:

1. Obtaining the SMS provider credentials and/or email settings.
2. Configuring the Phone Directory.
3. Basic SmartConsole Configuration of DynamicID.
4. Testing DynamicID Two-Factor Authentication.

Obtaining the SMS Provider Credentials

Get these required SMS service provider settings from your SMS provider.

• A URL in the format specified by the SMS provider or a valid email address.
• Account credentials:
  • User name
  • Password
  • API ID (optional and may be left empty)

Note - If DynamicID is configured to work with email only, an SMS Service Provider is not necessary.

Configuring the Phone Directory

The default phone number and email search method is that the gateway searches for phone numbers or email addresses in user records on the LDAP account unit, and then in the phone directory on the local gateway. If the phone number configured is actually an email address, an email will be sent instead of an SMS message. The phone number and email search method can be changed in the Phone Number or Email Retrieval section of the Two-Factor Authentication with DynamicID - Advanced window.

Configuring Phone Numbers or Email Addresses in LDAP

If users authenticate via LDAP, configure the list of phone numbers on LDAP by defining a phone number or email address for each user. By default, Mobile Access uses the Mobile field in the Telephones tab. If the phone number configured is actually an email address, an email will be sent instead of an SMS message.

Configuring Phone Numbers or Email Addresses on Each Security Gateway

Configure the list of phone numbers or email addresses on each Mobile Access gateway. For a Mobile Access cluster, configure the directory on each cluster member.

To configure a list of phone numbers on a gateway:

1. Log in to the Mobile Access gateway using a secure console connection.
2. Change to Expert mode: Type expert and then the expert mode password.
3. Backup $CPDIR/conf/dynamic_id_users_info.lst

   Note - If this file does not yet exist, create it.

4. Edit $CPDIR/conf/dynamic_id_users_info.lst, and add to it a list of user names and phone numbers, and/or email addresses. The list must be followed by a blank line. Use this syntax:

   <user name | Full DN> <phone number | email address>

Parameter	Meaning
user name or Full DN	Either a user name or, for users that log in using a certificate, the full DN of the certificate.
phone number	All printable characters can be used in the phone number, excluding the space character, which is not allowed. Only the digits are relevant.
email address	A valid email address in the format user@domain.com

Example of acceptable ways to enter users and their phone numbers or email addresses in $CPDIR/conf/dynamic_id_users_info.lst

bob +044-888-8888 jane tom@domain.com CN=tom,OU=users,O=example.com +044-7777777 CN=mary,OU=users,O=example.com +mary@domain.com

Configuring Multiple Phone Numbers

You can let users choose from multiple phone numbers when resending the verification code.

To configure choice of numbers:

Enter one number in the LDAP directory in the Mobile field and one or more in the gateway configuration file:
$CPDIR/conf/dynamic_id_users_info.lst

Enter multiple phone numbers separated by white space in the gateway configuration file:
$CPDIR/conf/dynamic_id_users_info.lst

For example, user_a 917-555-5555 603-444-4444

Note - If the configuration file does not yet exist, create it.

Basic SmartDashboard Configuration of DynamicID

Configure the Authentication settings to make two-factor authentication necessary for all mobile devices.

This table explains parameters used in the SMS Provider and Email Settings field. The value of these parameters is automatically used when sending the SMS or email.

Parameter	Meaning
$APIID	The value of this parameter is the API ID.
$USERNAME	The value of this parameter is the username for the SMS provider.
$PASSWORD	The value of this parameter is the password for the SMS provider.
$PHONE	User phone number, as found in Active Directory or in the local file on the gateway, including digits only and without a + sign.
$EMAIL	The email address of the user as found in Active Directory or in the local dynamic_id_users_info.lst file on the gateway. If the email address should be different than the listed one, it can be written explicitly. if the file does not exist, create it.
$MESSAGE	The value of this parameter is the message configured in the Advanced Two-Factor Authentication Configuration Options in SmartConsole.
$RAWMESSAGE	The text from $Message but without HTTP encoding.

To configure DynamicID settings for all gateways in SmartConsole:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartConsole.

   SmartConsole opens and shows the Mobile Access tab.

2. From the navigation tree, click Authentication.
3. From the Dynamic ID Settings section, click Edit.
4. Select Challenge users to provide the DynamicID one time password.
5. Fill in the SMS Provider and Email Settings field using one of these formats:
   1. To let the DynamicID code to be delivered by SMS only, use the following syntax:

      https://api.example.com/http/sendmsg?api_id=$APIID&user=
$USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE

   2. To let the DynamicID code to be delivered by email only, without an SMS service provider, use the following syntax:
      • For SMTP protocol:

      mail:TO=$EMAIL;SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

      • For SMTPS protocol on port 465:

      mail:TO=$EMAIL;SMTPSERVER=smtps://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

      • For SMTP protocol with START_TLS:

      mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

      Note – The username and password values must not contain the following characters: /:@;"%

   3. To let the DynamicID code to be delivered by SMS or email, use the following syntax:

      sms:https://api.example.com/sendsms.php?username=$USERNAME&password=
$PASSWORD&phone=$PHONE&smstext=$MESSAGE mail:TO=$EMAIL;
SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;
BODY=$RAWMESSAGE

6. In the SMS Provider Account Credentials section, enter the credentials received from the SMS provider:
   • Username
   • Password
   • API ID (optional)
7. For additional configuration options, click Advanced.
8. Click OK.
9. Click Save and then close SmartConsole.
10. From SmartConsole, install policy.

To configure the Mobile Access Security Gateway to let computers and devices use DynamicID:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click Mobile Access > Authentication.
3. In the Two-Factor Authentication section, configure these settings:
   • For a Security Gateway that uses the global authentication settings, select Global settings.
   • For a Security Gateway that uses different authentication settings, select Custom settings.
   • For mobile devices, select Allow DynamicID for mobile devices.
4. Click OK.
5. Install the policy.

Testing Two-Factor Authentication

To test the two-factor authentication via DynamicID, after completing the configuration:

1. Browse to the URL of the Mobile Access portal.
2. Log in as a user.
3. Supply the gateway authentication credentials.
4. Wait to receive the DynamicID code on your mobile communication device or check your email.
5. Enter the DynamicID code in the portal.

   Make sure that you are logged in to the Mobile Access portal.

Advanced Two-Factor Authentication Configuration

To configure settings for a specified gateway:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click Mobile Access > Authentication.
3. From the Two-Factor Authentication with DynamicID section, click Custom settings for this gateway.
4. Click Configure.

   The Two-Factor Authentication with DynamicID window opens.

To configure global settings for all the gateways:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartConsole.

   SmartConsole opens and shows the Mobile Access tab.

2. From the navigation tree, click Authentication.
3. From the DynamicID Settings section, click Edit.
4. Click Advanced.

   The Two-Factor Authentication with DynamicID window opens.

DynamicID Message

• Message text to be sent to the user

  By default, the text of the message is "Mobile Access DynamicID one time password:". The message can contain the template fields shown in the following table to include the user's name and prompt users to use enter a One Time Password.

  For example, the message could say: $NAME, use the verification code $CODE to enter the portal.

  Parameter	Meaning
  $NAME	User name used in the first phase of authentication to the portal.
  $CODE	Replaced with the One Time Password. By default, $CODE is added to the end of the message.

DynamicID Settings

• Length of one time password is 6 digits by default
• One time password expiration (in minutes) is 5 minutes by default. Ensure there is a reasonably sufficient time for the message to arrive at the mobile communication device or email account, for the user to retrieve the password, and to type it in.
• Number of times users can attempt to enter the one time password before the entire authentication process restarts. By default the user has 3 tries.

Display User Details

• In the portal, display the phone number or email address that received the DynamicID. By default, the phone number to which the SMS message was sent is not shown.

Country Code

• Default country code for phone numbers that do not include country code. The default country code is added if the phone number stored on the LDAP server or on the local file on the gateway starts with 0.

Phone Number or Email Retrieval

• Active Directory and Local File
  Try to retrieve the user details from the Active Directory user record. If unsuccessful, retrieve from the local file on the gateway. The LDAP account unit is defined in the Users and Authentication > Authentication > LDAP Account Units page of the SmartConsole Mobile Access tab. The phone directory on the local gateway is in $CPDIR/conf/dynamic_id_users_info.lst

  Note - If the directory file does not exist yet, create it.

• Active Directory Only
  Retrieve phone numbers from Active Directory user record without using the local file on the gateway. The LDAP account unit is defined in the Users and Authentication > Authentication > LDAP Account Units page of the SmartConsole Mobile Access tab.
• Local File Only
  Retrieve the user details from the local file on the gateway. The phone directory on the local gateway is in $CPDIR/conf/dynamic_id_users_info.lst

Configuring Resend Verification and Match Word

The DynamicID troubleshooting and match word features are configured in GuiDBedit Tool (see sk13009) or dbedit (see skI3301).

The GuiDBedit Tool table to edit depends on the Two Factor Authentication with SMS One Time Password (OTP) setting that you configured in SmartConsole in the Mobile Access Gateway Properties page > Authentication.

• If your DynamicID One Time Password settings are global across all of your gateways (use the global settings configured in the Mobile Access tab is selected), in GuiDBedit Tool select Other > Mobile Access Global Properties.
• If your DynamicID One Time Password settings are configured for a specific gateway (this gateway has its own two-factor authentication settings is selected), in GuiDBedit Tool select network_objects and then select the specific gateway you want to edit.

This table shows the DynamicID features that can be configured, and where in GuiDBedit Tool to configure them.

Feature	Field Name/s to Edit	Value Options
Match Word	use_message_matching_helper	true: match word provided false: match word not provided (default)
Resend message	enable_end_user_re_transmit_message	true: enable resend SMS feature (default) false: disable resend SMS feature
Display multiple phone numbers	enable_end_user_select_phone_num	true: enable option to choose from multiple phone numbers or email addresses when resending the verification code (default) false: one phone number or email address from the LDAP server or local file is used automatically without choice
Conceal displayed phone numbers	Edit both: reveal_partial_phone_num and number_of_digits_revealed	true: conceal part of the phone number or email address (default) false: display the full phone number or email address 1-20: Choose the amount of digits to reveal (default is 4)

After editing the values in GuiDBedit Tool, save the changes, connect to SmartConsole, and install the policy.

Configuring the Number of Times Messages are Resent

By default, users can request to resend the verification code message three times by clicking the I didn’t get the verification code link before they are locked out of the Mobile Access Portal. The number of times the message can be resent is configured using the cvpnd_settings command from the Mobile Access CLI in expert mode.

The instructions below relate to actually resending the verification code message. The number of times users can try to input the verification code is configured in SmartConsole in the Two Factor Authentication Advanced window.

To change the number of times the verification code message can be resent to 5, run:

cvpnd_settings set smsMaxResendRetries 5

You can replace "5" with any other number to configure a different amount of retries.

After making the changes, run cvpnrestart to activate the settings.

If the Mobile Access gateway is part of a cluster, be sure to make the same changes on each cluster member.

Two-Factor Authentication per Gateway

To configure two-factor authentication Globally on, with custom settings per gateway:

1. Set up basic two-factor authentication.
2. For each Security Gateway, go to Gateway Properties > Mobile Access > Authentication.
3. Do one of these options:
   • To use the global settings - Select Global settings and the global settings are used from the Authentication to Gateway page of the Mobile Access tab. This is the default.
   • To turn off two-factor authentication for the gateway - Select Custom Settings for this Gateway and click Configure. In the window that opens, do not select the check box. This turns off two-factor authentication for this gateway.
   • To activate two-factor authentication for the gateway with custom settings - Select Custom Settings for this Gateway and click Configure. In the window that opens, select the check box. You must then configure custom SMS Provider Credentials for this gateway. Optionally, configure Advanced options.
4. Repeat step 2 to step 3 for all other gateways.
5. Install the policy.

Two-Factor Authentication per Application

To configure two-factor authentication per application:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartConsole.

   SmartConsole opens and shows the Mobile Access tab.

2. Configure basic two-factor authentication.
   1. Configure the phone directory.
   2. Configure the application settings in Mobile Access tab > Authentication.
   3. Configure the Mobile Access Security Gateways to let the mobile devices use DynamicID.
3. Configure the Protection Level.
   1. In the Protection Level window, from the navigation tree click Authentication.
   2. Select User must successfully authenticate via SMS.
   3. Click OK.
4. Assign the protection level to Mobile Access applications that require two-factor authentication.
5. Click Save and then close SmartConsole.
6. From SmartConsole, install the policy.

Changing the SMS Provider Certificates and Protocol

By default, it is recommended to use a secure (https) protocol for communication with the SMS provider. Mobile Access also validates the provider server certificate using a predefined bundle of trusted CAs.

If your SMS provider uses a non-trusted server certificate you can do one of the following:

• Add the server certificate issuer to the trusted CA bundle under $CVPNDIR/var/ssl/ca-bundle/ and run:
  $CVPNDIR/bin/rehash_ca_bundle
• Ignore the server certificate validation by editing $CVPNDIR/conf/cvpnd.C and replacing the SmsWebClientProcArgs value with ("-k").

If your SMS provider is working with the non-secure http protocol, edit the file $CVPNDIR/conf/cvpnd.C and replace the SmsWebClientProcArgs value with ("").

Multiple Log-in Options for Pre-R80 Gateways

On Pre-R80 gateways Multiple Log-in options is called Multiple Realms and is configured in GuiDBedit Tool (see sk13009) or dbedit (see skI3301). It gives support for multiple authentication realms in the Mobile Access Portal. If you use this feature, we recommend that you upgrade your gateways to R80.10 and configure Multiple Login Options for R80.x Gateways in SmartConsole.

If you upgrade your server and gateways to R80.10, see sk115856 for information about upgrading the multi-realms configuration.

If you upgrade your Security Management Server to R80.x and do not upgrade the gateways, reconfigure Multiple Realms in GuiDBedit Tool after the upgrade.

How the Gateway Searches for Users

If you configure authentication for a blade from the main Security Gateway Legacy Authentication page, the Security Gateway searches for users in a standard way when they try to authenticate. The gateway searches in this order:

1. The internal users database.
2. If the specified user is not defined in this database, the gateway queries the User Directory (LDAP) servers defined in the Account Unit one at a time, and according to their priority.

   If more than one Account Unit exists, the gateway searches in all at the same time. With multiple servers, the priority for servers can be set only in the scope of one account unit, but not between several account units.

3. If the information still cannot be found, the gateway uses the external users template to see if there is a match against the generic profile. This generic profile has the default attributes applied to the specified user.

Session Settings

To open the Session window:

1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartConsole.

   SmartConsole opens and shows the Mobile Access tab.

2. From the navigation tree, click Additional Settings > Session.

Simultaneous Logins to the Portal

Having a single user logged in to Mobile Access more than once, from two different locations for example, is a potential security issue.

Simultaneous login prevention enables a gateway to automatically disconnect a remote user who is logged more than once.

When simultaneous login prevention is enabled, and a user's authentication information used to log in from two different computers, only the later login is considered legitimate, and the earlier session is logged out.

Configuring Simultaneous Login Prevention

Simultaneous login prevention is configured in SmartConsole from the Mobile Access tab by selecting Additional Settings > Session.

The options are:

• User is allowed several simultaneous logins to the Portal

  Simultaneous login detection is disabled. This is the default option.

• User is allowed only a single login to the portal
  Inform user before disconnecting his previous session (option not selected)

  The earlier user is disconnected and the later user is allowed. The earlier user is logged out. For Mobile Access portal users, the following message appears: "Your Mobile Access session has timed out. would you like to sign in again now?". The later user is not informed that an earlier user is logged in.

• User is allowed only a single login to the portal selected
  Inform user before disconnecting his previous session (option selected)

  The later user is informed that an earlier user is logged in, and is given the choice of canceling the login and retaining the existing session, or logging in and terminating the existing session. If the existing session is terminated, the user is logged out with the message: "Your Mobile Access session has timed out. would you like to sign in again now?".

Tracking of Simultaneous Logins

To track simultaneous login events, select All Events in the Tracking section of the Additional Settings > Session page.

When the gateway disconnects a user, the gateway records a log of the disconnection, containing the connection information of both logins.

All disconnect and connect events create a corresponding entry in the traffic log. The following values of the authentication status field relate to simultaneous logins:

• Success - User successfully logged in. Existing active sessions were terminated.
• Inactive - User successfully authenticated, but existing sessions need to be terminated prior to logging on.
• Disconnected - An existing user session has been terminated because the same user has logged on to another session.

Simultaneous Login Issues

These issues may arise in connection with simultaneous login:

Endpoint Connect- Simultaneous Login Issues

For Endpoint Connect users, Mobile Access does not prevent simultaneous login. This is equivalent to the User can have several simultaneous logins to the portal option. An Endpoint Connect user cannot log out another user with the same user name, and cannot be logged out by another user with the same user name.

SecureClient Mobile - Simultaneous Login Issues

With User can have only a single simultaneous login to the portal selected and Inform user before disconnecting previous sessions not selected SecureClient Mobile users can be logged off by another user, and can log off other users.

However, the Inform user before disconnecting his previous session option does not work, because no message can be sent to those users. User can be logged off, but cannot log off other users.

Other Simultaneous Login Issues

1. When a session is disconnected by another user and SSL Network Extender application mode client is being used, the SSL Network Extender window remains open, while the session is disconnected. Similarly, when a session is disconnected by another user and Secure Workspace is being used, Secure Workspace remains open, while the session is disconnected.
2. When a session is disconnected by another user and Citrix is being used, the Citrix window remains open, while the session is disconnected.
3. All current sessions are deleted when changing the section from User can have only a single login to the Portal to User is allowed several simultaneous logins to the Portal.

Session Timeouts

Once authenticated, remote users work in a Mobile Access session until they log out or the session terminates. Security best practices provide for limiting the length of active and inactive Mobile Access sessions to prevent abuse of secure remote resources.

Note - Mobile Access uses the system time to keep track of session timeouts. Changing the system time may disrupt existing session timeouts. Therefore, it is recommended to change the system time during low activity hours.

Mobile Access provides two types of session timeouts, both of which are configured in SmartConsole from the Mobile Access tab by selecting Additional Settings > Session.

• Re-authenticate users every is the maximum session time. When this period is reached, the user must log in again. The default value is 60 minutes. Changing this timeout affects only future sessions, not current sessions.
• Disconnect idle sessions after is the disconnection time-out if the connection remains idle. The default value is 15 minutes. When users connect via SSL Network Extender, this timeout does not apply.

Roaming

The Roaming option allows users to change their IP addresses during an active session.

Note - SSL Network Extender users can always change IP address while connected, regardless of the Roaming setting.

Tracking

Configure Mobile Access to log session activity, including login attempts, logouts, timeouts, activity states and license expiration warnings.

Securing Authentication Credentials

Having multiple users on the same machine accessing the Mobile Access portal can be a security hazard. A user logged in to the Mobile Access portal can open a new browser window and get the access of the earlier session. Then the user can browse directly to the Mobile Access portal without entering the login credentials again.

To make sure authentication credentials are not stolen by others, recommend to users that they log off or close all browser windows when done using a browser.

Mobile Access Authentication Use Cases

Use Case: Two-Factor Authentication with Certificates in Pre-R80 Gateways

Select a main authentication method for pre- R80.x gateways. If you also select Require client certificate when using Mobile applications on the Authentication page, you require two-factor authentication for Capsule Workspace users: the main authentication method, and certificate.

With these settings, users authenticate to the Mobile Access portal with only the main authentication method.

Capsule Workspace users receive the certificate information and register only one time. They provide the main authentication method credentials one time per session. Users might also need to enter a passcode, based on settings in the Capsule Workspace Settings in the Mobile Access tab.

To configure two-factor authentication with certificates for mobile devices on pre-R80.x gateways:

1. Open the gateway object.
2. Select Mobile Access > Authentication.
3. Select a main authentication method from these options:
   • Username and Password
   • RADIUS
   • SecurID
4. Select Require client certificate when using Mobile applications or Require client certificate when using ActiveSync applications.
5. Click OK.
6. Install policy.

To configure two-factor authentication with the Mobile Access portal in pre-R80 gateways, see sk86240.

Use Case: Two Factor Authentication with Certificates on R80.x Gateways

You can configure two factor authentication with certificate on an R80.x gateway in these ways:

• Create a new Login Option with Personal Certificate as the first factor and one or more additional methods that you choose as additional factors.
• Use the default Login Option, Cert_Username_Password, which includes a personal certificate as the first factor, and username and password as the second factor.

To create a new multi-factor login option that includes certificates:

1. Open the gateway object.
2. Select Mobile Access > Authentication.
3. In the Multiple Authentication Clients Settings table, click Add to create a new option.
4. Click New.
5. In the Multiple Login Options window, enter the Login Option's Name and Display Name.

   The Display Name represents this Login Option to the user upon login and can be a descriptive name.

6. Under Authentication Methods, click Add to add the first factor.
   1. In the Authentication Factor window, select Personal Certificate. Note that Personal Certificate must be the first authentication factor.
   2. Configure the Authentication settings.
   3. Click OK.
7. Under Authentication Methods, click Add to add the second factor.
   1. In the Authentication Factor window, select RADIUS, SecurID, DynamicID or Username and Password.
   2. Configure the Authentication settings, if necessary.
   3. Click OK.
8. To apply this Login Option only to the Mobile Access portal or only to Capsule Workspace on mobile devices, under Usage in Gateway, select one or both client types.
9. Click OK.
10. Install policy.

To use the built-in default Login Option Cert_Username_Password:

1. Open the gateway object.
2. Select Mobile Access > Authentication.
3. In the Multiple Authentication Clients Settings table, click Add.
4. Select Cert_Username_Password from the list.
5. To apply this Login Option only to the Mobile Access portal or only to Capsule Workspace on mobile devices:
   1. In the Multiple Authentication Clients Settings table, select Cert_Username_Password and click Edit.
   2. Under Usage in Gateway, select one or both client types.
6. Click OK.
7. Install policy.

Note - The Login Options configured in the Multiple Authentication Clients Settings list are only available to clients that support multiple login options. To see which clients support the new multiple login options, see sk111583.

Use Case: Users Selecting a Login Option on R80.x Gateways

When more than one Login Option is configured, and users connect with clients that support Multiple Login Options, users select a Login Option to use when they log in.

In the Mobile Access portal, in the login page, users see a drop-down list with all available login options, shown by their Display Name.

In the Capsule Workspace mobile application, users select the Login Option on the first connection to the gateway. On subsequent connections, the same login option is shown automatically.