To setup MFA for computer logon, complete the following steps.

Build Application 

If you are new to DualShield, then you might want to first refer to the general instruction on how to build an application in DualShield.

Complete the following steps to build an application for computer MFA logon.

Create logon procedure for computer MFA

For computer MFA logon, the type of logon procedure is called Windows. It is named as such due to historical reasons. 

Below is the general guide for creating a logon procedure in DualShield 

In the Admin Console, in the side panel, select "Authentication | Logon Procedure"

Click the "CREATE" button on the toolbar

In the "Name" field, enter a name for this new logon procedure, e.g. "Office 365"

In the "Type" field, select the type of the logon procedure from the drop-down list, e.g. "Web SSO"

Click the "SAVE" button to save it.


Now that a new logon procedure is created, you want to add logon steps.

To add logon steps to a logon procedure or to change logon steps, firstly navigate to the logon procedure.

Navigate to Authentication | Logon Procedures

Click the context menu icon "..." of the logon procedure to be edited, e.g. "Office 365"

Select "Logon Steps" to bring up the logon steps editor

To add a logon step, click the "ADD" button

Select the one or multiple authentication methods that you want to add to this step, e.g. "One-Time Password" 

Click the "SAVE" button to save it

You can change the order of the steps by clicking the "UP" and "DOWN" buttons.

Make sure that the type of the Logon Procedure you have created is Windows 

Once a logon procedure has been created, you need to add logon steps into the newly created logon procedure.

Logon Step for Computer MFA Logon 

The computer 2FA or MFA logon process is a 2-step or multi-step verification procedure. The first step is the AD credential (i.e. AD password) verification, and the second step is the second factor such as one-time passcode etc. The first factor, i.e. AD password, is always required and actually verified by the AD itself, and the second factor, such as an OTP token or FIDO key, is verified by the DualShield MFA server. Therefore, for 2FA, you only need to add one logon step into the logon procedure and you only need to add a second factor into the logon step.

The example below is a logon step that includes 2 authentication options, one-time password and on-demand password, which means that the users will be allowed to authenticate themselves using either of the credentials. 



Create application for computer MFA

In DualShield, an application does not have a type. Therefore, creating an application for any integration is the same. 

In the Admin Console, in the side panel, select "Authentication | Applications"

Select "CREATE" on the toolbar

Select the Realm to be linked to this application, e.g. Deep.Net

Select the Logon Procedure to be used by this application, e.g. Office 365

Click "SAVE" to save the application.



However, you must select a Logon Procedure of type Windows. In the example below, we create an application named "Computer Logon" and select the logon procedure called "Computer Logon" that we have already created.

 


Setup Policies

In the initial stage of deploying MFA across your entire domain and user base, you might not want to enforce MFA on all user accounts on day one. Instead, you might consider enforcing MFA gradually across your user base, in stages. To do so, you need to create a special user group in AD and a couple of logon policies in DualShield. For the simplicity of this guide, let's call this AD group as DualShield MFA group. 

The strategy is that MFA will only be enforced on users who are a member of the DualShield MFA group. All other domain users will be able to continue to login into the domain with password only.

The first step is to create the DualShield MFA group in your AD server. 

Then, create 2 logon policies in your DualShield server. A domain policy and a group policy.

The domain policy is bound to the entire domain, and multi-factor authentication is not required on all users. 

The group policy is bound to the DualShield MFA user group, and multi-factor authentication is required on all users.

Below is an example.

Domain Logon Policy

Option | Value
Category | Logon
Holder | Domain
Domain | Select your AD domain
Name | Describe the purpose of this policy
Apply policy to these applications | Select the application that this policy will be applied to
Authentication | Select "Multi-factor authentication is not required for all users"

Group Logon Policy

Option | Value
Category | Logon
Holder | Group
Domain | Select your AD domain
Group | Select the DualShield MFA group
Name | Describe the purpose of this policy
Apply policy to these applications | Select the application that this policy will be applied to
Authentication | Select "Multi-factor authentication is required for all users"
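To make the staged rollout concrete, here is an added Python model (not DualShield's own code) of how the domain and group policies above combine with the three "Authentication" options of a logon policy. It assumes that a Group-holder policy takes precedence over a Domain-holder policy and that a logon with no applicable policy at all is treated as requiring MFA; neither rule is stated on this page.

```python
"""Model of the staged MFA rollout above (added example, not DualShield code).
Assumptions not on the page: a Group-holder policy beats a Domain-holder policy,
and a logon with no applicable policy is treated as requiring MFA (fail closed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# The three values of the "Authentication" option of a logon policy.
NOT_REQUIRED = "Multi-factor authentication is not required for all users"
TOKENS_ONLY = "Multi-factor authentication is required for users with tokens only"
REQUIRED = "Multi-factor authentication is required for all users"


@dataclass
class LogonPolicy:
    name: str
    holder: str                         # "Domain" or "Group"
    domain: str
    authentication: str                 # one of the three values above
    group: Optional[str] = None         # only meaningful for holder == "Group"
    applications: Tuple[str, ...] = ()  # empty = applies to all applications


@dataclass
class User:
    name: str
    domain: str
    groups: Set[str] = field(default_factory=set)
    has_token: bool = False


def applicable_policies(policies: List[LogonPolicy], user: User,
                        application: str) -> List[LogonPolicy]:
    """Policies whose bindings (domain, group, application) cover this logon."""
    matches = []
    for p in policies:
        if p.domain != user.domain:
            continue
        if p.applications and application not in p.applications:
            continue
        if p.holder == "Group" and p.group not in user.groups:
            continue
        matches.append(p)
    return matches


def mfa_required(policies: List[LogonPolicy], user: User, application: str) -> bool:
    """Decide whether the second factor is demanded for this logon."""
    matches = applicable_policies(policies, user, application)
    if not matches:
        return True                     # assumption: fail closed
    rank = {"Group": 0, "Domain": 1}    # assumption: more specific holder wins
    winner = min(matches, key=lambda p: rank.get(p.holder, 99))
    if winner.authentication == REQUIRED:
        return True
    if winner.authentication == TOKENS_ONLY:
        return user.has_token
    return False


# Constructed sample: the domain and group policies from the tables above,
# both bound to the "Computer Logon" application.
POLICIES = [
    LogonPolicy("Domain: MFA not required", "Domain", "acme.org", NOT_REQUIRED,
                applications=("Computer Logon",)),
    LogonPolicy("Group: MFA required", "Group", "acme.org", REQUIRED,
                group="DualShield MFA", applications=("Computer Logon",)),
]
```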

Below is the general guide for creating a logon policy.

To create or edit a policy, we need to open the policy editor window first.

Select "Administration | Policies" on the side panel.


To create a new policy, click the "CREATE" button on the toolbar to open the policy editor window.


In the policy editor, firstly select Logon from the Category drop-down list

Policy Bindings

Enter or select the following policy bindings:

Holder: The policy holder defines the scope of the policy.

Name: A unique name that describes this policy.

Applications: Optionally, you can bind the policy to a specific application or a list of applications. To specify the application(s), select the field "Apply policy to these applications".

If the field Apply policy to these applications is left empty, then the policy will be applied to all applications. 

Policy Options

Editing the Logon Policy

Logon policy settings can be edited using the following procedure;

  • From the Home page of the Management Console, left click on the menu item "Administration", select "Policies", then in the new tab "POLICIES", select the category "Logon", then click the button;

    The Logon policy settings can now be viewed (or edited) by left clicking on the context menu of the Logon policy, then selecting either "View" or "Edit";


After selecting "Edit", a new window titled "Policy - Edit" will open that can be used to edit the policy settings;




The category for this policy is "Logon" (this property cannot be edited).

The holder of this policy is "System" (this property cannot be edited).

The name assigned to identify the Logon policy by the System Administrator.

The System Administrator may use this field to annotate this policy.

This option allows the System Administrator to enable or disable this policy.


Expandable Sections

The remaining policy settings are grouped into the following expandable sections;

  • The purpose of the section "Authentication" is to provide the system administrator with policy settings that determine when multi-factor authentication is required.



    This setting determines if user authentication is required when logging in;

    • Multi-factor authentication is not required for all users
      This option means that all users will be exempted from 2FA or MFA. This option is typically used to exempt a group of users from 2FA or MFA.

    • Multi-factor authentication is required for users with tokens only
      This option means that users who have a 2FA/MFA token in their account will be enforced to login with 2FA/MFA, while those users who do not have a 2FA/MFA token will be exempted from 2FA/MFA in the logon process.
    • Multi-factor authentication is required for all users

      This option means that all users will be enforced to login with 2FA/MFA

      Please note that users in the context of a policy include users in the scope of the policy only, i.e. the policy holder.

    This option allows the administrator to specify if authentication can be skipped on subsequent logon attempts (for the specified length of time).

    If this value is set to zero, then the feature is disabled, and authentication skipping does not take place.


    If authentication skipping is enabled, this setting will determine if the password is kept (and the second factor skipped), or if all factors are skipped;

    • Skip the second factor and keep the password
      The second factor is skipped, but the password is kept.

    • Skip All factors including the password
      All factors are skipped.

    If this checkbox is ticked, then name guessing will be prevented (the user will not be informed if the username he supplies is known).

    If this checkbox is enabled, then a CAPTCHA will be presented during logon (to ensure a human is supplying the authentication factors).

  • The purpose of the section "IP Filter" is to specify when to allow or deny logon based on the users' IP address.



    This setting determines if user authentication is required when logon attempts are made from the specified IP address;

    • required
      If this option is selected, then the user will be asked to provide multi-factor authentication prior to logging on.

    • not required
      If this option is selected, then the user will not be asked to provide multi-factor authentication prior to logging on.

    This option is used to store the IP Address range that will be subject to the previous option.

    Single IP address or IP ranges, e.g. 192.168.0.1; 192.168.0.10-192.168.0.20

    • IP with proxy: 1.2.3.4[192.168.0.254],
    • IP range with proxy: (1.2.3.0-1.2.3.255)[192.168.0.254],

    Note: 192.168.0.254 is the proxy server

  • The purpose of the section "User Agent Filter" is to specify when to allow or deny logon based on the user agent used by the user.

     


    This setting determines if user authentication is required when logon attempts are made from a matching user agent;

    • required
      If this option is selected, then the user will be asked to provide multi-factor authentication prior to logging on.

    • not required
      If this option is selected, then the user will not be asked to provide multi-factor authentication prior to logging on.

    This setting allows you to list the user agents that this policy will apply to;

    The user agents are listed as a text string (regular expressions are supported).

    e.g. (MacOutlook|Apple-iPhone6C) will match both "MacOutlook" and "Apple-iPhone6C"


  • The purpose of the section "Geo Location Filter" is to specify when to allow or deny logon based on the geographic location of the user.



    This setting determines if user authentication is required when logon attempts are made from the specified IP address;

    • required
      If this option is selected, then the user will be asked to provide multi-factor authentication prior to logging on.

    • not required
      If this option is selected, then the user will not be asked to provide multi-factor authentication prior to logging on.

    After clicking on the icon the following window will open;

    Location details are then supplied that identify which geographic locations (based on IP addresses) the policy will apply to during logon.



  • The purpose of the section "Others" is to provide logon policy settings that don't fit into the other main sections.



    This option determines if passwords can be cached in the browser.

    When set to a non-zero value this policy setting will allow One-Time Passwords to be reused within the specified number of minutes.

    If selected, this checkbox will ensure that the last used login name is remembered on the local client after the user has logged in.

    If selected, this checkbox will ensure that the last used login method is remembered on the local client after the user has logged in.
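The IP Filter address syntax documented above (single address, range, address with proxy, range with proxy) is easy to mistype, so here is an added Python parser and matcher (not DualShield's own code) showing how such entries can be validated and evaluated. It assumes entries are separated by ";" or ",", that a proxy-qualified entry matches only a client arriving through that proxy, and that an unqualified entry ignores any proxy.

```python
"""Parser and matcher for the IP Filter syntax above (added example, not DualShield
code). Assumptions: entries are separated by ';' or ','; a proxy-qualified entry
matches only when the connection arrives via that proxy (the proxy being the peer
the agent sees, the client address coming from a forwarding header); an
unqualified entry matches regardless of proxy."""
import ipaddress
import re
from typing import List, Optional, Tuple

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_ENTRY = re.compile(
    r"^\(?(?P<start>" + _IPV4 + r")"          # first (or only) address
    r"(?:-(?P<end>" + _IPV4 + r"))?\)?"        # optional range end, optional ')'
    r"(?:\[(?P<proxy>" + _IPV4 + r")\])?$"     # optional [proxy]
)

Rule = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, Optional[ipaddress.IPv4Address]]


def parse_ip_filter(text: str) -> List[Rule]:
    """Return (start, end, proxy) tuples; proxy is None for unqualified entries.

    Raises ValueError on malformed entries or reversed ranges so that a typo in
    the policy fails loudly instead of silently matching nothing.
    """
    rules: List[Rule] = []
    for raw in re.split(r"[;,]", text):
        entry = raw.strip()
        if not entry:
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed IP filter entry: {entry!r}")
        start = ipaddress.IPv4Address(m["start"])
        end = ipaddress.IPv4Address(m["end"]) if m["end"] else start
        if end < start:
            raise ValueError(f"reversed range: {entry!r}")
        proxy = ipaddress.IPv4Address(m["proxy"]) if m["proxy"] else None
        rules.append((start, end, proxy))
    return rules


def ip_filter_matches(rules: List[Rule], client_ip: str,
                      proxy_ip: Optional[str] = None) -> bool:
    """True if a logon from client_ip (optionally via proxy_ip) hits any rule."""
    client = ipaddress.IPv4Address(client_ip)
    proxy = ipaddress.IPv4Address(proxy_ip) if proxy_ip else None
    for start, end, rule_proxy in rules:
        if not (start <= client <= end):
            continue
        if rule_proxy is not None and rule_proxy != proxy:
            continue          # proxy-qualified rule: must arrive via that proxy
        return True
    return False


# Constructed sample using exactly the forms the policy editor documents above.
SAMPLE_FILTER = ("192.168.0.1; 192.168.0.10-192.168.0.20; "
                 "1.2.3.4[192.168.0.254], (1.2.3.0-1.2.3.255)[192.168.0.254],")
```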


Install Logon Agent

DualShield Computer Logon Agent is a bridge that connects DualShield Computer Logon clients and the DualShield Authentication Server. 

The Windows Logon Agent can be installed on any Windows server machine in the network. For a small or medium system, you can install the computer logon agent on the same machine where your DualShield authentication server is installed and running. Please note, you should not install the logon agent on a client PC.

Prerequisites

Before you run the setup wizard, you must have your DualShield Authentication Server installed and operating, and make sure that the computer on which you are going to install the Windows Logon Agent meets the following minimum hardware and software requirements:

  • A Windows 2008 R2, 2012 R2, 2016 or 2019 Server with the latest service pack installed.
  • TCP/IP Networking
  • TCP ports 8086, 8088 and 12841 must be available on the Windows server for use by the DualShield Computer Logon Agent.

Install DualShield Computer Logon Agent 

To install the DualShield Computer Logon Agent, launch the installer Computer-Logon-Agent-Installer-xxx.yyyy.exe (where xxx is the version number and yyyy the build number) and go through the following steps:

Step 1: Welcome

Step 2: License Agreement

Step 3: Installation Path

Step 4: Installation Completed




Register Logon Agent

After the DualShield Computer Logon Agent has been successfully installed, it needs to be set up first.

On the machine where the Logon Agent is installed, start a Web browser, enter "http://localhost:8086" in the address bar and go through the following steps:

Step 1 - Agent Console FQDN

The admin console of the Logon Agent is a web portal, therefore it needs to have a hostname, or fully qualified domain name (FQDN). By default, the full computer name is suggested as the Agent's hostname. 

Step 2 - Server FQDN

Server FQDN: Enter the FQDN of your DualShield authentication server

Click "Next" to continue

Step 3 - Agent Registration

In order to register the Logon Agent with the Authentication Server, we need to first enable the Agent Registration option.

For an authentication agent to be able to connect to the DualShield authentication server, the agent must be registered in the DualShield authentication server.

For security purposes, the agent registration function is disabled by default. You need to enable the Agent Auto Registration function in your DualShield authentication server.

From the management console, navigate to "Authentication | Agents", then click the button that opens the "Auto Registration" window.

In the "Auto Registration" window, tick the "Enabled" option first, then fill in the Starts and Expires dates.

You may want to enable the "Check IP" option for extra security. If this option is enabled, then in the "IP Addresses" field you must enter the IP address of the machine where the authentication agent is being installed.

Save the settings; the agent can now register itself automatically when you continue with this step.

Agent Name: An agent name is only used to describe the agent. If you are going to install multiple agents, make sure that you give each agent a distinctive and easy to identify name.

Click "Next" to continue

Step 4 - Service Provider Setup

For security,  the agent console will require user authentication, therefore it needs to be registered with your DualShield SSO as a service provider. 

Please note, if you are installing multiple logon agents, then you need to make sure that every agent has its own service provider. In other words, a service provider cannot be shared by multiple agents.

If this is the very first time that you're setting up this agent, click the "Create New Service Provider" button to create a new service provider for this agent.

A service provider needs to be associated with an application in your DualShield server. 

Please note that, unlike a service provider, which should not be shared by multiple agents, an application can be shared and generally should be shared by all logon agents.

If this is the very first time that you're setting up an agent, select the existing "Management Console" application from the application list. Do not create a new application. 

Now, click the "Create" button to create a new service provider for this agent

Click "Next" to continue

Step 5 - Completion

The agent has now been successfully registered. 

Click "Finish" to continue. The agent admin console will be launched

Step 6 - Set up Agent Application

Sign in to the admin console

Click "Agent" in the main menu on the top

In the Computer Logon section, from the application list, select the application that you have set up earlier for computer logon, e.g. Computer Logon

Click the "Save" button in the Computer Logon section.

You have now completed the agent registration and application setup.

Discover Logon Agent

The DualShield computer logon clients are designed to be installed and running without the need for configuration by the user. Therefore, the logon clients need a way to automatically discover the logon agents.

The way that the logon client locates the logon agent is by DNS lookup. The logon client will look up a hostname called “dsagent” in the domain's DNS server. For instance, if the domain name of your organization is “acme.org” then it will look for “dsagent.acme.org” 

The diagram below illustrates the data flow of the computer logon process

In order for the computer logon client to discover the logon agent, you must add the hostname "dsagent" to your DNS server.

For the purpose of redundancy, you might want to install multiple instances of the Logon Agent. In that case, you must add multiple entries of the "dsagent" hostname in the domain DNS server. 


Install Logon Client

Windows Logon Client

Download the installer file windows-computer-client-client.msi, and execute it to initiate the installation (where x.y.z is the version and build number, e.g. 1.0.0)



Mac Logon Client

Download the installer file mac-computer-client-client.pkg, and execute it to initiate the installation (where x.y.z is the version and build number, e.g. 1.0.0)



Linux Logon Client

DualShield Computer Logon Client is available for both RPM and DEB based Linux operating systems.

Prerequisites

Prior to the installation of the DualShield logon client, the Linux workstation must be domain joined.

Mandatory Configuration

Disable use_fully_qualified_names; otherwise (1) unlock will fail if the user's UPN name differs from the login name or a custom UPN suffix is enabled, and (2) the name displayed in the User Console could be wrong.

$ sudo vi /etc/sssd/sssd.conf

# line 16: change True to False
use_fully_qualified_names = False

$ sudo systemctl restart sssd


Install Logon Client on CentOS / Fedora / RHEL

Download the installer file dshield-client-service-x.y.z-x86_64.rpm, and execute the command below to install it (where x.y.z is the version and build number, e.g. 1.0.0)

$ sudo yum install ./dshield-client-service-1.0.0-x86_64.rpm

Install Logon Client on Ubuntu

Download the installer file dshield-client-service-x.y.z-x86_64.deb, and execute the command below to install it (where x.y.z is the version and build number, e.g. 1.0.0)

$ sudo apt install ./dshield-client-service-1.0.0-x86_64.deb

SSH Login

If you want to enable 2FA on SSH login, then you need to enable challenge/response and also enable keyboard-interactive.

For Ubuntu 18 & 20, and CentOS

$ sudo vi /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive

For Ubuntu 22

$ sudo vi /etc/ssh/sshd_config

KbdInteractiveAuthentication yes

For RHEL & CentOS version 9

$ sudo vim /etc/ssh/sshd_config.d/50-redhat.conf

UsePAM yes
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods keyboard-interactive


Restart SSHD service after the above change:

$ sudo systemctl restart sshd
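A quick way to confirm the sshd settings above are actually in effect is to read the configuration the way sshd does; the added Python check below (not part of the DualShield client) does that for sshd_config text. It takes the first occurrence of a keyword as the winner, stops at the first Match block, treats ChallengeResponseAuthentication as the older alias of KbdInteractiveAuthentication, and does not follow Include directives, so on RHEL 9 feed it the output of `sshd -T` rather than a single file.

```python
"""Pre-flight check for the sshd settings above (added example, not DualShield
code). Parses the global section of sshd_config text: the first obtained value
of a keyword wins, keywords are case-insensitive, and lines after the first
'Match' are ignored. Output of 'sshd -T' (lower-cased keywords) is accepted."""
import re
from typing import Dict

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return global keyword -> first value, keywords lower-cased."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                 # the rest is conditional
        key = _ALIASES.get(key, key)
        settings.setdefault(key, value)           # first obtained value wins
    return settings


def keyboard_interactive_enabled(text: str) -> bool:
    """True only if every authentication chain sshd offers includes keyboard-interactive
    (so the PAM-driven second factor cannot be bypassed by another method)."""
    s = parse_sshd_config(text)
    if s.get("kbdinteractiveauthentication", "yes").lower() != "yes":
        return False
    if s.get("usepam", "no").lower() != "yes":    # upstream default is 'no'
        return False
    methods = s.get("authenticationmethods", "any")
    if methods.lower() == "any":
        return True
    # Chains are space-separated alternatives; each chain is a comma-separated
    # sequence whose methods may carry a suffix such as 'keyboard-interactive:pam'.
    return all(
        any(m.split(":", 1)[0] == "keyboard-interactive" for m in chain.split(","))
        for chain in methods.split()
    )
```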


