DualShield supports multiple authentication methods and various authentication tokens. However, because of limitations in the RADIUS protocol, for VMWare View DualShield supports only the following authentication methods and tokens:

Method                  Tokens
One-Time Password       SafeID, MobileID
On-Demand Password      T-Pass
Grid Card               GridID

In DualShield, you define the authentication methods (authenticators) to be used in the application's logon procedure. You can create a logon procedure that consists of one or two logon steps. In each logon step, you can specify the authenticators that the users can use to authenticate themselves.

One-Time Password

If you plan to deploy one-time password tokens, such as SafeID and MobileID, to your user base, then you will only need to create one logon step in your VMWare View’s logon procedure. In the logon step, add One-Time Password as the authenticator.

When a user attempts to connect to a VMware View Server that has DualShield two-factor authentication enabled and the DualShield is configured to authenticate users by one-time passwords, they are first presented with a login prompt as shown below:

Users enter their user name (which is normally their Active Directory user name), and a passcode. The passcode is normally a one-time password generated from their OTP tokens. If the token’s PIN is required, then the passcode is the combination of an OTP and the token’s PIN.

After users click the OK button, their user name and passcode are submitted to DualShield. If the user name and passcode are successfully verified by DualShield, the user gets a second prompt to enter their Microsoft Active Directory credentials:

Users enter their AD password, which is submitted to your AD server to be verified. If the user name and AD password are successfully verified by your AD server, the logon process is complete.

On-Demand Password

If you plan to let your users authenticate to VMware View with on-demand passwords, i.e. Deepnet T-Pass, then you have two options.

Option A: Two Logon Steps

Create two logon steps: Step 1: Static Password; Step 2: On-Demand Password

In this option, when a user attempts to connect to a VMware View Server they are first presented with a login prompt as shown below:

Users will enter their username and AD password in the passcode box, then click "OK".

The user name and AD password are submitted to DualShield to be verified. If the user’s credentials are successfully verified, DualShield generates an on-demand password and sends it to the user via the specified channel. VMware View will then display the following screen:

Users will wait for the password to arrive and then enter the on-demand password received in the “Next response” box.

VMware View client will finally prompt the user to enter their AD password:

At this time, the user name and AD password are submitted to your AD server to be verified. If the user name and AD password are successfully verified by your AD server, the logon process is complete.

Option B: One Logon Step

Create one logon step only and add "On-Demand Password" in the logon step.

When a user attempts to connect to VMware View Server, they are first presented with a login prompt as shown below:

Users are required to enter their on-demand passwords in the Passcode box. Where do users get their on-demand passwords? Again, there are two ways that users can obtain their on-demand passwords:

Pre-Delivery

The T-Pass authenticator in DualShield will automatically send a new password to the user each time the user has successfully logged in. Pre-Delivery is a policy option in T-Pass:

The very first password has to be pushed out to the user by the administrator from the Management Console or by the user from the Self-Service Console. Subsequently, users use the password they received after their previous login.

Delivery by Commands

Users can request a password to be sent in real time by entering a T-Pass delivery command. The T-Pass command has to be entered in the “user name” field:

A T-Pass command starts with the “>” character, followed by one of the following commands and the user name itself.

  • >sms
  • >text
  • >email
  • >tweet
  • >call
  • >phone

  • >sms and >text send the OTP via SMS text message
  • >email sends the OTP by email message
  • >tweet sends the OTP by Twitter direct message
  • >call and >phone send the OTP by voice over a telephone call

If the T-Pass policy requires static password authentication prior to sending OTP, then the user must also enter their static password in the passcode field.

After the user has entered a T-Pass delivery command and their static password and pressed the OK button, DualShield generates an on-demand password and sends it to the user via the specified channel. VMWare View will display an “Access Denied” error message. The user must then remove the T-Pass delivery command, enter their correct user name, and enter the on-demand password they just received.
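The following is an added example, not Deepnet's code, showing how the T-Pass delivery command format described above can be parsed out of the user-name field: it distinguishes an ordinary user name from a delivery request, maps each command word to its channel, rejects unknown or malformed commands, and enforces the policy that a static password must accompany the request. It assumes the command word and the user name are separated by whitespace; the `LogonRequest`/`DeliveryRequest` types, the channel labels and the `require_static_password` flag are illustrative names, not DualShield API.

```python
"""Parser for the T-Pass delivery command carried in the user-name field.

Added example, not DualShield's code. Command words and their meaning come
from the documentation above; separator, type names and channel labels are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Command word (without the leading ">") -> delivery channel.
TPASS_COMMANDS = {
    "sms": "sms",
    "text": "sms",
    "email": "email",
    "tweet": "twitter",
    "call": "voice",
    "phone": "voice",
}


@dataclass(frozen=True)
class LogonRequest:
    """What the logon prompt hands over: the user-name field as typed,
    plus whatever was typed in the passcode field."""
    username_field: str
    passcode: str


@dataclass(frozen=True)
class DeliveryRequest:
    channel: str
    username: str
    static_password: Optional[str]


def parse_tpass_command(req: LogonRequest,
                        require_static_password: bool) -> Optional[DeliveryRequest]:
    """Return a DeliveryRequest when the user-name field carries a T-Pass
    command, or None when it holds an ordinary user name.

    Raises ValueError for a malformed or unknown command, and for a missing
    static password when the (assumed) policy flag requires one."""
    field = req.username_field.strip()
    if not field.startswith(">"):
        return None  # ordinary logon, not a delivery request
    parts = field[1:].split(None, 1)  # assumed: whitespace between command and name
    if len(parts) != 2 or not parts[1].strip():
        raise ValueError("T-Pass command must be followed by a user name")
    word, username = parts[0].lower(), parts[1].strip()
    channel = TPASS_COMMANDS.get(word)
    if channel is None:
        raise ValueError(f"unknown T-Pass command: >{word}")
    if require_static_password and not req.passcode:
        raise ValueError("policy requires the static password in the passcode field")
    return DeliveryRequest(channel, username,
                           req.passcode if require_static_password else None)
```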
