Configuring ActivID Appliance Applications

You can configure the ActivID Appliance applications (such as the ActivID Management Console) by editing the application’s settings.

To modify a property, change the value in the relevant field.

If necessary, click Reset to revert the property to the default value.

Alternatively, you can select Reset All to reset all the properties to their default values.

Warning! ONLY modify the settings if you are sure that you are making the correct changes. Modifying the settings incorrectly can render the system unusable.

It is recommended that you contact HID Global Technical Support before modifying these settings.

View the Applications

You can view the configuration of the various ActivID Appliance components in the Applications menu.

Log on to the ActivID Console and, under Configuration in the left-hand menu, select Applications.

To configure an application, click the Edit Settings for the application:
- ActivID Authentication Server – the core server that provides the authentication infrastructure to meet cross-channel requirements.
- ActivID Authentication Portal – the portal that provides the authentication services. This component is required for authentication to the ActivID Management Console.
- ActivID Management Console – the web-based interface to manage the authentication system.
- ActivID Self-Service Portal – the web-based interface that offers end users activation and management services for soft and hardware authentication devices.
- ActivID RADIUS Front End – enables OTP and static password authentication using the RADIUS protocol
To initiate a restart of all the deployed applications, Restart All Applications.
If you have made any changes to the RADIUS configuration, then click Restart RADIUS Front End to restart the RADIUS service.

Configure the ActivID Authentication Server Settings

Log on to the ActivID Console and, under Configuration in the left-hand menu, select Applications.
Click Edit Settings for the ActivID Authentication Server in the Applications list.

For backward compatibility, legacy ActivID SOAP API based on AXIS 1.4 web service is still supported for client applications that cannot be migrated to the new JAX-WS web service.

Select Enable ActivID Legacy API (backward compatibility with AXIS 1.4 clients) to activate the support.

Edit the settings as required.

The properties are organized into the following categories:

General

CASE_SENSITIVE

By default, user search and user authentication are not case-sensitive and the user case sensitivity is set to false. This means that:

The user “jdoe” can authenticate if you enter “JDOE” in the login page username field.
The user “jdoe” is returned in a user search if you enter “JDOE” in the search field.
You are unable to create simultaneously a “JDOE” and a “jdoe” user. A warning message appears reporting the user already exists.

If user case sensitivity is set to true:

The user “jdoe” is unable to authenticate if you enter “JDOE” in the login page username field, they can only authenticate if they enter “jdoe”.
The user “jdoe” is not returned in a user search if you enter “JDOE” in the search field, only if you enter “jdoe”.
You are able to create simultaneously a “JDOE” and a “jdoe” user.

Value

false

Description

To enable user case sensitivity, set this property to true.

Possible values:

true
false (default)

ALLOW_AUTO_SYNC_WITHOUT_SOFT_PIN

Value

true

Description

It is possible to automatically resynchronize soft PIN-enabled devices by entering either OTP only, or soft PIN + OTP.

This flag can be set to false if you want to define that entering both the soft PIN and the generated OTP is mandatory to resynchronize soft PIN-enabled devices.

ASYNC_DEVICES_IMPORT_TEMPO_MS

Value	5
Description	Defines a tempo (in milliseconds) to wait between the devices import inside a batch. This avoids overloading the CPU by device import background task.

DEVICEIMPORT_SCHED_EXPR

Value	,,0/10
Description	Configuration for scheduling Large Device Import timer using cron expressions.

LDAP_CONNECTION_TIMEOUT

Value	10000
Description	Used by the LDAP adaptors. Defines the LDAP connection timeout in milliseconds.

LDAP_READ_TIMEOUT

Value	10000
Description	Used by the LDAP adaptors. Defines the LDAP read timeout in milliseconds.

PROXY_INTERCEPTOR

Value

none

Description

Adapter class to be invoked on UserManager calls. For example:

com.hid.ai.interceptor.LoggingInterceptor

AUDIT_TOKENIZATION_ENABLED

Value

true

Description

Defines if the audit log is tokenized (anonymized) to protect PII data. For further information about anonymization, see Protecting Personal Data with ActivID Appliance.

Possible values:

True (default)
False

Important: By default, in order to assist customers in meeting the requirements of certain data protection regulations, personal data in the audit log is tokenized/anonymized.

Disclaimer: If your organization requires audit log data to be detokenized for specific needs and usages, HID Global offers guidance in the form of APIs, sample code, and utilities, and it is recommended to adopt that approach while leaving the audit tokenization feature enabled.

Prior to disabling audit tokenization, it is recommended that you consult with your legal department to align with your organization’s policies with regard to the processing of personal data.

Search Limits

Searches performed in the ActivID Appliance portals can place a large load on the application. The number of records displayed should be limited to a reasonable size. The ActivID Authentication Server contains a method to limit the number of records that can be returned from the database. Returning larger result sets does place a strain on the server in terms of memory (need to keep the result set) and in terms of HSM load since ActivID Appliance verifies each records data signature.

If search performance is slow, very slowly, or there are 'out of memory' errors on ActivID Appliance nodes, you might need to adjust the search limits.

It is recommended that search limits (with a property name starting with SEARCH_) should be kept to a reasonable size (such as the default values).

For example, to configure User or Device search parameters, update the following:

SEARCH_LIMIT_USER
SEARCH_LIMIT_TOKEN

SEARCH_LIMIT_USER

Value	100
Description	Defines the maximum number of users returned in the search results.

SEARCH_LIMIT_ASSET

Value	20
Description	Defines the maximum number of assets returned in the search results.

SEARCH_LIMIT_AUDIT

Value	100
Description	Defines the maximum number of audit log records returned in the search results.

SEARCH_LIMIT_TOKEN

Value	100
Description	Defines the maximum number of tokens returned in the search results.

SEARCH_LIMIT_UATSP

Value	100
Description	Defines the maximum number of user asset transaction set privileges returned in the search results.

SEARCH_LIMIT_DEVICE_ISSUANCE

Value	150
Description	Defines the maximum number of device issuance requests returned in the search results.

SEARCH_LIMIT_LDAP_USER

Value	100
Description	Defines the maximum number of LDAP users returned in the search results.

Important: As these settings might impact the search result display performance in the ActivID Management Console, you can restrict the portal's search limit to a value lower than the value set for the ActivID Authentication Server application.

The user or device search performed in the ActivID Management Console will take into account the portal-specific limits.

User Attribute Mapping

The user attribute mapping is used in the context of the Authorization Profiles Selection Rules:

Always Succeeds check before
Always Fails check before

Note:

This mapping is shared by all security domains.
Setting FORCE_SERVER_GENERIC_RULE to true enables this mapping for generic dictionary attribute used in check before authorization profile rules when the comparison attribute selected in the check before rule is a static value. When the comparison attribute selected in the check before rule is dynamic (ActivID AS attribute), the check before attribute from generic dictionary is mapped to the attribute coming with the authentication request.

This is the default configuration.

When the setting is false, the check before attribute from generic dictionary is mapped to authentication request attribute.

FORCE_SERVER_GENERIC_RULE

Value	true
Description	Defines if the attribute mapping defined below is used to force the mapping of generic attributes to ActivID Appliance attributes.

The following entries define the mapping of attributes that applies when FORCE_SERVER_GENERIC_RULE is true.

Mapping names and values

Property name	Property value
Date-of-Birth	DOB
Title	TITLE
User-Type	USER_TYPE
Last-Success-Auth	LAST_AUTH
Type-Of-System	ATR_SYSTYP
E-Mail-Address	ATR_EMAIL
Mobile-Phone-Number	ATR_MOBILE
Address-Line-1	ADDRESS1
Address-Line-2	ADDRESS2
Address-Line-3	ADDRESS3
Address-Line-4	ADDRESS4
City	CITY
Post-Code	POSTCODE
First-Name	FIRSTNAME
Last-Name	LASTNAME
Custom-Attribute-1
Custom-Attribute-2
Custom-Attribute-3
Custom-Attribute-4
Custom-Attribute-5
Custom-Attribute-6
Custom-Attribute-7
Custom-Attribute-8
Custom-Attribute-9
Custom-Attribute-10

Note: When the “Property value” is not defined, any custom value can be set.

RADIUS

The following codes are the RFE forward reasons codes that are enabled by default. The complete list of reason codes can be found in the ActivID Appliance API Javadoc documentation.

To modify the settings, update the values in the following settings.

REASON_CODES_AUTHENTICATION

Value	0 − Reason indicating that the authenticator could not be found 1 − Reason indicating that the authenticator is disabled 7 − Reason indicating that the authenticator is not yet valid 8 − Reason indicating that the authenticator is expired 15 − Reason indicating that the user was not found 19 − Reason indicating a password's maximum usages has been reached 20 − Reason indicating the device is not valid 23 − Reason indicating that no valid credentials were found 26 − Reason indicating that amount value for EMV CAP verification is invalid, It must not have decimal character and it should be a numeric value
Description	Defines the authentication RFE forward reason codes.

Value

0 − Reason indicating that the authenticator could not be found

1 − Reason indicating that the authenticator is disabled

7 − Reason indicating that the authenticator is not yet valid

8 − Reason indicating that the authenticator is expired

15 − Reason indicating that the user was not found

19 − Reason indicating a password's maximum usages has been reached

20 − Reason indicating the device is not valid

23 − Reason indicating that no valid credentials were found

26 − Reason indicating that amount value for EMV CAP verification is invalid, It must not have decimal character and it should be a numeric value

Description

Defines the authentication RFE forward reason codes.

REASON_CODES_CHALLENGE

Value	1 − Reason indicating that challenge counter reached disable threshold
Description	Defines the challenge RFE forward reason codes.

REASON_CODES_ERROR

Value	1200 − A user with the specified code (external reference) could not be found 1261 − A device with the specified ID could not be found 1270 − An authenticator could not be found 6058 − There was no active device on the authenticator 6200 − No active authenticator was found for dynamic authenticator selection get Challenge request 6201 − No active authenticator was found for dynamic authenticator selection Device Authentication request 6202 − No active authenticator was found for dynamic authenticator selection UP Authentication request
Description	Defines the error RFE forward reason codes.

Value

1200 − A user with the specified code (external reference) could not be found

1261 − A device with the specified ID could not be found

1270 − An authenticator could not be found

6058 − There was no active device on the authenticator

6200 − No active authenticator was found for dynamic authenticator selection get Challenge request

6201 − No active authenticator was found for dynamic authenticator selection Device Authentication request

6202 − No active authenticator was found for dynamic authenticator selection UP Authentication request

Description

Defines the error RFE forward reason codes.

Audit

AUDIT.IGNORE.EVENTID

Value	^get\\S,^search\\S,hasFunctionPrivilege,isRFEConfigurationStale
Description	Defines the audit events that should not be stored in the database (to avoid filling the database with unnecessary events). The value is a regular expression of EventID to exclude.

Value

^get\\S*,^search\\S*,hasFunctionPrivilege,isRFEConfigurationStale

Description

Defines the audit events that should not be stored in the database (to avoid filling the database with unnecessary events).

The value is a regular expression of EventID to exclude.

audit.verify.strategy

Value	sequencesAndMatchedRows
Description	Define the behavior for verifying the audit record during audit search (using the API or using the ActivID Management Console Reporting tab). Possible values: none – no audit verification will occur. sequences – defines that only the sequential integrity of audit data will be verified. allRows – defines that all audit data found within the search date range will be verified, regardless of other criteria. sequencesAndMatchedRows – defines that the sequential integrity* of audit data will be verified, in addition to audit data that matches all the search criteria.

Value

sequencesAndMatchedRows

Description

Define the behavior for verifying the audit record during audit search (using the API or using the ActivID Management Console Reporting tab).

Possible values:

none – no audit verification will occur.
sequences – defines that only the sequential integrity of audit data will be verified.
allRows – defines that all audit data found within the search date range will be verified, regardless of other criteria.
sequencesAndMatchedRows – defines that the sequential integrity* of audit data will be verified, in addition to audit data that matches all the search criteria.

ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1

Value	DENY
Description	Defines if ActivID Appliance will allow authentication to the domain when the audit log fails: When set to ALLOW, authentications will continue but they will not be audited. When set to DENY, authentications will fail. For further information about log resilience, see Change the Audit Log Resilience Levels.

Value

DENY

Description

Defines if ActivID Appliance will allow authentication to the domain when the audit log fails:

When set to ALLOW, authentications will continue but they will not be audited.
When set to DENY, authentications will fail.

For further information about log resilience, see Change the Audit Log Resilience Levels.

ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1

Value	DENY
Description	Defines if ActivID Appliance will allow other configuration processes for the domain when the audit log fails: When set to ALLOW, all other operations will continue but they will not be audited. When set to DENY, all other operations will fail. For further information about log resilience, see Change the Audit Log Resilience Levels.

Value

DENY

Description

Defines if ActivID Appliance will allow other configuration processes for the domain when the audit log fails:

When set to ALLOW, all other operations will continue but they will not be audited.
When set to DENY, all other operations will fail.

For further information about log resilience, see Change the Audit Log Resilience Levels.

Security

ERROR_NOTIFICATION

Value	1019,1017,1001,1015,1020,1024,1028,1018,1027,1026,1007,1006,1010,1009,1000,1021,1030,1008,1016,1901,1904,301,1200
Description	ActivID Appliance also provides a system to send notifications of runtime errors generated by Web service API calls. This allows monitoring systems (listening JMX notifications) to detect systemic attacks (such as denial-of-service attacks) performed by external applications calling the ActivID public API. The error notifications enabled by default are: InvalidParameterException (Constants) ILLEGAL_ADAPTER_TYPE [1019] The adapter type is invalid. ILLEGAL_AUTHENTICATION_MODE [1017] Illegal authentication mode. ILLEGAL_AUTHENTICATOR_STATUS [1001] An authenticator status parameter is not one of the allowed values. ILLEGAL_DEVICE_ISSUANCE_REQUEST_STATUS [1015] A device issuance request status parameter is not one of the allowed values. ILLEGAL_EXTERNAL_CREDENTIAL_TYPE [1020] The external credential type is invalid. ILLEGAL_LDAP_MAPPING [1024] Illegal LDAP Mapping attribute. ILLEGAL_RESOURCE_TYPE [1028] Resource Type is invalid. ILLEGAL_SECURITY_DOMAIN [1018] The security domain is invalid. ILLEGAL_TRANSACTION_TYPE [1027] Transaction Type is invalid. ILLEGAL_USER_STATUS [1026] User status is invalid. INVALID_DATE_ORDER [1007] Date parameters are in an invalid order, for example start date after end date. INVALID_FORMAT [1006] A parameter was of an invalid format. NOT_A_NUMBER [1010] A parameter representing a numeric value is too large (positive or negative) to be converted into a number. PARAMETER_NOT_SUPPORTED [1009] A value has been specified for a parameter that is not supported. PARAMETER_NULL [1000] A parameter was null. PROFILE_INVALID [1021] Profile is invalid. STM_INVALID_PARAMETERS [1030] STM device activation failed due to invalid parameter. TOO_LONG [1008] A parameter is too long. USERCODE_OR_DEVICESEARCHCRITERIA_SHOULD_BE_SPECIFIED [1016] The device authentication request should have a usercode or device search criteria. ALSIInvalidException (Constants) SESSION_DOES_NOT_EXIST [1901] The session does not exist. SESSION_INVALID_USER [1904] The session has an invalid user associated with it.

Value

1019,1017,1001,1015,1020,1024,1028,1018,1027,1026,1007,1006,1010,1009,1000,1021,1030,1008,1016,1901,1904,301,1200

Description

ActivID Appliance also provides a system to send notifications of runtime errors generated by Web service API calls.

This allows monitoring systems (listening JMX notifications) to detect systemic attacks (such as denial-of-service attacks) performed by external applications calling the ActivID public API.

The error notifications enabled by default are:

InvalidParameterException (Constants)

ILLEGAL_ADAPTER_TYPE [1019] The adapter type is invalid.
ILLEGAL_AUTHENTICATION_MODE [1017] Illegal authentication mode.
ILLEGAL_AUTHENTICATOR_STATUS [1001] An authenticator status parameter is not one of the allowed values.
ILLEGAL_DEVICE_ISSUANCE_REQUEST_STATUS [1015] A device issuance request status parameter is not one of the allowed values.
ILLEGAL_EXTERNAL_CREDENTIAL_TYPE [1020] The external credential type is invalid.
ILLEGAL_LDAP_MAPPING [1024] Illegal LDAP Mapping attribute.
ILLEGAL_RESOURCE_TYPE [1028] Resource Type is invalid.
ILLEGAL_SECURITY_DOMAIN [1018] The security domain is invalid.
ILLEGAL_TRANSACTION_TYPE [1027] Transaction Type is invalid.
ILLEGAL_USER_STATUS [1026] User status is invalid.
INVALID_DATE_ORDER [1007] Date parameters are in an invalid order, for example start date after end date.
INVALID_FORMAT [1006] A parameter was of an invalid format.
NOT_A_NUMBER [1010] A parameter representing a numeric value is too large (positive or negative) to be converted into a number.
PARAMETER_NOT_SUPPORTED [1009] A value has been specified for a parameter that is not supported.
PARAMETER_NULL [1000] A parameter was null.
PROFILE_INVALID [1021] Profile is invalid.
STM_INVALID_PARAMETERS [1030] STM device activation failed due to invalid parameter.
TOO_LONG [1008] A parameter is too long.
USERCODE_OR_DEVICESEARCHCRITERIA_SHOULD_BE_SPECIFIED [1016] The device authentication request should have a usercode or device search criteria.

ALSIInvalidException (Constants)

SESSION_DOES_NOT_EXIST [1901] The session does not exist.
SESSION_INVALID_USER [1904] The session has an invalid user associated with it.

ERROR_AUDIT

Value	1400,301,951
Description	The default audit error codes. NO_FUNCTION_PRIVILEGE [1400] No function privilege to call this method INVALID_SIGNATURE [301] database Record is tainted STM_PUSH_ACTIVATION [951] Error has occurred while activating a push-based HID Approve™ device

Value

1400,301,951

Description

The default audit error codes.

NO_FUNCTION_PRIVILEGE [1400] No function privilege to call this method
INVALID_SIGNATURE [301] database Record is tainted
STM_PUSH_ACTIVATION [951] Error has occurred while activating a push-based HID Approve™ device

FAILURE_TYPE

Value	all
Description	Define the level of details returned for direct authentication failure. Possible values: all – allows permissive responses for direct authentications (not safe), then exceptions and reason codes are returned none – does not allow permissive responses for direct authentications (recommended), only a Response code is returned

Value

all

Description

Define the level of details returned for direct authentication failure.

Possible values:

all – allows permissive responses for direct authentications (not safe), then exceptions and reason codes are returned
none – does not allow permissive responses for direct authentications (recommended), only a Response code is returned

LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAIN>

When LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAIN> is false (the default), then the ActivID Authentication Portal allows concurrent login.

The Concurrent Login Policy enables you to limit active sessions to a single session at a time for a single user account. Concurrent Login Policy is configured globally per domain.

When the concurrent login policy is enabled, only one login session is permitted per user. Within the same browser session, different service providers/channels can be accessed for the same user account using the same session.

When the same user tries to access a service provider (for example, the ActivID Management Console) from another browser session, the authentication is denied as long as the other session remains opened. The user must wait until the other session is closed or is timed-out.

If a user tries to launch a concurrent login session, the error message “Login is denied. You cannot log on as long as your previous session remains open. Log out from the previous session or wait for the session to time out and try again” is displayed.

Value

false

Description

Defines how the ActivID Authentication Portal manages concurrent login for the same user account, where <DOMAIN> is the domain name.

Possible values:

true
false

Certificates Validation

You can define the settings to check the trust chain of client certificate on import and certificate revocation status for PKI C/R authentication.

CERT_REVOC_CONNECTION_TIMEOUT_S

Value	15
Description	TCP connection timeout in seconds.

CERT_REVOC_READ_TIMEOUT_S

Value	10
Description	TCP read timeout in seconds.

CRL_CACHE_TIMEOUT_H

Value

Description

For performance reasons, certificate revocation lists (CRL) are cached.

Defines the validity of cached CRL responses in hours.

OCSP_CACHE_TIMEOUT_H

Value

Description

For performance reasons, Online Certificate Status Protocol (OCSP) responses concerning intermediate CA certificates are cached.

Defines the validity of cached OCSP responses in hours.

This setting only applies to responses for intermediate CA certificates. OCSP responses for end-user certificates are not cached.

URL_BLACKLIST_TIMEOUT_S

Value	30
Description	Defines the black list period for URLs of unreachable CDP or OCSP responders in seconds. During this period, the system will failover, if available, to the redundant URL.

Value

Description

Defines the black list period for URLs of unreachable CDP or OCSP responders in seconds.

During this period, the system will failover, if available, to the redundant URL.

CERT_REVOC_CHECK_AUTHENTICATION

Value

true

Description

Defines if certificate revocation check is performed at authentication time.

If the certificate revocation status is already checked at the TLS termination, you do not need to perform this check at authentication.

CERT_REVOC_CHECK_DEVICE_IMPORT

Value	true
Description	Defines if certificate revocation check is performed when importing certificates.

CERTPATH_VALIDATION_LEGACY_CRED

Value	true
Description	Defines if the certificate path validation is disabled for any legacy certificates credentials that could not be validated (due to missing intermediate certificates).

CERT_REVOC_DISABLE_OCSP_RESP_NONCE_CHECK

Value	false
Description	As many OCSP responders do not use the nonce to create a different response for each request, you can disable the nonce verification.

CERT_REVOC_PREFER_OCSP_METHOD

Value

true

Description

OCSP and CRL can both be used to check the revocation status of a certificate.

If both methods are available, defines if OCSP is the preferred method.

CERT_REVOC_PROXY_REQUESTS

Value

true

Description

If a forward proxy is configured, web-based (not LDAP) CRL downloads and OCSP requests will use this proxy by default.

To use a local OCSP responders or CRL Distribution Points, set this setting to false.

CERT_REVOC_SUPPORT_OCSP_SHA256_REQUEST

Value	true
Description	By default OCSP requests use SHA256-based certificate ID. In case of compatibility issues, you might have to use SHA1 certificate ID by setting this to false.

CERT_REVOC_VALID_OCSP_RESP_ALGO

Value

none

Description

By default, there is no restriction on the OCSP response signature algorithms.

Specifies a comma separated list of valid OCSP response signature algorithm OID (see RFC 2313).

CRL_URLS

Value	none
Description	Specifies a comma-separated list of redundant CDP URLs that will be used in place of the CDPs defined in the certificates.

Click Save and Restart All Applications to apply your changes.

Configure the ActivID Authentication Portal Settings

Log on to the ActivID Console and, under Configuration in the left-hand menu, select Applications.
Click Edit Settings for the ActivID Authentication Portal in the Applications list.

Edit the settings as required.

PushLogon.Timeout

Value	60
Description	Timeout (in seconds) for Push-based logon.

DomainRequired

Value

false

Description

Constraint on Domain (required or optional in the authentication request).

For further information, see Enforce the Domain Requirement in the Authentication Request.

AuthorizedVpnUrl

Value	http://
Description	Authorized URLs for VPN Push operations.

Click Save and Restart All Applications to apply your changes.

Note: To modify the Authentication Process and GUI templates, see Customize the User Authentication Process.

Configure the ActivID Management Console Settings

You can define user and device search limits that will override those set in the ActivID Authentication Server settings.

Log on to the ActivID Console and, under Configuration in the left-hand menu, select Applications.
Click Edit Settings for the ActivID Management Console in the Applications list.

Edit the settings as required.

com.actividentity.iasp.ui.maxdevicesearch

Value	100
Description	Maximum numbers of devices displayed by the ActivID Management Console for a device search.

Note: This setting is ignored if the value is greater than the SEARCH_LIMIT_TOKEN.

com.actividentity.iasp.ui.maxusersearch

Value	100
Description	Maximum numbers of users displayed by the ActivID Management Console for a user search.

Note: This setting is ignored if the value is greater than the SEARCH_LIMIT_USER.

Click Save and Restart All Applications to apply your changes.

Configure ActivID RADIUS Front End Settings

Log on to the ActivID Console and, under Configuration in the left-hand menu, select Applications.
Click Edit Settings for the ActivID RADIUS Front End in the Applications list.

Edit the settings as required.

endpoint_port

Value	8443
Description	Port number to communicate with ActivID Appliance. The default port is for TLS with mutual authentication.

Value

8443

Description

Port number to communicate with ActivID Appliance.

The default port is for TLS with mutual authentication.

monitoring_configuration_interval_in_minutes

Value

Description

RFE configuration monitoring interval in minutes.

Defines the interval (in minutes) between each check of RFE configuration updates. The RFE configuration updates are retrieved by the RFE from the appliance.

Values allowed:

Minimum: 0 (disables monitoring)
Maximum: 1440

http_connect_timeout_in_seconds

Value

Description

The timeout (in seconds) allowed for the http connection to the server. This only applies to connection phase and has no impact once the connection is established.

Values allowed:

Minimum: 1
Maximum: 30

http_request_timeout_in_seconds

Value

Description

The timeout (in seconds) allowed for the HTTP request operation.

Values allowed:

Minimum: 0
Maximum: 60

The value 0 means no timeout is applied.

reconnect_delay_between_attempts_in_seconds

Value

Description

Number of seconds between each direct user reconnection attempt.

Values allowed:

Minimum: 5
Maximum: 600

reconnect_max_number

Value

Description

Maximum number of direct user reconnection attempts before rejecting the current authentication request.

The direct user reconnection attempt is typically used when a direct user session has expired and has to be renewed.

Values allowed:

Minimum: 0
Maximum: 10

retry_delay_between_attempts_in_seconds

Value

Description

Number of seconds between operation attempts (direct user authentication at RFE startup, indirect user authentication, reset authenticator counter, is RFE configuration stale).

Values allowed:

Minimum: 1
Maximum: 600

retry_max_number

Value

Description

Maximum number of retries to perform the current operation (direct user authentication at RFE startup, indirect user authentication, reset authenticator counter, is RFE configuration stale).

If the maximum number of retries is reached, the current operation is rejected.

Values allowed:

Minimum: 0
Maximum: 10

mppe_use_mppe

Value	yes
Description	Indicates if MPPE attributes (“MS-MPPE-Encryption-Policy”, “MS-MPPE-Encryption-Types”) have to be sent to the NAS after a successful indirect user authentication using protocol MSCHAPv1 or MSCHAPv2.

mppe_require_encryption

Value

Description

Indicates which value should be set for the “MS-MPPE-Encryption-Policy” attribute.

If no, value is set to 0x00000001
If yes, value is set to 0x00000002

Note: This setting is only taken into account if mppe_use_mppe is set to yes.

mppe_require_strong

Value

Description

Indicates which value should be set for the “MS-MPPE-Encryption-Types” attribute.

If no, value is set to 0x00000006
If yes, value is set to 0x00000004

Note: This setting is only taken into account if mppe_use_mppe is set to yes.

challenge_remove_space

Value	no
Description	Generates challenges without a space in RADIUS challenge/response authentication.

Click Save to apply your changes.
Click Return to Applications, and, in the Applications page, click Restart RADIUS Front End.

When prompted to restart RADIUS Front End, click Ok.
When the success message appears, click Close.