AuthPoint Identity Security Essentials

Question 1

MFA requires any combination of these three things.

Answer 1

Something you know | Password
Something you have | Phone
Something you are | Fingerprint

Question 2

AuthPoint is WatchGuard’s MFA service, it includes what 2 products?

Answer 2

AuthPoint MFA
AuthPoint Total Identity Security

Question 3

For AuthPoint, there are two authentication device routes you can have. What are they?

Answer 3

Mobile App
Hardware Token

Question 4

What is a token?
What is it used for?

Answer 4

Something, such as a digital signature or fingerprint, that identifies a user and associates the user with a device.
They require activation.

Used in addition to, or in place of, a password when a user logs in to a protected resource.

Question 5

Benefits of Authentication.

Answer 5

Gives admins a way to identify the users that access resources.

To authenticate, you must provide something that proves your identity.

Question 6

What is Authorization? Give AuthPoint specifics.

Answer 6

It is how admins define which users are allowed access to a resource.
Groups and authentication policies control authentication.

Question 7

What are the three MFA methods?
Describe them.

Answer 7

Push Notification: When a user logs in, AuthPoint sends a push notification to the user’s mobile device. The
user approves the push notification to authenticate, or denies it to prevent an unauthorized access attempt.

QR Code: When a user logs in, a QR code appears. The AuthPoint app uses the phone camera to scan the
QR code and displays a verification code, which the user must type to authenticate. AuthPoint uses secure
QR codes that only the AuthPoint mobile app can decrypt.

One-Time Password (OTP): When a user logs in, the user must provide a unique, temporary password
generated by the AuthPoint app to authenticate.

Question 8

What is the AuthPoint Management UI?
What does it manage? 10 sections on the main screen.
Where is Dark Web Monitoring configured?

Answer 8

It’s the management platform for AuthPoint in WatchGuard Cloud.
It’s where you set up and manage:

policies
resources
groups
objects
users
ext ids
gateway
hardware tokens
user inheritance
corporate applications

It also provides reports and audit logs for monitoring authentication activity and issue troubleshooting.

It’s managed under Administration in WatchGuard Cloud.

Question 9

Within the context of AuthPoint:
What are Resources?
What are Authentication policies?
What are External Identities?

Answer 9

Resources are the applications that you define for use with AuthPoint.

Authentication Policies specify which resources AuthPoint users can authenticate to, and which authentication methods they can use.

External Identities connect to a user databases to get user account information and validate passwords.

Question 10

What can the AuthPoint Mobile App do?

Answer 10

View and manage tokens, approve Push Notifications, get OTP’s, scan QR codes, and view and manage saved credentials (password manager).

You can protect tokens behind PIN or Biometric ID.

Question 11

What can the AuthPoint Browser Extension do?

Answer 11

Password management.
Can save and manage credentials in a personal password vault.

Question 12

What is the AuthPoint Gateway application?
Where can you download/install it from?

Answer 12

It’s a lightweight software application that you install on your network so that AuthPoint can securely communicate with your RADIUS clients and LDAP databases.
The Gateway operates as a RADIUS server for RADIUS authentication, and is also used to import LDAP users and validate their passwords.

Downloads page in AuthPoint Management UI.

Question 13

What is the Logon App?
What is it used for?
Requirements?

Answer 13

Used to require authentication when users log on to a computer or server.
Includes protection for RDP and RD Gateway (remote access).
For windows and mac.
Download application to computer and configure AuthPoint Resource.

Question 14

Define ADFS.
What can you use the AuthPoint Agent for ADFS for?
What 3 parts make the Agent?

Answer 14

Microsoft Active Directory Federation Services is a Windows Server component that provides users with authenticated access to applications.

You can add MFA to ADFS for added security.

Installed agent, Gateway, configured Resource.

Question 15

Define RD Web.
What does the AuthPoint Agent for RD Web do?
What 2 parts make the Agent?

Answer 15

Microsoft Remote Desktop Web Access is a web page that shows a list of applications published from a server. From the webpage, authenticated users can launch each application.

Provides MFA to RD Web Access.

Installed Agent, configured Resource.

Question 16

What Resource types are supported? What are they?
There are 8.

Answer 16

IdP Portal: A portal page that shows users the SAML resources available to them.
Logon App: Used to configure and define authentication policies for the Logon App.
RD Web: Used to add MFA to RD Web.
Firebox: Enable AuthPoint as an auth. server on a locally managed firebox connected to WG Cloud.
RADIUS Client: An application or service that uses RADIUS authentication.
SAML: An application or service that uses SAML authentication.
ADFS: Used to add MFA to ADFS authentication.
RESTful API Client: Used to configure and define authentication policies for a RESTful API client.

Question 17

What are the 10 AuthPoint settings tiles?
Give a brief description of uses.

Answer 17

Authpoint Policies: Configure auth. policies to specify which resources AuthPoint users can authenticate to and which authentication methods they can use.

Resources: Configure the applications and services that your users connect to.

Groups: Configure user groups.

Policy Objects: Configure th policy objects to define specific scenarios that authentication policies apply to.

Users: Manage AuthPoint users and tokens. Add users directly in AuthPoint or import from an external LDAP server.

External Identities: Configure the information required for AuthPoint to connect to AD or LDAP databases to get user account info and validate passwords.

Gateway: Confiugre settings for the AP Gateway, which allows AP to communicate with RADIUS clients, ADFS agent, and AD or LDAP database.

Tokens: Import and associate hardware tokens.

User Inheritance: Send and manage user inheritance requests. Service Providers cam request that managed accounts inherit an AP user from the Service Provider account.

Corporate Credentials: Configure Corporate Credentials to share a direct link to a specific website with specific user groups.

Question 18

In what order does WatchGuard recommmend you configure the settings tiles in the AuthPoint management UI?

Answer 18

From top to bottom.

Question 19

In WatchGuard cloud you can monitor AuthPoint.
Where can you find this?
What can you monitor?
There are 6 sections.

Answer 19

Monitor > AuthPoint.

User Activity: Bar graph showing how many times each active user has authenticated, and the last time an inactive user logged in. Also shows how and when users were blocked.

Authentication: Bar graph showing successful and failed authentication attempts for each user. For each attempt, a list shows the authentication date, the token used, authentication method, and the resource authenticated to.

Resource Activity: Bar graph showing successful and failed auth. attemps for each Resource. For each attempt, a list shows which user auth.cated, the auth date, the token used, and the auth. method.

Denied Pist Notifications: Bar graph showing how many push notifications have been denied by users.

Activation Activity: List of user tokens that have not been activated.

Sync Activity: Information about the synchronization of your ldap database, if added external identity.

Question 20

Where can you find additional information about AuthPoint Events useful for troubleshooting?

Answer 20

Administration > Audit logs and notifications.

Question 21

Custom Branding, you can customise these items for AuthPoint:
Logos and images in…
The reply-to email address for…
The logo and thumbnail on…
The logo, thumbnail, and background image for…

Answer 21

emails sent by AuthPoint.
emails sent by AuthPoint.
the Set Password and Token Activation web pages.
the IdP Portal.

Question 22

This is regarding AuthPoints SSO feature.
When a user authenticates, the web browser creates a session and remembers the user. While the session is active, what 3 resources don’t need to authenticate again?
What’s the exception?

Answer 22

SAML resources
RD Web resources
IdP Portal

The resource requires a more secure authentication method than the initial authentication provided.

Question 23

In regards to SSO and requiring extra Authentication.
Order the following from least secure to most:
OTP
Password
Push Notification
QR Code

Answer 23

Password
OTP
QR Code
Push Notification
[AuthPoint considers QR and Push equally secure]

Question 24

AuthPoint supports 2 types of tokens, what are they?
How many can a user have?

Answer 24

Software Tokens
20

Hardware Tokens
Any number

Question 25

Where do you migrate tokens from?

Answer 25

AuthPoint Mobile App

Question 26

Does the AuthPoint Mobile App support third party tokens?

Answer 26

yes

Question 27

I have multiple mobile devices, can I use the same software token across all of them?

Answer 27

No, need unique tokens each.

Question 28

What are the two ways to activate a token?

Answer 28

Click the link in the token activation email.
Navigate to te IdP Portal annd click the Activate Token Link.

Question 29

How to authenticate with a RADIUS server and OTP?

Answer 29

password+OTP

Question 30

What is the process to occur if a user forgets/misplaces their tokens?

Answer 30

1. A user forgets or misplaces the mobile device they use for authentication. They must contact their AuthPoint administrator.
2. The user provides the AuthPoint administrator with the Activation Code value shown in the Forgot Token window.
3. The AuthPoint administrator provides the user with a Period value and a Verification Code.
4. The user types their password and validates the Period and Verification Code. Once validated, the user can log in with their password.

Question 31

What are the third-party hardware token requirements?
There are 3

Answer 31

Response Format: 6 digit, numerical, time-based OTP witha 30 or 60 second interval.

Algorithym: OATH time-based OTP (RFC 6238)

Seed Delivery: OATH PSKC file (RFC 6030)

Question 32

What two things need to be uploaded to AuthPoint in order to import third-party hardware tokens?

Answer 32

Seed File: A Portable Symmetric Key Container (PSKC) file. Imports token/device information. XML PSKC TXT VIP

Key:Used to decrypt Seed File. Can be a manually entered string or a file. TXT BIN

Question 33

When you make a local AuthPoint user, two emails are sent to the user.
What are they?

Answer 33

Email to set their AuthPoint Password.
Email to activate their AuthPoint Token.

Question 34

In regards to LDAP or AD external identities…
What are Queries?

Answer 34

They specify which users to sync to AuthPoint. Queries request account information from the external database.
Queries also need an AuthPoint Group to sync the accounts to.

Question 35

When an external user authenticates, what method is used to validate the password.

Answer 35

AuthPoint sends entered password to external server for validation.

Question 36

LDAP, AD and Azure AD.
Which needs an AuthPoint Gateway?

Answer 36

Azure AD doesn’t need an AP Gateway.

Question 37

There are two types of LDAP queries, what are they?

Answer 37

Group Sync: Select the LDAP groups you want to sync. AuthPoint creates the query.

Advanced Query: Create your own LDAP query.

Question 38

What 3 properties does an external user need to be synced to AuthPoint?

Answer 38

Username
Firstname
Email Address

Question 39

On the user page, what do the coloured dots in the user status mean?
Green
Yellow
Red

Answer 39

Activated: User can authenticate with any active tokens.

Quarantined: LDAP user cannot auth. because the LDAP user was moved or deleted, the external identity was deleted, or other domain information was changed.
Cannot access their Password Vault.

Blocked: Cannot authenticate to any resource or Password Vault. Can still use third party tokens.

Question 40

Token status colours under users:
Grey
Green
Red

Answer 40

Pending: Token not activated.
Activated: Activated and can be used.
Blocked: Cannot use to authenticate.

Question 41

What must a user have to access their Password Vault?

Answer 41

Active Token

Question 42

There are two ways to Block Authentication.
Use cases.

Answer 42

Block a User: Useful if an employee leaves or their user account is compromised.

Block a Token: A user loses their phone or Hardware Token.

Question 43

When you configure an authentication policy, you specify 5 things.
What are they?

Answer 43

Whether the policy allows or denies authentications.
Which authentication methods are required.
Which resources the policy applies to.
Which user groups the policy applies to.
Which policy objects apply to the authentications.

Question 44

Authentication Policies
RADIUS Resources have an authentication exception.
What is it?
How does it change id RADIUS client resources use MS-CHAPv2?

Answer 44

If you enable both PUSH and OTP, only PUSH is used.
Cannot use QR code.

Only PUSH auth. supported.

Question 45

How are Authentication Policy conflicts handled?

Answer 45

Highest priority Policy takes precedence.

Question 46

There are 5 conditions that can go into a policy to determine what method of Authentication can be used.
What are they?

Answer 46

The resource the user auth.s to.
The AP groups the user is a member of.
The user’s IP address.
The time of the authentication.
The location of the user.

Question 47

You can configure 4 types of policy object.
Name them.

Answer 47

Network Locations.
Time Schedules.
Geofences.
Geokinesis.

Question 48

What makes Geokinesis different from the other 3 policy object types?

Answer 48

They apply after authentication is complete.

Question 49

What two types of authentication cannot be used with Network Location policy objects?

Answer 49

RADIUS and basic (ECP) authentication.

Question 50

For Remote Desktop Protocol (RDP) connections how does AuthPoint determine if the authentication comes from a network location.

Answer 50

Uses the IP address connected to port 3389 or 443.

Question 51

Requirements to use geofencing with ADFS.

Answer 51

Need to use the custom WG ADFS theme or another custom ADFS theme.

Question 52

Requirements to use geofencing and geokinesis with RD Web.

Answer 52

You must edit the webscripts-domain.js file on your RD Web Access server and configure the client to save the user location as a cookie on the RDWeb server.

Question 53

Two resources don’t support geofenceing or geokinesis.
What are they?

Answer 53

AuthPoint agent for macOS
RADIUS

Question 54

Which 4 resources use browser-based location data?

Answer 54

IdP Portal
SAML
RD Web
ADFS

Question 55

What authentication types only support IP address location data?
3 of them

Answer 55

RDP connections
Firebox resources
Windows virtual machines

Question 56

If an AuthPoint user account is…
blocked
deleted
…can they access their password vault?

Answer 56

No
No

Question 57

Other than accesing SAML sites and corporate credentials, what 2 things can the IdP Portal be used for?

Answer 57

Activate software tokens.
Activate the Forgot Token Feature.

Question 58

There are two parts to the Logon App, what are they?

Answer 58

The application you install on a computer or server (AuthPoint Agent).
The resource you configure in AuthPoint.

Question 59

There are 3 things you must do to set up the Logon App, what are they?

Answer 59

Configure a Logon App Resource in AuthPoint Management UI.
Configure an auth. policy for the Logon App Resource.
Download the installer and config. file for the Logon App. Make sure in same directory.

Question 60

Does the Logon App auto update.

Answer 60

No

Question 61

What conditions needs to be met before a user logs onto a computer through Logon App for the first time?

Answer 61

Must have an internet connection

Question 62

Before you install an AuthPoint Gateway there are 3 things to make sure of.

Answer 62

The computer it will be installed on has internet access.

The computer can communicate with your RADIUS clients and AD or LDAP database.

You have the registration key for your Gateway, if setup fails you will need another key.

Question 63

The AuthPoint Gateway runs 4 services.
What are they?

Answer 63

The Gateway Service handles connections to your AuthPoint account in the cloud and sends config. settings to the other 3 services.
The other 3 services handle RADIUS, ADFS, and LDAP communication on the local network.

Question 64

AuthPoint Gateway status:
Green
Grey
Red

Answer 64

Installed and can communicate with WatchGuard Cloud.

Gateway not installed

Not connected and cannot communicate with WG Cloud.

Question 65

To configure MFA for a RADIUS client, you must do these 5 things.

Answer 65

Conf. or set up your RADIUS client.

Add a RADIUS Client Resource.

Download and install the AuthPoint Gateway.

Add the RADIUS Client Resource to the config. for your Gateway.

Conf. an auth. policy for the RADIUS Client Resource.

Question 66

RADIUS MS-CHAPv2 requires an additional server, what server?

Answer 66

NPS RADIUS Server.

Question 67

Is the IdP Portal required for SAML authentication?

Answer 67

No

Question 68

SAML
To configure MFA for a service provider, you must do these 4 things.

Answer 68

Create an AP SAML certificate.
Conf. SAML authentication for your third-part service provider.
Add an SAML Resource in AP Management UI.
Conf. an auth. policy for the SAML Resource.

Question 69

What is AuthPoint Metadata used for?

Answer 69

Configure third party SAML Resources.

Question 70

When you add a SAML Resource in AuthPoint, you must configure these 3 settings.

Answer 70

Service Provider Entity ID and Assertion Consumer Service.
User ID.
AuthPoint Certificate.

Question 71

Where are AuthPoint Gateway logs stored?

Answer 71

C:\ProgramData\WatchGuard\AuthPoint\Logs