Overview
The RCDevs Mobile Badging solution is an integral part of the WebADM Framework, OpenOTP web-service, and the OpenOTP Token application. It offers the following key features:
- Time tracking of users;
- Work location verification with generated audit proof;
- Automated group membership management based on badge-in/badge-out operations;
- Automatic badge-in operation with a NAC implementation on Wi-Fi/Ethernet networks. Device authentication through a client certificate can be linked to a user, and the device is not allowed to access the network until the user has badged in;
- Restriction of badging operations to specific countries or areas;
- User accounts remain inactive at the LDAP level until the user has badged in or checked in;
- Can be utilized as a third factor of authentication: a badging operation can be required to access a system or a set of systems.
To enable this feature in your WebADM infrastructure, the following requirements must be met:
- Push mechanisms configured within your WebADM infrastructure.
- WebADM version 2.1.16 or later.
- OpenOTP version 2.1.6 or later.
- OpenOTP Token application version 1.5.16 or later.
- BADGE option included in your freeware, enterprise, or trial license.
- Optionally, the Sign & Seal feature included in your license, with signature credits, to use an eIDAS-trusted certificate for timestamping each transaction.
Enabling Mobile Badging
To configure mobile badging, navigate to the WebADM Admin interface and select the Applications tab. Under this tab, click the CONFIGURE link under MFA Authentication Server.
On the next page, locate the Mobile Badging section, where you can enable the Mobile Badging feature and choose between three modes: BADGE, CHECK, or MIXED.
- The BADGE mode allows users to badge-in and badge-out, with a time-tracking feature and badge-only access policies.
- The CHECK mode only allows badge-in, without any badge-out or time tracking involved.
- The MIXED mode combines the previous two modes, with functionality depending on the user's location.
Combined with client policies, you can prevent a user from logging into a system if they haven't badged-in during the current day.
You can configure which information is collected by selecting Data Collection and then checking the options you want, such as GPS, DN, IP, and Mobile. This data is stored in the SQL database configured with your WebADM and submitted directly from the mobile device to your OpenOTP mobile endpoint URL. It is never forwarded through RCDevs' cloud infrastructure, and RCDevs does not have access to this data.
The next option pertains to the certificate used for timestamping badging operations. You can choose between local CA or eIDAS. The eIDAS option requires purchasing signature credits from RCDevs and communicating with https://cloud.rcdevs.com for timestamping operations. The local CA option uses the WebADM PKI service for timestamping and does not require signature credits.
The Allowed Locations feature allows you to restrict badging operations to specific countries. By enabling this option, you can select the countries from which badging operations are permitted. If this option is not enabled, badging operations are allowed from all locations.
The Allowed Area setting lets you define a GPS location with a radius within which badging operations are allowed.
Except for the Timestamping feature, all listed settings can be configured per group or per user for better granularity and flexibility.
OpenOTP Token Badging
Push Token registered before enabling the badging feature
If you enable the badging feature after push token registration, users will be prompted to resynchronize their token during the next push notification they receive. The resynchronization will enable the badging feature on the Token.
The user must click the Continue button to perform the resync operation. Afterward, the badging feature will appear on their token, along with the Badge-In button.
Users can also manually resynchronize the server configuration by clicking the Resync icon in the token view.
If the resynchronization operation is successful, a confirmation message will appear at the top of the screen, and the Badge-In button will be visible.
The Token is now ready for badging purposes.
Push Token registered after enabling the badging feature
If the Badging feature is enabled in the OpenOTP configuration before token registration, it will be automatically activated on the registered Token.
Badge Mode
Once you have a compatible token, click on it, and you will see the Badge-In button. Click the Badge-In button to proceed with the operation. A confirmation message will appear at the top of the screen when the operation is successful, and the Badge-In button will automatically switch to the Badge-Out button for the next badge-out operation.
Click the Badge-Out button to badge out, and the Badge-Out button will automatically switch back to the Badge-In button for the next badge-in operation.
The time between the use of the two buttons is held in WebADM to calculate the time that the user has been badged in.
Check Mode
This time we switched the Mobile Badging setting in the OpenOTP configuration from BADGE mode to CHECK mode.
On the Token side, the main difference is that after the Badge-In operation, the button switches to Checked and is greyed out.
If you leave the Token and come back to it, the Badge-In button reappears.
Mixed Mode
To enable this mode, you must configure the office's geolocation in the WebADM LDAP OptionSets. Without this configuration, the mode will not function correctly.
This mode adapts based on the user's location. If the user is at the office, badging will operate in CHECK mode. If the user is remote, such as working from home or another location, mobile badging will function in BADGE mode with time tracking.
WebADM Configuration
LDAP Option Sets
Mobile Badging
Some mobile badging options are configurable through the LDAP Option Sets feature of WebADM. You can configure multiple LDAP Option Sets to apply different settings based on the branch of your LDAP tree where the Option Sets are applied.
To edit an LDAP Option Set, go to the Admin tab, select the LDAP Option Sets box, and click the CONFIGURE button next to the set you want to modify.
If you haven't created any LDAP Option Sets, please refer to the LDAP Option Set documentation for instructions on creating and configuring them.
In the LDAP Option Sets, navigate to the Mobile Badging section to configure the following settings:
- Office Coordinates: Set the location(s) of your office(s) to manage badging/check operations from these locations. Define the country (or countries) where your office is located so that badging from these areas is not considered remote. You can configure GPS coordinates for precise location tracking. Use the edit button to set the office position via Google Maps and define an acceptable radius around the coordinates. You can specify the office location either by entering the address or by pinpointing it directly on the map.
- Office Networks: Configure your office network subnets to detect badging/check operations from your office networks.
- Check Badging Expire: The minimum time (in hours) for which access remains allowed after a badge-in in CHECK mode. If not set, client access remains allowed for one hour by default.
- Check Badging Hours: Daily time slots during which a badge-in under CHECK mode remains active.
- Badged Users Group: LDAP group that is automatically populated with users who have badged in.
- Office Users Group: LDAP group that is automatically populated with users who have badged in from the office.
- User Lockout: This setting allows you to lock a user account at the LDAP level when the user performs a badge-out operation, or when an automatic badge-out is performed by WebADM background jobs. The account remains unusable at the LDAP level until the user performs a badge-in operation. The attribute used depends on the directory:
  - On Active Directory, the logonHours attribute is used. When badged out, "Logon Hours" is set to "Logon Denied", and when badged in, it is set to "Logon Permitted".
  - On OpenLDAP, the pwdAccountLockedTime attribute is used (password lockout must be enabled in the password policy object).
  - On DS389, the nsAccountLock attribute is used.
  - On Novell eDirectory, the loginDisabled attribute is used.
Enabling that feature requires ensuring that no other application manipulates these attributes, to avoid conflicts or inconsistent data.
For that same setting, the Network option allows you to lock network access for devices associated with a user until the user badges in.
If the Option Set is disabled while accounts have been locked out through that feature, users will need to perform a badge-in operation to re-enable their accounts. The next badge-out operation by the user will not lock them out.
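The Mixed Mode section and the Office Coordinates / Office Networks settings above describe how WebADM decides whether a badging request comes from the office (CHECK behaviour) or from a remote location (BADGE behaviour with time tracking). The following Python block is an added example written for this page, not RCDevs' code: it models one Option Set's office definition (`Office`, a hypothetical structure), matches the request's source IP against the Office Networks subnets, measures the submitted GPS position against the office radius with the haversine formula, and applies the Allowed Locations country restriction first. The office coordinates, subnet and IP addresses are constructed sample values.

```python
import math
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


# Hypothetical model of one LDAP Option Set's "Office Coordinates" and
# "Office Networks" settings (not WebADM's own data structures).
@dataclass(frozen=True)
class Office:
    name: str
    country: str               # country the office is located in
    lat: float
    lon: float
    radius_m: float            # acceptable radius around the coordinates
    networks: Tuple[str, ...]  # office subnets in CIDR notation


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    earth_radius_m = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_m * math.asin(math.sqrt(a))


def classify_badging(
    offices: Sequence[Office],
    country: str,
    ip: Optional[str] = None,
    gps: Optional[Tuple[float, float]] = None,
    allowed_countries: Optional[Sequence[str]] = None,
) -> Tuple[str, Optional[str], str]:
    """Decide how a badging operation is handled in MIXED mode.

    Returns (mode, office_name, reason): "CHECK" when the user is at an office,
    "BADGE" when remote (time tracking applies), "DENY" when the country is
    outside Allowed Locations.
    """
    # Allowed Locations: badging restricted to the selected countries.
    if allowed_countries is not None and country not in allowed_countries:
        return "DENY", None, "country is not in Allowed Locations"
    for office in offices:
        # Office Networks: source IP of the badging request inside an office subnet.
        if ip is not None:
            addr = ipaddress.ip_address(ip)
            if any(addr in ipaddress.ip_network(net) for net in office.networks):
                return "CHECK", office.name, "request came from an Office Network"
        # Office Coordinates: submitted GPS position within the configured radius.
        if gps is not None and haversine_m(gps[0], gps[1], office.lat, office.lon) <= office.radius_m:
            return "CHECK", office.name, "GPS position inside the office radius"
    return "BADGE", None, "user is remote"


# Constructed sample office; coordinates and subnet are illustrative only.
OFFICES = (
    Office("LU-HQ", "LU", 49.6116, 6.1319, 200.0, ("10.10.0.0/16",)),
)

if __name__ == "__main__":
    print(classify_badging(OFFICES, "LU", ip="10.10.3.7"))
    print(classify_badging(OFFICES, "LU", ip="203.0.113.5", gps=(49.6120, 6.1325)))
    print(classify_badging(OFFICES, "LU", ip="203.0.113.5", gps=(49.50, 6.13)))
    print(classify_badging(OFFICES, "US", ip="198.51.100.9", allowed_countries=("LU", "FR")))
```

Subnet matching runs before the GPS check because a source address inside an office network is the stronger signal; a device on the office Wi-Fi with GPS disabled is still recognised as being at the office, while a spoofable GPS fix alone never overrides a country restriction.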
Multiple offices/countries
If you have multiple office locations, you may configure multiple LDAP Option Sets in order to apply different settings per office (office location, office networks, badging hours, and so on). In that case, your LDAP database should be structured by country or by office, for example, so that a different configuration can be applied per country/office: an LDAP Option Set is applied on a specific LDAP container/tree (Organizational Unit or Organization) and cannot conflict with another LDAP Option Set on the target subtree.
Remote Work Accounting
There is a whole section dedicated to Remote Work Accounting, which is related to mobile badging.
Depending on the country from which you work, the quota for remote work differs. That's why the remote quota option lets you dedicate a specific number of allowed remote work days per country.
Client Policy
Client policies defined for your systems can be configured to require a daily badging/check operation from your users in order to access that third-party system with their account. The advantage of that feature is to prevent access to a system when the user is not badged-in or checked on the servers. Users' authentication automatically becomes unusable on these third-party systems until the user who is trying to log in performs the badge-in/check operation from their mobile.
The first of these two options allows you to enforce badging in this particular client policy. It means that the user won't be able to authenticate without being badged-in or checked-in, depending on the badging mode activated.
The second option is to enforce an IP address match between the badging operation and the user IP retrieved during the authentication on a third-party system.
- If you use Address, then the user must badge-in/check from the same network location as the one from which they are authenticating on that third-party system.
- If you use Country, then the user must badge-in/check from the same country as the one from which they are authenticating on that third-party system.
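The client policy rules above (daily badge-in/check required, CHECK validity governed by Check Badging Expire and Check Badging Hours, and the optional Address or Country match) can be expressed as one access decision. The Python block below is an added example for this page, not OpenOTP's implementation: `BadgeEvent`, `ClientPolicy` and `evaluate_access` are hypothetical names, the sample events and addresses are constructed, and it assumes that a check stays active while the current time falls in a configured daily slot and, in any case, for the expiry period after the check (one hour when not set). The Address match is implemented as an exact IP comparison, which is a simplification of "same network location".

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class BadgeEvent:
    kind: str          # "badge-in", "badge-out" or "check-in" (hypothetical labels)
    at: datetime
    ip: str            # IP submitted with the badging operation
    country: str       # country resolved for the badging operation


@dataclass(frozen=True)
class ClientPolicy:
    require_badging: bool = True   # first option: enforce badging for this policy
    match: Optional[str] = None    # second option: None, "Address" or "Country"


DailySlots = Sequence[Tuple[time, time]]


def in_daily_slots(now: datetime, slots: DailySlots) -> bool:
    """True when the wall-clock time falls inside one of the Check Badging Hours."""
    t = now.time()
    return any(start <= t < end for start, end in slots)


def check_still_active(event: BadgeEvent, now: datetime,
                       expire_hours: float = 1.0, slots: DailySlots = ()) -> bool:
    """CHECK mode: the check must be from today and either within the expiry
    period (Check Badging Expire) or inside a configured daily slot."""
    if event.kind != "check-in" or event.at.date() != now.date() or now < event.at:
        return False
    if now - event.at <= timedelta(hours=expire_hours):
        return True
    return in_daily_slots(now, slots)


def evaluate_access(policy: ClientPolicy, mode: str, last_event: Optional[BadgeEvent],
                    now: datetime, auth_ip: str, auth_country: str,
                    expire_hours: float = 1.0, slots: DailySlots = ()) -> Tuple[bool, str]:
    """Return (allowed, reason) for an authentication on a third-party system."""
    if not policy.require_badging:
        return True, "policy does not require badging"
    if last_event is None:
        return False, "no badging operation recorded"
    if mode == "BADGE":
        # The latest operation today must be a badge-in (a badge-out ends access).
        if last_event.kind != "badge-in" or last_event.at.date() != now.date():
            return False, "user is not badged-in today"
    elif mode == "CHECK":
        if not check_still_active(last_event, now, expire_hours, slots):
            return False, "no active check"
    else:
        raise ValueError("mode must be BADGE or CHECK (MIXED resolves to one of them)")
    # Optional IP/country match between the badging operation and the login.
    if policy.match == "Address" and auth_ip != last_event.ip:
        return False, "authentication address differs from badging address"
    if policy.match == "Country" and auth_country != last_event.country:
        return False, "authentication country differs from badging country"
    return True, "access granted"


# Constructed sample data: office hours as Check Badging Hours, one check at 09:00.
SLOTS = ((time(8, 0), time(12, 0)), (time(13, 0), time(18, 0)))
CHECK = BadgeEvent("check-in", datetime(2024, 3, 4, 9, 0), "10.10.3.7", "LU")
ADDRESS_POLICY = ClientPolicy(require_badging=True, match="Address")
COUNTRY_POLICY = ClientPolicy(require_badging=True, match="Country")

if __name__ == "__main__":
    for when, ip in ((datetime(2024, 3, 4, 11, 30), "10.10.3.7"),
                     (datetime(2024, 3, 4, 12, 30), "10.10.3.7"),
                     (datetime(2024, 3, 4, 9, 45), "203.0.113.5")):
        print(when.time(), ip, evaluate_access(ADDRESS_POLICY, "CHECK", CHECK, when, ip, "LU", 1.0, SLOTS))
```

The decision is deliberately fail-closed: any missing or stale badging record denies access, and the match options only ever add further reasons to deny, never grant access on their own.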
Database
Go to the Databases tab, where you will find the Physical Access & Mobile Badging database in the SQL Data Tables section. That's where information about users' checks and badging is stored.
In this table, you can see the time spent badged-in or checked-in by each user on each day of the last month. While a user is badged-in, the cell for that day remains orange until the user badges out, after which it turns green.
A time range is configurable to define the range within which users are allowed to badge-in and badge-out. Being outside this range won't block the badging, but it will turn the cells pink, and the time spent outside the range won't be counted in the Presence column.
You can also restrict which users are displayed in the database with filters such as: Active Users, Remote Work, Office Work, Has Absences, No Badge-out.
You can also create some filters to display only relevant information:
To have the location In Office and the little white triangle in the cells, the Office Position must be configured in the LDAP Option Sets.
Every single check-in, badge-in or badge-out is stored, and all the details of these actions are available. To view the details of these actions for a given day, click on the time spent on that day.
If you have configured the remote options in the LDAP Option Sets, two more columns are added at the right of the table. They display the days worked remotely out of the days allowed by the quota defined in the LDAP Option Sets.
Here, another WebADM Option Set has been defined for Jane Doe, whose office is located in France but who badged in from Luxembourg. In the database report, she is considered a remote worker.
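To make the report columns described above concrete (presence time clipped to the allowed time range, the pink "outside range" marker, the No Badge-out state, and remote days counted against the per-country quota from Remote Work Accounting), here is an added Python example written for this page rather than WebADM's reporting code. `Event` and `build_report` are hypothetical names, the events are constructed sample data for a user whose office is in France, and it assumes that a day counts as remote when the badging country is not one of the office countries and that the quota is keyed by the country the user worked from.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    kind: str         # "badge-in" or "badge-out"
    at: datetime
    country: str      # country resolved from the submitted GPS/IP data


def presence_seconds(badge_in: datetime, badge_out: datetime,
                     range_start: time, range_end: time) -> float:
    """Seconds counted in the Presence column: the badged interval clipped to
    the configured time range (time outside the range is not counted)."""
    lo = datetime.combine(badge_in.date(), range_start)
    hi = datetime.combine(badge_in.date(), range_end)
    start, end = max(badge_in, lo), min(badge_out, hi)
    return max(0.0, (end - start).total_seconds())


def build_report(events: Sequence[Event], range_start: time, range_end: time,
                 office_countries: Sequence[str], remote_quota: Dict[str, int]
                 ) -> Tuple[Dict[date, dict], Dict[str, Tuple[int, int]]]:
    """Return one row per day and the (used, allowed) remote days per country."""
    def new_row(country: str) -> dict:
        return {"country": country, "remote": country not in office_countries,
                "presence_h": 0.0, "outside_range": False, "no_badge_out": False}

    days: Dict[date, dict] = {}
    pending = None  # last badge-in still waiting for its badge-out
    for ev in sorted(events, key=lambda e: e.at):
        day = ev.at.date()
        row = days.setdefault(day, new_row(ev.country))
        if ev.kind == "badge-in":
            if pending is not None:  # previous badge-in was never closed
                days[pending.at.date()]["no_badge_out"] = True
            pending = ev
            row["outside_range"] |= ev.at.time() < range_start
        elif ev.kind == "badge-out" and pending is not None and pending.at.date() == day:
            row["presence_h"] += presence_seconds(pending.at, ev.at, range_start, range_end) / 3600.0
            row["outside_range"] |= ev.at.time() > range_end
            pending = None
    if pending is not None:
        days[pending.at.date()]["no_badge_out"] = True

    used: Dict[str, int] = defaultdict(int)
    for row in days.values():
        if row["remote"]:
            used[row["country"]] += 1
    quota_status = {c: (used[c], remote_quota.get(c, 0)) for c in used}
    return days, quota_status


# Constructed sample: office in France, allowed range 08:00-18:00, LU remote quota of 10 days.
SAMPLE_EVENTS = (
    Event("badge-in", datetime(2024, 3, 4, 7, 30), "FR"),
    Event("badge-out", datetime(2024, 3, 4, 18, 30), "FR"),
    Event("badge-in", datetime(2024, 3, 5, 9, 0), "LU"),
    Event("badge-out", datetime(2024, 3, 5, 17, 0), "LU"),
    Event("badge-in", datetime(2024, 3, 6, 8, 30), "LU"),
)
REPORT, QUOTA = build_report(SAMPLE_EVENTS, time(8, 0), time(18, 0), ("FR",), {"LU": 10})

if __name__ == "__main__":
    for day, row in REPORT.items():
        print(day, row)
    print(QUOTA)
```

Running it shows 10.0 presence hours on 4 March (the 07:30 to 18:30 interval clipped to the 08:00 to 18:00 range, flagged as outside the range), a remote day from Luxembourg on 5 March, and an open badge-in on 6 March that the No Badge-out filter would surface.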
Badging and Network Access Control (NAC)
Badging and Network Access Control allows a device, such as a computer, mobile phone, or laptop, to be linked to a specific user or group. Once a device is linked to a specific user, when it performs an EAP authentication on Wi-Fi or Ethernet networks, the user associated with the device can be automatically badged-in if automatic badging is enabled.
In scenarios where EAP-TLS authentication is used, a client certificate can be linked to the device. This linkage ensures that the certificate is only usable from that specific device, as the certificate is tied to the device's MAC address, adding an additional layer of security and ensuring that network access is restricted to authorized devices. A device authentication linked to a user which is not badged will not be authorized.
Automatic User Badging from Trusted Devices and Trusted Networks
When the NAC (Network Access Control) feature of OpenOTP and Radius Bridge (Authentication Servers) is enabled and configured with your network devices (Authenticators), the MAC addresses of your end-users' devices (Supplicants) will be populated in the SQL table specified in WebADM, within the Network table. Additionally, you can enable automatic badging by clicking on the Auto Badge radio button, which will automatically badge the user when their device is authenticated. Accesses requiring badging will then be granted, and if the user account was locked through the User Lockout feature of the LDAP Option Set, the account will also be automatically unlocked.
In the example below, the device with MAC address 1E:45:C1:F3:BE:51 belongs to John Doe's mobile phone. When John is at the office, his phone will attempt to connect and log in to access the Wi-Fi network. Since auto-badging is enabled for this MAC address, John will be automatically badged in.
Automatic badging should not be enabled on devices that remain constantly connected, such as a computer. Otherwise, the user will always be badged in, even when they are not physically at the office.
Check worker location
At any time, you can send a location check request to your end users. To do this, log in to the WebADM Administrator portal and click on the user account in the LDAP tree, or search for it through the Search menu. In the Application Actions box, click on MFA Authentication Server. Scroll down to find the Check on a Remote Worker menu.
You will then reach a form that allows you to send the request to the end user. You can customize the message that will appear in the request.
Once on this page, you can adjust the different settings and then click Start to send the notification to the user's mobile phone.
Finally, you have the confirmation of the check and the location of the user on the WebADM GUI after the actions on the mobile phone have been completed.
The remote worker check API used behind the previous form can be integrated into an HR system by implementing API calls.