Overview

The RCDevs Mobile Badging solution is an integral part of the WebADM Framework, OpenOTP web-service, and the OpenOTP Token application. It offers the following key features:

  • Time tracking of users;
  • Work location verification, with audit proof generated;
  • Automated group membership management based on badge-in/badge-out operations;
  • Automatic badge-in operation with NAC implementation on Wi-Fi/Ethernet networks: device authentication through a client certificate can be linked to a user, and the device is not allowed to access the network until the user has badged in;
  • Restriction of badging operations to specific countries or areas;
  • User accounts remain inactive at the LDAP level until the user has badged in or checked in;
  • Use as a third factor of authentication: a badging operation can be required to access a system or a set of systems.

To enable this feature in your WebADM infrastructure, the following requirements must be met:

  • Push mechanisms configured within your WebADM infrastructure.
  • WebADM version 2.1.16 or later.
  • OpenOTP version 2.1.6 or later.
  • OpenOTP Token application version 1.5.16 or later.
  • BADGE option included in your freeware, enterprise, or trial license.
  • Optionally, the Sign & Seal feature included in your license with signature credits to use an eIDAS-trusted certificate for timestamping each transaction.

Enabling Mobile Badging

To configure mobile badging, navigate to the WebADM Admin interface and select the Applications tab. Under this tab, click the CONFIGURE link under MFA Authentication Server.

On the next page, locate the Mobile Badging section, where you can enable the Mobile Badging feature and choose between three modes: BADGE, CHECK, or MIXED.

  • The BADGE mode allows users to badge-in and badge-out with a time-tracking feature and badge-only access policies.
  • The CHECK mode only allows for badge-in without any badge-out or time-tracking involved.
  • The MIXED mode combines the previous two modes, with functionality depending on the user’s location.

Combined with client policies, you can prevent a user from logging into a system if they haven't badged-in during the current day.

You can configure which information is collected by selecting Data Collection and then checking the options you want, such as GPS, DN, IP, and Mobile. This data will be stored in the SQL database configured with your WebADM and submitted directly from the mobile device to your OpenOTP mobile endpoint URL. It is never forwarded through RCDevs' cloud infrastructure, and RCDevs does not have access to this data.

The next option pertains to the certificate used for timestamping badging operations. You can choose between local CA or eIDAS. The eIDAS option requires purchasing signature credits from RCDevs and communicating with https://cloud.rcdevs.com for timestamping operations. The local CA option uses the WebADM PKI service for timestamping and does not require signature credits.

The Allowed Locations feature allows you to restrict badging operations to specific countries. By enabling this option, you can select the countries from which badging operations are permitted. If this option is not enabled, badging operations are allowed from all locations.

The Allowed Area setting lets you define a GPS location with a radius where badging operations are allowed.

Except for the Timestamping feature, all listed settings can be configured per group or per user for better granularity and flexibility.

OpenOTP Token Badging

Push Token registered before enabling the badging feature

If you enable the badging feature after push token registration, users will be prompted to resynchronize their token during the next push notification they receive. The resynchronization will enable the badging feature on the Token.


The user must click the Continue button to perform the resync operation. Afterward, the badging feature will appear on their token, along with the Badge-In button.


Users can also manually resynchronize the server configuration by clicking the Resync icon in the token view.


If the resynchronization operation is successful, a confirmation message will appear at the top of the screen, and the Badge-In button will be visible.


The Token is now ready for badging purposes.

Push Token registered after enabling the badging feature

If the Badging feature is enabled in the OpenOTP configuration before token registration, it will be automatically activated on the registered Token.

Badge Mode

Once you have a compatible token, click on it, and you will see the Badge-In button. Click the Badge-In button to proceed with the operation. A confirmation message will appear at the top of the screen when the operation is successful, and the Badge-In button will automatically switch to the Badge-Out button for the next badge-out operation.


Click the Badge-Out button to badge out; the Badge-Out button will then automatically switch to the Badge-In button for the next badge-in operation.


The time between the use of the two buttons is held in WebADM to calculate the time that the user has been badged in.

Check Mode

This time we switched the Mobile Badging setting in the OpenOTP configuration from BADGE mode to CHECK mode.


On the Token side, the main difference is that after the Badge-In operation, the button switches to Checked and is greyed out.


If you leave the Token view and return to it, the Badge-In button reappears.

Mixed Mode

To enable this mode, you must configure the office's geolocation in the WebADM LDAP OptionSets. Without this configuration, the mode will not function correctly.

This mode adapts based on the user's location. If the user is at the office, badging will operate in CHECK mode. If the user is remote, such as working from home or another location, mobile badging will function in BADGE mode with time tracking.
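As an added illustration (not RCDevs' code) of how the Office Coordinates, Office Networks and office country settings of an LDAP Option Set can decide between CHECK and BADGE in MIXED mode; the classification rule, the OfficeOptionSet names and the sample Luxembourg office are assumptions:

```python
import ipaddress
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass
class OfficeOptionSet:
    """Constructed stand-in for the Mobile Badging part of an LDAP Option Set."""
    countries: frozenset       # Office Coordinates: country (or countries) of the office
    lat: float                 # Office Coordinates: GPS position
    lon: float
    radius_m: float            # acceptable radius around the coordinates
    networks: tuple            # Office Networks: subnets in CIDR notation

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def is_at_office(opt, country, gps=None, ip=None):
    """True when the badging data places the user at the office.
    Assumed rule: the country must be an office country, and either the GPS fix
    lies within the configured radius or the source IP belongs to an office network."""
    if country not in opt.countries:
        return False
    if gps is not None and distance_m(opt.lat, opt.lon, *gps) <= opt.radius_m:
        return True
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in opt.networks)
    return False

def mixed_mode_for(opt, country, gps=None, ip=None):
    """MIXED mode: CHECK at the office, BADGE (with time tracking) when remote."""
    return "CHECK" if is_at_office(opt, country, gps, ip) else "BADGE"

# Constructed sample: a Luxembourg office with a 200 m radius and one office subnet.
LUX_OFFICE = OfficeOptionSet(frozenset({"LU"}), 49.6116, 6.1319, 200.0, ("10.10.0.0/16",))

if __name__ == "__main__":
    print(mixed_mode_for(LUX_OFFICE, "LU", gps=(49.6120, 6.1319)))   # CHECK
    print(mixed_mode_for(LUX_OFFICE, "FR", gps=(48.8566, 2.3522)))   # BADGE
```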

WebADM Configuration

LDAP Option Sets

Mobile Badging

Some mobile badging options are configurable through the LDAP Option Sets feature of WebADM. You can configure multiple LDAP Option Sets to apply different settings depending on the branch of your LDAP tree to which each Option Set is applied.

To edit an LDAP Option Set, go to the Admin tab, select the LDAP Option Sets box, and click the CONFIGURE button next to the set you want to modify.

If you haven’t created any LDAP Option Sets, please refer to the LDAP Option Set documentation for instructions on creating and configuring them.

In the LDAP Option Sets, navigate to the Mobile Badging section to configure the following settings:

  • Office Coordinates: Set the location(s) of your office(s) to manage badging/check operations from these locations. Define the country (or countries) where your office is located to avoid being considered remote when badging from these areas. You can configure GPS coordinates for precise location tracking. Use the edit button to set the office position via Google Maps and define an acceptable radius around the coordinates. You can specify the office location either by entering the address or by pinpointing it directly on the map.
  • Office Networks: Configure your office network subnets to detect badging/check operations from your office networks.
  • Check Badging Expire: The minimum time for which access remains allowed after a badge-in in CHECK mode (in hours). If not set, client access will remain allowed for one hour by default.
  • Check Badging Hours: Daily time slots during which a badge-in under CHECK mode remains active.
  • Badged Users Group: LDAP group that is automatically populated with users who have badged in.
  • Office Users Group: LDAP group that is automatically populated with users who have badged in from the office.
  • User Lockout: This setting allows you to lock a user account at the LDAP level when they perform a badge-out operation or through an automatic badge-out operation performed by WebADM background jobs. The account remains unusable at the LDAP level until the user performs a badge-in operation.
    • On Active Directory, the logonHours attribute is used. When badged out, the "Logon Hours" is set to "Logon Denied," and when badged in, it is set to "Logon Permitted."
    • On OpenLDAP, the pwdAccountLockedTime attribute is used (password lockout must be enabled in the password policy object).
    • On DS389, the nsAccountLock attribute is used.
    • On Novell eDirectory, the loginDisabled attribute is used.
      Enabling that feature requires ensuring no other applications manipulate these attributes to avoid conflicts or inconsistent data.

For that same setting, the Network option allows you to lock network access for devices associated with a user until the user badges in.

If the OptionSet is disabled while accounts have been locked out through that feature, a badge-in operation will be needed by users to re-enable their accounts. The next badge-out operation by the user will not lock them out.


Multiple offices/countries

If you have multiple office locations, you can configure multiple LDAP Option Sets in order to apply different settings per office (office location, office networks, badging hours, and so on). In that case, your LDAP database should be structured by country or by office, for example, so that a different configuration can be applied per country/office: an LDAP Option Set is applied to a specific LDAP container (tree, Organizational Unit, or Organization) and cannot conflict with another LDAP Option Set on the target subtree.

Remote Work Accounting

A whole section is dedicated to Remote Work Accounting, which is related to mobile badging.


The quota for remote work differs depending on the country you work from. That is why the Remote Quota option lets you define a specific number of allowed remote working days per country.

Client Policy

Client policies defined for your systems can be configured to require a daily badging/check operation from your users before they can access that third-party system with their account. The advantage of this feature is that it prevents access to a system when the user is not badged-in or checked-in on the servers. Users' authentication automatically becomes unusable on these third-party systems until the user trying to log in performs the badge-in/check operation from their mobile.


The first of these two options allows you to enforce badging in this particular client policy. This means that the user will not be able to authenticate without being badged-in or checked-in, depending on the badging mode activated.

The second option enforces a match between the IP address of the badging operation and the user's IP address retrieved during authentication on the third-party system.

  • If you use Address, the user must badge-in/check from the same network location as the one from which they authenticate on that third-party system.
  • If you use Country, the user must badge-in/check from the same country as the one from which they authenticate on that third-party system.
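An added example (not OpenOTP's own logic) showing how the two client policy options above, together with the Check Badging Expire setting from the LDAP Option Set, can be applied to an authentication attempt; the BadgeState/ClientPolicy names, the sample records and the rule that Address matching compares the exact source IP are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class BadgeState:
    """Constructed record of a user's most recent badging operation."""
    mode: str              # "BADGE" or "CHECK"
    badged_at: datetime
    badged_out: bool       # BADGE mode only: a badge-out has followed the badge-in
    ip: str                # source address of the badging operation
    country: str

@dataclass
class ClientPolicy:
    """Constructed stand-in for the two badging options of a client policy."""
    require_badging: bool = False
    ip_match: Optional[str] = None   # None, "Address" or "Country"
    check_expire_h: int = 1          # Check Badging Expire; one hour by default

def badge_is_active(state, now, check_expire_h):
    """BADGE mode: badged in today and not badged out. CHECK mode: not yet expired."""
    if state is None:
        return False
    if state.mode == "BADGE":
        return state.badged_at.date() == now.date() and not state.badged_out
    return now - state.badged_at <= timedelta(hours=check_expire_h)

def authorize(policy, state, now, auth_ip, auth_country):
    """Apply the client policy's badging options to an authentication attempt.
    Returns (allowed, reason)."""
    if not policy.require_badging:
        return True, "badging not enforced by this policy"
    if not badge_is_active(state, now, policy.check_expire_h):
        return False, "user is not badged-in / checked-in"
    if policy.ip_match == "Address" and state.ip != auth_ip:
        return False, "badging address differs from authentication address"
    if policy.ip_match == "Country" and state.country != auth_country:
        return False, "badging country differs from authentication country"
    return True, "badging requirement satisfied"

# Constructed samples: a check-in 30 minutes ago from the office network in Luxembourg,
# and a BADGE-mode user who already badged out this morning.
NOW = datetime(2024, 3, 4, 10, 0)
CHECKED_IN = BadgeState("CHECK", datetime(2024, 3, 4, 9, 30), False, "10.10.5.7", "LU")
BADGED_OUT = BadgeState("BADGE", datetime(2024, 3, 4, 8, 0), True, "10.10.5.7", "LU")

if __name__ == "__main__":
    print(authorize(ClientPolicy(True, "Address"), CHECKED_IN, NOW, "203.0.113.5", "LU"))
```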

Database

Go to the Databases tab, where you will find the Physical Access & Mobile Badging database in the SQL Data Tables section. This is where information about users' checks and badging operations is stored.


This table shows, for each user and each day of the last month, the time spent badged-in or checked-in. While the user is badged in, the cell for that day remains orange until the user badges out, after which it turns green.

A time range can be configured to define when users are allowed to badge in and badge out. Badging outside this range is not blocked, but the cells turn pink and the time spent outside the range is not counted in the Presence column.
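An added example, not part of the WebADM product, of how a day's presence can be computed from badge events with the allowed time range applied, flagging the pink (outside range) and orange (no badge-out) cases; the event format and the 09:00-18:00 range are constructed:

```python
from datetime import datetime, time, timedelta

# Constructed allowed time range for badge-in/badge-out (the report's "Time range").
WORK_RANGE = (time(9, 0), time(18, 0))

def clip_to_range(start, end, range_start, range_end):
    """Portion of the interval [start, end] that lies inside the allowed daily range."""
    day = start.date()
    lo = max(start, datetime.combine(day, range_start))
    hi = min(end, datetime.combine(day, range_end))
    return max(hi - lo, timedelta(0))

def daily_presence(events, range_start, range_end):
    """Summarise one user's badge events for one day.

    events: list of (datetime, "in" | "out") in chronological order.
    Returns the presence counted inside the allowed range, the raw badged time,
    whether any interval crossed the range (shown pink in the report) and
    whether the day ended without a badge-out (cell stays orange, "No Badge-out").
    """
    presence = timedelta()
    raw = timedelta()
    outside_range = False
    open_in = None
    for ts, kind in events:
        if kind == "in":
            open_in = ts
        elif kind == "out" and open_in is not None:
            inside = clip_to_range(open_in, ts, range_start, range_end)
            raw += ts - open_in
            presence += inside
            if inside < ts - open_in:
                outside_range = True
            open_in = None
    return {"presence": presence, "raw": raw,
            "outside_range": outside_range, "no_badge_out": open_in is not None}

# Constructed sample day: badge-in before 09:00 and badge-out after 18:00.
SAMPLE_DAY = [
    (datetime(2024, 3, 4, 8, 50), "in"),
    (datetime(2024, 3, 4, 12, 0), "out"),
    (datetime(2024, 3, 4, 13, 0), "in"),
    (datetime(2024, 3, 4, 18, 30), "out"),
]

if __name__ == "__main__":
    print(daily_presence(SAMPLE_DAY, *WORK_RANGE))
```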

You can also restrict which users are displayed in the database with filters such as Active Users, Remote Work, Office Work, Has Absences, and No Badge-out.

You can also create filters to display only relevant information:


To have the In Office location and the small white triangle displayed in the cells, the Office Position must be configured in the LDAP Option Sets.

Every check-in, badge-in, or badge-out is stored with its full details. To view the details of these actions for a given day, click on the time spent for that day.


If you have configured the remote options in the LDAP Option Sets, two more columns are added on the right of the table. They display the days worked remotely out of the days allowed by the quota defined in the LDAP Option Sets.
Here, another WebADM Option Set has been defined for Jane Doe, whose office is located in France but who badged in from Luxembourg. In the database report, she is considered a remote worker.


Badging and Network Access Control (NAC)

Badging and Network Access Control allows a device, such as a computer, mobile phone, or laptop, to be linked to a specific user or group. Once a device is linked to a specific user, when it performs an EAP authentication on a Wi-Fi or Ethernet network, the user associated with the device can be automatically badged in if automatic badging is enabled.

In scenarios where EAP-TLS authentication is used, a client certificate can be linked to the device. This linkage ensures that the certificate is only usable from that specific device, as the certificate is tied to the device's MAC address, adding an additional layer of security and ensuring that network access is restricted to authorized devices. A device authentication linked to a user which is not badged will not be authorized.

Automatic User Badging from Trusted Devices and Trusted Networks

When the NAC (Network Access Control) feature of OpenOTP and Radius Bridge (Authentication Servers) is enabled and configured with your network devices (Authenticators), the MAC addresses of your end-users' devices (Supplicants) will be populated in the SQL table specified in WebADM, within the Network table. Additionally, you can enable automatic badging by clicking on the Auto Badge radio button, which will automatically badge the user when their device is authenticated. Accesses requiring badging will then be granted, and if the user account was locked through the User Lockout feature of the LDAP Option Set, the account will also be automatically unlocked.

In the example below, the device with MAC address 1E:45:C1:F3:BE:51 belongs to John Doe's mobile phone. When John is at the office, his phone will attempt to connect and log in to access the Wi-Fi network. Since auto-badging is enabled for this MAC address, John will be automatically badged in.


Automatic badging should not be enabled on devices that remain constantly connected, such as a computer. Otherwise, the user will always be badged in, even when they are not physically at the office.

Check worker location

At any time, you can send a location check request to your end users. To do this, log in to the WebADM Administrator portal, click on the user account in the LDAP tree, or search for it through the Search menu. In the Application Actions box, click on MFA Authentication Server. Scroll down to find the Check on a Remote Worker menu.


You will then reach a form that allows you to send the request to the end user. You can customize the message that will appear in the request.


Once on this page, adjust the settings as needed and then click on Start to send the notification to the user's mobile phone.


Finally, you have the confirmation of the check and the location of the user on the WebADM GUI after the actions on the mobile phone have been completed.


The remote worker check API used behind the previous form can be integrated into an HR system by implementing API calls.