EquitracCreate and Manage AccountsUser authentication

User authentication

If your Equitrac deployment uses Client Billing, or embedded devices, you can configure CAS to validate user accounts against primary and secondary PINs. PIN information connects an Equitrac account with user logon information when a user logs in a frontend (e.g. at a device client to release a print job).

The primary PIN is the alpha-numeric sequence that uniquely identifies the user, and can be data encoded on a magnetic swipe card or entered via a keypad. The secondary PIN acts as a device password, and is entered via a keypad.

To configure user authentication settings, do the following:

  1. In System Configuration select Global Configuration Settings > Security and Authentication > User Authentication.
  2. Click Authentication Options from the left menu.
  3. In the User Input > Device clients section, set how users log in at a device.
    At least one login method must be enabled, but both can be enabled and configured.
    1. Select Allow card swipe login if you want users to be able to authenticate with a swipe card.
    2. Select how the user authenticates at the device with a registered card from the Require additional authentication with Equitrac password drop-down list.
      • Disabled - No additional Equitrac password is needed when logging on with a swipe card.
      • Enabled - The Equitrac password is needed when logging on with a swipe card. The device client displays the password prompt. If Enabled, decide if users Require password only if PIN2 available. If this PIN2 checkbox is selected, the user must enter a secondary PIN if they have a PIN 2 value associated with their user account. Users with a PIN 2 value will be prompted to enter it. This option only applies to select legacy devices.
    3. Select Allow keyboard login if you want users to enter their credentials using the MFP keyboard.
    4. Select how the user authenticates at the device with the keyboard from the Equitrac authentication drop-down list.
      The keyboard login cannot be set to less strict than the card swipe login. For example, if the password prompt is enabled for card swipe login, then login without password cannot be set for the keyboard. However, if login with password is enabled for the keyboard, then login without password can be set for card swipe.
      • Enabled with password prompt - The Equitrac password is needed when logging on with the keyboard. The device client displays the password prompt.

        If using the Enabled with password prompt, you can select one or both of the available options.

        • Require password only if PIN2 available. If this checkbox is selected, the user must enter a secondary PIN if they have a PIN 2 value associated with their user account. Users with a PIN 2 value will be prompted to enter it. This option only applies to select legacy devices.
        • Deny login with empty password. If this checkbox is selected, the user must enter a password in order to access the device. If the password field is empty, then authentication fails.
      • Enabled without password prompt - No additional Equitrac password is needed. The device client displays only the username prompt.
  4. In the User Input > Workstation clients and Web client section, set the client authentication methods.
    At least one authentication method must be enabled, but both can be enabled and configured.
    1. Select the client login options from the Equitrac authentication drop-down list.
      • Disabled - Login with Equitrac credentials is not allowed. The workstation client ‘Prompt for Login’ dialog and the Web Client user login page do not display the username prompt.
      • Enabled with password prompt - The Equitrac password for the user is needed for authentication. The workstation client ‘Prompt for Login’ dialog and Web Client user login page display the password prompt.
      • Enabled without password prompt - No additional Equitrac password is needed. The workstation client ‘Prompt for Login’ dialog and Web Client user login page display only the username prompt.
      Mac clients require Equitrac authentication. Therefore, if the 'Disabled' option is selected, the 'Enabled with password prompt' is used by default for the Mac Clients.
    2. Select how Azure AD authentication works from the Identity provider drop-down list.
      • Disabled - Azure AD authentication is not allowed.
      • Enabled - Azure AD authentication is allowed. The workstation client ‘Prompt for Login’ dialog and Web Client user login page display the Azure AD login option.
      If both Equitrac and identity provider authentication are enabled, the workstation client ‘Prompt for Login’ dialog and Web Client user login page display both the username prompt and the Azure AD login option. The user can use one of them.
  5. In the Equitrac Authentication section, select one or more authentication method.
    At least one authentication method must be enabled, but any combination can be selected.
    • Equitrac primary or alternate PIN with secondary PIN - This allows login with only Equitrac PINs. The username can be either the primary PIN or the alternate PIN (typically used at card swipes) and the password is the secondary PIN.
    • External username and password - This allows login with an external user account outside of Equitrac. The credentials are validated with the configured AD/LDAP external authentication settings.
    • Equitrac primary or alternate PIN with external password - This allows a mixed login. The username can be either the primary PIN or the alternate PIN (typically used at card swipes). The password is validated with the configured AD/LDAP external authentication settings.
    Equitrac cross-checks the database for the corresponding Equitrac account name, then verifies the credentials against the selected external authority for network logon. See External User Authentication for details.
  6. In the Card Registration section, select what type of authentication is needed to register a new card.
    At least one login method must be enabled, but both can be selected.
    • Equitrac authentication - This allows Equitrac authentication for card registration. The device client displays the username and password prompts.
    • Identity provider - This allows Azure AD authentication for card registration. The device client displays the Azure AD login option.
    If both the Equitrac and identity provider authentication are allowed, the device client displays both the Equitrac username/password prompts and the Azure AD login option. The user can use either one for authentication.
    Even if Equitrac authentication is not set for card registration, it will be enabled by default for older clients that do not support Azure AD only if card registration is enabled. The regular card registration screen (Equitrac PINs or Windows) will display for older clients.
    If the Azure AD tenant is changed in Configuration Assistant after registering a card with identity provider authentication, the new Azure AD tenant settings are not applied and a new card registration will fail as the original tenant is still in use. You must restart DRE or force a cache update.
  7. Select where to store the number of a newly registered card from the Card number storage drop-down list.
    • Do not allow card registration - If an unknown card is swiped, an authentication error occurs.
    • Store as primary PIN - The card number is stored in the primary PIN field.
    • Store as alternate PIN - The card number is stored in the alternate PIN field.
  8. Select Store secondary PIN encrypted check box if you want the secondary PIN to be encrypted in the database.
  9. Click Card Setup from the left menu, and determine the User authentication card setup. For details on entering the decoding parameters, see HID Decoding.
  10. Click CAS offline behavior from the left menu, and set the following:
    1. Select Disabled or Enabled from the Login caching drop-down list.
      • Disabled – Prevents user login when CAS is offline.
      • Enabled – Allows only previously CAS-validated users to login when CAS is offline.

      DCE login caching determines whether a user login is accepted or denied when CAS is offline. If DCE caching is disabled when CAS is offline, then users cannot login. If DCE caching is enabled when CAS is offline, then DCE allows users to login only if they had previously logged in when CAS was online.

      For example, if DCE caching is enabled, and User1 authenticated while CAS was online, but User2 did not, then if CAS goes offline, User1 can still login, but User2 cannot login until CAS comes online again. Once CAS is back online, then User2 can login, and continue to login even if CAS goes offline again.

      Account limits are not enforced, and Billing Codes are not validated when DCE is operating without a connection to CAS.
    2. From the Print behavior drop-down list select one of the following options to determine how DRE servers handle print jobs when CAS is offline:
      • Auto select - If account limits are enforced, then the Do not print option is used. If account limits are not enforced, then the Print, charge accounts later option is used.
      • Do not print - Users cannot print, and must wait until CAS is back online in order to print.
      • Print, charge accounts later - Users can print, and then the print job is charged to their account when CAS is back online.
  11. Click Save to save the settings.