Custom Authentication Module

MetaDefender Kiosk allows you to audit the users that transfer data to and from the organization as well as to create a secure dataflow. Commonly used as a checkpoint to protect infrastructure from the risk of removable media devices (such as USB drives, CDs/DVDs, and other portable media), MetaDefender Kiosk allows you to configure detailed content filters for unknown removable devices brought in by employees, contractors, vendors and others.

This section provides instructions for developers who intend to build or integrate their own authentication method of these users into MetaDefender Kiosk. We recommend that you have a strong understanding of C/C++ before reading this section.

The bundled code included in this section is a sample of how the authentication module can be implemented. You should modify the contents in each method described in this section to accommodate your integration needs. You can remove any additional methods in the sample code not described in this section if not needed.

Important: Any configuration pertaining to the custom authentication module are not saved if you uninstall and re-install MetaDefender Kiosk. You must keep a copy of your module before uninstalling and then copy it back to the same directory once your installation or upgrade is complete.

System requirements

The system requirements for implementing custom authentication are as follows:

  • MetaDefender Kiosk 3.2.0 or later

  • Visual Studio 2017 or later

  • NET 4.5 or later for running the Custom Authentication Sample for the sample UI (optional)

Deploying and configuring custom authentication

The steps necessary to deploy custom authentication are as follows:

  1. Obtain a custom authentication template package from the OPSWAT Portal downloads

Note: Use the template for C++ custom authentication module (vc15).

  1. Implement the custom authentication interface & build the custom authentication module (authenticationModule.dll)

  2. Deploy the custom authentication module

  3. Configure MetaDefender Kiosk to load and use the custom authentication

Configuring custom authentication

After successfully building the custom authentication module, you can configure the module.

  1. Place the module (authenticationModule.dll) in the expected directory (e.g. <MetaDefender Kiosk Install Directory>\Client\Authentication)

  2. Open the MetaDefender Kiosk Management Console and go to the Configuration tab

  3. Go to the User Authentication section and click "View and configure user authentication"

  4. Select User Authentication, then select Custom Authentication and click Apply

Note: If Custom Authentication does not appear, the authentication module is either named incorrectly or not in the expected directory.

Understanding C++ code in the custom authentication template

The following section describes the C++ code in the custom authentication template.

Init

This is the first method called. It allows you to initialize your authentication module.

Copy

Arguments

ArgumentDescription
showUI

Output indicates if the authentication module has a UI to display to the user.

  • True: Has a UI.

  • False: Has no UI.

Return value

ValueDescription
0The module initialized correctly.
Non-zeroInitialization failed and the module cannot be used.

Verify

This method initiates the authentication process to run. The return value has nothing to do with if the user is authenticated or not. It indicates if the authentication process was successful or not.

Copy

Arguments

ArgumentDescriptionNotes
verifiedIDThe ID associated with the user that successfully authenticated. If a user is denied, then this is empty.Implementer must allocate the memory required.
desktopNameMetaDefender Kiosk uses a second desktop for security reasons. If your authentication process has a UI to display to the user, this will indicate the desktop in which your authentication process will be launched.Disregard if your authentication process does not require a UI.
passwordThe verified user’s credentials which allows MetaDefender Kiosk to handle post processing permissions. If you don't want MetaDefender Kiosk to have the user’s permissions, leave this empty.Implementer must allocate the memory required.

Note: From 3.5.0, if verifiedID is empty, Guest workflow will be used.

Return value

ValueDescription
0Verification ran successfully.
Non-zeroVerification failed to run.

Denit

This method is called when MetaDefender Kiosk is shut down. Any resources acquired by your module should be released and any unsaved data should be stored.

Copy

Arguments

No arguments are required for this function.

Cancel

This method is called when the user tries to cancels while verification is running.

Copy

Arguments

No arguments are required for this function.

Return value

ValueDescription
0The cancel request was accepted.
Non-zeroThe cancel request was denied.

FreeString

This method is called to free allocated memory for wchar_t **. MetaDefender Kiosk calls this function when finished with the values allocated by your functionality.

Copy

Arguments

ArgumentDescriptionNotes
stringToFreeDouble pointer to wchar_tThis function must be de-allocated in the same way that memory is allocated.

Return value

ValueDescription
0The allocated memory was successfully released.
Non-zeroThe allocated memory failed to be released.

Using the custom authentication tester

The custom authentication testing package includes a file called TestCustomAuthentication.exe that lets you test and troubleshoot your authentication module before using it with MetaDefender Kiosk.

TestCustomAuthentication.exe behaves similarly to the component MetaDefender Kiosk uses to load the authentication module. Since MetaDefender Kiosk runs under a SYSTEM context, you should run the authentication module under SYSTEM as well. Attempting to run the authentication module under any other user may invalidate the module's results. You must run TestCustomAuthenticationModule.exe under SYSTEM to properly load authenticationModule.dll and test the methods.

You can use Windows Sysinternals to run the tool as SYSTEM.

To run the custom authentication tester:

  1. Download PsExec

  2. Open a command prompt (as an administrator) to where PsExec is installed and enter "PsExec.exe -s cmd.exe"

  1. Navigate to the <MetaDefender Kiosk Install Directory>\Client\Authentication directory

  2. Run TestCustomAuthentication.exe. At all points of method testing, the tester pauses and allows you to control when to move on to the next test

  3. A PASSED or FAILED result appears

pcProx Plus RFID Reader Custom Authentication Module

Overview of Module

This documentation describes usage of the pcProx Plus RFID Reader custom authentication module. This authentication module can be used with any version of MetaDefender Kiosk version 3.2.0 or later to allow RFID cards to be used for MetaDefender Kiosk authentication.

Required Components

Configuration

MetaDefender Kiosk Configuration

If MetaDefender Kiosk has not already been installed on the system, the installer is available on the OPSWAT Portal at https://portal.opswat.com/products/high-security-networks.

Reader Configuration

pcProxConfig Installation

  1. Download the pcProxConfig installer from https://www.rfideas.com/support/product-support/pcprox-plus

  2. Run the installer to install the pcProxConfig configuration tool

  3. Connect the pcProx reader to the Metadefender Kiosk system and wait for the driver to be installed. The LED on the reader will turn red

  4. Launch the pcProxConfig tool, the device should be automatically detected

    1.

2. If the reader is not automatically detected you can click on the 'Connect' button to detect the reader

3. The reader should be shown in the device list

  1. Select 'Card Analyzer' from the menu

    1.

  1. Click 'Learn Card'

    1. Click Start Scan, and when prompted put the RFID card that you want the device to learn on the scanner. The card will need to stay on the reader until the scanning is complete.

    2.

3.

  1. Click the 'Auto Config>' button

  2. Select the Configuration # to set and click the 'Write' button

    1.

  1. After the configuration has been written click 'Exit' to close the Card Analyzer dialog or click the 'Learn Card' button to learn another card type

  2. Confirm that the configuration has the 'High priority' checkbox selected

    1.

2. If two configurations are saved make sure this is selected for both

  1. Select the 'Format' tab. On the 'Data Format' subtab do the following.

    1. Confirm the 'Send ID' checkbox is selected

    2. OPSWAT recommends that the 'Send FAC' checkbox is also selected

    3.

  1. On the 'Delimiters' subtab, do the following

    1. Confirm the Pre-data delimiter is set to <NONE>

    2.

3. Confirm the Post-data delimiter is set to <NONE>

4. Confirm the Termination Keystroke is set to <ENTER>

5.

  1. Click the 'Write Active' button to save the configuration. If there are two configurations set this needs to be done for both configurations.

  2. Test the configuration by opening the Notepad application and scanning a card. The card ID should be written into Notepad.

Adding pcProx Custom Authentication Module to MetaDefender Kiosk

  1. Copy the following files from the custom authentication module download package into your C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\Authentication directory

    1. authenticationModule.dll

    2. CustomAuthExample.exe

    3. omsConfig_CAM.ini

    4. db

  2. If you would like to restrict users to the RFID cards that are listed in the database

    1. Set the property validate_ID=1 in omsConfig_CAM.ini

    2. Open the 'db' file with a text editor, such as Notepad. Update/add the valid card IDs (can be read by pcProxConfig tool, step 14) with the corresponding user names in the format <Card ID>:<Name>. Only card IDs that are listed in this file can be used for authentication.

  3. In the MetaDefender Kiosk Management Console, enable Custom Authentication. Configuration → User Authentication → View and configure user authentication → User Authentication → Custom Authentication

    1.

2. Click the 'Apply' button

Using the pcProx Custom Authentication Module

  1. Users will be prompted to scan their RFID badge

    1.

  1. The ID from the card will be saved as the user ID for the session

    1. In the session log viewable through the Management Console

      1.

2. On the scan receipt

3. In the saved text log file

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Quarantine Manager Command Line Interface
On This Page
Custom Authentication ModuleSystem requirementsDeploying and configuring custom authenticationConfiguring custom authenticationUnderstanding C++ code in the custom authentication templateInitArgumentsReturn valueVerifyArgumentsReturn valueDenitArgumentsCancelArgumentsReturn valueFreeStringArgumentsReturn valueUsing the custom authentication testerpcProx Plus RFID Reader Custom Authentication ModuleOverview of ModuleRequired ComponentsConfigurationMetaDefender Kiosk ConfigurationReader ConfigurationpcProxConfig InstallationAdding pcProx Custom Authentication Module to MetaDefender KioskUsing the pcProx Custom Authentication Module