Identikey Server Getting Started Guide

IDENTIKEY ServerGetting Started Guide

3.3

Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to you.

Copyright

Copyright © 2011 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VASCO®, Vacman®, IDENTIKEY®, aXsGUARD®, DIGIPASS®, and ® are registered or unregistered

trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

Date Last Modified : 26/07/11

Table of Contents

Table of Contents

1 Introduction.................................................................................................................................................... 41.1 About this guide .................................................................................................................................................. 4

1.2 IDENTIKEY Server Implementation........................................................................................................................ 5

1.3 IDENTIKEY Server Testing.................................................................................................................................... 5

1.4 Topics Not Included............................................................................................................................................. 5

1.5 Before you start................................................................................................................................................... 5

2 Install and Setup............................................................................................................................................. 72.1 Basic Setup Procedure......................................................................................................................................... 7

2.2 Install the RADIUS Client Simulator...................................................................................................................... 7

2.3 Install IDENTIKEY Server...................................................................................................................................... 8

2.4 Configure IDENTIKEY Server................................................................................................................................. 9

2.5 Set up New Local Server for Audit Viewer.......................................................................................................... 11

2.6 Set Up Auditing.................................................................................................................................................. 11

3 Testing......................................................................................................................................................... 133.1 Test Local Authentication................................................................................................................................... 14

3.2 Test Windows Back-End Authentication............................................................................................................. 16

3.3 Test RADIUS Back-End Authentication............................................................................................................... 19

3.4 Test Management Features............................................................................................................................... 23

4 Demo Tokens............................................................................................................................................... 284.1 Using the Demo DP300...................................................................................................................................... 28

4.2 Using the Demo Go 3 or Go 6............................................................................................................................. 29

5 Set up Live System....................................................................................................................................... 315.1 Checklist........................................................................................................................................................... 31

IDENTIKEY Server Getting Started Guide 3

Introduction

1 Introduction

1.1 About this guide

This Getting Started Guide will introduce you to IDENTIKEY Server. It will help you set up a basic installation of IDENTIKEY Server and get to know the product and the tools it includes. It covers only basic information and the most common configuration requirements. Other options and more in-depth instructions are covered in other manuals.

Who should read this guide?

This guide is designed for system managers, administrators, and developers using IDENTIKEY Server products. The reader should already be familiar with:

Online authentication and authorisation tools and protocols, including SOAP, RADIUS, WSDL, SSL, XML, HTML and TCP/IP.

Windows and Linux security software environments including IIS, Active Directory and ODBC.

Administration tasks including user management , policy, scheduling, reports, and performance monitoring.

Password management and encryption techniques.

EMV-CAP and other e-commerce transaction standards.

An understanding of programming languages, especially Java and ASP.NET, would also be helpful.

IDENTIKEY Server documentation suite

The following IDENTIKEY Server guides are available:

Product Guide - introduce the features and concepts of IDENTIKEY Server and explains various usage options.

Getting Started Guide - leads you through a standard setup and testing of key IDENTIKEY Server features.

Windows Installation Guide - planning and working through a Windows installation of IDENTIKEY Server.

Linux Installation Guide - planning and working through a Linux installation of IDENTIKEY Server.

Administrator Guide - in-depth information required for administration of IDENTIKEY Server.

Administrator Reference – detailed references such as data attributes, backup, recovery and utility commands.

Performance and Deployment Guide - information on common deployment models and performance statistics.

Release Notes – latest information on IDENTIKEY Server releases.

SDK Programmers Guides - information on the IDENTIKEY Server Software Development Kit (SDK), plus dedicated guides for .NET, Java and SOAP.

Authentication SDK Guides - in-depth information required to develop using the authentication SDK, plus dedicated guides for .NET, Java and SOAP.


Introduction

Further assistance

Comprehensive Help Files including context-sensitive assistance are available via IDENTIKEY Server user interfaces. For more information, please visit http://www.vasco.com.

1.2 IDENTIKEY Server Implementation

This guide covers a basic Windows implementation of IDENTIKEY Server, suitable for an evaluation or simple setup:

IDENTIKEY Server installed with standard configuration

Embedded PostgreSQL database as data store

RADIUS environment

Administration Web Interface

It includes information on configuration of IDENTIKEY Server for specific management scenarios.

1.3 IDENTIKEY Server Testing

This guide will lead you through testing of management features, such as setting up auto-assignment of DIGIPASS to DIGIPASS Users.

1.4 Topics Not Included

This guide does not cover topics such as:

Installation instructions

Detailed introduction to IDENTIKEY Server, its features and components

Detailed instructions on the use of IDENTIKEY Server

Additional components

Virtual DIGIPASS

Backup and recovery

1.5 Before you start

Before you start, you will need the following:

The encrypted DPX file provided with DIGIPASS (unless you will only use the provided demo DIGIPASS files)

Transport Key for the DPX file (if using your own file)

Installation disk or executable


http://www.vasco.com/

Introduction

Installation Guide


Install and Setup

2 Install and Setup

2.1 Basic Setup Procedure

The diagram below illustrates the basic procedure which this Guide will take you through in the initial setup for IDENTIKEY Server.

Image 1: Basic Setup Procedure

2.2 Install the RADIUS Client Simulator

The RADIUS Client Simulator (RCS) is a program that simulates RADIUS Authentication and Accounting processing in a similar fashion to RADIUS enabled Network Access Server and Firewall devices. The RCS can be used to test User authentication, Digipass authentication, estimate RADIUS Server performance or test system overload.

Install the RADIUS Client Simulator on a machine in the required Domain:

1. Locate and run radius-simulator_<version>.msi. This utility is normally found in the Software\Windows\<arch>\Utilities\Radius Simulator\ directory of the installation disk, where <arch> is the applicable architecture of your system (e.g. x86 or amd64).

2. Follow the prompts until the installation is complete.

If you chose the default install location, the Simulator will be installed to the C:\Program Files\VASCO\ RADIUS Client Simulator directory.

3. Launch the Simulator from the Start menu.


Install and Setup

Note

The RADIUS Client Simulator uses the port 1812 for authentication requests and port 1813 for accounting requests, by default.

If you are using Microsoft Windows Small Business Server 2008, these ports are used for other services, so configure the RADIUS Client Simulator to other ports by updating the Auth. Port and Acct. Port fields on the RADIUS Client Simulator. Ensure that the ports are available through the firewall, and that the RADIUS client is amended to use the same ports.

2.3 Install IDENTIKEY Server

Install IDENTIKEY Server according to the Basic Installation instructions in the Windows Installation Guide.

RADIUS Topology

When prompted to select a RADIUS topology, select either:

IDENTIKEY Server as standalone RADIUS Server (this will require you to skip the RADIUS Back-End Authentication topic)

IDENTIKEY Server in front of RADIUS Server

SSL Certificate Password

When prompted for a certificate password, note the password you enter. This will be used later in the Getting Started process.

Automatic Settings

Some settings which are created automatically for the IDENTIKEY Server are:

Example Policies

A Component record for the IDENTIKEY Server, which will point to a default Policy

A default RADIUS Client Component record

Auditing

The Audit Viewer will be installed with IDENTIKEY Server.


Install and Setup

2.4 Configure IDENTIKEY Server

The Administration Web Interface is the main administration tool available. It can be used to administer DIGIPASS User and DIGIPASS records, and to configure various settings and connections. See the Product Guide for more information.

1. Open the Administration Web Interface.

2. Enter your User ID and password.

3. Click on Log in.

2.4.1 Create a Test Policy

To create the required Test Policy:


2. Click on Policies -> Create.

3. Enter the required information:

a. Policy ID: Test

b. Inherits from: Identikey Local Authentication

4. Enter a description if desired.

5. Click on Create.

2.4.2 Set Up Client Record

Default RADIUS Client

Configure the default RADIUS Client record to use the Test Policy created in 2.4.1 Create a Test Policy . The RADIUS Client Simulator will use this Component record.

Note

The Shared Secret for the default RADIUS Client record, and the RADIUS Client Simulator, is set to default.


Install and Setup

2.4.3 Import User records

Demo Users may be used for the testing and familiarisation tasks in this guide. IDENTIKEY Server provides a sample .csv User import file for this purpose. To view it, navigate to <IK Install Directory>\VASCO\Identikey 3.x\DPX\ in Windows.

In Linux, this sample file is located in /usr/share/identikey/identikeyserver/user/ of the IDENTIKEY Server chroot environment.


2. Click on Users -> Import.

3. Enter or browse for the import path and filename for the .csv file. Click Upload.

4. On the Import Users tab, leave the settings as they are and click Import.

5. On the Schedule Task tab, leave the settings as they are and click Next.

6. Click on Finish.

2.4.4 Import DIGIPASS Records

Before a DIGIPASS may be assigned to a User, a record for it must be imported into the data store. This record includes all important information about the DIGIPASS, including its serial number, Applications, and programming information. This information is transported to you in the form of a .dpx file.

A Response Only DIGIPASS Application is required for Windows Logon.

Demo DIGIPASS may be used for the testing and familiarisation tasks in this guide. IDENTIKEY Server provides sample .dpx DIGIPASS import files. To view them, navigate to <IK Install Directory>\VASCO\Identikey 3.x\DPX\ in Windows.

In Linux, these sample files are located in /usr/share/identikey/identikeyserver/dpx/ of the IDENTIKEY Server chroot environment.

To import DIGIPASS records:


2. Click on Digipass -> Import.

3. Enter or browse for the import path and filename for the DPX file.

4. Enter the transport key – this is 11111111111111111111111111111111 for the installed demo DIGIPASS DPX files (press the 1 key 32 times).

5. Click on Upload.

6. On the Applications tab ensure the applications are selected, and click Next.

7. On the Options tab click Import.

8. On the Schedule Task tab, leave the settings as they are and click Next.


Install and Setup

9. Click Finish on the Summary tab.

2.4.5 Assign DIGIPASS to Test User

Before a User can use a DIGIPASS to login, the DIGIPASS must be assigned to their User account within the data store.

To assign a DIGIPASS record to the Test User account:


2. Click on Users -> Assign Digipass.

3. Leave all settings as they are. Click Search.

4. Click the check box to select a User. Click Next.

5. On the Search Digipass tab leave all the settings as they are. Click Search.

6. If more than one DIGIPASS is available, click the check box to select a DIGIPASS. Click Next.

7. On the Options tab click Assign.

8. Click Finish on the Finish tab.

2.4.6 Configure the RADIUS Client Simulator

Configure the RADIUS Client Simulator with the details for the IDENTIKEY Server:

Server IP

Shared Secret (if modified from the default)

Accounting and Authentication Port numbers (if modified from the defaults)

2.5 Set up New Local Server for Audit Viewer

1. Open the Audit Viewer (Start Menu -> Programs -> VASCO -> Identikey Server -> Audit Viewer).

2. Select New Audit Source -> Server from the File menu.

3. Enter a display name to be used for the messages within the Audit Viewer. Enter the IP address of the Server. Enter the port on which the Server will listen for auditing connections.

4. Click on OK.

2.6 Set Up Auditing

1. Open the Audit Viewer (Start Menu -> Programs -> VASCO -> Identikey Server -> Audit Viewer).

2. Expand the Servers item in the navigation pane.


Install and Setup

3. Click on Local Server.

4. Enter the User ID and password for an administrator account in IDENTIKEY Server.

5. Click on OK.

A live audit connection will be established.


Testing

3 Testing

This section will guide you through testing direct logins to IDENTIKEY Server and a back-end RADIUS server, testing Back-End Authentication, testing various management features, and the configuration or administration changes required.

At various points in the process, test logins are recommended to ensure that the previous steps have not caused unexpected problems. This also helps in troubleshooting, as it helps to pinpoint where in the process a problem occurred.

The diagram below illustrates the basic testing procedure.

Test Prerequisites

If you are going to test all types of login methods and authentication options available, you will need:

A DIGIPASS User account with:

A corresponding Windows User account

A stored static password which is the same as the Windows account's password

A DIGIPASS or Demo DIGIPASS with Response Only and Challenge/Response Applications, assigned to the DIGIPASS User account.

A new Policy named 'Test'.

Modifying the Test Policy

Each scenario will require modification of the Test Policy created in 2.4.1 Create a Test Policy . Use these instructions to edit the Test Policy:


2. Click on Policies -> List.


Testing

3. Find and click on the Test Policy.

4. Click on the required tab:

Local Authentication and Back-End Authentication settings can be found under the Policy tab

Dynamic User Registration, Password Autolearn and Stored Password Proxy settings can be found under the User tab.

Application Type, Assignment Mode, Grace Period, Serial Number Separator and Search Upwards in Org. Unit Hierarchy settings can be found under the DIGIPASS tab.

Challenge/Response settings can be found under the Challenge tab.

5. Click on Edit.

6. Make the required changes.

7. Click on Save.

Testing a Login via the RADIUS Client Simulator

In each scenario, you will need to attempt a login, using the RADIUS Client Simulator. Once it is configured correctly, simply follow the directions below to try a login:

1. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.

2. Enter the User ID for the User account you are using for test logins in the User ID field.

3. Enter the password for the User account and (if required) an OTP from the DIGIPASS in the Password field.

4. Click on the Login button.

5. The Status information field will indicate the success or failure of your login.

3.1 Test Local Authentication

This topic covers testing logins handled by the IDENTIKEY Server, with no back-end authentication enabled. Three login methods will be covered:

Static password (does not require a DIGIPASS)

Response Only (requires a DIGIPASS with a Response Only application)

Challenge/Response (requires a DIGIPASS with a Challenge/Response application)

3.1.1 Static Password

Modify Test Policy

Make these changes to the Test Policy (see Modifying the Test Policy for instructions):

Set Local Auth. to DIGIPASS/Password.

Set Back-End Auth. to None.


Testing

Set Password Autolearn to Yes.

Check Grace Period

Check the record for the DIGIPASS being used for testing. The grace period should be set for a time in the future. If it is not, the static password login will fail.

Test Login

Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and static stored password.

3.1.2 Response Only

Modify Test Policy


Set Application Type to Response Only.

Set Local Auth. to Digipass/Password.


Test Login

Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the OTP from your DIGIPASS.

3.1.3 Challenge/Response

Modify Test Policy


Set Application Type to Challenge/Response.

Set 2-step Challenge/Response Request Method to Keyword.

Set Keyword to 2StepCR.



Test Login

Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the keyword (2StepCR). Enter the Challenge provided by the RCS into your DIGIPASS. Enter the same DIGIPASS User ID and the Response provided by your DIGIPASS.


Testing

3.2 Test Windows Back-End Authentication

This topic covers testing the IDENTIKEY Server's use of Windows for back-end authentication. First, we test IDENTIKEY Server using only back-end authentication, then a combination of local and back-end authentication.

Three login methods will be covered:

Static password (does not require a DIGIPASS)

Response Only (requires a DIGIPASS with a Response Only application)

Challenge/Response (requires a DIGIPASS with a Challenge/Response application)

3.2.1 Back-End Authentication Only

3.2.1.1 Static Password

Modify Test Policy


Set Local Auth. to None.

Set Back-End Auth. to Always.

Set Back-End Protocol to Windows.

Check Grace Period

Check the record for the DIGIPASS being used for testing. The grace period should be set for a time in the future. If it is not, the static password login will fail.

Test Login


3.2.2 Local and Back-End Authentication

3.2.2.1 Static Password

Modify Test Policy




Testing



Test Login


3.2.2.2 Response Only

Modify Test Policy


Set Application Type to Response Only.




Set Stored Password Proxy to Yes.

Test Login

Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the OTP from your DIGIPASS.

3.2.2.3 Challenge/Response

Modify Test Policy


Set Application Type to Challenge/Response.

Set 2-step Challenge/Response Request Method to Keyword.

Set Keyword to 2StepCR.






Testing

Test Login

Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the keyword (2StepCR). Enter the Challenge provided by the RCS into your DIGIPASS. Enter the same DIGIPASS User ID and the Response provided by your DIGIPASS.


Testing

3.3 Test RADIUS Back-End Authentication

In this topic, you will be guided through configuring the IDENTIKEY Server to use a RADIUS Back-End Server, and testing Back-End Authentication using that Back-End Server.

3.3.1 Set up Back-End RADIUS Server

There are some steps you will need to follow in order to set up the RADIUS Server to be used for Back-End Authentication:

The diagram below shows the basic process involved. For help in completing each of these steps, see the relevant sub-section.

Image 2: RADIUS Server Setup

Requirements

To complete the recommended steps, you will need:

An installed RADIUS Server.


Testing

An administrator login for the RADIUS server.

Create RADIUS Client records

Create a RADIUS Client record within the RADIUS Server for the machine on which the RADIUS Client Simulator will be running and the machine on which the IDENTIKEY Server is installed.

Create a User account

Create a User account in the RADIUS Server, or identify an existing account that can be used if preferred. Make sure this account has the necessary permissions so that a RADIUS Access-Request from both the RADIUS Client Simulator and from the IDENTIKEY Server will be accepted (given the correct password of course). Also make sure this account has some RADIUS 'reply attributes'.

Enable Tracing

Depending on the RADIUS Server product, some facilities will be available for tracing. This may be referred to as “logging” or “debugging” instead. If this is enabled, it will help to find out what is happening if the observed behaviour is not as expected.

3.3.2 Test Direct Login to RADIUS Server

Once the RADIUS Server has been set up, attempt a direct login using the RADIUS Client Simulator and the User account created for testing.

1. Open the RADIUS Client Simulator.

2. Enter the IP address of the RADIUS Server.

3. Enter Authentication and Accounting port numbers if they vary from the default.

4. Enter the Shared Secret you entered for the RADIUS Client created earlier.

5. Select a protocol to use.

6. Click on any port icon to attempt a login.

7. Enter the User ID and password and click on Login.

8. The 'reply attributes' set up for that User account should be displayed in the RADIUS Client Simulator.


Testing

3.3.3 Configure IDENTIKEY Server for RADIUS Back-End Authentication

3.3.3.1 Local and Back-End Authentication

Local and back-end authentication means that both the IDENTIKEY Server and the RADIUS Server will authenticate a login. This allows RADIUS reply attributes to be retrieved from the RADIUS Server.

In this scenario, it is normal to use the Password Autolearn and Stored Password Proxy features. With these features enabled, the IDENTIKEY Server will learn the user's RADIUS Server password, so that the user does not need to log in with both their password and DIGIPASS One Time Password at each login. However, the first time that the user logs in, they will need to provide their RADIUS Server password so that the IDENTIKEY Server can learn it. In subsequent logins, they can just log in with their One Time Password and the IDENTIKEY Server will send the stored password to the RADIUS Server.




Set Back-End Protocol to RADIUS.



3.3.3.2 Create Back-End Server Record

The IDENTIKEY Server needs to be able to locate the RADIUS Server. This requires a Back-End Server record in the data store. To create a new Back-End Server record:


2. Click on Back-End -> Register RADIUS Back-End.

3. Enter a display name for the Back-End Server in the Back-End Server ID field.

4. Enter the Authentication and Accounting IP Address and Port values.

5. Enter the Shared Secret that was configured in the RADIUS Client record in the RADIUS Server for IDENTIKEYServer.

6. Enter a suitable Timeout and No. of Retries.

7. Click Create to create the record.

3.3.4 Test Logins with Local and Back-End Authentication

1. Configure the Test Policy for the login method to be tested – eg. Response-Only, Challenge/Response.


Testing

2. Ensure that the RADIUS Client Simulator client record is using the configured Policy.

In the RADIUS Client Simulator:

3. Enter the IP address of the IDENTIKEY Server.


5. Enter the User ID for the User account you are using for test logins in the User ID field.

6. Enter the User account's RADIUS Server password followed by an OTP from the DIGIPASS in the Password field. There should be no spaces between the password and the OTP.


8. The Status information field will indicate the success or failure of your logon. Below you should see the RADIUS reply attributes from the RADIUS Server.

9. Enter a new OTP from the DIGIPASS into the Password field, without the RADIUS Server password in front.


11. The Status information field will indicate the success or failure of your logon. Below you should see the RADIUS reply attributes from the RADIUS Server.


Testing

3.4 Test Management Features

In this topic, you will be guided through the testing of basic management features in IDENTIKEY Server.

3.4.1 Auto-Assignment

Initial Setup


2. Click on Clients -> List.

3. Click on the client record for the RADIUS Client Simulator.

4. Ensure that the Test Policy is selected in the Policy drop down list.

5. Click on OK.

6. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):



Set Back-End Protocol to RADIUS.



Set Dynamic User Registration to No.

Set Assignment Mode to Neither.

Set Grace Period – 7 days is the standard time period used.

Set Search Upwards in Organizational Unit hierarchy to Yes.

Set Application Type to No Restriction.

7. Create or use a User account in the RADIUS Server which does not currently have a corresponding DIGIPASS User account.

8. Check that at least one unassigned DIGIPASS is available in the DIGIPASS Container.

Test Auto-Assignment - 1

In the following test, both Dynamic User Registration and Auto-Assignment should fail, meaning that a DIGIPASS User account will not be created, and a DIGIPASS will not be assigned to the User. This shows that the IDENTIKEYServer record has been configured successfully.



10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.


Testing

11. Enter the password for the RADIUS Server User account.


The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a DIGIPASS User account has been created for the User, search for the User account record in the Administration Web Interface. If it does not exist, the test has been successful.

Modify Settings

13. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):Set Dynamic User Registration to Yes.

Set Assignment Mode to Auto-Assignment.

Test Auto-Assignment - 2

In the following test, both Dynamic User Registration and Auto-Assignment should succeed, meaning that a DIGIPASS User account will be created, and an available DIGIPASS will be assigned to the User.




16. Enter the password for the User account.



Check Test Results

To check whether a DIGIPASS User account has been created for the User, search for the User account record in the Administration Web Interface.

To check whether a DIGIPASS has been assigned to the User:

18. Click on Assigned DIGIPASS.

19. If a DIGIPASS is listed, the User has been assigned the listed DIGIPASS.

20. Check the Grace Period End field to see that a Grace Period of the correct length (7 days by default) has been set.

Check Grace Period

Password login

21. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. If the Grace Period is still effective, this should be successful.


Testing

OTP login

22. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and One Time Password. This should be successful.

Password login

23. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. As the OTP login from the previous step should have ended the Grace Period for the DIGIPASS, this login should fail.

24. Check the Grace Period End in the User record. It should contain today's date.

3.4.2 Self-Assignment

To complete this test, you will need to have a DIGIPASS physically available, and free to be assigned to a test User account.

Initial Setup

1. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):

Set Dynamic User Registration to No.

Set Assignment Mode to Neither.

Set Search Upwards in Organizational Unit hierarchy to Yes.

Set Serial Number Separator to : (colon).

2. Create or use a User account in the RADIUS Server which does not currently have a corresponding DIGIPASS User account.

3. Check that the desired DIGIPASS is in the DIGIPASS Container and unassigned.

Test Self-Assignment - 1

In the following test, both Dynamic User Registration and Self-Assignment should fail, meaning that a DIGIPASS User account will not be created, and the selected DIGIPASS will not be assigned to the User.




3. Enter the Serial Number for the DIGIPASS, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the DIGIPASS into the Password field. eg. 98765432|password12340098787 (see the Login Permutations topic in the Administrator Reference for more information).




Testing

Check Test Results

A successful test should result in a failed login and no new DIGIPASS User account created.


Modify Settings

5. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):Set Dynamic User Registration to Yes.

Set Assignment Mode to Self-Assignment.

Test Self-Assignment - 2

In the following test, both Dynamic User Registration and Self-Assignment should succeed, meaning that a DIGIPASS User account will be created, and the intended DIGIPASS will be assigned to the User.




8. Enter the Serial Number for the DIGIPASS, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the DIGIPASS into the Password field. eg. 98765432|password12340098787 (see the Login Permutations topic in the Administrator Reference for more information).



Check Test Results


To check whether the DIGIPASS has been assigned to the User:

10. Click on DIGIPASS Assignment.

11. If the DIGIPASS is listed under this tab, it has been assigned to the DIGIPASS User account.

Check Grace Period

12. Check that a Grace Period has not been set.

Password login

13. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. This should fail, as a Grace Period is not set for a Self-Assignment.


Testing

OTP login

14. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and One Time Password. This should be successful.


Demo Tokens

4 Demo Tokens

4.1 Using the Demo DP300

This topic explains the activation and use of the demonstration DP300.

4.1.1 Activate the Demo DP300

The Demo DP300 is turned on with the < button.

Each time the Demo DP300 is activated it will request a 4-digit PIN number (displayed on the LCD screen). The PIN for Demo DP300s is initially set to 1234.

The Demo DIGIPASS will then prompt you to indicate the application you wish to use:

Application 1 : Response only

When you press 1 on the keypad, the demo DP300 will produce a 6-digit number. This response number is generated based on the secret code stored within the token, and the current time.

The One Time Password displayed should be entered into the appropriate password field in the logon screen or web page.

Application 2 : Digital Signature

When you press 2 on the keypad, you will be prompted for 3 numbers (typically from an online transaction) comprising up to 5 digits each. When all three numbers required have been entered, a 6-digit number is generated (displayed on the LCD screen). This number is the digital signature for the transaction. This needs to be entered into the appropriate field in the digital signature web page or screen.

Application 3: Challenge / Response

When you press 3 on the keypad, the DIGIPASS will present you with four dashes (- - - -) to indicate that a ‘challenge’ must be entered.

You may have the option of holding the optical reader to the middle of the flash sequence (the white flashing panels) on the logon web page if one is presented.

Alternatively, if the challenge number is shown on the screen, you can key it in directly into the keypad.

The demo DP300 will then calculate and display a One Time Password based on the challenge and the secret code stored in the DP300. The One Time Password displayed should be entered into the appropriate password field in the logon screen or web page.


Demo Tokens

4.1.2 Change the PIN

Turn on the Demo DP300 and enter the current PIN to activate the token. Then hold down the On (<) button for 2 seconds, to be prompted for a new PIN. The DP300 will then prompt you to re-enter the new PIN to confirm it.

The new PIN can now be used to logon.

4.1.3 Auto-Off Function

To preserve the maximum battery life, the Demo DP300 automatically turns off after 30 seconds of inactivity.

4.1.4 Unlock the Demo DP300

If an incorrect PIN is entered into a Demo DP300 too many times (3), the DIGIPASS will lock itself from further use.

When a token is locked, it will display an unlock challenge on its LCD screen.

The Administration Web Interface allows DIGIPASS to be unlocked using the Unlock option. See the Help in the Administration Web Interface for more information.

4.2 Using the Demo Go 3 or Go 6

This topic explains the activation and use of the demonstration Go 3 or Go 6.

Note

The Demo Go 3 and Go 6, and other Go 3/Go 6 tokens, only produce a time-based One Time Password - referred to as a ‘Response’. This is referred to as the ‘Response Only’ authentication method. The Go 3 and Go 6 tokens are used with a PIN, which is entered before the Response.

4.2.1 Activating the Demo Go 3/Go 6

To turn on the Demo Go 3/Go 6, press the button on the token.

All Go 3/Go 6 tokens have an auto-off function, meaning that they automatically turn themselves off after short periods of inactivity.

4.2.2 Obtaining a One Time Password

Whenever the Demo Go 3/Go 6 is activated, it produces a 6-digit number on its LCD screen.


Demo Tokens

This response number is generated based on the secret code stored within the token, and the current time.

At logon, the Users' Server PIN and the One Time Password from the Go 3/Go 6 should be entered as into the appropriate password field in the logon screen or web page. The Server PIN is initially 1234.

For example, if the One Time Password generated by the Demo Go 3/Go 6 was 235761, 1234235761 should be entered in the login screen.

4.2.3 Changing the Demo Go 3/Go 6 Server PIN

The Demo Go 3/Go 6 Server PIN (1234) can be changed during the authentication process.

To change the Demo Go 3/Go 6 Server PIN:

1. Go to the login page or screen.

2. In the user ID field, enter the User ID for the account you are using for testing.

3. In the password field, enter the current Server PIN (1234) for the Demo Go 3/Go 6.

4. Activate the Demo DIGIPASS and enter the One Time Password generated in the response field directly after the Server PIN.

5. Next, enter the new PIN for the Demo Go 3/Go 6 after the response in the Response field, then enter it again to confirm it.

6. Submit your login to issue the new Server PIN information to the IDENTIKEY Server.

ExampleTo change the Server PIN for a Demo DIGIPASS from 1234 to 5678, where the OTP generated was 111111, enter:

123411111156785678

in the password field and login.

Any time you login using the Demo or another Go 3/Go 6, you may use this method to change your PIN, except for RADIUS authentications where any form of CHAP is in use (E.g., CHAP, MS-CHAP, MS-CHAP2). This is because the information is one-way hashed and cannot be retrieved from the packet.

If CHAP protocols are used, refer to the User Self-Management Web Site Guide for more information about alternative web based methods for PIN change (eg. using your intranet).


Set up Live System

5 Set up Live System

5.1 Checklist

Set up RADIUS ServerSet up your RADIUS Server with the necessary User accounts and RADIUS attributes.

Modify RADIUS Client ConfigurationConfigure the RADIUS Clients to send authentication requests to the IDENTIKEY Server.

Import More DIGIPASSImport all required DIGIPASS records

Create DIGIPASS User AccountsIf required, manually create DIGIPASS User accounts. Alternatively, enable Dynamic User Registration in IDENTIKEY Server.

Create New PolicyCreate the necessary Policies in the Administration Web Interface for login authentications requested by the RADIUS Clients.

Create Component Records for the RADIUS ClientsCreate a Component record for the RADIUS Clients in the Administration Web Interface, linking them to the correct Policies. You may wish to use the default RADIUS Client for some or all RADIUS Clients instead.

Test DIGIPASS LoginsTest DIGIPASS logins through the RADIUS Clients, using One Time Passwords.


Identikey Server Getting Started Guide

Documents

Transcript of Identikey Server Getting Started Guide