VACMAN Middleware Getting Started - Vasco

vasco

VACMAN Middleware Getting Started - Vasco

Modify these field values (right-click and select Fields) to change text throughout the

document:

NOTE: Diagrams may appear or disappear depending on these field settings – so BE CAREFUL

adding and removing diagrams, as you may be stuffing up formatting.

ADDITIONAL NOTE: Be careful adding and removing text, too. Just because you see something

in the document that looks like it shouldn't be there, doesn't mean removing it is a smart idea.

Do a print preview to check if it will show up in the final document before you do anything.

(the field values are currently just (relatively) rubbish values – modified at times to check that

text conditions are working correctly)

VACMAN Middleware

Authentication Server

Starter

RADIUS

IIS Module

RADIUS

ODBCAD

VACMAN_Middleware_300_setup.exe

Digipass Authentication Server

VACMAN Middleware

VM3

Authentication Server

VACMAN Middleware

RADIUS

RADIUS

Starter

IIS Module

ODBCAD

VACMAN_Middleware_300_setup.exe

Digipass Authentication Server

VACMAN Middleware

VM3

Getting S tarted


Disclaimer of Warranties and Limitations of Liabilities

Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express

or implied, including but not limited to warranties of merchantable quality, merchantability of

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of

dealing. The entire risk as to the results and performance of the product is assumed by you.

Neither we nor our dealers or suppliers shall have any liability to you or any other person or

entity for any indirect, incidental, special or consequential damages whatsoever, including but

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic

loss, even if we have been advised of the possibility of such damages or they are foreseeable;

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this

section shall apply whether or not the alleged breach or default is a breach of a fundamental

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion

or limitation or liability for consequential or incidental damages so the above limitation may

not apply to you.

RADIUS Documentation Disclaimer

The RADIUS documentation featured in this manual is focused on supplying required

information pertaining to the RADIUS server and its operation in the VACMAN Middleware

environment. It is recommended that further information be gathered from your NAS/RAS

vendor for information on the use of RADIUS.

Copyright

© 2006 VASCO Data Security Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise,

without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc.

Microsoft and Windows are registered trademarks of Microsoft Corporation.

All other trademarks are the property of their respective holders.

© 2006 VASCO Data Security Inc. 2


VACMAN Middleware Getting Started Table of Contents

Table of Contents

1 Introduction.......................................................................................................... 5

1.1 What You Need to Know/Have before Starting.............................................................. 6

1.2 System Requirements.................................................................................................... 6

1.2.1 Requirements Specific to Active Directory...................................................................... 6

1.2.2 Requirements Specific to ODBC Database...................................................................... 6

1.3 Available Guides.............................................................................................................7

2 Initial Setup and Testing....................................................................................... 8

2.1 Basic Procedure............................................................................................................. 8

2.2 Install the RADIUS Client Simulator............................................................................... 9

2.3 Active Directory Changes............................................................................................... 9

2.4 Active Directory SSL....................................................................................................... 9

2.5 Install VACMAN Middleware........................................................................................... 9

2.6 Configure the Authentication Server............................................................................ 10

2.7 Log in to Administration Interfaces.............................................................................. 10

2.7.1 Administration MMC Interface.................................................................................... 10

2.7.2 Active Directory Users and Computers......................................................................... 11

2.8 Configure VACMAN Middleware.................................................................................... 11

2.9 Import and Assign Digipass Records............................................................................ 12

2.9.1 Assign Digipass Record(s)......................................................................................... 12

3 Test Logins..........................................................................................................14

3.1 Test Pre-requisites....................................................................................................... 14

3.1.1 Create a Test Policy.................................................................................................. 14

3.2 Configure Authentication Method................................................................................. 15

3.2.1 Local Authentication Only.......................................................................................... 15

3.2.2 Windows Back-End Authentication Only....................................................................... 15

3.2.3 Local and Windows Back-End Authentication................................................................ 15

3.3 Configure Login Methods..............................................................................................16

3.3.1 Static Password....................................................................................................... 16

3.3.2 Response Only......................................................................................................... 16

3.3.3 2-Step Challenge/Response....................................................................................... 16

3.4 Test Logins...................................................................................................................17

4 Test Back-End Authentication..............................................................................18

4.1 Set up Back-End RADIUS Server...................................................................................18

4.1.1 Requirements.......................................................................................................... 18

4.1.2 Create RADIUS Client records.................................................................................... 18

4.1.3 Create a User account.............................................................................................. 19

4.1.4 Enable Tracing......................................................................................................... 19

4.2 Test Direct Login to RADIUS Server..............................................................................19

4.3 Configure VACMAN Middleware for RADIUS Back-End Authentication.......................... 19

4.3.1 Local and Back-End Authentication............................................................................. 20

4.3.2 Create Back-End Server Record.................................................................................. 20

4.4 Test Logins with Local and Back-End Authentication....................................................21

© 2006 VASCO Data Security Inc. 3


VACMAN Middleware Getting Started Table of Contents

5 Test Management Features..................................................................................22

5.1 Auto-Assignment..........................................................................................................22

5.2 Self-Assignment........................................................................................................... 25

6 Demo Tokens.......................................................................................................28

6.1 Obtaining a Demo Digipass.......................................................................................... 28

6.2 Using the Demo Go 1 or Go 3........................................................................................28

6.2.1 Activating the Demo Go 1/Go 3.................................................................................. 28

6.2.2 Obtaining a One Time Password................................................................................. 28

6.2.3 Changing the Demo Go 1/Go 3 Server PIN................................................................... 29

6.3 Using the Demo DP300.................................................................................................29

6.3.1 Activate the Demo DP300.......................................................................................... 29

6.3.2 Change the PIN....................................................................................................... 30

6.3.3 Auto-Off Function..................................................................................................... 30

6.3.4 Unlock the Demo DP300........................................................................................... 30

7 Set up Live System.............................................................................................. 32

7.1 Checklist...................................................................................................................... 32

© 2006 VASCO Data Security Inc. 4


VACMAN Middleware Getting Started Introduction

1 Introduction

This Getting Started Guide will introduce you to VACMAN Middleware. It will help you set up a

basic installation of VACMAN Middleware and get to know the product and the tools it includes.

It covers only basic information and the most common configuration requirements. Other

options and more in-depth instructions are covered in other manuals.

This guide covers a standard implementation of VACMAN Middleware:

RADIUS environment

Typical installation:

Authentication Server

Active Directory or an ODBC database used as the data store

Administration MMC Interface

Digipass Extension for Active Directory Users and Computers (if Active Directory is

used as the data store)

It includes information on:

Basic configuration of VACMAN Middleware

Testing Digipass logins and administrative functionality

This guide does not cover topics such as:

Installation instructions

Detailed introduction to VACMAN Middleware, its features and components

Detailed instructions on the use of VACMAN Middleware

Additional components

Virtual Digipass

Backup and recovery

© 2006 VASCO Data Security Inc. 5


VACMAN Middleware Getting Started Introduction

1.1 What You Need to Know/Have before Starting

The encrypted DPX file provided with Digipass (unless you will only use the provided

demo Digipass files)

Encryption Key for the DPX file (if using your own file)

Installation Guide

1.2 System Requirements

Operating System

Windows Server 2003 (32-bit version only) with Service Pack 1 or above, or

Windows XP Professional (32-bit version only) with Service Pack 2 or above, or

Windows 2000 with Service Pack 4 or above

Language

VACMAN Middleware is designed to function on any language version of Windows.

However, the product has only been comprehensively tested on English language

versions of Windows.

1.2.1 Requirements Specific to Active Directory

Digipass Extension for Active Directory Users and Computers

Active Directory Users and Computers Snap-In

Active Directory set up for SSL

In the following cases, SSL must be available for VACMAN Middleware components to connect

to Active Directory:

Authentication Server not installed on a Domain Controller.

Administration Interfaces not installed on a Domain Controller.

Authentication Server and/or Administration Interface(s) on a Domain Controller, but

accessing data in another domain.

An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows

Certificate Services is available as an optional Windows component.

However, if you do not wish to install a CA, you can select during installation not to use SSL.

1.2.2 Requirements Specific to ODBC Database

VACMAN Middleware will support most modern ODBC-compliant relational, transactional

databases. It has been tested on the following databases:

Oracle 9i

Microsoft SQL Server 2000

Microsoft SQL Server 2005

DB2 8.1

Sybase Adaptive Server Anywhere 9.0

PostgreSQL 8.1.3

© 2006 VASCO Data Security Inc. 6


VACMAN Middleware Getting Started Introduction

1.3 Available Guides

The following guides are available:

Product Guide

The Product Guide will introduce you to the features and concepts of VACMAN Middleware and

the various options you have for using it.

Installation Guide

Use this guide when planning and working through an installation of VACMAN Middleware.

Getting Started

To get you up and running quickly with a simple installation and setup of VACMAN Middleware.

Administrator Reference

In-depth information required for administration of VACMAN Middleware. This includes

references such as data attribute lists, backup and recovery and utility commands.

Data Migration Tool Guide

Takes you through a data migration from one VASCO product to another, using the VASCO

Data Migration Tool.

Help Files

Context-sensitive help accompanies the administration interfaces.

© 2006 VASCO Data Security Inc. 7


VACMAN Middleware Getting Started Initial Setup and Testing

2 Initial Setup and Testing

2.1 Basic Procedure

The diagram below illustrates the basic procedure which this Guide will take you through in the

initial setup and tests for VACMAN Middleware. At various points in the process, test logins are

recommended to ensure that the previous steps have not caused unexpected problems. This

also helps in troubleshooting, as it helps to pinpoint where in the process a problem occurred.

Image 1: Basic Setup Procedure

© 2006 VASCO Data Security Inc. 8


VACMAN Middleware Getting Started Initial Setup and Testing

2.2 Install the RADIUS Client Simulator

The RADIUS Client Simulator is a program that simulates RADIUS Authentication and

Accounting processing in a similar fashion to RADIUS enabled Network Access Server and

Firewall devices. The RCS can be used to test User authentication, Digipass authentication,

estimate RADIUS Server performance or test system overload.

Install the RADIUS Client Simulator on a machine in the required Domain:

1. Locate and run the VACMAN RADIUS Client Simulator Setup.exe.

2. Follow the prompts until the installation is complete.

If you chose the default install location, the Simulator will be installed to the

C:\Program Files\VASCO\VACMAN RADIUS Client Simulator directory.

3. Launch the Simulator from the Start menu.

Note

The RADIUS Client Simulator uses the port 1812 for authentication requests

and port 1813 for accounting requests, by default.

2.3 Active Directory Changes

Extend the Active Directory Schema according to the instructions in the Installation Guide.

2.4 Active Directory SSL

Set up SSL if required. See the Pre-installation Tasks section of the Installation Guide for

more information.

2.5 Install VACMAN Middleware

Install VACMAN Middleware according to the instructions in the Installation Guide.

Some settings which are created automatically for the Authentication Server are:

Example Policies.

A Component for the Authentication Server, which will point to a default Policy.

A default RADIUS Client Component.

Permissions within Active Directory for the Authentication Server.

© 2006 VASCO Data Security Inc. 9


VACMAN Middleware Getting Started Initial Setup and Testing

2.6 Configure the Authentication Server

When the install process for VACMAN Middleware is completed, open the Authentication Server

Configuration Interface. In particular, these should be configured:

Auditing – log to a text file or to the Windows Event Log. You can also set up a live Audit

Viewer connection to the Authentication Server if preferred, but it is simpler if you are

working on the server machine anyway to use the text files.

Tracing.

Domain connection parameters (Active Directory only) – modify or select a Domain

Controller to connect to if required.

The Authentication Server must be enabled and licensed.

2.7 Log in to Administration Interfaces

2.7.1 Administration MMC Interface

The Administration MMC Interface is a standalone MMC snap-in that can be used to administer

Policies and Components for the Authentication Server.

Active Directory

If Active Directory is used as the data store, the Administration MMC Interface can be used for

administration of Policy, Component and Back-end Server records (see the Product Guide for

explanations of each term). The Digipass Extension for Active Directory Users and Computers

Snap-In is used for Digipass User accounts and Digipass records.

1. Select Programs -> VASCO -> VACMAN Middleware -> Administration MMC

Interface from the Start menu.

2. Expand the Digipass Administration node.

3. Right-click on the domain node.

4. Select Connect from the list.

ODBC Database or Embedded Database

If an ODBC database (including the embedded PostgreSQLdatabase) is used as the data store,

the Administration MMC Interface can be used for administration of all Digipass-related data.

1. Select Programs -> VASCO -> VACMAN Middleware -> Administration MMC

Interface from the Start menu.

2. Expand the Digipass Administration node.

3. Right-click on the DSN.

4. Select Connect from the list.

5. Enter your User ID and password.

6. Click on OK.

© 2006 VASCO Data Security Inc. 10


VACMAN Middleware Getting Started Initial Setup and Testing

2.7.2 Active Directory Users and Computers

The Digipass Extension for Active Directory Users and Computers can be used to administer

Digipass and Digipass User accounts where Active Directory is used as the data store.

1. Open the Active Directory Users and Computers Snap-In.

2.8 Configure VACMAN Middleware

To test stand-alone logins, the Authentication Server Component should use a Policy which has

Local Authentication enabled and Back-End Authentication disabled. The RADIUS Client

Simulator should use the default RADIUS Client Component which is automatically created

during installation.

Note

The Shared Secret for the default RADIUS Client record, and the RADIUS Client

Simulator, is set to default.

© 2006 VASCO Data Security Inc. 11


VACMAN Middleware Getting Started Initial Setup and Testing

2.9 Import and Assign Digipass Records

Before a Digipass may be assigned to a Digipass User, a record for it must be imported into

the data store. This record includes all important information about the Digipass, including its

serial number, Applications, and programming information. This information is transported to

you in the form of a .dpx file. Demo Digipass may be used for the testing and familiarisation

tasks in this guide.

Active Directory

To import Digipass records:

1. Open the Active Directory Users and Computers interface.

2. Right-click on the container or Organizational Unit where the test user account is

located.

3. Click on Import Digipass...

4. Enter or browse for the import path and filename for the DPX file.

5. Enter the encryption key – this is 11111111111111111111111111111111 for the

installed demo Digipass DPX files (press the 1 key 32 times).

6. Click on Import All Applications.

OR

a. Click on Show Applications.

b. Select the Digipass Applications to import.

c. Click on Import Selected Applications.

ODBC Database or Embedded Database

To import Digipass records:

1. Open the Administration MMC Interface.

2. Right-click on the Digipass node.

3. Click on Import Digipass...

4. Enter or browse for the import path and filename for the DPX file.

5. Enter the encryption key – this is 11111111111111111111111111111111 for the

installed demo Digipass DPX files (press the 1 key 32 times).

6. Click on Import All Applications.

OR

a. Click on Show Applications.

b. Select the Digipass Applications to import.

c. Click on Import Selected Applications.

2.9.1 Assign Digipass Record(s)

Before a User can use a Digipass to login, the Digipass must be assigned to their User account

within the data store.

© 2006 VASCO Data Security Inc. 12


VACMAN Middleware Getting Started Initial Setup and Testing

Active Directory

To assign a Digipass record to a User account:

1. Open the Active Directory Users and Computers Snap-In.

2. Select the User account to be assigned a Digipass.

3. Right-click on the record and select Assign Digipass...

4. Select the Digipass record to be assigned to the User account.

5. Click on OK.

This procedure will create a Digipass User account for an Active Directory User if one did not

previously exist.

ODBC Database or Embedded Database

To assign a Digipass record to a User account:

1. Open the Administration MMC Interface.

2. Click on the Users node.

3. Create the Digipass User account if it does not currently exist for the User.

4. Select the Digipass User account to be assigned a Digipass.

5. Right-click on the record and select Assign Digipass...

6. Enter the Serial Number for the Digipass.

7. Click on Find.

8. Select the Digipass record to be assigned to the User account.

9. Click on OK.

© 2006 VASCO Data Security Inc. 13


VACMAN Middleware Getting Started Test Logins

3 Test Logins

Using the User account to which you assigned a Digipass, and the Digipass, you can test the

various authentication methods, login methods and protocols needed.

You may wish to try various combinations of authentication method, login method and

protocol, or simply the combination required for your system.

3.1 Test Pre-requisites

If you are going to test all types of login methods available, you will need:

A Digipass User account to test logins with - this can be the same one as in previous

tests.

A Digipass or Demo Digipass with Response Only and Challenge/Response Applications,

assigned to the Digipass User account.

A new Policy named 'Test'.

3.1.1 Create a Test Policy

To create the required test Policy:

1. Open the Administration MMC Interface.

2. Click on the Policies node.

3. In the Policies list on the right, find and right-click VM3 Local Authentication.

4. Click on New Copy...

5. Enter Test in the Name field.

6. Enter an explanation of the Policy in the Description field.

7. Select the Inherit default settings from another Policy option button.

8. Select VM3 Local Authentication from the Inherit from Policy drop down list.

9. Click on OK.

10. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

© 2006 VASCO Data Security Inc. 14


VACMAN Middleware Getting Started Test Logins

3.2 Configure Authentication Method

Create a Policy for each authentication method required, or use a 'Test' Policy which can be

modified as desired.

At this stage we are testing authentication without a Back-End RADIUS Server. If you wish to

try out Windows Authentication, this can be done as detailed below with Windows Back-

End Authentication. In this case, make sure that a corresponding active Windows user

account exists.

You can test the following authentication methods:

Local Authentication only

Windows Back-End Authentication only

Local and Windows Back-End Authentication

Caution – Active Directory only

After changing a Policy, Component or Back-End Server record, ensure that

you stop and start the Digipass Authentication Server service, to be sure that

the new settings will take effect immediately.

This is not necessary for an ODBC Database or Embedded Database.

3.2.1 Local Authentication Only

Local authentication means that only the Authentication Server will authenticate a login.

The recommended Policy settings for Local Authentication tests are:

Local Auth. should be set to Digipass/Password.

Back-End Auth. should be set to None.

3.2.2 Windows Back-End Authentication Only

At this point, configuring the Authentication Server to use back-end authentication means that

only Windows will authenticate a login.

The recommended Policy settings for Back-end Authentication tests are:

Local Auth. should be set to None.

Back-End Auth. should be set to Always.

Back-End Protocol must be set to Windows.

3.2.3 Local and Windows Back-End Authentication

At this point, configuring the Authentication Server to use local and back-end authentication

means that both the Authentication Server and Windows will authenticate a login.

The recommended Policy settings for Local and Back-end Authentication tests are:

© 2006 VASCO Data Security Inc. 15


VACMAN Middleware Getting Started Test Logins

Local Auth. should be set to Digipass/Password.

Back-End Auth. should be set to Always.

Back-End Protocol must be set to Windows.

3.3 Configure Login Methods

You can test the following login methods:

Static password (does not require a Digipass)

Response Only (requires a Digipass with a Response Only application)

Challenge/Response (requires a Digipass with a Challenge/Response application)

For explanations of these login methods, see the Digipass Introduction topic in the Product

Guide.

3.3.1 Static Password

For static password logins, a Digipass User account is required with a Stored Password. If a

Digipass is assigned to the account, it must be within its grace period, or the login will be

rejected.

To configure the test Policy to allow static password logins:

1. Open the Administration MMC Interface.

2. Click on the Policies node.

3. Find and double-click on the Test Policy.

4. Click on the Main Settings tab.

5. Select Digipass/Password from the Local Auth. drop down list.

6. Click on OK.

3.3.2 Response Only

To configure the test Policy to allow only Response Only logins:

1. Open the Administration MMC Interface.

2. Click on the Policies node.

3. Find and double-click on the Test Policy.

4. Click on the Digipass Settings tab.

5. Select Response Only from the Application Type drop down list.

6. Click on OK.

3.3.3 2-Step Challenge/Response

To configure the test Policy to allow only Challenge/Response logins:

1. Open the Administration MMC Interface.

2. Click on the Policies node.

© 2006 VASCO Data Security Inc. 16


VACMAN Middleware Getting Started Test Logins

3. Find and double-click on the Test Policy.

4. Click on the Digipass Settings tab.

5. Select Challenge/Response from the Application Type drop down list.

6. Click on Apply.

7. Click on the Challenge Settings tab.

8. Select Keyword from the 2-step Challenge/Response Request Method drop down

list.

9. Enter a Keyword to use (eg. '2stepCR') in the Keyword field. You can leave this field

blank, so that an empty password can be used to get a challenge.

10. Click on OK.

3.4 Test Logins

1. Configure the Test Policy for the authentication method, login method and protocol to

be tested.

2. Ensure that the Authentication Server Component is using the Test Policy.

3. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

In the RADIUS Client Simulator:

4. Configure the RADIUS Client Simulator with the details for the Authentication Server:

a. IP address

b. Shared Secret (if modified from the default)

c. Accounting and Authentication Port numbers (if modified from the defaults)

5. Click on any port in the Simulated NAS Ports group to display the Manual Simulation

window.

6. Enter the User ID for the User account you are using for test logins in the User ID

field.

7. Enter the password for the User account and (if required) an OTP from the Digipass in

the Password field.

8. Click on the Login button.

9. The Status information field will indicate the success or failure of your logon.

© 2006 VASCO Data Security Inc. 17


VACMAN Middleware Getting Started Test Back-End Authentication

4 Test Back-End Authentication

In this section, you will guided through configuring the Authentication Server to use a RADIUS

Back-End Server, and testing Back-End Authentication using that Back-End Server.

4.1 Set up Back-End RADIUS Server

There are some steps you will need to follow in order to set up the RADIUS Server to be used

for Back-End Authentication:

The diagram below shows the basic process involved. For help in completing each of these

steps, see the relevant sub-section.

Image 2: RADIUS Server Setup

4.1.1 Requirements

To complete the recommended steps, you will need:

An installed RADIUS Server.

An administrator login for the RADIUS server.

4.1.2 Create RADIUS Client records

Create a RADIUS Client record within the RADIUS Server for the machine on which the RADIUS

Client Simulator will be running and the machine on which VACMAN Middleware is installed.

© 2006 VASCO Data Security Inc. 18


VACMAN Middleware Getting Started Test Back-End Authentication

4.1.3 Create a User account

Create a User account in the RADIUS Server, or identify an existing account that can be used if

preferred. Make sure this account has the necessary permissions so that a RADIUS Access-

Request from both the RADIUS Client Simulator and from the Authentication Server will be

accepted (given the correct password of course). Also make sure this account has some

RADIUS 'reply attributes'.

4.1.4 Enable Tracing

Depending on the RADIUS Server product, some facilities will be available for tracing. This may

be referred to as “logging” or “debugging” instead. If this is enabled, it will help to find out

what is happening if the observed behaviour is not as expected.

4.2 Test Direct Login to RADIUS Server

Once the RADIUS Server has been set up, attempt a direct login using the RADIUS Client

Simulator and the User account created for testing.

1. Open the RADIUS Client Simulator.

2. Enter the IP address of the RADIUS Server.

3. Enter Authentication and Accounting port numbers if they vary from the default.

4. Enter the Shared Secret you entered for the RADIUS Client created earlier.

5. Select a protocol to use.

6. Click on any port icon to attempt a login.

7. Enter the User ID and password and click on Login.

8. The 'reply attributes' set up for that User account should be displayed in the RADIUS

Client Simulator.

4.3 Configure VACMAN Middleware for RADIUS Back-End

Authentication

Create a Policy for RADIUS Back-End Authentication, or use a 'Test' Policy which can be

modified as desired.

Caution – Active Directory only

After creating or changing a Policy, Component or Back-End Server record,

make sure that you stop and start the Digipass Authentication Server service,

to be sure that the new settings will take effect immediately.

This is not necessary for an ODBC Database or Embedded Database.

© 2006 VASCO Data Security Inc. 19


VACMAN Middleware Getting Started Test Back-End Authentication

4.3.1 Local and Back-End Authentication

Local and back-end authentication means that both the Authentication Server and the RADIUS

Server will authenticate a login. This allows RADIUS reply attributes to be retrieved from the

RADIUS Server.

In this scenario, it is normal to use the Password Autolearn and Stored Password Proxy

features. With these features enabled, the Authentication Server will learn the user's RADIUS

Server password, so that the user does not need to log in with both their password and

Digipass One Time Password at each login. However, the first time that the user logs in, they

will need to provide their RADIUS Server password so that the Authentication Server can learn

it. In subsequent logins, they can just log in with their One Time Password and the

Authentication Server will send the stored password to the RADIUS Server.

The recommended Policy settings for Local and Back-End Authentication tests are:

Local Auth. should be set to Digipass/Password.

Back-End Auth. should be set to Always.

Back-End Protocol must be set to RADIUS.

Password Autolearn should be set to Yes.

Stored Password Proxy should be set to Yes.

4.3.2 Create Back-End Server Record

The Authentication Server must be instructed where to find the RADIUS Server. Create a Back-

End Server record as follows:

1. Open the Administration MMC Interface.

2. Click on the Back-End Servers node.

The Back-End Servers list will be displayed in the Result pane.

3. Right-click on the Back-End Servers node and select the New Back-End Server

menu option.

The New Back-End Server dialog will be displayed.

4. Enter a display name for the Back-End Server in the Back-End Server ID field.

5. Select RADIUS for the Protocol.

6. Enter the Authentication and Accounting IP Address and Port values.

7. Enter the Shared Secret that was configured in the RADIUS Client record in the

RADIUS Server for VACMAN Middleware.

8. Enter a suitable Timeout and No. of Retries.

9. Click OK to create the record.

10. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

© 2006 VASCO Data Security Inc. 20


VACMAN Middleware Getting Started Test Back-End Authentication

4.4 Test Logins with Local and Back-End Authentication

1. Configure a Policy for the authentication method, login method and protocol to be

tested.

2. Ensure that the RADIUS Client Simulator Component is using the configured Policy.

3. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

In the RADIUS Client Simulator:

4. Click on any port in the Simulated NAS Ports group to display the Manual Simulation

window.

5. Enter the User ID for the User account you are using for test logins in the User ID

field.

6. Enter the User account's RADIUS Server password followed by an OTP from the

Digipass in the Password field. There should be no spaces between the password and

the OTP.

7. Click on the Login button.

8. The Status information field will indicate the success or failure of your logon. Below

you should see the RADIUS reply attributes from the RADIUS Server.

9. Enter a new OTP from the Digipass into the Password field, without the RADIUS

Server password in front.

10. Click on the Login button.

11. The Status information field will indicate the success or failure of your logon. Below

you should see the RADIUS reply attributes from the RADIUS Server.

Now other protocols and login types can be tried out.

© 2006 VASCO Data Security Inc. 21


VACMAN Middleware Getting Started Test Management Features

5 Test Management Features

5.1 Auto-Assignment

Initial Setup

1. Open the Administration MMC Interface.

2. Click on the Components node.

The Components list will be displayed in the Result pane.

3. Double-click on the RADIUS Client Component for the RADIUS Client Simulator.

The Component property sheet will be displayed.

4. Ensure that the VM3 Local Authentication is selected in the Policy drop down list.

5. Click on OK.

6. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

7. Create or use a User account in the RADIUS Server which does not currently have a

corresponding Digipass User account.

8. Check that at least one unassigned Digipass is available in either:

the same Organizational Unit,

a parent Organizational Unit, or

the Digipass Container

If one of the latter two options, ensure that the Search Upwards in Organizational Unit

hierarchy option is enabled for the VM3 Local Authentication.

Test Auto-Assignment - 1

In the following test, both Dynamic User Registration and Auto-Assignment should fail,

meaning that a Digipass User account will not be created, and a Digipass will not be assigned

to the User. This shows that the Authentication Server Component has been configured

successfully.

In the RADIUS Client Simulator:

9. Click on any port in the Simulated NAS Ports group to display the Manual

Simulation window.

10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in

the User ID field.

11. Enter the password for the RADIUS Server User account.

12. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a Digipass User account has been created for the User when Active Directory

is your data store:

© 2006 VASCO Data Security Inc. 22


VACMAN Middleware Getting Started Test Management Features

13. Open the Active Directory Users and Computers Snap-In.

14. Find the User account record and right-click on it.

15. Select Properties from the list.

The User property sheet will be displayed.

16. Click on the Digipass User Account tab.

17. If the Created On field is blank, a Digipass User account does not exist for the User.

If an ODBC or Embedded Database is your data store, simply search for the User account

record in the Administration MMC Interface.

Modify Settings

18. Modify the Authentication Server Component to use the VM3 RADIUS Auto-

Assignment Policy.

19. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

Test Auto-Assignment - 2

In the following test, both Dynamic User Registration and Auto-Assignment should succeed,

meaning that a Digipass User account will be created, and an available Digipass will be

assigned to the User.

In the RADIUS Client Simulator:

20. Click on any port in the Simulated NAS Ports group to display the Manual Simulation

window.

21. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in

the User ID field.

22. Enter the password for the User account.

23. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a Digipass User account has been created for the User when Active Directory

is your data store:

24. Open the Active Directory Users and Computers Snap-In.

25. Find the User account record and right-click on it.

26. Select Properties from the list.

The User property sheet will be displayed.

27. Click on the Digipass User Account tab.

If the Created On field is not blank, a Digipass User account exists for the User.

If an ODBC or Embedded Database is your data store, simply search for the User account

record in the Administration MMC Interface.

To check whether a Digipass has been assigned to the User:

© 2006 VASCO Data Security Inc. 23


VACMAN Middleware Getting Started Test Management Features

28. Click on the Digipass Assignment tab.

29. If a Digipass is listed under this tab, the User has been assigned the listed Digipass.

30. Check the Grace Period End field to see that a Grace Period of the correct length (7

days by default) has been set.

Check Grace Period

Password login

31. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's

User ID and password only. If the Grace Period is still effective, this should be

successful.

OTP login

32. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's

User ID and One Time Password. This should be successful.

Password login

33. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's

User ID and password only. As the OTP login from the previous step should have

ended the Grace Period for the Digipass, this login should fail.

34. Check the Grace Period End in the User record. It should contain today's date.

© 2006 VASCO Data Security Inc. 24


VACMAN Middleware Getting Started Test Management Features

5.2 Self-Assignment

Initial Setup

1. Open the Administration MMC Interface.

2. Click on the Components node.

The Components list will be displayed in the Result pane.

3. Double-click on the RADIUS Client Component for the RADIUS Client Simulator.

The Component property sheet will be displayed.

4. Ensure that the VM3 Local Authentication is selected in the Policy drop down list.

5. Click on OK.

6. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

7. Create or use a User account in the RADIUS Server which does not currently have a

corresponding Digipass User account.

8. Check that the record for the Digipass to be used in the Self-Assignment is available in

either:

the same Organizational Unit,

a parent Organizational Unit, or

the Digipass Container

If one of the latter two options, ensure that the Search Upwards in Organizational Unit

hierarchy option is enabled for the VM3 Local Authentication.

Test Self-Assignment - 1

In the following test, both Dynamic User Registration and Self-Assignment should fail,

meaning that a Digipass User account will not be created, and the selected Digipass will not be

assigned to the User.

In the RADIUS Client Simulator:

9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation

window.

10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in

the User ID field.

11. Enter the Serial Number for the Digipass, the Separator, the RADIUS Server User's

Password, a Server PIN (if required) and a One Time Password from the Digipass into

the Password field. eg. 98765432|password12340098787 (see the Login

Permutations topic in the Administrator Reference for more information).

12. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a Digipass User account has been created for the User when Active Directory

is your data store:

© 2006 VASCO Data Security Inc. 25


VACMAN Middleware Getting Started Test Management Features

13. Open the Active Directory Users and Computers Snap-In.

14. Find the User account record and right-click on it.

15. Select Properties from the list.

The User property sheet will be displayed.

16. Click on the Digipass User Account tab.

If the Created On field is blank, a Digipass User account does not exist for the User.

If an ODBC or Embedded Database is your data store, simply search for the User account

record in the Administration MMC Interface.

Modify Settings

17. Modify the Authentication Server Component to use the VM3 RADIUS Self-

Assignment Policy.

18. If Active Directory is used as the data store, stop and start the Digipass Authentication

Server service.

Test Self-Assignment - 2

In the following test, both Dynamic User Registration and Self-Assignment should succeed,

meaning that a Digipass User account will be created, and the intended Digipass will be

assigned to the User.

In the RADIUS Client Simulator:

19. Click on any port in the Simulated NAS Ports group to display the Manual Simulation

window.

20. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in

the User ID field.

21. Enter the Serial Number for the Digipass, the Separator, the RADIUS Server User's

Password, a Server PIN (if required) and a One Time Password from the Digipass into

the Password field. eg. 98765432|password12340098787 (see the Login

Permutations topic in the Administrator Reference for more information).

22. Click on the Login button.

The Status information field will indicate the success or failure of your logon.

Check Test Results

To check whether a Digipass User account has been created for the User when Active Directory

is your data store:

23. Open the Active Directory Users and Computers Snap-In.

24. Find the User account record and right-click on it.

25. Select Properties from the list.

The User property sheet will be displayed.

26. Click on the Digipass User Account tab.

If the Created On field is not blank, a Digipass User account exists for the User.

© 2006 VASCO Data Security Inc. 26


VACMAN Middleware Getting Started Test Management Features

If an ODBC or Embedded Database is your data store, simply search for the User account

record in the Administration MMC Interface.

To check whether the Digipass has been assigned to the User:

27. Click on the Digipass Assignment tab.

28. If the Digipass is listed under this tab, it has been assigned to the Digipass User

account.

Check Grace Period

29. Check that a Grace Period has not been set.

Password login

30. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's

User ID and password only. This should fail, as a Grace Period is not set for a Self-

Assignment.

OTP login

31. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's

User ID and One Time Password. This should be successful.

© 2006 VASCO Data Security Inc. 27


VACMAN Middleware Getting Started Demo Tokens

6 Demo Tokens

6.1 Obtaining a Demo Digipass

If you do not have a demo Digipass, you can use a simulated DP300 at

http://demotoken.vasco.com/

The DPX files for the Demo DP300 and Demo Go 1/Go 3 are located in the DPX folder under

the VACMAN Middleware installation directory.

6.2 Using the Demo Go 1 or Go 3

This topic explains the activation and use of the demonstration Go 1 or Go 3

Note

The Demo Go 1 and Go 3, and other Go 1/Go 3 tokens, only produce a timebased

One Time Password - referred to as a ‘Response’ . This is referred to as

the ‘Response Only’ authentication method. The Go 1 and Go 3 tokens are

used with a PIN, which is entered before the Response.

6.2.1 Activating the Demo Go 1/Go 3

To turn on the Demo Go 1, slide the Go 1 apart to reveal the LCD screen.

To turn on the Demo Go 3, press the button on the token.

All Go 1/Go 3 tokens have an auto-off function, meaning that they automatically turn

themselves off after short periods of inactivity.

6.2.2 Obtaining a One Time Password

Whenever the Demo Go 1/Go 3 is activated, it produces a 6-digit number on its LCD screen.

This response number is generated based on the secret code stored within the token, and the

current time.

At logon, the Users' Server PIN and the One Time Password from the Go 1/Go 3 should be

entered as into the appropriate password field in the logon screen or web page. The Server

PIN is initially 1234.

For example, if the One Time Password generated by the Demo Go 1/Go 3 was 235761,

1234235761 should be entered in the login screen.

© 2006 VASCO Data Security Inc. 28


VACMAN Middleware Getting Started Demo Tokens

6.2.3 Changing the Demo Go 1/Go 3 Server PIN

The Demo Go 1/Go 3 Server PIN (1234) can be changed during the authentication process.

To change the Demo Go 1/Go 3 Server PIN:

1. Go to the login page or screen.

2. In the user ID field, enter the User ID for the account you are using for testing.

3. In the password field, enter the current Server PIN (1234) for the Demo Go 1/Go 3.

4. Activate the Demo Digipass and enter the One Time Password generated in the

response field directly after the Server PIN.

5. Next, enter the new PIN for the Demo Go 1/Go 3 after the response in the Response

field, then enter it again to confirm it.

6. Submit your login to issue the new Server PIN information to the Authentication Server.

Example

To change the Server PIN for a Demo Digipass from 1234 to 5678, where the OTP generated

was 111111, enter:

123411111156785678

in the password field and login.

Any time you login using the Demo or another Go 1/Go 3, you may use this method to change

your PIN, except for RADIUS authentications where any form of CHAP is in use (E.g., CHAP,

MS-CHAP, MS-CHAP2). This is because the information is one-way hashed and cannot be

retrieved from the packet.

If CHAP protocols are used, refer to the User Self-Management Web Site Guide for more

information about alternative web based methods for PIN change (eg. using your intranet).

6.3 Using the Demo DP300

This topic explains the activation and use of the demonstration DP300.

6.3.1 Activate the Demo DP300

The Demo DP300 is turned on with the < button.

Each time the Demo DP300 is activated it will request a 4-digit PIN number (displayed on the

LCD screen). The PIN for Demo DP300s is initially set to 1234.

The Demo Digipass will then prompt you to indicate the application you wish to use:

Application 1 : Response only

When you press 1 on the keypad, the demo DP300 will produce a 6-digit number. This

response number is generated based on the secret code stored within the token, and the

current time.

© 2006 VASCO Data Security Inc. 29


VACMAN Middleware Getting Started Demo Tokens

The One Time Password displayed should be entered into the appropriate password field in the

logon screen or web page.

Application 2 : Digital Signature

When you press 2 on the keypad, you will be prompted for 3 numbers (typically from an online

transaction) comprising up to 5 digits each. When all three numbers required have been

entered, a 6-digit number is generated (displayed on the LCD screen). This number is the

digital signature for the transaction. This needs to be entered into the appropriate field in the

digital signature web page or screen.

Note

Digital signatures are not currently in use with the Authentication Server.

Application 3: Challenge / Response

When you press 3 on the keypad, the Digipass will present you with four dashes (- - - -) to

indicate that a ‘challenge’ must be entered.

You may have the option of holding the optical reader to the middle of the flash sequence (the

white flashing panels) on the logon web page if one is presented.

Alternatively, if the challenge number is shown on the screen, you can key it in directly into

the keypad.

The demo DP300 will then calculate and display a One Time Password based on the challenge

and the secret code stored in the DP300. The One Time Password displayed should be entered

into the appropriate password field in the logon screen or web page.

6.3.2 Change the PIN

Turn on the Demo DP300 and enter the current PIN to activate the token. Then hold down the

On (


VACMAN Middleware Getting Started Demo Tokens

The Administration MMC Interface allows Digipass to be unlocked using the Unlock option. See

the Help in the Administration MMC Interface for more information.

© 2006 VASCO Data Security Inc. 31


VACMAN Middleware Getting Started Set up Live System

7 Set up Live System

7.1 Checklist

Set up RADIUS Server

Set up your RADIUS Server with the necessary User accounts and RADIUS

attributes.

Modify RADIUS Client Configuration

Configure the RADIUS Clients to send authentication requests to the Authentication

Server.

Import More Digipass

Import all required Digipass records

Create Digipass User Accounts

If required, manually create Digipass User accounts. Alternatively, enable Dynamic

User Registration in VACMAN Middleware.

Create New Policy

Create the necessary Policies in the Administration MMC Interface for login

authentications requested by the RADIUS Clients.

Create Component Records for the RADIUS Clients

Create a Component record for the RADIUS Clients in the Administration MMC

Interface, linking them to the correct Policies. You may wish to use the default

RADIUS Client for some or all RADIUS Clients instead.

Test Digipass Logins

Test Digipass logins through the RADIUS Clients, using One Time Passwords.

© 2006 VASCO Data Security Inc. 32

More magazines by this user
Similar magazines