Digipass Plug-In for IAS Getting Started - Vasco

Digipass Plug-In for IAS 

IAS Plug-In 

IAS 

Microsoft's Internet Authentication Service 

Getting Started

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express 

or implied, including but not limited to warranties of merchantable quality, merchantability of 

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of 

dealing. The entire risk as to the results and performance of the product is assumed by you. 

Neither we nor our dealers or suppliers shall have any liability to you or any other person or 

entity for any indirect, incidental, special or consequential damages whatsoever, including but 

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic 

loss, even if we have been advised of the possibility of such damages or they are foreseeable; 

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers 

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this 

section shall apply whether or not the alleged breach or default is a breach of a fundamental 

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion 

or limitation or liability for consequential or incidental damages so the above limitation may 

not apply to you. 

Copyright 

© 2005 VASCO Data Security Inc. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in 

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, 

without the prior written permission of VASCO Data Security Inc. 

Trademarks 

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. 

Microsoft and Windows are registered trademarks of Microsoft Corporation. 

All other trademarks are the property of their respective holders. 

© 2005 VASCO Data Security Inc. ii

Digipass Plug-In for IAS Getting Started Table of Contents 

Table of Contents 

1 Introduction............................................................................................................5 

1.1 What You Need to Know/Have before Starting.............................................................6 

1.2 System Requirements...................................................................................................6 

1.3 Available Reference Guides.......................................................................................... 7 

2 Initial Setup and Testing.........................................................................................8 

2.1 Basic Procedure............................................................................................................8 

2.2 Install the RADIUS Client Simulator............................................................................. 9 

2.3 Configure Microsoft's Internet Authentication Service............................................... 10 

2.3.1 Register IAS in Active Directory............................................................................. 10 

2.3.2 Create RADIUS Client record................................................................................. 11 

2.3.3 Create Remote Access Policy................................................................................. 11 

2.3.4 Give Remote Access Permissions to a User.............................................................. 12 

2.3.5 Enable Logging.................................................................................................... 12 

2.4 Test Windows Password Login................................................................................... 12 

2.5 Active Directory Changes............................................................................................12 

2.6 Install the Digipass Plug-In for IAS............................................................................ 12 

2.7 Configure the IAS Plug-In.......................................................................................... 13 

2.8 Log in to Administration Interfaces............................................................................ 13 

2.8.1 Administration MMC Interface................................................................................ 13 

2.8.2 Active Directory Users and Computers.................................................................... 13 

2.9 Set up Policy and Component..................................................................................... 13 

2.10 Test Windows Password Login................................................................................... 14 

2.11 Import and Assign Digipass Records.......................................................................... 15 

2.11.1 Import Digipass Records....................................................................................... 15 

2.11.2 Assign Digipass Record(s)..................................................................................... 15 

2.12 Modify Settings for Digipass logins.............................................................................16 

2.13 Test Digipass Login.....................................................................................................16 

3 Test Logins............................................................................................................18 

3.1 Test Pre-requisites..................................................................................................... 18 

3.2 Configure Authentication Method............................................................................... 18 

3.2.1 Local Authentication............................................................................................. 18 

3.2.2 Back-end Authentication....................................................................................... 18 

3.2.3 Local and Back-end Authentication......................................................................... 18 

3.3 Configure Login Methods............................................................................................ 19 

3.3.1 Response Only.................................................................................................... 19 

3.3.2 2-Step Challenge/Response................................................................................... 19 

3.4 Configure Protocol......................................................................................................19 

3.5 Test Logins................................................................................................................. 19 

4 Test Management Features................................................................................... 21 

4.1 Auto-Assignment........................................................................................................ 21 

4.2 Self-Assignment......................................................................................................... 24 

© 2005 VASCO Data Security Inc. iii

Digipass Plug-In for IAS Getting Started Table of Contents 

5 Demo Tokens........................................................................................................ 27 

5.1 Obtaining a Demo Digipass.........................................................................................27 

5.2 Using the Demo Go 1 or Go 3...................................................................................... 27 

5.2.1 Activating the Demo Go 1/Go 3............................................................................. 27 

5.2.2 Obtaining a One Time Password............................................................................. 27 

5.2.3 Changing the Demo Go 1/Go 3 Server PIN.............................................................. 28 

5.3 Using the Demo DP300............................................................................................... 28 

5.3.1 Activate the Demo DP300..................................................................................... 28 

5.3.2 Change the PIN................................................................................................... 29 

5.3.3 Auto-Off Function................................................................................................ 29 

5.3.4 Unlock the Demo DP300....................................................................................... 30 

6 Set up Live System................................................................................................31 

6.1 Checklist.....................................................................................................................31 

Disable IAS Plug-In.................................................................................................... 31 

Set up Internet Authentication Service.......................................................................... 31 

Modify NAS Configuration............................................................................................ 31 

Test Windows Logins.................................................................................................. 31 

Import More Digipass................................................................................................. 31 

Import More Users..................................................................................................... 31 

Enable IAS Plug-In..................................................................................................... 31 

Create New Policy...................................................................................................... 31 

Create Component Record for NAS............................................................................... 31 

Test Digipass Logins................................................................................................... 31 

© 2005 VASCO Data Security Inc. iv

Digipass Plug-In for IAS Getting Started Introduction 

1 Introduction 

This Getting Started Guide will introduce you to the Digipass Plug-In for IAS. It will help you 

set up a basic installation of the Digipass Plug-In for IAS and get to know the product and the 

tools it includes. It covers only basic information and the most common configuration 

requirements. Other options and more in-depth instructions are covered in other manuals. 

This guide covers a standard implementation of the Digipass Plug-In for IAS: 

Windows environment 

Typical installation: 


Active Directory as the data store 

Administration MMC Interface 

Digipass Extension for Active Directory Users and Computers 

It includes information on: 

Basic configuration of the Digipass Plug-In for IAS 

Testing 

This guide does not cover topics such as: 

Installation instructions 

Detailed introduction to the Digipass Plug-In for IAS, its features and components 

Detailed instructions on the use of the Digipass Plug-In for IAS 

Additional components 

Virtual Digipass 

Backup and recovery 

© 2005 VASCO Data Security Inc. 5


1.1 What You Need to Know/Have before Starting 

DPX file (unless you will only use the provided demo Digipass files) 

Encryption Key for the DPX file (if using your own file) 

Installation Guide 

1.2 System Requirements 


Microsoft's Internet Authentication Service 

Digipass Extension for Active Directory Users and Computers 

Active Directory Users and Computers Snap-In 

Operating System 

Windows Server 2003 (32-bit version only), or 

Windows XP Professional (32-bit version only) with Service Pack 1 or above, or 

Windows 2000 with Service Pack 4 or above 



1.3 Available Reference Guides 

Reference Guides are included with every VASCO product: 

Product Guide 

The Product Guide will introduce you to the features of this product and the various options 

you have for using it. It also highlights decisions which you should consider and make before 

setting up a live installation of the product. 

Installation Guide 

Use this guide when planning and working through an installation of the product. 

Getting Started 

To get you up and running quickly with a simple installation and setup of the product. 

Administrator Reference 

In-depth information required for administration of the product. 

Data Migration Tool Guide 

This Guide will take you through a data migration from one VASCO product to another, using 

the VASCO Data Migration Tool. 

Help Files 

Accompany various utilities and the administration interfaces. 


Digipass Plug-In for IAS Getting Started Initial Setup and Testing 

2 Initial Setup and Testing 

2.1 Basic Procedure 

The diagram below illustrates the basic procedure which this Guide will take you through in the 

initial setup and tests for the Digipass Plug-In for IAS. At various points in the process, test 

logins are recommended to ensure that the previous steps have not caused unexpected 

problems. This also helps in troubleshooting, as it helps to pinpoint where in the process a 

problem occurred. 

Image 1: Basic Setup Procedure 



2.2 Install the RADIUS Client Simulator 

Install the RADIUS Client Simulator on a machine in the required Domain: 

1. Locate and run the VACMAN RADIUS Client Simulator Setup.exe. 

2. Follow the prompts until the installation is complete. 

If you chose the default install location, the Simulator will be installed to the 

C:\Program Files\VASCO\VACMAN RADIUS Client Simulator directory. 

3. Launch the Simulator from the Start menu. 



2.3 Configure Microsoft's Internet Authentication Service 

If IAS is newly-installed, there are some steps you will need to follow in order to get the IAS 

Plug-In working with IAS. 

The diagram below shows the basic process involved. For help in completing each of these 

steps, see the relevant sub-section. 

Register IAS server in Active Directory 

Create a RADIUS Client record for the 

RADIUS Client Simulator 

Configure a Remote Access Policy 

Give Windows User Remote Access 

permissions 

Enable Remote Access Logging within IAS 

Image 2: IAS Setup 

2.3.1 Register IAS in Active Directory 

Register IAS in the Active Directory Domain: 

1. Log on to the IAS server with an administrator account for the domain. 

2. Open Internet Authentication Service in the Administrative Tools folder of the Start 

menu. 

3. Right-click on Internet Authentication Service. 

4. Click on Register Server in Active Directory. 

The Register Internet Authentication Service in Active Directory window will be 

displayed. 

5. Click OK. 

Test Windows Login 

The IAS Server must be registered in the 

relevant Active Directory Domain before it 

can access data within Active Directory. 

A RADIUS Client record must exist within IAS 

for the machine on which the RADIUS Client 

Simulator is installed, or authentication 

requests from it will be rejected by IAS. 

Configure a Remote Access Policy to handle 

logins authenticated by the IAS Extension. 

At least one Windows User should be given 

remote access permissions, so that remote 

logins can be tested. 

Configure IAS to log authentication 

requests. 

Log in with a Windows User account which 

has remote access permissions. Use 

Windows User ID and password. See . 



2.3.2 Create RADIUS Client record 

Create a RADIUS Client record within IAS for the machine on which the RADIUS Client 

Simulator will be running: 

1. Right-click on Clients. 

2. Click on New Client. 

3. Follow the prompts provided by the IAS New Client wizard. 

2.3.3 Create Remote Access Policy 

Create a Remote Access Policy in IAS for use with the IAS Plug-In: 

1. Right-click Remote Access Policies. 

2. Click on New Remote Access Policy. 

The Add Remote Access Policy window will be displayed. 

3. Enter a name for the Policy (eg. Digipass Access) 

4. Click on Next. 

Click on Add. 

The Select Attribute window will be displayed. 

5. Select an attribute to define the Policy with: 

The Day-and-Time-Restrictions attribute with 24/7 setting is recommended for 

Windows 2000, as the simplest way to create a Policy which will handle all logins. 

For Windows 2003 installations, the Extension attribute is recommended. 

6. Click on Add twice. 

7. Click on OK twice. 


9. Tick the Grant remote access permission checkbox. 


11. Click on Edit Profile. 

The Edit Dial-in Profile window will be displayed. 

12. Enable the protocols you wish to test. 


14. Click on Finish. 



2.3.4 Give Remote Access Permissions to a User 

In order to test Windows logins through the RADIUS Client Simulator, you will need to use a 

Windows User account which has remote access permissions. To do this, select a User account 

and set the Remote Access permission to Allow access. 

2.3.5 Enable Logging 

Enabling remote access logging within IAS will allow you to check the log file if you need to 

troubleshoot a failed test login. 

To enable remote access logging in IAS: 

1. Click on Remote Access Logging. 

2. Right-click on Local File. 

3. Click on Properties. 

4. Tick the Log authentication requests checkbox. 

5. Click on Apply. 

2.4 Test Windows Password Login 

Once IAS has been set up, attempt a login through the RADIUS Client Simulator (using 

Windows User ID and Password) with a User whose account has been given remote access 

permissions. 

2.5 Active Directory Changes 

Extend the Active Directory Schema according to the instructions in the Installation Guide. 

2.6 Install the Digipass Plug-In for IAS 

Install the Digipass Plug-In for IAS according to the instructions in the Installation Guide. 

Some settings which are created automatically for the IAS Plug-In are: 

Example Policies. 

A Component for the IAS Plug-In, which will point to a default Policy. 

Permissions within Active Directory for the IAS Plug-In. 



2.7 Configure the IAS Plug-In 

When the install process for the Digipass Pack is completed, the IAS Plug-In Configuration 

Interface will be displayed. In particular, these should be configured: 

Configure auditing – log to a text file or to the Windows Event Log. 

Configure tracing. 

Check Domain connection parameters – modify or select a Domain Controller to connect 

to if required. 

Check that the IAS Plug-In is enabled. 

2.8 Log in to Administration Interfaces 

2.8.1 Administration MMC Interface 

The Administration MMC Interface is a standalone MMC snap-in that can be used to administer 

Policies and Components for the IAS Plug-In. 

1. Select Programs -> VASCO -> Digipass Plug-In for IAS -> Administration MMC 

Interface from the Start menu. 

2. Expand the Digipass Administration node. 

3. Right-click on the domain node. 

4. Select Connect from the list. 

2.8.2 Active Directory Users and Computers 

The Digipass Extension for Active Directory Users and Computers can be used to administer 

Digipass and Digipass User accounts. 

2.9 Set up Policy and Component 

Ensure that the IAS Plug-In Component is pointed to a Policy which has the Back-End 

Authentication set to Windows and Local Authentication disabled. To modify these settings for 

a Policy: 

1. Open the Administration MMC Interface. 

2. Click on the Policies node. 

The Policies list will be displayed in the Result pane. 

3. Double-click on the Policy IAS Base Policy. 

The Policy property sheet will be displayed. 

4. Click on the Main Settings tab. 

5. Check these drop down lists: 



a. Local Auth. should be set to None. 

b. Back-end Auth. should be set to Always. 

c. Back-end Protocol should be set to Windows. 

To ensure that the IAS Plug-In Component will use the correct Policy: 

1. Click on the Components node. 

The Components list will be displayed in the Result pane. 

2. Double-click on the IAS Plug-In Component. 

The Component property sheet will be displayed. 

3. Ensure that the IAS Base Policy Policy is selected in the Policy drop down list. 

4. Click on OK. 

5. Stop and Start the Internet Authentication Service service. 

2.10 Test Windows Password Login 

Use the RADIUS Client Simulator to attempt a login (using Windows User ID and Password) 

with the same User account as the last test login. This is to check that the installation and 

configuration of the IAS Plug-In has been successful at this point. 

Note 

Windows Authentication is only supported by the IAS Plug-In using the PAP 

protocol, unless the User ID and password are manually added to the IAS Plug- 

In and Stored Password Proxy is enabled. Therefore, only simulated logins 

using the PAP protocol will be successful at this point in the testing process. 

1. Open the RADIUS Client Simulator. 

2. Click on any port in the Simulated NAS Ports group to display the Manual 

Simulation window. 

3. Enter the User ID for the User account you are using for test logins in the User ID 

field. 

4. Enter the password for the User account in the Password field. 

5. Click on the Login button. 

6. The Status information field will indicate the success or failure of your login. 



2.11 Import and Assign Digipass Records 

2.11.1 Import Digipass Records 

Digipass records must be imported into the data store before they can be assigned to User 

accounts. 

To import Digipass records: 

1. Open the Active Directory Users and Computers interface. 

2. Right-click on the Users container. 

3. Click on Import Digipass... 

4. Enter or browse for the import path and filename for the DPX file. 

5. Enter the encryption key – this is 11111111111111111111111111111111 for the 

installed demo Digipass DPX files. 

6. Click on Import All Applications. 

OR 

a. Click on Show Applications. 

b. Select the Digipass Applications to import. 

c. Click on Import Selected Applications. 

2.11.2 Assign Digipass Record(s) 

Before a User can use a Digipass to login, the Digipass must be assigned to their User account 

within the Digipass Extension for Active Directory Users and Computers. 

To assign a Digipass record to a User account: 

1. Select the User account to be assigned a Digipass. 

2. Right-click on the record and select Assign Digipass... 

3. Select the Digipass record to be assigned to the User account. 




2.12 Modify Settings for Digipass logins 

To test Digipass logins, the IAS Plug-In Component should use a Policy which has Local 

Authentication enabled and Back-end Authentication disabled. 

To check that a Policy has these settings: 


2. Click on the Policies node. 

The Policies list will be displayed in the Result pane. 

3. Double-click on the “IAS Base Policy” Policy. 

The Policy property sheet will be displayed. 

4. Click on the Main Settings tab. 

5. Check these drop down lists: 

a. Local Auth. should be set to Digipass/Password. 

b. Back-end Auth. should be set to None. 

To ensure that the IAS Plug-In Component will use the correct Policy: 





3. Ensure that the “IAS Base Policy” Policy is selected in the Policy drop down list. 


5. Stop and Start the Internet Authentication Service service. 

2.13 Test Digipass Login 

Use the RADIUS Client Simulator to attempt a Digipass login with a User account which has a 

Digipass assigned. This is to check that the IAS Plug-In has been configured correctly for 

authenticating Digipass logins. 

If you are unsure how to use the Digipass, see the Demo Tokens section. 




2. Click on any port in the Simulated NAS Ports group to display the Manual 

Simulation window. 


field. 

4. Enter the One Time Password generated by the Digipass in the Password field. 


6. The Status information field will indicate the success or failure of your login. 


Digipass Plug-In for IAS Getting Started Test Logins 

3 Test Logins 

Using the User account to which you assigned a Digipass, and the Digipass, you can test the 

various authentication methods, login methods and protocols needed. 

You may wish to try various combinations of authentication method, login method and 

protocol, or simply the combination required for your system. 

3.1 Test Pre-requisites 

If you are going to test all types of login methods available, you will need: 

A User account to test logins with - this can be the same one as in previous tests. 

A Digipass or Demo Digipass with Response Only and Challenge/Response Applications. 

3.2 Configure Authentication Method 

Create a Policy for each authentication method required, or use a 'Test' Policy which can be 

modified as desired. 

After changing the Policy or Component, make sure that you stop and start the 

Internet Authentication Service service, to be sure that the new settings will take 

effect immediately. 

3.2.1 Local Authentication 

Local authentication means that only the IAS Plug-In will authenticate a login. 

The recommended Policy settings for Local Authentication tests are: 

Local Auth. should be set to Digipass/Password. 

Back-end Auth. should be set to None. 

3.2.2 Back-end Authentication 

Back-end authentication means that only Windows will authenticate a login. 

The recommended Policy settings for Back-end Authentication tests are: 

Local Auth. should be set to None. 

Back-end Auth. should be set to Always. 

Back-end Protocol must be set to Windows. 

3.2.3 Local and Back-end Authentication 

Local authentication means that both the IAS Plug-In and Windows will authenticate a login. 

The recommended Policy settings for Local and Back-end Authentication tests are: 



Local Auth. should be set to Digipass/Password. 

Back-end Auth. should be set to Always. 

Back-end Protocol must be set to Windows. 

3.3 Configure Login Methods 

3.3.1 Response Only 

To configure a Policy to allow Response Only logins: 

1. Open the Policy property sheet. 

2. Click on the Digipass Settings tab. 

3. Select Response Only from the Application Type drop down list. 


3.3.2 2-Step Challenge/Response 

1. Open the Policy property sheet. 

2. Click on the Digipass Settings tab. 

3. Select Challenge/Response from the Application Type drop down list. 

4. Click on Apply. 

5. Click on the Challenge Settings tab. 

6. Select Keyword from the 2-step Challenge/Response Request Method drop down 

list. 

7. Enter a Keyword to use (eg. '2stepCR') in the Keyword field. You can leave this field 

blank, so that an empty password can be used to get a challenge. 


3.4 Configure Protocol 


2. Check that the Protocol drop down list is set to the protocol you wish to implement (eg. 

CHAP, MS-CHAP, MS-CHAP2). 

3.5 Test Logins 

1. Configure a Policy for the authentication method, login method and protocol to be 

tested. 

2. Ensure that the IAS Plug-In Component is using the configured Policy. 



In the RADIUS Client Simulator: 

3. Click on any port in the Simulated NAS Ports group to display the Manual Simulation 

window. 


field. 

5. Enter the password for the User account and an OTP from the Digipass in the 

Password field. 


7. The Status information field will indicate the success or failure of your logon. 


Digipass Plug-In for IAS Getting Started Test Management Features 

4 Test Management Features 

4.1 Auto-Assignment 

Initial Setup 






4. Ensure that the IAS Base Policy is selected in the Policy drop down list. 


6. Stop and Start the service. 

7. Create or use a Windows User account which does not currently have a Digipass User 

account. 

8. Check that at least one unassigned Digipass is available in either: 

the same Organizational Unit, 

a parent Organizational Unit, or 

the Digipass Container 

If one of the latter two options, ensure that the Search Upwards in Organizational Unit 

hierarchy option is enabled for the IAS Base Policy. 

Test Auto-Assignment - 1 

In the following test, both Dynamic User Registration and Auto-Assignment should fail, 

meaning that a Digipass User account will not be created, and a Digipass will not be assigned 

to the User. 



window. 

10. Enter the User ID for the Windows User account you created earlier (step 7) in the 

User ID field. 

11. Enter the password for the Windows User account. 


The Status information field will indicate the success or failure of your logon. 



Check Test Results 

To check whether a Digipass User account has been created for the User: 

13. Open the Active Directory Users and Computers Snap-In. 

14. Find the User account record and right-click on it. 

15. Select Properties from the list. 

The User property sheet will be displayed. 

16. Click on the Digipass User Account tab. 

17. If the Created On field is blank, a Digipass User account does not exist for the User. 

Modify Settings 

18. Modify the IAS Plug-In Component to use the IAS Windows Auto-Assignment Policy. 


Test Auto-Assignment - 2 

In the following test, both Dynamic User Registration and Auto-Assignment should succeed, 

meaning that a Digipass User account will be created, and an available Digipass will be 

assigned to the User. 



window. 



22. Enter the password for the User account. 












If the Created On field is not blank, a Digipass User account exists for the User. 

To check whether a Digipass has been assigned to the User: 

28. Click on the Digipass Assignment tab. 

29. If a Digipass is listed under this tab, the User has been assigned the listed Digipass. 

30. Check the Grace Period End field to see that a Grace Period of the correct length (7 

days by default) has been set. 

Check Grace Period 

Password login 

31. Using the RADIUS Client Simulator, attempt a login using the Windows User's User ID 

and password only. If the Grace Period is still effective, this should be successful. 

OTP login 


and One Time Password. This should be successful. 



and password only. As the OTP login from the previous step should have ended the 

Grace Period for the Digipass, this login should fail. 

34. Check the Grace Period End in the User record. It should contain today's date. 



4.2 Self-Assignment 

Initial Setup 






4. Ensure that the IAS Base Policy is selected in the Policy drop down list. 



7. Create or use a Windows User account which does not currently have a Digipass User 

account. 

8. Check that the record for the Digipass to be used in the Self-Assignment is available in 

either: 

the same Organizational Unit, 

a parent Organizational Unit, or 

the Digipass Container 

If one of the latter two options, ensure that the Search Upwards in Organizational Unit 

hierarchy option is enabled for the IAS Base Policy. 

Test Self-Assignment - 1 

In the following test, both Dynamic User Registration and Self-Assignment should fail, 

meaning that a Digipass User account will not be created, and the selected Digipass will not be 




window. 



11. Enter the Serial Number for the Digipass, the Separator, the Windows User's 

Password, a Server PIN (if required) and a One Time Password from the Digipass into 

the Password field. eg. 98765432|password12340098787 (see the Login 

Permutations topic in the Administrator Reference for more information). 












17. If the Created On field is blank, a Digipass User account does not exist for the User. 

Modify Settings 

18. Modify the IAS Plug-In Component to use the IAS Windows Self-Assignment Policy. 


Test Self-Assignment - 2 

In the following test, both Dynamic User Registration and Self-Assignment should succeed, 

meaning that a Digipass User account will be created, and the intended Digipass will be 




window. 



22. Enter the Serial Number for the Digipass, the Separator, the Windows User's 

Password, a Server PIN (if required) and a One Time Password from the Digipass into 

the Password field. eg. 98765432|password12340098787 (see the Login 

Permutations topic in the Administrator Reference for more information). 












If the Created On field is not blank, a Digipass User account exists for the User. 

To check whether the Digipass has been assigned to the User: 

28. Click on the Digipass Assignment tab. 

29. If the Digipass is listed under this tab, it has been assigned to the Digipass User 

account. 

Check Grace Period 

30. Check that a Grace Period has not been set. (check – see if GPE field is blank or 

today's date) 



and password only. This should fail, as a Grace Period is not set for a Self-Assignment. 

OTP login 


and One Time Password. This should be successful. 


Digipass Plug-In for IAS Getting Started Demo Tokens 

5 Demo Tokens 

5.1 Obtaining a Demo Digipass 

If you do not have a demo Digipass, you can use a simulated DP300 at 

http://demotoken.vasco.com/ 

The DPX files for the Demo DP300 and Demo Go 1/Go 3 are located in the DPX folder under 

the Digipass Plug-In for IAS installation directory. 

5.2 Using the Demo Go 1 or Go 3 

This topic explains the activation and use of the demonstration Go 1 or Go 3 

Note 

The Demo Go 1 and Go 3, and other Go 1/Go 3 tokens, only produce a timebased 

One Time Password - referred to as a ‘Response’ . This is referred to as 

the ‘Response Only’ authentication method. The Go 1 and Go 3 tokens are 

used with a PIN, which is entered before the Response. 

5.2.1 Activating the Demo Go 1/Go 3 

To turn on the Demo Go 1, slide the Go 1 apart to reveal the LCD screen. 

To turn on the Demo Go 3, press the button on the token. 

All Go 1/Go 3 tokens have an auto-off function, meaning that they automatically turn 

themselves off after short periods of inactivity. 

5.2.2 Obtaining a One Time Password 

Whenever the Demo Go 1/Go 3 is activated, it produces a 6-digit number on its LCD screen. 

This response number is generated based on the secret code stored within the token, and the 

current time. 

At logon, the Users' Server PIN and the One Time Password from the Go 1/Go 3 should be 

entered as into the appropriate password field in the logon screen or web page. The Server 

PIN is initially 1234. 

For example, if the One Time Password generated by the Demo Go 1/Go 3 was 235761, 

1234235761 should be entered in the login screen. 



5.2.3 Changing the Demo Go 1/Go 3 Server PIN 

The Demo Go 1/Go 3 Server PIN (1234) can be changed during the authentication process. 

To change the Demo Go 1/Go 3 Server PIN: 

1. Go to the login page or screen. 

2. In the user ID field, enter the User ID for the account you are using for testing. 

3. In the password field, enter the current Server PIN (1234) for the Demo Go 1/Go 3. 

4. Activate the Demo Digipass and enter the One Time Password generated in the 

response field directly after the Server PIN. 

5. Next, enter the new PIN for the Demo Go 1/Go 3 after the response in the Response 

field, then enter it again to confirm it. 

6. Submit your login to issue the new Server PIN information to the IAS Plug-In. 

Example 

To change the Server PIN for a Demo Digipass from 1234 to 5678, where the OTP 

generated was 111111, enter: 

123411111156785678 

in the password field and login. 

Any time you login using the Demo or another Go 1/Go 3, you may use this method to change 

your PIN, except for RADIUS authentications where any form of CHAP is in use (E.g., CHAP, 

MS-CHAP, MS-CHAP2). This is because the information is one-way hashed and cannot be 

retrieved from the packet. 

If CHAP protocols are used, refer to the User Self-Management Web Site Guide for more 

information about alternative web based methods for PIN change (eg. using your intranet). 

5.3 Using the Demo DP300 

This topic explains the activation and use of the demonstration DP300. 

5.3.1 Activate the Demo DP300 

The Demo DP300 is turned on with the < button. 

Each time the Demo DP300 is activated it will request a 4-digit PIN number (displayed on the 

LCD screen). The PIN for Demo DP300s is initially set to 1234. 

The Demo Digipass will then prompt you to indicate the application you wish to use: 



Application 1 : Response only 

When you press 1 on the keypad, the demo DP300 will produce a 6-digit number. This 

response number is generated based on the secret code stored within the token, and the 

current time. 

The One Time Password displayed should be entered into the appropriate password field in the 

logon screen or web page. 

Application 2 : Digital Signature 

When you press 2 on the keypad, you will be prompted for 3 numbers (typically from an online 

transaction) comprising up to 5 digits each. When all three numbers required have been 

entered, a 6-digit number is generated (displayed on the LCD screen). This number is the 

digital signature for the transaction. This needs to be entered into the appropriate field in the 

digital signature web page or screen. 

Note 

Digital signatures are not currently in use with the IAS Plug-In. 

Application 3: Challenge / Response 

When you press 3 on the keypad, the Digipass will present you with four dashes (- - - -) to 

indicate that a ‘challenge’ must be entered. 

You may have the option of holding the optical reader to the middle of the flash sequence (the 

white flashing panels) on the logon web page if one is presented. 

Alternatively, if the challenge number is shown on the screen, you can key it in directly into 

the keypad. 

The demo DP300 will then calculate and display a One Time Password based on the challenge 

and the secret code stored in the DP300. The One Time Password displayed should be entered 

into the appropriate password field in the logon screen or web page. 

5.3.2 Change the PIN 

Turn on the Demo DP300 and enter the current PIN to activate the token. Then hold down the 

On (


5.3.4 Unlock the Demo DP300 

If an incorrect PIN is entered into a Demo DP300 too many times (3), the Digipass will lock 

itself from further use. 

When a token is locked, it will display an unlock challenge on its LCD screen. 

The Administration MMC Interface allows Digipass to be unlocked using the Unlock option. See 

the Help in the Administration MMC Interface for more information. 


Digipass Plug-In for IAS Getting Started Set up Live System 

6 Set up Live System 

6.1 Checklist 

Disable IAS Plug-In 

Disable the IAS Plug-In, using the IAS Plug-In Configuration Interface. 

Set up Internet Authentication Service 

Set up IAS to work with the IAS Plug-In. See 2.3 

Internet Authentication Service for more information. 

Modify NAS Configuration 

Configure Microsoft's 

Configure the Network Access Server to send authentication requests to IAS. 

Test Windows Logins 

Test logins through the NAS, using Windows User ID and password. 

Import More Digipass 

Import all required Digipass records 

Import More Users 

If required, import User records. Alternatively, enable Dynamic User Registration 

in the IAS Plug-In. 

Enable IAS Plug-In 

Enable the IAS Plug-In, using the IAS Plug-In Configuration Interface. 

Create New Policy 

Create a Policy in the Administration MMC Interface for login authentications 

requested by the NAS. 

Create Component Record for NAS 

Create a Component record for the NAS in the Administration MMC Interface. 

Test Digipass Logins 

Test Digipass logins through the NAS, using One Time Passwords.

Digipass Plug-In for IAS Getting Started - Vasco

Create successful ePaper yourself

Delete template?

Save as template?