Digipass Plug-In for IAS Getting Started - Vasco
Digipass Plug-In for IAS
IAS Plug-In
IAS
Microsoft's Internet Authentication Service
Getting Started

Disclaimer of Warranties and Limitations of Liabilities
The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to you.

Copyright
© 2005 VASCO Data Security Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks
VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc.
Microsoft and Windows are registered trademarks of Microsoft Corporation.
All other trademarks are the property of their respective holders.

Table of Contents
1 Introduction
  1.1 What You Need to Know/Have before Starting
  1.2 System Requirements
  1.3 Available Reference Guides
2 Initial Setup and Testing
  2.1 Basic Procedure
  2.2 Install the RADIUS Client Simulator
  2.3 Configure Microsoft's Internet Authentication Service
    2.3.1 Register IAS in Active Directory
    2.3.2 Create RADIUS Client record
    2.3.3 Create Remote Access Policy
    2.3.4 Give Remote Access Permissions to a User
    2.3.5 Enable Logging
  2.4 Test Windows Password Login
  2.5 Active Directory Changes
  2.6 Install the Digipass Plug-In for IAS
  2.7 Configure the IAS Plug-In
  2.8 Log in to Administration Interfaces
    2.8.1 Administration MMC Interface
    2.8.2 Active Directory Users and Computers
  2.9 Set up Policy and Component
  2.10 Test Windows Password Login
  2.11 Import and Assign Digipass Records
    2.11.1 Import Digipass Records
    2.11.2 Assign Digipass Record(s)
  2.12 Modify Settings for Digipass logins
  2.13 Test Digipass Login
3 Test Logins
  3.1 Test Pre-requisites
  3.2 Configure Authentication Method
    3.2.1 Local Authentication
    3.2.2 Back-end Authentication
    3.2.3 Local and Back-end Authentication
  3.3 Configure Login Methods
    3.3.1 Response Only
    3.3.2 2-Step Challenge/Response
  3.4 Configure Protocol
  3.5 Test Logins
4 Test Management Features
  4.1 Auto-Assignment
  4.2 Self-Assignment
5 Demo Tokens
  5.1 Obtaining a Demo Digipass
  5.2 Using the Demo Go 1 or Go 3
    5.2.1 Activating the Demo Go 1/Go 3
    5.2.2 Obtaining a One Time Password
    5.2.3 Changing the Demo Go 1/Go 3 Server PIN
  5.3 Using the Demo DP300
    5.3.1 Activate the Demo DP300
    5.3.2 Change the PIN
    5.3.3 Auto-Off Function
    5.3.4 Unlock the Demo DP300
6 Set up Live System
  6.1 Checklist
    Disable IAS Plug-In
    Set up Internet Authentication Service
    Modify NAS Configuration
    Test Windows Logins
    Import More Digipass
    Import More Users
    Enable IAS Plug-In
    Create New Policy
    Create Component Record for NAS
    Test Digipass Logins

1 Introduction
This Getting Started Guide will introduce you to the Digipass Plug-In for IAS. It will help you set up a basic installation of the Digipass Plug-In for IAS and get to know the product and the tools it includes. It covers only basic information and the most common configuration requirements. Other options and more in-depth instructions are covered in other manuals.
This guide covers a standard implementation of the Digipass Plug-In for IAS:
  Windows environment
  Typical installation:
    IAS Plug-In
    Active Directory as the data store
    Administration MMC Interface
    Digipass Extension for Active Directory Users and Computers
It includes information on:
  Basic configuration of the Digipass Plug-In for IAS
  Testing
This guide does not cover topics such as:
  Installation instructions
  Detailed introduction to the Digipass Plug-In for IAS, its features and components
  Detailed instructions on the use of the Digipass Plug-In for IAS
  Additional components
  Virtual Digipass
  Backup and recovery

1.1 What You Need to Know/Have before Starting
  DPX file (unless you will only use the provided demo Digipass files)
  Encryption Key for the DPX file (if using your own file)
  Installation Guide

1.2 System Requirements
IAS Plug-In
  Microsoft's Internet Authentication Service
Digipass Extension for Active Directory Users and Computers
  Active Directory Users and Computers Snap-In
Operating System
  Windows Server 2003 (32-bit version only), or
  Windows XP Professional (32-bit version only) with Service Pack 1 or above, or
  Windows 2000 with Service Pack 4 or above

1.3 Available Reference Guides
Reference Guides are included with every VASCO product:
Product Guide
  The Product Guide will introduce you to the features of this product and the various options you have for using it. It also highlights decisions which you should consider and make before setting up a live installation of the product.
Installation Guide
  Use this guide when planning and working through an installation of the product.
Getting Started
  To get you up and running quickly with a simple installation and setup of the product.
Administrator Reference
  In-depth information required for administration of the product.
Data Migration Tool Guide
  This Guide will take you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.
Help Files
  Accompany various utilities and the administration interfaces.

2 Initial Setup and Testing

2.1 Basic Procedure
The diagram below illustrates the basic procedure which this Guide will take you through in the initial setup and tests for the Digipass Plug-In for IAS. At various points in the process, test logins are recommended to ensure that the previous steps have not caused unexpected problems. This also helps in troubleshooting, as it helps to pinpoint where in the process a problem occurred.
Image 1: Basic Setup Procedure

2.2 Install the RADIUS Client Simulator
Install the RADIUS Client Simulator on a machine in the required Domain:
1. Locate and run the VACMAN RADIUS Client Simulator Setup.exe.
2. Follow the prompts until the installation is complete.
   If you chose the default install location, the Simulator will be installed to the C:\Program Files\VASCO\VACMAN RADIUS Client Simulator directory.
3. Launch the Simulator from the Start menu.

2.3 Configure Microsoft's Internet Authentication Service
If IAS is newly-installed, there are some steps you will need to follow in order to get the IAS Plug-In working with IAS.
The diagram below shows the basic process involved. For help in completing each of these steps, see the relevant sub-section.
Register IAS server in Active Directory
  The IAS Server must be registered in the relevant Active Directory Domain before it can access data within Active Directory.
Create a RADIUS Client record for the RADIUS Client Simulator
  A RADIUS Client record must exist within IAS for the machine on which the RADIUS Client Simulator is installed, or authentication requests from it will be rejected by IAS.
Configure a Remote Access Policy
  Configure a Remote Access Policy to handle logins authenticated by the IAS Extension.
Give Windows User Remote Access permissions
  At least one Windows User should be given remote access permissions, so that remote logins can be tested.
Enable Remote Access Logging within IAS
  Configure IAS to log authentication requests.
Test Windows Login
  Log in with a Windows User account which has remote access permissions. Use Windows User ID and password. See .
Image 2: IAS Setup

2.3.1 Register IAS in Active Directory
Register IAS in the Active Directory Domain:
1. Log on to the IAS server with an administrator account for the domain.
2. Open Internet Authentication Service in the Administrative Tools folder of the Start menu.
3. Right-click on Internet Authentication Service.
4. Click on Register Server in Active Directory.
   The Register Internet Authentication Service in Active Directory window will be displayed.
5. Click OK.

2.3.2 Create RADIUS Client record
Create a RADIUS Client record within IAS for the machine on which the RADIUS Client Simulator will be running:
1. Right-click on Clients.
2. Click on New Client.
3. Follow the prompts provided by the IAS New Client wizard.

2.3.3 Create Remote Access Policy
Create a Remote Access Policy in IAS for use with the IAS Plug-In:
1. Right-click Remote Access Policies.
2. Click on New Remote Access Policy.
   The Add Remote Access Policy window will be displayed.
3. Enter a name for the Policy (e.g. Digipass Access).
4. Click on Next.
   Click on Add.
   The Select Attribute window will be displayed.
5. Select an attribute to define the Policy with:
   The Day-and-Time-Restrictions attribute with 24/7 setting is recommended for Windows 2000, as the simplest way to create a Policy which will handle all logins.
   For Windows 2003 installations, the Extension attribute is recommended.
6. Click on Add twice.
7. Click on OK twice.
8. Click on Next.
9. Tick the Grant remote access permission checkbox.
10. Click on Next.
11. Click on Edit Profile.
    The Edit Dial-in Profile window will be displayed.
12. Enable the protocols you wish to test.
13. Click on Next.
14. Click on Finish.

2.3.4 Give Remote Access Permissions to a User
In order to test Windows logins through the RADIUS Client Simulator, you will need to use a Windows User account which has remote access permissions. To do this, select a User account and set the Remote Access permission to Allow access.

2.3.5 Enable Logging
Enabling remote access logging within IAS will allow you to check the log file if you need to troubleshoot a failed test login.
To enable remote access logging in IAS:
1. Click on Remote Access Logging.
2. Right-click on Local File.
3. Click on Properties.
4. Tick the Log authentication requests checkbox.
5. Click on Apply.

2.4 Test Windows Password Login
Once IAS has been set up, attempt a login through the RADIUS Client Simulator (using Windows User ID and Password) with a User whose account has been given remote access permissions.

2.5 Active Directory Changes
Extend the Active Directory Schema according to the instructions in the Installation Guide.

2.6 Install the Digipass Plug-In for IAS
Install the Digipass Plug-In for IAS according to the instructions in the Installation Guide.
Some settings which are created automatically for the IAS Plug-In are:
  Example Policies.
  A Component for the IAS Plug-In, which will point to a default Policy.
  Permissions within Active Directory for the IAS Plug-In.

2.7 Configure the IAS Plug-In
When the install process for the Digipass Pack is completed, the IAS Plug-In Configuration Interface will be displayed. In particular, these should be configured:
  Configure auditing – log to a text file or to the Windows Event Log.
  Configure tracing.
  Check Domain connection parameters – modify or select a Domain Controller to connect to if required.
  Check that the IAS Plug-In is enabled.

2.8 Log in to Administration Interfaces

2.8.1 Administration MMC Interface
The Administration MMC Interface is a standalone MMC snap-in that can be used to administer Policies and Components for the IAS Plug-In.
1. Select Programs -> VASCO -> Digipass Plug-In for IAS -> Administration MMC Interface from the Start menu.
2. Expand the Digipass Administration node.
3. Right-click on the domain node.
4. Select Connect from the list.

2.8.2 Active Directory Users and Computers
The Digipass Extension for Active Directory Users and Computers can be used to administer Digipass and Digipass User accounts.

2.9 Set up Policy and Component
Ensure that the IAS Plug-In Component is pointed to a Policy which has the Back-End Authentication set to Windows and Local Authentication disabled. To modify these settings for a Policy:
1. Open the Administration MMC Interface.
2. Click on the Policies node.
   The Policies list will be displayed in the Result pane.
3. Double-click on the Policy IAS Base Policy.
   The Policy property sheet will be displayed.
4. Click on the Main Settings tab.
5. Check these drop down lists:
   a. Local Auth. should be set to None.
   b. Back-end Auth. should be set to Always.
   c. Back-end Protocol should be set to Windows.
To ensure that the IAS Plug-In Component will use the correct Policy:
1. Click on the Components node.
   The Components list will be displayed in the Result pane.
2. Double-click on the IAS Plug-In Component.
   The Component property sheet will be displayed.
3. Ensure that the IAS Base Policy Policy is selected in the Policy drop down list.
4. Click on OK.
5. Stop and Start the Internet Authentication Service service.

2.10 Test Windows Password Login
Use the RADIUS Client Simulator to attempt a login (using Windows User ID and Password) with the same User account as the last test login. This is to check that the installation and configuration of the IAS Plug-In has been successful at this point.
Note
  Windows Authentication is only supported by the IAS Plug-In using the PAP protocol, unless the User ID and password are manually added to the IAS Plug-In and Stored Password Proxy is enabled. Therefore, only simulated logins using the PAP protocol will be successful at this point in the testing process.
1. Open the RADIUS Client Simulator.
2. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
3. Enter the User ID for the User account you are using for test logins in the User ID field.
4. Enter the password for the User account in the Password field.
5. Click on the Login button.
6. The Status information field will indicate the success or failure of your login.
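
The Note in this section limits Windows back-end authentication to PAP unless a stored password is available. The added example below (not VASCO or Microsoft code) uses the RADIUS encodings defined in RFC 2865 to show the underlying reason: a PAP User-Password can be reversed to cleartext with the shared secret, while a CHAP response can only be checked against a password the server already holds. All names and sample values are constructed, and the stored_password path is an assumed model of a stored-password feature, not the plug-in's implementation.

```python
"""RADIUS PAP vs CHAP: what a server can recover (RFC 2865 sections 5.2 and 5.3)."""
import hashlib
import hmac

# Constructed sample values (not from the guide or from any real deployment).
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))      # 16-byte Request Authenticator
CHAP_ID = 7
CHAP_CHALLENGE = bytes(range(16, 32))
WINDOWS_PASSWORD = b"Constructed-Pass-2005!"  # 22 bytes, padded to two blocks


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def pap_hide(password, secret, authenticator):
    """Client side: build the User-Password attribute value (RFC 2865 5.2)."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _md5(secret, prev)  # MD5(secret + previous ciphertext block)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def pap_recover(hidden, secret, authenticator):
    """Server side: undo the hiding and get the cleartext password back."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 bytes, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = _md5(secret, prev)
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")  # strip the null padding


def chap_response(chap_id, password, challenge):
    """Client side: CHAP response is MD5(id + password + challenge)."""
    return _md5(bytes([chap_id]), password, challenge)


def credential_for_backend(request, secret, stored_password=None):
    """Return the cleartext a server could pass to a password-checking
    back-end, or None when the request does not let it obtain one."""
    if request["protocol"] == "PAP":
        return pap_recover(request["user_password"], secret,
                           request["authenticator"])
    if request["protocol"] == "CHAP":
        if stored_password is None:
            return None  # a one-way digest cannot be turned into a password
        expected = chap_response(request["chap_id"], stored_password,
                                 request["challenge"])
        if hmac.compare_digest(expected, request["chap_response"]):
            return stored_password  # verified against the stored copy
        return None
    raise ValueError("unsupported protocol")


def sample_requests():
    """Build one constructed PAP request and one constructed CHAP request."""
    pap = {
        "protocol": "PAP",
        "authenticator": REQUEST_AUTHENTICATOR,
        "user_password": pap_hide(WINDOWS_PASSWORD, SHARED_SECRET,
                                  REQUEST_AUTHENTICATOR),
    }
    chap = {
        "protocol": "CHAP",
        "chap_id": CHAP_ID,
        "challenge": CHAP_CHALLENGE,
        "chap_response": chap_response(CHAP_ID, WINDOWS_PASSWORD,
                                       CHAP_CHALLENGE),
    }
    return pap, chap


if __name__ == "__main__":
    pap, chap = sample_requests()
    print("PAP, no stored password: ", credential_for_backend(pap, SHARED_SECRET))
    print("CHAP, no stored password:", credential_for_backend(chap, SHARED_SECRET))
    print("CHAP, stored password:   ",
          credential_for_backend(chap, SHARED_SECRET, WINDOWS_PASSWORD))
```

The same reversibility means the PAP password is only as well protected in transit as the RADIUS shared secret configured on the client record.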

2.11 Import and Assign Digipass Records

2.11.1 Import Digipass Records
Digipass records must be imported into the data store before they can be assigned to User accounts.
To import Digipass records:
1. Open the Active Directory Users and Computers interface.
2. Right-click on the Users container.
3. Click on Import Digipass...
4. Enter or browse for the import path and filename for the DPX file.
5. Enter the encryption key – this is 11111111111111111111111111111111 for the installed demo Digipass DPX files.
6. Click on Import All Applications.
   OR
   a. Click on Show Applications.
   b. Select the Digipass Applications to import.
   c. Click on Import Selected Applications.

2.11.2 Assign Digipass Record(s)
Before a User can use a Digipass to login, the Digipass must be assigned to their User account within the Digipass Extension for Active Directory Users and Computers.
To assign a Digipass record to a User account:
1. Select the User account to be assigned a Digipass.
2. Right-click on the record and select Assign Digipass...
3. Select the Digipass record to be assigned to the User account.
4. Click on OK.
© 2005 VASCO Data Security <strong>In</strong>c. 15
<strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong> <strong>Getting</strong> <strong>Started</strong> <strong>In</strong>itial Setup and Testing<br />
2.12 Modify Settings for Digipass logins<br />
To test Digipass logins, the IAS Plug-In Component should use a Policy which has Local<br />
Authentication enabled and Back-end Authentication disabled.<br />
To check that a Policy has these settings:<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Policies node.<br />
The Policies list will be displayed in the Result pane.<br />
3. Double-click on the “IAS Base Policy” Policy.<br />
The Policy property sheet will be displayed.<br />
4. Click on the Main Settings tab.<br />
5. Check these drop down lists:<br />
a. Local Auth. should be set to Digipass/Password.<br />
b. Back-end Auth. should be set to None.<br />
To ensure that the IAS Plug-In Component will use the correct Policy:<br />
1. Click on the Components node.<br />
The Components list will be displayed in the Result pane.<br />
2. Double-click on the IAS Plug-In Component.<br />
The Component property sheet will be displayed.<br />
3. Ensure that the “IAS Base Policy” Policy is selected in the Policy drop down list.<br />
4. Click on OK.<br />
5. Stop and Start the Internet Authentication Service service.<br />
2.13 Test Digipass Login<br />
Use the RADIUS Client Simulator to attempt a Digipass login with a User account which has a<br />
Digipass assigned. This is to check that the IAS Plug-In has been configured correctly for<br />
authenticating Digipass logins.<br />
If you are unsure how to use the Digipass, see the Demo Tokens section.<br />
1. Open the RADIUS Client Simulator.<br />
2. Click on any port in the Simulated NAS Ports group to display the Manual<br />
Simulation window.<br />
3. Enter the User ID for the User account you are using for test logins in the User ID<br />
field.<br />
4. Enter the One Time Password generated by the Digipass in the Password field.<br />
5. Click on the Login button.<br />
6. The Status information field will indicate the success or failure of your login.<br />
3 Test Logins<br />
Using the User account to which you assigned a Digipass, and the Digipass, you can test the<br />
various authentication methods, login methods and protocols needed.<br />
You may wish to try various combinations of authentication method, login method and<br />
protocol, or simply the combination required for your system.<br />
3.1 Test Pre-requisites<br />
If you are going to test all types of login methods available, you will need:<br />
A User account to test logins with - this can be the same one as in previous tests.<br />
A Digipass or Demo Digipass with Response Only and Challenge/Response Applications.<br />
3.2 Configure Authentication Method<br />
Create a Policy for each authentication method required, or use a 'Test' Policy which can be<br />
modified as desired.<br />
After changing the Policy or Component, make sure that you stop and start the<br />
Internet Authentication Service service, to be sure that the new settings will take<br />
effect immediately.<br />
3.2.1 Local Authentication<br />
Local authentication means that only the IAS Plug-In will authenticate a login.<br />
The recommended Policy settings for Local Authentication tests are:<br />
Local Auth. should be set to Digipass/Password.<br />
Back-end Auth. should be set to None.<br />
3.2.2 Back-end Authentication<br />
Back-end authentication means that only Windows will authenticate a login.<br />
The recommended Policy settings for Back-end Authentication tests are:<br />
Local Auth. should be set to None.<br />
Back-end Auth. should be set to Always.<br />
Back-end Protocol must be set to Windows.<br />
3.2.3 Local and Back-end Authentication<br />
Local and Back-end authentication means that both the IAS Plug-In and Windows will authenticate a login.<br />
The recommended Policy settings for Local and Back-end Authentication tests are:<br />
Local Auth. should be set to Digipass/Password.<br />
Back-end Auth. should be set to Always.<br />
Back-end Protocol must be set to Windows.<br />
3.3 Configure Login Methods<br />
3.3.1 Response Only<br />
To configure a Policy to allow Response Only logins:<br />
1. Open the Policy property sheet.<br />
2. Click on the Digipass Settings tab.<br />
3. Select Response Only from the Application Type drop down list.<br />
4. Click on OK.<br />
3.3.2 2-Step Challenge/Response<br />
1. Open the Policy property sheet.<br />
2. Click on the Digipass Settings tab.<br />
3. Select Challenge/Response from the Application Type drop down list.<br />
4. Click on Apply.<br />
5. Click on the Challenge Settings tab.<br />
6. Select Keyword from the 2-step Challenge/Response Request Method drop down<br />
list.<br />
7. Enter a Keyword to use (eg. '2stepCR') in the Keyword field. You can leave this field<br />
blank, so that an empty password can be used to get a challenge.<br />
8. Click on OK.<br />
3.4 Configure Protocol<br />
1. Open the RADIUS Client Simulator.<br />
2. Check that the Protocol drop down list is set to the protocol you wish to implement (eg.<br />
CHAP, MS-CHAP, MS-CHAP2).<br />
3.5 Test Logins<br />
1. Configure a Policy for the authentication method, login method and protocol to be<br />
tested.<br />
2. Ensure that the IAS Plug-In Component is using the configured Policy.<br />
In the RADIUS Client Simulator:<br />
3. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
4. Enter the User ID for the User account you are using for test logins in the User ID<br />
field.<br />
5. Enter the password for the User account and an OTP from the Digipass in the<br />
Password field.<br />
6. Click on the Login button.<br />
7. The Status information field will indicate the success or failure of your logon.<br />
4 Test Management Features<br />
4.1 Auto-Assignment<br />
Initial Setup<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Components node.<br />
The Components list will be displayed in the Result pane.<br />
3. Double-click on the IAS Plug-In Component.<br />
The Component property sheet will be displayed.<br />
4. Ensure that the IAS Base Policy is selected in the Policy drop down list.<br />
5. Click on OK.<br />
6. Stop and Start the service.<br />
7. Create or use a Windows User account which does not currently have a Digipass User<br />
account.<br />
8. Check that at least one unassigned Digipass is available in either:<br />
the same Organizational Unit,<br />
a parent Organizational Unit, or<br />
the Digipass Container<br />
If one of the latter two options, ensure that the Search Upwards in Organizational Unit<br />
hierarchy option is enabled for the IAS Base Policy.<br />
Test Auto-Assignment - 1<br />
In the following test, both Dynamic User Registration and Auto-Assignment should fail,<br />
meaning that a Digipass User account will not be created, and a Digipass will not be assigned<br />
to the User.<br />
In the RADIUS Client Simulator:<br />
9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
10. Enter the User ID for the Windows User account you created earlier (step 7) in the<br />
User ID field.<br />
11. Enter the password for the Windows User account.<br />
12. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User:<br />
13. Open the Active Directory Users and Computers Snap-In.<br />
14. Find the User account record and right-click on it.<br />
15. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
16. Click on the Digipass User Account tab.<br />
17. If the Created On field is blank, a Digipass User account does not exist for the User.<br />
Modify Settings<br />
18. Modify the IAS Plug-In Component to use the IAS Windows Auto-Assignment Policy.<br />
19. Stop and Start the service.<br />
Test Auto-Assignment - 2<br />
In the following test, both Dynamic User Registration and Auto-Assignment should succeed,<br />
meaning that a Digipass User account will be created, and an available Digipass will be<br />
assigned to the User.<br />
In the RADIUS Client Simulator:<br />
20. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
21. Enter the User ID for the Windows User account you created earlier (step 7) in the<br />
User ID field.<br />
22. Enter the password for the User account.<br />
23. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User:<br />
24. Open the Active Directory Users and Computers Snap-In.<br />
25. Find the User account record and right-click on it.<br />
26. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
27. Click on the Digipass User Account tab.<br />
If the Created On field is not blank, a Digipass User account exists for the User.<br />
To check whether a Digipass has been assigned to the User:<br />
28. Click on the Digipass Assignment tab.<br />
29. If a Digipass is listed under this tab, the User has been assigned the listed Digipass.<br />
30. Check the Grace Period End field to see that a Grace Period of the correct length (7<br />
days by default) has been set.<br />
Check Grace Period<br />
Password login<br />
31. Using the RADIUS Client Simulator, attempt a login using the Windows User's User ID<br />
and password only. If the Grace Period is still effective, this should be successful.<br />
OTP login<br />
32. Using the RADIUS Client Simulator, attempt a login using the Windows User's User ID<br />
and One Time Password. This should be successful.<br />
Password login<br />
33. Using the RADIUS Client Simulator, attempt a login using the Windows User's User ID<br />
and password only. As the OTP login from the previous step should have ended the<br />
Grace Period for the Digipass, this login should fail.<br />
34. Check the Grace Period End in the User record. It should contain today's date.<br />
4.2 Self-Assignment<br />
Initial Setup<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Components node.<br />
The Components list will be displayed in the Result pane.<br />
3. Double-click on the IAS Plug-In Component.<br />
The Component property sheet will be displayed.<br />
4. Ensure that the IAS Base Policy is selected in the Policy drop down list.<br />
5. Click on OK.<br />
6. Stop and Start the service.<br />
7. Create or use a Windows User account which does not currently have a Digipass User<br />
account.<br />
8. Check that the record for the Digipass to be used in the Self-Assignment is available in<br />
either:<br />
the same Organizational Unit,<br />
a parent Organizational Unit, or<br />
the Digipass Container<br />
If one of the latter two options, ensure that the Search Upwards in Organizational Unit<br />
hierarchy option is enabled for the IAS Base Policy.<br />
Test Self-Assignment - 1<br />
In the following test, both Dynamic User Registration and Self-Assignment should fail,<br />
meaning that a Digipass User account will not be created, and the selected Digipass will not be<br />
assigned to the User.<br />
In the RADIUS Client Simulator:<br />
9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
10. Enter the User ID for the Windows User account you created earlier (step 7) in the<br />
User ID field.<br />
11. Enter the Serial Number for the Digipass, the Separator, the Windows User's<br />
Password, a Server PIN (if required) and a One Time Password from the Digipass into<br />
the Password field. eg. 98765432|password12340098787 (see the Login<br />
Permutations topic in the Administrator Reference for more information).<br />
12. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User:<br />
13. Open the Active Directory Users and Computers Snap-In.<br />
14. Find the User account record and right-click on it.<br />
15. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
16. Click on the Digipass User Account tab.<br />
17. If the Created On field is blank, a Digipass User account does not exist for the User.<br />
Modify Settings<br />
18. Modify the IAS Plug-In Component to use the IAS Windows Self-Assignment Policy.<br />
19. Stop and Start the service.<br />
Test Self-Assignment - 2<br />
In the following test, both Dynamic User Registration and Self-Assignment should succeed,<br />
meaning that a Digipass User account will be created, and the intended Digipass will be<br />
assigned to the User.<br />
In the RADIUS Client Simulator:<br />
20. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
21. Enter the User ID for the Windows User account you created earlier (step 7) in the<br />
User ID field.<br />
22. Enter the Serial Number for the Digipass, the Separator, the Windows User's<br />
Password, a Server PIN (if required) and a One Time Password from the Digipass into<br />
the Password field. eg. 98765432|password12340098787 (see the Login<br />
Permutations topic in the Administrator Reference for more information).<br />
23. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User:<br />
24. Open the Active Directory Users and Computers Snap-In.<br />
25. Find the User account record and right-click on it.<br />
26. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
27. Click on the Digipass User Account tab.<br />
If the Created On field is not blank, a Digipass User account exists for the User.<br />
To check whether the Digipass has been assigned to the User:<br />
28. Click on the Digipass Assignment tab.<br />
29. If the Digipass is listed under this tab, it has been assigned to the Digipass User<br />
account.<br />
Check Grace Period<br />
30. Check that a Grace Period has not been set: the Grace Period End field should be blank or<br />
contain today's date.<br />
Password login<br />
31. Using the RADIUS Client Simulator, attempt a login using the Windows User's User ID<br />
and password only. This should fail, as a Grace Period is not set for a Self-Assignment.<br />
OTP login<br />
32. Using the RADIUS Client Simulator, attempt a login using the Windows User's User ID<br />
and One Time Password. This should be successful.<br />
5 Demo Tokens<br />
5.1 Obtaining a Demo Digipass<br />
If you do not have a demo Digipass, you can use a simulated DP300 at<br />
http://demotoken.vasco.com/<br />
The DPX files for the Demo DP300 and Demo Go 1/Go 3 are located in the DPX folder under<br />
the Digipass Plug-In for IAS installation directory.<br />
5.2 Using the Demo Go 1 or Go 3<br />
This topic explains the activation and use of the demonstration Go 1 or Go 3.<br />
Note<br />
The Demo Go 1 and Go 3, and other Go 1/Go 3 tokens, only produce a time-based<br />
One Time Password - referred to as a ‘Response’. This is referred to as<br />
the ‘Response Only’ authentication method. The Go 1 and Go 3 tokens are<br />
used with a PIN, which is entered before the Response.<br />
5.2.1 Activating the Demo Go 1/Go 3<br />
To turn on the Demo Go 1, slide the Go 1 apart to reveal the LCD screen.<br />
To turn on the Demo Go 3, press the button on the token.<br />
All Go 1/Go 3 tokens have an auto-off function, meaning that they automatically turn<br />
themselves off after short periods of inactivity.<br />
5.2.2 Obtaining a One Time Password<br />
Whenever the Demo Go 1/Go 3 is activated, it produces a 6-digit number on its LCD screen.<br />
This response number is generated based on the secret code stored within the token, and the<br />
current time.<br />
At logon, the User's Server PIN and the One Time Password from the Go 1/Go 3 should be<br />
entered into the appropriate password field in the logon screen or web page. The Server<br />
PIN is initially 1234.<br />
For example, if the One Time Password generated by the Demo Go 1/Go 3 was 235761,<br />
1234235761 should be entered in the login screen.<br />
5.2.3 Changing the Demo Go 1/Go 3 Server PIN<br />
The Demo Go 1/Go 3 Server PIN (1234) can be changed during the authentication process.<br />
To change the Demo Go 1/Go 3 Server PIN:<br />
1. Go to the login page or screen.<br />
2. In the user ID field, enter the User ID for the account you are using for testing.<br />
3. In the password field, enter the current Server PIN (1234) for the Demo Go 1/Go 3.<br />
4. Activate the Demo Digipass and enter the One Time Password generated in the<br />
response field directly after the Server PIN.<br />
5. Next, enter the new PIN for the Demo Go 1/Go 3 after the response in the Response<br />
field, then enter it again to confirm it.<br />
6. Submit your login to issue the new Server PIN information to the IAS Plug-In.<br />
Example<br />
To change the Server PIN for a Demo Digipass from 1234 to 5678, where the OTP<br />
generated was 111111, enter:<br />
123411111156785678<br />
in the password field and login.<br />
Any time you login using the Demo or another Go 1/Go 3, you may use this method to change<br />
your PIN, except for RADIUS authentications where any form of CHAP is in use (e.g. CHAP,<br />
MS-CHAP, MS-CHAP2). This is because the information is one-way hashed and cannot be<br />
retrieved from the packet.<br />
If CHAP protocols are used, refer to the User Self-Management Web Site Guide for more<br />
information about alternative web based methods for PIN change (eg. using your intranet).<br />
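Why the in-band PIN change works over PAP but not over CHAP, shown as an added example (not part of the original guide and not VASCO's code).<br />
It assumes the demo's 4-digit Server PIN and 6-digit OTP, a constructed shared secret, authenticator and challenge, and a simplified server that checks one expected OTP; MS-CHAP and MS-CHAP2 use different hashes and are not modelled.<br />

```python
import hashlib
import hmac

# Constructed sample values, not taken from the guide.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))      # RADIUS Request Authenticator
CHALLENGE = bytes(range(16, 32))      # CHAP challenge


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS User-Password hiding (RFC 2865, 5.2): XOR with an MD5 keystream."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block                  # next keystream block chains on ciphertext
    return hidden


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream reverses the hiding, so the text is readable."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 1994): a one-way MD5 digest, always 16 bytes."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def parse_password_field(field: str, pin_len: int = 4, otp_len: int = 6):
    """Split PIN+OTP or PIN+OTP+newPIN+newPIN; lengths are assumptions (demo values)."""
    if not (field.isascii() and field.isdigit()):
        raise ValueError("expected digits only")
    base = pin_len + otp_len
    pin, otp = field[:pin_len], field[pin_len:base]
    if len(field) == base:
        return pin, otp, None
    if len(field) == base + 2 * pin_len:
        new_pin, confirm = field[base:base + pin_len], field[base + pin_len:]
        if new_pin != confirm:
            raise ValueError("new PIN and confirmation differ")
        return pin, otp, new_pin
    raise ValueError("unexpected length")


def server_handles_pap(hidden: bytes):
    """PAP: the server recovers the field and can read the requested new PIN."""
    return parse_password_field(pap_recover(hidden, SECRET, AUTHENTICATOR).decode("ascii"))


def server_handles_chap(chap_id: int, response: bytes, pin: str, expected_otp: str) -> bool:
    """CHAP: the server can only recompute the digest from values it already knows."""
    candidate = (pin + expected_otp).encode("ascii")
    return hmac.compare_digest(response, chap_response(chap_id, candidate, CHALLENGE))


if __name__ == "__main__":
    field = "123411111156785678"      # the guide's PIN-change example
    print(server_handles_pap(pap_hide(field.encode(), SECRET, AUTHENTICATOR)))
    print(server_handles_chap(7, chap_response(7, field.encode(), CHALLENGE), "1234", "111111"))
```

Over PAP the server gets back `("1234", "111111", "5678")`; over CHAP the same input arrives as a 16-byte digest that matches nothing the server can compute without already knowing the new PIN.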
5.3 Using the Demo DP300<br />
This topic explains the activation and use of the demonstration DP300.<br />
5.3.1 Activate the Demo DP300<br />
The Demo DP300 is turned on with the < button.<br />
Each time the Demo DP300 is activated it will request a 4-digit PIN number (displayed on the<br />
LCD screen). The PIN for Demo DP300s is initially set to 1234.<br />
The Demo Digipass will then prompt you to indicate the application you wish to use:<br />
Application 1 : Response only<br />
When you press 1 on the keypad, the demo DP300 will produce a 6-digit number. This<br />
response number is generated based on the secret code stored within the token, and the<br />
current time.<br />
The One Time Password displayed should be entered into the appropriate password field in the<br />
logon screen or web page.<br />
Application 2 : Digital Signature<br />
When you press 2 on the keypad, you will be prompted for 3 numbers (typically from an online<br />
transaction) comprising up to 5 digits each. When all three numbers required have been<br />
entered, a 6-digit number is generated (displayed on the LCD screen). This number is the<br />
digital signature for the transaction. This needs to be entered into the appropriate field in the<br />
digital signature web page or screen.<br />
Note<br />
Digital signatures are not currently in use with the IAS Plug-In.<br />
Application 3 : Challenge / Response<br />
When you press 3 on the keypad, the Digipass will present you with four dashes (- - - -) to<br />
indicate that a ‘challenge’ must be entered.<br />
You may have the option of holding the optical reader to the middle of the flash sequence (the<br />
white flashing panels) on the logon web page if one is presented.<br />
Alternatively, if the challenge number is shown on the screen, you can key it in directly into<br />
the keypad.<br />
The demo DP300 will then calculate and display a One Time Password based on the challenge<br />
and the secret code stored in the DP300. The One Time Password displayed should be entered<br />
into the appropriate password field in the logon screen or web page.<br />
5.3.2 Change the PIN<br />
Turn on the Demo DP300 and enter the current PIN to activate the token. Then hold down the<br />
On (
5.3.4 Unlock the Demo DP300<br />
If an incorrect PIN is entered into a Demo DP300 too many times (3), the Digipass will lock<br />
itself from further use.<br />
When a token is locked, it will display an unlock challenge on its LCD screen.<br />
The Administration MMC Interface allows Digipass to be unlocked using the Unlock option. See<br />
the Help in the Administration MMC Interface for more information.<br />
6 Set up Live System<br />
6.1 Checklist<br />
Disable IAS Plug-In<br />
Disable the IAS Plug-In, using the IAS Plug-In Configuration Interface.<br />
Set up Internet Authentication Service<br />
Set up IAS to work with the IAS Plug-In. See 2.3 Configure Microsoft's<br />
Internet Authentication Service for more information.<br />
Modify NAS Configuration<br />
Configure the Network Access Server to send authentication requests to IAS.<br />
Test Windows Logins<br />
Test logins through the NAS, using Windows User ID and password.<br />
Import More Digipass<br />
Import all required Digipass records.<br />
Import More Users<br />
If required, import User records. Alternatively, enable Dynamic User Registration<br />
in the IAS Plug-In.<br />
Enable IAS Plug-In<br />
Enable the IAS Plug-In, using the IAS Plug-In Configuration Interface.<br />
Create New Policy<br />
Create a Policy in the Administration MMC Interface for login authentications<br />
requested by the NAS.<br />
Create Component Record for NAS<br />
Create a Component record for the NAS in the Administration MMC Interface.<br />
Test Digipass Logins<br />
Test Digipass logins through the NAS, using One Time Passwords.<br />