Digipass Plug-In for IAS Product Guide - Vasco
Digipass Plug-In for IAS
IAS Plug-In
Digipass Extension for Active Directory Users and Computers
Administration MMC Interface
IAS
Microsoft's Internet Authentication Service
Product Guide
Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

RADIUS Documentation Disclaimer

The RADIUS documentation featured in this manual is focused on supplying the information required about the RADIUS server and its operation in the VACMAN Middleware environment. It is recommended that further information on the use of RADIUS be gathered from your NAS/RAS vendor.

Copyright

© 2005 VASCO Data Security Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc.
Microsoft and Windows are registered trademarks of Microsoft Corporation.
All other trademarks are the property of their respective holders.

© 2005 VASCO Data Security Inc. ii
Table of Contents
1 Overview .... 9
1.1 Digipass Plug-In for IAS .... 9
1.2 Digipass Introduction .... 10
1.2.1 What is a Digipass? .... 10
1.2.2 Logging in with a Digipass .... 10
1.2.3 Types of Digipass .... 11
1.3 Software Components .... 12
1.3.1 Required Components .... 12
1.3.2 Optional Components .... 12
1.3.3 Extra Utilities .... 12
1.4 Authentication Process .... 14
1.4.1 Local and Back-End Authentication .... 14
1.4.2 Policies .... 15
1.4.3 Digipass User Account .... 15
1.4.3.1 Digipass User Account Settings .... 15
1.4.3.2 Static Passwords .... 16
1.5 Features .... 17
1.5.1 Active Directory Integration .... 17
1.5.2 User Management .... 17
1.5.3 Digipass Management .... 17
1.6 Supported Protocols .... 18
1.7 Unsupported by Digipass Plug-In for IAS .... 18
1.7.1 Windows 2000 Limitations .... 18
1.7.2 Other Unsupported Protocols .... 18
1.7.3 IAS Remote Access Policy Limitations .... 18
1.8 Available Reference Guides .... 19
2 Digipass .... 20
2.1 Types of Digipass .... 20
2.1.1 Hardware Digipass .... 20
2.1.2 Software Digipass .... 21
2.1.3 Virtual Digipass .... 22
2.2 How do Digipass Work? .... 23
2.2.1 Digipass Applications .... 23
2.2.2 Virtual Digipass Differences .... 23
2.2.2.1 Virtual Digipass Login Process .... 24
2.2.2.2 How Does a User Request an OTP? .... 25
2.2.3 Digipass Programming .... 25
2.2.3.1 Digipass PIN .... 25
2.2.3.2 Time/Event-based Digipass Applications .... 25
2.2.3.3 OTP Length .... 26
2.2.3.4 Challenge Length .... 26
2.2.4 Digipass Record Settings .... 27
2.2.4.1 Time/Event-based Settings .... 27
2.2.4.2 Response Length .... 27
2.2.4.3 Server PIN .... 28
2.2.4.4 Backup Virtual Digipass .... 28
2.3 Digipass Records .... 30
2.3.1 Location of Digipass Records .... 30
2.3.2 Typical Digipass Location Models .... 32
2.3.3 Search for Digipass Records .... 35
2.4 Digipass Record Functions .... 36
2.4.1 Reset Application .... 36
2.4.2 Set Event Counter .... 36
2.4.3 Reset PIN .... 36
2.4.4 Force PIN Change .... 36
2.4.5 Set PIN .... 36
2.4.6 Unlock Digipass .... 36
2.4.7 Reset Application Lock .... 36
2.4.8 Test a Digipass Application .... 36
2.5 Assigning Digipass to Users .... 37
2.5.1 Digipass Assignment Options .... 37
2.5.1.1 Self-Assignment .... 38
2.5.1.2 Auto-Assignment .... 38
2.5.1.3 Manual Assignment .... 38
2.6 Security Levels .... 38
2.7 Virtual Digipass Implementation Considerations .... 39
2.7.1 Digipass Assignment Options .... 39
2.7.2 Cost .... 39
2.7.3 Security .... 39
2.7.4 Convenience .... 39
2.7.5 Gateway and account .... 39
2.7.6 Limiting Usage of Virtual Digipass .... 40
2.7.6.2 Backup Virtual Digipass Usage Guidelines .... 40
2.7.7 Resetting Virtual Digipass Restrictions .... 41
2.7.8 Virtual Digipass Login options .... 41
2.7.9 Location of OTP Request Site .... 41
3 Digipass User Accounts .... 42
3.1 User Account Identification .... 42
3.2 Digipass User Account Creation .... 42
3.2.1 Manual Creation .... 42
3.2.2 User Self-Management Web Site .... 42
3.2.3 Dynamic User Registration .... 42
3.2.4 Changes to Stored Static Password .... 43
3.2.4.1 Password Autolearn .... 43
3.2.4.2 User Self-Management Web Site .... 43
3.3 Logging in with a Digipass .... 45
3.3.1 Login Processes .... 45
3.3.2 Multiple Digipass or Digipass Applications .... 46
3.3.3 Password Field Information .... 46
3.4 Administration Privileges .... 47
3.5 Authenticating Users .... 48
3.5.1 Authentication Settings .... 48
3.5.2 Local Authentication .... 48
3.5.3 Back-End Authentication .... 48
3.5.4 User Account Locking .... 49
3.5.5 Windows Group Check .... 49
3.5.5.2 Windows Group Check Process .... 50
3.5.6 Linking User Accounts .... 51
4 Policies .... 52
4.1 What are Policies? .... 52
4.2 How Do They Work? .... 52
4.3 Policy Settings .... 53
4.4 Multiple Policies .... 55
4.4.1 Inheritance .... 55
4.4.2 Show Effective Settings .... 56
4.5 Pre-Loaded Policies .... 57
4.6 Differences from VACMAN Middleware 2.3 .... 58
4.6.1 Authenticator Setting .... 58
5 Components .... 59
5.1 What is a Component Record? .... 59
5.1.1 No Component Record Exists for a RADIUS Client .... 60
5.1.2 Policy Selection .... 61
5.2 Pre-loaded Component .... 61
5.3 Licensing .... 61
6 Active Directory Integration .... 62
6.1 What is Stored in Active Directory? .... 62
6.2 Schema Extensions .... 62
6.3 Permissions Needed by the IAS Plug-In .... 62
6.4 Sensitive Data Encryption .... 62
6.5 Administrative Permissions .... 63
6.6 Active Directory Command Line Utility .... 63
7 Administration Interfaces .... 64
7.1 Digipass Extension for Active Directory Users & Computers .... 64
7.2 Administration MMC Interface .... 64
8 Licensing .... 65
8.1 Overview .... 65
8.2 Obtaining a License Key File .... 65
8.2.1 Digipass Plug-In Activation Page .... 65
9 Auditing and Tracing .... 66
9.1 Auditing .... 66
9.1.1 Audit System .... 66
9.1.1.1 Audit message types .... 66
9.1.1.2 Audit messages location .... 66
9.1.2 Active Directory Auditing .... 67
9.2 Tracing .... 67
10 User Self Management Web Site .... 68
10.1 Customizing the User Self Management Web Site .... 69
11 OTP Request Site .... 70
12 Message Delivery Component .... 71
12.1 Configuration .... 71
Alphabetical Index .... 72
Index of Tables

Table 1: Login static password Requirements .... 16
Table 2: Backup Virtual Digipass Policy/Digipass Settings .... 28
Table 3: Summary of Digipass Record Location Options .... 31
Table 4: Digipass Options .... 39
Table 5: Backup Virtual Digipass Example Guidelines .... 41
Table 6: User Account Identification Methods .... 42
Table 7: VACMAN Middleware and IAS Plug-In Authentication Settings .... 58
Table 8: DPADadmin tasks .... 63
Table 9: Audit message types .... 66
Index of Images

Image 1: Digipass Plug-In for IAS Overview .... 9
Image 2: Login Method Processes .... 10
Image 3: Authentication Process .... 14
Image 4: GO 1 .... 20
Image 5: GO 3 .... 20
Image 6: DP 300 .... 20
Image 7: DP 585 .... 20
Image 8: DP 260 .... 20
Image 9: GO 2 .... 21
Image 10: DP 800 .... 21
Image 11: Digipass for Pocket PC .... 21
Image 12: Digipass for SIM .... 21
Image 13: Digipass for Palm .... 21
Image 14: Virtual Digipass Login .... 24
Image 15: Digipass Record Locations - Digipass Pool .... 32
Image 16: Digipass Record Locations - Parent Organizational Unit .... 33
Image 17: Digipass Record Locations - Individual Organizational Units .... 34
Image 18: Assignment Method Processes .... 37
Image 19: Dynamic User Registration .... 43
Image 20: Login Method Processes .... 45
Image 21: Windows Group Check Process .... 50
Image 22: Policy Selection .... 52
Image 23: Policy Inheritance .... 55
Image 24: Component Overview .... 59
Image 25: Component Use by IAS Plug-In .... 61
Image 26: OTP Request Site .... 70
1 Overview

1.1 Digipass Plug-In for IAS

The main purpose of the Digipass Plug-In for IAS is to improve your network security by adding two-factor authentication to Microsoft's Internet Authentication Service (IAS). It consists of two main parts:

The IAS Plug-In is an Authentication Module for IAS which enables two-factor authentication using Digipass.
Digipass are devices used to generate a One Time Password.

The IAS Plug-In interacts with IAS by performing the authentication check when IAS passes the Access-Request to it. When this occurs depends on the Authentication Policies defined in IAS. The IAS Plug-In does not perform any authorization checks; however, if authentication is successful, it can instruct IAS to use a specific RADIUS Profile.
[Image 1: Digipass Plug-In for IAS Overview. Callout: The User logs in through the usual channel, using their Digipass to generate a One Time Password.]
What is Two-Factor Authentication?

Methods of identifying an individual can be separated into three main categories:
Something they have (e.g. an ID card)
Something they know (e.g. a static password)
Something they are (e.g. a thumbprint)

Standard authentication is usually based on a UserID and a static password, and relies on only one factor of identification: something the User knows.

In contrast, Digipass authentication relies on two factors of identification: something the User has (the Digipass) and something the User knows (a static PIN or password). This is commonly referred to as two-factor authentication.
(Image 1 callout: "The IAS Plug-In checks the User details and, if correct, passes the authentication request on to IAS.")<br />
What is a One Time Password?<br />
A One Time Password (OTP) is a dynamic password created by a Digipass. It is either time-based (valid for a specific time interval) or event-based (valid for a specific usage count of the Digipass).<br />
© 2005 VASCO Data Security Inc. 9
1.2 Digipass Introduction<br />
1.2.1 What is a Digipass?<br />
A Digipass is a device for providing a One Time Password to a User. A Digipass is provided to each person whom a company wishes to be able to log into their system using One Time Passwords. The User obtains a One Time Password from the Digipass to use instead of, or as well as, a static password when logging in.<br />
Virtual Digipass is a mechanism where an OTP is generated by the server and sent by text message to the User's mobile phone. In this case, a physical Digipass is not needed.<br />
1.2.2 Logging in with a Digipass<br />
The diagram below shows a typical login process for the three basic login methods supported by the IAS Plug-In. The actual details entered by the User may vary, depending on Policy settings.<br />
Image 2: Login Method Processes<br />
1.2.3 Types of Digipass<br />
There are three basic types of Digipass:<br />
Hardware Digipass<br />
Hardware Digipass are devices specifically designed for the creation of One Time Passwords. Depending on the model supplied, they may be used for the Response Only, Challenge/Response and Digital Signature (not supported by the IAS Plug-In) methods.<br />
Software Digipass<br />
Software Digipass may be installed on a PDA or other mobile device. The User then accesses a Digipass program to obtain a One Time Password. They typically support the Response Only, Challenge/Response and Digital Signature (not supported by the IAS Plug-In) methods.<br />
Virtual Digipass<br />
Virtual Digipass can be used instead of hardware Digipass tokens, or as a backup mechanism when a User has mislaid their hardware Digipass. Using Virtual Digipass means that a User may receive a One Time Password on their mobile phone via text message.<br />
1.3 Software Components<br />
The Digipass Plug-In for IAS consists of various components, some required and some optional:<br />
1.3.1 Required Components<br />
IAS Plug-In<br />
This module is an addition to Microsoft's Internet Authentication Service which permits an increase in IAS security by adding two-factor authentication. IAS version 5.0 and later are supported.<br />
Data Store<br />
Additional User account information, Digipass records and other required Digipass-related settings are stored in Active Directory.<br />
Administration Interfaces<br />
Digipass Extension for Active Directory Users and Computers<br />
VASCO Extension to the Active Directory Users and Computers interface. Allows integrated administration of additional User settings and Digipass records.<br />
Administration MMC Interface<br />
This interface allows easy administration of Digipass Configuration data.<br />
1.3.2 Optional Components<br />
User Self Management Web Site<br />
Allows Users to make appropriate changes to their own Digipass settings, including PIN changes.<br />
Virtual Digipass<br />
The VASCO components used for Virtual Digipass are:<br />
Message Delivery Component<br />
Sends a One Time Password through a text message HTTP gateway to a User's mobile phone.<br />
OTP Request Site<br />
Allows a User to specifically request an OTP to be sent to their mobile phone.<br />
1.3.3 Extra Utilities<br />
These extra utilities may be used with the Digipass Plug-In for IAS, but require separate installations.<br />
Data Migration Tool<br />
The VASCO Data Migration Tool is a utility which allows you to migrate your data from one VASCO product to another.<br />
RADIUS Client Simulator<br />
The RADIUS Client Simulator is a program that simulates RADIUS Authentication and Accounting processing in a similar fashion to RADIUS-enabled Network Access Server and Firewall devices. The RCS can be used to test User authentication, Digipass authentication, estimate RADIUS Server performance, test system overload, and assist in detection of resource (memory, handle, etc.) leakage.<br />
1.4 Authentication Process<br />
The authentication process used by the IAS Plug-In will vary depending on settings in the applicable Policy and Digipass User account. The diagram below shows the basic process followed by the IAS Plug-In when authenticating a Digipass User login.<br />
Image 3: Authentication Process<br />
1.4.1 Local and Back-End Authentication<br />
The IAS Plug-In authenticates logins in two basic ways:<br />
Using information from its data store ('local' authentication)<br />
Asking Windows for verification of information ('back-end' authentication)<br />
'Local' Authentication<br />
The IAS Plug-In checks the details given in the authentication request against the details in its data store. This is when a Digipass User's One Time Password is checked. See 3.5.2 Local Authentication for more information.<br />
'Back-End' Authentication<br />
The IAS Plug-In checks the details given in the authentication request (User ID and domain) with Windows. The User's static password is also checked, and may be retrieved from the stored static password or from the authentication request, depending on Policy settings. See 3.5.3 Back-End Authentication for more information.<br />
1.4.2 Policies<br />
Policies specify various login settings which can affect how a User must log in. The Policy used for a specific authentication request is decided based on the RADIUS Client that transmitted the request or based on the IAS Plug-In component that handles the request.<br />
Some policy settings include:<br />
Whether Local and/or Back-End Authentication should be used<br />
Whether various automatic management features should be used<br />
The Digipass Application types required for login<br />
Backup Virtual Digipass settings<br />
1.4.3 Digipass User Account<br />
A Digipass User account is attached to an Active Directory User account by including additional attributes. These attributes are stored in an auxiliary class attached to the User object class. The account is created to hold authentication settings for the IAS Plug-In. It includes settings such as Digipass assignment and authentication overrides.<br />
The Digipass User account contains some login settings that affect how a User must log in. These settings can be used to override equivalent settings in the relevant Policy.<br />
A Digipass User account is created as required for a User record in Active Directory, for example when a Digipass must be assigned or Digipass User account settings modified. When Auto-Assignment is enabled (see later), creation of the account via Dynamic User Registration is the trigger for a Digipass to be automatically assigned to the User.<br />
1.4.3.1 Digipass User Account Settings<br />
Stored Static Password<br />
This may be used when local authentication is enabled and back-end authentication disabled, to avoid using the Windows static password for remote network access. It can be used for authenticating a User when a Digipass has not been assigned, or the assigned Digipass is still in the grace period. It can also be used for the Virtual Digipass feature, which requires a static password to be used in addition to the transmitted OTP.<br />
Local Authentication<br />
See 1.4.1 Local and Back-End Authentication. The Digipass User account setting overrides the Policy setting of the same name.<br />
Back-End Authentication<br />
See 1.4.1 Local and Back-End Authentication. The Digipass User account setting overrides the Policy setting of the same name.<br />
Disabled<br />
Specifies whether the Active Directory User account has been disabled. If so, the User will be rejected by the IAS Plug-In.<br />
Locked<br />
If a Digipass User account is locked, the User will be unable to log in until it is unlocked by an administrator.<br />
User Account Link<br />
Link to another Active Directory User account utilized by the same person. This may be used where an administrator needs to use their Digipass to log in via two different accounts.<br />
RADIUS Profiles<br />
Provides an authorisation link to IAS by selecting a RADIUS Profile.<br />
Record Creation Time<br />
The time and date when the Digipass User account was created. This is significant because it is used as an indicator of whether a given Active Directory User has a Digipass User account.<br />
1.4.3.2 Static Passwords<br />
When a static password is required for a login through the IAS Plug-In, which static password is checked depends on the settings in the relevant Policy. It will be either:<br />
Stored (local) static password in the Digipass User account<br />
If back-end authentication is in use, this will be a copy of the Windows static password; this is not typically required for the IAS Plug-In. Otherwise it will be a static password unrelated to the Windows static password.<br />
Windows static password<br />
Common Scenarios<br />
The table below shows common scenarios and the static password that the User would be required to enter on login.<br />
Scenario | Password Required<br />
Local Authentication enabled and Back-End Authentication disabled | Stored static password<br />
Dynamic User Registration enabled and needed for the login | Windows static password<br />
Virtual Digipass login with Back-End Authentication enabled | Windows static password<br />
Challenge/Response login with Back-End Authentication enabled | Windows static password (1)<br />
Table 1: Login static password requirements<br />
(1) If a static password is required to request a Challenge/Response login<br />
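The rules of 1.4.1, 1.4.3.1 and Table 1 (a Digipass User account setting overrides the Policy setting of the same name; Disabled or Locked accounts are rejected; which static password the User must enter) as an added Python model an administrator can use to reason about a login before changing a Policy. This is illustrative code, not the Plug-In's own; its attribute names, the POSIX-second grace period and the fallback for combinations Table 1 does not list are assumptions.<br />

```python
from dataclasses import dataclass
from typing import Optional

# Which static password the User must enter, in Table 1's wording.
STORED = "Stored static password"
WINDOWS = "Windows static password"
NONE = "No static password"


@dataclass
class Policy:
    """Login settings applying to a RADIUS Client or Plug-In component (1.4.2)."""
    local_auth: bool
    backend_auth: bool
    dynamic_user_registration: bool = False
    password_needed_for_challenge: bool = True   # Table 1, footnote (1)


@dataclass
class DigipassUser:
    """Digipass User account attributes (1.4.3.1); names are assumptions.
    None for local_auth / backend_auth means 'inherit from the Policy'."""
    exists: bool = True                      # False: no Digipass User account yet
    disabled: bool = False
    locked: bool = False
    local_auth: Optional[bool] = None
    backend_auth: Optional[bool] = None
    digipass_assigned: bool = False
    grace_period_end: Optional[int] = None   # POSIX seconds; None = no grace period
    primary_virtual: bool = False


@dataclass
class Decision:
    rejected: bool
    reason: str
    local_auth: bool = False
    backend_auth: bool = False
    static_password: str = NONE
    otp_required: bool = False


def effective(policy_value: bool, user_value: Optional[bool]) -> bool:
    """The Digipass User account setting overrides the Policy setting of the same name."""
    return policy_value if user_value is None else user_value


def static_password_for(policy: Policy, user: DigipassUser, local: bool,
                        backend: bool, challenge_response: bool) -> str:
    """Table 1: which static password the User must enter on login."""
    if local and not backend:
        return STORED
    if backend and user.primary_virtual:
        return WINDOWS
    if backend and challenge_response:
        return WINDOWS if policy.password_needed_for_challenge else NONE
    # Not listed in Table 1. Assumption: follow 1.4.1, i.e. the Windows password
    # is checked whenever back-end authentication runs, nothing otherwise.
    return WINDOWS if backend else NONE


def evaluate_login(policy: Policy, user: DigipassUser, now: int,
                   challenge_response: bool = False) -> Decision:
    """Decide how a login must be made, following the guide's stated rules."""
    # Dynamic User Registration: no account yet, a successful Windows login creates it.
    if not user.exists:
        if not policy.dynamic_user_registration:
            return Decision(True, "no Digipass User account and DUR disabled")
        return Decision(False, "Dynamic User Registration", policy.local_auth,
                        policy.backend_auth, WINDOWS, otp_required=False)
    if user.disabled:
        return Decision(True, "Active Directory User account disabled")
    if user.locked:
        return Decision(True, "Digipass User account locked")

    local = effective(policy.local_auth, user.local_auth)
    backend = effective(policy.backend_auth, user.backend_auth)

    # The OTP is checked by local authentication only, and only once a Digipass
    # is assigned and any grace period has ended (1.4.3.1 Stored Static Password).
    in_grace = user.grace_period_end is not None and now < user.grace_period_end
    otp_required = local and user.digipass_assigned and not in_grace

    return Decision(False, "ok", local, backend,
                    static_password_for(policy, user, local, backend, challenge_response),
                    otp_required)
```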
1.5 Features<br />
The IAS Plug-In includes many features to make administration simple and easy. These include integration with your current User Management system and automated processes for Digipass and User management.<br />
1.5.1 Active Directory Integration<br />
The Digipass Plug-In for IAS uses Active Directory to store VASCO-specific User attributes, Digipass records and Digipass Configuration information (e.g. Policies).<br />
1.5.2 User Management<br />
These features help your administrators streamline their User management:<br />
Dynamic User Registration (DUR)<br />
A Digipass User Account can be automatically created for a User new to the IAS Plug-In upon successful login through IAS. This allows the User to be assigned a Digipass, and the IAS Plug-In to process their future logins.<br />
Windows Group Check<br />
The IAS Plug-In can be configured to only authenticate Users belonging to specific Windows Groups. See 3.5.5 Windows Group Check for more information.<br />
1.5.3 Digipass Management<br />
These features will assist your administrators by automating the main Digipass management tasks required:<br />
Self-Assignment<br />
Your company might decide to distribute all of the Digipass to your Users, then require each User to self-assign their Digipass. On their first login, the User must enter a password combination which includes the Digipass serial number, to inform the IAS Plug-In of the assignment. The User account is then linked with the relevant Digipass record.<br />
Auto-Assignment<br />
A Digipass may be automatically assigned to a User upon creation of a Digipass User account, when Dynamic User Registration is used.<br />
Grace Period<br />
The Grace Period supplies a User with a set amount of time (e.g. 7 days) between assignment of a Digipass and the User being required to log in for the first time using an OTP from their Digipass.<br />
1.6 Supported Protocols<br />
The following protocols are supported by the Digipass Plug-In for IAS:<br />
PAP<br />
CHAP<br />
MS-CHAP with MPPE (Microsoft Point-to-Point Encryption)<br />
MS-CHAP2 with MPPE<br />
EAP-MD5<br />
1.7 Unsupported by Digipass Plug-In for IAS<br />
1.7.1 Windows 2000 Limitations<br />
These are not supported with Windows 2000:<br />
EAP-MD5<br />
Challenge/Response<br />
1.7.2 Other Unsupported Protocols<br />
These protocols are not supported by the Digipass Plug-In for IAS:<br />
Other EAP types:<br />
PEAP<br />
EAP-TTLS<br />
Various EAP types<br />
1.7.3 IAS Remote Access Policy Limitations<br />
Windows Server 2003<br />
Remote Access Policy Conditions may be set based on the password protocol being used for an authentication request, using the Authentication-Type option.<br />
When the IAS Plug-In authenticates a login, the Authentication-Type is recorded within IAS as "Extension", regardless of the actual password protocol used. Therefore, any Remote Access Policy Conditions limiting the password protocol being used will not work with the IAS Plug-In.<br />
Example<br />
Authentication-Type is set to PAP, meaning that any authentication requests which do not use the PAP password protocol will be rejected. If the IAS Plug-In is configured to use the PAP protocol, the Authentication-Type recognised when it makes an authentication request will be 'Extension' (meaning that IAS has recognised it as an IAS extension). The request will be failed by IAS because the password protocol being used by the Plug-In was only registered as 'Extension', not as 'PAP'.<br />
1.8 Available Reference Guides<br />
Reference Guides are included with every VASCO product:<br />
Product Guide<br />
The Product Guide will introduce you to the features of this product and the various options you have for using it.<br />
Installation Guide<br />
Use this guide when planning and working through an installation of the product.<br />
Getting Started<br />
To get you up and running quickly with a simple installation and setup of the product.<br />
Administrator Reference<br />
In-depth information required for administration of the product. This includes references such as data attribute lists, backup and recovery, and utility commands.<br />
Data Migration Tool Guide<br />
Takes you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.<br />
Help Files<br />
Context-sensitive help accompanies the administration interfaces.<br />
2 Digipass<br />
This section contains information specific to Digipass, their setup and management on your network.<br />
2.1 Types of Digipass<br />
2.1.1 Hardware Digipass<br />
The three basic types of hardware Digipass are:<br />
Digipass without keypads<br />
These are the simplest type of Digipass. They have a triggering mechanism, typically a button or an action such as pulling the Digipass open, which causes a One Time Password to be generated. They have only one Application, which is Response Only.<br />
Digipass with keypads<br />
Image 4: GO 1; Image 5: GO 3<br />
These are typically capable of supporting more than one Application, and can be programmed so that a PIN must be entered before a One Time Password may be accessed.<br />
Image 6: DP 300; Image 7: DP 585; Image 8: DP 260<br />
Smartcard reader Digipass<br />
These provide two-factor authentication based on smartcard technology.<br />
Image 9: GO 2; Image 10: DP 800<br />
2.1.2 Software Digipass<br />
Image 11: Digipass for Pocket PC; Image 12: Digipass for SIM; Image 13: Digipass for Palm<br />
Digipass for Pocket PC<br />
Digipass for Pocket PC turns Pocket PCs and smart phones into a personal hardware security device to provide One Time Passwords and Digital Signatures.<br />
Digipass for Palm<br />
Like Digipass for Pocket PC, Digipass for Palm allows generation of One Time Passwords and Digital Signatures from Palm Pilots and other devices utilising the Palm technology.<br />
Digipass for SIM<br />
Digipass for SIM allows a GSM mobile phone SIM card to be used to generate One Time Passwords.<br />
Digipass for Windows<br />
Digipass for Windows can be installed directly onto a PC. One Time Passwords and Digital Signatures can be generated on your computer and pasted into the required login window.<br />
2.1.3 Virtual Digipass<br />
There are two forms of Virtual Digipass available:<br />
Primary Virtual Digipass are treated by the IAS Plug-In almost identically to hardware Digipass: a record of each Primary Virtual Digipass must be imported into the data store, and may then be assigned to a User automatically or manually. The User will typically log in with their User ID and static password, have a text message sent to their mobile phone, and then enter the One Time Password from the text message in the second stage of their login.<br />
The Backup Virtual Digipass feature allows a User to request a One Time Password sent to their mobile phone if they do not have their usual Digipass at hand. It may be limited by number of uses or days of use; e.g. a User may be limited to 2 days' usage, after which they will again need to use their usual Digipass to log in.<br />
2.2 How do Digipass Work?<br />
2.2.1 Digipass Applications<br />
Each Digipass is programmed with at least one Digipass Application, and a unique algorithm. The Digipass uses this unique algorithm when generating One Time Passwords.<br />
Each type of Digipass Application generates One Time Passwords from different data, and in slightly different ways:<br />
Response Only<br />
Creates a One Time Password based on the date and time, or on the number of uses (events).<br />
Challenge/Response<br />
Creates a One Time Password (also referred to as a 'Response' in this context) based on a numerical challenge given on a login page. This may be either a challenge custom-created for the specific Digipass, or a randomly created challenge. The One Time Password may also be based on the date and time.<br />
Digital Signature<br />
Digital Signature Digipass Applications are typically used in online banking. The Digipass generates a unique code, referred to as a 'Digital Signature', based on a number of factors entered, plus (optionally) the date and time, or number of uses (events). In an online banking environment, the factors used to generate the Digital Signature during a funds transfer might be the debit account number, the destination account number and the amount of money being transferred.<br />
Digital Signatures are not currently in use with the Digipass Plug-In for IAS.<br />
2.2.2 Virtual Digipass Differences<br />
The IAS Plug-In treats Primary Virtual Digipass slightly differently to other Digipass. The two main differences are:<br />
Grace Period<br />
A Primary Virtual Digipass cannot be used until its grace period has expired, if the method of requesting an OTP is the static password. This is to ensure that text messages are only sent when needed, avoiding unnecessary cost to the company and/or Users. However, in this case the OTP Request Site or User Self Management Web Site may be used to prematurely end the grace period.<br />
Backup Virtual Digipass<br />
The Backup Virtual Digipass feature cannot be enabled for a Primary Virtual Digipass.<br />
2.2.2.1 Virtual Digipass Login Process<br />
The diagram below shows the basic process that occurs when a User logs in with a Virtual Digipass:<br />
Image 14: Virtual Digipass Login<br />
2.2.2.2 How Does a User Request an OTP?<br />
There are three ways a User might request a One Time Password to be delivered with either a Primary or Backup Virtual Digipass:<br />
2-step Login<br />
Two login prompts are used to provide an easy-to-use login interface for Users with Virtual Digipass. The first prompt is used to request an OTP, the second to enter the received OTP. This can be used with applications which support 2-step logins, e.g. Citrix Web Interface, RADIUS with support for Challenge/Response.<br />
Two 1-step Logins<br />
The User must attempt two logins, the first of which will fail but will initiate the sending of an OTP to the User's mobile. This is used when the 2-step login process is not supported, e.g. RADIUS without support for Challenge/Response.<br />
OTP Request Site<br />
Alternatively, especially if a more user-friendly option than the previous is needed, Users can go to the OTP Request Site when they need an OTP sent to their mobile phone, then log in normally at the usual login screen.<br />
2.2.3 Digipass Programming<br />
A Digipass is programmed using a Digipass Programmer and the necessary software. This may be done by your company or by your supplier.<br />
Common settings which may affect your administration tasks are explained below.<br />
2.2.3.1 Digipass PIN<br />
A Digipass PIN may be required for a Digipass. If set, the PIN must be entered into the Digipass before obtaining a One Time Password. This means that just possessing the Digipass is not enough to log in to a network; the person logging in must also know the Digipass PIN.<br />
Digipass PIN settings include:<br />
An Initial PIN can be set for a Digipass. The PIN must then be sent to the User of the Digipass, typically separate from the Digipass delivery.<br />
First Use PIN Modification allows a Digipass to require a PIN change from the User upon first use.<br />
PIN Change allows a User to change their PIN as desired.<br />
The PIN Length can be set for a Digipass.<br />
Digipass Lock sets the number of consecutive faulty PIN entries allowed before the Digipass is locked.<br />
2.2.3.2 Time/Event-based <strong>Digipass</strong> Applications<br />
Response Only<br />
Response Only <strong>Digipass</strong> Applications can be either time-based or event-based:<br />
© 2005 VASCO Data Security Inc.
Time-based
A time-based Application changes the OTP to be displayed based on the current time. The common time step is 36 seconds, meaning that the OTP to be displayed changes every 36 seconds, whether or not an OTP has been requested from the Digipass.
Event-based
An event-based Digipass Application displays a new OTP each time an OTP is requested.
Challenge/Response
Challenge/Response Digipass Applications can be either time-based or non-time-based:
Time-based
A time-based Challenge/Response Digipass Application generates an OTP based on the Challenge given and the current time. The common time step is 9 hours ('slow challenge'). If exactly the same Challenge were given to a Digipass twice within one 9-hour period, the Digipass Application would generate the same OTP; however, Challenges are very rarely repeated within such a period.
Non-time-based
A non-time-based Challenge/Response Digipass Application generates an OTP based only on the Challenge given.
2.2.3.3 OTP Length
The length of the OTP (excluding check digit) generated by the Digipass for Response Only and Challenge/Response Digipass Applications.
Check Digit
A check digit may be added to each OTP. It is generated from the response and allows incorrect (e.g. mistyped) OTPs to be rejected more quickly, without a full response check.
2.2.3.4 Challenge Length
The length of the Challenge (excluding check digit) expected by the Digipass. This is used by the Challenge/Response Digipass Application.
Check Digit
A check digit may be expected with each Challenge. It is generated by the server from the Challenge and allows the Digipass to reject most invalid Challenges.
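A worked example of what a check digit buys, added here; it is not part of the guide or of VASCO's software. The guide does not say which check-digit algorithm the Digipass uses, so the standard mod-10 (Luhn) digit is assumed purely for illustration. The same code applies to an OTP checked by the login client or server and to a Challenge checked by the Digipass before it computes a response; the sample OTP and Challenge are constructed.

```python
def luhn_check_digit(digits):
    """Return the single mod-10 check digit for a string of decimal digits.
    Luhn is an ASSUMPTION here; the Digipass algorithm is not documented in the guide."""
    if not digits.isdigit():
        raise ValueError("check digits are defined over decimal digits only")
    total = 0
    # Walk right to left. The check digit will occupy the rightmost position,
    # so the rightmost payload digit is the first one doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def append_check_digit(value):
    """Server side for a Challenge, Digipass side for an OTP: add the digit."""
    return value + luhn_check_digit(value)


def passes_check_digit(value_with_check):
    """Receiver side: cheap local rejection before any cryptographic check."""
    if len(value_with_check) < 2 or not value_with_check.isdigit():
        return False
    payload, check = value_with_check[:-1], value_with_check[-1]
    return luhn_check_digit(payload) == check


def single_digit_typos_caught(value_with_check):
    """Try every single-digit substitution; return (rejected, tried).
    Shows why 'most invalid' input never reaches the server."""
    caught = tried = 0
    for pos in range(len(value_with_check)):
        for d in "0123456789":
            if d == value_with_check[pos]:
                continue
            typo = value_with_check[:pos] + d + value_with_check[pos + 1:]
            tried += 1
            if not passes_check_digit(typo):
                caught += 1
    return caught, tried
```

A check digit only detects entry mistakes; it adds no secrecy, since anyone who can see the OTP can compute the digit. Its security value is indirect: a mistyped OTP is rejected before it counts as a failed attempt against the Application lock (section 2.4.7).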
2.2.4 Digipass Record Settings
These settings are kept in the record for a Digipass Application, and affect which OTP is expected by the IAS Plug-In.
2.2.4.1 Time/Event-based Settings
Time Based
Specifies whether the algorithm for the Digipass Application is time-based (see Time/Event-based Digipass Applications for more information).
Time Step Used
The time step used by the Digipass Application (see Time/Event-based Digipass Applications for more information).
Last Time Shift
The Time Shift records the misalignment between the time kept by the Digipass and the time kept by the server, and is updated each time the User logs in. This ensures that if either clock drifts from the correct time, the IAS Plug-In can make an allowance and the User can still log in. If, between two logins, the drift moves beyond the allowable time window, the Digipass record will have to be reset (this allows the time drift to be recalculated).
Example
The time window may be 5 steps in either direction. This means that 11 OTPs would be considered valid: the exact OTP for the current time, and the OTPs for the 5 time steps either side of it. If the OTP given is for a different time step, the time shift for that Digipass is recorded. The next time the User logs in, the expected OTP is calculated based on that time shift.
Last Event Value
The current number of uses of the Digipass Application, according to the Digipass. This can get out of sync with the number of uses recorded by the IAS Plug-In when:
login failures occur for reasons other than an incorrect OTP;
the Digipass has been used without a login (e.g. children have been playing with it);
the Digipass is being used to log in to two separate systems.
The purpose of this setting is much the same as that of Last Time Shift: it allows the IAS Plug-In to track any shift between the event count recorded by itself and that on the Digipass.
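The two synchronisation mechanisms above, as an added example that is not the guide's or VASCO's code. It uses a truncated HMAC-SHA1 as a stand-in for the Digipass algorithm, keeps Last Time Shift in whole time steps, refuses any step at or before the last accepted one (a replay guard the guide does not mention), and widens the window to 50 steps after a reset; all four are this example's assumptions, as are the seed and the event look-ahead of 10. The two maintenance functions that act on these fields (Reset Application and Set Event Counter, section 2.4) are included as methods.

```python
import hashlib
import hmac
import struct


def otp(secret, counter, digits=6):
    """Stand-in OTP function (HMAC-SHA1, truncated); NOT the Digipass algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TimeBasedRecord:
    """Server-side record for a time-based Response Only application."""

    def __init__(self, secret, time_step=36, window=5, reset_window=50):
        self.secret = secret
        self.time_step = time_step          # Time Step Used
        self.window = window                # steps accepted either side of the expected one
        self.reset_window = reset_window    # widened window after Reset Application (assumption)
        self.last_time_shift = 0            # Last Time Shift, in steps (+ = device clock ahead)
        self.last_accepted_step = -1        # replay guard (assumption)
        self.next_window = window

    def reset_application(self):
        """Reset Application: forget the recorded shift and widen the next window."""
        self.last_time_shift = 0
        self.next_window = self.reset_window

    def verify(self, candidate, server_time):
        expected = server_time // self.time_step + self.last_time_shift
        window, self.next_window = self.next_window, self.window
        # Try the exact step first, then steps progressively further away.
        for delta in sorted(range(-window, window + 1), key=abs):
            step = expected + delta
            if step <= self.last_accepted_step:
                continue                        # an OTP from this step was already used
            if hmac.compare_digest(otp(self.secret, step), candidate):
                self.last_time_shift += delta   # remember the drift for the next login
                self.last_accepted_step = step
                return True
        return False


class EventBasedRecord:
    """Server-side record for an event-based Response Only application."""

    def __init__(self, secret, look_ahead=10):
        self.secret = secret
        self.look_ahead = look_ahead        # unseen button presses tolerated (assumption)
        self.last_event_value = 0           # Last Event Value

    def set_event_counter(self, device_count):
        """Set Event Counter: align the server with the count read off the device."""
        self.last_event_value = device_count

    def verify(self, candidate):
        start = self.last_event_value + 1
        for count in range(start, start + self.look_ahead):
            if hmac.compare_digest(otp(self.secret, count), candidate):
                self.last_event_value = count   # skipped presses are now consumed
                return True
        return False


class EventDevice:
    """The token side: every request for an OTP advances the counter."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def press(self):
        self.counter += 1
        return otp(self.secret, self.counter)
```

The two windows are the trade-off to keep in mind: every extra step the server accepts is another OTP an attacker could guess, so the normal window should stay small and the widened one should apply to a single login only, as the reset method above does.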
2.2.4.2 Response Length
This setting determines the length of the OTP (excluding check digit) expected by the server from the Digipass Application.
Response Check Digit
Whether a check digit is expected with each OTP from the Digipass Application. The check digit is generated from the response and allows incorrect OTPs to be rejected more quickly.
2.2.4.3 Server PIN
The term 'Server PIN' means a PIN that the User enters into the login password field in front of the OTP displayed on the Digipass. It is checked by the authenticating server. The 'Digipass PIN' referred to earlier is a PIN entered into the keypad on the Digipass; it is checked by the device itself and is never transmitted to the server.
A number of Server settings regulate Server PINs:
PIN Supported: whether a PIN must be included in a User's login.
PIN Change On: whether the User is allowed to change their Server PIN for this Digipass.
Force PIN Change: whether the User must change their Server PIN the next time they log in.
PIN Length: the length of the current Server PIN.
PIN Minimum Length: the minimum PIN length required by the Server.
2.2.4.4 Backup Virtual Digipass
Policy and Digipass settings
Several settings dictate how a User may use the Backup Virtual Digipass feature:
whether Backup Virtual Digipass is enabled or disabled, and the enable method (e.g. Required, Time Limited);
the time limit/expiry (applies to the Time Limited enable method only);
the maximum number of times a User may make use of the Backup Virtual Digipass.
These settings may be set both at the Policy level and at the Digipass record level. Individual settings override Policy settings for an individual Digipass, but some Policy settings (see below) may be used to automatically fill in Digipass settings which are blank when the User first uses the Backup Virtual Digipass.
Time Limit and Max. Uses/User
Server (Policy) setting      Corresponding User (Digipass record) setting
Time Limit                   Enabled Until
Max. Uses/User               Uses Remaining
Table 2: Backup Virtual Digipass Policy/Digipass Settings
If Backup Virtual Digipass is enabled for a Digipass and set to Time Limited, and the Enabled Until field in the Digipass property sheet is blank on the User's first use of the Backup Virtual Digipass, the time limit begins at that first use. The expiry date (today's date + Time Limit) is then displayed in the Enabled Until field.
If a Max. Uses/User is set for the relevant Policy and the Uses Remaining field of the Digipass record is blank on the User's first use of the Backup Virtual Digipass, the Max. Uses/User value is automatically entered into the Uses Remaining field and immediately decremented by 1.
Note
If a User has Backup Virtual Digipass enabled with an Enabled Until date set and their Uses Remaining has been set (automatically or manually), whichever of these expires first disables Backup Virtual Digipass for the User.
e.g. Backup Virtual Digipass is enabled for a User as Time Limited, and the server Time Limit setting is 3 days. The Max. Uses/User Policy setting is 5. When the User first makes use of the Backup Virtual Digipass, their Enabled Until is set to a date 3 days hence and their Uses Remaining to 4. During the next 48 hours, they log in 4 more times. Although the User's time limit does not run out for another 24 hours, their Uses Remaining is now 0 and Backup Virtual Digipass is disabled.
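The fill-in and expiry rules above, including the worked example from the Note, as an added example that is not the guide's or VASCO's code. The layout (a Policy object and a Digipass record object carrying the two fields from Table 2), the field and enable-method names, the administrator extension function and the sample timeline are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class BackupVdpPolicy:
    """Policy-level settings (assumed field names)."""
    enabled: bool = True
    enable_method: str = "Time Limited"      # or "Required"
    time_limit_days: Optional[int] = 3       # Time Limit; applies to Time Limited only
    max_uses_per_user: Optional[int] = 5     # Max. Uses/User; None = unlimited


@dataclass
class BackupVdpRecord:
    """Digipass-record-level settings; blank (None) fields are filled from the Policy."""
    enabled_until: Optional[datetime] = None  # Enabled Until
    uses_remaining: Optional[int] = None      # Uses Remaining


def backup_vdp_available(policy, record, now):
    """Whichever of the two limits has run out first disables the feature."""
    if not policy.enabled:
        return False
    if record.enabled_until is not None and now > record.enabled_until:
        return False
    if record.uses_remaining is not None and record.uses_remaining <= 0:
        return False
    return True


def use_backup_vdp(policy, record, now):
    """Account for one use of the Backup Virtual Digipass (one OTP sent).
    Returns False, and changes nothing, when the feature is not available."""
    if not backup_vdp_available(policy, record, now):
        return False
    # First use with blank fields: fill them in from the Policy.
    if (policy.enable_method == "Time Limited" and record.enabled_until is None
            and policy.time_limit_days is not None):
        record.enabled_until = now + timedelta(days=policy.time_limit_days)
    if record.uses_remaining is None and policy.max_uses_per_user is not None:
        record.uses_remaining = policy.max_uses_per_user
    # Every use, including the first, consumes one.
    if record.uses_remaining is not None:
        record.uses_remaining -= 1
    return True


def extend_backup_vdp(record, now, extra_days, uses=None):
    """Administrator action (section 2.7.6): extend the time period, optionally refill the uses."""
    expired = record.enabled_until is None or record.enabled_until < now
    base = now if expired else record.enabled_until
    record.enabled_until = base + timedelta(days=extra_days)
    if uses is not None:
        record.uses_remaining = uses


# Constructed timeline for the worked example: first use at 09:00 on day 0.
SAMPLE_START = datetime(2005, 1, 1, 9, 0)


def at(hours):
    """Point in time `hours` after the first use (convenience for the constructed timeline)."""
    return SAMPLE_START + timedelta(hours=hours)
```

A record-level value that is already set is never overwritten by the Policy, which is how an individual User can be given fewer uses than the Policy allows. Note that a rejected request leaves both fields untouched, so an attacker repeatedly triggering OTP requests for a User cannot push the count below zero or move the expiry date.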
2.3 Digipass Records
2.3.1 Location of Digipass Records
When a Digipass is assigned to a User, its record is moved to the same location as the Digipass User account it is assigned to. This makes it easier to set up the permissions necessary for delegated administration.
Note
A Digipass record is not automatically moved when the User account to which it is assigned is moved to another location. When moving User accounts within Active Directory, ensure that the records of any assigned Digipass are manually moved to the same location.
Unassigned Digipass records may be stored in various places in the domain:
Digipass Pool
During installation, a container called Digipass-Pool is created in the Domain. This is intended as a general store for unassigned Digipass, regardless of which administrator is performing assignment.
Organizational Units
Digipass can be loaded or moved either into the exact Organizational Units where the User accounts to which they will be assigned are located, or into a few key Organizational Units in the hierarchy, from where they may be assigned to Users in lower-level Organizational Units.
Users Container
Digipass can be loaded into the Users container, so that they are available for Users in that container. However, it is not recommended to use the Users container for either User accounts or Digipass.
Note
The IAS Plug-In always finds or assigns the closest available Digipass record to the selected User record(s).
When looking for an available Digipass to assign to a User, the IAS Plug-In first looks in the same location as the User account. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the IAS Plug-In to search in parent Organizational Units and in the Digipass Pool container as well. This option may be set at the Policy level for system searches (e.g. Auto-Assignment and Self-Assignment) or at the time of the search for manual assignment.
If the assignment is manual (performed by an administrator), it will only find and successfully assign Digipass from locations where the administrator has the correct permissions. The administrator must have read permission for Digipass objects in a location in order to find a Digipass record there, and if the record needs to be moved to the User's location, delete permission for Digipass objects in that location in order to assign it. If the administrator has sufficient permissions to view a Digipass record but not to assign it, the assignment fails.
Digipass Pool
Pros: Only administrators with access to the Digipass Pool may view or modify records for unassigned Digipass. This also means that only those administrators may manually assign Digipass.
Cons: An extra permission must be assigned to all administrators who should be able to assign Digipass (if they are not Domain Admins). It is not possible to strictly subdivide the unassigned Digipass among the Organizational Units according to quotas.
Organizational Unit
Pros: Digipass may be portioned out to various Organizational Units. This is particularly useful where a company is contracted to provide authentication services to multiple companies, or where various departments have different Digipass quotas.
Cons: If an Organizational Unit runs out of Digipass to assign to its Users, more Digipass records must be manually moved to the right location.
Users Container
Pros: Digipass can be assigned to any User in the Users container.
Cons: Digipass in the Users container are only available to User accounts stored there.
Table 3: Summary of Digipass Record Location Options
2.3.2 Typical Digipass Location Models
Digipass Pool
A centralised point of access and importation can be implemented by using the Digipass Pool to hold unassigned Digipass records. This option requires less calculation and less high-level administration, as all Digipass records are imported into one area and there is no need to manually move records or to calculate the exact number of Digipass required for each Organizational Unit or group of Units. However, permissions will need to be set up to allow delegated administrators to move Digipass out of the container upon assignment.
The Digipass Pool is treated as the Domain Root by the IAS Plug-In, as Digipass records may not be saved in the Domain Root itself.
Image 15: Digipass Record Locations - Digipass Pool
In the diagram above, Administrator 1 has delegated administrator permissions for Organizational Unit B and its child Organizational Units. They must also have read and delete permissions for Digipass objects in the Digipass Pool container.
The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.
Parent Organizational Units
Unassigned Digipass can be kept in key Organizational Units and made available to their lower-level Organizational Units. This requires a delegated administrator to have permissions not only for the Organizational Unit in which the User accounts are stored, but also read, write and delete permissions for Digipass objects in the Organizational Unit in which the Digipass are stored.
Image 16: Digipass Record Locations - Parent Organizational Unit
In the diagram above, Administrator 1 has full admin permissions for Organizational Unit B and its child Organizational Units. She does not require any other permissions to assign Digipass from Organizational Unit B to a User in Organizational Unit B1. Administrator 2 has full admin permissions for Organizational Unit A2 only. He has read and delete permissions for Digipass objects in Organizational Unit A in order to assign Digipass from Organizational Unit A to a User in Organizational Unit A2.
The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.
Individual Organizational Units
Digipass can be loaded or moved into each Organizational Unit where and when they are required. It is then easy to set up permissions so that delegated administrators can assign them only within their own scope of control. Once all Digipass in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before a delegated administrator can assign any more.
Image 17: Digipass Record Locations - Individual Organizational Units
In the diagram above, each delegated administrator only requires permissions within their specific Organizational Unit(s), as unassigned Digipass are stored in the Organizational Units in which they will be assigned.
The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model.
Combination of models
Digipass may be stored in the Digipass Pool as well as in some or all Organizational Units. If no unassigned Digipass records are found in the User's Organizational Unit, and the Search Upwards in Organizational Unit hierarchy option is enabled, the IAS Plug-In searches upwards towards the Domain Root and finally in the Digipass Pool for an available, unassigned Digipass record.
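The search order and permission rules of sections 2.3.1 and 2.3.2, as an added example that is not the guide's or VASCO's code. It models the directory as a list of records with distinguished names; the domain name, the Organizational Unit names (A, A2, B, B1, taken from the diagrams), the serial numbers and the administrators are constructed, and representing permissions as per-container sets is this example's assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

DOMAIN = "DC=example,DC=local"                 # constructed domain
POOL = "CN=Digipass-Pool," + DOMAIN            # container created at installation
OU_A, OU_A2 = "OU=A," + DOMAIN, "OU=A2,OU=A," + DOMAIN
OU_B, OU_B1 = "OU=B," + DOMAIN, "OU=B1,OU=B," + DOMAIN


@dataclass
class DigipassRecord:
    serial: str
    location: str                          # DN of the container holding the record
    assigned_to: Optional[str] = None      # DN of the User, once assigned


@dataclass
class Administrator:
    name: str
    can_read: set = field(default_factory=set)     # containers with read on Digipass objects
    can_delete: set = field(default_factory=set)   # containers with delete (move out) on Digipass objects


def parent(dn):
    """'OU=A2,OU=A,DC=...' -> 'OU=A,DC=...'."""
    return dn.split(",", 1)[1]


def search_path(user_container, search_upwards):
    """Closest location first; with Search Upwards, the parents and then the Pool
    (which stands in for the Domain Root, where records may not be stored)."""
    path = [user_container]
    if search_upwards:
        dn = parent(user_container)
        while not dn.startswith("DC="):
            path.append(dn)
            dn = parent(dn)
        path.append(POOL)
    return path


def find_available(records, user_container, search_upwards, admin=None):
    """Return the closest unassigned record the caller is allowed to see, or None.
    admin=None models a system search (Auto-/Self-Assignment) with no scope limit."""
    for container in search_path(user_container, search_upwards):
        if admin is not None and container not in admin.can_read:
            continue
        for rec in records:
            if rec.location == container and rec.assigned_to is None:
                return rec
    return None


def assign(records, user_dn, search_upwards, admin=None):
    """Returns ('assigned', record), ('none-found', None) or ('permission-denied', record).
    On success the record is linked to the User and moved to the User's container."""
    user_container = parent(user_dn)
    rec = find_available(records, user_container, search_upwards, admin)
    if rec is None:
        return "none-found", None
    needs_move = rec.location != user_container
    if needs_move and admin is not None and rec.location not in admin.can_delete:
        return "permission-denied", rec       # visible, but cannot be moved out
    rec.assigned_to = user_dn
    rec.location = user_container
    return "assigned", rec


def sample_records():
    """Constructed inventory: one record already assigned in A2, one free in A, one free in the Pool."""
    return [
        DigipassRecord("VDP0000001", OU_A2, assigned_to="CN=carol," + OU_A2),
        DigipassRecord("VDP0000002", OU_A),
        DigipassRecord("VDP0000003", POOL),
    ]
```

The model makes the delegation trade-off explicit: read permission on a container is what lets an administrator see the unassigned stock there, and delete permission is what lets them take from it, so granting read on the Pool without delete produces exactly the "visible but assignment fails" case described above.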
2.3.3 Search for Digipass Records
The Digipass Extension for Active Directory Users and Computers allows you to search for specific Digipass records, or for Digipass records meeting set criteria. This is useful when you have Digipass records in various places throughout Active Directory.
2.4 Digipass Record Functions
A number of functions are available in the Digipass Extension for Active Directory Users and Computers to administer Digipass records. These are typically required for maintenance, e.g. when a User has forgotten their Server PIN or a Digipass has been locked.
2.4.1 Reset Application
A Digipass Application may need to be reset if the time difference between it and the server needs to be recalculated. This is typically required for a time-based Response Only Digipass after a very long period of inactivity. The reset widens the allowable time window for the next login, allowing the User to log in and the IAS Plug-In to calculate the current time shift.
2.4.2 Set Event Counter
If the event count for an event-based Application has become unsynchronised between the Digipass and the server, this function can be used to set the server event count to the event count on the Digipass.
2.4.3 Reset PIN
If a User's Server PIN needs to be changed, usually because the User has forgotten it, it can be reset, and the User can create a new Server PIN when they next log in. This may also be done when unassigning or re-assigning a Digipass.
2.4.4 Force PIN Change
This function can be used when an administrator wants a User to change their Server PIN on their next login. This may be desirable as a security measure.
2.4.5 Set PIN
A User's Server PIN can be set to a specific value and communicated to the User.
2.4.6 Unlock Digipass
If a User enters their Digipass PIN incorrectly into their Digipass a predetermined number of times, the Digipass becomes locked. Once locked, the assistance of an administrator is required to unlock it. This function allows an administrator to provide the User with an Unlock Code to enter into their Digipass.
2.4.7 Reset Application Lock
If a User has attempted to log in with incorrect details too many times, the Digipass Application used may be locked, depending on Policy settings. This function sets the record for the Digipass Application back to the unlocked status. This differs from User locking, as the User may still log in with a different Digipass.
2.4.8 Test a Digipass Application
Use this function to check that a Digipass Application is working as expected. There is also a function to test the Backup Virtual Digipass functionality.
2.5 Assigning <strong>Digipass</strong> to Users<br />
<strong>Digipass</strong> may be assigned to Users in a number of ways, depending on the requirements of<br />
your company. For example, a company with only a few User accounts may use Manual<br />
Assignment. A larger company needing to distribute large numbers of <strong>Digipass</strong> may find it<br />
easier to simply distribute the <strong>Digipass</strong> and require each User to go through Self-Assignment.<br />
Note<br />
<strong>Digipass</strong> records must be imported into Active Directory be<strong>for</strong>e being assigned<br />
to Users. They may be imported into a general-purpose '<strong>Digipass</strong> Pool' or into<br />
the specific Organizational Units where they are needed. They must be in the<br />
same domain as the User to whom they are being assigned.<br />
2.5.1 <strong>Digipass</strong> Assignment Options<br />
The diagram below shows the basic assignment process used <strong>for</strong> the three main assignment<br />
methods which may be set in a Policy.<br />
Image 18: Assignment Method Processes<br />
2.5.1.1 Self-Assignment
A Digipass may be assigned to a User by their own action. The User must log in and include the Digipass serial number, their Windows static password and a One Time Password. This informs the IAS Plug-In of the assignment, and provided that the User enters the details correctly, a link is made between the Digipass record and the User account. A grace period is not used for this method.
2.5.1.2 Auto-Assignment
The IAS Plug-In can automatically assign an available Digipass when a Digipass User account is created using Dynamic User Registration (DUR). The correct Digipass must then be delivered to the User. A grace period is typically set, allowing a number of days in which the User may still log in using only their static password.
2.5.1.3 Manual Assignment
A selected Digipass is manually assigned to a specific Digipass User account. The Digipass must then be sent out to the User. A grace period is typically set, during which the User may still log in using only their static password.
2.6 Security Levels
The following affects the security level of your setup for the IAS Plug-In:
Using the Windows Static Password instead of a Server PIN
You can configure the authentication process so that a User is required to use their Windows static password in place of a Server PIN when logging on through a remote access server. This is a valid two-factor authentication combination, but it is important to consider the security of the machines from which the User will log in. If there is a risk of key logging, for example, an attacker would still not be able to log in with what they captured, because the OTP is only valid once, but they would have captured the User's Windows static password, which can be used wherever that password is accepted. If a Server PIN were used instead, they would only have captured the PIN.
This has to be balanced against the need for a User to learn and remember an additional item, the Server PIN.
2.7 Virtual <strong>Digipass</strong> Implementation Considerations<br />
2.7.1 <strong>Digipass</strong> Assignment Options<br />
With the introduction of Virtual <strong>Digipass</strong>, there are several different assignment combinations<br />
that can be used. The first option in the table below does not utilize Virtual <strong>Digipass</strong>. The<br />
others include a Virtual <strong>Digipass</strong> in either a backup or primary mode.<br />
Primary Backup<br />
<strong>Digipass</strong> None User must log in using a <strong>Digipass</strong>.<br />
<strong>Digipass</strong> Backup Virtual<br />
<strong>Digipass</strong><br />
<strong>Digipass</strong><br />
(temporarily<br />
disallowed)<br />
Primary Virtual<br />
<strong>Digipass</strong><br />
Table 4: <strong>Digipass</strong> Options<br />
2.7.2 Cost<br />
Backup Virtual<br />
<strong>Digipass</strong><br />
User usually logs in using a <strong>Digipass</strong>, but may utilize the Backup<br />
Virtual <strong>Digipass</strong> feature where required. Usage of the feature may<br />
be limited.<br />
User must log in using the Backup Virtual <strong>Digipass</strong> feature. This<br />
might be used while a User’s <strong>Digipass</strong> is lost, until the <strong>Digipass</strong> is<br />
recovered.<br />
N/A User is assigned a Virtual <strong>Digipass</strong> and must log in using it.<br />
Your company will probably need to pay an amount <strong>for</strong> each text message sent. <strong>In</strong> some<br />
countries, mobile phone owners might need to pay an amount <strong>for</strong> each text message received<br />
on their mobile phone. This will need to be taken into consideration when deciding how to<br />
implement Virtual <strong>Digipass</strong> functionality.<br />
2.7.3 Security<br />
Hardware <strong>Digipass</strong> devices provide the highest level of security. Virtual <strong>Digipass</strong> provides a<br />
lower, although still high, level of security. This needs to be weighed against other<br />
considerations be<strong>for</strong>e deciding whether your company will implement Virtual <strong>Digipass</strong>, and if<br />
so, how it will be implemented.<br />
2.7.4 Convenience<br />
Virtual Digipass is more convenient than a hardware Digipass for many Users: only their usual<br />
mobile phone is required, with no extra device to carry. Users who do not habitually carry their<br />
mobile phone, though, are likely to find a GO 3 or GO 1 easier to transport.<br />
For Users with the Backup Virtual Digipass enabled, it might be the difference between going<br />
to work to pick up a forgotten Digipass and getting important work done at home.<br />
2.7.5 Gateway and account<br />
Your company will need the use of a text message gateway and an account with the gateway.<br />
The Message Delivery Component will need configuration information for the gateway and the<br />
Username and static password for the account. Treat these account credentials as a secret:<br />
anyone holding them can send messages charged to your account. Your VASCO supplier can assist<br />
with this process.<br />
© 2005 VASCO Data Security <strong>In</strong>c. 39
<strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong> <strong>Product</strong> <strong>Guide</strong> <strong>Digipass</strong><br />
2.7.6 Limiting Usage of Virtual Digipass<br />
Use of Virtual Digipass may be limited by:<br />
Using Backup Virtual Digipass only.<br />
Minimizing the number of Users assigned a Primary Virtual Digipass.<br />
A User's Primary Virtual Digipass use cannot be limited: it is that User's only way to log in.<br />
The Backup Virtual <strong>Digipass</strong> feature may be enabled as an ‘emergency’ backup <strong>for</strong> Users who<br />
have left their primary <strong>Digipass</strong> at home, or <strong>for</strong> other reasons do not have access to their<br />
primary <strong>Digipass</strong>. Use of this feature can be limited <strong>for</strong> each User by:<br />
Time period<br />
Set a time period in which a User may access the Backup Virtual <strong>Digipass</strong>. After this period<br />
has expired, any Virtual <strong>Digipass</strong> requests from the User will be rejected. If the User is still<br />
unable to use their <strong>Digipass</strong>, the time period must then be extended by an administrator.<br />
Once they have started using their <strong>Digipass</strong> again, the administrator must reset the time<br />
period if the User is to be allowed to use Backup Virtual <strong>Digipass</strong> again.<br />
Number of Uses<br />
Set a maximum number of times a User may request an OTP using the Backup Virtual <strong>Digipass</strong><br />
feature. When the User has reached this number of uses, any further OTP requests from the<br />
User will be rejected. This must be reset by an administrator if further use of the Backup<br />
Virtual <strong>Digipass</strong> is required <strong>for</strong> the User.<br />
Global and <strong>In</strong>dividual Backup Virtual <strong>Digipass</strong> settings<br />
Backup Virtual <strong>Digipass</strong> options can be set globally or individually, to allow a standard policy<br />
<strong>for</strong> all <strong>Digipass</strong> with exceptions made where necessary. Global settings will affect all <strong>Digipass</strong><br />
whose individual option is set to 'Default'.<br />
Global options are defined in the Policy that controls authentication. There<strong>for</strong>e, by using<br />
multiple Policies, you have some additional flexibility.<br />
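The following Python sketch, added here as an illustration and not taken from the VASCO product, models the Backup Virtual Digipass limits described in this section: an individual option of 'Default' defers to the Policy, the time period and number-of-uses limits are checked on each OTP request, and only an administrator's reset clears them. The class and function names, the choice to start the time period at the User's first request, and the constructed values at the bottom are assumptions made for the example.<br />

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple, Union

DEFAULT = "Default"   # individual option value that defers to the global (Policy) setting


@dataclass
class BvdpPolicy:
    """Global Backup Virtual Digipass options, as defined in the Policy."""
    enabled: bool = False
    max_uses: Optional[int] = None        # None = no limit on the number of uses
    period: Optional[timedelta] = None    # None = no time limit


@dataclass
class BvdpDigipass:
    """Individual options on one Digipass record; DEFAULT means 'use the Policy value'."""
    enabled: Union[bool, str] = DEFAULT
    max_uses: Union[int, None, str] = DEFAULT
    period: Union[timedelta, None, str] = DEFAULT
    uses: int = 0                            # Backup OTPs requested since the last reset
    period_start: Optional[datetime] = None  # assumption: the period runs from the first request


def effective(individual, global_value):
    """Global settings apply to every Digipass whose individual option is 'Default'."""
    return global_value if individual == DEFAULT else individual


def request_backup_otp(dp: BvdpDigipass, policy: BvdpPolicy, now: datetime) -> Tuple[bool, str]:
    """Decide whether a Backup Virtual Digipass OTP request is allowed, recording the use if so."""
    if not effective(dp.enabled, policy.enabled):
        return False, "Backup Virtual Digipass is not enabled for this Digipass"
    max_uses = effective(dp.max_uses, policy.max_uses)
    period = effective(dp.period, policy.period)
    if period is not None:
        if dp.period_start is None:
            dp.period_start = now
        elif now > dp.period_start + period:
            return False, "time period expired; an administrator must extend or reset it"
    if max_uses is not None and dp.uses >= max_uses:
        return False, "maximum number of uses reached; an administrator must reset it"
    dp.uses += 1
    remaining = "unlimited" if max_uses is None else str(max_uses - dp.uses)
    return True, f"OTP sent to the User's mobile; remaining uses: {remaining}"


def administrator_reset(dp: BvdpDigipass) -> None:
    """Only an administrator clears a User's exhausted limit (2.7.7)."""
    dp.uses = 0
    dp.period_start = None


# Constructed values for trying the functions out; not from the guide.
T0 = datetime(2005, 6, 1, 9, 0)
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

if __name__ == "__main__":
    policy = BvdpPolicy(enabled=True, max_uses=3, period=2 * DAY)  # global: 3 uses within 2 days
    alice = BvdpDigipass()                                           # all individual options 'Default'
    for t in (T0, T0 + HOUR, T0 + 2 * HOUR, T0 + 3 * HOUR):
        print(t.time(), request_backup_otp(alice, policy, t))       # the fourth request is rejected
    administrator_reset(alice)
    print("after reset", request_backup_otp(alice, policy, T0 + 3 * DAY))
```

A Digipass whose individual max_uses and period are set to None (rather than 'Default') is the per-User exception the text mentions: the global limits no longer apply to it, which is exactly why such exceptions should be rare.<br />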
2.7.6.2 Backup Virtual <strong>Digipass</strong> Usage <strong>Guide</strong>lines<br />
Some questions which will need to be answered before arriving at a Backup Virtual Digipass<br />
usage guideline are:<br />
Will any users have access to Backup Virtual <strong>Digipass</strong>?<br />
If so, will all users have access to Backup Virtual <strong>Digipass</strong>?<br />
Will usage of Backup Virtual <strong>Digipass</strong> be limited? If so, how?<br />
Time-limited<br />
Limited number of uses<br />
Some Possible Guidelines<br />
Guideline | Pro | Con<br />
Backup Virtual Digipass disabled for all; enabled for individual Users as required. | Low text message costs. | Manual enable for each User and circumstance; possible heavy administration load.<br />
Backup Virtual Digipass enabled for all; a time limit or a number-of-uses limit set. | Predictable text message costs. | Administrator may need to reset limits frequently; medium administration load.<br />
Backup Virtual Digipass enabled for all; no limits set. | Lighter administration load. | Possible high text message costs.<br />
Table 5: Backup Virtual Digipass Example Guidelines<br />
2.7.7 Resetting Virtual Digipass Restrictions<br />
When a User has reached their limit of Backup Virtual Digipass use, an administrator must reset<br />
their limit before the User can request another OTP.<br />
2.7.8 Virtual <strong>Digipass</strong> Login options<br />
A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users<br />
with a hardware Digipass and the Backup Virtual Digipass enabled must be able to request an<br />
OTP to be sent to their mobile when required, but log in using the hardware Digipass at<br />
other times.<br />
The simplest method for the User is a 2-step login, where the User enters their User ID and<br />
static password only, which triggers an OTP Request, and is then redirected to a second login<br />
page to enter the OTP sent to them. To use this method, though, your system must be set up to<br />
allow 2-step logins. Check with your system administrator if unsure.<br />
Alternatives to the 2-step login are a sequence of two 1-step logins or the use of the OTP<br />
Request Site.<br />
See the Administrator Reference for information on the possible login permutations.<br />
2.7.9 Location of OTP Request Site<br />
If the OTP Request Site is to be used, its location must be decided. You may install the Web Site<br />
on any web server, bearing the following in mind:<br />
If the Web Site is installed on a web server in the DMZ, you need to permit TCP/IP access<br />
from that web server to the IAS Plug-In on port 20003. Restrict the rule to the web server's<br />
address rather than opening the port to the whole DMZ. This is the recommended option.<br />
The Web Site can be published on the Internet, but it is then essential to protect access to it<br />
with SSL (or TLS); otherwise an attacker who can observe the traffic could discover static<br />
passwords and PINs. Publishing the Web Site on the Internet also allows anyone in the world to<br />
send requests to the IAS Plug-In, which opens the door to denial of service and to brute force<br />
attacks on static passwords. It is strongly advised to restrict the Web Site from general use in<br />
some way, for example by limiting the source addresses that may reach it.<br />
If the Web Site is installed on a web server that communicates over a WAN link with the IAS<br />
Server(s), the WAN link must be encrypted. For example, an IPSEC-based VPN connection would<br />
be sufficient.<br />
3 <strong>Digipass</strong> User Accounts<br />
3.1 User Account Identification<br />
The IAS Plug-In requires a User ID (SAM-Account-Name) and domain (Fully Qualified Domain<br />
Name) for each User logging in through it. These are derived in different ways, depending on<br />
the form of the name entered by the User.<br />
If the User enters:<br />
Format | Example | Method Used to Identify User Account<br />
UPN | user@domain.com | The Global Catalog is used to translate this into User ID and domain. *<br />
Windows NT format | DOMAIN\user | The Global Catalog is used to translate this into User ID and domain. *<br />
User ID | User | The IAS Plug-In uses the default domain set in the applicable Policy if defined, otherwise the Configuration Domain set in the configuration file for the Plug-In.<br />
Table 6: User Account Identification Methods<br />
* Access to a Global Catalog is therefore required by the Plug-In.<br />
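As an added example, and not code from the IAS Plug-In, the function below applies the three rules of Table 6 to the name typed at login, including the failure cases (no Global Catalog reachable, unknown UPN or domain, bare User ID with no default domain configured). The GlobalCatalog class is a constructed stand-in for the directory lookups, with sample mappings invented for the example; the real Plug-In queries Active Directory.<br />

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class GlobalCatalog:
    """Constructed stand-in for the Active Directory Global Catalog lookups the Plug-In performs."""
    upn_to_account: Dict[str, Tuple[str, str]]   # UPN -> (sAMAccountName, fully qualified domain name)
    netbios_to_fqdn: Dict[str, str]              # NetBIOS domain name -> fully qualified domain name

    def resolve_upn(self, upn: str) -> Optional[Tuple[str, str]]:
        return self.upn_to_account.get(upn.lower())

    def resolve_netbios(self, netbios: str) -> Optional[str]:
        return self.netbios_to_fqdn.get(netbios.upper())


def identify_account(login_name: str, gc: Optional[GlobalCatalog],
                     policy_default_domain: Optional[str],
                     configuration_domain: Optional[str]) -> Tuple[str, str]:
    """Return (User ID, domain) for the name typed at login, following Table 6."""
    name = login_name.strip()
    if not name:
        raise ValueError("empty login name")
    if "@" in name:                                   # UPN: user@domain.com
        if gc is None:
            raise LookupError("a Global Catalog is required to translate a UPN")
        account = gc.resolve_upn(name)                # UPN prefix need not equal the SAM account name
        if account is None:
            raise LookupError(f"UPN {name!r} not found in the Global Catalog")
        return account
    if "\\" in name:                                  # Windows NT format: DOMAIN\user
        if gc is None:
            raise LookupError("a Global Catalog is required to translate DOMAIN\\user")
        netbios, _, user = name.partition("\\")
        if not netbios or not user or "\\" in user:
            raise ValueError(f"malformed DOMAIN\\user name {name!r}")
        fqdn = gc.resolve_netbios(netbios)
        if fqdn is None:
            raise LookupError(f"domain {netbios!r} not found in the Global Catalog")
        return user, fqdn
    # Bare User ID: the Policy's default domain if defined, otherwise the Configuration Domain
    domain = policy_default_domain or configuration_domain
    if not domain:
        raise ValueError("bare User ID but neither a Policy default domain nor a Configuration Domain is set")
    return name, domain


if __name__ == "__main__":
    # Constructed directory content for the demonstration; not from the guide.
    gc = GlobalCatalog({"j.smith@example.com": ("jsmith", "example.com")},
                       {"EXAMPLE": "example.com", "SALES": "sales.example.com"})
    for typed in ("J.Smith@example.com", "SALES\\jsmith", "jsmith"):
        print(typed, "->", identify_account(typed, gc, None, "example.com"))
```

The point a deployment should verify is the last rule: a bare User ID is silently attached to the Policy default domain or the Configuration Domain, so a User with same-named accounts in two domains is authenticated against whichever domain the Policy names, not necessarily the one they meant.<br />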
3.2 <strong>Digipass</strong> User Account Creation<br />
A <strong>Digipass</strong> User account can be created in a number of ways:<br />
3.2.1 Manual Creation<br />
A <strong>Digipass</strong> User Account can be created manually <strong>for</strong> a User account in Active Directory.<br />
3.2.2 User Self-Management Web Site<br />
Enabling Dynamic User Registration on a system which includes the User Self-Management<br />
Web Site will allow Users to create their own <strong>Digipass</strong> User Account via the web site.<br />
3.2.3 Dynamic User Registration<br />
When the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> receives an authentication request <strong>for</strong> a User without a <strong>Digipass</strong> User<br />
account, it can check the credentials with Windows. If the authentication is successful with<br />
Windows, the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> can create a <strong>Digipass</strong> User account automatically <strong>for</strong> the User. This<br />
process is called Dynamic User Registration (DUR) and can be enabled via the Administration<br />
MMC <strong>In</strong>terface.<br />
This feature is commonly used in conjunction with Auto-Assignment, so that the new account<br />
is immediately assigned a <strong>Digipass</strong>.<br />
Image 19: Dynamic User Registration<br />
3.2.4 Changes to Stored Static Password<br />
If Stored Password Proxy is enabled, any change to a User's Windows static password must also be<br />
communicated to the IAS Plug-In, which would otherwise continue to use the old stored password.<br />
There are two ways to do this:<br />
3.2.4.1 Password Autolearn<br />
If Password Autolearn is enabled, a User may log in directly with their new static password. If it<br />
does not match the static password stored by the IAS Plug-In, it is verified with Windows. If<br />
correct, the IAS Plug-In stores the new static password for future use and authenticates the User.<br />
3.2.4.2 User Self-Management Web Site<br />
When the User Self-Management Web Site is used, the User may update the IAS Plug-In's record of<br />
their stored static password. They must be able to log in according to current settings to do<br />
this, and the Password Autolearn feature must be enabled.<br />
3.3 Logging in with a <strong>Digipass</strong><br />
This topic explains the basic steps required to log in using the three available authentication<br />
methods. Depending on your settings, a User may be required to enter other in<strong>for</strong>mation in<br />
the password field during login (see 3.3.3 Password Field <strong>In</strong><strong>for</strong>mation).<br />
3.3.1 Login Processes<br />
The diagram below shows a typical login process <strong>for</strong> the three basic login methods supported<br />
by the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong>. The actual details entered by the User may vary, depending on Policy<br />
settings.<br />
Image 20: Login Method Processes<br />
3.3.2 Multiple <strong>Digipass</strong> or <strong>Digipass</strong> Applications<br />
A User may have multiple <strong>Digipass</strong> assigned to their User account, and/or multiple Applications<br />
enabled <strong>for</strong> a <strong>Digipass</strong>. If so, the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will need to know which <strong>Digipass</strong> and <strong>Digipass</strong><br />
Application will be used <strong>for</strong> a particular login <strong>for</strong> the User.<br />
The <strong>Digipass</strong> and <strong>Digipass</strong> Application required <strong>for</strong> a login is selected by the Policy applicable to<br />
the login scenario. Policy settings may determine the Application Names, Application Type,<br />
and/or <strong>Digipass</strong> Types to be used.<br />
Once the Policy settings are taken into account, there may still be more than one <strong>Digipass</strong><br />
Application that could be used. <strong>In</strong> that case, the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will check each one.<br />
3.3.3 Password Field Information<br />
Information which may need to be entered into the password field during login:<br />
Static Password<br />
The static password may be entered to:<br />
authenticate the User if they do not have a Digipass assigned (or if all Digipass assigned<br />
to the User are in the grace period).<br />
request a challenge or a Virtual Digipass OTP.<br />
be passed on to Windows during back-end authentication (Stored Password Proxy off).<br />
inform the IAS Plug-In of a change to the User's Windows static password (Password<br />
Autolearn and Stored Password Proxy on).<br />
Serial Number<br />
The serial number of a User's assigned Digipass is required if:<br />
this is the first time the User has logged in using a Digipass, AND<br />
the User is required to Self-Assign the Digipass using the login process (as opposed to<br />
the User Self-Management Web Site).<br />
Server PIN<br />
If a Server PIN is required for the User's Digipass, it must be entered every time the User logs<br />
in. The User can change their PIN by providing the new PIN twice after the OTP (unless CHAP,<br />
MS-CHAP or EAP-MD5 is being used: these protocols deliver only a hash of the password field, so<br />
the IAS Plug-In cannot read a new PIN out of it).<br />
Request Keyword<br />
A Keyword can be used to indicate a request to the IAS Plug-In for an OTP to be sent to the<br />
User's mobile phone, or for a 2-step Challenge/Response login. A keyword may be used in<br />
conjunction with the static password or on its own. However, if the keyword is used on its own<br />
to request a Virtual Digipass OTP, the static password must be entered in the second login step<br />
as well as the OTP.<br />
One Time Password<br />
A One Time Password is typically required to log in via the IAS Plug-In.<br />
3.4 Administration Privileges<br />
The <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will allow access to <strong>Digipass</strong> User accounts and <strong>Digipass</strong> records based on a<br />
User's Active Directory privileges. Extra privileges may be granted via the Active Directory<br />
Users and Computers console.<br />
See the Administrator Reference <strong>for</strong> more in<strong>for</strong>mation.<br />
3.5 Authenticating Users<br />
Authentication settings may be applied to an individual User account, although typically these<br />
will be set by the Policy.<br />
3.5.1 Authentication Settings<br />
<strong>Digipass</strong> User account and Policy settings control the authentication process as follows:<br />
The authentication settings <strong>for</strong> a <strong>Digipass</strong> User account override a Policy setting.<br />
The relevant Policy is referred to if the authentication setting <strong>for</strong> a <strong>Digipass</strong> User account<br />
is “Default” or if a <strong>Digipass</strong> User account does not exist <strong>for</strong> the login.<br />
3.5.2 Local Authentication<br />
'Local' authentication is a term used to describe the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> authenticating a login based<br />
on in<strong>for</strong>mation in its data store and the One Time Password entered during the login.<br />
The Local Authentication setting specifies whether the IAS Plug-In will authenticate a login<br />
based on an OTP or stored static password. Back-end authentication may also be used: with the<br />
Digipass/Password and Digipass Only options, an authentication request is only checked with<br />
the back-end authenticator after it has passed authentication by the IAS Plug-In.<br />
None<br />
The <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will not authenticate the User's credentials – the request will typically be<br />
checked with the back-end authenticator.<br />
<strong>Digipass</strong>/Password<br />
The <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will always process authentication requests. If a User has had a <strong>Digipass</strong><br />
assigned, they must use an OTP during login, unless a Grace Period is still active <strong>for</strong> the<br />
<strong>Digipass</strong>. If a User does not have a <strong>Digipass</strong> assigned, they can use their static password to<br />
log in. The static password entered will be checked against the stored static password or if<br />
Back-End Authentication is used, the Windows static password.<br />
<strong>Digipass</strong> Only<br />
The <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will always process authentication requests. Users must login using an OTP.<br />
Users without <strong>Digipass</strong> will not be able to log in.<br />
3.5.3 Back-End Authentication<br />
'Back-end' authentication applies to the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> checking login details (User ID and static<br />
password) with another system – Windows. This is used by the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> mostly <strong>for</strong> the<br />
Dynamic User Registration and Self-Assignment processes.<br />
Back-end authentication settings specify whether the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will pass on an<br />
authentication request to Windows. The User's static password is required <strong>for</strong> this step, and is<br />
retrieved from either the login, or the stored static password in the <strong>Digipass</strong> User Account.<br />
None<br />
The <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will not utilize back-end authentication.<br />
Always<br />
The IAS Plug-In will send an authentication request to a back-end authenticator, using the<br />
protocol set for the Policy (Windows only at this stage).<br />
If Needed<br />
Back-end authentication will be used in situations where local authentication is not sufficient:<br />
Dynamic User Registration<br />
Self-Assignment<br />
Password Autolearn<br />
Requesting a challenge or Virtual Digipass OTP, when the Request Method includes a<br />
static password<br />
Static password authentication, when verifying a Virtual Digipass static password-OTP<br />
combination or during the Grace Period<br />
Protocol<br />
The IAS Plug-In needs to know the protocol to use in requesting authentication of a User's<br />
information. Windows is currently the only option.<br />
3.5.4 User Account Locking<br />
A <strong>Digipass</strong> User account may be locked if the User has attempted, and failed, to log in a<br />
particular number of times. This number can be set in the Policy. Once the account is locked,<br />
an administrator must manually unlock it. Until it is unlocked, the User will be unable to log<br />
in.<br />
3.5.5 Windows Group Check<br />
Specific Windows Groups can be selected <strong>for</strong> authentication by the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong>. This feature<br />
might be used when:<br />
Deploying <strong>Digipass</strong> in stages, using Dynamic User Registration and Auto-Assignment.<br />
Two-factor authentication is needed only <strong>for</strong> access to sensitive data, which has been<br />
granted to certain Users (<strong>for</strong> example, administrators). Only this group of people will<br />
require <strong>Digipass</strong>, and will be authenticated by the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong>. Other Users will be<br />
authenticated only by <strong>IAS</strong> using another authentication method.<br />
Most Users will have <strong>Digipass</strong> and be permitted to log in to the system, but some Users<br />
should not be authenticated under any circumstances.<br />
The Group Check can work in one of two ways:<br />
Authenticate listed groups, pass others through<br />
Only process authentication requests <strong>for</strong> users in a group in the Group List; let requests <strong>for</strong><br />
other users pass through unmodified to <strong>IAS</strong> <strong>for</strong> authentication.<br />
Authenticate listed groups, reject others<br />
Only permit access <strong>for</strong> users belonging to a group in the Group List; reject access <strong>for</strong> other<br />
users.<br />
The group check is typically used with these settings:<br />
Dynamic User Registration enabled<br />
Auto-Assignment enabled<br />
3.5.5.2 Windows Group Check Process<br />
The diagram below shows the basic process involved in a Windows Group Check when DUR and<br />
Auto-Assignment are enabled. It occurs during the User authentication process (see Image 21:<br />
Windows Group Check Process for an overview).<br />
Image 21: Windows Group Check Process<br />
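The decision flow of sections 3.5.1 to 3.5.5, as an added Python model that is not VASCO's implementation: account settings override the Policy unless they read 'Default', the Windows Group Check runs before any credential check, Local Authentication decides whether an OTP or a static password is expected, Back-End Authentication decides when Windows is consulted, and failures feed the account lock threshold. The demo_verifiers function supplies constructed stand-ins for OTP verification and for the Windows check (the Digipass algorithm is not shown on this page). The handling of an 'Always' back-end check after an OTP login (using the stored static password), the OTP-first order during the Grace Period, and the clearing of the failure counter on success are assumptions, as are all names and sample values.<br />

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

DEFAULT = "Default"   # per-account value meaning 'use the Policy setting'


@dataclass
class Policy:
    local_auth: str = "Digipass/Password"   # "None" | "Digipass/Password" | "Digipass Only"
    backend_auth: str = "If Needed"         # "None" | "Always" | "If Needed" (protocol: Windows)
    group_check: str = "Off"                # "Off" | "Pass others through" | "Reject others"
    group_list: FrozenSet[str] = frozenset()
    lock_threshold: int = 0                 # failed logins before the account locks; 0 = never


@dataclass
class DigipassUser:
    user_id: str
    groups: FrozenSet[str] = frozenset()
    local_auth: str = DEFAULT               # account settings override the Policy unless "Default"
    backend_auth: str = DEFAULT
    digipass_assigned: bool = False
    in_grace_period: bool = False
    stored_password: Optional[str] = None   # stored static password (Stored Password Proxy)
    failed_logins: int = 0
    locked: bool = False


def effective(account_value: str, policy_value: str) -> str:
    return policy_value if account_value == DEFAULT else account_value


def authenticate(user: DigipassUser, policy: Policy, password_field: str,
                 verify_otp: Callable[[str, str], bool],
                 windows_check: Callable[[str, str], bool]) -> str:
    """Return "ACCEPT", "PASS_THROUGH" (left to IAS) or "REJECT: <reason>"."""
    # Windows Group Check: users outside the Group List are passed through or rejected
    if policy.group_check != "Off" and not (user.groups & policy.group_list):
        if policy.group_check == "Pass others through":
            return "PASS_THROUGH"
        return "REJECT: user is not in a listed Windows Group"
    if user.locked:
        return "REJECT: Digipass User account is locked; an administrator must unlock it"
    local = effective(user.local_auth, policy.local_auth)
    backend = effective(user.backend_auth, policy.backend_auth)

    if local == "None":
        # The Plug-In does not check the credentials itself
        if backend == "None":
            return "PASS_THROUGH"
        return record(user, policy, windows_check(user.user_id, password_field),
                      "Windows rejected the static password")

    if local == "Digipass Only" or (user.digipass_assigned and not user.in_grace_period):
        if not user.digipass_assigned:
            return "REJECT: Local Authentication is Digipass Only and no Digipass is assigned"
        ok = verify_otp(user.user_id, password_field)
        if ok and backend == "Always":
            # Back-end check only after a successful local check; the login carried just an OTP,
            # so the static password must come from the Digipass User account (assumption)
            ok = user.stored_password is not None and windows_check(user.user_id, user.stored_password)
        return record(user, policy, ok, "OTP or back-end check failed")

    # Static password login: no Digipass assigned, or every assigned Digipass is in its Grace Period
    # (during the Grace Period an OTP is still accepted; assumption: it is tried first)
    if user.digipass_assigned and verify_otp(user.user_id, password_field):
        return record(user, policy, True, "")
    if backend == "None":
        ok = user.stored_password is not None and password_field == user.stored_password
    else:
        ok = windows_check(user.user_id, password_field)   # "Always" and "If Needed" both reach Windows
    return record(user, policy, ok, "static password rejected")


def record(user: DigipassUser, policy: Policy, ok: bool, reason: str) -> str:
    """Apply the outcome to the lockout counter (3.5.4)."""
    if ok:
        user.failed_logins = 0          # assumption: a successful login clears the counter
        return "ACCEPT"
    user.failed_logins += 1
    if policy.lock_threshold and user.failed_logins >= policy.lock_threshold:
        user.locked = True
        return f"REJECT: {reason}; account is now locked"
    return f"REJECT: {reason}"


def demo_verifiers():
    """Constructed stand-ins: the OTPs a Digipass would currently produce, and Windows passwords."""
    otps = {"jsmith": {"482913"}}
    windows = {"jsmith": "Winter2005!", "tjones": "P@ssw0rd"}
    return (lambda uid, otp: otp in otps.get(uid, set()),
            lambda uid, pw: windows.get(uid) == pw)


if __name__ == "__main__":
    verify_otp, windows_check = demo_verifiers()
    jsmith = DigipassUser("jsmith", digipass_assigned=True)
    print(authenticate(jsmith, Policy(), "482913", verify_otp, windows_check))      # ACCEPT
    print(authenticate(jsmith, Policy(), "Winter2005!", verify_otp, windows_check))  # REJECT: OTP required
```

Two consequences worth checking in a real deployment fall out of the model: with 'Pass others through', a User who is not in the Group List is never asked for an OTP at all, so the Group List must be maintained as carefully as the Digipass assignments; and with Local Authentication 'None' and Back-End 'None', the Plug-In adds nothing and IAS alone decides.<br />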
3.5.6 Linking User Accounts<br />
If a User has more than one Active Directory user account, <strong>for</strong> example an administrative<br />
account and a 'normal user' account, the two <strong>Digipass</strong> User accounts can be linked together.<br />
This provides the ability <strong>for</strong> the two accounts to share a <strong>Digipass</strong>. The <strong>Digipass</strong> is assigned to<br />
one of the accounts, then the other account is linked to it.<br />
4 Policies<br />
4.1 What are Policies?<br />
Policies allow you comprehensive control over the authentication process. At least one Policy<br />
is required to determine whether various features are enabled, and how logins should be<br />
handled by the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong>. A number of example Policies are included when the <strong>Digipass</strong><br />
<strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong> is installed.<br />
4.2 How Do They Work?<br />
The principle of Policies is that a single Policy is applied to an authentication request. The<br />
choice of Policy is made by the Component (eg. <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> or RADIUS Client). All login<br />
requests <strong>for</strong> a particular Component are handled according to the settings of its chosen Policy.<br />
<strong>In</strong> the case of the <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong>, a Component must be present <strong>for</strong> the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong>.<br />
This Component will identify the Policy to be used as a default <strong>for</strong> any requests that it handles.<br />
However, if you wish to apply a different Policy according to the RADIUS Client (eg. NAS, VPN<br />
appliance), you are allowed to create additional Component records that will specify the<br />
preferred Policies <strong>for</strong> those cases.<br />
1. User attempts to log into the RADIUS Client.<br />
2. RADIUS Client sends an authentication request to IAS.<br />
3. IAS Plug-In checks whether there is a Component record for the RADIUS Client.<br />
4. If there is no RADIUS Client Component record, the IAS Plug-In looks up its own Component record.<br />
5. IAS Plug-In selects the Policy set for the Component.<br />
6. IAS Plug-In handles the authentication request according to the Policy settings.<br />
Image 22: Policy Selection<br />
4.3 Policy Settings<br />
Settings controlled by Policies include the following groupings.<br />
Note<br />
The <strong>IAS</strong> service must be restarted be<strong>for</strong>e Policy setting changes will become<br />
effective.<br />
Local and/or Back-end Authentication<br />
Whether the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> should authenticate logins, and whether logins authenticated with<br />
in<strong>for</strong>mation held by the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> should be checked with another system (eg. Windows).<br />
See these topics <strong>for</strong> more in<strong>for</strong>mation:<br />
3.5.2 Local Authentication<br />
3.5.3 Back-End Authentication<br />
User Accounts<br />
Determines how the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will handle <strong>Digipass</strong> User account creation, logins and<br />
passwords. See these topics <strong>for</strong> more in<strong>for</strong>mation:<br />
3.2.3 Dynamic User Registration<br />
3.5.4 User Account Locking<br />
3.2.4.1 Password Autolearn<br />
Windows Group Check<br />
Windows Group checks allow regulation of the local and back-end authentication <strong>for</strong> Users<br />
belonging to specified Windows Groups. See 3.5.5 Windows Group Check <strong>for</strong> more<br />
in<strong>for</strong>mation.<br />
<strong>Digipass</strong> Assignment<br />
The method <strong>for</strong> assignment of <strong>Digipass</strong> to Users, and settings relevant to <strong>Digipass</strong> assignment.<br />
See these topics <strong>for</strong> more in<strong>for</strong>mation:<br />
2.5.1 <strong>Digipass</strong> Assignment Options<br />
<strong>Digipass</strong> Settings<br />
Specifies the <strong>Digipass</strong> Applications, Types and actions allowed. See these topics <strong>for</strong> more<br />
in<strong>for</strong>mation:<br />
2.1 Types of <strong>Digipass</strong><br />
2.2.1 <strong>Digipass</strong> Applications<br />
1-Step Challenge/Response<br />
Whether 1-Step Challenge/Response is enabled, and settings relevant to it.<br />
Note<br />
1-Step Challenge/Response is not supported <strong>for</strong> use with RADIUS, but the<br />
settings are included <strong>for</strong> compatibility with other products.<br />
2-Step Challenge/Response<br />
How Digipass Users may request a 2-Step Challenge/Response login. See 3.3.1 Login<br />
Processes for more information.<br />
Primary Virtual Digipass Login<br />
How Digipass Users may request a Primary Virtual Digipass login if multiple Digipass, including<br />
a Primary Virtual Digipass, are assigned to them. See 2.7.8 Virtual Digipass Login options<br />
for more information.<br />
Backup Virtual <strong>Digipass</strong><br />
Whether the Backup Virtual <strong>Digipass</strong> feature is enabled, and how it may be used. See 2.2.4.4<br />
Backup Virtual <strong>Digipass</strong> <strong>for</strong> more in<strong>for</strong>mation.<br />
<strong>Digipass</strong> Control Parameters<br />
Settings which control how the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> handles the OTP provided by a <strong>Digipass</strong>, such as<br />
the time shift allowed, and how many days the <strong>Digipass</strong> may be inactive (not used <strong>for</strong> logins<br />
through this plug-in) be<strong>for</strong>e being flagged as inactive. See 2.2.4 <strong>Digipass</strong> Record Settings<br />
<strong>for</strong> more in<strong>for</strong>mation.<br />
4.4 Multiple Policies<br />
Multiple Policies can be created. The Policy selected for use by the IAS Plug-In will depend on the Component making the authentication request, as illustrated above.<br />
4.4.1 Inheritance<br />
Policies may be set up in a hierarchy, where one Policy will inherit most of its attributes from a parent Policy, but with some modifications for a slightly different scenario.<br />
Image 23: Policy Inheritance<br />
In the example above, all attributes are inherited from the parent Policy, except those explicitly set.<br />
4.4.2 Show Effective Settings<br />
As the various levels of settings in Policy inheritance can get confusing, functionality is available which allows you to view the settings effective for a selected Policy, taking inherited settings into account. The text below shows the effective settings for the IAS Windows Self-Assignment Policy:<br />
Effective Policy Settings<br />
[Local/Back-End Authentication] :<br />
Local Authentication : Digipass/Password<br />
Back-End Authentication : If Needed<br />
Back-End Protocol : Windows<br />
[User Accounts] :<br />
Dynamic User Registration : Yes<br />
Password Autolearn : No<br />
Stored Password Proxy : No<br />
Default Domain :<br />
User Lock Threshold : 0<br />
[Windows Group Check] :<br />
Group Check Option : No Check<br />
Group List :<br />
[Digipass Assignment] :<br />
Assignment Mode : Self-Assignment<br />
Grace Period (days) : 0<br />
Serial No. Separator : |<br />
Search up Organizational Unit Hierarchy : Yes<br />
[Digipass Settings] :<br />
Application Names :<br />
Application Type : No Restriction<br />
Digipass Types :<br />
PIN Change Allowed : Yes<br />
[1-Step Challenge Response] :<br />
Enabled : No<br />
Challenge Length : 0<br />
Challenge Check Digit : No<br />
[2-Step Challenge Response] :<br />
Request Method : Keyword<br />
Request Keyword :<br />
[Primary Virtual Digipass] :<br />
Request Method : None<br />
Request Keyword :<br />
[Backup Virtual Digipass] :<br />
Enabled : No<br />
Maximum Days : 0<br />
Maximum Uses : 0<br />
Request Method : KeywordPassword<br />
Request Keyword : otp<br />
[Digipass Control Parameters] :<br />
Identification Time Window : 20<br />
Signature Time Window : 24<br />
Event Window : 20<br />
Initial Time Window : 6<br />
Identification Threshold : 0<br />
Signature Threshold : 0<br />
Check Challenge Flag : 1<br />
Level of Online Signature : 0<br />
Allowed Inactive Days : 0<br />
You will note that the settings listed above include those set in Policies from which the IAS Windows Self-Assignment Policy inherits.<br />
4.5 Pre-Loaded Policies<br />
These Policies are created for the IAS Plug-In on installation of the Digipass Plug-In for IAS. They provide an example for setting up Policies in a typical environment.<br />
Each pre-loaded Policy is listed with its Parent Policy, Description and Non-Default Settings:<br />
Policy Name: Base Policy<br />
Parent Policy: (none)<br />
Description: Globally applicable settings. In general, all other Policies should inherit from this, directly or indirectly.<br />
Non-Default Settings: User Lock Threshold = 3, PIN Change Allowed = Yes, Challenge Request Method = Keyword (Note: the keyword is blank though), PVDP Request Method = Password, BVDP Request Method = KeywordPassword, BVDP Keyword = “otp”, ITimeWindow = 100, EventWindow = 100, SyncWindow = 6, IThreshold = 0<br />
Policy Name: IAS Base Policy<br />
Parent Policy: Base Policy<br />
Description: Settings applicable to all IAS Plug-In Policies, including local authentication. In general, all other IAS policies should inherit from this, directly or indirectly.<br />
Non-Default Settings: Local Authentication = Digipass/Password, Back-End Authentication = If Needed, Back-End Protocol = Windows, Dynamic User Registration = Yes<br />
Policy Name: IAS Windows Auto-Assignment<br />
Parent Policy: IAS Base Policy<br />
Description: IAS Plug-In model for Auto-Assignment with Dynamic User Registration, using Windows back-end authentication and a Windows group check.<br />
Non-Default Settings: Assignment Mode = Auto-Assignment, Search up OU Path = Yes, Grace Period = 7, Group Check Mode = Passthrough, Group List = “Digipass Users”<br />
Policy Name: IAS Windows Self-Assignment<br />
Parent Policy: IAS Base Policy<br />
Description: IAS Plug-In model for Self-Assignment with Dynamic User Registration, using Windows back-end authentication.<br />
Non-Default Settings: Back-End Authentication = If Needed, Back-End Protocol = Windows, Dynamic User Registration = Yes, Assignment Mode = Self-Assignment, Search up OU Path = Yes, Serial No. Separator = “|”<br />
4.6 Differences from VACMAN Middleware 2.3<br />
Some settings used in VACMAN Middleware have been modified in the IAS Plug-In. Most Server settings are found in Policies.<br />
4.6.1 Authenticator Setting<br />
The Authenticator field from VACMAN Middleware has been split into several fields in the plug-ins:<br />
Local Auth<br />
Back-End Authentication<br />
Back-End Protocol<br />
Disabled (User setting)<br />
The correspondence of the other fields is different for (VM) RADIUS and Web:<br />
Table 7: VACMAN Middleware and IAS Plug-In Authentication Settings<br />
VACMAN Middleware Setting | Local Auth setting | Back-End Auth setting | Back-End Protocol setting | Disabled checkbox<br />
RADIUS<br />
Local Server | Digipass/Password | None | (blank) | No<br />
Local and Proxy | (blank) | (blank) | (blank) | (blank)<br />
Proxy Server | (blank) | (blank) | (blank) | (blank)<br />
Local and Windows | Digipass/Password | Always | Windows | No<br />
Windows | None | Always | Windows | No<br />
Disabled | (blank) | (blank) | (blank) | Yes<br />
Web<br />
Local Server | Digipass/Password | None | (blank) | No<br />
Local and Proxy | Digipass/Password | If Needed | Windows | No<br />
Proxy Server | None | If Needed | Windows | No<br />
Local and Windows | Digipass/Password | If Needed | Windows | No<br />
Windows | None | If Needed | Windows | No<br />
Disabled | (blank) | (blank) | (blank) | Yes<br />
5 Components<br />
5.1 What is a Component Record?<br />
A Component record should exist when special authentication settings are required for logins from a particular server. For example, a company may have Users logging in via a NAS, a VPN appliance or the User Self-Management Web Site. A standard remote access Policy may be used for logins via the NAS, but some options may need to be disabled when the VPN appliance is used, or extra options enabled for the User Self-Management Web Site.<br />
Image 24: Component Overview<br />
5.1.1 No Component Record Exists for a RADIUS Client<br />
Any RADIUS Client which does not have an explicit Component record will be handled using the default IAS Plug-In Component.<br />
5.1.2 Policy Selection<br />
Each Component record will have a Policy selected for use in processing its authentication requests.<br />
Image 25: Component Use by IAS Plug-In<br />
5.2 Pre-loaded Component<br />
An IAS Plug-In Component is created on installation of the Digipass Plug-In for IAS. The IAS Base Policy is set as its Policy. Unless other Components are created or the Policy for the IAS Plug-In Component is modified, all authentication requests handled by the IAS Plug-In will use the settings for the IAS Base Policy.<br />
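The Policy inheritance of 4.4.1 and 4.4.2, the pre-loaded Policies of 4.5 and the Component lookup of 5.1.1 and 5.2, worked as one added Python example that is not VASCO's code: it resolves which Policy a RADIUS client's request uses, merges the parent chain into effective settings, and reports which Policy each value came from. The Policy and Component structures and the "vpn-appliance" client are assumptions constructed for the example; the real records live in the vasco-Policy and vasco-Component objects in Active Directory.

```python
"""Policy selection and effective-settings resolution for the IAS Plug-In.

Added example, not VASCO's code. The data structures below are constructed
for illustration; the real records are vasco-Policy and vasco-Component
objects in the Digipass-Configuration container.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    parent: Optional[str]
    # Only the settings explicitly set on this Policy; the rest are inherited.
    explicit: dict[str, object] = field(default_factory=dict)


# The pre-loaded Policies from section 4.5 (non-default settings only).
POLICIES: dict[str, Policy] = {p.name: p for p in (
    Policy("Base Policy", None, {
        "User Lock Threshold": 3, "PIN Change Allowed": "Yes",
        "Challenge Request Method": "Keyword", "Challenge Request Keyword": "",
        "PVDP Request Method": "Password",
        "BVDP Request Method": "KeywordPassword", "BVDP Keyword": "otp",
        "ITimeWindow": 100, "EventWindow": 100, "SyncWindow": 6, "IThreshold": 0,
    }),
    Policy("IAS Base Policy", "Base Policy", {
        "Local Authentication": "Digipass/Password",
        "Back-End Authentication": "If Needed", "Back-End Protocol": "Windows",
        "Dynamic User Registration": "Yes",
    }),
    Policy("IAS Windows Auto-Assignment", "IAS Base Policy", {
        "Assignment Mode": "Auto-Assignment", "Search up OU Path": "Yes",
        "Grace Period": 7, "Group Check Mode": "Passthrough",
        "Group List": "Digipass Users",
    }),
    Policy("IAS Windows Self-Assignment", "IAS Base Policy", {
        "Back-End Authentication": "If Needed", "Back-End Protocol": "Windows",
        "Dynamic User Registration": "Yes", "Assignment Mode": "Self-Assignment",
        "Search up OU Path": "Yes", "Serial No. Separator": "|",
    }),
)}


def inheritance_chain(name: str, policies: dict[str, Policy] = POLICIES) -> list[Policy]:
    """Return [policy, parent, grandparent, ...], refusing loops and dangling parents."""
    chain: list[Policy] = []
    seen: set[str] = set()
    current: Optional[str] = name
    while current is not None:
        if current in seen:
            raise ValueError(f"inheritance loop at {current!r}")
        if current not in policies:
            raise KeyError(f"parent Policy {current!r} does not exist")
        seen.add(current)
        policy = policies[current]
        chain.append(policy)
        current = policy.parent
    return chain


def effective_settings(name: str, policies: dict[str, Policy] = POLICIES) -> dict[str, object]:
    """What 'Show Effective Settings' computes: root first, each child overriding."""
    merged: dict[str, object] = {}
    for policy in reversed(inheritance_chain(name, policies)):
        merged.update(policy.explicit)
    return merged


def setting_origin(name: str, key: str, policies: dict[str, Policy] = POLICIES):
    """(value, Policy that set it), nearest Policy first; None if unset anywhere."""
    for policy in inheritance_chain(name, policies):
        if key in policy.explicit:
            return policy.explicit[key], policy.name
    return None


# Component records: RADIUS client -> Policy name. "IAS Plug-In" is the Component
# created at installation with IAS Base Policy as its Policy (section 5.2); the
# VPN appliance entry is a constructed example of a client with its own record.
DEFAULT_COMPONENT = "IAS Plug-In"
COMPONENTS: dict[str, str] = {
    DEFAULT_COMPONENT: "IAS Base Policy",
    "vpn-appliance": "IAS Windows Self-Assignment",
}


def policy_for_client(client: str, components: dict[str, str] = COMPONENTS) -> str:
    """A RADIUS Client with no Component record uses the default IAS Plug-In Component."""
    return components.get(client, components[DEFAULT_COMPONENT])


def settings_for_client(client: str) -> dict[str, object]:
    return effective_settings(policy_for_client(client))


if __name__ == "__main__":
    policy = policy_for_client("vpn-appliance")
    for key, value in sorted(settings_for_client("vpn-appliance").items()):
        print(f"{key:28} : {value!s:18} (from {setting_origin(policy, key)[1]})")
```

Running it lists the same kind of output as 4.4.2 but with the originating Policy beside each value, which is the fastest way to see why a client is getting a setting you did not expect.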
5.3 Licensing<br />
The Digipass Plug-In for IAS is licensed per IAS Plug-In Component. The License Key provided upon licensing of the product is loaded into the Component record itself, and details of the license may be viewed via the Component property sheet.<br />
6 Active Directory Integration<br />
6.1 What is Stored in Active Directory?<br />
The following information is stored in Active Directory:<br />
Digipass User accounts<br />
Digipass and Digipass Application records<br />
Digipass configuration records (Policies, Components)<br />
6.2 Schema Extensions<br />
User attributes – vasco-UserExt class<br />
Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-UserExt on the User class.<br />
Digipass and Digipass Application records<br />
The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which vasco-DPApplication records for that Digipass are stored.<br />
Upon assignment to a User, the Digipass record is stored in the same location as the User.<br />
Policies and Components<br />
Policy and Component records are stored in vasco-Policy and vasco-Component objects. They are located in a single “Digipass-Configuration” container in a single Domain.<br />
As the data model is shared with other Digipass Plug-In and Digipass Pack products, the schema will also include the vasco-BackEndServer class. However, this is not used in Digipass Plug-In for IAS.<br />
6.3 Permissions Needed by the IAS Plug-In<br />
The installation process will ensure that the IAS Plug-In has sufficient permissions. This is achieved by assigning permissions in the domain to the in-built “RAS and IAS Servers” group. It is necessary to make sure that the IAS server is added to that group.<br />
6.4 Sensitive Data Encryption<br />
Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this encryption may be strengthened by including a custom encryption key. See the Administrator Reference for more information.<br />
6.5 Administrative Permissions<br />
Administrative permissions for the IAS Plug-In administrators are controlled using Active Directory security properties. See the Permissions Needed by Administrators topic in the Administrator Reference for more information.<br />
Domain Administrators may view and edit all Digipass and Digipass User information in their domain, plus Digipass Configuration information if the Digipass Configuration Container is located in their domain. No permissions setup is required for them.<br />
Delegated Administrators may view and edit all Digipass and Digipass User information within their administrative scope of control. It is necessary to grant them full control, create and delete permissions over the Digipass and Digipass Application objects within their scope.<br />
Reduced Rights Administrators may perform a subset of the administration tasks. 'Property sets' are defined within the directory which can be used to enable or limit them in various Digipass administration tasks (e.g. access to the Digipass blob).<br />
6.6 Active Directory Command Line Utility<br />
This utility performs several tasks that are needed at various times during installation and upgrade if Active Directory is selected, or afterwards for maintenance. Some of the commands are run automatically by the installation program, while others are run manually. The commands that are run automatically can also be run manually, for example to troubleshoot why the installation is not succeeding.<br />
Table 8: DPADadmin tasks<br />
Command | Description<br />
addschema | Extend the Active Directory schema.<br />
checkschema | Check that the schema extensions are all present.<br />
setupdomain | Sets up the Digipass Configuration Container in the specified domain.<br />
setupaccess | Assign permissions to a Windows group including:<br />
Full read access to everything in the domain<br />
Full control over vasco-DPToken objects<br />
Full control over vasco-DPApplication objects<br />
Ability to create and delete vasco-DPToken objects<br />
Full write access to extension attributes on user objects<br />
This command can optionally be used to also add a machine to the group.<br />
7 Administration Interfaces<br />
7.1 Digipass Extension for Active Directory Users & Computers<br />
The Digipass Extension for Active Directory Users and Computers allows administration of Digipass User accounts and Digipass records within the Active Directory Users and Computers interface.<br />
7.2 Administration MMC Interface<br />
The Administration MMC Interface allows administration of Policies and Components in the Digipass Configuration Container.<br />
8 Licensing<br />
8.1 Overview<br />
VASCO products are licensed per Component record in the Digipass Configuration container. The licensing relies upon a License Key which is checked when the IAS Plug-In starts. This License Key is tied to the location (usually IP address) where the IAS Plug-In is installed, and stored in the Component for the plug-in. The IAS Plug-In will not function without a correct License Key.<br />
Evaluation Licenses<br />
If you have downloaded the Digipass Plug-In for IAS from the VASCO website, you will note that it comes with an evaluation license. This means that you can use its full functionality until the evaluation period runs out. At the end of this period, you will need to either uninstall the product or buy a permanent license. Contact your distributor or the appropriate VASCO Reseller representative to acquire the licences you will need.<br />
8.2 Obtaining a License Key File<br />
The installation process will guide you through the process of requesting and loading a License Key. However, if for some reason it is not possible to complete the licensing at installation time, the Administration MMC Interface can be used to obtain and load a License Key for a Component. This process must be completed for each IAS Plug-In, and requires an active internet connection to open the Digipass Plug-In Activation Page.<br />
8.2.1 Digipass Plug-In Activation Page<br />
9 Auditing and Tracing<br />
9.1 Auditing<br />
9.1.1 Audit System<br />
The VASCO Audit System records audit messages generated by the IAS Plug-In. The level of audit messages generated may be configured using the Administration MMC Interface.<br />
Audit messages are generated by:<br />
IAS Plug-In (using default settings)<br />
Administration MMC Interface (when enabled)<br />
Digipass Extension for Active Directory Users and Computers (when enabled)<br />
Audit messages may be recorded to and viewed in:<br />
Windows Event Log<br />
Text file<br />
9.1.1.1 Audit message types<br />
Table 9: Audit message types<br />
Type | Description<br />
Error | The message contains details about a system, configuration, licensing or some internal error. Errors do not include normal processing events such as failed logins.<br />
Warning | Warning messages contain details about potential problems within the system. This could include details such as a failed connection attempt to a Domain Controller.<br />
Information | Informational messages provide details about events within the system that need to be recorded but do not indicate errors or potential errors. An example of this may be a re-connection to Active Directory for load-balancing reasons.<br />
Success | Success messages contain details about processing events that were correctly processed. This may include successful authentications or successful administration commands.<br />
Failure | Failure messages contain details about processing events that failed. This may include rejected authentications, or administration actions that failed.<br />
9.1.1.2 Audit messages location<br />
Default<br />
The default auditing configuration is:<br />
All messages recorded to a text file<br />
Error messages also recorded to the Windows Event Log<br />
If a message was not recorded successfully to the text file, it will be recorded to the Windows Event Log<br />
Custom<br />
Auditing may be configured to suit your company's needs. For example, all messages might be recorded to the Windows Event Log, as this can be searched and filtered more easily than a simple text file. It also allows you to view audit messages as they are generated.<br />
9.1.2 Active Directory Auditing<br />
Active Directory auditing may be enabled and configured to record access and modifications to Digipass related data used by the IAS Plug-In. See the Active Directory Auditing topic in the Administrator Reference for more information.<br />
9.2 Tracing<br />
The level of tracing for the IAS Plug-In can be configured using the IAS Plug-In Configuration utility.<br />
Tracing messages will be recorded to a text file.<br />
Basic Tracing<br />
Basic Tracing will record:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Full Tracing<br />
Full tracing will record:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Informational messages [INFO] and [VINFO] (verbose)<br />
Data tracing messages [DATA]<br />
Debugging messages (useful for support purposes) [DEBUG]<br />
Security messages, messages that may contain security sensitive data [SECUR]<br />
10 User Self Management Web Site<br />
The User Self Management Web Site allows Users to perform functions which are unavailable during a usual login – either because the functionality is disabled within the IAS Plug-In configuration, or because CHAP or another protocol is in use which does not allow the functionality:<br />
User Registration and Auto-Assignment<br />
Self-Assignment<br />
Password Synchronization<br />
PIN Change<br />
Login Test<br />
The site can also be used to help Users get started with their Digipass while they are still in the office and help is available.<br />
10.1 Customizing the User Self Management Web Site<br />
It is anticipated that you may want to customize the web pages that are provided by default. You may wish to:<br />
change the colors and graphics to match your corporate colors/logos.<br />
integrate the pages into a larger web site.<br />
translate or customize the text.<br />
The web site is designed to permit extensive customization, provided that you post the correct data to the CGI program. This section provides the instructions and reference material that you require to customize the site. It is assumed that the reader has some web development knowledge.<br />
You can change any cosmetic part of the web pages. You can even write completely new web pages, provided that you provide the correct posted form fields to the CGI program, and interpret the query string variables correctly. You do not need to use plain HTML pages – server scripting languages such as PHP or ASP, or any other way of generating HTML, can be used.<br />
11 OTP Request Site<br />
The OTP Request Site provides a method for Users to request an OTP to be sent to their mobile, for use in logging in.<br />
Image 26: OTP Request Site<br />
The OTP Request Site is designed to be customized in a similar way to the User Self Management Web Site.<br />
12 Message Delivery Component<br />
The Message Delivery Component (MDC) interfaces with the gateway service to send a One Time Password to a User’s mobile phone. The MDC acts as a service, accepting messages from the IAS server, which are then forwarded to a text message gateway via the HTTP/HTTPS protocol.<br />
Since every gateway uses different submission parameters, a set of configuration values is required, which can be administered by the MDC Configuration GUI.<br />
The MDC service can be started and stopped through the Windows Service Manager Console.<br />
12.1 Configuration<br />
To configure gateway settings you will need:<br />
Gateway details OR a customized configuration file ordered from your VASCO supplier. This will need to be imported using the Configuration GUI.<br />
If you will not be using a configuration file, these details are required:<br />
Protocol to use in connecting to the gateway.<br />
An address string and port to use in connecting to the gateway.<br />
The path and filename of a certificate file, if required.<br />
The required Query String.<br />
The Query Method (GET or POST) required by the gateway.<br />
Username and password for the gateway account.<br />
Alphabetical Index<br />
Active Directory: 12, 17, 42, 62-64<br />
Administration MMC Interface: 1<br />
Application: 27<br />
Auditing: 66<br />
Authentication: 9, 13<br />
Auto-Assignment: 17<br />
Backup Virtual Digipass: 15, 22, 23, 25, 28, 29, 39-41<br />
Challenge: 23, 25, 26<br />
Challenge/Response: 23, 25, 26<br />
CHAP: 18<br />
Check Digit: 26-28<br />
Components: 12, 59, 62, 64<br />
Considerations: 39<br />
Data Migration Tool: 12, 19<br />
Digipass: ii, 9-13, 15, 17, 20-23, 25-30, 36-42, 45-48, 51, 62, 64<br />
Digipass<br />
Hardware Digipass: 11, 20, 39<br />
Software Digipass: 11, 21<br />
Virtual Digipass: 11, 12, 15, 22, 23, 25, 28, 29, 39-41<br />
Digipass: 12<br />
Digipass Application: 15, 23, 26-28, 36<br />
Digipass Configuration Container: 64<br />
Digipass Extension for Active Directory Users and Computers: 1<br />
Digipass for Palm: 21<br />
Digipass for Pocket PC: 21<br />
Digipass for SIM: 21<br />
Digipass for Windows: 21<br />
Digipass may be assigned: 38<br />
Digipass record: 17, 27, 38<br />
Digipass User: 17, 30, 38, 42, 47, 48, 51, 62, 64<br />
Digital Signature: 23<br />
DP 260: 20<br />
DP 300: 20<br />
DP 585: 20<br />
DP 800: 21<br />
DUR: 17, 42<br />
EAP: 18<br />
Event-based: 25-27<br />
GO 1: 20, 39<br />
GO 2: 21<br />
GO 3: 20, 39<br />
Grace Period: 23<br />
Hardware Digipass: 11, 20, 22, 39, 41<br />
Keyword: 46<br />
Licensing: 65<br />
MD5: 18<br />
Message Delivery Component: 12, 39, 71<br />
MS-CHAP: 18<br />
MS-CHAP2: 18<br />
One Time Password: 9, 12, 23, 25-28, 40, 41, 46, 70<br />
OTP Request Site: 12, 23, 25, 41, 70<br />
Palm: 21<br />
PAP: 18<br />
Password Autolearn: 43, 44, 46<br />
PIN<br />
Digipass PIN: 25, 36<br />
Reset PIN: 36<br />
Server PIN: 28, 36, 46<br />
Set: 36<br />
Pocket PC: 21<br />
Policies: 48, 52, 55<br />
Primary Virtual Digipass: 22, 23, 39, 40<br />
Programming: 25<br />
RADIUS: ii, 13, 25<br />
RADIUS Client: 13<br />
RADIUS Client Simulator: 13<br />
RADIUS Server: ii, 13<br />
Reset<br />
Application: 27<br />
Digipass Application: 15, 23, 26-28, 36<br />
© 2005 VASCO Data Security Inc. 72
  PIN: 36
Response Only: 20, 23, 25, 26
Schema: 62
Self-Assignment: 17, 37
Serial Number: 17, 38, 46
Set PIN
  PIN: 36
SIM: 21
Smartcard: 21
Stored Password Proxy: 43, 46
Time limit: 28, 29
Time-based: 26
Tracing: 66, 67
Unlock: 36
User Self Management Web Site: 12, 23, 43, 46, 69
Virtual Digipass: 11, 12, 15, 22, 23, 25, 28, 29, 39-41
Virtual Digipass
  Backup Virtual Digipass: 15, 22, 23, 25, 28, 29, 39-41
  Primary Virtual Digipass: 22, 23, 39, 40
2-step Login: 25, 41