aXs GUARD Identifier Administration Reference - Vasco

aXsGUARD Identifier 

Administration Reference Guide 

3.0 

3.1.3.0

aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Legal Notice 

VASCO Products 

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 

‘VASCO’. VASCO Products comprise Hardware, Software, Services and Documentation. This document 

addresses potential and existing VASCO customers and has been provided to you and your organization for the 

sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to 

use VASCO Software or a contractual agreement to use VASCO Products. 

Disclaimer of Warranties and Limitations of Liabilities 

VASCO Products are provided ‘as is’ without warranty or conditions of any kind, whether implied, statutory, or 

related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, 

merchantability, title, non-infringement or fitness for a particular purpose. 

VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY 

CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY 

THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS 

INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE 

VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE 

LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 

DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF 

OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE 

PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR 

DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS 

SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY 

REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS. 

Intellectual Property and Copyright 

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO 

Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, 

updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, 

database rights and all other intellectual and industrial property rights. No part of these Products may be 

transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or 

otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing. 

This document is protected under US and international copyright law as an unpublished work of authorship. No 

part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, 

mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized 

licensee. 

Trademarks 

VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS®, and the ® logo are registered or 

unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the 

U.S. and other countries. Other company brand or product names or other designations, denominations, labels 

and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications 

(irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the 

trademarks or registered trademarks or be part of any other entitlement of their respective owners. 

Radius Disclaimer 

Information on the RADIUS server provided in this document relates to its operation in the aXsGUARD Identifier 

environment. We recommend that you contact your NAS/RAS vendor for further information. 

Copyright © March 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights 

reserved. 

© 2010 VASCO Data Security 2

aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Table of Contents 

Table of Contents 

1 Audience and Purpose of this Document................................................................................................... 6 

1.1 Documentation................................................................................................................................................6 

1.2 Available Guides..............................................................................................................................................7 

1.3 What is the aXsGUARD Identifier? ...................................................................................................................8 

1.4 About VASCO...................................................................................................................................................8 

2 Configuration Tool: Field Listings.............................................................................................................. 9 

2.1 System............................................................................................................................................................. 9 

2.2 Network Settings...........................................................................................................................................11 

2.3 IDENTIKEY...................................................................................................................................................... 12 

2.3.1 Settings....................................................................................................................................................12 

2.3.2 LDAP User Synchronization......................................................................................................................15 

3 Administration Web Interface: Field Listings............................................................................................ 18 

3.1 User Properties..............................................................................................................................................18 

3.2 Digipass Properties........................................................................................................................................21 

3.3 Policy Properties............................................................................................................................................23 

3.4 Pre-Loaded Policies.......................................................................................................................................32 

3.5 Client Properties............................................................................................................................................36 

3.6 Back-End Server Properties...........................................................................................................................37 

3.7 Organization................................................................................................................................................... 38 

3.8 Report Properties...........................................................................................................................................38 

3.8.1 How to define a Query..............................................................................................................................38 

3.8.2 Reporting Query Fields.............................................................................................................................41 

3.8.3 Standard Reports......................................................................................................................................44 

3.9 aXsGUARD Identifier Properties......................................................................................................................45 

4 Importing Users with Comma Separated Value Files................................................................................ 46 

5 Message Delivery Component................................................................................................................. 47 

5.1 MDC Tracing Levels.......................................................................................................................................47 

5.2 MDC Result Options.......................................................................................................................................47 

5.2.1 Overview..................................................................................................................................................47 

5.2.2 Gateway Result Page................................................................................................................................48 

5.2.3 Result Options..........................................................................................................................................48 

6 Login Options......................................................................................................................................... 51 

6.1 Login Permutations........................................................................................................................................51 

6.1.1 Login Methods..........................................................................................................................................51 

6.1.2 Login Actions............................................................................................................................................51 

6.1.3 Login Variables.........................................................................................................................................51 

6.1.4 Password Format.....................................................................................................................................52 



6.1.5 Policy Settings..........................................................................................................................................52 

6.1.6 Response Only – Cleartext Combined Password Format...........................................................................53 

6.1.7 Response Only – CHAP/MS-CHAP/MS-CHAP2..........................................................................................55 

6.1.8 2-Step Challenge/Response – Cleartext Combined Password Format......................................................55 

6.1.9 Virtual Digipass........................................................................................................................................57 

7 Firewall Ports.......................................................................................................................................... 58 

7.1 Overview........................................................................................................................................................ 58 

7.2 Incoming Ports...............................................................................................................................................58 

7.3 Outgoing Ports...............................................................................................................................................59 

8 Audit Messages...................................................................................................................................... 60 

8.1 Audit Message Listing....................................................................................................................................60 

9 Error and Status Codes........................................................................................................................... 73 

9.1 Error Codes....................................................................................................................................................73 

9.2 DIGIPASS Authentication for Windows Logon Error Messages........................................................................79 

9.3 Status Codes.................................................................................................................................................. 80 

10 Tracing................................................................................................................................................... 87 

11 Support Procedure.................................................................................................................................. 89 



Index of Tables 

Table 1: System Fields........................................................................................................................................................................ 9 

Table 2: Network Fields.....................................................................................................................................................................11 

Table 3: IDENTIKEY Settings Fields.................................................................................................................................................... 12 

Table 4: IDENTIKEY LDAP User Synchronization: General Fields......................................................................................................... 15 

Table 5: IDENTIKEY LDAP User Synchronization: Filter Fields............................................................................................................. 16 

Table 6: IDENTIKEY LDAP User Synchronization: Attribute Mapping Fields......................................................................................... 16 

Table 7: User Fields...........................................................................................................................................................................18 

Table 8: Digipass Fields.................................................................................................................................................................... 21 

Table 9: Policy Fields.........................................................................................................................................................................23 

Table 10: Pre-Loaded Policies .......................................................................................................................................................... 32 

Table 11: Client Fields.......................................................................................................................................................................36 

Table 12: Back-End Server Fields......................................................................................................................................................37 

Table 13: Domain Fields....................................................................................................................................................................38 

Table 14: Organizational Unit Fields...................................................................................................................................................38 

Table 15: Report fields...................................................................................................................................................................... 39 

Table 16: User Fields for Reporting....................................................................................................................................................41 

Table 17: DIGIPASS Fields for Reporting............................................................................................................................................ 42 

Table 18: Audit Fields for Reporting...................................................................................................................................................42 

Table 19: aXsGUARD Identifier Fields.................................................................................................................................................45 

Table 20: MDC Audit Message Variables........................................................................................................................................... 50 

Table 21: Login Permutations - Response Only Cleartext Combined (1)............................................................................................. 53 

Table 22: Login Permutations - Response Only Cleartext Combined (2)............................................................................................. 54 

Table 23: Login Permutations - Response Only CHAP/MS-CHAP/MS-CHAP2......................................................................................55 

Table 24: Login Permutations – 2-Step Challenge/Response Cleartext Combined..............................................................................56 

Table 25: Login Permutations – Virtual Digipass................................................................................................................................ 57 

Table 26: List of Incoming Ports Used by the aXsGUARD Identifier..................................................................................................... 58 

Table 27: List of Outgoing Ports Used by the aXsGUARD Identifier..................................................................................................... 59 

Table 28: Audit Messages List...........................................................................................................................................................60 

Table 29: Error Code List...................................................................................................................................................................73 

Table 30: Error Code List - DIGIPASS Authentication for Windows Logon........................................................................................... 79 

Table 31: Status Code List.................................................................................................................................................................80 

Table 32: Tracing Message Types..................................................................................................................................................... 87 

Table 33: Tracing Message Levels.....................................................................................................................................................88 

Table 34: Tracing Message Contents.................................................................................................................................................88 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Audience and Purpose of this Document 

1 Audience and Purpose of this Document 

1.1 Documentation 

This aXsGUARD ® Identifier Administration Reference Guide is part of a set of guides on the aXsGUARD 

Identifier. It provides lists of field explanations and other reference data for technical experts using the 

aXsGUARD Identifier and is intended for reference only. Information is provided in table format for quick 

reference, as follows: 

Section 2 describes the Configuration Tool fields. Only modifiable fields are listed. For more information on 

system actions (e.g. updates, backup and restore, reboot and shutdown etc.) please see the aXsGUARD 

Identifier Installation Guide. 

Section 3 lists the Administration Web Interface fields and their descriptions. For more information on actions 

possible in the Administration Web Interface, please refer to the aXsGUARD Identifier Product Guide. 

Section 4 lists the restrictions for importing user records using comma separated value files. 

Section 5 explains the Message Delivery Component trace levels and result options. 

Section 1.1 lists the login options and related reference data. 

Section 7 lists the firewall port reference data. 

Section 8 describes the audit messages. 

Section 9 describes the error and status codes. 

Section 10 describes the tracing types, levels and contents. 

Section 11 explains the support procedure for further help. 



1.2 Available Guides 

Other documents in the set of aXsGUARD Identifier documentation include: 

The aXsGUARD Identifier Installation Guide, which supports planning for and installation of the aXsGUARD 

Identifier. 

The aXsGUARD Identifier Product Guide, which is intended for technical experts interested in learning 

about the aXsGUARD Identifier. This document describes the structure of the product, the concepts 

underpinning authentication and how the aXsGUARD Identifier can support authentication within your IT 

infrastructure. 

The aXsGUARD Identifier SDK Programmer's Guide, which provides in-depth information required for 

development work using the SDK. This document is only relevant to SOAP Authentication, Electronic 

Signatures and Provisioning. 

A set of DIGIPASS Windows Logon Guides, which provide information on the concepts, installation and 

configuration, setting up and testing of . Additionally the DIGIPASS Windows User Guide provides 

information for end-users. 

Two Password Synchronization Manager Guides, for installation and end users respectively. 

A Filter Guide (for each available filter) for installation and end users. 

Access to the aXsGUARD Identifier guides is provided via the aXsGUARD Identifier Configuration Tool. The 

aXsGUARD Identifier Installation and Configuration Guide is also provided with delivery of the aXsGUARD 

Identifier. Manuals for aXsGUARD Identifier add-ons are provided on the CDROM delivered with the appliance. 

The remainder of this section briefly introduces the aXsGUARD Identifier and VASCO ® . 



1.3 What is the aXsGUARD Identifier? 

The aXsGUARD Identifier secures internal and remote access to network applications, and remote access to 

applications offered on line. It is a stand-alone authentication solution based on IDENTIKEY ® , a version of 

VASCO's VACMAN ® software, which is compatible with both LINUX and Windows environments. Together with 

DIGIPASS ® technology providing the client side component, the solution delivers strong two factor 

authentication. 

The aXsGUARD Identifier is a simple and cost-effective solution, which can easily be integrated into existing IT 

infrastructures to support authentication in small to medium sized enterprises. The product integrates usability 

features described as a 'convenience layer' including: 

simple installation and maintenance 

remote support from VASCO experts 

semi automatic updating (proactively prompting update, but still within the control of the administrator) 

simple registration 

backup and restore functionality 

real time feedback on system status with statistics 

The aXsGUARD Identifier has three user interfaces: 

the Configuration Tool for system administrators, for installation and maintenance. 

the Administration Web Interface, for system administrators to manage the daily use of the system. 

the Rescue Tool, intended for administrators to manage some limited settings. 

For more information on the aXsGUARD Identifier and the concepts underpinning its operation and 

architecture, please see the aXsGUARD Identifier Product Guide, available via the Help button in the 

Configuration Tool. 

1.4 About VASCO 

VASCO is a leading supplier of strong authentication and Electronic Signature solutions and services 

specializing in Internet Security applications and transactions. VASCO has positioned itself as global software 

company for Internet Security serving customers in more than 100 countries, including many international 

financial institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and egovernment. 

Over 50 of VASCO’s client authentication technologies, products and services are based on VASCO’s one and 

unique core authentication platform: VACMAN ® . VASCO solutions comprise combinations of the VACMAN core 

authentication platform, IDENTIKEY ® authentication server, aXsGUARD ® authentication appliances, DIGIPASS ® 

client Password and Electronic Signature software and DIGIPASS PLUS authentication services. 

For further information on these security solutions, please see www.vasco.com 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Configuration Tool: Field Listings 

2 Configuration Tool: Field Listings 

2.1 System 

Note: 

Only modifiable fields are listed; for more information on system actions (e.g. updates, 

backup and restore, reboot and shutdown etc.) or wizards, (e.g. Update and Registration) 

please see the aXsGUARD Identifier Installation Guide. 

Table 1: System Fields 

Settings 

Field Name Description 

Hostname This is the internal name of the aXsGUARD Identifier and is used: 

to uniquely identify log lines when sent to a remote syslog server. See the section on 

'Logging' in the aXsGUARD Identifier Product Guide for more information. 

Time 

to identify aXsGUARD Identifiers in a replication setup, and 

for selecting the correct aXsGUARD Identifier to log on to using the Administration 

Web Interface in a replication setup. See the section on 'Replication' in the 

aXsGUARD Identifier Product Guide for more information. 

Time zone Each log line and audit event in the aXsGUARD Identifier is generated with a time stamp. 

This time zone field determines the time-offset of the time stamp. We recommend setting 

the time zone to 'UTC' (=Greenwich Mean Time) for an efficient support service. 

NTP server(s) The Network Time Protocol (NTP) is designed to synchronize the clocks of computers over 

a network. Enter the IP address(es) of the NTP server(s) used in the company network. A 

comma-separated list of time servers can be used, in which case the first entry is used for 

synchronization. A subsequent entry in the list is used whenever the previous server in the 

list is unavailable. 



Logging 


Level The aXsGUARD Identifier convenience layer generates information in the logging system. 

This logging system does not contain information from the IDENTIKEY component. For 

more information on the aXsGUARD Identifier logging system, please see the 'Logging 

'section in the aXsGUARD Identifier Product Guide. 

Remote Logging 

The logging system can be configured to generate information at different levels. The 

meaning of these levels is explained below. 

Critical A system-critical warning that services may not be running. Please follow the 

support procedure described in section 11. 

Error Error condition: action required, although services may still be running. 

Warning Not an error, but an indication that an error may occur if action is not taken. 

Notice Events which are unusual but not error conditions. No immediate action 

required. 

Info Normal operational messages, may be collected for reporting etc. No action 

required. 

Debug Information useful to debug the application. Not useful during operations. 

Syslog server(s) The aXsGUARD Identifier logging system allows forwarding of log lines to a remote syslog 

server. Enter the IP address of the remote syslog server in this field. A comma-separated 

list of IP addresses can be used in which case the log lines are sent to all servers listed. 

For more information on the aXsGUARD Identifier logging system, please see the 'Logging' 

section in the aXsGUARD Identifier Product Guide. 

Level The logging system can be configured to generate information at different levels. A level 

can be selected for forwarding to the remote syslog server. The meaning of the levels is 

explained below. 

Backup and Restore tab 

Critical A system-critical warning that services may not be running. Please follow the 

support procedure described in section 11. 

Error Error condition: action required, although services may still be running. 

Warning Normal operational messages, which may be collected for reporting etc. No 

action required. 

Notice Not an error, but an indication that an error may occur if action is not taken. 

Info Information useful to debug the application. Not useful during operations. 

Debug Events which are unusual but not error conditions. No immediate action 

required. 

Create backup now Opens a dialog for downloading a backup file. 

Restore Provides an entry field for the URL of the file which is to be restored. The URL can be 

entered, or the 'Browse' button used to locate the correct path for the URL entry field. The 

'Restore' button restores the file from the URL entered. See the section on 'Backup and 

Restore' in the aXsGUARD Identifier Product Guide for more information. 



2.2 Network Settings 

Table 2: Network Fields 


IP address This field contains the IP address of the aXsGUARD Identifier used to communicate within 

the company network. The Classless Inter Domain Routing (CIDR) notation is used, for 

instance 192.168.0.100/24. 

Miscellaneous 

Default Gateway The default gateway is a server in your network, which routes the traffic from the 

aXsGUARD Identifier to the outside network. Enter the default gateway for your network. 

DNS suffix(es) The DNS search path or DNS suffix is used to complete a partial DNS name whenever a 

DNS lookup is performed, for example 'intranet' is completed to 

'intranet.mycompany.com'. Enter the domain used within your company in this field. A 

comma separated list of domains can be added in which case the partial DNS name is 

completed with each domain starting from the top of the list until a valid DNS name is 

found. 

DNS server(s) A DNS server is used to convert human readable DNS names into IP addresses used in the 

network. Add the DNS server used in your network in this field. A comma-separated list of 

DNS servers can be added. The first entry in the list is used to perform DNS resolving. A 

subsequent server in the list is used if the previous DNS server in the list is unavailable. 

Proxy 

A proxy server is used in larger companies and organizations to improve network operations and security. It can be used 

to prevent direct communication between two or more networks. A proxy server forwards all allowed data requests to 

remote servers. The use of a proxy server is optional. Proxy authentication works for basic authentication and DIGEST 

authentication, but not for form-based authentication. 

Use proxy for HTTP(S) 

access? 

Click on the checkbox to enable/disable use of a proxy server. 

Proxy Server Enter the IP address of the proxy server used in your network. 

Port Enter the port used to contact your proxy server. 

Need to authenticate? Click on the checkbox to enforce authentication for HTTP(S) access through the proxy 

server. 

User name Enter the user name to authenticate towards the proxy server in your network before a 

connection is allowed. 

Password Enter the password for the supplied user name to authenticate towards the proxy server in 

your network before a connection is allowed. 



2.3 IDENTIKEY 

2.3.1 Settings 

Table 3: IDENTIKEY Settings Fields 


Settings 

Server Discovery tab 

Enabled Enable this checkbox to activate Server Discovery for the aXsGUARD Identifier. For no DNS Service 

Registration, the checkbox should not be enabled. 

DNS Server 

Address 

Authentication 

Type 

Enter the IP address of the DNS Server. 

None Use this for DNS Service Registration with a DNS server supporting dynamic DNS 

anonymously. 

TSIG Use this for DNS Service Registration with a DNS server supporting dynamic DNS with 

TSIG authentication. 

TSIG Key File Browse to the TSIG Key File, if TSIG Authentication Type is being used (see previous field). 

Domain Name Enter the Domain Name. 

Priority Primary This aXsGUARD Identifier will be the first to which authentication requests are sent 

during Windows Logon, where more than one aXsGUARD Identifier exists on the network. 

MDC tab 

Backup This aXsGUARD Identifier will be the backup to which authentication requests are sent 

during Windows Logon, where more than one aXsGUARD Identifier exists on the network, 

but the aXsGUARD Identifier nominated as 'Primary' (see above) is unavailable. 

Enabled Enable this checkbox to activate the Message Delivery Component (MDC) for the aXsGUARD 

Identifier. The MDC is used for sending a One Time Password by SMS when a virtual DIGIPASS is 

used. More information on the MDC is available in the section on the MDC in the aXsGUARD 

Identifier Product Guide. 

Gateway 

Protocol This field is used to specify the protocol identifier to be used to connect to the HTTP gateway. The 

protocol identifier:“https://” can be used to SSL-encrypt the link between the MDC and the HTTP 

gateway. 

Port This field sets the port used to connect to the HTTP gateway. 

URL This field sets the URL to the HTTP gateway. The address should not contain any variables, ports 

or the protocol identifier. 

Query string This field defines the query string which is submitted to the HTTP server, either using POST or GET 

(as specified by Query method). This string must contain all the required variables that are 

expected by the HTTP gateway. The following parameters must be included in the query string and 

are set by the MDC before submitting the query: 

[acc_user] specifies the account name for the gateway used to submit the information 

[acc_pwd] sets the password for the gateway account specified by the [Username] parameters 




[otp_msg] specifies the part of the query string, where the OTP is substituted 

[otp_dest] specifies the part of the query string, where the destination for the OTP (usually the 

mobile phone number) is substituted. The query string should also incorporate any 

other parameters which might be expected by the gateway. 

Example: 

Query method This field designates either the GET or POST method for transferring account and message data to 

the HTTP/HTTPS gateway. Data type: String (“GET” or “POST”). 


User name This field sets the account user name for the HTTP gateway. The given value is used as content for 

the variable [acc_User] in the query string. 

Password/ Confirm 

Password 

Results 

This field sets the account password for the HTTP gateway. The given value is used as content for 

the variable [acc_pwd] in the query string. 

More information on the results options is available in section 5. 

Success / Failure / Malformed query tabs 

Matching pattern This field specifies the Result Page Template to match the result page returned by the HTTP 

service. If this template is matched, the corresponding audit message is composed and returned to 

the aXsGUARD Identifier Audit message. 

Message text This field specifies the Audit Message Template for the message to be compiled and sent back to 

the aXsGUARD Identifier. The message is returned as an Information, Warning or Error, depending 

on the MsgType parameter in the same section. Includes [variable] options. 

Scenarios tab 


Enabled Enable this checkbox to activate the authentication services on the aXsGUARD Identifier. 

Provisioning 

Enabled Enable this checkbox to activate the Provisioning services on the aXsGUARD Identifier. 

Minimum 

Reactivation 

Interval 

Maximum 

Reactivation 

Attempts 

Maximum 

Reactivation 

Locations 

Signature 

The minimum length of time (in minutes) permitted between activation attempts for a particular 

DIGIPASS. 

The total number of activation attempts (successful or unsuccessful) permitted per DIGIPASS. 

The maximum number of different Locations where a particular DIGIPASS can be activated. This 

only applies when the Location is specified for Provisioning (DIGIPASS for Web). 

Enabled Enable this checkbox to activate the Electronic Signature services on the aXsGUARD Identifier. 

Back-ends tab 




Active Directory 

Enabled Enable this checkbox to activate the Active directory LDAP back-end server type for the aXsGUARD 

Identifier. More information on Active directory LDAP back-end servers is available in the section 

describing the authentication process in the aXsGUARD Identifier Product Guide. 

e-Directory 

Enabled Enable this checkbox to activate the e-Directory LDAP back-end server type for the aXsGUARD 

Identifier. More information on e-Directory LDAP back-end servers is available in the section 

describing the authentication process in the aXsGUARD Identifier Product Guide. 

ADAM 

Enabled Enable this checkbox to activate the ADAM LDAP back-end server type for the aXsGUARD 

Identifier. More information on ADAM LDAP back-end servers is available in the section describing 

the authentication process in the aXsGUARD Identifier Product Guide. 

RADIUS 

Enabled Enable this checkbox to activate the RADIUS back-end server type for the aXsGUARD Identifier. 

More information on RADIUS back-end servers is available in the section describing the 

authentication process in the aXsGUARD Identifier Product Guide. 

Tracing tab 

IDENTIKEY Select the IDENTIKEY tracing file required, (none, basic or full) for downloading. 

Available tracing files are listed with buttons for downloading or deleting. 

MDC Select the MDC tracing file required, (none, basic or full) for downloading (see also section 5 ) . 

Available tracing files are listed with buttons for downloading or deleting. 



2.3.2 LDAP User Synchronization 

LDAP User Synchronization is not server-specific and therefore requires configuring specifically for different 

LDAP Servers. To set up a synchronization requires configuring a Synchronization Profile. The tables below 

present: 

General fields for a Synchronization Profile 

Filter fields: records to be synchronized from the source LDAP Server can be filtered by matching certain 

Attributes. All Attributes listed must match for a User Account to be synchronized. 

Attribute Mapping fields: this is the mapping of LDAP Server Attributes to aXsGUARD Identifier User 

Account Properties. 

Example configurations are described in the aXsGUARD Identifier Installation Guide. 

For information on the concepts of LDAP User Synchronization, please refer to the aXsGUARD Identifier 

Product Guide. 

Table 4: IDENTIKEY LDAP User Synchronization: General Fields 


ID This is a unique identifier for the Synchronization Profile, which cannot be changed 

later. User Accounts created or updated by the profile have this ID added. 

Enable This field must be checked to enable automatic synchronizations using this 

Synchronization Profile at the frequency defined in the Frequency field (see below). 

The default value is disabled, i.e. unchecked, in which case the profile is not 

operational and no User Accounts are updated or copied from the LDAP Server. 

Description A description should be entered to help identify this Synchronization Profile. 

Frequency The frequency defines the number of times per day automatic synchronization occurs, 

once the profile has been manually configured. Synchronization frequency can be 

configured up to 24 times per day. 

LDAP URI 

(Uniform Resource Identifier) 

This is the protocol and host of the source LDAP Server. 

Bind DN (if needed) This is the Distinguished Name to authenticate towards the LDAP Server. Entering the 

Bind DN is optional. 

Bind Password (if needed) This is the Bind Password to authenticate towards the LDAP Server. Entering the Bind 

Password is optional. 

Search Base The Search Base is the starting point for searches in the LDAP Server. This should be 

a string-represented DN as defined in RFC 1779. 

Search Scope The Search Scope can be limited to: 

one level deep, which only searches at the level below the Search Base 

whole subtree, which searches at and below the Search Base 



Table 5: IDENTIKEY LDAP User Synchronization: Filter Fields 


Attribute This must be the name of an LDAP Server Attribute. All Attributes listed must match 

for a User Account to be synchronized. 

Match This is the value for the Attribute defined in the previous field and must match for a 

User Account to be retrieved for synchronization. Asterisks can be used as a wild 

card for the value, indicating zero or more characters. 

Table 6: IDENTIKEY LDAP User Synchronization: Attribute Mapping Fields 


Type This defines whether the mapping is 

for an LDAP Attribute name (Type: ldap) or 

for a constant value (Type: constant). 

Source Attribute/Value For Type ldap, this entry should be an LDAP Attribute name. 

For Type constant, this entry should be the value of the corresponding aXsGUARD 

Identifier Property. 

Destination Property This is the Property name in the aXsGUARD Identifier which corresponds to the LDAP 

Server Attribute specified in the previous field. 

aXsGUARD Identifier Properties available for Attribute mapping are: 

User ID 

User Name 

Description 

Disabled (set to 'false' if unspecified) 

Static Password 

Locked (set to 'false' if unspecified) 

Local Authentication (set to 'Default' if unspecified) 

Back-end Authentication (set to 'Default' if unspecified) 

Mobile 

Phone 

Email 

For all possible values for these Properties, see section 3.1 (p17). 

Destination This is the domain and (optionally) the organizational unit in the aXsGUARD Identifier 

where User Accounts will be copied to or updated. If the domain is changed after User 

Accounts have already been copied, the User Accounts are copied to the new domain 

but not deleted from the previous domain. If the organizational unit is changed to 

another one in the same domain, User Accounts which have been created or updated 

by this Synchronization Profile are moved from the old to the new location. 

Update existing This field determines whether existing User Accounts (i.e. User Accounts which have 

not been created or previously updated by this Synchronization Profile) can be 

updated. To disable updating, the option should be unchecked and the 

Synchronization Profile ID (see above) removed from the User Account in the 

Administration Web Interface. 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Administration Web Interface: Field Listings 

3 Administration Web Interface: Field Listings 

3.1 User Properties 

Table 7: User Fields 


Static Password The static password. This may be used for static password checking by the aXsGUARD 

Identifier or may be a record of a password in a Back-End System. 

In view mode, the system will only show whether a password is set or not. 

The Set Password and Reset Password commands are used to change this, although it 

can also be entered when creating the Digipass User account. 

Local Authentication Specifies whether authentication requests for the User account will be handled by the 

aXsGUARD Identifier using Local Authentication (see the Authenticating Users section in 

the Product Guide for more details on Local Authentication and Back-End Authentication). 

Normally, this field will be Default, meaning that the Policy applicable to the authentication 

request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 

When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet 

the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, 

they cannot use Digipass authentication under that Policy. 

This setting also affects the Provisioning Registration process (see the Software Digipass 

Provisioning section in the Product Guide). 

Options: 

Default Use the setting of the effective Policy. 

None The aXsGUARD Identifier will not carry out Local Authentication for 

this User account. They may be handled using Back-End 

Authentication, or not handled at all by the aXsGUARD Identifier. 

Digipass/Password The aXsGUARD Identifier will always carry out Local Authentication 

for this User, using Digipass authentication if possible, otherwise 

the static password. Back-End Authentication may also be utilized. 

Digipass Only The aXsGUARD Identifier will always carry out Local Authentication 

for this User, using Digipass authentication. If Digipass 

authentication is not possible, the user cannot log in. Back-End 

Authentication may also be utilized. 

Back-End Authentication Specifies whether authentication requests for the User account will be handled by the 

aXsGUARD Identifier using Back-End Authentication (see the Authenticating Users section 

in the Product Guide for more details on Local Authentication and Back-End 

Authentication). 


request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 






Options: 


None Back-End Authentication will not be used. 

If Needed The aXsGUARD Identifier will utilize Back-End Authentication but 

only in certain cases: 

Dynamic User Registration 

Self-Assignment 

Password Autolearn 

Requesting a Challenge or Virtual Digipass OTP, when the 

Request Method includes a Password 

Static password authentication, when verifying a Virtual 

Digipass password-OTP combination or during the Grace 

Period 

Provisioning Registration 

Always The aXsGUARD Identifier will utilize Back-End Authentication for 

every authentication and Provisioning Registration request. 

Disabled Specifies whether a Digipass User account is enabled or disabled. If disabled, all requests 

for the User will be rejected by the aXsGUARD Identifier. 

The Disable and Enable commands are used to change this, although it can also be 

changed when creating or editing the Digipass User account. 

Locked Specifies whether a Digipass User account is locked or not. If locked, all requests for the 

User will be rejected by the aXsGUARD Identifier. 

The Locked indicator is normally set automatically when the User exceeds a certain number 

of failed authentication attempts. The User Lock Threshold is set in the Policy. 

The Unlock command is used to change this, although it can also be changed when editing 

the Digipass User account. 

Linked User Account It is possible to share Digipass between different User accounts, by linking User accounts 

together. This feature is intended for the case where one person, such as an administrator, 

has multiple User accounts. If their accounts are linked, there is no need to give more than 

one Digipass to that person. 

This feature is used by assigning the Digipass to one User account, then linking all the 

other User accounts for the person to the one that has the Digipass. 

Read only. The Link and Unlink commands must be used to change this. 

If a User is linked to another User, their Linked User Account field will show the UserId and 

Domain of the linked User, for example: 

testuser [vasco.com] 

Created On The date and time that the Digipass User account was created. Read-only. 

Last Modified On The date and time that the Digipass User account was last modified. Read-only. 

Domain The Domain to which the User belongs. 

Read only. This cannot be changed. 

Organizational Unit The Organizational Unit in which the User is located. This is optional as the User does not 

have to be located in an Organizational Unit. 

Read only. The Move command must be used to change this. 




User Name The full name of the User. 

Email Address The email address of the User. 

Phone No. The telephone number of the User. 

Mobile No. The mobile phone number of the User. This will be used for Virtual Digipass logins. 

Description Any descriptive text or notes. 

Assigned Digipass list This lists all Digipass that are assigned to the User. For each Digipass, the list of active 

Applications is given with the Application Type indicated in brackets(). For example: 

0058384426 RESP_ONLY(RO), CHALLENGE(CR) 

In this example line, the Digipass with Serial Number 0058384426 has two active 

Applications: one Response Only Application RESP_ONLY and one Challenge/Response 

Application CHALLENGE. 

Other Digipass properties are shown in this list – for more information, see the Digipass 

Properties table. 

If the User does not have any Digipass assigned directly, but is linked to another User to 

use their Digipass (see Linked User Account), the linked User's Digipass list is shown with 

the Serial Numbers in square brackets (eg. [0058384426]). 

Read-only. The Assign Digipass and Unassign Digipass commands much be used to 

change this. 

Administrative Privileges This lists all the administrative privileges for which the User has permission. 



3.2 Digipass Properties 

Table 8: Digipass Fields 


Domain The Domain to which the Digipass belongs. 


Organizational Unit The Organizational Unit in which the Digipass is located. This is optional as the Digipass 

does not have to be located in an Organizational Unit. 


Digipass Type The type of Digipass represented by the Digipass record (eg. DP300). 

Description A custom text description of the Digipass. This can be used to search for specific attributes 

of a Digipass, eg. color, company logo. 

Reserve for Individual 

Assignment 

When used, this option prevents the Digipass from being assigned using the Auto- 

Assignment feature or by Provisioning Registration. It also prevents it from being assigned 

by an administrator who uses the 'Assign next available...' option in the assignment wizard. 

Assigned to User User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. This 

User account must be in the same Domain as the Digipass. 

Read-only. The Assign command must be used to change this. 

Date Assigned The date and time when the Digipass was assigned to its current User. 

Read-only. 

Grace Period End The date on which the Grace Period will expire, or did expire, for this Digipass. If the date 

shows today's date or before, the Grace Period has already expired. If it is blank, there is no 

Grace Period. 

BVDP Mode Specifies whether and how the Backup Virtual Digipass feature can be used for this 

Digipass. Note that in order for the Backup Virtual Digipass feature to function, it must 

also be activated in the DPX file for the Digipass. 


request determines the setting. This field on the Digipass record is used to override the 

Policy setting for special cases. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Enabled Until date and the Uses Remaining 

count will be in effect. 

Yes - Required Backup Virtual Digipass is mandatory. This may be useful 

if the User may have lost the Digipass, to prevent it from 

being used until they have found it again. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 




Enabled Until The date on which the Backup Virtual Digipass feature may no longer be used, provided that 

the effective Enable Backup VDP setting is Yes – Time Limited (it is ignored otherwise). 

If this date is blank, it will be set automatically the first time that the User requests a 

Backup Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the 

Policy. 

Once this date has expired, it requires administrator intervention either to extend it or to 

reset it to blank for the next time that the User needs to use Backup Virtual Digipass. 

Uses Remaining The remaining number of times that the Backup Virtual Digipass feature may be used for 

this Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be 

used with this Digipass, unless the administrator increases it or resets it to blank. 

If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in the 

Policy, it will be set automatically the first time that the User requests a Backup Virtual 

Digipass OTP, based on the Max. Uses/User. 

Static Vector ID The presence of a value here indicates that a Digipass is a Software Digipass capable of 

Provisioning. Its specific value is not of use to an administrator normally. It represents a 

lookup key of a database record used in the Provisioning process (DPSoft Parameters) that 

stores the Static Vector value. 

Last Activation The date and time at which the last Provisioning Registration operation took place using this 

Digipass, when an Activation Code was generated for it. 

There is a configurable minimum interval of time between Registration operations for a 

Digipass. See the Software Digipass Provisioning section in the Product Guide for more 

details. 

This value is reset to blank by the Reset Activation command. 

Activation Locations This is typically only used for Digipass for Web, to keep track of the number of different 

locations at which a particular User has activated it. The value is a comma-separated list of 

hash values, where each hash value represents one location. 

There is a configurable maximum number of activation locations for a Digipass. See the 

Software Digipass Provisioning section in the Product Guide for more details. 

This value is reset to blank by the Reset Activation command. 

Activation Count The total number of Provisioning Registration operations that have taken place using this 

Digipass, when an Activation Code was generated for it. This includes Registration 

operations for which the corresponding Activate operation was not completed successfully. 

There is a configurable maximum number of activation attempts for a Digipass. See the 

Software Digipass Provisioning section in the Product Guide for more details. 

This value is reset to 0 by the Reset Activation command. 

Created On The date and time that the Digipass was created. Read-only. 

Last Modified On The date and time that the Digipass was last modified. Read-only. 



3.3 Policy Properties 

Table 9: Policy Fields 


Description This description can be entered to record the purpose of the Policy. 

Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the 

'parent Policy'. Settings are inherited individually, depending on the value in the Policy 

field; they inherit the parent Policy value in the following cases: 

Choice lists/radio buttons – if the selected value is Default 

Text fields – if the field is blank 

Numeric fields – if the field is blank (not 0) 

List fields – if the list is empty 

The Show Effective Policy Settings... button can be used to display the result of 

inheriting settings combined with settings on the current Policy. 

Local Authentication Specifies whether authentication requests using the Policy will be handled by the 

aXsGUARD Identifier using Local Authentication (see the Authenticating Users section in 

the Product Guide for more details on Local Authentication and Back-End 


When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet 

the restrictions. For example, if the Policy requires a DP300 and the User just has a 

DP700, they cannot use Digipass authentication under that Policy. 



Options: 

Default Use the setting of the parent Policy. 

None The aXsGUARD Identifier will not carry out Local Authentication 

under this Policy. They may be handled using Back-End 

Authentication, or not handled at all by the aXsGUARD 


Digipass/Password The aXsGUARD Identifier will always carry out Local 

Authentication under this Policy, using Digipass authentication 

if possible, otherwise the static password. Back-End 

Authentication may also be utilized. 

Digipass Only The aXsGUARD Identifier will always carry out Local 

Authentication under this Policy, using Digipass authentication. 

If Digipass authentication is not possible, the user cannot log 

in. Back-End Authentication may also be utilized. 

Back-End Authentication Specifies whether authentication requests using the Policy will be handled by the 

aXsGUARD Identifier using Back-End Authentication (see the Authenticating Users 

section in the Product Guide for more details on Local Authentication and Back-End 




Options: 





None Back-End Authentication will not be used. 

If Needed The aXsGUARD Identifier will utilize Back-End Authentication 

but only in certain cases: 

Dynamic User Registration 

Self-Assignment 


Requesting a Challenge or Virtual Digipass OTP, when 

the Request Method includes a Password 

Static password authentication, when verifying a Virtual 

Digipass password-OTP combination or during the 

Grace Period 

Provisioning Registration 

Always The aXsGUARD Identifier will utilize Back-End Authentication 

for every authentication and Provisioning Registration request. 

Back-End Protocol Specifies the protocol to be used for Back-End Authentication. 

If you have your own Back-End Authentication Engines, they will have Protocol names to 

identify them. The name for the required Engine must be defined in the Back-End 

Protocol for the Policy. 

The following standard options are available: 

RADIUS Authentication using a RADIUS server. 

e-Directory Authentication using Novell's e-Directory. 

ADAM Authentication using a Microsoft ADAM server. 

Active Directory Authentication using Microsoft's Active Directory. 

Created On The date and time that the Policy was created. Read-only. 

Last Modified On The date and time that the Policy was last modified. Read-only. 

Dynamic User Registration Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. 

If this feature is used, when the aXsGUARD Identifier receives an authentication request 

for a User for the first time and Back-End Authentication is successful, it will create a 

Digipass User account automatically. If DUR is used in conjunction with Auto- 

Assignment, a Digipass will be assigned to the new User account immediately. 

This setting also determines whether the Provisioning Registration process is allowed to 

perform DUR or not. 

Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature 

enables the aXsGUARD Identifier to update the password stored in the Digipass User 

account when Back-End Authentication is successful. 

This setting also determines whether the Provisioning Registration process will update 

the password after successful Back-End Authentication or not. 

Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This 

feature can be used in conjunction with the Back-End Authentication Always setting and 

the Password Autolearn feature. With this combination, even though a Back-End 

Authentication check is done every login, it is done using the password stored in the 

Digipass User account. Therefore the User does not have to enter it during their login, 

unless it has changed in the Back-End System. This mode of operation is referred to as 

Password Replacement. 




Default Domain The default Domain in which the aXsGUARD Identifier should look for and create Digipass 

User accounts, if a Domain is not specified by the user credentials. The process of 

resolving the User ID and Domain name is described in the User ID and Domain 

Resolution section in the Product Guide and in of this document. 

User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass 

User account to become Locked. For example, if the User Lock Threshold is 3, the 

account will become Locked on the third failed login attempt. Unlocking the account 

requires administrator action. 

Note that not all kinds of login failure will result in locking. For example, if the UserId is 

incorrect or the account is Disabled, the failure would not count towards the lock 

threshold. Locking is used mainly for incorrect OTPs and static passwords. 

The locking mechanism is also used for Provisioning and Signature Validation. 

Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy, 

if any. There are two methods, Auto-Assignment and Self-Assignment. 

Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When 

DUR occurs, the next available Digipass is assigned to the new Digipass User account. A 

Grace Period is set for the Digipass according to the Grace Period setting in the Policy. 

Self-Assignment is typically used with DUR also, but if the Digipass User accounts are 

created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a 

User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP 

from the Digipass and their static password. There is no Grace Period associated with 

Self-Assignment, because the User has to use the Digipass to perform Self-Assignment. 

In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will 

not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 

and DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy 

restrictions, they will not be able to self-assign another Digipass. 

This setting is not applicable to Provisioning or Signature Validation. 

Options: 


Auto-Assignment Use the Auto-Assignment method. 

Self-Assignment Use the Self-Assignment method. 

Neither Do not use either method of automated assignment. 

Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and 

the date they must start using their Digipass to login. Before that time they can still use a 

static password (unless the Local Authentication setting is Digipass Only). However, the 

first time that an OTP is used to log in, the Grace Period is ended at that point if it has not 

already ended. 

This setting does not affect manual assignment by an administrator or Provisioning. 

Serial No. Separator The character (or short sequence of characters) that will be included at the end of the 

Digipass Serial Number during a Self-Assignment login. It allows the aXsGUARD Identifier 

to easily recognize that a Self-Assignment attempt is being made and extract the Serial 

Number from the credentials. 

Search Upwards in Org. 

Unit hierarchy 

This controls the search scope for an available Digipass for Auto-Assignment or 

Provisioning Registration, or for a specific Digipass for Self-Assignment. 

This setting does not affect manual assignment by an administrator. 

Options: 





No The search scope is only the Organizational Unit in which the 

User account belongs. If the User does not belong to an 

Organizational Unit, the search will look for Digipass that also 

do not belong to an Organizational Unit. 

Yes The search will start in the User account's Organizational Unit, 

but if necessary it will then move upwards through the 

Organizational Unit hierarchy until it reaches the top. See the 

Location of Digipass Records topic in the Product Guide for 

more information. 

Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Application Names that are permitted. 

Application Type The Policy can restrict which Digipass Application Type (eg. Response Only, 

Challenge/Response) may be used when it is effective. 

Options: 


No Restriction Digipass Application Type is not restricted. 

Response Only Only Digipass Applications of Type RO (Response Only) or MM 

(Multi-Mode) may be used. 

Challenge/Response Only Digipass Applications of Type CR (Challenge/Response) 

or MM (Multi-Mode) may be used. 

Signature Only Digipass Applications of Type SG (Signature) or MM 

(Multi-Mode) may be used. 

Multi-Mode Only Digipass Applications of Type or MM (Multi-Mode) may 

be used. 

Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Digipass Types that are permitted. 

Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during 

authentication requests to which the current Policy applies. Normally this setting is 

enabled, but it can be used to prevent PIN changes if required. 

1-Step Challenge/Response 

– Permitted 

Controls whether 1-step Challenge/Response logins will be enabled for the current Policy 

and, if so, where the challenge should originate. 

In order to enable 1-step Challenge/Response, you also need to set the Challenge Check 

Mode (see below). 

Note that 1-step Challenge/Response is not applicable in a RADIUS environment. 

Options: 

Default 

No 1-step Challenge/Response may not be used. 

Yes – Server Challenge 1-step Challenge/Response may be used provided that the 

aXsGUARD Identifier that verifies the response generated the 

challenge. 





– Challenge Length 


– Add Check Digit 


– Request Method 


– Request Keyword 

Primary Virtual Digipass – 

Request Method 

Primary Virtual Digipass – 

Request Keyword 

Backup Virtual Digipass – 

Enable Backup VDP 

Yes – Any Challenge 1-step Challenge/Response may be used with any random 

challenge. 

Specifies the length of the challenge (excluding a check digit) which should be generated 

for 1-step Challenge/Response logins. 

A check digit may be added to the generated challenge. This allows the Digipass to 

identify invalid Challenges more quickly. 

The method by which a User has to request a 2-step Challenge/Response login. 

This is the only mode of Challenge/Response available in a RADIUS environment. 

The 'request' is made in the password field during login. The request will fail if the User 

does not have a Challenge/Response-capable Digipass assigned. This includes Digipass 

Applications of Type CR, SG and MM. 

Options: 


None Do not use 2-step Challenge/Response. 

Keyword Use the Request Keyword. This is permitted to be blank. 

Password Use the static password. 

KeywordPassword Use the Request Keyword followed by the static password. No 

separator characters or whitespace should be between them. 

PasswordKeyword Use the static password followed by the Request Keyword. No 


Defines the Keyword that a User must enter to request a 2-step Challenge/Response 

login, if a method using a Keyword is selected in the Request Method. 

This is permitted to be blank. 

The method by which a User has to request a Primary Virtual Digipass login. 

The 'request' is made in the password field during login. The request will be ignored if the 

User does not have a Primary Virtual Digipass assigned. 

Options: 


None Do not use Primary Virtual Digipass. 







Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if 

a method using a Keyword is selected in the Request Method. This is permitted to be 

blank. 

Specifies whether and how the Backup Virtual Digipass feature can be used when this 

Policy is effective. Note that in order for the Backup Virtual Digipass feature to function, it 

must also be activated in the DPX file for the Digipass. 

Options: 





Time Limit 


Max. Uses/User 




No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Time Limit is not applicable when using this option, but 

the Max. Uses/User limit is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Time Limit and the Max. Uses/User limit will be in 

effect. 

Yes - Required Backup Virtual Digipass is mandatory. 

The Time Limit is not applicable when using this option, but 

the Max. Uses/User limit is. 

When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting 

indicates the number of days for which the Backup Virtual Digipass feature may be used 

by a User, once they start using it. 

The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP, using 

the Time Limit defined in the Policy. Once this date has expired, it requires administrator 

intervention either to extend it or to reset it to blank for the next time that the User needs 

to use Backup Virtual Digipass. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they 

will have a separate limit for each one. 

The maximum number of uses of the Backup Virtual Digipass feature permitted for each 

User, if they do not have a specific limit set for them. 

If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and there 

is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP. 

Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be 

used with this Digipass, unless the administrator increases it or resets it to blank. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they 

will have a separate limit for each one. 

The method by which a User has to request a Backup Virtual Digipass login. 

The 'request' is made in the password field during login. The request will be ignored if the 

User does not have a Digipass assigned that is activated for the Backup Virtual Digipass 

feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use. 

Options: 


None Do not use Backup Virtual Digipass. 







Backup Virtual Digipass – Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if 




Request Keyword a method using a Keyword is selected in the Request Method. This is permitted to be 

blank. 

Identification Time Window Controls the maximum number of time steps' variation allowable between a Digipass and 

the aXsGUARD Identifier during login. This only applies to time-based Digipass 

Applications when verifying a One Time Password. 

The Dynamic Time Window option may be used to allow more variation according to the 

length of time since the last successful login. 

If this setting is not specified at all, there is an inbuilt default value of 20. 

Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and 

the aXsGUARD Identifier during Digital Signature verification. This only applies to timebased 

Digipass Applications when validating a signature, but even then it may be used or 

not according to the Online Signature Level setting. 


Initial Time Window Controls the maximum allowed time variation allowable between a Digipass and the 

aXsGUARD Identifier, the first time that the Digipass is used. The time is specified in 

hours. This Initial Time Window is also used directly after a Reset Application operation, 

which can be used if it appears that the internal clock in the Digipass has drifted too 

much since the last successful login. 

This only applies to time-based Digipass Applications when verifying a One Time 

Password. 

In either case, after the first successful login, the Initial Time Window is no longer active. 


Event Window Controls the maximum number of events' variation allowable between a Digipass and the 

aXsGUARD Identifier during login. This only applies to event-based Digipass Applications. 

It always applies when verifying a One Time Password but for Signature validation, it 

depends on the Online Signature Level setting whether the Event Window is used or not. 


Identification Threshold Specifies the number of consecutive failed authentication attempts allowed before the 

Digipass Application is locked from future authentication attempts. Once the Digipass 

Application is locked, the Reset Appl Lock command is required to unlock it for further 


This locking mechanism is separate from the User Lock Threshold and is normally not 

necessary. It only applies when a single Digipass Application can be used for a login, 

either because the User only has one Digipass with one Application, or because the Policy 

restrictions narrow the list down to one Digipass Application. If Policy restrictions are used 

in this way, the Identification Threshold can be used to lock a User out of one kind of login 

(eg. a VPN) while still permitting them to use another kind (eg. a web application). 

If this setting is not specified at all, this feature is not used. 

Signature Threshold Specifies the number of consecutive failed Signature validation attempts allowed before 

the Digipass Application is set to be locked from future signature validation attempts. 

Once the Digipass Application is locked, the Reset Appl Lock command is required to 

unlock it for further signature validation. 

This locking mechanism is separate from the User Lock Threshold and is normally not 

necessary. It only applies when a single Digipass Application can be used for a signature 

validation, either because the User only has one Digipass with one signature-capable 

Application, or because the Policy restrictions narrow the list down to one Digipass 

Application. If Policy restrictions are used in this way, the Signature Threshold can be 




used to lock a User out of one kind of signature validation while still permitting them to 

use another kind. 


Max. Days Since Last Use This setting specifies the maximum number of days for which a Digipass Application can 

go unused for authentication or signature validation. After this limit, authentication and 

signature validation will be rejected until an admnistrator performs a Reset Application 

operation. 


Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication. 

The value 1 should be used for standard RADIUS Challenge/Response. This is the inbuilt 

default value if the setting is not specified at all. 

0 No check is made. This is necessary for 1-step 

Challenge/Response. 

1 The challenge presented for verification must be the last one 

that was generated specifically for that Digipass. This is the 

normal mode of operation in 2-step Challenge/Response. 

2 The challenge presented for verification is ignored; the last 

one that was generated specifically for that Digipass is used. 

3 Only one verification is permitted per time step. This option 

only applies to time-based Challenge/Response. This is a 

method of avoiding a potential replay of a captured response if 

the same challenge comes up again in the same time step. 

4 If the same challenge and response are presented for 

verification twice in a row during the same time step, they are 

rejected. This is an advanced method of avoiding a potential 

replay of a capture challenge/response. 

Online Signature Level This setting is for advanced control of Signature validation. 

The value 0 can be used for Digipass Applications that are neither time- nor event-based. 

This is the inbuilt default value if the setting is not specified at all. 

0 The signature is validated in offline mode. This is useful when 

the signatures may not be validated in the same sequence as 

they were generated by the user. It is also useful when there 

may be some delay after the signature is generated by the 

user, before the signature is validated. 

For time-based Digipass Applications: 

This mode is typically used with a large time step. 

When this mode is used, no clock synchronization occurs 

between the Digipass and the aXsGUARD Identifier. The 

aXsGUARD Identifier will not reject an older signature than the 

most recently validated signature, provided it is still within the 

Signature Time Window. 

For event-based Digipass Applications: 

When this mode is used, the aXsGUARD Identifier will not 

reject an older signature than the most recently validated 

signature, provided it is still within the Event Window. 

1 The signature is validated in online mode. This is useful when 




the signatures are expected or required to be validated 

immediately after they are generated. 

For time-based Digipass Applications: 

This mode is typically used with a small time step. 

When this mode is used, clock synchronization occurs 

between the Digipass and the aXsGUARD Identifier. The 

aXsGUARD Identifier will reject an older signature than the 

most recently validated signature. A newer signature must be 

within the Signature Time Window. 

This mode will allow more than one signature to be validated 

in the same time step, provided that the same exact signature 

is not repeated twice in a row. 

For event-based Digipass Applications: 

When this mode is used, the aXsGUARD Identifier will reject an 

older signature than the most recently validated signature. A 

newer signature must be within the Event Window. 

2 The signature is validated in strict online mode. This is useful 

for time-based signatures when you want to prevent more 

than one signature from the same time step from being 

validated. Otherwise, this mode is the same as online mode. 

3 The signature is validated using the Deferred Event Count. 

This mode only applies to event-based signatures. For each 

signature validation request, the Deferred Event Count must be 

supplied as a parameter. 



3.4 Pre-Loaded Policies 

These Policies are created for the aXsGUARD Identifier on installation of the aXsGUARD Identifier. They provide 

an example for setting up Policies in a typical environment. 

Note: 

The Group Check feature will be supported in future releases. 

Table 10: Pre-Loaded Policies 

Policy Name Parent Policy Description Non-Default Settings 

Base Policy - Globally applicable settings. In 

general, all other Policies should 

inherit from this, directly or 

indirectly. 

Identikey 

Administration Logon 

Base Policy Settings for an administration 

logon including Audit Viewer live 

connection. Separated from the 

main authentication policies to 

avoid accidental interference. 

Locking is off to reduce the 

chance of a lock-out. 

User Lock Threshold=3 

PIN Change Allowed=Yes 

Challenge Request Method=Keyword 

Primary VDP Request 

Method=Password 

Backup VDP Request 

Method=KeywordPassword 

Backup VDP Request Keyword=otp 

Identification Time Window=20 

Check Challenge Mode=1 

Event Window=20 

Sync Window=6 

Online Signature Level= 0 

Identification Threshold=0 

Local Authentication=None 

Back-End Authentication=None 

DUR=No 

Password Autolearn=No 

Stored Password Proxy=No 

Group Check Mode=No Check 

Assignment Mode=Neither 

Search Up OU Path=No 

Application Types=No Restriction 

1-Step Challenge/Response=No 

1-Step Challenge Check Digit=No 

Backup VDP Enabled=No 

Local 

Authentication=Digipass/Password 

User Lock Threshold=0 




Identikey Local 


Identikey Microsoft AD 

Password 

Replacement 

Identikey Novell e- 

Directory Password 

Replacement 

Identikey Microsoft 

ADAM Password 

Replacement 


Auto Assignment 


ADAM Auto 

Assignment 


Self Assignment 


ADAM Self 

Assignment 

Base Policy Settings applicable to all 

IDENTIKEY Server authentication 

Policies, including local 

authentication. In general, all 

other IDENTIKEY Server Policies 

using local authentication should 

inherit from this, directly or 

indirectly. 










ADAM Password 

Replacement 


AD Password 

Replacement 


ADAM Password 

Replacement 

IDENTIKEY Server model for 

password replacement for 

Microsoft Active Directory 


password replacement for Novell 

e-Directory 


password replacement for 

Microsoft ADAM 

IDENTIKEY Server model for Auto 

Assignment for Microsoft Active 

Directory 

IDENTIKEY Server model for Auto 

Assignment for Microsoft ADAM 

IDENTIKEY Server model for Self- 

Assignment for AD Password 

Replacement 


Assignment for ADAM Password 

Replacement 

Local 

Authentication=Digipass/Password 

Local Auth=Default 

Backend Auth=Always 

Backend Protocol=Microsoft AD 

DUR=Yes 

Password Autolearn=Yes 

Stored Password Proxy=Yes 



Backend Protocol=Novell e-Directory 

DUR=Yes 





Backend Protocol=Microsoft ADAM 




Backend Auth=If Needed 

Backend Protocol=Microsoft AD 

Assignment Mode=Auto-Assignment 

Search-Up-OU-Path=Yes 

Local Auth = Default 

Backend Auth = If Needed 

Backend Protocol = Microsoft ADAM 

Assignment Mode = Auto-Assignment 

Search-Up-OU-Path = Yes 


Backend Auth = Always 

Backend Protocol = Microsoft AD 

Assignment Mode = Self-Assignment 



Backend Auth = If Needed 

Backend Protocol = Microsoft ADAM 







Directory Self 

Assignment 

Identikey RADIUS 

Password 

Replacement 

Identikey RADIUS 

Auto-Assignment 

Identikey RADIUS Self- 

Assignment 

Identikey Back-End 


Identikey DP110 

Provisioning 1 

Identikey DP110 


Identikey DP4Mobile 

Register 




Provsioning 2 


Provsioning 3 


Directory Password 

Replacement 







IDENTIKEY Server model for selfassignment 

for Novell e-Directory 


password replacement and 

Dynamic User Registration using 

a RADIUS server for back-end 



Auto-Assignment based on the 

RADIUS password replacement 

model. 


Assignment based on the 

RADIUS password replacement 

model. 

Base Policy IDENTIKEY Server model for only 

Back-End Authentication. 

Change the back-End Protocol to 

the one required. 

Base Policy IDENTIKEY Digipass for Web 

Provisioning model scenario 1 - 

Activation codes are encrypted 

with pre-loaded static 

passwords. 

Base Policy IDENTIKEY DP110 Provisioning 

model scenario 2 - Dynamic 

Registration using Back-End 

System. Change the Back-End 

Protocol to the one required. 

Base Policy IDENTIKEY Digipass for Mobile 

Register - pre-loaded User 

accounts and static passwords. 


provisioning model scenario 1 






Backend Auth = Always 

Backend Protocol = Novell e-Directory 



Backend Authentication=Always 

Backend Protocol=RADIUS 



Grace Period=7 

Search Up OU Path=Yes 

Assignment Mode=Self-Assignment 

Search Up OU Path=Yes 

Assignment Mode=Self-Assignment 

Self Assignment Separator=| 

Backend Protocol=RADIUS 

Backend Authentication=Always 

Local Auth = Digipass/Password 

1-Step Challenge/Response=Yes-Any 

challenge 


Back-End Authentication = Always 

1-Step Challenge/Response=Yes – 

Any challenge 

Online Signature Level = 1 Multiple 

Signatures allowed in same Time Step 

Local Authentication = 

DIGIPASS/PASSWORD 

Backend authentication= NONE 

Digipass type: ‘MOB30’ 

Local Authentication = 

DIGIPASS/PASSWORD 

Backend authentication= IF NEEDED 

Digipass type: ‘MOB30’ 




Identikey DP4Web 






Identikey Deferred 

Time signature 

Verfication 

Identikey Real-Time 

signature verfication 1 





Windows logon online 

authentication - LDAP 

AD Back-End 

Windows logon online 

and offline 

authentication – LDAP 

AD Back-End 



Activation codes are encrypted 

with pre-loaded static 

passwords. 



pre-loaded User accounts and 

static passwords. 



Dynamic Registration using 

Back-End System. Change the 

Back-End Protocol to the one 

required. 

Base Policy Deferred time signature 

verification settings: Time based. 

Base Policy Real-time signature verification 

settings: Time-based, several 

signatures are allowed in the 

same timestep but 2 identical 

successive signatures will be 

rejected. 

Base Policy Real-time signature verification 

settings: Time-based, one 

signature allowed per timestep. 

Base Policy Deferred time signature 

verification settings: Event based, 

off-line mode. 



Windows logon 

online 

authentication - 

LDAP AD Back-End 

Windows Logon for LDAP AD 

Back-End 

Windows logon online and offline 

authentication settings for LDAP 

AD Back-End 



DUR=Yes 

Signature Time Window = 24 

Online signature level = 1 - Multiple 

Signatures allowed in same Time Step 

Online signature level = 2 - Only 1 

Signature/Time Step allowed 

Signature Time Window = 24 

Back-End Authentication = Always 

Back-End Protocol = Microsoft AD 

Dynamic Component Registration = 

Yes 

Enable Random Password = No 

Client Group List = 

Client Group Mode = No check 

Offline Authentication = No 

Offline Authentication = Yes 

Offline Time Window (days) = 21 

Offline Event Window = 300 



3.5 Client Properties 

Table 11: Client Fields 


Client Type The type of Client component represented by the record. For SOAP clients, the type needs to 

match the Component Type parameter passed in the SOAP requests. Each application can 

identify itself as a different type of Client. 

In addition there are some standard 0ptions: 

Administration Program 

RADIUS Client 

Citrix Web Interface 

Outlook Web Access 

IIS6 Module 

Location The IP address or name of the machine represented by the record. For all Client types except 

RADIUS Clients, this must be the source IP address of requests originating from that Client. 

For a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier values sent in the RADIUS 

requests. 

A RADIUS Client of Location default can be used to accept RADIUS requests from all IP 

addresses, using the same Shared Secret. However, where a RADIUS Client record with the 

exact Location exists, its Shared Secret will be used in preference to the default RADIUS Client's 

Shared Secret. 

Protocol The protocol by which requests will be received from the Client. 

SOAP The standard SOAP protocol over HTTPS. This is used by 

programs using the SOAP interface from the aXsGUARD 

Identifier SDK and the Web Administration Interface. 

RADIUS The standard RADIUS protocol. This is used by various remote 

network access hardware and software systems. It can also be 

used as a simple authentication programming interface. 

SEAL A proprietary TCP/IP based protocol used by aXsGUARD Identifier 

and VACMAN Middleware 3.x. It is used by the IIS6 Module, 

Digipass TCL Command-Line Administration and for 

Replication between aXsGUARD Identifiers. 

Policy The name of the Policy that should be used for authentication, Provisioning and signature 

validation requests from the Component. 

Shared Secret The RADIUS Shared Secret between the aXsGUARD Identifier and the RADIUS Client. 

Confirm Shared 

Secret 

Allows confirmation of a new shared secret. 

Created On The date and time that the Client was created. Read-only. 

Last Modified On The date and time that the Client was last modified. Read-only. 

License Key For each SEAL authentication Clients (IIS Modules), a License Key is required. This consists of a 

set of parameters followed by a signature. See for more information. 



3.6 Back-End Server Properties 

Table 12: Back-End Server Fields 


Protocol Back-End Authentication Protocol. RADIUS, Active Directory, ADAM and e-Directory are 

currently supported. 

Domain This field provides the ability to assign particular Back-End Servers to a given Domain. 

This is optional. 

Priority The priority in the case that there are multiple Back-End Servers. The highest priority 

server is tried first, then the next highest, etc. 

Authentication IP IP Address on which the RADIUS Server receives authentication requests. 

Authentication Port UDP Port on which the RADIUS Server receives authentication requests. 

Accounting IP IP Address on which the RADIUS Server receives accounting requests. 

Accounting Port UDP Port on which the RADIUS Server receives accounting requests. 

Shared Secret Shared secret between the aXsGUARD Identifier and the RADIUS Server. 

Confirm Shared Secret Allows confirmation of a new shared secret. 

Timeout Number of seconds to wait for a response from the RADIUS Server before either retrying 

or trying another RADIUS Server. 

No. of Retries Number of times to retry if no response is received from the RADIUS Server. 

Base Search DN The DN where the search for user accounts starts. 

Security Principle DN The DN of the security principle used to access the directory. 

Security Principle Password the password of the security principle. 

Created On Date/time of creation. 

Last Modified On Date/time of last modification. 



3.7 Organization 

Table 13: Domain Fields 


Domain Domain name. Read-only after creation. 

Description A short description for the domain. 

Update History 

Created On The date and time when the record was created. Read-only. 

Last Modified On The date and time when the record was last modified. Read-only. 

Table 14: Organizational Unit Fields 


Domain The domain to which the Organizational Unit belongs. Read-only after creation. 

Description A short description for the Organizational Unit. 

Inherits from 

Organizational Unit 

Update History 

The name of the Organizational Unit immediately above this one in the Organizational structure. 

Created On The date and time when the record was created. Read-only. 

Last Modified On The date and time when the record was last modified. Read-only. 

3.8 Report Properties 

3.8.1 How to define a Query 

Queries consist of: 

a Datafield, which is a field from the database, 

an Operator, which is the operation to be performed on the datafield, 

a Value, which is the value the datafield will be compared against. A value is not necessary with all 

operators. 

To define a query you must select a datafield and an operator. Operators can be selected from the following: 

ISBLANK 

NOTBLANK 

EQUALS 

NOTEQUALS 



STARTS 

INCLUDES 

ENDS 

NOTSTARTS 

NOTENDS 

NOTINCLUDES 

> 

>= 

< 



therefore makes sub counts at a regular 

interval of the amount of times an item has 

occurred 

Description The description of the report that was entered when the report was created. 

Data Source Where the data in the report comes from. The sources can be: 

Users The User data will be used to generate the 

report 

Users + Audit The User data and audit data will be used to 

generate the report 

Digipass 

Digipass + Audit 

Audit 

Digipass data will be used to generate the 

report 

Digipass data and audit data will be used to 

generate the report. 

Only Audit data will be used to generate the 

report. 

Grouping Level The grouping level will be used to group the information on the report into the format you 

require. The grouping levels are: 

Client The report information will be grouped for 

each client 

Domain The report information will be grouped for 

each Domain 

Organizational Unit The report information will be grouped for 

each Organizational Unit 

User 

Digipass 

The report information will be grouped for 

each client 

The report information will be grouped for 

each Digipass 

Time Frequency For Trend Analysis reports. This type of report shows trends over a time period, taking sub 

counts at certain time periods. Use this field to specify the sub-count time frequency 

Created On Date the report was created 

Updated On Date the report definition was last modified 



3.8.2 Reporting Query Fields 

User, DIGIPASS record and Audit data fields can be used for queries to define customized reports. 

Table 16: User Fields for Reporting 

Name Type 

Back-end Authentication Number 

Created Time 

Description String 

DIGIPASS record String 

Disabled Y/N 

Domain String 

Email String 

Has DIGIPASS device Number 

Link_domain String 

Link_userid String 

Local Authentication Number 

Lock Count Number 

Locked Y/N 

Mobile Number 

Modified Time 

Organizational Unit String 

Phone String 

Profiles String 

Status String 

User ID String 

User Name String 



Table 17: DIGIPASS Fields for Reporting 

Name Type 

Application Names String 

Application Types String 

Assigned Date 

Backup VDP Enabled Y/N 

Backup VDP Expires Date 

Backup VDP Uses Left Number 

Created Time Date 


DIGIPASS Type String 

Domain String 

Grace Period End Date 

Modified Time Date 

Org_unit String 

Reserve Number 

Serial Number String 

Status String 

User ID String 

Table 18: Audit Fields for Reporting 

Name Type 

Action String 

AMID String 

Application String 

Area String 

Category String 

Characteristics String 

Client Location String 

Code String 

Command String 

Configuration Details String 

Credentials String 

Data Source String 

Data Source Location String 




Name Type 

Downtime Number 

Error Code Number 

Error Details String 

Error Message String 

Fields String 

From String 

Input Details String 

Message String 

Msg_type Number 

Object String 

Operation String 

Outcome String 

Output Details String 

Password Protocol String 

Policy ID String 

Quota Number 

Reason String 

Request ID String 

Request Type String 

Server Location String 

Session ID String 

Source String 

Source Location String 

Timestamp Date 

To String 

Type String 

Type Code 

Version String 



3.8.3 Standard Reports 

The aXsGUARD Identifier reporting package will come with standard reports. Standard reports are provided for 

the most common administration tasks. 

Purpose Name of Standard Report 

Reports produced by the 

Help desk to help with 

troubleshooting functional 

problems 

Reports produced by 

System administrators to 

help with troubleshooting 

system problems 


Administrators for 

Accounting information 


Administrators for System 

auditing information 

Detailed authentication report 

User authentication history report 

Detailed DIGIPASS registration report 

Detailed activity summary report 

Detailed Signature Validation report 

Detailed Provisioning report 

Signature Validation history report 

Failed Operations summary report 

Succeeded Operations summary report 

Authentication activity by user report 

Authentication activity by client report 

Provisioning activity by user report 

Provisioning activity by client report 

Transaction Signing Activity by User Application report 

Transaction Signing Activity by Client report 

Administration activity summary report 

DIGIPASS availability by type report 

DIGIPASS deployment trend report 

DIGIPASS deployment by type report 

Authentication trend report 

Transaction Signing Activity Trend 

Provisioning activity trend report 

Account lock trend report 

DIGIPASS assignment activity summary report 



3.9 aXsGUARD Identifier Properties 

Table 19: aXsGUARD Identifier Fields 


Location The IP address of the aXsGUARD Identifier represented by the record. 

Policy The name of the Policy that should be used for administration logon requests from the 

Component, including live connections from the Audit Viewer. This Policy is used if there is no 

specific Administration Program Client record for the location of the administration logon. 

Created On The date and time that the Client was created. Read-only. 

Last Modified On The date and time that the Client was last modified. Read-only. 

License Key For each aXsGUARD Identifier, a License Key is required. This consists of a set of parameters 

followed by a signature. See for more information. 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Importing Users with Comma Separated Value Files 

4 Importing Users with Comma Separated Value Files 

DIGIPASS User accounts can be imported into the database from a comma separated values (csv) text file, 

with the following restrictions: 

Each User account must be on a separate line in the text file. 

A header line must be included at the beginning of the file to specify the names of the fields included, and 

the order. The correct case is not required. 

Text strings must be surrounded by double quotes. If double quotes exist within the text string, these must 

be changed to double double quotes. 

These columns may exist in the text file: 

User ID (maximum 255 characters) 

User Name (maximum 64 characters) 

Serial Number (to assign a specific DIGIPASS device; this can be formatted as written on the DIGIPASS 

hardware e.g. 9087653-4 or as it appears in a DIGIPASS record e.g. 0090876534) 

Organizational Unit (Organizational Unit must already exist in the database) 

Domain (Domain must exist already in the database) 

Password (maximum 255 characters) 

Phone (maximum 64 characters) 

Email (maximum 64 characters) 

Mobile (maximum 64 characters) 

A DIGIPASS record must already exist in the database in the correct domain to be assigned to the User. 

If a domain is not specified for a User account, the User account will be added to the Master Domain. 

If the specified domain does not exist in the database, the User account will not be imported. 

Example text file 

USERID,DOMAIN,USERNAME,ORGANIZATIONALUNIT,PASSWORD,PHONE,EMAIL,MOBILE 

"testuser1","master","TestUser1","","password","0455584965","testus 

er1@company.com","0410 555 555" 

"testuser2","master","TestUser2","","secret","055511312","testuser2 

@company.com","" 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Message Delivery Component 

5 Message Delivery Component 

5.1 MDC Tracing Levels 

The MDC uses a trace file to record information on events occurring in the system, for troubleshooting 

purposes. Such records may include generic information, changing conditions, or problems and errors that 

have been encountered. 

The level of tracing used by the MDC depends on its configuration. 

Basic tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Full tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Informational messages [INFOR] 

Data tracing messages [DATA] 

Debugging messages (useful for support purposes) [DEBUG] 

Security messages, messages that may contain security sensitive data [SECUR] 

As there are no size limitations to the trace file, VASCO does not recommend enabling tracing permanently. 

However, if your system is configured with Basic Tracing always enabled, ensure that the file size does not 

cause problems by deleting or archiving it, whenever it gets too large. 

5.2 MDC Result Options 

5.2.1 Overview 

An MDC gateway returns a result for each request. This result is added as audit information in the aXsGUARD 

Identifier auditing system. 

Result options are available in the aXsGUARD Identifier Configuration Tool to transform these results into more 

user friendly text before forwarding the result to the auditing system. 

In the sections below, the different types of gateway results and the related result options are described. 



5.2.2 Gateway Result Page 

5.2.3 Result Options 

A result page is returned by the gateway service when a text message is submitted by the GET or POST 

methods. This page would normally be an HTML formatted page containing specific error codes and/or 

additional messages for success/failure. 

Three types of result messages are generally categorized as: 

Success: success of message delivery (the message has been accepted by the server) 

Failure: The submission/delivery failed, but it is most likely a specific error only affecting this User. The 

User’s login will fail on the first step. Possible causes are: 

Phone number invalid 

Temporary gateway failure 

Malformed query: error(s) occurred while attempting delivery. This means that the delivery failed for a 

particular User, but the error might be affecting all Users. In this case, the User’s login will fail 

immediately. Possible errors of this type are: 

Account data incorrect (Account User or password wrong) 

Account credit expired (for a pre-paid gateway account) 

Communication error with gateway (network error) 

Other permanent gateway errors 

A gateway result page can be recognized by key words and phrases, allowing an alternative message to be 

created for the auditing system. Variables can be extracted from the result page and used in the log message 

to provide extra information. 

Result Page Rules 

The result page rule patterns use the following syntax: 

[Var-Name1] [] [Var-Name2] … 

with the template constructed in the following way: 

: a character string which must be matched in the page returned by the gateway. Note that 

multiple can appear in a single template, but they must not be overlapping. Matching is 

case-sensitive. 

[]: omits a variable part of the result page between two segments, when matching a 

template. This can be useful to ignore arbitrary data or time/date data in the returned web page. 

[Var-Namex]: describes a segment of the result page between two segments or at the end of 

the result page, which is written to a variable. Usually this is data which can provide more detailed 

information about why a message submission failed. The variable name inside the [] brackets can then be 

used as part of the audit message template to create a meaningful message. 



Example 

If the server returns the following result page: 

“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in progress.” 

for successful transmission, or 

“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short” 

for an unsuccessful submission, the following result page rules can be configured: 

Message Rule Name: Success 

Message Rule Pattern: successful at [DateTime], status: [Status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

Message Rule Name: Warning 

Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message] 

Variables retrieved: DateTimeMessage 

Message Rule Name: Error 

Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

No Match Available 

If no Rule matches a Result page returned, an error is logged in the auditing system, reporting that the result 

page returned from the gateway could not be matched. 

Ordering Rules 

The order of the result page template in the configuration data can be used to match more specific messages 

first and finally catch any “other” messages, which the gateway might send. 

Audit message template 

Once a result page template has been matched, a corresponding audit message is constructed with the 

variables retrieved from the result page rule. 

The message template uses the following syntax: 

[VAR-Name1] [Var-Name2] … 

: a character string which will appear literally in the constructed audit message. 

[Var-Namex]: Variable which is derived from the matched variables from the corresponding result page 

template. 

The following variables are predefined and can be used in the audit message template: 



Table 20: MDC Audit Message Variables 

Variable Description 

[otp_dest] The destination address (a mobile phone number) the OTP was sent to. 

[otp_msg] The message that was submitted. This variable also contains the OTP, so it should not be 

used for the construction of audit messages. 

[acc_user] Account name for the gateway. Not recommended for use in audit messages. 

[acc_pwd] Account password for the gateway. Not recommended for use in audit messages. 

[Username] User ID of the User requesting the OTP. 

Examples of variable use: 

Insufficient credit on account [acc_user] when sending to [username] 

Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message] 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Login Options 

6 Login Options 

6.1 Login Permutations 

6.1.1 Login Methods 

The information required to be entered during a login will vary according to the configuration settings of the 

relevant Policy, the login method, and any actions to be performed during the login. 

This section refers to authentication processing only, not Signature Validation or Provisioning. 

The login methods specified are: 

Response Only 

6.1.2 Login Actions 

Challenge/Response: 

6.1.3 Login Variables 

1-Step Challenge/Response: a random challenge is presented on the login page before the User ID is 

known. This is supported for SOAP clients and form-based IIS Modules. 

2-Step Challenge/Response: a challenge is generated after the user submits their User ID with a request 

to be given a challenge. The user then logs in with the response to the challenge in a second step. This is 

supported for all kinds of authentication client. 

Virtual Digipass - Primary or Backup 

A User may be allowed to do these things during a login: 

Set their Server PIN – on first use or after a PIN reset. 

Change their Server PIN. 

Inform the aXsGUARD Identifier that their static password for the Back-End System – eg. Active Directory - 

has been modified. 

Perform a Self-Assignment for a Digipass in their possession. 

The variables which a User may need to enter, in order to do one of the above functions are listed below. The 

code or word used to designate each variable in the following tables is included in brackets. 

One Time Password (OTP) 

Password (Password) 

Server PIN (PIN) 

Serial Number of their Digipass (Serial No) 



6.1.4 Password Format 

Serial Number Separator (Sep.) 

Request Keyword (Keyword) 

In a SOAP authentication request, there are two Password Formats that can be used: 

Cleartext Combined 

Using this format, all the login variables listed above must be entered into a single password field. This 

format applies when the login screen or web page cannot be extended with additional entry fields. 

Cleartext Separate 

6.1.5 Policy Settings 

Using this format, the login variables are entered in separate fields. 

In RADIUS authentication requests, the PAP password protocol corresponds to the Cleartext Combined 

password format. The CHAP, MS-CHAP and MS-CHAP2 password protocols are handled as different password 

formats (as the password is hashed in various ways according to the protocol). In general, these hash-based 

password formats are not capable of combining different login variables, unless all the variables are already 

known to the aXsGUARD Identifier. 

In administrative logons and IIS Module authentication requests, the Cleartext Combined password format is 

always used. 

The Policy settings which will affect the variables required in logins are: 

Stored Password Proxy 

If this attribute is set to Enabled, each User's password must be kept up to date in the aXsGUARD 

Identifier. This is typically achieved by enabling Password Autolearn. 


If the aXsGUARD Identifier is informed of a User's password change, the new password will only be 

recorded by the aXsGUARD Identifier if Password Autolearn is enabled in the relevant Policy 

Serial Number Separator 

If a Serial Number Separator is specified, the User may enter their Digipass serial number exactly as it 

appears on the back of their Digipass (or in the documentation provided to the User), including dashes. If 

a Serial Number Separator is not specified, the Digipass serial number must be padded to 10 characters, 

with all non-numerical characters removed. 

Back-End Authentication 

In the following login permutations tables, 'Back-End Authentication Required' means that the Back-End 

Authentication setting is set to Always or If Needed. 

Where Back-End Authentication is enabled, logins which receive a fail from the back-end authenticator 

may achieve a login action – for example, Change PIN – even though the login was unsuccessful. 



Note 

Back-End Authentication is required for Self-Assignment and Password Autolearn logins. 

6.1.6 Response Only – Cleartext Combined Password Format 

The following two tables apply to the following cases: 

SOAP using Cleartext Combined password format 

Administration logins 

RADIUS using PAP 

IIS Modules 

The first table applies in these cases when: 

EITHER the Stored Password Proxy feature is enabled 

OR Back-End Authentication is not enabled 

Table 21: Login Permutations - Response Only Cleartext Combined (1) 

Server PIN 

Required 

No Server 

PIN 

Required 

Login Type Existing PIN? 

Separator? 

Normal login Yes N/A PIN+OTP 

Password Field Contents 

Set PIN No N/A OTP+NewPIN+NewPIN 

Change PIN Yes N/A PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 1 Yes Yes SerialNo+Sep.+Password+PIN+OTP 

Normal login N/A N/A OTP 

No SerialNo+Password+PIN+OTP 

Changed Password N/A N/A Password+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

1 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be 

padded to 10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self- 

Assignment. 




Separator? 


Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

The second table applies in these cases when: 

The Stored Password Proxy feature is not enabled 

AND Back-End Authentication is enabled 

Table 22: Login Permutations - Response Only Cleartext Combined (2) 

Server PIN 

Required 

No Server 

PIN 

Required 


No SerialNo+Password+OTP 

Normal login Yes N/A Password+PIN+OTP 

Separator? 


Set PIN No N/A Password+OTP+NewPIN+NewPIN 

Change PIN Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 2 Yes Yes SerialNo+Sep.+Password+PIN+OTP 

No SerialNo+Password+PIN+OTP 

Normal login N/A N/A Password+OTP 

Changed Password N/A N/A Password+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

No SerialNo+Password+OTP 

Examples 

Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::'. 

3-179-0987::pA192ss086382012341234 

Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set. 

0031790987PA192ss0863820 


padded to 10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self- 

Assignment. 



6.1.7 Response Only – CHAP/MS-CHAP/MS-CHAP2 

The following table applies to the following case only: 

RADIUS using CHAP, MS-CHAP or MS-CHAP2 

EITHER the Stored Password Proxy feature is enabled 

OR Back-End Authentication is not enabled 

Table 23: Login Permutations - Response Only CHAP/MS-CHAP/MS-CHAP2 

Login Type Server PIN 

Required? 

Normal login Yes PIN+OTP 

No OTP 


6.1.8 2-Step Challenge/Response – Cleartext Combined Password Format 

The following table applies to the following cases: 

SOAP using Cleartext Combined password format 

Administration logins 

RADIUS using PAP 

IIS Modules 

Challenge/Response in RADIUS is only supported for PAP. 

The column Stored Password Proxy Off AND Back-End Auth. Required contains Yes when: 

The Stored Password Proxy feature is not enabled 

AND Back-End Authentication is enabled 

In most cases, this does not affect 2-Step Challenge/Response; just when a Keyword only is used. 



Table 24: Login Permutations – 2-Step Challenge/Response Cleartext Combined 

Login Type Serial Number Separator? 



Stored 

Password 

Proxy Off 

AND Back- 

End Auth. 

Required 3 

Pre-Challenge Response 

Normal login N/A Keyword Yes Keyword Password+OTP 

No Keyword OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

Changed Password N/A Keyword N/A Keyword Password+OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

Self-Assignment 4 Yes N/A N/A SerialNo+Sep.+Password OTP 

No N/A N/A SerialNo+Password OTP 

3 Back-End Authentication is required for Self-Assignment and Password Autolearn logins. 


padded to 10 characters with preceding zeroes. 



6.1.9 Virtual Digipass 

The 2-step Virtual Digipass login is possible when using a SOAP client, the RADIUS Access-Challenge 

mechanism or an IIS Module in form-based authentication mode. The static password is required in either the 

first or the second step, but not both. 

However, many RADIUS environments and IIS Module 'basic authentication' do not support the 2-step login 

process. If the 2-step login process is not possible, two separate 1-step logins are required. The second login 

must include the Password as well as the OTP, but it is not necessary to provide the Password in the first 

login, if only a Keyword is used. 

Using the Cleartext Combined password format, all inputs in the table below are entered into the Password 

field. Using the Cleartext Separate password format, the Keyword and/or Password are always entered into 

the Static Password field, while the OTP is entered into the OTP field. 

Table 25: Login Permutations – Virtual Digipass 

Login 

Type 

Normal 

login 

Changed 

Password 

Request Method 2-step login Two 1-step logins 

Step 1 Step 2 Step 1 Step 2 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

Keyword-Only * Keyword OTP Keyword OTP 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

Keyword-Only* Keyword Password+OTP Keyword Password+OTP 

* This Request Method is only available with DIGIPASS Authentication for Windows Logon 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Firewall Ports 

7 Firewall Ports 

7.1 Overview 

The aXsGUARD Identifier uses several different ports to communicate. If these are blocked by a firewall, some 

features will not work correctly. Listed below are the ports used by the aXsGUARD Identifier and the default 

port number used for each. 

7.2 Incoming Ports 

Table 26: List of Incoming Ports Used by the aXsGUARD Identifier 

Port Default Configuration Source 

RADIUS Authentication Port UDP 1812 Not modifiable RADIUS Clients 

RADIUS Back-end servers 

RADIUS Accounting Port UDP 1813 Not modifiable RADIUS Clients 


SEAL Port TCP 20003 Not modifiable IIS Modules 

Replication from other aXsGUARD Identifiers 

SSL SEAL TCP 20004 Not modifiable Windows Logon Tool 

SOAP TCP 8080 Not modifiable SOAP Clients 

Audit Replication Port TCP 5432 Not modifiable aXsGUARD Identifier in replication setup 

Configuration Replication Port TCP 20003 Not modifiable aXsGUARD Identifier in replication setup 

Replication Wizard Port TCP 20101 Not modifiable Use replication wizard in aXsGUARD Identifier 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Firewall Ports 

7.3 Outgoing Ports 

Table 27: List of Outgoing Ports Used by the aXsGUARD Identifier 

Port Default Configuration Destination 

RADIUS Authentication Port UDP 1812 Back-end server records 

(Authentication Port field) 

RADIUS Accounting Port UDP 1813 Back-end server records 

(Accounting Port field) 

LDAP Port TCP 389 Back-end server records 

(Port field) 

SEAL Port TCP 20003 Replication section, Destination Servers 

tab, destination server properties, Port 

field 

HTTPS connection to the VASCO 

Service Center (SC) 



LDAP Back-end servers 

Replication to other 


TCP 443 Not modifiable sc.vasco.com 

Audit Replication Port TCP 5432 Not modifiable aXsGUARD Identifier in 

replication setup 

Configuration Replication Port TCP 20003 Not modifiable aXsGUARD Identifier in 

replication setup 

Replication Wizard Port TCP 20101 Not modifiable Use replication wizard in 



aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Audit Messages 

8 Audit Messages 

For an explanation of the concepts of Auditing, please refer to the aXsGUARD Identifier Product Guide, 

'Auditing' section. 

8.1 Audit Message Listing 

Table 28: Audit Messages List 

Message 

Code 

Description Notes 

E000001 A system error has occurred. This message is used whenever there is a general 

processing error. It will contain full details of the 

error. 

E001001 The Digipass Plug-In failed to start up. The Plug-In encountered a fatal error on startup 

such as an invalid or missing configuration file. 

E001002 The Digipass Plug-In has been forced into the 

disabled state. 

The Plug-In has started up, but is in a disabled state 

in which it will not process authentication requests. 

This is typically due to a license problem (an invalid 

or missing License Key in the Plug-In's Component 

record); an invalid Component Location setting in 

the configuration file; or a missing Component 

record for the Plug-In. 

E001003 The Authentication Server failed to start up The Authentication Server encountered a fatal error 

on startup. This is typically due to an invalid or 

missing configuration file or failure to connect to the 

data store. 

E002001 The Active Directory AAL3 library failed to 

initialize. 

E002002 The Digipass Authentication library failed to 

initialize. 

The Active Directory 'AAL3' library encountered a 

fatal error on initialization, eg. invalid configuration 

settings in the configuration file. 

The 'Authentication' library encountered a fatal error 

on initialization, eg. invalid configuration settings in 

the configuration file. 

E002004 The RADIUS protocol handler failed to initialize. The protocol handler that receives and processes 

RADIUS requests did not start up. This may be 

because of a missing License Key in the 

Authentication Server Component record, or 

because the License Key in that Component record 

does not enable RADIUS support. Look for the line 

RADIUS=Yes in the License Key details. 

A common reason for this error, when RADIUS is 

enabled in the License Key, is that the RADIUS ports 

are already in use by another process on the 

machine. 

Alternatively, the configuration settings may be 



Message 

Code 


invalid. 

E002006 The Replication library failed to initialize. The Replication library encountered a fatal error on 

initialization, eg. invalid configuration settings in the 

configuration file. 

E002007 Initialization of a Replication destination server 

failed. 

E002008 The Authentication Server protocol handler 

failed to initialize. 

E002009 The VM2 Compatibility protocol handler failed 

to initialize. 

E009001 An error occurred in the Virtual Digipass 

Message Delivery Component. 

E012001 The RADIUS Profile was not found in Steel- 

Belted RADIUS. 

E012002 The RADIUS Attribute was not known by Steel- 

Belted RADIUS. 

The Replication library found the configuration of a 

Destination Server to be invalid. The library will still 

start up if its main configuration settings are valid 

and there is at least one valid Destination Server. 

For the invalid Destination Servers, this audit 

message is generated. 

The protocol handler that receives and processes 

administration requests and authentication requests 

from the IIS modules failed initialization. This is 

typically due to invalid configuration settings or 

because the API port is already in use by another 

process on the machine. 


authentication requests from the VACMAN 

Middleware version 2 IIS modules failed 

initialization. This is typically due to invalid 

configuration settings or because the API port is 

already in use by another process on the machine. 

The MDC encountered an error during the process 

of submitting a request to the HTTP gateway and 

interpreting the response. This may indicate a 

configuration problem for the gateway or 

connectivity issues. The audit message may contain 

further details from the gateway. 

When a RADIUS Profile name is in the Digipass User 

Account but that name is not found in SBR, the 

login is failed with this error. 

This can also occur if there is no RADIUS Profile in 

the Digipass User Account, but there is a Default 

RADIUS Profile configured that was not found in 

SBR. 

When the Digipass User Account has a RADIUS 

attribute in its Authorization Profiles/Attributes list, 

the attribute must be found in SBR. When such an 

attribute is not known to SBR, the login is failed with 

this error. 

The most likely reason for this error to occur is that 

the spelling of the attribute Name is different in SBR 

compared to the Digipass User account. This may 

also occur if the Value of the attribute does not 

convert to the correct data type expected by SBR. 

For example, if an IP address attribute has a Value 



Message 

Code 

E013001 A connection to an ODBC data source could 

not be established. 

E013002 A connection to an ODBC data source is 

broken. 


which is not a representation of an IP address. 

An attempt to connect to an ODBC data source 

failed. This may occur because: 

the database is unavailable for some reason such as 

rebooting 

the database is too busy temporarily to service the 

connection 

there are networking problems 

your credentials used in connecting to the database 

are invalid. 

An established connection to an ODBC data source 

has broken. This may occur because: 

the database suddenly becomes unavailable for 

some reason such as rebooting 

the database becomes too busy temporarily to 

service the connection 

there are networking problems. 

W004001 A connection attempt to Active Directory failed. An attempt to connect to an Active Directory Domain 

Controller failed. This may occur because: the 

Domain Controller is unavailable for some reason 

such as rebooting; the Domain Controller is too busy 

temporarily to service the connection; or there are 

DNS or networking problems. 

W004004 A connection attempt to a Replication 

destination server failed. 

W005001 A connection to Active Directory has terminated 

due to an error. 

W005004 A connection to a Replication destination server 

has terminated due to an error. 

An attempt by the Replication library to connect to a 

Destination Server failed. This may occur because: 

the incorrect IP address or port is configured; the 

Destination Server is unavailable for some reason 

such as rebooting; or there are 

networking/connectivity problems such as an 

intermediate firewall blocking the port. 

An established connection to an Active Directory 

Domain Controller has broken. This may occur 

because: the Domain Controller suddenly becomes 

unavailable for some reason such as rebooting; the 

Domain Controller becomes too busy temporarily to 

service the connection; or there are DNS or 

networking problems. 

An established connection to a Destination Server 

has broken. This may occur because the Destination 

Server suddenly becomes unavailable for some 

reason such as rebooting, or because of a 

temporary networking or connectivity problem. 

W006001 An invalid RADIUS packet has been received. A RADIUS request received was invalid (did not 

conform to the RADIUS protocol). The request is 

discarded. 

This can also occur when a response is received 



Message 

Code 

W006002 A RADIUS request has been received from an 

unknown source. 

W006003 A request has been received from a RADIUS 

Client with no Shared Secret defined. 

W006004 A RADIUS request forwarded by this server has 

been received – there must be a circular proxy 

chain. 

W006005 An Access-Challenge received from the 

RADIUS Server cannot be handled. 


from a RADIUS Server to which a request was 

forwarded, if the response was invalid. The 

response is discarded. 

A RADIUS request was received but there is no 

RADIUS Client Component for the source of the 

request, and there is no “default” RADIUS Client 

Component. The request is discarded. 

This audit message will be repeated at intervals 

when the same unknown source sends requests, 

but not for every request. 

A RADIUS request was received where there is a 

RADIUS Client Component for the source of the 

request, but that Component record does not have a 

Shared Secret defined. Therefore, it is not possible 

to handle the request and it is discarded. 

This will not occur if there is a “default” RADIUS 

Client Component that has a Shared Secret. 

This audit message will be repeated at intervals 

when the same source sends requests, but not for 

every request. 

This can occur when the aXsGUARD Identifier 

forwards a request to a RADIUS Server, and the 

RADIUS Server forwards the request back, due to its 

own proxy rules. It can also occur indirectly in a 

longer 'proxy chain'. The request is discarded, 

otherwise an infinite loop could be created. 

If this occurs, there must be an error in the proxy 

configuration of the RADIUS Server(s). 


forwards a request to a RADIUS Server and the 

RADIUS Server responds with an Access-Challenge. 

An Access-Challenge can only be handled when the 

aXsGUARD Identifier forwards the password 

unmodified to the RADIUS Server. If the aXsGUARD 

Identifier verifies an OTP and forwards the static 

password to the RADIUS Server, it is not possible to 

handle an Access-Challenge from the RADIUS 

Server. 

W006006 A RADIUS Server is not responding. The aXsGUARD Identifier has not managed to get a 

response from the RADIUS Server for some time. 

This message indicates that there may be a problem 

with the RADIUS Server. 

W009001 Virtual Digipass One Time Password delivery 

failed. 

The MDC could not successfully deliver a text 

message via the HTTP gateway. The audit message 

should contain further details from the gateway. 

W010001 A blank password was used for Back-End This message only occurs when the Back-End 



Message 

Code 


Authentication, as Stored Password Proxy is 

disabled and the user did not enter a static 

password. 

W011001 A Backup Virtual Digipass quota of uses has 

been finished. 

W011002 No Digipass was found to assign to a new 

Digipass User Account for Auto-Assignment. 

Authentication setting is Always. 

When Stored Password Proxy is disabled, the 

aXsGUARD Identifier does not pass on the password 

stored in the Digipass User Account to Windows for 

Back-End Authentication. If a User does not enter 

their password as well as their OTP, the login will 

fail because their password has not been provided 

to Windows. 

BVDP Uses Remaining has just been decremented 

to 0 for a Digipass. The User will not be able to use 

that Digipass for Backup Virtual Digipass logins until 

the Uses Remaining is increased or cleared. 

No available Digipass were found for Auto- 

Assignment. This may be because: there were no 

unassigned Digipass in the right location; the 

unassigned Digipass did not conform to Policy 

restrictions; the unassigned Digipass were 

Reserved for individual assignment. 

The location in which the aXsGUARD Identifier 

searches for available Digipass records can be 

controlled to some extent using the Search 

Upwards in Org. Unit hierarchy setting. 

W011003 A Digipass User Account has become locked. A User just exceeded the User Lock Threshold of 

failed logins and their Digipass User Account is now 

Locked. Administrator action is required to unlock 

the account. 

W012002 A Replication update received has been 

ignored, as the local data is more up-to-date. 

W012003 A Replication queue entry has not been 

inserted. 

W013001 An invalid request has been received by the 

Authentication Server. 

W013002 A request has been received by the 

Authentication Server from an unknown 

source. 

The Authentication Server has received a data 

update from another Authentication Server via the 

Replication process, but its local data is already 

newer than the data received via Replication. 

It is normal that this can occur, but it can also 

indicate a potential synchronization issue. 

This can occur when a replication queue has 

reached its maximum size. This is most likely to 

occur when the destination server is down or cannot 

be contacted due to a networking problem. 

The Authentication Server has received an invalid 

authentication, administration or Replication 

request. 

The Authentication Server has received an 

authentication, administration or Replication request 

from an unknown or unauthorized source. If the 

request was from a valid source, this message 

indicates that a Component record is missing (or 

that a required restart of the Service has not been 

made since the creation of the necessary 



Message 

Code 


Component record). 

W014001 The License Key is missing or invalid. A valid, unexpired license key is required to process 

any kind of authentication request. This message 

will be generated periodically when authentication 

requests are received by the Authentication Server, 

when it does not have a valid License Key. 

I001001 The Digipass Plug-In has started up 

successfully. 

I001002 The Authentication Server has started up 

successfully. 

I002001 The Active Directory AAL3 library has been 

initialized successfully. 

I002002 The Digipass Authentication library has been 


I002004 The RADIUS protocol handler has been 


I002006 The Replication library has been initialized 

successfully. 

I002007 Initialization of a Replication destination server 

succeeded. 

I002008 The Authentication Server protocol handler has 

been initialized successfully. 

I002009 The VM2 Compatibility protocol handler has 

been initialized successfully. 

I003001 The Digipass Plug-In has shut down. 

I003002 The Authentication Server has shut down. 

I004001 A connection attempt to Active Directory was 

successful. 

Configuration details are given in the audit 

message. 


message. 

Note that the Authentication Server can start up 

successfully even if a component such as the 

RADIUS protocol handler does not start up 

successfully. 

The Active Directory 'AAL3' library has completed 

initialization. Configuration details are given in the 

audit message. 

The 'Authentication' library has completed 

initialization. Configuration details are given in the 



RADIUS requests started up. Configuration details 

are given in the audit message. 

The Replication library was initialized successfully. 


message. 

The Replication library initialized a Destination 

Server successfully. Configuration details are given 

in the audit message. 


administration requests and authentication requests 

from the IIS modules was initialized successfully. 


message. 


authentication requests from the VACMAN 

Middleware version 2 IIS modules was initialized 

successfully. Configuration details are given in the 




Message 

Code 

I004004 A connection attempt to a Replication 

destination server was successful. 

I005001 A connection to Active Directory has been 

terminated normally. 

I005002 A connection to Active Directory has been 

timed out for load-balancing. 

I005004 A connection to a Replication destination server 

has been terminated normally. 



Domain Controller has ended with a normal 

disconnection. 


Domain Controller has been ended for loadbalancing 

purposes. Periodically the connections 

will be dropped and new ones established, in case 

there is a less busy Domain Controller available. The 

time period is defined by the configuration setting 

Max-Bind-LifeTime in the file, in minutes. 

An established connection to a Replication 

Destination Server has ended with a normal 

disconnection. 

I006001 A RADIUS Access-Request has been received. The aXsGUARD Identifier has received an Access- 

Request. The audit message will indicate what 

action will be taken as well as key details of the 

request. 

I006002 A RADIUS Accounting-Request has been 

received. 

The aXsGUARD Identifier has received an 

Accounting-Request. The audit message will 

indicate what action will be taken as well as key 

details of the request. 

I006003 A RADIUS Server has started responding again. After the aXsGUARD Identifier had not managed to 

get a response from the RADIUS Server for some 

time, this message indicates that it is responding 

again. 

I007001 A RADIUS Access-Accept has been issued. The aXsGUARD Identifier has accepted an Access- 

Request. Note however that it is still possible that 

after the aXsGUARD Identifier has accepted the 

request, another component of the overall process 

may still decide to reject the request ultimately. 

I007002 A RADIUS Access-Challenge has been issued. The aXsGUARD Identifier has issued a challenge, 

either Challenge/Response or Virtual Digipass. 

I007003 A RADIUS Access-Reject has been issued. The aXsGUARD Identifier has rejected an Access- 

Request. 

I007004 A RADIUS Accounting-Response has been 

issued. 

I008001 A Digipass has been moved for assignment to 

a user. 

The aXsGUARD Identifier has acknowledged an 

Accounting-Request. Note however that unless the 

request is forwarded to a RADIUS Server, no 

processing is carried out by the aXsGUARD 


Upon assignment of a Digipass to a User, if the 

Digipass is not already in the same location 

(Organizational Unit) as the User, it is moved to that 



Message 

Code 

I008002 A user-to-user link has been removed due to 

assignment of a Digipass. 

I009001 A Virtual Digipass One Time Password has 

been delivered. 


location. 

If a Digipass User Account is linked to another in 

order to share the Digipass, it must not have a 

Digipass assigned itself. If a Digipass is assigned, 

the link will be broken. 

The MDC successfully delivered a text message via 

the HTTP gateway, as reported by the gateway. The 

audit message may contain further details from the 

gateway. 

Note that depending on the gateway, it may still be 

possible for delivery to fail after the gateway has 

reported success. 

I010001 User authentication was not handled. The aXsGUARD Identifier decided not to handle an 

authentication request due to Policy and/or Digipass 

User Account settings. The main reasons why this 

may occur are: the effective Local Authentication 

and Back-End Authentication settings were both 

None; the User failed the Windows Group Check, 

using the Pass requests for users not in listed 

groups back to host system option. 

Note that the 'effective' settings are the effective 

settings of the Policy, unless the Digipass User 

Account overrides the Policy. 

I010002 A stored password change was unhandled. The aXsGUARD Identifier decided not to handle a 

password change request due to Policy and/or 

Digipass User Account settings. The main reasons 

why this may occur are: the effective Local 

Authentication and Back-End Authentication 

settings were both None; the User failed the 

Windows Group Check, using the Pass requests for 

users not in listed groups back to host system 

option. 




I011001 A Digipass Grace Period has been ended by 

the use of a One Time Password. 

I011002 A Backup Virtual Digipass expiration date has 

been set due to the first request for a Virtual 

One Time Password. 

The first time that an assigned Digipass is used 

successfully to log in, if a Grace Period is still active, 

it is ended immediately. They must continue to use 

their Digipass to log in after that point. 

A User has requested a Backup Virtual Digipass OTP 

for the first time, when the effective Backup VDP 

Enabled setting is Yes – Time Limited and they did 

not already have an Enabled Until date set on their 

Digipass. At this time, they are given the Time Limit 

from the Policy by adding it to the current date. 

I011003 A Backup Virtual Digipass time limit has been A User who has been using Backup Virtual Digipass 



Message 

Code 


expired by the use of the normal One Time 

Password. 

I011004 A Backup Virtual Digipass quota of uses has 

been set due to the first request for a Virtual 

One Time Password. 

I011005 A Digipass User Account has been created 

using Dynamic User Registration. 

I011006 A new static password has been stored using 

Password Autolearn. 

I011007 A Digipass has been assigned to a new 

Digipass User Account using Auto-Assignment. 

I011008 A Digipass has been assigned to a Digipass 

User Account using Self-Assignment. 

I011009 A Digipass challenge has been issued for a 

Self-Assignment attempt. 

has used their normal OTP login using the Digipass 

again. When the effective Backup VDP Enabled 

setting is Yes – Time Limited, using the normal OTP 

login ends their time limit immediately. This is done 

by setting the Enabled Until date on their Digipass 

to the current date. 

An administrator action is required to reset their 

Enabled Until date, if the User is to be allowed to 

use Backup Virtual Digipass again. 

A User has requested a Backup Virtual Digipass OTP 

for the first time, when the effective Backup VDP 

Max. Uses/User setting is greater than 0 and they 

did not already have a Uses Remaining date set on 

their Digipass. At this time, they are given the Max. 

Uses/User limit from the Policy. 

A Digipass User Account has been created 

automatically upon successful Back-End 

Authentication. This occurs when the Dynamic 

User Registration feature is enabled. 

A new static password has been stored in the 

Digipass User Account after successful Back-End 

Authentication. This occurs when the Password 

Autolearn feature is enabled. 

Upon creation of a new Digipass User Account 

through Dynamic User Registration, an available 

Digipass has been assigned to the new account 

automatically. This occurs when the Auto- 

Assignment feature is enabled. 

A User has successfully assigned a Digipass to 

themselves using the Self-Assignment feature. 

A User has obtained a challenge during an attempt 

to assign a Digipass to themselves using the Self- 

Assignment feature. In order to complete the 

assignment, they must provide the correct response 

to the challenge from the Digipass. 

I011010 A user has changed their Digipass PIN. A User has changed their Server PIN during their 

login, or set it up on first use or after a PIN reset. 

I011011 Successfully assigned Digipass The Digipass has been successfully assigned during 

Software Digipass Provisioning. 

I011012 Added new Digipass for Web activation location A new Digipass has been added for a Web 

activation location during Software Digipass 

Provisioning. 

I011013 Static Password Update Successful The static password for the User has been 

successfully changed. 



Message 

Code 

I013001 A connection to an ODBC data source has 

been made successfully. 

I013002 A connection to an ODBC data source has 

been terminated normally. 

S001001 A query for a single [object] record was 

successful. 


An established connection to an ODBC data source 

has ended with a normal disconnection. 

The aXsGUARD Identifier or an administrator has 

made a successful query to the data store for a 

single record. In the case of the aXsGUARD 

Identifier this may be a search for its Component 

record; for an administrator it could be any single 

record query. The audit message has details of the 

record found. 

S001002 A query for [object] records was successful. The aXsGUARD Identifier or an administrator has 

made a successful query to the data store for some 

records. In the case of the aXsGUARD Identifier this 

may be a search for a RADIUS Client Component 

record; for an administrator it could be any list 

query. The audit message has details of the records 

found but this may be truncated. 

S001003 A command of type [object] [command] was 

successful. 

An administrator has issued a successful data 

modification command such as an update of 

settings or one of the Digipass Application 

operations like Reset PIN. The audit message has 

details of the command and results. 

S002001 User authentication was successful. The 'Authentication' library has passed 

authentication for a request. Note however that the 

aXsGUARD Identifier or another component of the 

overall process may still decide to reject the request 

ultimately. 

S002002 User authentication issued a challenge. The 'Authentication' library has issued a challenge 

for an authentication request, either 

Challenge/Response or Virtual Digipass. 

S002004 A stored password change was successful. The Authentication Server has successfully 

processed a password change request. 

S003001 A Replication update was sent successfully. This message is audited at the source server, when 

a database change is sent to a destination server 

and processed successfully. 

S003002 A Replication update received has been 

processed successfully. 

This message is audited at the destination server, 

when a database change is received and processed 

successfully. 

S004001 An administrative logon was successful. An administrative logon to the Authentication Server 

was successful. 

S004002 A Live Audit connection was successful. A Live Audit connection to the Authentication Server 

was successful. 

S005001 Registration Successful The registration of a Software Digipass during 



Message 

Code 


Provisioning was successful. 

S005002 Activation Successful The activation of a software Digipass during 

Software Digipass Provisioning was successful. 

S006001 Signature Validation Successful. When signing a transaction using the Signature 

Verification function, the signature validation was 

successful. 

S009001 A DNS record update was successful. The aXsGUARD Identifier has successfully updated a 

DNS record. 

F001001 A query for a single [object] record failed. The aXsGUARD Identifier or an administrator has 

made an unsuccessful query to the data store for a 

single record. In the case of the aXsGUARD 

Identifier this may be a search for its Component 

record; for an administrator it could be any single 

record query. The audit message has basic details 

of the failure, but there should be a preceding 

E000001 with more details. 

F001002 A query for [object] records failed. The aXsGUARD Identifier or an administrator has 

made an unsuccessful query to the data store for 

some records. In the case of the aXsGUARD 

Identifier this may be a search for a RADIUS Client 

Component record; for an administrator it could be 

any list query. The audit message has basic details 

of the failure, but there should be a preceding 

E000001 with more details. 

F001003 A command of type [object] [command] failed. An administrator has issued an unsuccessful data 

modification command such as an update of 

settings or one of the Digipass Application 

operations like Reset PIN. The audit message has 

basic details of the failure, and there may be a 

preceding E000001 with more details. 

F002001 User authentication failed. The 'Authentication' library has failed authentication 

for a request. The audit message has details of the 

failure (see 9 Error and Status Codes) and there 

may be a preceding E000001 with error details. 

F002003 A stored password change failed. The Authentication Server has not processed a 

password change request. The audit message has 

details of the failure (see 9 Error and Status 

Codes) and there may be a preceding E000001 

with error details. 

F003001 Sending a Replication update was 

unsuccessful. 

F003002 Processing a Replication update received was 

unsuccessful. 

This message is audited at the source server, when 

a database change is not sent to a destination 

server successfully, or it was sent but the 

processing at the destination was unsuccessful. 

This message is audited at the destination server, 

when a database change is received but is not 



Message 

Code 


processed successfully. 

F004001 An administrative logon was rejected. The 'Authentication' library has failed an 

administrative login request. The audit message has 

details of the failure (see 9 Error and Status 

Codes) and there may be a preceding E000001 

with error details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for 

example if the user's credentials were OK but they 

did not have Administrative Logon privilege. 

F004002 A Live Audit connection was rejected. The 'Authentication' library has failed a Live Audit 

connection request. The audit message has details 

of the failure (see 9 Error and Status Codes) 

and 

there may be a preceding E000001 with error 

details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for 

example if the user's credentials were OK but they 

did not have Administrative Logon or Live Audit 

Connection privilege. 

F005001 Static Password verification failed During Software Digipass Provisioning the static 

password for the User was not verified. 

F005001 Backend Authentication failed During Software Digipass Provisioning, the backend 

authentication for the User failed. 

F005001 Digipass assignment failed Assignment of the DIGIPASS failed during Software 

Digipass Provisioning. 

F005001 Reactivation not allowed. The specified Software Digipass may not be 

reactivated. The number of reactivations for 

Software Digipass is limited. The limit may have 

been exceeded. 

F005002 Multiple Digipass found where a single 

Digipass was required 

During Software Digipass Provisioning more than 

one Digipass was found that fulfilled the criteria 

specified. 

F005002 OTP verification Failed The One Time Password generated from the 

Digipass used in the Provisioning process has not 

passed validation. 

F006001 Signature Verification failed. When attempting to sign a transaction using an 

electronic Signature, the signature did not pass the 

verification phase. The transaction will not be 

signed. 

F006001 Multiple Digipass found where a single 

Digipass was required. 

When using the Signature function, aXsGUARD 

Identifier found more than one Digipass record 

assigned to the user. 

F006001 Required request input fields missing The Signature function requires up to eight input 



Message 

Code 


fields. The input fields are defined when the 

Signature function is set up. One or more of those 

input fields was missing in this transation. 

F009001 A DNS record update failed. The aXsGUARD Identifier has failed to update a DNS 

record. 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Error and Status Codes 

9 Error and Status Codes 

9.1 Error Codes 

This section lists the standard error and status codes with the associated messages. 

Table 29: Error Code List 

Error Code Message Notes 

0 (No error) 

-1 An unspecified error occurred This error code may occur when a more specific error 

code is not available or was recorded separately. 

-2 The parameters supplied were invalid Parameters supplied to a function or command were 

invalid. 

-3 A memory error occurred Memory allocation failed. This is normally due to the 

system running low on memory. 

-10 A communications error occurred Inter-process or inter-component communication failed. 

This may also occur with communications to Active 

Directory or a database. This error is normally 

accompanied by further details. 

-11 A license error has occurred General-purpose license failure when a more specific 

code is not available or was recorded separately. 

-12 An operating system call failed A system call failed. This may include file handling, 

Active Directory Services Interface and other calls. It is 

normally accompanied by further details. 

-13 The object was not found An attempt was made to perform an operation on an 

object, such as an Active Directory object, but the object 

did not exist. For example, this may occur when one 

administrator deletes a record that another administrator 

is about to update, when the update operation is 

attempted. 

-14 The object already exists An attempt was made to create an object, such as an 

Active Directory object, but the object already exists. For 

example, this may occur when two administrators try to 

create the same record at the same time. 

-15 The supplied buffer was of the incorrect size An internal data buffer was of insufficient length to hold 

the data required. 

-16 A version error has occurred A version mismatch has occurred. Further details in the 

error record will indicate what versions were 

mismatched. 

-17 The supplied data are invalid General-purpose error when input data to an operation is 

incorrect. Further details of the error will be recorded. 

-18 The object is invalid An attempt was made to perform an operation upon an 




object type that was not recognized. 

-19 The command is invalid An attempt was made to perform an operation using a 

command that was not recognized. 

-20 The object is in use An attempt was made to delete an object, such as an 

Active Directory object, but that object was in use. 

This may occur when you try to delete a Policy, but 

another Policy inherits from the one you are deleting, or a 

Component uses the Policy. 

-21 The operation is not supported General-purpose error when an operation is attempted on 

an object that does not support it. For example, an 

attempt is made to generate a Virtual Digipass OTP using 

a Digipass that is not enabled for Virtual Digipass. 

-22 An object error has occurred General-purpose error on an operation on an object. This 

should be supplemented with more specific details. 

-23 A required field was missing An operation was attempted without specifying one or 

more mandatory input fields. 

-24 Auditing failed An operation failed because auditing was mandatory, but 

failed. 

-30 The configuration is invalid The configuration data in the configuration file are invalid. 

The error record should indicate which specific data were 

invalid. 

-31 A type mismatch has occurred General-purpose error when one datatype is expected but 

a different datatype was provided. 

-32 One or more objects were not initialized Internal initialization error. More specific error details will 

be recorded. 

-33 The cache is full An attempt was made to add an entry to a cache, but the 

cache has reached its configured maximum size. 

-34 The cache entry has reached the maximum 

reference count 

-35 The system is currently too busy to service 

the request 

An attempt was made to retrieve an item from a cache, 

but the item was already in use and the configuration 

indicates a limit on the number of times an item can be 

retrieved from the cache at one time. 

The system received a new request for processing, but 

hit a resource usage limit of some type. This indicates 

that the system is too loaded to handle the request. For 

example, there may be no spare database connection to 

use, even after waiting a short time for one to become 

available. 

-80 A timeout has occurred An operation failed because of a timeout. 

-100 An invalid plugin was supplied Audit configuration specifies a plugin method that is 

unknown or that could not be successfully loaded. 

-101 There is no space left to write the message While auditing to text file, the server was unable to write. 

This would normally occur if disk space has run out. 

-140 A Digipass error has occurred General-purpose failure of a Digipass operation such as 

OTP verification, Reset PIN, Unlock, etc. This is normally 




-150 Delivery of the Virtual Digipass One-Time 

Password failed 

accompanied by a more specific error code and message 

from the VACMAN Controller library. 

A Virtual Digipass OTP was generated successfully, but 

delivery by text message failed. A separate message will 

give more details about the failure. 

-200 The license has expired The License Key has an expiration date set, and the date 

has passed. A permanent License Key must be obtained. 

-201 The license data are invalid One of the details embedded into the License Key is 

invalid for the Component in which it is being loaded. The 

Component will not be able to use the License Key. This 

may be IP address, Component Type, or any other detail 

that can be seen in the License Key text. 

-202 The License Key is corrupted The signature at the bottom of the License Key is invalid. 

This would typically occur if the License Key details were 

modified in any way. 

-250 Decryption has failed - no Storage Key is 

specified in the Encryption Settings 

-251 Decryption has failed - an incorrect Cipher is 

specified in the Encryption Settings 

-252 Decryption has failed - an incorrect Storage 

Key is specified in the Encryption Settings 

Some encrypted data has been created or modified using 

configured, rather than default, encryption settings. This 

error occurs when that data is read by a component that 

does not have configured encryption settings – the 

component is therefore unable to decrypt the data. 

It is necessary to configure the encryption settings in the 

component. See for more information on encryption 

settings. 


differently configured encryption settings. This error 

occurs when that data is read by a component with 

configured encryption settings that use a different Cipher 

Name – the component is therefore unable to decrypt 

the data. 

It is necessary to make sure that the encryption settings 

in all components are identical. See for more 

information. 


differently configured encryption settings. This error 

occurs when that data is read by a component with 

configured encryption settings that use a different 

Storage Key – the component is therefore unable to 

decrypt the data. 

It is necessary to make sure that the encryption settings 

in all components are identical. See for more 

information. 

-300 A database error occurred General-purpose error on a database operation. This 

should be supplemented with more specific details. 

-350 The request received was discarded A replication update that was received was found to be 

superseded by a later change. In this case, the update is 

discarded, as it is no longer relevant. 




This may occur when creating a record, after a record 

has been deleted then re-created. 

It may occur when modifying a record, if a later 

modification occurred before replication could apply the 

first change. 

-351 The request received must be retried A replication update that was received could not be 

applied immediately. In this case, the update is rejected. 

The retry mechanism at the source server will re-send 

the update, according to its configuration settings. 

This may occur if a record does not exist yet, when trying 

to apply a modification or deletion. 

It may occur after a record has been deleted and recreated, 

when a modification of the record is replicated 

but the sequence of deletion and re-creation has not 

been followed in the correct order. 

-352 A replication queue entry had an invalid hash 

value 

When an entry was read from the replication queue 

before sending, its integrity hash value check failed. This 

suggests that the queue entry may have been modified 

since it was added to the queue. In this case, the queue 

entry is not trusted and an error is reported. 

-353 The replication queue is full An operation failed because it needed to update the 

database, but the update could not be added to the 

Replication queue. If the queue is full, no database 

updates are allowed, to avoid the databases getting too 

far out of synchronization. 

Check the Replication Status dialog in the Administration 

MMC Interface and the Replication audit messages to 

investigate why the queue has become full. It is 

necessary to reduce the queue size in order for the 

system to continue to function. 

If this error occurs often, without good reason, consider 

increasing the maximum queue size. This can be 

configured in the Replication tab of the Authentication 

Server Configuration GUI. 

-500 The Service was already started When trying to start a Service, the Service was already 

running. 

-501 The Service was already stopped When trying to stop a Service, the Service was not 

running. 

-10051 File name is blank. No file name was specified. 

-10052 Failed to open File. The file could not be opened. The file does not exist or 

the user attempting to open the file does not have read 

permission for the file. 

-10057 User ID is longer than 255 characters. The maximum User ID length has been exceeded. 

-10059 Password is longer than 255 characters. The maximum Password length has been exceeded. 

-10060 User Name is longer than 64 characters. The maximum User Name length has been exceeded. 

-10061 Serial Number is longer than 10 characters. The maximum Serial Number length has been exceeded. 




-10062 Serial Number is less than 10 characters 

long. 

-10063 Serial Number contains non-alphanumeric 

characters. 

-10064 Organizational Unit is longer than 255 

characters. 

Serial Number must be 10 characters, with no dashes (-) 

and with leading zeros (0) to make it up to 10 characters. 

The minimum Serial Number length has not been 

provided. Serial Number must be 10 characters, with no 

dashes (-) and with leading zeros (0) to make it up to 10 

characters. 

The Serial Number contains non-alphanumeric 

characters. Serial Number must be 10 alphanumeric 

characters, with no dashes (-). 

The maximum Organizational Unit length has been 

exceeded. 

-10065 Domain is longer than 255 characters. The maximum Domain length has been exceeded. 

-10066 Distinguished Name is longer than 1024 

characters. 

The maximum LDAP Distinguished Name (DN) length has 

been exceeded. 

-10067 Mobile Number is longer than 64 characters. The maximum Mobile Phone length has been exceeded. 

-10069 A syntax error occurred reading from the file. A syntax error occurred while reading lines from the 

import file: double-quotes were missing; there are too 

many fields in the line; a comma is missing between 

fields. 

-10070 The file contains characters that are not UTF- 

8 encoded. 

The import file must be fully UTF-8 encoded when 

extended or Unicode characters are included. This 

message indicates that non-UTF-8 characters were 

found in the file. 

-10072 Phone Number is longer than 64 characters. The maximum Phone Number length has been exceeded. 

-10073 Email Address is longer than 64 characters. The maximum Email Address length has been exceeded. 

-10074 No User ID was given. Either the User ID or, 

for Active Directory, the Dishinguished Name 

is needed to import a user. 

-10075 The Mobile No. is invalid. Only numbers, 

spaces, dashes (-) and brackets are allowed 

with a + at the start to indicate a country 

code if needed. 

-10076 The Phone No. is invalid. Only numbers, 

spaces, dashes (-) and brackets are allowed 

with a + at the start to indicate a country 

code if needed. 

-10077 The specified email address contains invalid 

characters and is not in the form 

user@domain. 

-10078 The Field Header was not found or invalid 

when reading from the file. 

A User ID must be supplied to import a user. The only 

exception is when using Active Directory, it is sufficient to 

give the Distinguished Name instead of the User ID. 

The Mobile Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In 

addition a + is allowed at the start for the country code. 

The Phone Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In 

addition a + is allowed at the start for the country code. 

The Email Address is only allowed to include 

alphanumeric characters, @, dots (.), underscores (_) 

and dashes (-). 

The first line of an import file must be a header line. The 

header line is a comma-separated list of field names, 

indicating which fields are included in every other line of 

the file. 

This message indicates that the header line was not 




found, that it included unknown field names or that it was 

not a comma-separated list of field names. 

See the Import User Records topic in the online Help 

for the Administration MMC Interface for a definition of 

the import file header format. 

-400 There was no comms descriptor available The comms descriptor map has not been loaded. 

(support) 

-401 The supplied address could not be resolved name resolution, i.e. DNS, netbios etc 

-402 A socket error occurred. Descriptor should 

be closed 

(communication protocol mismatch 

-403 Descriptor was in the wrong state e.g. trying to bind the socket twice 

-404 The maximum number of open descriptors 

has been reached 

-405 The connection has been closed by the 

remote end 

-406 The command would block, use 'select' should not be seen as a runtime error 

-407 The command is in progress, use 'select' should not be seen as a runtime error 

-408 The comms descriptor is not valid e.g. the socket has not been created 

-450 The key received was invalid The encryption key is somehow invalid 

-550 The config file/registry data could not be 

read 

This error may be returned when a corrupt config file is 

used 

-600 One of the RADIUS attributes was invalid RADIUS attribute field layout is invalid 

-601 The action will result in a size limitation being 

exceeded 

A buffer overflow would occur, this is only used within the 

RADIUS library 

-602 An invalid dictionary file was used this does not appear to be returned anywhere 

-650 Initialisation of lock failed 

-700 Failed to open handle Normally occurs when a file cannot be opened 

-800 An invalid length was supplied looks like this error is currently only used in the case 

where a programming error has occurred, resulting in an 

incorrect length parameter being passed to the mschap 

function "CreateVSAttribute" 

-801 Memory allocation failed This appears to only be used by the "demotoken" code 

-802 Password was blank Can occur when attempting to verify a 

MSCHAP/MSCHAP2 password when the subsequently 

hashed password provided by the used is equivlent to 

hashing a blank string, i.e. the provided password is 

blank 

-803 Password was invalid Occurs within MSCHAP/MSCHAP2 password verification 

when the provided password is incorrect and it is not a 

blank string 

-1001 The packet is from an unknown source A client component does not exist for the client who sent 

the packet 




-1002 The shared secret of the packet's source is 

unknown 

There is no shared secret within the client component for 

the peer which sent this packet 

-1003 Incorrect response authenticator The response packet returned from the RADIUS server 

bears an incorrect authenticator 

-1004 The Message-Authenticator attribute was not 

correct 

The message-authenticator appears to only be checked 

in a response 

-1005 The packet is not from the address sent to The response from the backend does not match the 

source address to which the request was sent 

9.2 DIGIPASS Authentication for Windows Logon Error Messages 

These error messages may be received by a DIGIPASS Windows Logon client. 

Table 30: Error Code List - DIGIPASS Authentication for Windows Logon 


-750 An SSL error occurred 

-751 SSL certificate has expired The server certificate is no longer valid and should be 

regenerated. 

-752 SSL certificate not trusted The authority used for the server certificate is not 

included in the machine's Certificate Authority. 

-753 SSL certificate was rejected because its key 

usage does not permit certificate signing 

-754 SSL handshake timed out. This can occur 

when connecting to a non-SSL port 

Self-signed certificates may be used as both Certificate 

Authority (signing) certificates and server certificates. 

Commercial certificates require a separate Certificate 

Authority certificate. 

Check client and aXsGUARD Identifier configuration to 

ensure that the client is connecting to aXsGUARD 

Identifier using the secure port. 



9.3 Status Codes 

Table 31: Status Code List 

Status Code Message Notes 

0 No error 

 

The status codes from -1 downwards match the 

Error Codes above. 

1000 The credentials were invalid General-purpose failure due to invalid username or 

password, when a more specific status is 

unavailable. 

1002 The user failed the Windows Group Check The aXsGUARD Identifier rejected an authentication 

request due to the Windows Group Check failing. 

This can occur when the effective Windows Group 

Check option is Authenticate listed groups, reject 

others. 

Note that the 'effective' setting is the effective 

setting of the Policy, unless the Digipass User 


1004 The challenge has expired A response to challenge has been given, but the 

expiration time for the challenge has expired. The 

default expiration time is one minute, however this 

can be configured in the configuration file 

VASCO/AAL3/Authlib/Challenge-Cache/Max-Age 

setting (in seconds). 

1005 The user does not have permission to perform 

the specified action 

General-purpose failure of an administration 

command when the administrator does not have 

sufficient privileges to carry out the command. 

1007 The user account is locked The Digipass User Account is Locked. This is 

normally due to consecutive login failures, as 

determined by the Policy setting User Lock 

Threshold. Alternatively the administrator can 

actively lock the account. 

To unlock the User account, an administrator has to 

uncheck the Locked checkbox on the User record. 

1008 The One Time Password has already been 

used 

This status code occurs specifically when an OTP is 

rejected because it has already been used. It may 

also occur when the OTP has not been used but is 

older than the most recently used OTP. 

This can sometimes happen when an authentication 

request is re-sent automatically. 

1009 The user account is disabled The Digipass User Account is Disabled. This may be 

because the administrator has actively disabled the 

account, or because the corresponding Windows 

User account has become disabled or expired. 

1010 No user account was found An authentication request was rejected because no 




Digipass User account was found and Local 

Authentication is required by the Policy. 

1011 The static password was incorrect As part of Local Authentication, verification of the 

static password failed. 

1012 The One Time Password was incorrect Verification of the OTP failed. More specific details 

may be found in the VACMAN Controller error code 

and message. 

1013 The challenge was invalid A response to a challenge was given, but the 

challenge was not the latest one issued for that 

Digipass. This is controlled by the Check Challenge 

Policy setting. 

1014 The Digipass Grace Period has expired A User attempted to log in with their static 

password, but their Grace Period had already 

expired. They have to use a Digipass to log in. 

If they do not have their Digipass yet, the 

administrator will have to allow them more time by 

modifying the Grace Period End date on their 

Digipass record. 

1015 Backup Virtual Digipass is not allowed A User attempted to request a Backup Virtual 

Digipass OTP, but they were not permitted. This 

would normally occur when either: 

The effective Backup VDP Enabled setting is Yes – 

Time Limited, and the Digipass Backup VDP 

Enabled Until date is the current date or before. 

The Digipass Backup VDP Uses Remaining counter 

has reached 0. 

In both cases, administrator intervention is required 

to permit the User to continue to use Backup Virtual 

Digipass. The Enabled Until or Uses Remaining 

limits need to be increased to permit this. 


setting of the Policy, unless the Digipass record 

overrides the Policy. 

1016 The Digipass is not available A User attempted Self-Assignment, but the 

Digipass they requested either could not be found 

within the search scope or was already assigned to 

someone else. 

This may occur because of a mistyped Serial 

Number. Otherwise, the search scope may be 

incorrect or the Digipass may not be in the correct 

location to be made available to the User. See the 

Location of Digipass Records section in the Product 

Guide. 

1017 The user account has no mobile number for 

Virtual Digipass 

A User requested a Primary or Backup Virtual 

Digipass OTP, but it could not be delivered because 

the User account had no mobile phone number. In 

Active Directory this is the first Mobile No. on the 




1018 No password was supplied for a Virtual 

Digipass login 

record. 

A User attempted a Virtual Digipass login, but did 

not enter a password in the second stage of the 

login. See 6.1.9 Virtual Digipass for more 

information. 

1019 The new password confirmation failed In a password change request, the new password 

was not confirmed correctly. 

1020 Local authentication failed General-purpose failure of Local Authentication 

when a more specific status code is not available. 

Additional information should provide more specific 

details. 

1021 Back-end authentication reported that the 

password has expired 

Back-End Authentication (eg. Windows) failed 

because the password was correct but it has 

expired. 

1022 Back-end authentication failed Back-End Authentication (eg. Windows) failed. A 

specific error code and message will accompany 

this record. 

1030 The policy was invalid An authentication request was rejected because the 

applicable Policy had invalid settings or failed to 

load. This should not occur, but is possible due to 

the delay in Active Directory replication for example. 

The two main ways in which a Policy can become 

invalid are: 

One or more choice list settings are Default in the 

Policy, and its parent Policy if it has one. 

A circular chain of Policies has been created, for 

example: Policy A inherits from Policy B; Policy B 

inherits from Policy C; Policy C inherits from Policy 

A. 

The Policy must be fixed in order for authentication 

to be permitted using that Policy. 

1031 The policy does not allow a self-assignment 

attempt 

1032 Hashed passwords cannot be verified by 

Windows 

A User attempted Self-Assignment, but it is not 

permitted under the Policy. 

An authentication request could not be processed 

successfully because Back-End Authentication 

using Windows was required, but the User's 

password was hashed. It is not possible to verify 

hashed passwords with Windows. This can occur 

when a CHAP-based protocol is used – this includes 

CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other 

more complex protocols that utilize a one-way hash 

of the password entered by the User. 

Note that the effective Back-End Authentication 

setting is the effective setting of the Policy, unless 

the Digipass User Account overrides the Policy. 

1033 A Digipass must be used The effective Local Authentication setting is 




1034 Challenge/Response is not supported by 

CHAP-based protocols 

1035 Challenge/Response is not supported by 

Windows 2000 

Digipass Only and the User tried to log in with a 

static password. 




Challenge/Response is only supported in RADIUS 

using the PAP protocol. An attempt was made to 

generate a challenge using a CHAP-based protocol 

– this includes CHAP, MS-CHAP, MS-CHAP2, EAP- 

MD5 and other more complex protocols. 

This status code can only occur in the Digipass 

Plug-In for IAS. There is a product limitation on 

Windows 2000 only that Challenge/Response is not 

supported. It will occur if the User attempted to 

request a challenge. 

1036 1-Step Challenge/Response is disabled A request was made to generate a random 

challenge for 1-step Challenge/Response, but the 

applicable Policy does not have 1-step 

Challenge/Response enabled or does not specify the 

challenge length and check digit indicator. 

1037 Password Autolearn is disabled A request was made to update a user's Stored 

Password, but Password Autolearn is disabled, so 

the update is not permitted. Password Autolearn 

must be enabled for the password update request to 

be processed. 

1038 The administration session ID is not known at 

this location 

An administration command has been received, but 

the internal session ID is not recognised at the 

location from which the command came. This can 

only occur by attempting to reuse a session ID from 

another location. 

1039 The administration session is no longer active An administration command has been received, but 

the session has stopped or is unrecognised. This 

can occur due to an idle timeout, a maximum 

session length timeout or a restart of the aXsGUARD 


1040 Back-end authentication returned a Challenge 

that cannot be handled 


forwards a request to a RADIUS Server and the 

RADIUS Server responds with an Access-Challenge. 

An Access-Challenge can only be handled when the 

aXsGUARD Identifier forwards the password 

unmodified to the RADIUS Server. If the aXsGUARD 

Identifier verifies an OTP and forwards the static 

password to the RADIUS Server, it is not possible to 

handle an Access-Challenge from the RADIUS 

Server. 

It can also occur if you use RADIUS Back-End 

Authentication for an IIS Module. In that case, 




1041 No Digipass was found for the given Serial 

Number 

1042 Self-Assignment was attempted but Back-End 

Authentication did not occur to authenticate the 

static password 

Access-Challenge is not supported from the RADIUS 

Server. 

During a Self-Assignment attempt, the Serial 

Number provided by the User was not found in the 

data store. This mainly occurs when the Serial 

Number is entered incorrectly. It can also occur 

because the Digipass record is not in the User's 

Domain or Organizational Unit. 

Self-Assignment is not allowed without Back-End 

Authentication. This is required to validate the static 

password. 

1050 Reactivation is not allowed A reactivation attempt was refused for one of the 

following reasons: 

The Digipass has already been activated from 

the maximum number of allowed locations. 

This limit is controlled by the Provisioning 

Scenario configuration setting Max 

Locations. 

The maximum number of allowed activation 

attempts has already been reached. This limit 

is controlled by the Provisioning Scenario 

configuration setting Max Attempts. 

The minimum time interval required between 

activation attempts has not yet been reached 

since the last activation attempt. This limit is 

controlled by the Provisioning Scenario 

configuration setting Min Interval. 

1051 Multiple Digipass found where a single 

Digipass was required 

1052 The user account has no static password to 

encrypt the activation code 

An activation attempt was made where the user had 

two or more Digipass that could be used. The 

activation request did not specify which Digipass 

should be used to handle the request. 

If no Local Authentication or Back-End 

Authentication is done during an activation request, 

a static password is required from the Digipass User 

account. The password is used to encrypt the 

activation code. 

1053 No Digipass was available for assignment No available Digipass was found for the Provisioning 

Register request. The Digipass must be capable of 

activation and meet the Digipass restrictions in the 

Policy settings if any. 

1054 Error generating activation code Generation of an activation code for Provisioning 

failed. More specific details may be found in the 

VACMAN Controller error code and message. 

1060 The Signature failed validation Verification of the signature failed. More specific 

details may be found in the VACMAN Controller 

error code and message. 

1061 The Signature has already been used This status code occurs specifically when a 




1062 A Host/Confirmation Code is required but the 

Digipass Application is not able to generate it 

signature is rejected because it has already been 

used. It may also occur when the signature has not 

been used but is older than the most recently used 

signature. 

This behaviour depends on the effective Online 

Signature Level Policy setting. 

For an authentication request, a Host Code was 

required to be returned. The Digipass Application for 

which the OTP was validated was not capable of 

generating a Host Code. 

For a signature validation request, a Confirmation 

Code was required to be returned. The Digipass 

Application for which the signature was validated 

was not capable of generating a Confirmation Code. 

The DPX file that was used to import the Digipass 

Application controls whether the Host or 

Confirmation Code can be generated. 

3001 A Digipass Challenge was returned This status code is the standard code when a 

challenge is issued and does not indicate any kind 

of error. 

3002 No challenge was identified for the 

authentication 

A response to a challenge was given, but no 

challenge could be found. The most likely reason for 

this to occur is that the challenge is too old and has 

been removed from the challenge cache. It can also 

occur if no 'challenge key' was supplied with which 

to look up the challenge. 

3003 Back-end authentication returned a Challenge This occurs when a RADIUS Server responds with 

an Access-Challenge, in a case where the 

aXsGUARD Identifier can handle it. 

5001 The user failed the Windows Group Check The aXsGUARD Identifier decided not to handle an 

authentication request due to the Windows Group 

Check failing. This can occur when the effective 

Windows Group Check option is Pass requests for 

users not in listed groups back to host system. 




5002 Neither local nor back-end authentication was 

done due to policy and/or user settings 

The aXsGUARD Identifier decided not to handle an 

authentication request because the effective Local 

Authentication and Back-End Authentication 

settings were both None. 





aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Tracing 

10 Tracing 

The level of tracing for the aXsGUARD Identifier can be configured using the aXsGUARD Identifier Configuration 

Tool. 

Tracing messages will be recorded to a text file. 

Table 32: Tracing Message Types 

Message Type 

Code 

[CRITC] Critical error/warning 

Notes Examples 

[MAJOR] Major error/warning [MAJOR] > Failed to execute command. Error 

[MINOR] Minor error/warning [MINOR]> Cannot get License Key from Component record 

[CONFG] Configuration/initialization [CONFG] > ODBC Database audit plugin is successfully 

loaded 

[CONFG] > Component cache configured as: 

max age : 900 

max size : 1000 

clean threshold : 800 

min clean interval : 60 

[ALERT] Alerts [ALERT] > disconnecting from server. 

[INFO] Informational messages [INFO ] > Audit: {Info} {Initialization} {I-002002} {The 

Digipass Authentication library has been initialized 

successfully.} 

[INFO ] > Creating Digipass object. 

[VINFO] Verbose informational messages [VINFO] > Event log source is 

[VINFO][ODBCConnection::OpenConnection] > Established 

connection to ODBC database 

[DATA] Data tracing [DATA ] > Prepared SQL statement "SELECT vdsDomain, 

vdsDescription, vdsCreateTime, vdsModifyTime FROM 

vdsDomain ORDER BY vdsDomain" 

[TEMP] Temporary data values [TEMP ] > Updated list is 

[RESRC] Resource usage [RESRC] > Socket Bound to 

[DEBUG] Debugging (useful for support 

purposes) 

[SECUR] Security messages, messages that 

may contain security sensitive data 

[DEBUG] > Registering Binary with Event 

log for Source < Identikey Server 3 

{Application}> 

[DEBUG] > Committed transaction 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Tracing 

There are two tracing levels available when configuring tracing from the aXsGUARD Identifier Configuration 

Tool – Basic and Full. This can be customised further if required by directly editing the configuration file. The 

message types recorded by each level are shown in the table below. 

Table 33: Tracing Message Levels 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

Basic Full 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

VINFO 

DATA 

TEMP 

RESRC 

DEBUG 

SECUR 

Basic and Full tracing levels output different amounts of information in trace messages. 

Table 34: Tracing Message Contents 

Trace Level Message Contents 

Basic [date_time] [thread ID] [level code] message 

Full [date_time] [thread ID] [level code] [internal function name] message 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Support Procedure 

11 Support Procedure 

If you encounter problems with a VASCO product, please follow the steps below: 

1. Check if your problem is resolved in the Knowledge Base located at the following URL: 

http://www.vasco.com/support. 

2. If you are unable to solve your problem with the Knowledge Base, please contact the company which 

sold you the VASCO product. 

3. If your supplier is unable to resolve your query, they will automatically contact the appropriate VASCO 

expert. If necessary, VASCO experts can access your aXsGUARD Identifier remotely to resolve any 

problems. Remote support and access to your aXsGUARD Identifier are achieved through the VASCO 

Service Center. For information on the VASCO Service Center, please refer to the aXsGUARD Identifier 

Product Guide. 


aXsGUARD Identifier 3.1.3.0 Administration Reference Guide v1.7 Index 

Alphabetical Index 

Accessing Further Reading.................................................................... 7 

Administration Web Interface................................................................. 8 

aXsGUARD Identifier............................................................................. 8 

Check Digit........................................................................................ 27 

Comma Separated Value Files............................................................. 46 

Configuration Tool............................................................................ 8, 9 

Convenience Layer............................................................................... 8 

Documents.......................................................................................... 6 

Firewall Ports..................................................................................... 58 

IDENTIKEY........................................................................................... 8 

LDAP User Synchronization........................................................... 15 

Settings...................................................................................... 12 

Synchronization Profile................................................................. 15 

IDENTIKEY Settings................................................................................. 

Active Directory........................................................................... 14 

ADAM......................................................................................... 14 

Authentication............................................................................. 13 

e-Directory.................................................................................. 14 

Gateway...................................................................................... 12 

MDC........................................................................................... 12 

Provisioning................................................................................. 13 

RADIUS....................................................................................... 14 

Scenarios.................................................................................... 13 

Server Discovery ......................................................................... 12 

Signature.................................................................................... 13 

Tracing....................................................................................... 14 

Login Permutations............................................................................. 51 

Message Delivery Component.............................................................. 47 

Network Fields....................................................................................... 

Default Gateway........................................................................... 11 

DNS............................................................................................ 11 

Proxy.......................................................................................... 11 

One Time Password...................................................................... 53, 54 

Organizational structure. .................................................................... 38 

Policies, Pre-loaded............................................................................ 32 

Report Fields.......................................................................................... 

Audit Query Fields........................................................................ 42 

Digipass Query Fields................................................................... 42 

Query Fields................................................................................ 41 

User Query Fields......................................................................... 41 

Rescue Tool......................................................................................... 8 

Response Only................................................................................... 53 

Standard Reports............................................................................... 44 

Support............................................................................................. 89 

System Fields........................................................................................ 

Backup and Restore..................................................................... 10 

Logging....................................................................................... 10 

Remote Logging.......................................................................... 10 

Settings........................................................................................ 9 

Time............................................................................................. 9 

VACMAN Software................................................................................ 8 

VASCO................................................................................................ 8

aXs GUARD Identifier Administration Reference - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?