aXs GUARD Identifier Administration Reference - Vasco
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
<strong>Administration</strong> <strong>Reference</strong> Guide<br />
3.0<br />
3.1.3.0
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> 3.1.3.0 <strong>Administration</strong> <strong>Reference</strong> Guide v1.7 Legal Notice<br />
VASCO Products<br />
VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as<br />
‘VASCO’. VASCO Products comprise Hardware, Software, Services and Documentation. This document<br />
addresses potential and existing VASCO customers and has been provided to you and your organization for the<br />
sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to<br />
use VASCO Software or a contractual agreement to use VASCO Products.<br />
Disclaimer of Warranties and Limitations of Liabilities<br />
VASCO Products are provided ‘as is’ without warranty or conditions of any kind, whether implied, statutory, or<br />
related to trade use or dealership, including but not limited to implied warranties of satisfactory quality,<br />
merchantability, title, non-infringement or fitness for a particular purpose.<br />
VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY<br />
CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY<br />
THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS<br />
INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE<br />
VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE<br />
LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF<br />
OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE<br />
PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR<br />
DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS<br />
SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY<br />
REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.<br />
Intellectual Property and Copyright<br />
VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO<br />
Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products,<br />
updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights,<br />
database rights and all other intellectual and industrial property rights. No part of these Products may be<br />
transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or<br />
otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing.<br />
This document is protected under US and international copyright law as an unpublished work of authorship. No<br />
part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic,<br />
mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized<br />
licensee.<br />
Trademarks<br />
VASCO®, VACMAN®, IDENTIKEY®, <strong>aXs</strong><strong>GUARD</strong>®, DIGIPASS®, and the ® logo are registered or<br />
unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the<br />
U.S. and other countries. Other company brand or product names or other designations, denominations, labels<br />
and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications<br />
(irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the<br />
trademarks or registered trademarks or be part of any other entitlement of their respective owners.<br />
Radius Disclaimer<br />
Information on the RADIUS server provided in this document relates to its operation in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
environment. We recommend that you contact your NAS/RAS vendor for further information.<br />
Copyright © March 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights<br />
reserved.<br />
© 2010 VASCO Data Security 2
Table of Contents<br />
1 Audience and Purpose of this Document................................................................................................... 6<br />
1.1 Documentation................................................................................................................................................6<br />
1.2 Available Guides..............................................................................................................................................7<br />
1.3 What is the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>? ...................................................................................................................8<br />
1.4 About VASCO...................................................................................................................................................8<br />
2 Configuration Tool: Field Listings.............................................................................................................. 9<br />
2.1 System............................................................................................................................................................. 9<br />
2.2 Network Settings...........................................................................................................................................11<br />
2.3 IDENTIKEY...................................................................................................................................................... 12<br />
2.3.1 Settings....................................................................................................................................................12<br />
2.3.2 LDAP User Synchronization......................................................................................................................15<br />
3 <strong>Administration</strong> Web Interface: Field Listings............................................................................................ 18<br />
3.1 User Properties..............................................................................................................................................18<br />
3.2 Digipass Properties........................................................................................................................................21<br />
3.3 Policy Properties............................................................................................................................................23<br />
3.4 Pre-Loaded Policies.......................................................................................................................................32<br />
3.5 Client Properties............................................................................................................................................36<br />
3.6 Back-End Server Properties...........................................................................................................................37<br />
3.7 Organization................................................................................................................................................... 38<br />
3.8 Report Properties...........................................................................................................................................38<br />
3.8.1 How to define a Query..............................................................................................................................38<br />
3.8.2 Reporting Query Fields.............................................................................................................................41<br />
3.8.3 Standard Reports......................................................................................................................................44<br />
3.9 <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Properties......................................................................................................................45<br />
4 Importing Users with Comma Separated Value Files................................................................................ 46<br />
5 Message Delivery Component................................................................................................................. 47<br />
5.1 MDC Tracing Levels.......................................................................................................................................47<br />
5.2 MDC Result Options.......................................................................................................................................47<br />
5.2.1 Overview..................................................................................................................................................47<br />
5.2.2 Gateway Result Page................................................................................................................................48<br />
5.2.3 Result Options..........................................................................................................................................48<br />
6 Login Options......................................................................................................................................... 51<br />
6.1 Login Permutations........................................................................................................................................51<br />
6.1.1 Login Methods..........................................................................................................................................51<br />
6.1.2 Login Actions............................................................................................................................................51<br />
6.1.3 Login Variables.........................................................................................................................................51<br />
6.1.4 Password Format.....................................................................................................................................52<br />
6.1.5 Policy Settings..........................................................................................................................................52<br />
6.1.6 Response Only – Cleartext Combined Password Format...........................................................................53<br />
6.1.7 Response Only – CHAP/MS-CHAP/MS-CHAP2..........................................................................................55<br />
6.1.8 2-Step Challenge/Response – Cleartext Combined Password Format......................................................55<br />
6.1.9 Virtual Digipass........................................................................................................................................57<br />
7 Firewall Ports.......................................................................................................................................... 58<br />
7.1 Overview........................................................................................................................................................ 58<br />
7.2 Incoming Ports...............................................................................................................................................58<br />
7.3 Outgoing Ports...............................................................................................................................................59<br />
8 Audit Messages...................................................................................................................................... 60<br />
8.1 Audit Message Listing....................................................................................................................................60<br />
9 Error and Status Codes........................................................................................................................... 73<br />
9.1 Error Codes....................................................................................................................................................73<br />
9.2 DIGIPASS Authentication for Windows Logon Error Messages........................................................................79<br />
9.3 Status Codes.................................................................................................................................................. 80<br />
10 Tracing................................................................................................................................................... 87<br />
11 Support Procedure.................................................................................................................................. 89<br />
Index of Tables<br />
Table 1: System Fields........................................................................................................................................................................ 9<br />
Table 2: Network Fields.....................................................................................................................................................................11<br />
Table 3: IDENTIKEY Settings Fields.................................................................................................................................................... 12<br />
Table 4: IDENTIKEY LDAP User Synchronization: General Fields......................................................................................................... 15<br />
Table 5: IDENTIKEY LDAP User Synchronization: Filter Fields............................................................................................................. 16<br />
Table 6: IDENTIKEY LDAP User Synchronization: Attribute Mapping Fields......................................................................................... 16<br />
Table 7: User Fields...........................................................................................................................................................................18<br />
Table 8: Digipass Fields.................................................................................................................................................................... 21<br />
Table 9: Policy Fields.........................................................................................................................................................................23<br />
Table 10: Pre-Loaded Policies .......................................................................................................................................................... 32<br />
Table 11: Client Fields.......................................................................................................................................................................36<br />
Table 12: Back-End Server Fields......................................................................................................................................................37<br />
Table 13: Domain Fields....................................................................................................................................................................38<br />
Table 14: Organizational Unit Fields...................................................................................................................................................38<br />
Table 15: Report fields...................................................................................................................................................................... 39<br />
Table 16: User Fields for Reporting....................................................................................................................................................41<br />
Table 17: DIGIPASS Fields for Reporting............................................................................................................................................ 42<br />
Table 18: Audit Fields for Reporting...................................................................................................................................................42<br />
Table 19: <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Fields.................................................................................................................................................45<br />
Table 20: MDC Audit Message Variables........................................................................................................................................... 50<br />
Table 21: Login Permutations - Response Only Cleartext Combined (1)............................................................................................. 53<br />
Table 22: Login Permutations - Response Only Cleartext Combined (2)............................................................................................. 54<br />
Table 23: Login Permutations - Response Only CHAP/MS-CHAP/MS-CHAP2......................................................................................55<br />
Table 24: Login Permutations – 2-Step Challenge/Response Cleartext Combined..............................................................................56<br />
Table 25: Login Permutations – Virtual Digipass................................................................................................................................ 57<br />
Table 26: List of Incoming Ports Used by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>..................................................................................................... 58<br />
Table 27: List of Outgoing Ports Used by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>..................................................................................................... 59<br />
Table 28: Audit Messages List...........................................................................................................................................................60<br />
Table 29: Error Code List...................................................................................................................................................................73<br />
Table 30: Error Code List - DIGIPASS Authentication for Windows Logon........................................................................................... 79<br />
Table 31: Status Code List.................................................................................................................................................................80<br />
Table 32: Tracing Message Types..................................................................................................................................................... 87<br />
Table 33: Tracing Message Levels.....................................................................................................................................................88<br />
Table 34: Tracing Message Contents.................................................................................................................................................88<br />
1 Audience and Purpose of this Document<br />
1.1 Documentation<br />
This <strong>aXs</strong><strong>GUARD</strong>® <strong>Identifier</strong> <strong>Administration</strong> <strong>Reference</strong> Guide is part of a set of guides on the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>. It provides lists of field explanations and other reference data for technical experts using the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> and is intended for reference only. Information is provided in table format for quick<br />
reference, as follows:<br />
Section 2 describes the Configuration Tool fields. Only modifiable fields are listed. For more information on<br />
system actions (e.g. updates, backup and restore, reboot and shutdown etc.) please see the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong> Installation Guide.<br />
Section 3 lists the <strong>Administration</strong> Web Interface fields and their descriptions. For more information on actions<br />
possible in the <strong>Administration</strong> Web Interface, please refer to the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide.<br />
Section 4 lists the restrictions for importing user records using comma separated value files.<br />
Section 5 explains the Message Delivery Component trace levels and result options.<br />
Section 6 lists the login options and related reference data.<br />
Section 7 lists the firewall port reference data.<br />
Section 8 describes the audit messages.<br />
Section 9 describes the error and status codes.<br />
Section 10 describes the tracing types, levels and contents.<br />
Section 11 explains the support procedure for further help.<br />
1.2 Available Guides<br />
Other documents in the set of <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> documentation include:<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Installation Guide, which supports planning for and installation of the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>.<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide, which is intended for technical experts interested in learning<br />
about the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>. This document describes the structure of the product, the concepts<br />
underpinning authentication and how the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> can support authentication within your IT<br />
infrastructure.<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> SDK Programmer's Guide, which provides in-depth information required for<br />
development work using the SDK. This document is only relevant to SOAP Authentication, Electronic<br />
Signatures and Provisioning.<br />
A set of DIGIPASS Windows Logon Guides, which provide information on the concepts, installation and<br />
configuration, setting up and testing of . Additionally the DIGIPASS Windows User Guide provides<br />
information for end-users.<br />
Two Password Synchronization Manager Guides, for installation and end users respectively.<br />
A Filter Guide (for each available filter) for installation and end users.<br />
Access to the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> guides is provided via the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Configuration Tool. The<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Installation and Configuration Guide is also provided with delivery of the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>. Manuals for <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> add-ons are provided on the CDROM delivered with the appliance.<br />
The remainder of this section briefly introduces the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> and VASCO®.<br />
1.3 What is the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>?<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> secures internal and remote access to network applications, and remote access to<br />
applications offered online. It is a stand-alone authentication solution based on IDENTIKEY®, a version of<br />
VASCO's VACMAN® software, which is compatible with both Linux and Windows environments. Together with<br />
DIGIPASS® technology providing the client-side component, the solution delivers strong two-factor<br />
authentication.<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> is a simple and cost-effective solution, which can easily be integrated into existing IT<br />
infrastructures to support authentication in small to medium sized enterprises. The product integrates usability<br />
features described as a 'convenience layer' including:<br />
simple installation and maintenance<br />
remote support from VASCO experts<br />
semi automatic updating (proactively prompting update, but still within the control of the administrator)<br />
simple registration<br />
backup and restore functionality<br />
real time feedback on system status with statistics<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> has three user interfaces:<br />
the Configuration Tool for system administrators, for installation and maintenance.<br />
the <strong>Administration</strong> Web Interface, for system administrators to manage the daily use of the system.<br />
the Rescue Tool, intended for administrators to manage some limited settings.<br />
For more information on the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> and the concepts underpinning its operation and<br />
architecture, please see the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide, available via the Help button in the<br />
Configuration Tool.<br />
1.4 About VASCO<br />
VASCO is a leading supplier of strong authentication and Electronic Signature solutions and services<br />
specializing in Internet Security applications and transactions. VASCO has positioned itself as global software<br />
company for Internet Security serving customers in more than 100 countries, including many international<br />
financial institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and<br />
e-government.<br />
Over 50 of VASCO’s client authentication technologies, products and services are based on VASCO’s one and<br />
unique core authentication platform: VACMAN®. VASCO solutions comprise combinations of the VACMAN core<br />
authentication platform, IDENTIKEY® authentication server, <strong>aXs</strong><strong>GUARD</strong>® authentication appliances, DIGIPASS®<br />
client Password and Electronic Signature software and DIGIPASS PLUS authentication services.<br />
For further information on these security solutions, please see www.vasco.com<br />
2 Configuration Tool: Field Listings<br />
2.1 System<br />
Note:<br />
Only modifiable fields are listed; for more information on system actions (e.g. updates,<br />
backup and restore, reboot and shutdown etc.) or wizards, (e.g. Update and Registration)<br />
please see the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Installation Guide.<br />
Table 1: System Fields<br />
Settings<br />
Field Name Description<br />
Hostname This is the internal name of the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> and is used:<br />
to uniquely identify log lines when sent to a remote syslog server. See the section on<br />
'Logging' in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide for more information.<br />
to identify <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>s in a replication setup, and<br />
for selecting the correct <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> to log on to using the <strong>Administration</strong><br />
Web Interface in a replication setup. See the section on 'Replication' in the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide for more information.<br />
Time<br />
Field Name Description<br />
Time zone Each log line and audit event in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> is generated with a time stamp.<br />
This time zone field determines the time-offset of the time stamp. We recommend setting<br />
the time zone to 'UTC' (=Greenwich Mean Time) for an efficient support service.<br />
NTP server(s) The Network Time Protocol (NTP) is designed to synchronize the clocks of computers over<br />
a network. Enter the IP address(es) of the NTP server(s) used in the company network. A<br />
comma-separated list of time servers can be used, in which case the first entry is used for<br />
synchronization. A subsequent entry in the list is used whenever the previous server in the<br />
list is unavailable.<br />
Logging<br />
Field Name Description<br />
Level The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> convenience layer generates information in the logging system.<br />
This logging system does not contain information from the IDENTIKEY component. For<br />
more information on the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> logging system, please see the 'Logging'<br />
section in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide.<br />
The logging system can be configured to generate information at different levels. The<br />
meaning of these levels is explained below.<br />
Critical A system-critical warning that services may not be running. Please follow the<br />
support procedure described in section 11.<br />
Error Error condition: action required, although services may still be running.<br />
Warning Not an error, but an indication that an error may occur if action is not taken.<br />
Notice Events which are unusual but not error conditions. No immediate action<br />
required.<br />
Info Normal operational messages, may be collected for reporting etc. No action<br />
required.<br />
Debug Information useful to debug the application. Not useful during operations.<br />
Remote Logging<br />
Syslog server(s) The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> logging system allows forwarding of log lines to a remote syslog<br />
server. Enter the IP address of the remote syslog server in this field. A comma-separated<br />
list of IP addresses can be used in which case the log lines are sent to all servers listed.<br />
For more information on the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> logging system, please see the 'Logging'<br />
section in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide.<br />
Level The logging system can be configured to generate information at different levels. A level<br />
can be selected for forwarding to the remote syslog server. The meaning of the levels is<br />
explained below.<br />
Critical A system-critical warning that services may not be running. Please follow the<br />
support procedure described in section 11.<br />
Error Error condition: action required, although services may still be running.<br />
Warning Not an error, but an indication that an error may occur if action is not taken.<br />
Notice Events which are unusual but not error conditions. No immediate action<br />
required.<br />
Info Normal operational messages, which may be collected for reporting etc. No<br />
action required.<br />
Debug Information useful to debug the application. Not useful during operations.<br />
Backup and Restore tab<br />
Create backup now Opens a dialog for downloading a backup file.<br />
Restore Provides an entry field for the URL of the file which is to be restored. The URL can be<br />
entered, or the 'Browse' button used to locate the correct path for the URL entry field. The<br />
'Restore' button restores the file from the URL entered. See the section on 'Backup and<br />
Restore' in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide for more information.<br />
2.2 Network Settings<br />
Table 2: Network Fields<br />
Field Name Description<br />
IP address This field contains the IP address of the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> used to communicate within<br />
the company network. The Classless Inter-Domain Routing (CIDR) notation is used, for<br />
instance 192.168.0.100/24.<br />
Miscellaneous<br />
Default Gateway The default gateway is a server in your network, which routes the traffic from the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> to the outside network. Enter the default gateway for your network.<br />
DNS suffix(es) The DNS search path or DNS suffix is used to complete a partial DNS name whenever a<br />
DNS lookup is performed, for example 'intranet' is completed to<br />
'intranet.mycompany.com'. Enter the domain used within your company in this field. A<br />
comma-separated list of domains can be added, in which case the partial DNS name is<br />
completed with each domain starting from the top of the list until a valid DNS name is<br />
found.<br />
DNS server(s) A DNS server is used to convert human readable DNS names into IP addresses used in the<br />
network. Add the DNS server used in your network in this field. A comma-separated list of<br />
DNS servers can be added. The first entry in the list is used to perform DNS resolving. A<br />
subsequent server in the list is used if the previous DNS server in the list is unavailable.<br />
Proxy<br />
A proxy server is used in larger companies and organizations to improve network operations and security. It can be used<br />
to prevent direct communication between two or more networks. A proxy server forwards all allowed data requests to<br />
remote servers. The use of a proxy server is optional. Proxy authentication works for basic authentication and DIGEST<br />
authentication, but not for form-based authentication.<br />
Use proxy for HTTP(S) access? Click on the checkbox to enable or disable the use of a proxy server.<br />
Proxy Server Enter the IP address of the proxy server used in your network.<br />
Port Enter the port used to contact your proxy server.<br />
Need to authenticate? Click on the checkbox to enforce authentication for HTTP(S) access through the proxy<br />
server.<br />
User name Enter the user name to authenticate towards the proxy server in your network before a<br />
connection is allowed.<br />
Password Enter the password for the supplied user name to authenticate towards the proxy server in<br />
your network before a connection is allowed.<br />
2.3 IDENTIKEY<br />
2.3.1 Settings<br />
Table 3: IDENTIKEY Settings Fields<br />
Field Name Description<br />
Settings<br />
Server Discovery tab<br />
Enabled Enable this checkbox to activate Server Discovery for the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>. Leave the checkbox<br />
unchecked if DNS Service Registration is not required.<br />
DNS Server Address Enter the IP address of the DNS Server.<br />
Authentication Type<br />
None Use this for DNS Service Registration with a DNS server supporting dynamic DNS<br />
anonymously.<br />
TSIG Use this for DNS Service Registration with a DNS server supporting dynamic DNS with<br />
TSIG authentication.<br />
TSIG Key File Browse to the TSIG Key File, if TSIG Authentication Type is being used (see previous field).<br />
Domain Name Enter the Domain Name.<br />
Priority Primary This <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will be the first to which authentication requests are sent<br />
during Windows Logon, where more than one <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> exists on the network.<br />
Backup This <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will be the backup to which authentication requests are sent<br />
during Windows Logon, where more than one <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> exists on the network,<br />
but the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> nominated as 'Primary' (see above) is unavailable.<br />
MDC tab<br />
Enabled Enable this checkbox to activate the Message Delivery Component (MDC) for the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>. The MDC is used for sending a One Time Password by SMS when a virtual DIGIPASS is<br />
used. More information on the MDC is available in the section on the MDC in the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong> Product Guide.<br />
Gateway<br />
Protocol This field is used to specify the protocol identifier to be used to connect to the HTTP gateway. The<br />
protocol identifier “https://” can be used to SSL-encrypt the link between the MDC and the HTTP<br />
gateway.<br />
Port This field sets the port used to connect to the HTTP gateway.<br />
URL This field sets the URL to the HTTP gateway. The address should not contain any variables, ports<br />
or the protocol identifier.<br />
Query string This field defines the query string which is submitted to the HTTP server, either using POST or GET<br />
(as specified by Query method). This string must contain all the required variables that are<br />
expected by the HTTP gateway. The following parameters must be included in the query string and<br />
are set by the MDC before submitting the query:<br />
[acc_user] specifies the account name for the gateway used to submit the information<br />
[acc_pwd] sets the password for the gateway account specified by the [acc_user] parameter<br />
[otp_msg] specifies the part of the query string, where the OTP is substituted<br />
[otp_dest] specifies the part of the query string, where the destination for the OTP (usually the<br />
mobile phone number) is substituted. The query string should also incorporate any<br />
other parameters which might be expected by the gateway.<br />
Example: <br />
Query method This field designates either the GET or POST method for transferring account and message data to<br />
the HTTP/HTTPS gateway. Data type: String (“GET” or “POST”).<br />
Authentication<br />
User name This field sets the account user name for the HTTP gateway. The given value is used as content for<br />
the variable [acc_user] in the query string.<br />
Password / Confirm Password This field sets the account password for the HTTP gateway. The given value is used as content for<br />
the variable [acc_pwd] in the query string.<br />
Results<br />
More information on the results options is available in section 5.<br />
Success / Failure / Malformed query tabs<br />
Matching pattern This field specifies the Result Page Template to match the result page returned by the HTTP<br />
service. If this template is matched, the corresponding audit message is composed and returned to<br />
the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> as an Audit message.<br />
Message text This field specifies the Audit Message Template for the message to be compiled and sent back to<br />
the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>. The message is returned as an Information, Warning or Error, depending<br />
on the MsgType parameter in the same section. Includes [variable] options.<br />
Scenarios tab<br />
Authentication<br />
Enabled Enable this checkbox to activate the authentication services on the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
Provisioning<br />
Enabled Enable this checkbox to activate the Provisioning services on the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
Minimum Reactivation Interval The minimum length of time (in minutes) permitted between activation attempts for a particular<br />
DIGIPASS.<br />
Maximum Reactivation Attempts The total number of activation attempts (successful or unsuccessful) permitted per DIGIPASS.<br />
Maximum Reactivation Locations The maximum number of different Locations where a particular DIGIPASS can be activated. This<br />
only applies when the Location is specified for Provisioning (DIGIPASS for Web).<br />
Signature<br />
Enabled Enable this checkbox to activate the Electronic Signature services on the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
Back-ends tab<br />
Active Directory<br />
Enabled Enable this checkbox to activate the Active Directory LDAP back-end server type for the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>. More information on Active Directory LDAP back-end servers is available in the section<br />
describing the authentication process in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide.<br />
e-Directory<br />
Enabled Enable this checkbox to activate the e-Directory LDAP back-end server type for the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>. More information on e-Directory LDAP back-end servers is available in the section<br />
describing the authentication process in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide.<br />
ADAM<br />
Enabled Enable this checkbox to activate the ADAM LDAP back-end server type for the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>. More information on ADAM LDAP back-end servers is available in the section describing<br />
the authentication process in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide.<br />
RADIUS<br />
Enabled Enable this checkbox to activate the RADIUS back-end server type for the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
More information on RADIUS back-end servers is available in the section describing the<br />
authentication process in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide.<br />
Tracing tab<br />
IDENTIKEY Select the IDENTIKEY tracing file required (none, basic or full) for downloading.<br />
Available tracing files are listed with buttons for downloading or deleting.<br />
MDC Select the MDC tracing file required (none, basic or full) for downloading (see also section 5).<br />
Available tracing files are listed with buttons for downloading or deleting.<br />
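The MDC tab above describes the Query string with its [acc_user], [acc_pwd], [otp_dest] and [otp_msg] variables, the Protocol, URL, Port and Query method fields, and the Success / Failure / Malformed query result tabs. The following is an added illustration, not VASCO's MDC code: the query template, gateway address, parameter names, matching patterns and result pages are constructed, and the handling of an unmatched result page is an assumption.

```python
"""Added example (not VASCO's MDC implementation): substitutes the MDC
variables into a Query string, prepares the GET or POST request for the HTTP
gateway, and matches the returned result page against the Success / Failure /
Malformed query patterns to compose the audit message.  The template, gateway
address, patterns and result pages below are constructed for illustration."""
import re
from urllib.parse import quote

MDC_VARIABLES = ("acc_user", "acc_pwd", "otp_dest", "otp_msg")
VARIABLE_RE = re.compile(r"\[(\w+)\]")

# Constructed Query string template: every MDC variable appears once; the
# gateway-specific parameter names (user, password, to, text) are assumptions.
QUERY_TEMPLATE = "user=[acc_user]&password=[acc_pwd]&to=[otp_dest]&text=[otp_msg]"


def substitute(template, values, url_encode):
    """Replace every [name] in the template with values[name]."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for [{name}]")
        # Encoding each value separately keeps a password containing '&' or '='
        # from adding or overriding parameters in the query string.
        return quote(values[name], safe="") if url_encode else values[name]
    return VARIABLE_RE.sub(repl, template)


def build_query(template, values):
    """The guide requires all four MDC variables in the Query string; enforce it."""
    missing = [v for v in MDC_VARIABLES if f"[{v}]" not in template]
    if missing:
        raise ValueError(f"query string lacks {missing}")
    return substitute(template, values, url_encode=True)


def build_request(protocol, url, port, query, method):
    """Assemble the gateway request from the Protocol, URL, Port and Query
    method fields.  Returns (method, full_url, body)."""
    if method not in ("GET", "POST"):
        raise ValueError("Query method must be GET or POST")
    host, _, path = url.partition("/")
    if "://" in url or "[" in url or ":" in host:
        raise ValueError("URL must not contain the protocol, a port or variables")
    base = f"{protocol}{host}:{port}/{path}"
    if method == "GET":
        return ("GET", f"{base}?{query}", None)
    return ("POST", base, query)


# Constructed Result Page Templates (regular expressions), each with the audit
# message type and an assumed Audit Message Template using [variable] options.
RESULT_TABS = (
    ("Success", re.compile(r"^OK\b"), "Information", "OTP sent to [otp_dest]"),
    ("Failure", re.compile(r"^ERROR\b"), "Error", "Gateway refused OTP for [otp_dest]"),
    ("Malformed query", re.compile(r"^INVALID\b"), "Warning",
     "Gateway reported a malformed query for account [acc_user]"),
)


def classify_result(result_page, values, tabs=RESULT_TABS):
    """Match the result page against the tabs in order and compose the audit
    message of the first matching pattern.  An unmatched page is reported as an
    Error (assumption: the guide does not define this case)."""
    for name, pattern, msg_type, message_template in tabs:
        if pattern.search(result_page.strip()):
            return (name, msg_type, substitute(message_template, values, url_encode=False))
    return ("Unmatched", "Error", "Unrecognised gateway response")


if __name__ == "__main__":
    values = {"acc_user": "mdc", "acc_pwd": "p&ss=1",
              "otp_dest": "+32470000000", "otp_msg": "Your code is 123456"}
    query = build_query(QUERY_TEMPLATE, values)
    print(build_request("https://", "sms.example.invalid/gateway/send", 443, query, "POST"))
    print(classify_result("OK 1 message queued", values))
```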
2.3.2 LDAP User Synchronization<br />
LDAP User Synchronization is not specific to one LDAP Server type and therefore has to be configured specifically for each<br />
LDAP Server used. Setting up a synchronization requires configuring a Synchronization Profile. The tables below<br />
present:<br />
General fields for a Synchronization Profile<br />
Filter fields: records to be synchronized from the source LDAP Server can be filtered by matching certain<br />
Attributes. All Attributes listed must match for a User Account to be synchronized.<br />
Attribute Mapping fields: this is the mapping of LDAP Server Attributes to <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> User<br />
Account Properties.<br />
Example configurations are described in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Installation Guide.<br />
For information on the concepts of LDAP User Synchronization, please refer to the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
Product Guide.<br />
Table 4: IDENTIKEY LDAP User Synchronization: General Fields<br />
Field Name Description<br />
ID This is a unique identifier for the Synchronization Profile, which cannot be changed<br />
later. User Accounts created or updated by the profile have this ID added.<br />
Enable This field must be checked to enable automatic synchronizations using this<br />
Synchronization Profile at the frequency defined in the Frequency field (see below).<br />
The default value is disabled, i.e. unchecked, in which case the profile is not<br />
operational and no User Accounts are updated or copied from the LDAP Server.<br />
Description A description should be entered to help identify this Synchronization Profile.<br />
Frequency The frequency defines the number of times per day automatic synchronization occurs,<br />
once the profile has been manually configured. Synchronization frequency can be<br />
configured up to 24 times per day.<br />
LDAP URI (Uniform Resource <strong>Identifier</strong>) This is the protocol and host of the source LDAP Server.<br />
Bind DN (if needed) This is the Distinguished Name to authenticate towards the LDAP Server. Entering the<br />
Bind DN is optional.<br />
Bind Password (if needed) This is the Bind Password to authenticate towards the LDAP Server. Entering the Bind<br />
Password is optional.<br />
Search Base The Search Base is the starting point for searches in the LDAP Server. This should be<br />
a string-represented DN as defined in RFC 1779.<br />
Search Scope The Search Scope can be limited to:<br />
one level deep, which only searches at the level below the Search Base<br />
whole subtree, which searches at and below the Search Base<br />
Table 5: IDENTIKEY LDAP User Synchronization: Filter Fields<br />
Field Name Description<br />
Attribute This must be the name of an LDAP Server Attribute. All Attributes listed must match<br />
for a User Account to be synchronized.<br />
Match This is the value for the Attribute defined in the previous field and must match for a<br />
User Account to be retrieved for synchronization. Asterisks can be used as a wildcard<br />
for the value, indicating zero or more characters.<br />
Table 6: IDENTIKEY LDAP User Synchronization: Attribute Mapping Fields<br />
Field Name Description<br />
Type This defines whether the mapping is<br />
for an LDAP Attribute name (Type: ldap) or<br />
for a constant value (Type: constant).<br />
Source Attribute/Value For Type ldap, this entry should be an LDAP Attribute name.<br />
For Type constant, this entry should be the value of the corresponding <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong> Property.<br />
Destination Property This is the Property name in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> which corresponds to the LDAP<br />
Server Attribute specified in the previous field.<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Properties available for Attribute mapping are:<br />
User ID<br />
User Name<br />
Description<br />
Disabled (set to 'false' if unspecified)<br />
Static Password<br />
Locked (set to 'false' if unspecified)<br />
Local Authentication (set to 'Default' if unspecified)<br />
Back-end Authentication (set to 'Default' if unspecified)<br />
Mobile<br />
Phone<br />
Email<br />
For all possible values for these Properties, see section 3.1 (p17).<br />
Destination This is the domain and (optionally) the organizational unit in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
where User Accounts will be copied to or updated. If the domain is changed after User<br />
Accounts have already been copied, the User Accounts are copied to the new domain<br />
but not deleted from the previous domain. If the organizational unit is changed to<br />
another one in the same domain, User Accounts which have been created or updated<br />
by this Synchronization Profile are moved from the old to the new location.<br />
Update existing This field determines whether existing User Accounts (i.e. User Accounts which have<br />
not been created or previously updated by this Synchronization Profile) can be<br />
updated. To disable updating, the option should be unchecked and the<br />
Synchronization Profile ID (see above) removed from the User Account in the<br />
<strong>Administration</strong> Web Interface.<br />
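Tables 5 and 6 above describe how Filter fields select LDAP records and how Attribute Mapping fields translate them into User Account Properties. The following is an added illustration of that procedure, not VASCO's synchronization code: the LDAP entries, attribute names, profile values and in-memory account store are constructed, and treating the 'set to ... if unspecified' defaults as creation-time defaults is an assumption.

```python
"""Added example (not VASCO's synchronization code): applies a Synchronization
Profile's Filter fields and Attribute Mapping fields to LDAP entries and
creates or updates aXsGUARD Identifier User Accounts as the tables describe.
LDAP entries, attribute names, profile values and the account store are
constructed for illustration; the product's internal model is assumed."""
import re

MAPPABLE_PROPERTIES = {
    "User ID", "User Name", "Description", "Disabled", "Static Password", "Locked",
    "Local Authentication", "Back-end Authentication", "Mobile", "Phone", "Email"}
# Applied when a Property is unspecified; on creation only (assumption for updates).
UNSPECIFIED_DEFAULTS = {"Disabled": "false", "Locked": "false",
                        "Local Authentication": "Default", "Back-end Authentication": "Default"}


def match_value(pattern, value):
    """Match field: '*' stands for zero or more characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def entry_selected(entry, filters):
    """All filter Attributes must match; a multi-valued Attribute matches if any
    of its values does (assumption)."""
    for attribute, pattern in filters:
        values = entry.get(attribute, [])
        if isinstance(values, str):
            values = [values]
        if not any(match_value(pattern, v) for v in values):
            return False
    return True


def map_entry(entry, mappings):
    """Translate Type ldap (attribute name) and Type constant (literal value)
    mappings into User Account Properties."""
    properties = {}
    for mapping_type, source, destination in mappings:
        if destination not in MAPPABLE_PROPERTIES:
            raise ValueError(f"{destination!r} is not a mappable Property")
        if mapping_type == "ldap":
            value = entry.get(source)
            if value is None:
                continue                      # attribute absent: leave unset
            value = value[0] if isinstance(value, list) else value
        elif mapping_type == "constant":
            value = source
        else:
            raise ValueError(f"unknown mapping Type {mapping_type!r}")
        properties[destination] = value
    return properties


def synchronize(profile, entries, accounts):
    """One synchronization run. `accounts` maps (domain, User ID) to an account
    dict and is modified in place; a summary of what happened is returned."""
    summary = {"created": [], "updated": [], "unchanged": [], "filtered": 0}
    for entry in entries:
        if not entry_selected(entry, profile["filters"]):
            summary["filtered"] += 1
            continue
        props = map_entry(entry, profile["mappings"])
        user_id = props.get("User ID")
        if not user_id:
            raise ValueError("the mapping must supply the User ID Property")
        key = (profile["destination"], user_id)
        account = accounts.get(key)
        if account is None:
            accounts[key] = {**UNSPECIFIED_DEFAULTS, **props,
                             "Synchronization Profile ID": profile["id"]}
            summary["created"].append(user_id)
        elif account.get("Synchronization Profile ID") == profile["id"] or profile["update_existing"]:
            # Accounts this profile created or updated before are always refreshed;
            # other existing accounts only when 'Update existing' is checked.
            account.update(props)
            account["Synchronization Profile ID"] = profile["id"]
            summary["updated"].append(user_id)
        else:
            summary["unchanged"].append(user_id)
    return summary


# Constructed sample profile and source entries (Active Directory style names).
SAMPLE_PROFILE = {
    "id": "ad-sync-01", "destination": "vasco.com", "update_existing": False,
    "filters": [("objectClass", "user"), ("mail", "*@example.invalid")],
    "mappings": [("ldap", "sAMAccountName", "User ID"), ("ldap", "displayName", "User Name"),
                 ("ldap", "mail", "Email"), ("ldap", "mobile", "Mobile"),
                 ("constant", "Digipass Only", "Local Authentication")]}
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice",
     "displayName": "Alice Example", "mail": "alice@example.invalid", "mobile": "+32470000001"},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "bob",
     "displayName": "Bob Other", "mail": "bob@other.invalid"},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "carol",
     "displayName": "Carol Example", "mail": "carol@example.invalid"}]


def sample_run(update_existing=False):
    """Carol's account pre-exists and was not created by this profile, so it is
    only refreshed when 'Update existing' is checked. Returns (summary, accounts)."""
    profile = dict(SAMPLE_PROFILE, update_existing=update_existing)
    accounts = {("vasco.com", "carol"): {"User ID": "carol", "User Name": "Carol",
                                          "Disabled": "false", "Locked": "false"}}
    return synchronize(profile, SAMPLE_ENTRIES, accounts), accounts
```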
3 <strong>Administration</strong> Web Interface: Field Listings<br />
3.1 User Properties<br />
Table 7: User Fields<br />
Field Name Description<br />
Static Password The static password. This may be used for static password checking by the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong> or may be a record of a password in a Back-End System.<br />
In view mode, the system will only show whether a password is set or not.<br />
The Set Password and Reset Password commands are used to change this, although it<br />
can also be entered when creating the Digipass User account.<br />
Local Authentication Specifies whether authentication requests for the User account will be handled by the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> using Local Authentication (see the Authenticating Users section in<br />
the Product Guide for more details on Local Authentication and Back-End Authentication).<br />
Normally, this field will be Default, meaning that the Policy applicable to the authentication<br />
request determines the setting. This field on the Digipass User account is used to override<br />
the Policy setting for special cases.<br />
When Local Authentication is used, there are two factors that determine whether Digipass<br />
authentication is used – any Policy restrictions on Digipass Types and/or Applications that<br />
can be used and whether the Digipass User account has any assigned Digipass that meet<br />
the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700,<br />
they cannot use Digipass authentication under that Policy.<br />
This setting also affects the Provisioning Registration process (see the Software Digipass<br />
Provisioning section in the Product Guide).<br />
Options:<br />
Default Use the setting of the effective Policy.<br />
None The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will not carry out Local Authentication for<br />
this User account. They may be handled using Back-End<br />
Authentication, or not handled at all by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
Digipass/Password The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will always carry out Local Authentication<br />
for this User, using Digipass authentication if possible, otherwise<br />
the static password. Back-End Authentication may also be utilized.<br />
Digipass Only The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will always carry out Local Authentication<br />
for this User, using Digipass authentication. If Digipass<br />
authentication is not possible, the user cannot log in. Back-End<br />
Authentication may also be utilized.<br />
Back-End Authentication Specifies whether authentication requests for the User account will be handled by the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> using Back-End Authentication (see the Authenticating Users section<br />
in the Product Guide for more details on Local Authentication and Back-End<br />
Authentication).<br />
Normally, this field will be Default, meaning that the Policy applicable to the authentication<br />
request determines the setting. This field on the Digipass User account is used to override<br />
the Policy setting for special cases.<br />
This setting also affects the Provisioning Registration process (see the Software Digipass<br />
Provisioning section in the Product Guide).<br />
Options:<br />
Default Use the setting of the effective Policy.<br />
None Back-End Authentication will not be used.<br />
If Needed The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will utilize Back-End Authentication but<br />
only in certain cases:<br />
Dynamic User Registration<br />
Self-Assignment<br />
Password Autolearn<br />
Requesting a Challenge or Virtual Digipass OTP, when the<br />
Request Method includes a Password<br />
Static password authentication, when verifying a Virtual<br />
Digipass password-OTP combination or during the Grace<br />
Period<br />
Provisioning Registration<br />
Always The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will utilize Back-End Authentication for<br />
every authentication and Provisioning Registration request.<br />
Disabled Specifies whether a Digipass User account is enabled or disabled. If disabled, all requests<br />
for the User will be rejected by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
The Disable and Enable commands are used to change this, although it can also be<br />
changed when creating or editing the Digipass User account.<br />
Locked Specifies whether a Digipass User account is locked or not. If locked, all requests for the<br />
User will be rejected by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
The Locked indicator is normally set automatically when the User exceeds a certain number<br />
of failed authentication attempts. The User Lock Threshold is set in the Policy.<br />
The Unlock command is used to change this, although it can also be changed when editing<br />
the Digipass User account.<br />
Linked User Account It is possible to share Digipass between different User accounts, by linking User accounts<br />
together. This feature is intended for the case where one person, such as an administrator,<br />
has multiple User accounts. If their accounts are linked, there is no need to give more than<br />
one Digipass to that person.<br />
This feature is used by assigning the Digipass to one User account, then linking all the<br />
other User accounts for the person to the one that has the Digipass.<br />
Read only. The Link and Unlink commands must be used to change this.<br />
If a User is linked to another User, their Linked User Account field will show the UserId and<br />
Domain of the linked User, for example:<br />
testuser [vasco.com]<br />
Created On The date and time that the Digipass User account was created. Read-only.<br />
Last Modified On The date and time that the Digipass User account was last modified. Read-only.<br />
Domain The Domain to which the User belongs.<br />
Read only. This cannot be changed.<br />
Organizational Unit The Organizational Unit in which the User is located. This is optional as the User does not<br />
have to be located in an Organizational Unit.<br />
Read only. The Move command must be used to change this.<br />
User Name The full name of the User.<br />
Email Address The email address of the User.<br />
Phone No. The telephone number of the User.<br />
Mobile No. The mobile phone number of the User. This will be used for Virtual Digipass logins.<br />
Description Any descriptive text or notes.<br />
Assigned Digipass list This lists all Digipass that are assigned to the User. For each Digipass, the list of active<br />
Applications is given with the Application Type indicated in brackets. For example:<br />
0058384426 RESP_ONLY(RO), CHALLENGE(CR)<br />
In this example line, the Digipass with Serial Number 0058384426 has two active<br />
Applications: one Response Only Application RESP_ONLY and one Challenge/Response<br />
Application CHALLENGE.<br />
Other Digipass properties are shown in this list – for more information, see the Digipass<br />
Properties table.<br />
If the User does not have any Digipass assigned directly, but is linked to another User to<br />
use their Digipass (see Linked User Account), the linked User's Digipass list is shown with<br />
the Serial Numbers in square brackets (eg. [0058384426]).<br />
Read-only. The Assign Digipass and Unassign Digipass commands must be used to<br />
change this.<br />
Administrative Privileges This lists all the administrative privileges for which the User has permission.<br />
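The Local Authentication and Back-End Authentication fields in Table 7 describe how a 'Default' value defers to the effective Policy, how the Digipass/Password and Digipass Only options depend on the User having an assigned Digipass that meets the Policy's Digipass Type restrictions (the DP300 versus DP700 case), and in which cases 'If Needed' invokes Back-End Authentication. The following is an added illustration of that decision logic, not VASCO's IDENTIKEY code: the Policy structure, the Digipass type names and the request-category labels are assumptions.

```python
"""Added example (not VASCO's IDENTIKEY code): resolves a Digipass User
account's Local Authentication and Back-End Authentication fields against the
effective Policy, following the option descriptions in Table 7.  The Policy
structure, Digipass type names and request categories are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Request categories for which the 'If Needed' option uses Back-End
# Authentication (the list under that option, collapsed into labels).
IF_NEEDED_REQUESTS = {
    "Dynamic User Registration", "Self-Assignment", "Password Autolearn",
    "Challenge or Virtual Digipass OTP request with Password",
    "Static password authentication for Virtual Digipass or Grace Period",
    "Provisioning Registration",
}


@dataclass
class Policy:
    local_authentication: str                 # None, Digipass/Password or Digipass Only
    backend_authentication: str               # None, If Needed or Always
    allowed_digipass_types: Optional[Set[str]] = None   # None = no restriction


@dataclass
class User:
    local_authentication: str = "Default"     # fields on the Digipass User account
    backend_authentication: str = "Default"
    disabled: bool = False
    locked: bool = False
    assigned_digipass_types: List[str] = field(default_factory=list)


def effective_setting(account_value, policy_value):
    """'Default' means the effective Policy decides; any other value overrides it."""
    return policy_value if account_value == "Default" else account_value


def digipass_possible(user, policy):
    """Digipass authentication needs an assigned Digipass that meets any Policy
    restriction on Digipass Types (a Policy requiring DP300 is not met by a DP700)."""
    if not user.assigned_digipass_types:
        return False
    if policy.allowed_digipass_types is None:
        return True
    return any(t in policy.allowed_digipass_types for t in user.assigned_digipass_types)


def resolve(user, policy, request="Authentication"):
    """Return (local_method, backend_used); local_method is one of 'digipass',
    'static password', 'none' or 'rejected'."""
    if user.disabled or user.locked:
        return ("rejected", False)            # disabled or locked: all requests rejected
    local = effective_setting(user.local_authentication, policy.local_authentication)
    backend = effective_setting(user.backend_authentication, policy.backend_authentication)
    if local == "None":
        method = "none"                       # may still be handled by the back-end
    elif local == "Digipass/Password":
        method = "digipass" if digipass_possible(user, policy) else "static password"
    elif local == "Digipass Only":
        method = "digipass" if digipass_possible(user, policy) else "rejected"
    else:
        raise ValueError(f"unknown Local Authentication option {local!r}")
    if backend == "None":
        backend_used = False
    elif backend == "Always":
        backend_used = True
    elif backend == "If Needed":
        backend_used = request in IF_NEEDED_REQUESTS
    else:
        raise ValueError(f"unknown Back-End Authentication option {backend!r}")
    return (method, backend_used)


if __name__ == "__main__":
    policy = Policy("Digipass/Password", "If Needed", allowed_digipass_types={"DP300"})
    print(resolve(User(assigned_digipass_types=["DP700"]), policy))
    print(resolve(User(local_authentication="Digipass Only",
                       assigned_digipass_types=["DP700"]), policy))
    print(resolve(User(assigned_digipass_types=["DP300"]), policy, "Provisioning Registration"))
```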
3.2 Digipass Properties<br />
Table 8: Digipass Fields<br />
Field Name Description<br />
Domain The Domain to which the Digipass belongs.<br />
Read only. The Move command must be used to change this.<br />
Organizational Unit The Organizational Unit in which the Digipass is located. This is optional as the Digipass<br />
does not have to be located in an Organizational Unit.<br />
Read only. The Move command must be used to change this.<br />
Digipass Type The type of Digipass represented by the Digipass record (eg. DP300).<br />
Description A custom text description of the Digipass. This can be used to search for specific attributes<br />
of a Digipass, eg. color, company logo.<br />
Reserve for Individual Assignment When used, this option prevents the Digipass from being assigned using the Auto-Assignment<br />
feature or by Provisioning Registration. It also prevents it from being assigned<br />
by an administrator who uses the 'Assign next available...' option in the assignment wizard.<br />
Assigned to User User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. This<br />
User account must be in the same Domain as the Digipass.<br />
Read-only. The Assign command must be used to change this.<br />
Date Assigned The date and time when the Digipass was assigned to its current User.<br />
Read-only.<br />
Grace Period End The date on which the Grace Period will expire, or did expire, for this Digipass. If the date<br />
shows today's date or before, the Grace Period has already expired. If it is blank, there is no<br />
Grace Period.<br />
BVDP Mode Specifies whether and how the Backup Virtual Digipass feature can be used for this<br />
Digipass. Note that in order for the Backup Virtual Digipass feature to function, it must<br />
also be activated in the DPX file for the Digipass.<br />
Normally, this field will be Default, meaning that the Policy applicable to the authentication<br />
request determines the setting. This field on the Digipass record is used to override the<br />
Policy setting for special cases.<br />
Options:<br />
Default Use the setting of the effective Policy.<br />
No Backup Virtual Digipass is not permitted.<br />
Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory.<br />
The Enabled Until date is not applicable when using this<br />
option, but the Uses Remaining count is.<br />
Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory.<br />
Both the Enabled Until date and the Uses Remaining<br />
count will be in effect.<br />
Yes - Required Backup Virtual Digipass is mandatory. This may be useful<br />
if the User may have lost the Digipass, to prevent it from<br />
being used until they have found it again.<br />
The Enabled Until date is not applicable when using this<br />
option, but the Uses Remaining count is.<br />
Enabled Until The date on which the Backup Virtual Digipass feature may no longer be used, provided that<br />
the effective Enable Backup VDP setting is Yes – Time Limited (it is ignored otherwise).<br />
If this date is blank, it will be set automatically the first time that the User requests a<br />
Backup Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the<br />
Policy.<br />
Once this date has expired, it requires administrator intervention either to extend it or to<br />
reset it to blank for the next time that the User needs to use Backup Virtual Digipass.<br />
Uses Remaining The remaining number of times that the Backup Virtual Digipass feature may be used for<br />
this Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be<br />
used with this Digipass, unless the administrator increases it or resets it to blank.<br />
If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in the<br />
Policy, it will be set automatically the first time that the User requests a Backup Virtual<br />
Digipass OTP, based on the Max. Uses/User.<br />
Static Vector ID The presence of a value here indicates that a Digipass is a Software Digipass capable of<br />
Provisioning. Its specific value is not of use to an administrator normally. It represents a<br />
lookup key of a database record used in the Provisioning process (DPSoft Parameters) that<br />
stores the Static Vector value.<br />
Last Activation The date and time at which the last Provisioning Registration operation took place using this<br />
Digipass, when an Activation Code was generated for it.<br />
There is a configurable minimum interval of time between Registration operations for a<br />
Digipass. See the Software Digipass Provisioning section in the Product Guide for more<br />
details.<br />
This value is reset to blank by the Reset Activation command.<br />
Activation Locations This is typically only used for Digipass for Web, to keep track of the number of different<br />
locations at which a particular User has activated it. The value is a comma-separated list of<br />
hash values, where each hash value represents one location.<br />
There is a configurable maximum number of activation locations for a Digipass. See the<br />
Software Digipass Provisioning section in the Product Guide for more details.<br />
This value is reset to blank by the Reset Activation command.<br />
Activation Count The total number of Provisioning Registration operations that have taken place using this<br />
Digipass, when an Activation Code was generated for it. This includes Registration<br />
operations for which the corresponding Activate operation was not completed successfully.<br />
There is a configurable maximum number of activation attempts for a Digipass. See the<br />
Software Digipass Provisioning section in the Product Guide for more details.<br />
This value is reset to 0 by the Reset Activation command.<br />
Created On The date and time that the Digipass was created. Read-only.<br />
Last Modified On The date and time that the Digipass was last modified. Read-only.<br />
3.3 Policy Properties<br />
Table 9: Policy Fields<br />
Field Name Description<br />
Description This description can be entered to record the purpose of the Policy.<br />
Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the<br />
'parent Policy'. Settings are inherited individually, depending on the value in the Policy<br />
field; they inherit the parent Policy value in the following cases:<br />
Choice lists/radio buttons – if the selected value is Default<br />
Text fields – if the field is blank<br />
Numeric fields – if the field is blank (not 0)<br />
List fields – if the list is empty<br />
The Show Effective Policy Settings... button can be used to display the result of<br />
inheriting settings combined with settings on the current Policy.<br />
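The inheritance rules above (Default for choice lists, blank for text and numeric fields with 0 counting as a value, empty for lists) are what the Show Effective Policy Settings... button has to compute. This added example is not aXsGUARD code: the field schema, the two sample Policies and the function names are constructed, and only the inheritance rules and the inbuilt default of 20 for Identification Time Window come from the guide.

```python
"""Effective-Policy resolution along an 'Inherits from Policy' chain (added example)."""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Field kinds decide which stored value means "inherit from the parent Policy".
CHOICE, TEXT, NUMERIC, LIST = "choice", "text", "numeric", "list"

# Constructed schema: a subset of the Policy fields in Table 9 and their kinds.
FIELD_KINDS = {
    "Local Authentication": CHOICE,
    "Back-End Authentication": CHOICE,
    "Back-End Protocol": TEXT,
    "User Lock Threshold": NUMERIC,
    "Grace Period": NUMERIC,
    "Digipass Types": LIST,
    "Identification Time Window": NUMERIC,
}

# Inbuilt defaults the guide states for fields that may be unset all the way up the chain.
INBUILT_DEFAULTS = {"Identification Time Window": 20}


def is_inherited(kind: str, value: Any) -> bool:
    """True when this stored value means 'take the parent Policy value'."""
    if kind == CHOICE:
        return value is None or value == "Default"
    if kind == TEXT:
        return value is None or value == ""
    if kind == NUMERIC:
        return value is None            # blank inherits; 0 is an explicit value
    if kind == LIST:
        return not value                 # None or [] inherits
    raise ValueError(f"unknown field kind {kind!r}")


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    settings: Dict[str, Any] = field(default_factory=dict)


def effective_settings(policy: Policy, max_depth: int = 32) -> Dict[str, Any]:
    """Resolve every schema field by walking the parent chain upwards.

    A field takes the first explicit value found; if the top of the chain is
    reached without one, it falls back to the inbuilt default (lists resolve to
    an empty list, i.e. no restriction). max_depth guards against a cyclic
    'Inherits from' chain, which would otherwise loop forever.
    """
    resolved: Dict[str, Any] = {}
    for name, kind in FIELD_KINDS.items():
        node, depth, value = policy, 0, None
        while node is not None:
            if depth > max_depth:
                raise RuntimeError(f"Policy chain too deep or cyclic at {node.name!r}")
            candidate = node.settings.get(name)
            if not is_inherited(kind, candidate):
                value = candidate
                break
            node, depth = node.parent, depth + 1
        if value is None:
            value = INBUILT_DEFAULTS.get(name, [] if kind == LIST else None)
        resolved[name] = value
    return resolved


# Constructed sample chain: a child Policy that overrides some fields and inherits others.
BASE = Policy("Base", settings={
    "Local Authentication": "Digipass/Password",
    "Back-End Authentication": "If Needed",
    "Back-End Protocol": "RADIUS",
    "User Lock Threshold": 3,
    "Grace Period": 7,
    "Digipass Types": [],
})
VPN = Policy("VPN", parent=BASE, settings={
    "Local Authentication": "Digipass Only",   # explicit choice
    "Back-End Authentication": "Default",      # inherits "If Needed"
    "Back-End Protocol": "",                   # blank text inherits "RADIUS"
    "User Lock Threshold": None,               # blank numeric inherits 3
    "Grace Period": 0,                         # explicit zero: no Grace Period
    "Digipass Types": ["DP300"],               # explicit list restriction
})

if __name__ == "__main__":
    for field_name, value in effective_settings(VPN).items():
        print(f"{field_name}: {value!r}")
```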
Local Authentication Specifies whether authentication requests using the Policy will be handled by the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> using Local Authentication (see the Authenticating Users section in<br />
the Product Guide for more details on Local Authentication and Back-End<br />
Authentication).<br />
When Local Authentication is used, there are two factors that determine whether Digipass<br />
authentication is used – any Policy restrictions on Digipass Types and/or Applications that<br />
can be used and whether the Digipass User account has any assigned Digipass that meet<br />
the restrictions. For example, if the Policy requires a DP300 and the User just has a<br />
DP700, they cannot use Digipass authentication under that Policy.<br />
This setting also affects the Provisioning Registration process (see the Software Digipass<br />
Provisioning section in the Product Guide).<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will not carry out Local Authentication<br />
under this Policy. They may be handled using Back-End<br />
Authentication, or not handled at all by the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>.<br />
Digipass/Password The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will always carry out Local<br />
Authentication under this Policy, using Digipass authentication<br />
if possible, otherwise the static password. Back-End<br />
Authentication may also be utilized.<br />
Digipass Only The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will always carry out Local<br />
Authentication under this Policy, using Digipass authentication.<br />
If Digipass authentication is not possible, the user cannot log<br />
in. Back-End Authentication may also be utilized.<br />
Back-End Authentication Specifies whether authentication requests using the Policy will be handled by the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> using Back-End Authentication (see the Authenticating Users<br />
section in the Product Guide for more details on Local Authentication and Back-End<br />
Authentication).<br />
This setting also affects the Provisioning Registration process (see the Software Digipass<br />
Provisioning section in the Product Guide).<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Back-End Authentication will not be used.<br />
If Needed The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will utilize Back-End Authentication<br />
but only in certain cases:<br />
Dynamic User Registration<br />
Self-Assignment<br />
Password Autolearn<br />
Requesting a Challenge or Virtual Digipass OTP, when<br />
the Request Method includes a Password<br />
Static password authentication, when verifying a Virtual<br />
Digipass password-OTP combination or during the<br />
Grace Period<br />
Provisioning Registration<br />
Always The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> will utilize Back-End Authentication<br />
for every authentication and Provisioning Registration request.<br />
Back-End Protocol Specifies the protocol to be used for Back-End Authentication.<br />
If you have your own Back-End Authentication Engines, they will have Protocol names to<br />
identify them. The name for the required Engine must be defined in the Back-End<br />
Protocol for the Policy.<br />
The following standard options are available:<br />
RADIUS Authentication using a RADIUS server.<br />
e-Directory Authentication using Novell's e-Directory.<br />
ADAM Authentication using a Microsoft ADAM server.<br />
Active Directory Authentication using Microsoft's Active Directory.<br />
Created On The date and time that the Policy was created. Read-only.<br />
Last Modified On The date and time that the Policy was last modified. Read-only.<br />
Dynamic User Registration Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy.<br />
If this feature is used, when the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> receives an authentication request<br />
for a User for the first time and Back-End Authentication is successful, it will create a<br />
Digipass User account automatically. If DUR is used in conjunction with Auto-<br />
Assignment, a Digipass will be assigned to the new User account immediately.<br />
This setting also determines whether the Provisioning Registration process is allowed to<br />
perform DUR or not.<br />
Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature<br />
enables the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> to update the password stored in the Digipass User<br />
account when Back-End Authentication is successful.<br />
This setting also determines whether the Provisioning Registration process will update<br />
the password after successful Back-End Authentication or not.<br />
Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This<br />
feature can be used in conjunction with the Back-End Authentication Always setting and<br />
the Password Autolearn feature. With this combination, even though a Back-End<br />
Authentication check is done every login, it is done using the password stored in the<br />
Digipass User account. Therefore the User does not have to enter it during their login,<br />
unless it has changed in the Back-End System. This mode of operation is referred to as<br />
Password Replacement.<br />
Default Domain The default Domain in which the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> should look for and create Digipass<br />
User accounts, if a Domain is not specified by the user credentials. The process of<br />
resolving the User ID and Domain name is described in the User ID and Domain<br />
Resolution section in the Product Guide and in of this document.<br />
User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass<br />
User account to become Locked. For example, if the User Lock Threshold is 3, the<br />
account will become Locked on the third failed login attempt. Unlocking the account<br />
requires administrator action.<br />
Note that not all kinds of login failure will result in locking. For example, if the UserId is<br />
incorrect or the account is Disabled, the failure would not count towards the lock<br />
threshold. Locking is used mainly for incorrect OTPs and static passwords.<br />
The locking mechanism is also used for Provisioning and Signature Validation.<br />
Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy,<br />
if any. There are two methods, Auto-Assignment and Self-Assignment.<br />
Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When<br />
DUR occurs, the next available Digipass is assigned to the new Digipass User account. A<br />
Grace Period is set for the Digipass according to the Grace Period setting in the Policy.<br />
Self-Assignment is typically used with DUR also, but if the Digipass User accounts are<br />
created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a<br />
User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP<br />
from the Digipass and their static password. There is no Grace Period associated with<br />
Self-Assignment, because the User has to use the Digipass to perform Self-Assignment.<br />
In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will<br />
not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3<br />
and DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy<br />
restrictions, they will not be able to self-assign another Digipass.<br />
This setting is not applicable to Provisioning or Signature Validation.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
Auto-Assignment Use the Auto-Assignment method.<br />
Self-Assignment Use the Self-Assignment method.<br />
Neither Do not use either method of automated assignment.<br />
Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and<br />
the date they must start using their Digipass to login. Before that time they can still use a<br />
static password (unless the Local Authentication setting is Digipass Only). However, the<br />
first time that an OTP is used to log in, the Grace Period is ended at that point if it has not<br />
already ended.<br />
This setting does not affect manual assignment by an administrator or Provisioning.<br />
Serial No. Separator The character (or short sequence of characters) that will be included at the end of the<br />
Digipass Serial Number during a Self-Assignment login. It allows the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
to easily recognize that a Self-Assignment attempt is being made and extract the Serial<br />
Number from the credentials.<br />
Search Upwards in Org. Unit hierarchy This controls the search scope for an available Digipass for Auto-Assignment or<br />
Provisioning Registration, or for a specific Digipass for Self-Assignment.<br />
This setting does not affect manual assignment by an administrator.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No The search scope is only the Organizational Unit in which the<br />
User account belongs. If the User does not belong to an<br />
Organizational Unit, the search will look for Digipass that also<br />
do not belong to an Organizational Unit.<br />
Yes The search will start in the User account's Organizational Unit,<br />
but if necessary it will then move upwards through the<br />
Organizational Unit hierarchy until it reaches the top. See the<br />
Location of Digipass Records topic in the Product Guide for<br />
more information.<br />
Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is<br />
effective. If the list is empty, there is no restriction. If there are one or more entries, they<br />
will indicate the Application Names that are permitted.<br />
Application Type The Policy can restrict which Digipass Application Type (e.g. Response Only,<br />
Challenge/Response) may be used when it is effective.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No Restriction Digipass Application Type is not restricted.<br />
Response Only Only Digipass Applications of Type RO (Response Only) or MM<br />
(Multi-Mode) may be used.<br />
Challenge/Response Only Digipass Applications of Type CR (Challenge/Response)<br />
or MM (Multi-Mode) may be used.<br />
Signature Only Digipass Applications of Type SG (Signature) or MM<br />
(Multi-Mode) may be used.<br />
Multi-Mode Only Digipass Applications of Type MM (Multi-Mode) may<br />
be used.<br />
Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is<br />
effective. If the list is empty, there is no restriction. If there are one or more entries, they<br />
will indicate the Digipass Types that are permitted.<br />
Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during<br />
authentication requests to which the current Policy applies. Normally this setting is<br />
enabled, but it can be used to prevent PIN changes if required.<br />
1-Step Challenge/Response – Permitted Controls whether 1-step Challenge/Response logins will be enabled for the current Policy<br />
and, if so, where the challenge should originate.<br />
In order to enable 1-step Challenge/Response, you also need to set the Challenge Check<br />
Mode (see below).<br />
Note that 1-step Challenge/Response is not applicable in a RADIUS environment.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No 1-step Challenge/Response may not be used.<br />
Yes – Server Challenge 1-step Challenge/Response may be used provided that the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> that verifies the response generated the<br />
challenge.<br />
Yes – Any Challenge 1-step Challenge/Response may be used with any random<br />
challenge.<br />
1-Step Challenge/Response – Challenge Length Specifies the length of the challenge (excluding a check digit) which should be generated<br />
for 1-step Challenge/Response logins.<br />
1-Step Challenge/Response – Add Check Digit A check digit may be added to the generated challenge. This allows the Digipass to<br />
identify invalid Challenges more quickly.<br />
2-Step Challenge/Response – Request Method The method by which a User has to request a 2-step Challenge/Response login.<br />
This is the only mode of Challenge/Response available in a RADIUS environment.<br />
The 'request' is made in the password field during login. The request will fail if the User<br />
does not have a Challenge/Response-capable Digipass assigned. This includes Digipass<br />
Applications of Type CR, SG and MM.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Do not use 2-step Challenge/Response.<br />
Keyword Use the Request Keyword. This is permitted to be blank.<br />
Password Use the static password.<br />
KeywordPassword Use the Request Keyword followed by the static password. No<br />
separator characters or whitespace should be between them.<br />
PasswordKeyword Use the static password followed by the Request Keyword. No<br />
separator characters or whitespace should be between them.<br />
2-Step Challenge/Response – Request Keyword Defines the Keyword that a User must enter to request a 2-step Challenge/Response<br />
login, if a method using a Keyword is selected in the Request Method.<br />
This is permitted to be blank.<br />
Primary Virtual Digipass – Request Method The method by which a User has to request a Primary Virtual Digipass login.<br />
The 'request' is made in the password field during login. The request will be ignored if the<br />
User does not have a Primary Virtual Digipass assigned.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Do not use Primary Virtual Digipass.<br />
Keyword Use the Request Keyword. This is permitted to be blank.<br />
Password Use the static password.<br />
KeywordPassword Use the Request Keyword followed by the static password. No<br />
separator characters or whitespace should be between them.<br />
PasswordKeyword Use the static password followed by the Request Keyword. No<br />
separator characters or whitespace should be between them.<br />
Primary Virtual Digipass – Request Keyword Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if<br />
a method using a Keyword is selected in the Request Method. This is permitted to be<br />
blank.<br />
Backup Virtual Digipass – Enable Backup VDP Specifies whether and how the Backup Virtual Digipass feature can be used when this<br />
Policy is effective. Note that in order for the Backup Virtual Digipass feature to function, it<br />
must also be activated in the DPX file for the Digipass.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
No Backup Virtual Digipass is not permitted.<br />
Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory.<br />
The Time Limit is not applicable when using this option, but<br />
the Max. Uses/User limit is.<br />
Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory.<br />
Both the Time Limit and the Max. Uses/User limit will be in<br />
effect.<br />
Yes - Required Backup Virtual Digipass is mandatory.<br />
The Time Limit is not applicable when using this option, but<br />
the Max. Uses/User limit is.<br />
Backup Virtual Digipass – Time Limit When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting<br />
indicates the number of days for which the Backup Virtual Digipass feature may be used<br />
by a User, once they start using it.<br />
The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set<br />
automatically the first time that the User requests a Backup Virtual Digipass OTP, using<br />
the Time Limit defined in the Policy. Once this date has expired, it requires administrator<br />
intervention either to extend it or to reset it to blank for the next time that the User needs<br />
to use Backup Virtual Digipass.<br />
Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they<br />
will have a separate limit for each one.<br />
Backup Virtual Digipass – Max. Uses/User The maximum number of uses of the Backup Virtual Digipass feature permitted for each<br />
User, if they do not have a specific limit set for them.<br />
If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and there<br />
is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set<br />
automatically the first time that the User requests a Backup Virtual Digipass OTP.<br />
Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be<br />
used with this Digipass, unless the administrator increases it or resets it to blank.<br />
Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they<br />
will have a separate limit for each one.<br />
Backup Virtual Digipass – Request Method The method by which a User has to request a Backup Virtual Digipass login.<br />
The 'request' is made in the password field during login. The request will be ignored if the<br />
User does not have a Digipass assigned that is activated for the Backup Virtual Digipass<br />
feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use.<br />
Options:<br />
Default Use the setting of the parent Policy.<br />
None Do not use Backup Virtual Digipass.<br />
Keyword Use the Request Keyword. This is permitted to be blank.<br />
Password Use the static password.<br />
KeywordPassword Use the Request Keyword followed by the static password. No<br />
separator characters or whitespace should be between them.<br />
PasswordKeyword Use the static password followed by the Request Keyword. No<br />
separator characters or whitespace should be between them.<br />
Backup Virtual Digipass – Request Keyword Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if<br />
a method using a Keyword is selected in the Request Method. This is permitted to be<br />
blank.<br />
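The Backup Virtual Digipass limits are split between the Digipass record (BVDP Mode, Enabled Until, Uses Remaining, described under the Digipass fields earlier) and the Policy (Enable Backup VDP, Time Limit, Max. Uses/User, described above), and the two interact on the first OTP request. This added example models that interaction; it is not aXsGUARD code. The class and function names, the serial numbers and dates are constructed, option names are written with a plain hyphen, and one detail the guide leaves open is an assumption: the first request both fills a blank Uses Remaining and consumes one use.

```python
"""Backup Virtual Digipass (BVDP) limit handling across Digipass record and Policy (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Enable Backup VDP / BVDP Mode values from the guide, normalised to a plain hyphen.
NO, PERMITTED, TIME_LIMITED, REQUIRED = (
    "No", "Yes - Permitted", "Yes - Time Limited", "Yes - Required")


@dataclass
class Policy:
    enable_backup_vdp: str             # one of the four values above
    time_limit_days: Optional[int]     # Backup VDP - Time Limit; None = blank
    max_uses_per_user: Optional[int]   # Backup VDP - Max. Uses/User; None = blank


@dataclass
class DigipassRecord:
    serial: str
    bvdp_activated_in_dpx: bool        # the feature must also be activated in the DPX file
    bvdp_mode: str = "Default"         # Digipass-level override; "Default" defers to the Policy
    enabled_until: Optional[date] = None
    uses_remaining: Optional[int] = None


def effective_bvdp_mode(dp: DigipassRecord, policy: Policy) -> str:
    """The Digipass record overrides the Policy setting unless it is Default."""
    return policy.enable_backup_vdp if dp.bvdp_mode == "Default" else dp.bvdp_mode


def request_backup_otp(dp: DigipassRecord, policy: Policy, today: date) -> Tuple[bool, str]:
    """Decide whether a BVDP OTP request may proceed and update the record's limits.

    Returns (allowed, reason). Generating and delivering the OTP is out of scope.
    Assumption (not stated in the guide): a request that fills a blank
    Uses Remaining from Max. Uses/User also consumes one use.
    """
    if not dp.bvdp_activated_in_dpx:
        return False, "Digipass is not activated for BVDP in its DPX file"
    mode = effective_bvdp_mode(dp, policy)
    if mode == NO:
        return False, "BVDP not permitted by the effective setting"
    if mode not in (PERMITTED, TIME_LIMITED, REQUIRED):
        return False, f"unknown Enable Backup VDP value {mode!r}"

    # Blank limits are filled from the Policy the first time a BVDP OTP is requested.
    if mode == TIME_LIMITED and dp.enabled_until is None and policy.time_limit_days is not None:
        dp.enabled_until = today + timedelta(days=policy.time_limit_days)
    if dp.uses_remaining is None and policy.max_uses_per_user is not None:
        dp.uses_remaining = policy.max_uses_per_user

    # Enabled Until counts only in Time Limited mode; today's date or earlier means expired.
    if mode == TIME_LIMITED and dp.enabled_until is not None and dp.enabled_until <= today:
        return False, "Enabled Until has expired; an administrator must extend or reset it"

    # Uses Remaining counts in every permitting mode; blank means no use limit applies.
    if dp.uses_remaining is not None:
        if dp.uses_remaining <= 0:
            return False, "Uses Remaining is zero; an administrator must increase or reset it"
        dp.uses_remaining -= 1
    return True, "BVDP OTP request accepted"


def admin_reset_bvdp_limits(dp: DigipassRecord) -> None:
    """Administrator intervention: blank both limits so they are refilled on the next use."""
    dp.enabled_until = None
    dp.uses_remaining = None


if __name__ == "__main__":
    # Constructed scenario: Policy allows 3 uses within 5 days, Digipass defers to the Policy.
    pol = Policy(TIME_LIMITED, time_limit_days=5, max_uses_per_user=3)
    dp = DigipassRecord("0123456789", bvdp_activated_in_dpx=True)
    for day in range(4):
        print(request_backup_otp(dp, pol, date(2010, 3, 1) + timedelta(days=day)), dp)
```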
Identification Time Window Controls the maximum number of time steps' variation allowable between a Digipass and<br />
the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> during login. This only applies to time-based Digipass<br />
Applications when verifying a One Time Password.<br />
The Dynamic Time Window option may be used to allow more variation according to the<br />
length of time since the last successful login.<br />
If this setting is not specified at all, there is an inbuilt default value of 20.<br />
Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and<br />
the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> during Digital Signature verification. This only applies to time-based<br />
Digipass Applications when validating a signature, but even then it may be used or<br />
not according to the Online Signature Level setting.<br />
If this setting is not specified at all, there is an inbuilt default value of 24.<br />
Initial Time Window Controls the maximum allowed time variation allowable between a Digipass and the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>, the first time that the Digipass is used. The time is specified in<br />
hours. This Initial Time Window is also used directly after a Reset Application operation,<br />
which can be used if it appears that the internal clock in the Digipass has drifted too<br />
much since the last successful login.<br />
This only applies to time-based Digipass Applications when verifying a One Time<br />
Password.<br />
In either case, after the first successful login, the Initial Time Window is no longer active.<br />
If this setting is not specified at all, there is an inbuilt default value of 6.<br />
Event Window Controls the maximum number of events' variation allowable between a Digipass and the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> during login. This only applies to event-based Digipass Applications.<br />
It always applies when verifying a One Time Password but for Signature validation, it<br />
depends on the Online Signature Level setting whether the Event Window is used or not.<br />
If this setting is not specified at all, there is an inbuilt default value of 20.<br />
Identification Threshold Specifies the number of consecutive failed authentication attempts allowed before the<br />
Digipass Application is locked from future authentication attempts. Once the Digipass<br />
Application is locked, the Reset Appl Lock command is required to unlock it for further<br />
authentication.<br />
This locking mechanism is separate from the User Lock Threshold and is normally not<br />
necessary. It only applies when a single Digipass Application can be used for a login,<br />
either because the User only has one Digipass with one Application, or because the Policy<br />
restrictions narrow the list down to one Digipass Application. If Policy restrictions are used<br />
in this way, the Identification Threshold can be used to lock a User out of one kind of login<br />
(e.g. a VPN) while still permitting them to use another kind (e.g. a web application).<br />
If this setting is not specified at all, this feature is not used.<br />
Signature Threshold Specifies the number of consecutive failed Signature validation attempts allowed before<br />
the Digipass Application is set to be locked from future signature validation attempts.<br />
Once the Digipass Application is locked, the Reset Appl Lock command is required to<br />
unlock it for further signature validation.<br />
This locking mechanism is separate from the User Lock Threshold and is normally not<br />
necessary. It only applies when a single Digipass Application can be used for a signature<br />
validation, either because the User only has one Digipass with one signature-capable<br />
Application, or because the Policy restrictions narrow the list down to one Digipass<br />
Application. If Policy restrictions are used in this way, the Signature Threshold can be<br />
used to lock a User out of one kind of signature validation while still permitting them to<br />
use another kind.<br />
If this setting is not specified at all, this feature is not used.<br />
Max. Days Since Last Use This setting specifies the maximum number of days for which a Digipass Application can<br />
go unused for authentication or signature validation. After this limit, authentication and<br />
signature validation will be rejected until an administrator performs a Reset Application<br />
operation.<br />
If this setting is not specified at all, this feature is not used.<br />
Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication.<br />
The value 1 should be used for standard RADIUS Challenge/Response. This is the inbuilt<br />
default value if the setting is not specified at all.<br />
0 No check is made. This is necessary for 1-step<br />
Challenge/Response.<br />
1 The challenge presented for verification must be the last one<br />
that was generated specifically for that Digipass. This is the<br />
normal mode of operation in 2-step Challenge/Response.<br />
2 The challenge presented for verification is ignored; the last<br />
one that was generated specifically for that Digipass is used.<br />
3 Only one verification is permitted per time step. This option<br />
only applies to time-based Challenge/Response. This is a<br />
method of avoiding a potential replay of a captured response if<br />
the same challenge comes up again in the same time step.<br />
4 If the same challenge and response are presented for<br />
verification twice in a row during the same time step, they are<br />
rejected. This is an advanced method of avoiding a potential<br />
replay of a captured challenge/response.<br />
Online Signature Level This setting is for advanced control of Signature validation.<br />
The value 0 can be used for Digipass Applications that are neither time- nor event-based. This is the inbuilt default value if the setting is not specified at all.<br />
0: The signature is validated in offline mode. This is useful when the signatures may not be validated in the same sequence as they were generated by the user. It is also useful when there may be some delay after the signature is generated by the user, before the signature is validated.<br />
For time-based Digipass Applications: this mode is typically used with a large time step. When this mode is used, no clock synchronization occurs between the Digipass and the aXsGUARD Identifier. The aXsGUARD Identifier will not reject an older signature than the most recently validated signature, provided it is still within the Signature Time Window.<br />
For event-based Digipass Applications: when this mode is used, the aXsGUARD Identifier will not reject an older signature than the most recently validated signature, provided it is still within the Event Window.<br />
1: The signature is validated in online mode. This is useful when the signatures are expected or required to be validated immediately after they are generated.<br />
For time-based Digipass Applications: this mode is typically used with a small time step. When this mode is used, clock synchronization occurs between the Digipass and the aXsGUARD Identifier. The aXsGUARD Identifier will reject an older signature than the most recently validated signature. A newer signature must be within the Signature Time Window. This mode will allow more than one signature to be validated in the same time step, provided that the same exact signature is not repeated twice in a row.<br />
For event-based Digipass Applications: when this mode is used, the aXsGUARD Identifier will reject an older signature than the most recently validated signature. A newer signature must be within the Event Window.<br />
2: The signature is validated in strict online mode. This is useful for time-based signatures when you want to prevent more than one signature from the same time step from being validated. Otherwise, this mode is the same as online mode.<br />
3: The signature is validated using the Deferred Event Count. This mode only applies to event-based signatures. For each signature validation request, the Deferred Event Count must be supplied as a parameter.<br />
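For time-based signatures, levels 0, 1 and 2 differ in whether the server keeps a per-device clock position and what it refuses once it has one. The validator below is an added illustration of those three levels, not VASCO code: the token's signature is replaced by an HMAC-SHA256 stand-in over (signed data, time step) under a per-device secret, TIME_STEP = 30 seconds is assumed, the window of 24 steps is the Signature Time Window value from the pre-loaded policies, and level 3 (Deferred Event Count, event-based only) is deliberately not modelled.<br />

```python
import hashlib
import hmac

TIME_STEP = 30               # seconds per time step; assumed for the demo
SIGNATURE_TIME_WINDOW = 24   # time steps either side of the server clock (value from the pre-loaded policies)


def sign(secret: bytes, data: str, step: int) -> str:
    """Stand-in for the token's signature: 8 digits over (data, time step) under the device secret."""
    mac = hmac.new(secret, f"{data}|{step}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class SignatureValidator:
    """Server-side validation for Online Signature Level 0 (offline), 1 (online), 2 (strict online)."""

    def __init__(self, level: int, window: int = SIGNATURE_TIME_WINDOW):
        if level not in (0, 1, 2):
            raise ValueError("levels 0..2 are modelled here; level 3 (Deferred Event Count) is event-based")
        self.level = level
        self.window = window
        self._last_step = {}  # device -> step of the most recently validated signature (levels 1, 2)
        self._last_sig = {}   # device -> that signature (level 1 rejects it if repeated)

    def _find_step(self, secret: bytes, data: str, sig: str, server_step: int):
        """Search the Signature Time Window for the step at which the token produced `sig`."""
        for step in range(server_step - self.window, server_step + self.window + 1):
            if hmac.compare_digest(sign(secret, data, step), sig):
                return step
        return None

    def validate(self, device: str, secret: bytes, data: str, sig: str, now: int) -> bool:
        step = self._find_step(secret, data, sig, now // TIME_STEP)
        if step is None:
            return False                       # outside the window, or wrong secret/data
        last = self._last_step.get(device)
        if self.level == 1 and last is not None:
            if step < last:
                return False                   # older than the most recently validated signature
            if step == last and hmac.compare_digest(self._last_sig[device], sig):
                return False                   # the exact same signature twice in a row
        elif self.level == 2 and last is not None and step <= last:
            return False                       # strict: one signature per time step
        if self.level != 0:                    # offline mode keeps no per-device clock state
            self._last_step[device] = step
            self._last_sig[device] = sig
        return True


if __name__ == "__main__":
    secret, now = b"demo-device-secret", 1_000_000
    sig = sign(secret, "pay 100 to A", now // TIME_STEP)
    for level in (0, 1, 2):
        v = SignatureValidator(level)
        first = v.validate("dp1", secret, "pay 100 to A", sig, now)
        replay = v.validate("dp1", secret, "pay 100 to A", sig, now)
        print(f"level {level}: first={first} replay={replay}")
```

Level 0 accepts a replayed signature for as long as it stays inside the window (24 steps either side here), which is the price of tolerating out-of-order or delayed validation; choose it only where the signed data itself cannot be reused, and prefer level 1 or 2 when signatures are checked as they arrive.<br />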
3.4 Pre-Loaded Policies<br />
These Policies are created for the aXsGUARD Identifier on installation of the aXsGUARD Identifier. They provide an example for setting up Policies in a typical environment.<br />
Note:<br />
The Group Check feature will be supported in future releases.<br />
Table 10: Pre-Loaded Policies<br />
Policy Name: Base Policy<br />
Parent Policy: -<br />
Description: Globally applicable settings. In general, all other Policies should inherit from this, directly or indirectly.<br />
Non-Default Settings: User Lock Threshold=3; PIN Change Allowed=Yes; Challenge Request Method=Keyword; Primary VDP Request Method=Password; Backup VDP Request Method=KeywordPassword; Backup VDP Request Keyword=otp; Identification Time Window=20; Check Challenge Mode=1; Event Window=20; Sync Window=6; Online Signature Level=0; Identification Threshold=0; Local Authentication=None; Back-End Authentication=None; DUR=No; Password Autolearn=No; Stored Password Proxy=No; Group Check Mode=No Check; Assignment Mode=Neither; Search Up OU Path=No; Application Types=No Restriction; 1-Step Challenge/Response=No; 1-Step Challenge Check Digit=No; Backup VDP Enabled=No<br />
Policy Name: Identikey Administration Logon<br />
Parent Policy: Base Policy<br />
Description: Settings for an administration logon including Audit Viewer live connection. Separated from the main authentication policies to avoid accidental interference. Locking is off to reduce the chance of a lock-out.<br />
Non-Default Settings: Local Authentication=Digipass/Password; User Lock Threshold=0<br />
Policy Name: Identikey Local Authentication<br />
Parent Policy: Base Policy<br />
Description: Settings applicable to all IDENTIKEY Server authentication Policies, including local authentication. In general, all other IDENTIKEY Server Policies using local authentication should inherit from this, directly or indirectly.<br />
Non-Default Settings: Local Authentication=Digipass/Password<br />
Policy Name: Identikey Microsoft AD Password Replacement<br />
Parent Policy: Identikey Local Authentication<br />
Description: IDENTIKEY Server model for password replacement for Microsoft Active Directory<br />
Non-Default Settings: Local Auth=Default; Backend Auth=Always; Backend Protocol=Microsoft AD; DUR=Yes; Password Autolearn=Yes; Stored Password Proxy=Yes<br />
Policy Name: Identikey Novell e-Directory Password Replacement<br />
Parent Policy: Identikey Local Authentication<br />
Description: IDENTIKEY Server model for password replacement for Novell e-Directory<br />
Non-Default Settings: Local Auth=Default; Backend Auth=Always; Backend Protocol=Novell e-Directory; DUR=Yes; Password Autolearn=Yes; Stored Password Proxy=Yes<br />
Policy Name: Identikey Microsoft ADAM Password Replacement<br />
Parent Policy: Identikey Local Authentication<br />
Description: IDENTIKEY Server model for password replacement for Microsoft ADAM<br />
Non-Default Settings: Local Auth=Default; Backend Auth=Always; Backend Protocol=Microsoft ADAM; Password Autolearn=Yes; Stored Password Proxy=Yes<br />
Policy Name: Identikey Microsoft AD Auto Assignment<br />
Parent Policy: Identikey Local Authentication<br />
Description: IDENTIKEY Server model for Auto Assignment for Microsoft Active Directory<br />
Non-Default Settings: Local Auth=Default; Backend Auth=If Needed; Backend Protocol=Microsoft AD; Assignment Mode=Auto-Assignment; Search-Up-OU-Path=Yes<br />
Policy Name: Identikey Microsoft ADAM Auto Assignment<br />
Parent Policy: Identikey Microsoft ADAM Password Replacement<br />
Description: IDENTIKEY Server model for Auto Assignment for Microsoft ADAM<br />
Non-Default Settings: Local Auth=Default; Backend Auth=If Needed; Backend Protocol=Microsoft ADAM; Assignment Mode=Auto-Assignment; Search-Up-OU-Path=Yes<br />
Policy Name: Identikey Microsoft AD Self Assignment<br />
Parent Policy: Identikey Microsoft AD Password Replacement<br />
Description: IDENTIKEY Server model for Self-Assignment for AD Password Replacement<br />
Non-Default Settings: Local Auth=Default; Backend Auth=Always; Backend Protocol=Microsoft AD; Assignment Mode=Self-Assignment; Search-Up-OU-Path=Yes<br />
Policy Name: Identikey Microsoft ADAM Self Assignment<br />
Parent Policy: Identikey Microsoft ADAM Password Replacement<br />
Description: IDENTIKEY Server model for Self-Assignment for ADAM Password Replacement<br />
Non-Default Settings: Local Auth=Default; Backend Auth=If Needed; Backend Protocol=Microsoft ADAM; Assignment Mode=Self-Assignment; Search-Up-OU-Path=Yes<br />
Policy Name: Identikey Novell e-Directory Self Assignment<br />
Parent Policy: Identikey Novell e-Directory Password Replacement<br />
Description: IDENTIKEY Server model for self-assignment for Novell e-Directory<br />
Non-Default Settings: Local Auth=Default; Backend Auth=Always; Backend Protocol=Novell e-Directory; Assignment Mode=Self-Assignment; Search-Up-OU-Path=Yes<br />
Policy Name: Identikey RADIUS Password Replacement<br />
Parent Policy: Identikey Local Authentication<br />
Description: IDENTIKEY Server model for password replacement and Dynamic User Registration using a RADIUS server for back-end authentication.<br />
Non-Default Settings: Backend Authentication=Always; Backend Protocol=RADIUS; Password Autolearn=Yes; Stored Password Proxy=Yes; Grace Period=7<br />
Policy Name: Identikey RADIUS Auto-Assignment<br />
Parent Policy: Identikey Local Authentication<br />
Description: IDENTIKEY Server model for Auto-Assignment based on the RADIUS password replacement model.<br />
Non-Default Settings: Search Up OU Path=Yes; Assignment Mode=Self-Assignment<br />
Policy Name: Identikey RADIUS Self-Assignment<br />
Parent Policy: Identikey Local Authentication<br />
Description: IDENTIKEY Server model for Self-Assignment based on the RADIUS password replacement model.<br />
Non-Default Settings: Search Up OU Path=Yes; Assignment Mode=Self-Assignment; Self Assignment Separator=|<br />
Policy Name: Identikey Back-End Authentication<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Server model for only Back-End Authentication. Change the Back-End Protocol to the one required.<br />
Non-Default Settings: Backend Protocol=RADIUS; Backend Authentication=Always<br />
Policy Name: Identikey DP110 Provisioning 1<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Web Provisioning model scenario 1 - Activation codes are encrypted with pre-loaded static passwords.<br />
Non-Default Settings: Local Auth=Digipass/Password; 1-Step Challenge/Response=Yes - Any challenge<br />
Policy Name: Identikey DP110 Provisioning 2<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY DP110 Provisioning model scenario 2 - Dynamic Registration using Back-End System. Change the Back-End Protocol to the one required.<br />
Non-Default Settings: Local Auth=Digipass/Password; Back-End Authentication=Always; 1-Step Challenge/Response=Yes - Any challenge; Online Signature Level=1 (Multiple Signatures allowed in same Time Step)<br />
Policy Name: Identikey DP4Mobile Register<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Mobile Register - pre-loaded User accounts and static passwords.<br />
Non-Default Settings: Local Authentication=DIGIPASS/PASSWORD; Backend authentication=NONE; Digipass type: 'MOB30'<br />
Policy Name: Identikey DP4Mobile Provisioning 1<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Mobile provisioning model scenario 1<br />
Non-Default Settings: Local Authentication=DIGIPASS/PASSWORD; Backend authentication=IF NEEDED; Digipass type: 'MOB30'<br />
Policy Name: Identikey DP4Mobile Provisioning 2<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Mobile provisioning model scenario 2<br />
Policy Name: Identikey DP4Mobile Provisioning 3<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Mobile provisioning model scenario 3<br />
Policy Name: Identikey DP4Web Provisioning 1<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Web Provisioning model scenario 1 - Activation codes are encrypted with pre-loaded static passwords.<br />
Non-Default Settings: Local Auth=Digipass/Password<br />
Policy Name: Identikey DP4Web Provisioning 2<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Web Provisioning model scenario 2 - pre-loaded User accounts and static passwords.<br />
Policy Name: Identikey DP4Web Provisioning 3<br />
Parent Policy: Base Policy<br />
Description: IDENTIKEY Digipass for Web Provisioning model scenario 3 - Dynamic Registration using Back-End System. Change the Back-End Protocol to the one required.<br />
Non-Default Settings: Local Auth=Digipass/Password; DUR=Yes<br />
Policy Name: Identikey Deferred Time signature Verification<br />
Parent Policy: Base Policy<br />
Description: Deferred time signature verification settings: Time based.<br />
Non-Default Settings: Signature Time Window=24<br />
Policy Name: Identikey Real-Time signature verification 1<br />
Parent Policy: Base Policy<br />
Description: Real-time signature verification settings: Time-based, several signatures are allowed in the same timestep but 2 identical successive signatures will be rejected.<br />
Non-Default Settings: Online signature level=1 (Multiple Signatures allowed in same Time Step)<br />
Policy Name: Identikey Real-Time signature verification 2<br />
Parent Policy: Base Policy<br />
Description: Real-time signature verification settings: Time-based, one signature allowed per timestep.<br />
Non-Default Settings: Online signature level=2 (Only 1 Signature/Time Step allowed)<br />
Policy Name: Identikey Real-Time signature verification 3<br />
Parent Policy: Base Policy<br />
Description: Deferred time signature verification settings: Event based, off-line mode.<br />
Non-Default Settings: Signature Time Window=24<br />
Policy Name: Windows logon online authentication - LDAP AD Back-End<br />
Parent Policy: Identikey Local Authentication<br />
Description: Windows Logon for LDAP AD Back-End<br />
Non-Default Settings: Back-End Authentication=Always; Back-End Protocol=Microsoft AD; Dynamic Component Registration=Yes; Enable Random Password=No; Client Group List=(empty); Client Group Mode=No check; Offline Authentication=No<br />
Policy Name: Windows logon online and offline authentication - LDAP AD Back-End<br />
Parent Policy: Windows logon online authentication - LDAP AD Back-End<br />
Description: Windows logon online and offline authentication settings for LDAP AD Back-End<br />
Non-Default Settings: Offline Authentication=Yes; Offline Time Window (days)=21; Offline Event Window=300<br />
3.5 Client Properties<br />
Table 11: Client Fields<br />
Field Name Description<br />
Client Type The type of Client component represented by the record. For SOAP clients, the type needs to match the Component Type parameter passed in the SOAP requests. Each application can identify itself as a different type of Client.<br />
In addition there are some standard options:<br />
Administration Program<br />
RADIUS Client<br />
Citrix Web Interface<br />
Outlook Web Access<br />
IIS6 Module<br />
Location The IP address or name of the machine represented by the record. For all Client types except<br />
RADIUS Clients, this must be the source IP address of requests originating from that Client.<br />
For a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier value sent in the RADIUS requests.<br />
A RADIUS Client of Location default can be used to accept RADIUS requests from all IP<br />
addresses, using the same Shared Secret. However, where a RADIUS Client record with the<br />
exact Location exists, its Shared Secret will be used in preference to the default RADIUS Client's<br />
Shared Secret.<br />
Protocol The protocol by which requests will be received from the Client.<br />
SOAP The standard SOAP protocol over HTTPS. This is used by programs using the SOAP interface from the aXsGUARD Identifier SDK and the Web Administration Interface.<br />
RADIUS The standard RADIUS protocol. This is used by various remote network access hardware and software systems. It can also be used as a simple authentication programming interface.<br />
SEAL A proprietary TCP/IP based protocol used by aXsGUARD Identifier and VACMAN Middleware 3.x. It is used by the IIS6 Module, Digipass TCL Command-Line Administration and for Replication between aXsGUARD Identifiers.<br />
Policy The name of the Policy that should be used for authentication, Provisioning and signature<br />
validation requests from the Component.<br />
Shared Secret The RADIUS Shared Secret between the aXsGUARD Identifier and the RADIUS Client.<br />
Confirm Shared<br />
Secret<br />
Allows confirmation of a new shared secret.<br />
Created On The date and time that the Client was created. Read-only.<br />
Last Modified On The date and time that the Client was last modified. Read-only.<br />
License Key For each SEAL authentication Client (IIS Module), a License Key is required. This consists of a set of parameters followed by a signature. See for more information.<br />
3.6 Back-End Server Properties<br />
Table 12: Back-End Server Fields<br />
Field Name Description<br />
Protocol Back-End Authentication Protocol. RADIUS, Active Directory, ADAM and e-Directory are<br />
currently supported.<br />
Domain This field provides the ability to assign particular Back-End Servers to a given Domain.<br />
This is optional.<br />
Priority The priority in the case that there are multiple Back-End Servers. The highest priority<br />
server is tried first, then the next highest, etc.<br />
Authentication IP IP Address on which the RADIUS Server receives authentication requests.<br />
Authentication Port UDP Port on which the RADIUS Server receives authentication requests.<br />
Accounting IP IP Address on which the RADIUS Server receives accounting requests.<br />
Accounting Port UDP Port on which the RADIUS Server receives accounting requests.<br />
Shared Secret Shared secret between the aXsGUARD Identifier and the RADIUS Server.<br />
Confirm Shared Secret Allows confirmation of a new shared secret.<br />
Timeout Number of seconds to wait for a response from the RADIUS Server before either retrying<br />
or trying another RADIUS Server.<br />
No. of Retries Number of times to retry if no response is received from the RADIUS Server.<br />
Base Search DN The DN where the search for user accounts starts.<br />
Security Principal DN The DN of the security principal used to access the directory.<br />
Security Principal Password The password of the security principal.<br />
Created On Date/time of creation.<br />
Last Modified On Date/time of last modification.<br />
3.7 Organization<br />
Table 13: Domain Fields<br />
Field Name Description<br />
Domain Domain name. Read-only after creation.<br />
Description A short description for the domain.<br />
Update History<br />
Created On The date and time when the record was created. Read-only.<br />
Last Modified On The date and time when the record was last modified. Read-only.<br />
Table 14: Organizational Unit Fields<br />
Field Name Description<br />
Domain The domain to which the Organizational Unit belongs. Read-only after creation.<br />
Description A short description for the Organizational Unit.<br />
Inherits from Organizational Unit The name of the Organizational Unit immediately above this one in the Organizational structure.<br />
Update History<br />
Created On The date and time when the record was created. Read-only.<br />
Last Modified On The date and time when the record was last modified. Read-only.<br />
3.8 Report Properties<br />
3.8.1 How to define a Query<br />
Queries consist of:<br />
a Datafield, which is a field from the database,<br />
an Operator, which is the operation to be performed on the datafield,<br />
a Value, which is the value the datafield will be compared against. A value is not necessary with all<br />
operators.<br />
To define a query you must select a datafield and an operator. Operators can be selected from the following:<br />
ISBLANK<br />
NOTBLANK<br />
EQUALS<br />
NOTEQUALS<br />
STARTS<br />
INCLUDES<br />
ENDS<br />
NOTSTARTS<br />
NOTENDS<br />
NOTINCLUDES<br />
><br />
>=<br />
<<br />
Field Name Description<br />
therefore makes sub counts at a regular interval of the amount of times an item has occurred.<br />
Description The description of the report that was entered when the report was created.<br />
Data Source Where the data in the report comes from. The sources can be:<br />
Users: The User data will be used to generate the report.<br />
Users + Audit: The User data and audit data will be used to generate the report.<br />
Digipass: Digipass data will be used to generate the report.<br />
Digipass + Audit: Digipass data and audit data will be used to generate the report.<br />
Audit: Only Audit data will be used to generate the report.<br />
Grouping Level The grouping level will be used to group the information on the report into the format you require. The grouping levels are:<br />
Client: The report information will be grouped for each Client.<br />
Domain: The report information will be grouped for each Domain.<br />
Organizational Unit: The report information will be grouped for each Organizational Unit.<br />
User: The report information will be grouped for each User.<br />
Digipass: The report information will be grouped for each Digipass.<br />
Time Frequency For Trend Analysis reports. This type of report shows trends over a time period, taking sub counts at certain time periods. Use this field to specify the sub-count time frequency.<br />
Created On Date the report was created.<br />
Updated On Date the report definition was last modified.<br />
3.8.2 Reporting Query Fields<br />
User, DIGIPASS record and Audit data fields can be used for queries to define customized reports.<br />
Table 16: User Fields for Reporting<br />
Name Type<br />
Back-end Authentication Number<br />
Created Time<br />
Description String<br />
DIGIPASS record String<br />
Disabled Y/N<br />
Domain String<br />
Email String<br />
Has DIGIPASS device Number<br />
Link_domain String<br />
Link_userid String<br />
Local Authentication Number<br />
Lock Count Number<br />
Locked Y/N<br />
Mobile Number<br />
Modified Time<br />
Organizational Unit String<br />
Phone String<br />
Profiles String<br />
Status String<br />
User ID String<br />
User Name String<br />
Table 17: DIGIPASS Fields for Reporting<br />
Name Type<br />
Application Names String<br />
Application Types String<br />
Assigned Date<br />
Backup VDP Enabled Y/N<br />
Backup VDP Expires Date<br />
Backup VDP Uses Left Number<br />
Created Time Date<br />
Description String<br />
DIGIPASS Type String<br />
Domain String<br />
Grace Period End Date<br />
Modified Time Date<br />
Org_unit String<br />
Reserve Number<br />
Serial Number String<br />
Status String<br />
User ID String<br />
Table 18: Audit Fields for Reporting<br />
Name Type<br />
Action String<br />
AMID String<br />
Application String<br />
Area String<br />
Category String<br />
Characteristics String<br />
Client Location String<br />
Code String<br />
Command String<br />
Configuration Details String<br />
Credentials String<br />
Data Source String<br />
Data Source Location String<br />
Description String<br />
Downtime Number<br />
Error Code Number<br />
Error Details String<br />
Error Message String<br />
Fields String<br />
From String<br />
Input Details String<br />
Message String<br />
Msg_type Number<br />
Object String<br />
Operation String<br />
Outcome String<br />
Output Details String<br />
Password Protocol String<br />
Policy ID String<br />
Quota Number<br />
Reason String<br />
Request ID String<br />
Request Type String<br />
Server Location String<br />
Session ID String<br />
Source String<br />
Source Location String<br />
Timestamp Date<br />
To String<br />
Type String<br />
Type Code<br />
Version String<br />
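A report query, as section 3.8.1 describes it, is a list of (Datafield, Operator, Value) conditions over the fields in the tables above. The evaluator below is an added example of those operators applied to User records, not code from the aXsGUARD Identifier. Its assumptions: conditions in one query are ANDed; string operators are case-sensitive; >, >= and < compare numerically (the operator list on the page ends at <, so only the operators shown are implemented); a missing or blank field satisfies only ISBLANK, in the way a SQL NULL would; and the three User records are constructed sample data using Table 16 field names.<br />

```python
def _is_blank(value) -> bool:
    return value is None or str(value).strip() == ""


def _number(value) -> float:
    return float(value)


# Operator -> predicate(field value, query Value). The Value is unused for ISBLANK/NOTBLANK.
OPERATORS = {
    "ISBLANK":     lambda v, x: _is_blank(v),
    "NOTBLANK":    lambda v, x: not _is_blank(v),
    "EQUALS":      lambda v, x: str(v) == str(x),
    "NOTEQUALS":   lambda v, x: str(v) != str(x),
    "STARTS":      lambda v, x: str(v).startswith(str(x)),
    "INCLUDES":    lambda v, x: str(x) in str(v),
    "ENDS":        lambda v, x: str(v).endswith(str(x)),
    "NOTSTARTS":   lambda v, x: not str(v).startswith(str(x)),
    "NOTENDS":     lambda v, x: not str(v).endswith(str(x)),
    "NOTINCLUDES": lambda v, x: str(x) not in str(v),
    ">":           lambda v, x: _number(v) > _number(x),
    ">=":          lambda v, x: _number(v) >= _number(x),
    "<":           lambda v, x: _number(v) < _number(x),
}
VALUE_OPTIONAL = {"ISBLANK", "NOTBLANK"}


def check_conditions(conditions):
    """Reject a query before running it: unknown operator, or a missing Value where one is needed."""
    for field, op, value in conditions:
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r} for field {field!r}")
        if op not in VALUE_OPTIONAL and value is None:
            raise ValueError(f"operator {op} on {field!r} needs a Value")


def holds(record, field, op, value) -> bool:
    """Evaluate one condition. A missing or blank field only satisfies ISBLANK (assumed, SQL-NULL-like);
    a non-numeric field compared with >, >= or < is treated as not matching rather than as an error."""
    v = record.get(field)
    if op not in VALUE_OPTIONAL and _is_blank(v):
        return False
    try:
        return OPERATORS[op](v, value)
    except ValueError:
        return False


def run_query(records, conditions):
    """Return the records for which every (Datafield, Operator, Value) condition holds (AND)."""
    check_conditions(conditions)
    return [r for r in records if all(holds(r, f, op, x) for f, op, x in conditions)]


# Constructed sample User records using Table 16 field names (not real data).
USERS = [
    {"User ID": "alice", "Domain": "master", "Email": "alice@example.com", "Locked": "N", "Lock Count": 0, "Disabled": "N"},
    {"User ID": "bob",   "Domain": "master", "Email": "",                  "Locked": "Y", "Lock Count": 3, "Disabled": "N"},
    {"User ID": "carol", "Domain": "sales",  "Email": "carol@example.org", "Locked": "N", "Lock Count": 1, "Disabled": "Y"},
]


def user_ids(conditions):
    """Convenience: the User IDs matching a query against the sample records."""
    return [r["User ID"] for r in run_query(USERS, conditions)]


if __name__ == "__main__":
    print("locked users:", user_ids([("Locked", "EQUALS", "Y")]))
    print("locked out at least once in master:",
          user_ids([("Lock Count", ">=", "1"), ("Domain", "EQUALS", "master")]))
```

A query such as Lock Count >= 1 AND Locked EQUALS N is the kind of thing worth scheduling: it surfaces accounts that are accumulating failed attempts without yet hitting the User Lock Threshold, which is an early signal of password guessing against a particular User ID.<br />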
3.8.3 Standard Reports<br />
The aXsGUARD Identifier reporting package will come with standard reports. Standard reports are provided for the most common administration tasks.<br />
Purposes:<br />
Reports produced by the Help desk to help with troubleshooting functional problems<br />
Reports produced by System administrators to help with troubleshooting system problems<br />
Reports produced by Administrators for Accounting information<br />
Reports produced by Administrators for System auditing information<br />
Names of Standard Reports:<br />
Detailed authentication report<br />
User authentication history report<br />
Detailed DIGIPASS registration report<br />
Detailed activity summary report<br />
Detailed Signature Validation report<br />
Detailed Provisioning report<br />
Signature Validation history report<br />
Failed Operations summary report<br />
Succeeded Operations summary report<br />
Authentication activity by user report<br />
Authentication activity by client report<br />
Provisioning activity by user report<br />
Provisioning activity by client report<br />
Transaction Signing Activity by User Application report<br />
Transaction Signing Activity by Client report<br />
Administration activity summary report<br />
DIGIPASS availability by type report<br />
DIGIPASS deployment trend report<br />
DIGIPASS deployment by type report<br />
Authentication trend report<br />
Transaction Signing Activity Trend<br />
Provisioning activity trend report<br />
Account lock trend report<br />
DIGIPASS assignment activity summary report<br />
3.9 aXsGUARD Identifier Properties<br />
Table 19: aXsGUARD Identifier Fields<br />
Field Name Description<br />
Location The IP address of the aXsGUARD Identifier represented by the record.<br />
Policy The name of the Policy that should be used for administration logon requests from the Component, including live connections from the Audit Viewer. This Policy is used if there is no specific Administration Program Client record for the location of the administration logon.<br />
Created On The date and time that the record was created. Read-only.<br />
Last Modified On The date and time that the record was last modified. Read-only.<br />
License Key For each aXsGUARD Identifier, a License Key is required. This consists of a set of parameters followed by a signature. See for more information.<br />
4 Importing Users with Comma Separated Value Files<br />
DIGIPASS User accounts can be imported into the database from a comma separated values (csv) text file,<br />
with the following restrictions:<br />
Each User account must be on a separate line in the text file.<br />
A header line must be included at the beginning of the file to specify the names of the fields included, and<br />
the order. The correct case is not required.<br />
Text strings must be surrounded by double quotes. If a double quote occurs within a text string, it must be doubled (written as two consecutive double quotes).<br />
These columns may exist in the text file:<br />
User ID (maximum 255 characters)<br />
User Name (maximum 64 characters)<br />
Serial Number (to assign a specific DIGIPASS device; this can be formatted as written on the DIGIPASS<br />
hardware e.g. 9087653-4 or as it appears in a DIGIPASS record e.g. 0090876534)<br />
Organizational Unit (Organizational Unit must already exist in the database)<br />
Domain (Domain must exist already in the database)<br />
Password (maximum 255 characters)<br />
Phone (maximum 64 characters)<br />
Email (maximum 64 characters)<br />
Mobile (maximum 64 characters)<br />
A DIGIPASS record must already exist in the database in the correct domain to be assigned to the User.<br />
If a domain is not specified for a User account, the User account will be added to the Master Domain.<br />
If the specified domain does not exist in the database, the User account will not be imported.<br />
Example text file<br />
USERID,DOMAIN,USERNAME,ORGANIZATIONALUNIT,PASSWORD,PHONE,EMAIL,MOBILE<br />
"testuser1","master","TestUser1","","password","0455584965","testuser1@company.com","0410 555 555"<br />
"testuser2","master","TestUser2","","secret","055511312","testuser2@company.com",""<br />
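The import rules above (header line in any case, quoted strings with doubled quotes, field length limits, Master Domain as the default, rows with an unknown domain dropped, serial numbers accepted either as printed on the device or as stored in the DIGIPASS record) are easy to check before a file is uploaded. The validator below is an added example, not the appliance's own importer: the serial normalisation pads the digits to the 10-character form the page shows (9087653-4 becomes 0090876534), the domain, Organizational Unit and DIGIPASS lookups are stand-ins for the database (Organizational Units are keyed by domain, following Table 14), and the sample file extends the page's two example rows with two constructed ones.<br />

```python
import csv
import io

MASTER_DOMAIN = "master"          # users without a DOMAIN value go here
COLUMNS = {"USERID", "USERNAME", "SERIALNUMBER", "ORGANIZATIONALUNIT",
           "DOMAIN", "PASSWORD", "PHONE", "EMAIL", "MOBILE"}
MAX_LEN = {"USERID": 255, "USERNAME": 64, "PASSWORD": 255,
           "PHONE": 64, "EMAIL": 64, "MOBILE": 64}


def normalize_serial(serial: str) -> str:
    """'9087653-4' as printed on the device -> '0090876534' as stored in the DIGIPASS record."""
    digits = serial.replace("-", "").strip()
    if not digits.isdigit() or len(digits) > 10:
        raise ValueError(f"serial number {serial!r} is not a valid DIGIPASS serial")
    return digits.zfill(10)


def parse_user_csv(text, domains, org_units, digipass_by_domain):
    """Validate an import file against the rules on this page.

    `domains` is the set of existing domain names, `org_units` a set of (domain, OU name) pairs and
    `digipass_by_domain` maps a domain to the 10-digit serials it holds; all three stand in for the
    database. Returns (accepted rows, [(line number, reason), ...]) for the rejected ones.
    """
    reader = csv.DictReader(io.StringIO(text))  # the csv module unescapes "" inside quoted strings
    if not reader.fieldnames:
        raise ValueError("header line missing")
    header = [name.strip().upper() for name in reader.fieldnames]   # case is not significant
    unknown = set(header) - COLUMNS
    if unknown:
        raise ValueError(f"unknown column(s) in header: {sorted(unknown)}")
    if "USERID" not in header:
        raise ValueError("header must include USERID")

    accepted, rejected = [], []
    for line_no, raw in enumerate(reader, start=2):           # line 1 is the header
        row = {k.strip().upper(): (v or "") for k, v in raw.items() if k is not None}
        user_id = row.get("USERID", "")
        if not user_id:
            rejected.append((line_no, "empty USERID"))
            continue
        too_long = [c for c, limit in MAX_LEN.items() if len(row.get(c, "")) > limit]
        if too_long:
            rejected.append((line_no, f"maximum length exceeded: {too_long}"))
            continue
        domain = row.get("DOMAIN", "") or MASTER_DOMAIN
        if domain not in domains:
            rejected.append((line_no, f"domain {domain!r} does not exist"))
            continue
        ou = row.get("ORGANIZATIONALUNIT", "")
        if ou and (domain, ou) not in org_units:
            rejected.append((line_no, f"organizational unit {ou!r} does not exist in {domain!r}"))
            continue
        serial = row.get("SERIALNUMBER", "")
        if serial:
            try:
                serial = normalize_serial(serial)
            except ValueError as exc:
                rejected.append((line_no, str(exc)))
                continue
            if serial not in digipass_by_domain.get(domain, set()):
                rejected.append((line_no, f"no DIGIPASS {serial} in domain {domain!r}"))
                continue
        accepted.append({
            "user_id": user_id, "user_name": row.get("USERNAME", ""), "domain": domain,
            "org_unit": ou, "serial": serial, "password": row.get("PASSWORD", ""),
            "phone": row.get("PHONE", ""), "email": row.get("EMAIL", ""), "mobile": row.get("MOBILE", ""),
        })
    return accepted, rejected


# Constructed sample file: the guide's two example rows plus one row with an escaped quote and
# one with a domain that does not exist.
SAMPLE_CSV = (
    'USERID,DOMAIN,USERNAME,ORGANIZATIONALUNIT,PASSWORD,PHONE,EMAIL,MOBILE,SERIALNUMBER\n'
    '"testuser1","master","TestUser1","","password","0455584965","testuser1@company.com","0410 555 555","9087653-4"\n'
    '"testuser2","master","TestUser2","","secret","055511312","testuser2@company.com","",""\n'
    '"testuser3","","Test ""Quoted"" User","sales","pw","","","",""\n'
    '"testuser4","nosuchdomain","TestUser4","","pw","","","",""\n'
)
SAMPLE_DB = dict(domains={"master"}, org_units={("master", "sales")},
                 digipass_by_domain={"master": {"0090876534"}})

if __name__ == "__main__":
    ok, bad = parse_user_csv(SAMPLE_CSV, **SAMPLE_DB)
    print("accepted:", [u["user_id"] for u in ok])
    print("rejected:", bad)
```

Because the PASSWORD column carries static passwords in clear text, treat the import file as a secret: restrict its permissions, transfer it over an encrypted channel and delete it once the import has been confirmed.<br />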
5 Message Delivery Component<br />
5.1 MDC Tracing Levels<br />
The MDC uses a trace file to record information on events occurring in the system, for troubleshooting<br />
purposes. Such records may include generic information, changing conditions, or problems and errors that<br />
have been encountered.<br />
The level of tracing used by the MDC depends on its configuration.<br />
Basic tracing includes:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Full tracing includes:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Informational messages [INFOR]<br />
Data tracing messages [DATA]<br />
Debugging messages (useful for support purposes) [DEBUG]<br />
Security messages, messages that may contain security sensitive data [SECUR]<br />
As there are no size limitations to the trace file, VASCO does not recommend enabling tracing permanently.<br />
However, if your system is configured with Basic Tracing always enabled, ensure that the file size does not<br />
cause problems by deleting or archiving it, whenever it gets too large.<br />
5.2 MDC Result Options<br />
5.2.1 Overview<br />
An MDC gateway returns a result for each request. This result is added as audit information in the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong> auditing system.<br />
Result options are available in the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Configuration Tool to transform these results into more<br />
user friendly text before forwarding the result to the auditing system.<br />
In the sections below, the different types of gateway results and the related result options are described.<br />
5.2.2 Gateway Result Page<br />
A result page is returned by the gateway service when a text message is submitted by the GET or POST<br />
methods. This page would normally be an HTML formatted page containing specific error codes and/or<br />
additional messages for success/failure.<br />
Three types of result messages are generally categorized as:<br />
Success: the message delivery succeeded (the message has been accepted by the server)<br />
Failure: the submission/delivery failed, but it is most likely a specific error only affecting this User. The<br />
User's login will fail on the first step. Possible causes are:<br />
Phone number invalid<br />
Temporary gateway failure<br />
Malformed query: error(s) occurred while attempting delivery. This means that the delivery failed for a<br />
particular User, but the error might be affecting all Users. In this case, the User's login will fail<br />
immediately. Possible errors of this type are:<br />
Account data incorrect (Account User or password wrong)<br />
Account credit expired (for a pre-paid gateway account)<br />
Communication error with gateway (network error)<br />
Other permanent gateway errors<br />
5.2.3 Result Options<br />
A gateway result page can be recognized by key words and phrases, allowing an alternative message to be<br />
created for the auditing system. Variables can be extracted from the result page and used in the log message<br />
to provide extra information.<br />
Result Page Rules<br />
The result page rule patterns use the following syntax:<br />
Segment [Var-Name1] Segment [] Segment [Var-Name2] …<br />
with the template constructed in the following way:<br />
Segment: a character string which must be matched in the page returned by the gateway. Note that<br />
multiple segments can appear in a single template, but they must not overlap. Matching is<br />
case-sensitive.<br />
[]: omits a variable part of the result page between two segments when matching a<br />
template. This can be useful to ignore arbitrary data or time/date data in the returned web page.<br />
[Var-Namex]: describes a segment of the result page between two segments, or at the end of<br />
the result page, which is written to a variable. Usually this is data which can provide more detailed<br />
information about why a message submission failed. The variable name inside the [] brackets can then be<br />
used as part of the audit message template to create a meaningful message.<br />
Example<br />
If the server returns the following result page:<br />
“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in progress.”<br />
for successful transmission, or<br />
“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short”<br />
for an unsuccessful submission, the following result page rules can be configured:<br />
Message Rule Name: Success<br />
Message Rule Pattern: successful at [DateTime], status: [Status] – [Message]<br />
Variables retrieved: DateTime, Status, Message<br />
Message Rule Name: Warning<br />
Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message]<br />
Variables retrieved: DateTime, Message<br />
Message Rule Name: Error<br />
Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message]<br />
Variables retrieved: DateTime, Status, Message<br />
No Match Available<br />
If no Rule matches a Result page returned, an error is logged in the auditing system, reporting that the result<br />
page returned from the gateway could not be matched.<br />
Ordering Rules<br />
The order of the result page template in the configuration data can be used to match more specific messages<br />
first and finally catch any “other” messages, which the gateway might send.<br />
Audit message template<br />
Once a result page template has been matched, a corresponding audit message is constructed with the<br />
variables retrieved from the result page rule.<br />
The message template uses the following syntax:<br />
Text [Var-Name1] Text [Var-Name2] …<br />
Text: a character string which will appear literally in the constructed audit message.<br />
[Var-Namex]: a variable which is derived from the matched variables of the corresponding result page<br />
template.<br />
The following variables are predefined and can be used in the audit message template:<br />
Table 20: MDC Audit Message Variables<br />
Variable | Description<br />
[otp_dest] | The destination address (a mobile phone number) the OTP was sent to.<br />
[otp_msg] | The message that was submitted. This variable also contains the OTP, so it should not be used for the construction of audit messages.<br />
[acc_user] | Account name for the gateway. Not recommended for use in audit messages.<br />
[acc_pwd] | Account password for the gateway. Not recommended for use in audit messages.<br />
[Username] | User ID of the User requesting the OTP.<br />
Examples of variable use:<br />
Insufficient credit on account [acc_user] when sending to [username]<br />
Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message]<br />
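The following Python matcher is an added example for the Result Page Rules and Audit message template sections above; it is not VASCO's code, and the guide does not say how the MDC matches internally, so compiling each rule pattern to a regular expression is this example's own approach. It uses the guide's example rules and result pages, written with a plain hyphen before the message text, applies rules in configured order, renders audit templates, and flags the Table 20 variables that should not be logged; the function names, the case-insensitive variable lookup and the sample audit templates are assumptions of this example.

```python
"""Match MDC gateway result pages against result page rules and build audit messages.

Added example, not VASCO's code. The guide describes the rule and template
syntax but not the MDC's internal matcher; regular expressions are this
example's choice.
"""
import re

# Table 20 variables the guide says not to put into audit messages.
SENSITIVE_VARS = {"otp_msg", "acc_pwd"}      # contain the OTP / gateway password
DISCOURAGED_VARS = {"acc_user"}              # gateway account name, not recommended

TOKEN = re.compile(r"\[([^\]]*)\]")          # "[]" or "[Name]" in a pattern or template


def compile_rule(pattern):
    """Compile a result page rule pattern into (regex, capture_names).

    Literal segments are matched exactly and case-sensitively; [] skips any
    text; [Name] skips any text and stores it under Name. The first segment
    may occur anywhere in the page, so callers use regex.search().
    """
    regex, names, pos = [], [], 0
    for m in TOKEN.finditer(pattern):
        regex.append(re.escape(pattern[pos:m.start()]))
        names.append(m.group(1))             # "" for an anonymous [] skip
        regex.append("(.*?)")                # non-greedy: stop at the next segment
        pos = m.end()
    regex.append(re.escape(pattern[pos:]))
    # A trailing [Name] runs to the end of the page, so anchor the end there.
    return re.compile("".join(regex) + r"\s*$", re.DOTALL), names


def match_result_page(rules, page):
    """Return (rule_name, variables) for the first matching rule, or None.

    rules is an ordered list of (name, pattern); the first match wins, which
    is why the guide says to list the more specific rules first.
    """
    for name, pattern in rules:
        regex, names = compile_rule(pattern)
        m = regex.search(page)
        if m:
            return name, {n: v.strip() for n, v in zip(names, m.groups()) if n}
    return None


def check_audit_template(template):
    """Return the Table 20 variables used in a template that should not be logged."""
    used = {m.group(1).lower() for m in TOKEN.finditer(template)}
    return sorted(used & (SENSITIVE_VARS | DISCOURAGED_VARS))


def render_audit_message(template, variables):
    """Substitute [Name] tokens from rule-captured and predefined variables.

    Lookup is case-insensitive (this example's choice, so [message] and
    [Message] agree); unknown tokens are left in place so a misconfigured
    template is visible in the audit log rather than silently blanked.
    """
    lowered = {k.lower(): v for k, v in variables.items()}
    return TOKEN.sub(lambda m: lowered.get(m.group(1).lower(), m.group(0)), template)


# The guide's example rules, with a plain hyphen before the message text.
# Warning and Error are listed before Success: segments are located as
# substrings here, and "successful at" also occurs inside "unsuccessful at".
RULES = [
    ("Warning", "unsuccessful at [DateTime], status: 47 - [Message]"),
    ("Error", "unsuccessful at [DateTime], status: [Status] - [Message]"),
    ("Success", "successful at [DateTime], status: [Status] - [Message]"),
]
# Constructed audit templates, one per rule; [Username] and [otp_dest] are predefined.
AUDIT_TEMPLATES = {
    "Success": "OTP sent to [Username]/[otp_dest] at [DateTime], status [Status]",
    "Warning": 'Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message]',
    "Error": "Gateway error for [Username]/[otp_dest]: status [Status] - [Message]",
}


def audit_for_page(page, predefined, rules=RULES, templates=AUDIT_TEMPLATES):
    """Full path: match the page, merge variables, render the configured template."""
    hit = match_result_page(rules, page)
    if hit is None:
        return "Error", "Result page returned from the gateway could not be matched"
    name, captured = hit
    return name, render_audit_message(templates[name], {**predefined, **captured})
```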
6 Login Options<br />
6.1 Login Permutations<br />
6.1.1 Login Methods<br />
The information required to be entered during a login will vary according to the configuration settings of the<br />
relevant Policy, the login method, and any actions to be performed during the login.<br />
This section refers to authentication processing only, not Signature Validation or Provisioning.<br />
The login methods specified are:<br />
Response Only<br />
Challenge/Response:<br />
1-Step Challenge/Response: a random challenge is presented on the login page before the User ID is<br />
known. This is supported for SOAP clients and form-based IIS Modules.<br />
2-Step Challenge/Response: a challenge is generated after the user submits their User ID with a request<br />
to be given a challenge. The user then logs in with the response to the challenge in a second step. This is<br />
supported for all kinds of authentication client.<br />
Virtual Digipass - Primary or Backup<br />
6.1.2 Login Actions<br />
A User may be allowed to do these things during a login:<br />
Set their Server PIN – on first use or after a PIN reset.<br />
Change their Server PIN.<br />
Inform the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> that their static password for the Back-End System – e.g. Active Directory –<br />
has been modified.<br />
Perform a Self-Assignment for a Digipass in their possession.<br />
6.1.3 Login Variables<br />
The variables which a User may need to enter, in order to do one of the above functions, are listed below. The<br />
code or word used to designate each variable in the following tables is included in brackets.<br />
One Time Password (OTP)<br />
Password (Password)<br />
Server PIN (PIN)<br />
Serial Number of their Digipass (Serial No)<br />
Serial Number Separator (Sep.)<br />
Request Keyword (Keyword)<br />
6.1.4 Password Format<br />
In a SOAP authentication request, there are two Password Formats that can be used:<br />
Cleartext Combined<br />
Using this format, all the login variables listed above must be entered into a single password field. This<br />
format applies when the login screen or web page cannot be extended with additional entry fields.<br />
Cleartext Separate<br />
Using this format, the login variables are entered in separate fields.<br />
In RADIUS authentication requests, the PAP password protocol corresponds to the Cleartext Combined<br />
password format. The CHAP, MS-CHAP and MS-CHAP2 password protocols are handled as different password<br />
formats (as the password is hashed in various ways according to the protocol). In general, these hash-based<br />
password formats are not capable of combining different login variables, unless all the variables are already<br />
known to the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>.<br />
In administrative logons and IIS Module authentication requests, the Cleartext Combined password format is<br />
always used.<br />
6.1.5 Policy Settings<br />
The Policy settings which will affect the variables required in logins are:<br />
Stored Password Proxy<br />
If this attribute is set to Enabled, each User's password must be kept up to date in the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong>. This is typically achieved by enabling Password Autolearn.<br />
Password Autolearn<br />
If the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> is informed of a User's password change, the new password will only be<br />
recorded by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> if Password Autolearn is enabled in the relevant Policy.<br />
Serial Number Separator<br />
If a Serial Number Separator is specified, the User may enter their Digipass serial number exactly as it<br />
appears on the back of their Digipass (or in the documentation provided to the User), including dashes. If<br />
a Serial Number Separator is not specified, the Digipass serial number must be padded to 10 characters,<br />
with all non-numerical characters removed.<br />
Back-End Authentication<br />
In the following login permutations tables, 'Back-End Authentication Required' means that the Back-End<br />
Authentication setting is set to Always or If Needed.<br />
Where Back-End Authentication is enabled, logins which receive a fail from the back-end authenticator<br />
may achieve a login action – for example, Change PIN – even though the login was unsuccessful.<br />
Note<br />
Back-End Authentication is required for Self-Assignment and Password Autolearn logins.<br />
6.1.6 Response Only – Cleartext Combined Password Format<br />
The following two tables apply to the following cases:<br />
SOAP using Cleartext Combined password format<br />
<strong>Administration</strong> logins<br />
RADIUS using PAP<br />
IIS Modules<br />
The first table applies in these cases when:<br />
EITHER the Stored Password Proxy feature is enabled<br />
OR Back-End Authentication is not enabled<br />
Table 21: Login Permutations - Response Only Cleartext Combined (1)<br />
Login Type | Existing PIN? | Separator? | Password Field Contents<br />
Server PIN Required:<br />
Normal login | Yes | N/A | PIN+OTP<br />
Set PIN | No | N/A | OTP+NewPIN+NewPIN<br />
Change PIN | Yes | N/A | PIN+OTP+NewPIN+NewPIN<br />
Changed Password | Yes | N/A | Password+PIN+OTP<br />
Set PIN and Changed Password | No | N/A | Password+OTP+NewPIN+NewPIN<br />
Change PIN and Changed Password | Yes | N/A | Password+PIN+OTP+NewPIN+NewPIN<br />
Self-Assignment (1) | Yes | Yes | SerialNo+Sep.+Password+PIN+OTP<br />
Self-Assignment (1) | Yes | No | SerialNo+Password+PIN+OTP<br />
Self-Assignment (1) | No | Yes | SerialNo+Sep.+Password+OTP+NewPIN+NewPIN<br />
Self-Assignment (1) | No | No | SerialNo+Password+OTP+NewPIN+NewPIN<br />
No Server PIN Required:<br />
Normal login | N/A | N/A | OTP<br />
Changed Password | N/A | N/A | Password+OTP<br />
Self-Assignment | N/A | Yes | SerialNo+Sep.+Password+OTP<br />
(1) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be<br />
padded to 10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self-<br />
Assignment.<br />
The second table applies in these cases when:<br />
The Stored Password Proxy feature is not enabled<br />
AND Back-End Authentication is enabled<br />
Table 22: Login Permutations - Response Only Cleartext Combined (2)<br />
Login Type | Existing PIN? | Separator? | Password Field Contents<br />
Server PIN Required:<br />
Normal login | Yes | N/A | Password+PIN+OTP<br />
Set PIN | No | N/A | Password+OTP+NewPIN+NewPIN<br />
Change PIN | Yes | N/A | Password+PIN+OTP+NewPIN+NewPIN<br />
Changed Password | Yes | N/A | Password+PIN+OTP<br />
Set PIN and Changed Password | No | N/A | Password+OTP+NewPIN+NewPIN<br />
Change PIN and Changed Password | Yes | N/A | Password+PIN+OTP+NewPIN+NewPIN<br />
Self-Assignment (2) | Yes | Yes | SerialNo+Sep.+Password+PIN+OTP<br />
Self-Assignment (2) | Yes | No | SerialNo+Password+PIN+OTP<br />
Self-Assignment (2) | No | Yes | SerialNo+Sep.+Password+OTP+NewPIN+NewPIN<br />
Self-Assignment (2) | No | No | SerialNo+Password+OTP+NewPIN+NewPIN<br />
No Server PIN Required:<br />
Normal login | N/A | N/A | Password+OTP<br />
Changed Password | N/A | N/A | Password+OTP<br />
Self-Assignment | N/A | Yes | SerialNo+Sep.+Password+OTP<br />
Self-Assignment | N/A | No | SerialNo+Password+OTP<br />
Examples<br />
Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::'.<br />
3-179-0987::pA192ss086382012341234<br />
Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set.<br />
0031790987PA192ss0863820<br />
2 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be<br />
padded to 10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self-<br />
Assignment.<br />
6.1.7 Response Only – CHAP/MS-CHAP/MS-CHAP2<br />
The following table applies to the following case only:<br />
RADIUS using CHAP, MS-CHAP or MS-CHAP2<br />
EITHER the Stored Password Proxy feature is enabled<br />
OR Back-End Authentication is not enabled<br />
Table 23: Login Permutations - Response Only CHAP/MS-CHAP/MS-CHAP2<br />
Login Type | Server PIN Required? | Password Field Contents<br />
Normal login | Yes | PIN+OTP<br />
Normal login | No | OTP<br />
6.1.8 2-Step Challenge/Response – Cleartext Combined Password Format<br />
The following table applies to the following cases:<br />
SOAP using Cleartext Combined password format<br />
<strong>Administration</strong> logins<br />
RADIUS using PAP<br />
IIS Modules<br />
Challenge/Response in RADIUS is only supported for PAP.<br />
The column Stored Password Proxy Off AND Back-End Auth. Required contains Yes when:<br />
The Stored Password Proxy feature is not enabled<br />
AND Back-End Authentication is enabled<br />
In most cases this does not affect 2-Step Challenge/Response; it only matters when a Keyword alone is used.<br />
Table 24: Login Permutations – 2-Step Challenge/Response Cleartext Combined<br />
Login Type | Serial Number Separator? | Request Method | Stored Password Proxy Off AND Back-End Auth. Required (3) | Pre-Challenge | Response<br />
Normal login | N/A | Keyword | Yes | Keyword | Password+OTP<br />
Normal login | N/A | Keyword | No | Keyword | OTP<br />
Normal login | N/A | Password | N/A | Password | OTP<br />
Normal login | N/A | Keyword-Password | N/A | Keyword+Password | OTP<br />
Normal login | N/A | Password-Keyword | N/A | Password+Keyword | OTP<br />
Changed Password | N/A | Keyword | N/A | Keyword | Password+OTP<br />
Changed Password | N/A | Password | N/A | Password | OTP<br />
Changed Password | N/A | Keyword-Password | N/A | Keyword+Password | OTP<br />
Changed Password | N/A | Password-Keyword | N/A | Password+Keyword | OTP<br />
Self-Assignment (4) | Yes | N/A | N/A | SerialNo+Sep.+Password | OTP<br />
Self-Assignment (4) | No | N/A | N/A | SerialNo+Password | OTP<br />
(3) Back-End Authentication is required for Self-Assignment and Password Autolearn logins.<br />
(4) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be<br />
padded to 10 characters with preceding zeroes.<br />
6.1.9 Virtual Digipass<br />
The 2-step Virtual Digipass login is possible when using a SOAP client, the RADIUS Access-Challenge<br />
mechanism or an IIS Module in form-based authentication mode. The static password is required in either the<br />
first or the second step, but not both.<br />
However, many RADIUS environments and IIS Module 'basic authentication' do not support the 2-step login<br />
process. If the 2-step login process is not possible, two separate 1-step logins are required. The second login<br />
must include the Password as well as the OTP, but it is not necessary to provide the Password in the first<br />
login, if only a Keyword is used.<br />
Using the Cleartext Combined password format, all inputs in the table below are entered into the Password<br />
field. Using the Cleartext Separate password format, the Keyword and/or Password are always entered into<br />
the Static Password field, while the OTP is entered into the OTP field.<br />
Table 25: Login Permutations – Virtual Digipass<br />
Login Type | Request Method | 2-step login: Step 1 | 2-step login: Step 2 | Two 1-step logins: Step 1 | Two 1-step logins: Step 2<br />
Normal login | Keyword | Keyword | Password+OTP | Keyword | Password+OTP<br />
Normal login | Password | Password | OTP | Password | Password+OTP<br />
Normal login | Keyword-Password | Keyword+Password | OTP | Keyword+Password | Password+OTP<br />
Normal login | Password-Keyword | Password+Keyword | OTP | Password+Keyword | Password+OTP<br />
Normal login | Keyword-Only * | Keyword | OTP | Keyword | OTP<br />
Changed Password | Keyword | Keyword | Password+OTP | Keyword | Password+OTP<br />
Changed Password | Password | Password | OTP | Password | Password+OTP<br />
Changed Password | Keyword-Password | Keyword+Password | OTP | Keyword+Password | Password+OTP<br />
Changed Password | Password-Keyword | Password+Keyword | OTP | Password+Keyword | Password+OTP<br />
Changed Password | Keyword-Only * | Keyword | Password+OTP | Keyword | Password+OTP<br />
* This Request Method is only available with DIGIPASS Authentication for Windows Logon.<br />
7 Firewall Ports<br />
7.1 Overview<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> uses several different ports to communicate. If these are blocked by a firewall, some<br />
features will not work correctly. Listed below are the ports used by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> and the default<br />
port number used for each.<br />
7.2 Incoming Ports<br />
Table 26: List of Incoming Ports Used by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
Port | Default | Configuration | Source<br />
RADIUS Authentication Port | UDP 1812 | Not modifiable | RADIUS Clients; RADIUS Back-end servers<br />
RADIUS Accounting Port | UDP 1813 | Not modifiable | RADIUS Clients; RADIUS Back-end servers<br />
SEAL Port | TCP 20003 | Not modifiable | IIS Modules; Replication from other <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>s<br />
SSL SEAL | TCP 20004 | Not modifiable | Windows Logon Tool<br />
SOAP | TCP 8080 | Not modifiable | SOAP Clients<br />
Audit Replication Port | TCP 5432 | Not modifiable | <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> in replication setup<br />
Configuration Replication Port | TCP 20003 | Not modifiable | <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> in replication setup<br />
Replication Wizard Port | TCP 20101 | Not modifiable | Use replication wizard in <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
7.3 Outgoing Ports<br />
Table 27: List of Outgoing Ports Used by the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
Port | Default | Configuration | Destination<br />
RADIUS Authentication Port | UDP 1812 | Back-end server records (Authentication Port field) | RADIUS Back-end servers<br />
RADIUS Accounting Port | UDP 1813 | Back-end server records (Accounting Port field) | RADIUS Back-end servers<br />
LDAP Port | TCP 389 | Back-end server records (Port field) | LDAP Back-end servers<br />
SEAL Port | TCP 20003 | Replication section, Destination Servers tab, destination server properties, Port field | Replication to other <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
HTTPS connection to the VASCO Service Center (SC) | TCP 443 | Not modifiable | sc.vasco.com<br />
Audit Replication Port | TCP 5432 | Not modifiable | <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> in replication setup<br />
Configuration Replication Port | TCP 20003 | Not modifiable | <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> in replication setup<br />
Replication Wizard Port | TCP 20101 | Not modifiable | Use replication wizard in <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
8 Audit Messages<br />
For an explanation of the concepts of Auditing, please refer to the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Product Guide,<br />
'Auditing' section.<br />
8.1 Audit Message Listing<br />
Table 28: Audit Messages List<br />
Message Code | Description | Notes<br />
E000001 | A system error has occurred. | This message is used whenever there is a general processing error. It will contain full details of the error.<br />
E001001 | The Digipass Plug-In failed to start up. | The Plug-In encountered a fatal error on startup such as an invalid or missing configuration file.<br />
E001002 | The Digipass Plug-In has been forced into the disabled state. | The Plug-In has started up, but is in a disabled state in which it will not process authentication requests. This is typically due to a license problem (an invalid or missing License Key in the Plug-In's Component record); an invalid Component Location setting in the configuration file; or a missing Component record for the Plug-In.<br />
E001003 | The Authentication Server failed to start up. | The Authentication Server encountered a fatal error on startup. This is typically due to an invalid or missing configuration file or failure to connect to the data store.<br />
E002001 | The Active Directory AAL3 library failed to initialize. | The Active Directory 'AAL3' library encountered a fatal error on initialization, e.g. invalid configuration settings in the configuration file.<br />
E002002 | The Digipass Authentication library failed to initialize. | The 'Authentication' library encountered a fatal error on initialization, e.g. invalid configuration settings in the configuration file.<br />
E002004 | The RADIUS protocol handler failed to initialize. | The protocol handler that receives and processes RADIUS requests did not start up. This may be because of a missing License Key in the Authentication Server Component record, or because the License Key in that Component record does not enable RADIUS support. Look for the line RADIUS=Yes in the License Key details. A common reason for this error, when RADIUS is enabled in the License Key, is that the RADIUS ports are already in use by another process on the machine. Alternatively, the configuration settings may be invalid.<br />
E002006 | The Replication library failed to initialize. | The Replication library encountered a fatal error on initialization, e.g. invalid configuration settings in the configuration file.<br />
E002007 | Initialization of a Replication destination server failed. | The Replication library found the configuration of a Destination Server to be invalid. The library will still start up if its main configuration settings are valid and there is at least one valid Destination Server. For the invalid Destination Servers, this audit message is generated.<br />
E002008 | The Authentication Server protocol handler failed to initialize. | The protocol handler that receives and processes administration requests and authentication requests from the IIS modules failed initialization. This is typically due to invalid configuration settings or because the API port is already in use by another process on the machine.<br />
E002009 | The VM2 Compatibility protocol handler failed to initialize. | The protocol handler that receives and processes authentication requests from the VACMAN Middleware version 2 IIS modules failed initialization. This is typically due to invalid configuration settings or because the API port is already in use by another process on the machine.<br />
E009001 | An error occurred in the Virtual Digipass Message Delivery Component. | The MDC encountered an error during the process of submitting a request to the HTTP gateway and interpreting the response. This may indicate a configuration problem for the gateway or connectivity issues. The audit message may contain further details from the gateway.<br />
E012001 | The RADIUS Profile was not found in Steel-Belted RADIUS. | When a RADIUS Profile name is in the Digipass User Account but that name is not found in SBR, the login is failed with this error. This can also occur if there is no RADIUS Profile in the Digipass User Account, but there is a Default RADIUS Profile configured that was not found in SBR.<br />
E012002 | The RADIUS Attribute was not known by Steel-Belted RADIUS. | When the Digipass User Account has a RADIUS attribute in its Authorization Profiles/Attributes list, the attribute must be found in SBR. When such an attribute is not known to SBR, the login is failed with this error. The most likely reason for this error to occur is that the spelling of the attribute Name is different in SBR compared to the Digipass User account. This may also occur if the Value of the attribute does not convert to the correct data type expected by SBR, for example if an IP address attribute has a Value which is not a representation of an IP address.<br />
E013001 | A connection to an ODBC data source could not be established. | An attempt to connect to an ODBC data source failed. This may occur because: the database is unavailable for some reason such as rebooting; the database is too busy temporarily to service the connection; there are networking problems; or the credentials used in connecting to the database are invalid.<br />
E013002 | A connection to an ODBC data source is broken. | An established connection to an ODBC data source has broken. This may occur because: the database suddenly becomes unavailable for some reason such as rebooting; the database becomes too busy temporarily to service the connection; or there are networking problems.<br />
W004001 | A connection attempt to Active Directory failed. | An attempt to connect to an Active Directory Domain Controller failed. This may occur because: the Domain Controller is unavailable for some reason such as rebooting; the Domain Controller is too busy temporarily to service the connection; or there are DNS or networking problems.<br />
W004004 | A connection attempt to a Replication destination server failed. | An attempt by the Replication library to connect to a Destination Server failed. This may occur because: the incorrect IP address or port is configured; the Destination Server is unavailable for some reason such as rebooting; or there are networking/connectivity problems such as an intermediate firewall blocking the port.<br />
W005001 | A connection to Active Directory has terminated due to an error. | An established connection to an Active Directory Domain Controller has broken. This may occur because: the Domain Controller suddenly becomes unavailable for some reason such as rebooting; the Domain Controller becomes too busy temporarily to service the connection; or there are DNS or networking problems.<br />
W005004 | A connection to a Replication destination server has terminated due to an error. | An established connection to a Destination Server has broken. This may occur because the Destination Server suddenly becomes unavailable for some reason such as rebooting, or because of a temporary networking or connectivity problem.<br />
W006001 | An invalid RADIUS packet has been received. | A RADIUS request received was invalid (did not conform to the RADIUS protocol). The request is discarded. This can also occur when a response is received from a RADIUS Server to which a request was forwarded, if the response was invalid. The response is discarded.<br />
W006002 | A RADIUS request has been received from an unknown source. | A RADIUS request was received but there is no RADIUS Client Component for the source of the request, and there is no "default" RADIUS Client Component. The request is discarded. This audit message will be repeated at intervals when the same unknown source sends requests, but not for every request.<br />
W006003 | A request has been received from a RADIUS Client with no Shared Secret defined. | A RADIUS request was received where there is a RADIUS Client Component for the source of the request, but that Component record does not have a Shared Secret defined. Therefore, it is not possible to handle the request and it is discarded. This will not occur if there is a "default" RADIUS Client Component that has a Shared Secret. This audit message will be repeated at intervals when the same source sends requests, but not for every request.<br />
W006004 | A RADIUS request forwarded by this server has been received – there must be a circular proxy chain. | This can occur when the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> forwards a request to a RADIUS Server, and the RADIUS Server forwards the request back, due to its own proxy rules. It can also occur indirectly in a<br />
W006005 | An Access-Challenge received from the RADIUS Server cannot be handled. |<br />
longer 'proxy chain'. The request is discarded,<br />
otherwise an infinite loop could be created.<br />
If this occurs, there must be an error in the proxy<br />
configuration of the RADIUS Server(s).<br />
This can occur when the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
forwards a request to a RADIUS Server and the<br />
RADIUS Server responds with an Access-Challenge.<br />
An Access-Challenge can only be handled when the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> forwards the password<br />
unmodified to the RADIUS Server. If the <strong>aXs</strong><strong>GUARD</strong><br />
<strong>Identifier</strong> verifies an OTP and forwards the static<br />
password to the RADIUS Server, it is not possible to<br />
handle an Access-Challenge from the RADIUS<br />
Server.<br />
W006006 A RADIUS Server is not responding.<br />
Notes: The aXs GUARD Identifier has not managed to get a response from the RADIUS Server for some time. This message indicates that there may be a problem with the RADIUS Server.<br />
W009001 Virtual Digipass One Time Password delivery failed.<br />
Notes: The MDC could not successfully deliver a text message via the HTTP gateway. The audit message should contain further details from the gateway.<br />
W010001 A blank password was used for Back-End Authentication, as Stored Password Proxy is disabled and the user did not enter a static password.<br />
Notes: This message only occurs when the Back-End Authentication setting is Always. When Stored Password Proxy is disabled, the aXs GUARD Identifier does not pass on the password stored in the Digipass User Account to Windows for Back-End Authentication. If a User does not enter their password as well as their OTP, the login will fail because their password has not been provided to Windows.<br />
W011001 A Backup Virtual Digipass quota of uses has been finished.<br />
Notes: BVDP Uses Remaining has just been decremented to 0 for a Digipass. The User will not be able to use that Digipass for Backup Virtual Digipass logins until the Uses Remaining is increased or cleared.<br />
W011002 No Digipass was found to assign to a new Digipass User Account for Auto-Assignment.<br />
Notes: No available Digipass were found for Auto-Assignment. This may be because: there were no unassigned Digipass in the right location; the unassigned Digipass did not conform to Policy restrictions; or the unassigned Digipass were Reserved for individual assignment. The location in which the aXs GUARD Identifier searches for available Digipass records can be controlled to some extent using the Search Upwards in Org. Unit hierarchy setting.<br />
W011003 A Digipass User Account has become locked.<br />
Notes: A User just exceeded the User Lock Threshold of failed logins and their Digipass User Account is now Locked. Administrator action is required to unlock the account.<br />
W012002 A Replication update received has been ignored, as the local data is more up-to-date.<br />
Notes: The Authentication Server has received a data update from another Authentication Server via the Replication process, but its local data is already newer than the data received via Replication. It is normal that this can occur, but it can also indicate a potential synchronization issue.<br />
W012003 A Replication queue entry has not been inserted.<br />
Notes: This can occur when a replication queue has reached its maximum size. This is most likely to occur when the destination server is down or cannot be contacted due to a networking problem.<br />
W013001 An invalid request has been received by the Authentication Server.<br />
Notes: The Authentication Server has received an invalid authentication, administration or Replication request.<br />
W013002 A request has been received by the Authentication Server from an unknown source.<br />
Notes: The Authentication Server has received an authentication, administration or Replication request from an unknown or unauthorized source. If the request was from a valid source, this message indicates that a Component record is missing (or that a required restart of the Service has not been made since the creation of the necessary Component record).<br />
W014001 The License Key is missing or invalid.<br />
Notes: A valid, unexpired license key is required to process any kind of authentication request. This message will be generated periodically when authentication requests are received by the Authentication Server, when it does not have a valid License Key.<br />
I001001 The Digipass Plug-In has started up successfully.<br />
Notes: Configuration details are given in the audit message.<br />
I001002 The Authentication Server has started up successfully.<br />
Notes: Configuration details are given in the audit message. Note that the Authentication Server can start up successfully even if a component such as the RADIUS protocol handler does not start up successfully.<br />
I002001 The Active Directory AAL3 library has been initialized successfully.<br />
Notes: The Active Directory 'AAL3' library has completed initialization. Configuration details are given in the audit message.<br />
I002002 The Digipass Authentication library has been initialized successfully.<br />
Notes: The 'Authentication' library has completed initialization. Configuration details are given in the audit message.<br />
I002004 The RADIUS protocol handler has been initialized successfully.<br />
Notes: The protocol handler that receives and processes RADIUS requests started up. Configuration details are given in the audit message.<br />
I002006 The Replication library has been initialized successfully.<br />
Notes: The Replication library was initialized successfully. Configuration details are given in the audit message.<br />
I002007 Initialization of a Replication destination server succeeded.<br />
Notes: The Replication library initialized a Destination Server successfully. Configuration details are given in the audit message.<br />
I002008 The Authentication Server protocol handler has been initialized successfully.<br />
Notes: The protocol handler that receives and processes administration requests and authentication requests from the IIS modules was initialized successfully. Configuration details are given in the audit message.<br />
I002009 The VM2 Compatibility protocol handler has been initialized successfully.<br />
Notes: The protocol handler that receives and processes authentication requests from the VACMAN Middleware version 2 IIS modules was initialized successfully. Configuration details are given in the audit message.<br />
I003001 The Digipass Plug-In has shut down.<br />
I003002 The Authentication Server has shut down.<br />
I004001 A connection attempt to Active Directory was successful.<br />
I004004 A connection attempt to a Replication destination server was successful.<br />
I005001 A connection to Active Directory has been terminated normally.<br />
Notes: An established connection to an Active Directory Domain Controller has ended with a normal disconnection.<br />
I005002 A connection to Active Directory has been timed out for load-balancing.<br />
Notes: An established connection to an Active Directory Domain Controller has been ended for load-balancing purposes. Periodically the connections will be dropped and new ones established, in case there is a less busy Domain Controller available. The time period is defined by the configuration setting Max-Bind-LifeTime in the file, in minutes.<br />
I005004 A connection to a Replication destination server has been terminated normally.<br />
Notes: An established connection to a Replication Destination Server has ended with a normal disconnection.<br />
I006001 A RADIUS Access-Request has been received.<br />
Notes: The aXs GUARD Identifier has received an Access-Request. The audit message will indicate what action will be taken as well as key details of the request.<br />
I006002 A RADIUS Accounting-Request has been received.<br />
Notes: The aXs GUARD Identifier has received an Accounting-Request. The audit message will indicate what action will be taken as well as key details of the request.<br />
I006003 A RADIUS Server has started responding again.<br />
Notes: After the aXs GUARD Identifier had not managed to get a response from the RADIUS Server for some time, this message indicates that it is responding again.<br />
I007001 A RADIUS Access-Accept has been issued.<br />
Notes: The aXs GUARD Identifier has accepted an Access-Request. Note however that after the aXs GUARD Identifier has accepted the request, another component of the overall process may still decide to reject the request ultimately.<br />
I007002 A RADIUS Access-Challenge has been issued.<br />
Notes: The aXs GUARD Identifier has issued a challenge, either Challenge/Response or Virtual Digipass.<br />
I007003 A RADIUS Access-Reject has been issued.<br />
Notes: The aXs GUARD Identifier has rejected an Access-Request.<br />
I007004 A RADIUS Accounting-Response has been issued.<br />
Notes: The aXs GUARD Identifier has acknowledged an Accounting-Request. Note however that unless the request is forwarded to a RADIUS Server, no processing is carried out by the aXs GUARD Identifier.<br />
I008001 A Digipass has been moved for assignment to a user.<br />
Notes: Upon assignment of a Digipass to a User, if the Digipass is not already in the same location (Organizational Unit) as the User, it is moved to that location.<br />
I008002 A user-to-user link has been removed due to assignment of a Digipass.<br />
Notes: If a Digipass User Account is linked to another in order to share the Digipass, it must not have a Digipass assigned itself. If a Digipass is assigned, the link will be broken.<br />
I009001 A Virtual Digipass One Time Password has been delivered.<br />
Notes: The MDC successfully delivered a text message via the HTTP gateway, as reported by the gateway. The audit message may contain further details from the gateway. Note that depending on the gateway, it may still be possible for delivery to fail after the gateway has reported success.<br />
I010001 User authentication was not handled.<br />
Notes: The aXs GUARD Identifier decided not to handle an authentication request due to Policy and/or Digipass User Account settings. The main reasons why this may occur are: the effective Local Authentication and Back-End Authentication settings were both None; or the User failed the Windows Group Check, using the Pass requests for users not in listed groups back to host system option. Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User Account overrides the Policy.<br />
I010002 A stored password change was unhandled.<br />
Notes: The aXs GUARD Identifier decided not to handle a password change request due to Policy and/or Digipass User Account settings. The main reasons why this may occur are: the effective Local Authentication and Back-End Authentication settings were both None; or the User failed the Windows Group Check, using the Pass requests for users not in listed groups back to host system option. Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User Account overrides the Policy.<br />
I011001 A Digipass Grace Period has been ended by the use of a One Time Password.<br />
Notes: The first time that an assigned Digipass is used successfully to log in, if a Grace Period is still active, it is ended immediately. The User must continue to use their Digipass to log in after that point.<br />
I011002 A Backup Virtual Digipass expiration date has been set due to the first request for a Virtual One Time Password.<br />
Notes: A User has requested a Backup Virtual Digipass OTP for the first time, when the effective Backup VDP Enabled setting is Yes – Time Limited and they did not already have an Enabled Until date set on their Digipass. At this time, they are given the Time Limit from the Policy by adding it to the current date.<br />
I011003 A Backup Virtual Digipass time limit has been expired by the use of the normal One Time Password.<br />
Notes: A User who has been using Backup Virtual Digipass has used their normal OTP login using the Digipass again. When the effective Backup VDP Enabled setting is Yes – Time Limited, using the normal OTP login ends their time limit immediately. This is done by setting the Enabled Until date on their Digipass to the current date. An administrator action is required to reset their Enabled Until date, if the User is to be allowed to use Backup Virtual Digipass again.<br />
I011004 A Backup Virtual Digipass quota of uses has been set due to the first request for a Virtual One Time Password.<br />
Notes: A User has requested a Backup Virtual Digipass OTP for the first time, when the effective Backup VDP Max. Uses/User setting is greater than 0 and they did not already have a Uses Remaining value set on their Digipass. At this time, they are given the Max. Uses/User limit from the Policy.<br />
I011005 A Digipass User Account has been created using Dynamic User Registration.<br />
Notes: A Digipass User Account has been created automatically upon successful Back-End Authentication. This occurs when the Dynamic User Registration feature is enabled.<br />
I011006 A new static password has been stored using Password Autolearn.<br />
Notes: A new static password has been stored in the Digipass User Account after successful Back-End Authentication. This occurs when the Password Autolearn feature is enabled.<br />
I011007 A Digipass has been assigned to a new Digipass User Account using Auto-Assignment.<br />
Notes: Upon creation of a new Digipass User Account through Dynamic User Registration, an available Digipass has been assigned to the new account automatically. This occurs when the Auto-Assignment feature is enabled.<br />
I011008 A Digipass has been assigned to a Digipass User Account using Self-Assignment.<br />
Notes: A User has successfully assigned a Digipass to themselves using the Self-Assignment feature.<br />
I011009 A Digipass challenge has been issued for a Self-Assignment attempt.<br />
Notes: A User has obtained a challenge during an attempt to assign a Digipass to themselves using the Self-Assignment feature. In order to complete the assignment, they must provide the correct response to the challenge from the Digipass.<br />
I011010 A user has changed their Digipass PIN.<br />
Notes: A User has changed their Server PIN during their login, or set it up on first use or after a PIN reset.<br />
I011011 Successfully assigned Digipass<br />
Notes: The Digipass has been successfully assigned during Software Digipass Provisioning.<br />
I011012 Added new Digipass for Web activation location<br />
Notes: A new Digipass has been added for a Web activation location during Software Digipass Provisioning.<br />
I011013 Static Password Update Successful<br />
Notes: The static password for the User has been successfully changed.<br />
I013001 A connection to an ODBC data source has been made successfully.<br />
I013002 A connection to an ODBC data source has been terminated normally.<br />
Notes: An established connection to an ODBC data source has ended with a normal disconnection.<br />
S001001 A query for a single [object] record was successful.<br />
Notes: The aXs GUARD Identifier or an administrator has made a successful query to the data store for a single record. In the case of the aXs GUARD Identifier this may be a search for its Component record; for an administrator it could be any single record query. The audit message has details of the record found.<br />
S001002 A query for [object] records was successful.<br />
Notes: The aXs GUARD Identifier or an administrator has made a successful query to the data store for some records. In the case of the aXs GUARD Identifier this may be a search for a RADIUS Client Component record; for an administrator it could be any list query. The audit message has details of the records found, but this may be truncated.<br />
S001003 A command of type [object] [command] was successful.<br />
Notes: An administrator has issued a successful data modification command such as an update of settings or one of the Digipass Application operations like Reset PIN. The audit message has details of the command and results.<br />
S002001 User authentication was successful.<br />
Notes: The 'Authentication' library has passed authentication for a request. Note however that the aXs GUARD Identifier or another component of the overall process may still decide to reject the request ultimately.<br />
S002002 User authentication issued a challenge.<br />
Notes: The 'Authentication' library has issued a challenge for an authentication request, either Challenge/Response or Virtual Digipass.<br />
S002004 A stored password change was successful.<br />
Notes: The Authentication Server has successfully processed a password change request.<br />
S003001 A Replication update was sent successfully.<br />
Notes: This message is audited at the source server, when a database change is sent to a destination server and processed successfully.<br />
S003002 A Replication update received has been processed successfully.<br />
Notes: This message is audited at the destination server, when a database change is received and processed successfully.<br />
S004001 An administrative logon was successful.<br />
Notes: An administrative logon to the Authentication Server was successful.<br />
S004002 A Live Audit connection was successful.<br />
Notes: A Live Audit connection to the Authentication Server was successful.<br />
S005001 Registration Successful<br />
Notes: The registration of a Software Digipass during Provisioning was successful.<br />
S005002 Activation Successful<br />
Notes: The activation of a software Digipass during Software Digipass Provisioning was successful.<br />
S006001 Signature Validation Successful.<br />
Notes: When signing a transaction using the Signature Verification function, the signature validation was successful.<br />
S009001 A DNS record update was successful.<br />
Notes: The aXs GUARD Identifier has successfully updated a DNS record.<br />
F001001 A query for a single [object] record failed.<br />
Notes: The aXs GUARD Identifier or an administrator has made an unsuccessful query to the data store for a single record. In the case of the aXs GUARD Identifier this may be a search for its Component record; for an administrator it could be any single record query. The audit message has basic details of the failure, but there should be a preceding E000001 with more details.<br />
F001002 A query for [object] records failed.<br />
Notes: The aXs GUARD Identifier or an administrator has made an unsuccessful query to the data store for some records. In the case of the aXs GUARD Identifier this may be a search for a RADIUS Client Component record; for an administrator it could be any list query. The audit message has basic details of the failure, but there should be a preceding E000001 with more details.<br />
F001003 A command of type [object] [command] failed.<br />
Notes: An administrator has issued an unsuccessful data modification command such as an update of settings or one of the Digipass Application operations like Reset PIN. The audit message has basic details of the failure, and there may be a preceding E000001 with more details.<br />
F002001 User authentication failed.<br />
Notes: The 'Authentication' library has failed authentication for a request. The audit message has details of the failure (see 9 Error and Status Codes) and there may be a preceding E000001 with error details.<br />
F002003 A stored password change failed.<br />
Notes: The Authentication Server has not processed a password change request. The audit message has details of the failure (see 9 Error and Status Codes) and there may be a preceding E000001 with error details.<br />
F003001 Sending a Replication update was unsuccessful.<br />
Notes: This message is audited at the source server, when a database change is not sent to a destination server successfully, or it was sent but the processing at the destination was unsuccessful.<br />
F003002 Processing a Replication update received was unsuccessful.<br />
Notes: This message is audited at the destination server, when a database change is received but is not processed successfully.<br />
F004001 An administrative logon was rejected.<br />
Notes: The 'Authentication' library has failed an administrative login request. The audit message has details of the failure (see 9 Error and Status Codes) and there may be a preceding E000001 with error details. Note that this may occur even when preceded by a successful authentication (S002001) message, for example if the user's credentials were OK but they did not have Administrative Logon privilege.<br />
F004002 A Live Audit connection was rejected.<br />
Notes: The 'Authentication' library has failed a Live Audit connection request. The audit message has details of the failure (see 9 Error and Status Codes) and there may be a preceding E000001 with error details. Note that this may occur even when preceded by a successful authentication (S002001) message, for example if the user's credentials were OK but they did not have Administrative Logon or Live Audit Connection privilege.<br />
F005001 Static Password verification failed<br />
Notes: During Software Digipass Provisioning the static password for the User was not verified.<br />
F005001 Backend Authentication failed<br />
Notes: During Software Digipass Provisioning, the backend authentication for the User failed.<br />
F005001 Digipass assignment failed<br />
Notes: Assignment of the Digipass failed during Software Digipass Provisioning.<br />
F005001 Reactivation not allowed.<br />
Notes: The specified Software Digipass may not be reactivated. The number of reactivations for Software Digipass is limited. The limit may have been exceeded.<br />
F005002 Multiple Digipass found where a single Digipass was required<br />
Notes: During Software Digipass Provisioning more than one Digipass was found that fulfilled the criteria specified.<br />
F005002 OTP verification Failed<br />
Notes: The One Time Password generated from the Digipass used in the Provisioning process has not passed validation.<br />
F006001 Signature Verification failed.<br />
Notes: When attempting to sign a transaction using an electronic Signature, the signature did not pass the verification phase. The transaction will not be signed.<br />
F006001 Multiple Digipass found where a single Digipass was required.<br />
Notes: When using the Signature function, the aXs GUARD Identifier found more than one Digipass record assigned to the user.<br />
F006001 Required request input fields missing<br />
Notes: The Signature function requires up to eight input fields. The input fields are defined when the Signature function is set up. One or more of those input fields was missing in this transaction.<br />
F009001 A DNS record update failed.<br />
Notes: The aXs GUARD Identifier has failed to update a DNS record.<br />
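The warning and failure codes in the table above are the ones a defender would watch for. As an added example (not VASCO's code), the following Python triages constructed audit lines by code class, flags the codes whose notes call for administrator action, and pairs an F004001/F004002 rejection with the immediately preceding S002001 that the notes describe. The record layout (date, time, code, text separated by single spaces) is an assumption made here; the guide does not show the raw audit record format.

```python
"""Triage of aXs GUARD Identifier audit messages by code.

Added example, not code from the VASCO guide. The line layout assumed here
(date, time, message code, message text, single-space separated) is a
constructed convention; the guide does not show the raw audit record format.
Codes and their meanings come from the Audit Messages table.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message class by leading letter of the code (E/W/I/S/F series in the guide).
CLASS_BY_PREFIX = {"E": "error", "W": "warning", "I": "information",
                   "S": "success", "F": "failure"}

# Codes whose notes in the guide call for administrator attention.
ACTIONABLE = {
    "W006002": "RADIUS request from a source with no RADIUS Client Component",
    "W006003": "RADIUS Client Component without a Shared Secret",
    "W006004": "circular RADIUS proxy chain; check proxy rules on the RADIUS Server(s)",
    "W011003": "Digipass User Account locked after exceeding the User Lock Threshold",
    "W013002": "request from an unknown or unauthorized source; Component record may be missing",
    "W014001": "License Key missing or invalid; authentication requests are not processed",
}

# Rejections that the guide says can follow a successful S002001 when the
# credentials were valid but the privilege (Administrative Logon, Live Audit
# Connection) was missing.
PRIVILEGE_REJECTIONS = {"F004001", "F004002"}

# Assumed record layout: "YYYY-MM-DD HH:MM:SS CODE text".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<code>[EWISF]\d{6}) (?P<text>.+)$")


@dataclass
class AuditEvent:
    timestamp: str
    code: str
    text: str

    @property
    def msg_class(self) -> str:
        return CLASS_BY_PREFIX[self.code[0]]


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(m.group("ts"), m.group("code"), m.group("text"))


def analyse(lines: List[str]) -> Dict[str, object]:
    """Walk the lines once and collect what an operator would look at first."""
    counts: Counter = Counter()
    actionable: List[AuditEvent] = []
    privilege_denials: List[AuditEvent] = []
    unparsed = 0
    previous: Optional[AuditEvent] = None

    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        counts[event.msg_class] += 1
        if event.code in ACTIONABLE:
            actionable.append(event)
        # Credentials accepted, then logon rejected: per the guide this points
        # at a missing privilege rather than a bad password.
        if (event.code in PRIVILEGE_REJECTIONS and previous is not None
                and previous.code == "S002001"):
            privilege_denials.append(event)
        previous = event

    return {"counts": dict(counts), "actionable": actionable,
            "privilege_denials": privilege_denials, "unparsed": unparsed}


def reason_for(event: AuditEvent) -> str:
    """Short explanation, taken from the guide's notes, for an actionable code."""
    return ACTIONABLE.get(event.code, "")


# Constructed sample log; message texts are those from the table.
SAMPLE_LOG = [
    "2010-06-01 09:00:00 I001002 The Authentication Server has started up successfully.",
    "2010-06-01 09:00:01 I002004 The RADIUS protocol handler has been initialized successfully.",
    "2010-06-01 09:05:12 W006002 A RADIUS request has been received from an unknown source.",
    "2010-06-01 09:06:40 S002001 User authentication was successful.",
    "2010-06-01 09:06:40 F004001 An administrative logon was rejected.",
    "2010-06-01 09:10:03 W011003 A Digipass User Account has become locked.",
    "2010-06-01 09:12:55 W006004 A RADIUS request forwarded by this server has been received - there must be a circular proxy chain.",
    "2010-06-01 09:15:00 F002001 User authentication failed.",
    "garbage line that does not match the assumed layout",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("counts:", result["counts"], "unparsed:", result["unparsed"])
    for ev in result["actionable"]:
        print(f"{ev.timestamp} {ev.code}: {reason_for(ev)}")
    for ev in result["privilege_denials"]:
        print(f"{ev.timestamp} {ev.code} directly after S002001: likely missing privilege")
```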
9 Error and Status Codes<br />
9.1 Error Codes<br />
This section lists the standard error and status codes with the associated messages.<br />
Table 29: Error Code List<br />
Error Code Message Notes<br />
0 (No error)<br />
-1 An unspecified error occurred This error code may occur when a more specific error<br />
code is not available or was recorded separately.<br />
-2 The parameters supplied were invalid Parameters supplied to a function or command were<br />
invalid.<br />
-3 A memory error occurred Memory allocation failed. This is normally due to the<br />
system running low on memory.<br />
-10 A communications error occurred Inter-process or inter-component communication failed.<br />
This may also occur with communications to Active<br />
Directory or a database. This error is normally<br />
accompanied by further details.<br />
-11 A license error has occurred General-purpose license failure when a more specific<br />
code is not available or was recorded separately.<br />
-12 An operating system call failed A system call failed. This may include file handling,<br />
Active Directory Services Interface and other calls. It is<br />
normally accompanied by further details.<br />
-13 The object was not found An attempt was made to perform an operation on an<br />
object, such as an Active Directory object, but the object<br />
did not exist. For example, this may occur when one<br />
administrator deletes a record that another administrator<br />
is about to update, when the update operation is<br />
attempted.<br />
-14 The object already exists An attempt was made to create an object, such as an<br />
Active Directory object, but the object already exists. For<br />
example, this may occur when two administrators try to<br />
create the same record at the same time.<br />
-15 The supplied buffer was of the incorrect size An internal data buffer was of insufficient length to hold<br />
the data required.<br />
-16 A version error has occurred A version mismatch has occurred. Further details in the<br />
error record will indicate what versions were<br />
mismatched.<br />
-17 The supplied data are invalid General-purpose error when input data to an operation is<br />
incorrect. Further details of the error will be recorded.<br />
-18 The object is invalid An attempt was made to perform an operation upon an<br />
© 2010 VASCO Data Security 72
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> 3.1.3.0 <strong>Administration</strong> <strong>Reference</strong> Guide v1.7 Error and Status Codes<br />
Error Code Message Notes<br />
object type that was not recognized.<br />
-19  The command is invalid
    An attempt was made to perform an operation using a command that was not recognized.
-20  The object is in use
    An attempt was made to delete an object, such as an Active Directory object, but that object was in use.
    This may occur when you try to delete a Policy, but another Policy inherits from the one you are deleting, or a Component uses the Policy.
-21  The operation is not supported
    General-purpose error when an operation is attempted on an object that does not support it. For example, an attempt is made to generate a Virtual Digipass OTP using a Digipass that is not enabled for Virtual Digipass.
-22  An object error has occurred
    General-purpose error on an operation on an object. This should be supplemented with more specific details.
-23  A required field was missing
    An operation was attempted without specifying one or more mandatory input fields.
-24  Auditing failed
    An operation failed because auditing was mandatory, but failed.
-30  The configuration is invalid
    The configuration data in the configuration file are invalid. The error record should indicate which specific data were invalid.
-31  A type mismatch has occurred
    General-purpose error when one datatype is expected but a different datatype was provided.
-32  One or more objects were not initialized
    Internal initialization error. More specific error details will be recorded.
-33  The cache is full
    An attempt was made to add an entry to a cache, but the cache has reached its configured maximum size.
-34  The cache entry has reached the maximum reference count
    An attempt was made to retrieve an item from a cache, but the item was already in use and the configuration indicates a limit on the number of times an item can be retrieved from the cache at one time.
-35  The system is currently too busy to service the request
    The system received a new request for processing, but hit a resource usage limit of some type. This indicates that the system is too loaded to handle the request. For example, there may be no spare database connection to use, even after waiting a short time for one to become available.
-80  A timeout has occurred
    An operation failed because of a timeout.
-100  An invalid plugin was supplied
    Audit configuration specifies a plugin method that is unknown or that could not be successfully loaded.
-101  There is no space left to write the message
    While auditing to text file, the server was unable to write. This would normally occur if disk space has run out.
-140  A Digipass error has occurred
    General-purpose failure of a Digipass operation such as OTP verification, Reset PIN, Unlock, etc. This is normally accompanied by a more specific error code and message from the VACMAN Controller library.
-150  Delivery of the Virtual Digipass One-Time Password failed
    A Virtual Digipass OTP was generated successfully, but delivery by text message failed. A separate message will give more details about the failure.
-200  The license has expired
    The License Key has an expiration date set, and the date has passed. A permanent License Key must be obtained.
-201  The license data are invalid
    One of the details embedded into the License Key is invalid for the Component in which it is being loaded. The Component will not be able to use the License Key. This may be IP address, Component Type, or any other detail that can be seen in the License Key text.
-202  The License Key is corrupted
    The signature at the bottom of the License Key is invalid. This would typically occur if the License Key details were modified in any way.
-250  Decryption has failed - no Storage Key is specified in the Encryption Settings
    Some encrypted data has been created or modified using configured, rather than default, encryption settings. This error occurs when that data is read by a component that does not have configured encryption settings – the component is therefore unable to decrypt the data.
    It is necessary to configure the encryption settings in the component. See for more information on encryption settings.
-251  Decryption has failed - an incorrect Cipher is specified in the Encryption Settings
    Some encrypted data has been created or modified using differently configured encryption settings. This error occurs when that data is read by a component with configured encryption settings that use a different Cipher Name – the component is therefore unable to decrypt the data.
    It is necessary to make sure that the encryption settings in all components are identical. See for more information.
-252  Decryption has failed - an incorrect Storage Key is specified in the Encryption Settings
    Some encrypted data has been created or modified using differently configured encryption settings. This error occurs when that data is read by a component with configured encryption settings that use a different Storage Key – the component is therefore unable to decrypt the data.
    It is necessary to make sure that the encryption settings in all components are identical. See for more information.
-300  A database error occurred
    General-purpose error on a database operation. This should be supplemented with more specific details.
-350  The request received was discarded
    A replication update that was received was found to be superseded by a later change. In this case, the update is discarded, as it is no longer relevant.
    This may occur when creating a record, after a record has been deleted then re-created.
    It may occur when modifying a record, if a later modification occurred before replication could apply the first change.
-351  The request received must be retried
    A replication update that was received could not be applied immediately. In this case, the update is rejected. The retry mechanism at the source server will re-send the update, according to its configuration settings.
    This may occur if a record does not exist yet, when trying to apply a modification or deletion.
    It may occur after a record has been deleted and re-created, when a modification of the record is replicated but the sequence of deletion and re-creation has not been followed in the correct order.
-352  A replication queue entry had an invalid hash value
    When an entry was read from the replication queue before sending, its integrity hash value check failed. This suggests that the queue entry may have been modified since it was added to the queue. In this case, the queue entry is not trusted and an error is reported.
-353  The replication queue is full
    An operation failed because it needed to update the database, but the update could not be added to the Replication queue. If the queue is full, no database updates are allowed, to avoid the databases getting too far out of synchronization.
    Check the Replication Status dialog in the Administration MMC Interface and the Replication audit messages to investigate why the queue has become full. It is necessary to reduce the queue size in order for the system to continue to function.
    If this error occurs often, without good reason, consider increasing the maximum queue size. This can be configured in the Replication tab of the Authentication Server Configuration GUI.
-500  The Service was already started
    When trying to start a Service, the Service was already running.
-501  The Service was already stopped
    When trying to stop a Service, the Service was not running.
-10051  File name is blank.
    No file name was specified.
-10052  Failed to open File.
    The file could not be opened. The file does not exist or the user attempting to open the file does not have read permission for the file.
-10057  User ID is longer than 255 characters.
    The maximum User ID length has been exceeded.
-10059  Password is longer than 255 characters.
    The maximum Password length has been exceeded.
-10060  User Name is longer than 64 characters.
    The maximum User Name length has been exceeded.
-10061  Serial Number is longer than 10 characters.
    The maximum Serial Number length has been exceeded. Serial Number must be 10 characters, with no dashes (-) and with leading zeros (0) to make it up to 10 characters.
-10062  Serial Number is less than 10 characters long.
    The minimum Serial Number length has not been provided. Serial Number must be 10 characters, with no dashes (-) and with leading zeros (0) to make it up to 10 characters.
-10063  Serial Number contains non-alphanumeric characters.
    The Serial Number contains non-alphanumeric characters. Serial Number must be 10 alphanumeric characters, with no dashes (-).
-10064  Organizational Unit is longer than 255 characters.
    The maximum Organizational Unit length has been exceeded.
-10065  Domain is longer than 255 characters.
    The maximum Domain length has been exceeded.
-10066  Distinguished Name is longer than 1024 characters.
    The maximum LDAP Distinguished Name (DN) length has been exceeded.
-10067  Mobile Number is longer than 64 characters.
    The maximum Mobile Phone length has been exceeded.
-10069  A syntax error occurred reading from the file.
    A syntax error occurred while reading lines from the import file: double-quotes were missing; there are too many fields in the line; a comma is missing between fields.
-10070  The file contains characters that are not UTF-8 encoded.
    The import file must be fully UTF-8 encoded when extended or Unicode characters are included. This message indicates that non-UTF-8 characters were found in the file.
-10072  Phone Number is longer than 64 characters.
    The maximum Phone Number length has been exceeded.
-10073  Email Address is longer than 64 characters.
    The maximum Email Address length has been exceeded.
-10074  No User ID was given. Either the User ID or, for Active Directory, the Distinguished Name is needed to import a user.
    A User ID must be supplied to import a user. The only exception is when using Active Directory: it is sufficient to give the Distinguished Name instead of the User ID.
-10075  The Mobile No. is invalid. Only numbers, spaces, dashes (-) and brackets are allowed with a + at the start to indicate a country code if needed.
    The Mobile Number is only allowed to include numeric characters, spaces, dashes (-) and brackets (){}[]. In addition a + is allowed at the start for the country code.
-10076  The Phone No. is invalid. Only numbers, spaces, dashes (-) and brackets are allowed with a + at the start to indicate a country code if needed.
    The Phone Number is only allowed to include numeric characters, spaces, dashes (-) and brackets (){}[]. In addition a + is allowed at the start for the country code.
-10077  The specified email address contains invalid characters and is not in the form user@domain.
    The Email Address is only allowed to include alphanumeric characters, @, dots (.), underscores (_) and dashes (-).
-10078  The Field Header was not found or invalid when reading from the file.
    The first line of an import file must be a header line. The header line is a comma-separated list of field names, indicating which fields are included in every other line of the file.
    This message indicates that the header line was not found, that it included unknown field names or that it was not a comma-separated list of field names.
    See the Import User Records topic in the online Help for the Administration MMC Interface for a definition of the import file header format.
-400  There was no comms descriptor available (support)
    The comms descriptor map has not been loaded.
-401  The supplied address could not be resolved
    Name resolution (DNS, NetBIOS, etc.) failed.
-402  A socket error occurred. Descriptor should be closed
    Communication protocol mismatch.
-403  Descriptor was in the wrong state
    For example, trying to bind the socket twice.
-404  The maximum number of open descriptors has been reached
-405  The connection has been closed by the remote end
-406  The command would block, use 'select'
    Should not be seen as a runtime error.
-407  The command is in progress, use 'select'
    Should not be seen as a runtime error.
-408  The comms descriptor is not valid
    For example, the socket has not been created.
-450  The key received was invalid
    The encryption key is invalid in some way.
-550  The config file/registry data could not be read
    This error may be returned when a corrupt config file is used.
-600  One of the RADIUS attributes was invalid
    RADIUS attribute field layout is invalid.
-601  The action will result in a size limitation being exceeded
    A buffer overflow would occur; this is only used within the RADIUS library.
-602  An invalid dictionary file was used
    This does not appear to be returned anywhere.
-650  Initialisation of lock failed
-700  Failed to open handle
    Normally occurs when a file cannot be opened.
-800  An invalid length was supplied
    This error currently appears to be used only where a programming error has resulted in an incorrect length parameter being passed to the MSCHAP function "CreateVSAttribute".
-801  Memory allocation failed
    This appears to be used only by the "demotoken" code.
-802  Password was blank
    Can occur when attempting to verify an MSCHAP/MSCHAP2 password when the hashed password provided by the user is equivalent to the hash of a blank string, i.e. the provided password is blank.
-803  Password was invalid
    Occurs within MSCHAP/MSCHAP2 password verification when the provided password is incorrect and is not a blank string.
-1001  The packet is from an unknown source
    A client component does not exist for the client that sent the packet.
-1002  The shared secret of the packet's source is unknown
    There is no shared secret within the client component for the peer which sent this packet.
-1003  Incorrect response authenticator
    The response packet returned from the RADIUS server bears an incorrect authenticator.
-1004  The Message-Authenticator attribute was not correct
    The Message-Authenticator appears to be checked only in a response.
-1005  The packet is not from the address sent to
    The response from the back end does not match the source address to which the request was sent.
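As an added example (not VASCO's code), the following Python validator applies the import-file rules that codes -10051 to -10078 above describe: UTF-8 decoding, a comma-separated header line of known field names, quoted-field syntax, the mandatory User ID (or, for Active Directory, a Distinguished Name), the field length limits, the 10-character alphanumeric Serial Number and the allowed characters for phone numbers and e-mail addresses. The header field names (UserID, UserName, SerialNumber, ...) are assumed for illustration; the product's actual header names are defined in its Import User Records help topic and are not reproduced on this page.

```python
"""Validator for a comma-separated user import file, following the rules that
error codes -10051 to -10078 in Table 29 describe.

Added example, not VASCO code. The header field names (UserID, UserName, ...)
are assumed for illustration: the product's real header format is defined in
its Import User Records help topic, which this page does not reproduce.
"""
import csv
import io
import re

# Error codes exactly as listed in Table 29.
E_SYNTAX, E_NOT_UTF8, E_NO_USERID, E_BAD_HEADER = -10069, -10070, -10074, -10078

# Per-field (error code, maximum length); field names assumed, limits from the table.
MAX_LEN = {
    "UserID": (-10057, 255),
    "Password": (-10059, 255),
    "UserName": (-10060, 64),
    "OrgUnit": (-10064, 255),
    "Domain": (-10065, 255),
    "DN": (-10066, 1024),
    "Mobile": (-10067, 64),
    "Phone": (-10072, 64),
    "Email": (-10073, 64),
}
KNOWN_FIELDS = set(MAX_LEN) | {"SerialNumber"}

# Character rules from the -10063, -10075/-10076 and -10077 notes.
SERIAL_RE = re.compile(r"^[A-Za-z0-9]{10}$")       # 10 alphanumerics, no dashes
PHONE_RE = re.compile(r"^\+?[0-9 \-(){}\[\]]*$")   # digits, spaces, dashes, brackets, optional leading +
EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$")  # user@domain


def check_record(rec):
    """Return a list of (error code, field) problems for one parsed record (a dict)."""
    errors = []
    # -10074: a User ID is mandatory unless an Active Directory DN is given instead.
    if not rec.get("UserID") and not rec.get("DN"):
        errors.append((E_NO_USERID, "UserID"))
    for field, (code, limit) in MAX_LEN.items():
        if len(rec.get(field, "")) > limit:
            errors.append((code, field))
    sn = rec.get("SerialNumber", "")
    if sn:
        if len(sn) > 10:
            errors.append((-10061, "SerialNumber"))
        elif len(sn) < 10:        # the table says: pad with leading zeros to 10 characters
            errors.append((-10062, "SerialNumber"))
        elif not SERIAL_RE.match(sn):
            errors.append((-10063, "SerialNumber"))
    for field, code in (("Mobile", -10075), ("Phone", -10076)):
        if rec.get(field) and not PHONE_RE.match(rec[field]):
            errors.append((code, field))
    if rec.get("Email") and not EMAIL_RE.match(rec["Email"]):
        errors.append((-10077, "Email"))
    return errors


def validate_import(data):
    """Validate a whole import file given as bytes.

    Returns a list of (line number, error code, field) tuples; an empty list
    means every check passed. An encoding or header problem ends validation
    at once, since no later line can be interpreted without them.
    """
    try:
        text = data.decode("utf-8")              # -10070: file must be fully UTF-8
    except UnicodeDecodeError:
        return [(0, E_NOT_UTF8, None)]
    # strict=True makes the csv module raise on malformed quoting instead of guessing.
    reader = csv.reader(io.StringIO(text), strict=True)
    try:
        header = [name.strip() for name in next(reader)]
    except (StopIteration, csv.Error):
        return [(1, E_BAD_HEADER, None)]
    # -10078: header must be a comma-separated list of known field names.
    if not header or any(name not in KNOWN_FIELDS for name in header):
        return [(1, E_BAD_HEADER, None)]
    problems = []
    line_no = 1
    while True:
        line_no += 1
        try:
            row = next(reader)
        except StopIteration:
            break
        except csv.Error:                        # -10069: missing double-quote
            problems.append((line_no, E_SYNTAX, None))
            continue
        if not row:                              # blank line: nothing to check
            continue
        if len(row) != len(header):              # -10069: too many or too few fields
            problems.append((line_no, E_SYNTAX, None))
            continue
        rec = dict(zip(header, row))
        problems.extend((line_no, code, field) for code, field in check_record(rec))
    return problems
```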
9.2 DIGIPASS Authentication for Windows Logon Error Messages
These error messages may be received by a DIGIPASS Windows Logon client.
Table 30: Error Code List - DIGIPASS Authentication for Windows Logon (each entry gives the error code and message; the notes follow, indented)
-750  An SSL error occurred
-751  SSL certificate has expired
    The server certificate is no longer valid and should be regenerated.
-752  SSL certificate not trusted
    The authority used for the server certificate is not included in the machine's Certificate Authority.
-753  SSL certificate was rejected because its key usage does not permit certificate signing
    Self-signed certificates may be used as both Certificate Authority (signing) certificates and server certificates. Commercial certificates require a separate Certificate Authority certificate.
-754  SSL handshake timed out. This can occur when connecting to a non-SSL port
    Check client and aXsGUARD Identifier configuration to ensure that the client is connecting to aXsGUARD Identifier using the secure port.
9.3 Status Codes
Table 31: Status Code List (each entry gives the status code and message; the notes follow, indented)
0  No error
The status codes from -1 downwards match the Error Codes above.
1000  The credentials were invalid
    General-purpose failure due to invalid username or password, when a more specific status is unavailable.
1002  The user failed the Windows Group Check
    The aXsGUARD Identifier rejected an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, reject others.
    Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1004  The challenge has expired
    A response to a challenge has been given, but the expiration time for the challenge has expired. The default expiration time is one minute; however, this can be configured in the configuration file VASCO/AAL3/Authlib/Challenge-Cache/Max-Age setting (in seconds).
1005  The user does not have permission to perform the specified action
    General-purpose failure of an administration command when the administrator does not have sufficient privileges to carry out the command.
1007  The user account is locked
    The Digipass User Account is Locked. This is normally due to consecutive login failures, as determined by the Policy setting User Lock Threshold. Alternatively the administrator can actively lock the account.
    To unlock the User account, an administrator has to uncheck the Locked checkbox on the User record.
1008  The One Time Password has already been used
    This status code occurs specifically when an OTP is rejected because it has already been used. It may also occur when the OTP has not been used but is older than the most recently used OTP.
    This can sometimes happen when an authentication request is re-sent automatically.
1009  The user account is disabled
    The Digipass User Account is Disabled. This may be because the administrator has actively disabled the account, or because the corresponding Windows User account has become disabled or expired.
1010  No user account was found
    An authentication request was rejected because no Digipass User account was found and Local Authentication is required by the Policy.
1011  The static password was incorrect
    As part of Local Authentication, verification of the static password failed.
1012  The One Time Password was incorrect
    Verification of the OTP failed. More specific details may be found in the VACMAN Controller error code and message.
1013  The challenge was invalid
    A response to a challenge was given, but the challenge was not the latest one issued for that Digipass. This is controlled by the Check Challenge Policy setting.
1014  The Digipass Grace Period has expired
    A User attempted to log in with their static password, but their Grace Period had already expired. They have to use a Digipass to log in.
    If they do not have their Digipass yet, the administrator will have to allow them more time by modifying the Grace Period End date on their Digipass record.
1015  Backup Virtual Digipass is not allowed
    A User attempted to request a Backup Virtual Digipass OTP, but they were not permitted. This would normally occur when either:
    - The effective Backup VDP Enabled setting is Yes – Time Limited, and the Digipass Backup VDP Enabled Until date is the current date or before.
    - The Digipass Backup VDP Uses Remaining counter has reached 0.
    In both cases, administrator intervention is required to permit the User to continue to use Backup Virtual Digipass. The Enabled Until or Uses Remaining limits need to be increased to permit this.
    Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass record overrides the Policy.
1016  The Digipass is not available
    A User attempted Self-Assignment, but the Digipass they requested either could not be found within the search scope or was already assigned to someone else.
    This may occur because of a mistyped Serial Number. Otherwise, the search scope may be incorrect or the Digipass may not be in the correct location to be made available to the User. See the Location of Digipass Records section in the Product Guide.
1017  The user account has no mobile number for Virtual Digipass
    A User requested a Primary or Backup Virtual Digipass OTP, but it could not be delivered because the User account had no mobile phone number. In Active Directory this is the first Mobile No. on the record.
1018  No password was supplied for a Virtual Digipass login
    A User attempted a Virtual Digipass login, but did not enter a password in the second stage of the login. See 6.1.9 Virtual Digipass for more information.
1019  The new password confirmation failed
    In a password change request, the new password was not confirmed correctly.
1020  Local authentication failed
    General-purpose failure of Local Authentication when a more specific status code is not available. Additional information should provide more specific details.
1021  Back-end authentication reported that the password has expired
    Back-End Authentication (e.g. Windows) failed because the password was correct but it has expired.
1022  Back-end authentication failed
    Back-End Authentication (e.g. Windows) failed. A specific error code and message will accompany this record.
1030  The policy was invalid
    An authentication request was rejected because the applicable Policy had invalid settings or failed to load. This should not occur, but is possible due to the delay in Active Directory replication, for example.
    The two main ways in which a Policy can become invalid are:
    - One or more choice list settings are Default in the Policy, and its parent Policy if it has one.
    - A circular chain of Policies has been created, for example: Policy A inherits from Policy B; Policy B inherits from Policy C; Policy C inherits from Policy A.
    The Policy must be fixed in order for authentication to be permitted using that Policy.
1031  The policy does not allow a self-assignment attempt
    A User attempted Self-Assignment, but it is not permitted under the Policy.
1032  Hashed passwords cannot be verified by Windows
    An authentication request could not be processed successfully because Back-End Authentication using Windows was required, but the User's password was hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based protocol is used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that utilize a one-way hash of the password entered by the User.
    Note that the effective Back-End Authentication setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1033  A Digipass must be used
    The effective Local Authentication setting is Digipass Only and the User tried to log in with a static password.
    Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1034  Challenge/Response is not supported by CHAP-based protocols
    Challenge/Response is only supported in RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols.
1035  Challenge/Response is not supported by Windows 2000
    This status code can only occur in the Digipass Plug-In for IAS. There is a product limitation on Windows 2000 only that Challenge/Response is not supported. It will occur if the User attempted to request a challenge.
1036  1-Step Challenge/Response is disabled
    A request was made to generate a random challenge for 1-step Challenge/Response, but the applicable Policy does not have 1-step Challenge/Response enabled or does not specify the challenge length and check digit indicator.
1037  Password Autolearn is disabled
    A request was made to update a user's Stored Password, but Password Autolearn is disabled, so the update is not permitted. Password Autolearn must be enabled for the password update request to be processed.
1038  The administration session ID is not known at this location
    An administration command has been received, but the internal session ID is not recognised at the location from which the command came. This can only occur by attempting to reuse a session ID from another location.
1039  The administration session is no longer active
    An administration command has been received, but the session has stopped or is unrecognised. This can occur due to an idle timeout, a maximum session length timeout or a restart of the aXsGUARD Identifier.
1040  Back-end authentication returned a Challenge that cannot be handled
    This can occur when the aXsGUARD Identifier forwards a request to a RADIUS Server and the RADIUS Server responds with an Access-Challenge. An Access-Challenge can only be handled when the aXsGUARD Identifier forwards the password unmodified to the RADIUS Server. If the aXsGUARD Identifier verifies an OTP and forwards the static password to the RADIUS Server, it is not possible to handle an Access-Challenge from the RADIUS Server.
    It can also occur if you use RADIUS Back-End Authentication for an IIS Module. In that case, Access-Challenge is not supported from the RADIUS Server.
1041  No Digipass was found for the given Serial Number
    During a Self-Assignment attempt, the Serial Number provided by the User was not found in the data store. This mainly occurs when the Serial Number is entered incorrectly. It can also occur because the Digipass record is not in the User's Domain or Organizational Unit.
1042  Self-Assignment was attempted but Back-End Authentication did not occur to authenticate the static password
    Self-Assignment is not allowed without Back-End Authentication. This is required to validate the static password.
1050  Reactivation is not allowed
    A reactivation attempt was refused for one of the following reasons:
    - The Digipass has already been activated from the maximum number of allowed locations. This limit is controlled by the Provisioning Scenario configuration setting Max Locations.
    - The maximum number of allowed activation attempts has already been reached. This limit is controlled by the Provisioning Scenario configuration setting Max Attempts.
    - The minimum time interval required between activation attempts has not yet been reached since the last activation attempt. This limit is controlled by the Provisioning Scenario configuration setting Min Interval.
1051  Multiple Digipass found where a single Digipass was required
    An activation attempt was made where the user had two or more Digipass that could be used. The activation request did not specify which Digipass should be used to handle the request.
1052  The user account has no static password to encrypt the activation code
    If no Local Authentication or Back-End Authentication is done during an activation request, a static password is required from the Digipass User account. The password is used to encrypt the activation code.
1053  No Digipass was available for assignment
    No available Digipass was found for the Provisioning Register request. The Digipass must be capable of activation and meet the Digipass restrictions in the Policy settings, if any.
1054  Error generating activation code
    Generation of an activation code for Provisioning failed. More specific details may be found in the VACMAN Controller error code and message.
1060  The Signature failed validation
    Verification of the signature failed. More specific details may be found in the VACMAN Controller error code and message.
1061  The Signature has already been used
    This status code occurs specifically when a signature is rejected because it has already been used. It may also occur when the signature has not been used but is older than the most recently used signature.
    This behaviour depends on the effective Online Signature Level Policy setting.
1062  A Host/Confirmation Code is required but the Digipass Application is not able to generate it
    For an authentication request, a Host Code was required to be returned. The Digipass Application for
which the OTP was validated was not capable of<br />
generating a Host Code.<br />
For a signature validation request, a Confirmation<br />
Code was required to be returned. The Digipass<br />
Application for which the signature was validated<br />
was not capable of generating a Confirmation Code.<br />
The DPX file that was used to import the Digipass<br />
Application controls whether the Host or<br />
Confirmation Code can be generated.<br />
3001 A Digipass Challenge was returned This status code is the standard code when a<br />
challenge is issued and does not indicate any kind<br />
of error.<br />
3002 No challenge was identified for the<br />
authentication<br />
A response to a challenge was given, but no<br />
challenge could be found. The most likely reason for<br />
this to occur is that the challenge is too old and has<br />
been removed from the challenge cache. It can also<br />
occur if no 'challenge key' was supplied with which<br />
to look up the challenge.<br />
3003 Back-end authentication returned a Challenge This occurs when a RADIUS Server responds with<br />
an Access-Challenge, in a case where the<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> can handle it.<br />
5001 The user failed the Windows Group Check The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> decided not to handle an<br />
authentication request due to the Windows Group<br />
Check failing. This can occur when the effective<br />
Windows Group Check option is Pass requests for<br />
users not in listed groups back to host system.<br />
Note that the 'effective' setting is the effective<br />
setting of the Policy, unless the Digipass User<br />
Account overrides the Policy.<br />
5002 Neither local nor back-end authentication was<br />
done due to policy and/or user settings<br />
The <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> decided not to handle an<br />
authentication request because the effective Local<br />
Authentication and Back-End Authentication<br />
settings were both None.<br />
Note that the 'effective' settings are the effective<br />
settings of the Policy, unless the Digipass User<br />
Account overrides the Policy.<br />
10 Tracing<br />
The level of tracing for the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> can be configured using the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Configuration<br />
Tool.<br />
Tracing messages will be recorded to a text file.<br />
Table 32: Tracing Message Types<br />
Message Type Code | Notes | Examples<br />
[CRITC] | Critical error/warning | <br />
[MAJOR] | Major error/warning | [MAJOR] > Failed to execute command. Error <<br />
[MINOR] | Minor error/warning | [MINOR]> Cannot get License Key from Component record<br />
[CONFG] | Configuration/initialization | [CONFG] > ODBC Database audit plugin is successfully loaded ; [CONFG] > Component cache configured as: max age : 900, max size : 1000, clean threshold : 800, min clean interval : 60<br />
[ALERT] | Alerts | [ALERT] > disconnecting from server.<br />
[INFO] | Informational messages | [INFO ] > Audit: {Info} {Initialization} {I-002002} {The Digipass Authentication library has been initialized successfully.} ; [INFO ] > Creating Digipass object.<br />
[VINFO] | Verbose informational messages | [VINFO] > Event log source is < ; [VINFO][ODBCConnection::OpenConnection] > Established connection to ODBC database<br />
[DATA] | Data tracing | [DATA ] > Prepared SQL statement "SELECT vdsDomain, vdsDescription, vdsCreateTime, vdsModifyTime FROM vdsDomain ORDER BY vdsDomain"<br />
[TEMP] | Temporary data values | [TEMP ] > Updated list is <<br />
[RESRC] | Resource usage | [RESRC] > Socket Bound to <<br />
[DEBUG] | Debugging (useful for support purposes) | [DEBUG] > Registering Binary with Event log for Source < Identikey Server 3 {Application}> ; [DEBUG] > Committed transaction<br />
[SECUR] | Security messages, messages that may contain security sensitive data | <br />
There are two tracing levels available when configuring tracing from the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> Configuration<br />
Tool – Basic and Full. This can be customised further if required by directly editing the configuration file. The<br />
message types recorded by each level are shown in the table below.<br />
Table 33: Tracing Message Levels<br />
Trace Level | Message Types Recorded<br />
Basic | CRITC, MAJOR, MINOR, CONFG, ALERT, INFO<br />
Full | CRITC, MAJOR, MINOR, CONFG, ALERT, INFO, VINFO, DATA, TEMP, RESRC, DEBUG, SECUR<br />
Basic and Full tracing levels output different amounts of information in trace messages.<br />
Table 34: Tracing Message Contents<br />
Trace Level | Message Contents<br />
Basic | [date_time] [thread ID] [level code] message<br />
Full | [date_time] [thread ID] [level code] [internal function name] message<br />
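The Table 32 message type codes, the Table 33 level membership and the Table 34 line layouts, read back by a small trace-file parser. This is an added example, not code from the guide or from VASCO. It assumes a bracketed date_time and thread ID of unspecified syntax (the guide does not define either), treats the leading "> " seen in the Table 32 examples as a marker to strip, and, as an assumption of its own, flags DATA and TEMP records alongside SECUR as ones that may carry sensitive data (the guide names only SECUR that way; its DATA example happens to contain a full SQL statement). The sample lines at the bottom are constructed.<br />

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message type codes from Table 32, in the order the guide lists them.
LEVEL_CODES = ["CRITC", "MAJOR", "MINOR", "CONFG", "ALERT", "INFO",
               "VINFO", "DATA", "TEMP", "RESRC", "DEBUG", "SECUR"]

# Table 33: Basic tracing records only the first six codes, Full records all twelve.
BASIC_LEVELS = frozenset(LEVEL_CODES[:6])
FULL_LEVELS = frozenset(LEVEL_CODES)

# Codes whose messages may carry data a log reader should treat as sensitive.
# SECUR is defined that way by the guide; DATA and TEMP are added here as an
# assumption, since the guide's own DATA example carries a complete SQL statement.
SENSITIVE_LEVELS = frozenset({"SECUR", "DATA", "TEMP"})

# Table 34 layouts. The guide does not specify the date_time or thread ID syntax,
# so this regex (an assumption) accepts any text inside those two brackets.
# Codes shorter than five characters are space-padded in the examples
# ("[INFO ]", "[DATA ]"), hence the \s* before the closing bracket. The
# bracketed internal function name is present only at Full trace level.
_TRACE_RE = re.compile(
    r"^\[(?P<date_time>[^\]]*)\]\s*"
    r"\[(?P<thread_id>[^\]]*)\]\s*"
    r"\[(?P<level>[A-Z]+)\s*\]\s*"
    r"(?:\[(?P<function>[^\]]*)\]\s*)?"
    r"(?P<message>.*)$"
)


@dataclass
class TraceRecord:
    date_time: str
    thread_id: str
    level: str
    function: Optional[str]   # None for Basic-format lines
    message: str

    @property
    def trace_level(self) -> str:
        """The lowest configured tracing level (Table 33) that emits this code."""
        return "Basic" if self.level in BASIC_LEVELS else "Full"

    @property
    def may_be_sensitive(self) -> bool:
        return self.level in SENSITIVE_LEVELS


def parse_trace_line(line: str) -> Optional[TraceRecord]:
    """Parse one trace file line; return None for lines that do not match Table 34."""
    m = _TRACE_RE.match(line.strip())
    if not m or m.group("level") not in FULL_LEVELS:
        return None
    # The Table 32 examples show a "> " marker before the message text; drop it.
    message = m.group("message")
    if message.startswith(">"):
        message = message[1:].lstrip()
    return TraceRecord(m.group("date_time"), m.group("thread_id"),
                       m.group("level"), m.group("function"), message)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count records per level code and collect those that may hold sensitive data."""
    records = [r for r in (parse_trace_line(l) for l in lines) if r is not None]
    return {
        "parsed": len(records),
        "unparsed": len(lines) - len(records),
        "by_level": dict(Counter(r.level for r in records)),
        "full_only": sum(1 for r in records if r.trace_level == "Full"),
        "sensitive": [r.message for r in records if r.may_be_sensitive],
    }


# Constructed sample lines (not from a real trace file). The timestamp and
# thread ID values are made up; the message texts follow the Table 32 examples.
SAMPLE_LINES = [
    "[2010-06-01 10:15:02] [0x1a4c] [CONFG] > ODBC Database audit plugin is successfully loaded",
    "[2010-06-01 10:15:02] [0x1a4c] [INFO ] > Creating Digipass object.",
    "[2010-06-01 10:15:03] [0x1a4c] [VINFO][ODBCConnection::OpenConnection] > Established connection to ODBC database",
    '[2010-06-01 10:15:03] [0x1a4c] [DATA ] > Prepared SQL statement "SELECT vdsDomain FROM vdsDomain ORDER BY vdsDomain"',
    "[2010-06-01 10:15:04] [0x1a4c] [MAJOR] > Failed to execute command.",
    "this line is not a trace record",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_trace_line, SAMPLE_LINES)):
        flag = " (may contain sensitive data)" if rec.may_be_sensitive else ""
        print(f"{rec.level:5} {rec.trace_level:5} {rec.function or '-'}: {rec.message}{flag}")
    print(summarize(SAMPLE_LINES))
```

The practical point of the `full_only` and `sensitive` counts is that a trace file written at Full level contains record types (DATA, TEMP, SECUR) that Basic never emits, so a file produced for support purposes should be reviewed before it leaves the system.<br />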
11 Support Procedure<br />
If you encounter problems with a VASCO product, please follow the steps below:<br />
1. Check if your problem is resolved in the Knowledge Base located at the following URL:<br />
http://www.vasco.com/support.<br />
2. If you are unable to solve your problem with the Knowledge Base, please contact the company which<br />
sold you the VASCO product.<br />
3. If your supplier is unable to resolve your query, they will automatically contact the appropriate VASCO<br />
expert. If necessary, VASCO experts can access your <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> remotely to resolve any<br />
problems. Remote support and access to your <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong> are achieved through the VASCO<br />
Service Center. For information on the VASCO Service Center, please refer to the <strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong><br />
Product Guide.<br />
Alphabetical Index<br />
Accessing Further Reading.................................................................... 7<br />
<strong>Administration</strong> Web Interface................................................................. 8<br />
<strong>aXs</strong><strong>GUARD</strong> <strong>Identifier</strong>............................................................................. 8<br />
Check Digit........................................................................................ 27<br />
Comma Separated Value Files............................................................. 46<br />
Configuration Tool............................................................................ 8, 9<br />
Convenience Layer............................................................................... 8<br />
Documents.......................................................................................... 6<br />
Firewall Ports..................................................................................... 58<br />
IDENTIKEY........................................................................................... 8<br />
LDAP User Synchronization........................................................... 15<br />
Settings...................................................................................... 12<br />
Synchronization Profile................................................................. 15<br />
IDENTIKEY Settings.................................................................................<br />
Active Directory........................................................................... 14<br />
ADAM......................................................................................... 14<br />
Authentication............................................................................. 13<br />
e-Directory.................................................................................. 14<br />
Gateway...................................................................................... 12<br />
MDC........................................................................................... 12<br />
Provisioning................................................................................. 13<br />
RADIUS....................................................................................... 14<br />
Scenarios.................................................................................... 13<br />
Server Discovery ......................................................................... 12<br />
Signature.................................................................................... 13<br />
Tracing....................................................................................... 14<br />
Login Permutations............................................................................. 51<br />
Message Delivery Component.............................................................. 47<br />
Network Fields.......................................................................................<br />
Default Gateway........................................................................... 11<br />
DNS............................................................................................ 11<br />
Proxy.......................................................................................... 11<br />
One Time Password...................................................................... 53, 54<br />
Organizational structure..................................................................... 38<br />
Policies, Pre-loaded............................................................................ 32<br />
Report Fields..........................................................................................<br />
Audit Query Fields........................................................................ 42<br />
Digipass Query Fields................................................................... 42<br />
Query Fields................................................................................ 41<br />
User Query Fields......................................................................... 41<br />
Rescue Tool......................................................................................... 8<br />
Response Only................................................................................... 53<br />
Standard Reports............................................................................... 44<br />
Support............................................................................................. 89<br />
System Fields........................................................................................<br />
Backup and Restore..................................................................... 10<br />
Logging....................................................................................... 10<br />
Remote Logging.......................................................................... 10<br />
Settings........................................................................................ 9<br />
Time............................................................................................. 9<br />
VACMAN Software................................................................................ 8<br />
VASCO................................................................................................ 8<br />