3.3
Copyright
Copyright 2011 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.
Trademarks
VASCO, Vacman, IDENTIKEY, aXsGUARD, and DIGIPASS are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.
Table of Contents
1 Introduction .......... 4
1.1 About this guide .......... 4
1.2 IDENTIKEY Server Implementation .......... 5
1.3 IDENTIKEY Server Testing .......... 5
1.4 Topics Not Included .......... 5
1.5 Before you start .......... 5
3 Testing .......... 13
3.1 Test Local Authentication .......... 14
3.2 Test Windows Back-End Authentication .......... 16
3.3 Test RADIUS Back-End Authentication .......... 19
3.4 Test Management Features .......... 23
4 Demo Tokens .......... 28
4.1 Using the Demo DP300 .......... 28
4.2 Using the Demo Go 3 or Go 6 .......... 29
1 Introduction
1.1 About this guide
This Getting Started Guide will introduce you to IDENTIKEY Server. It will help you set up a basic installation of IDENTIKEY Server and get to know the product and the tools it includes. It covers only basic information and the most common configuration requirements. Other options and more in-depth instructions are covered in other manuals.
Note
By default, the RADIUS Client Simulator uses port 1812 for authentication requests and port 1813 for accounting requests. On Microsoft Windows Small Business Server 2008 these ports are used by other services, so configure the RADIUS Client Simulator to use other ports by updating the Auth. Port and Acct. Port fields in the RADIUS Client Simulator. Ensure that the chosen ports are open on the firewall, and that the RADIUS client is amended to use the same ports.
RADIUS Topology
When prompted to select a RADIUS topology, select either:
- IDENTIKEY Server as standalone RADIUS Server (this will require you to skip the RADIUS Back-End Authentication topic)
- IDENTIKEY Server in front of RADIUS Server
Automatic Settings
Some settings which are created automatically for the IDENTIKEY Server are:
- Example Policies
- A Component record for the IDENTIKEY Server, which will point to a default Policy
- A default RADIUS Client Component record
Auditing
The Audit Viewer will be installed with IDENTIKEY Server.
Note
The Shared Secret for the default RADIUS Client record, and for the RADIUS Client Simulator, is set to "default".
Set Up Auditing
1. Open the Audit Viewer (Start Menu -> Programs -> VASCO -> Identikey Server -> Audit Viewer).
2. Expand the Servers item in the navigation pane.
3 Testing
This section will guide you through testing direct logins to IDENTIKEY Server and a back-end RADIUS server, testing Back-End Authentication, testing various management features, and the configuration or administration changes required. At various points in the process, test logins are recommended to ensure that the previous steps have not caused unexpected problems. This also helps in troubleshooting, as it helps to pinpoint where in the process a problem occurred. The diagram below illustrates the basic testing procedure.
Test Prerequisites
If you are going to test all types of login methods and authentication options available, you will need:
- A DIGIPASS User account with:
  - A corresponding Windows User account
  - A stored static password which is the same as the Windows account's password
- A DIGIPASS or Demo DIGIPASS with Response Only and Challenge/Response Applications, assigned to the DIGIPASS User account.
- A new Policy named 'Test'.
3. Find and click on the Test Policy.
4. Click on the required tab:
   - Local Authentication and Back-End Authentication settings can be found under the Policy tab.
   - Dynamic User Registration, Password Autolearn and Stored Password Proxy settings can be found under the User tab.
   - Application Type, Assignment Mode, Grace Period, Serial Number Separator and Search Upwards in Org. Unit Hierarchy settings can be found under the DIGIPASS tab.
   - Challenge/Response settings can be found under the Challenge tab.
5. Click on Edit.
6. Make the required changes.
7. Click on Save.
3.1 Test Local Authentication
3.1.1 Static Password
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Local Auth. to DIGIPASS/Password.
- Set Back-End Auth. to None.
- Set Password Autolearn to Yes.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and static stored password.
3.1.2 Response Only
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Response Only.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to None.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the OTP from your DIGIPASS.
3.1.3 Challenge/Response
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Challenge/Response.
- Set 2-step Challenge/Response Request Method to Keyword.
- Set Keyword to 2StepCR.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to None.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions):
1. Log in using the DIGIPASS User ID and the keyword (2StepCR).
2. Enter the Challenge provided by the RCS into your DIGIPASS.
3. Enter the same DIGIPASS User ID and the Response provided by your DIGIPASS.
3.2 Test Windows Back-End Authentication
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and static stored password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to Windows.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and static stored password.
3.2.2.2 Response Only
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Response Only.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to Windows.
- Set Stored Password Proxy to Yes.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the DIGIPASS User ID and the OTP from your DIGIPASS.
3.2.2.3 Challenge/Response
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Challenge/Response.
- Set 2-step Challenge/Response Request Method to Keyword.
- Set Keyword to 2StepCR.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to Windows.
- Set Stored Password Proxy to Yes.
3.3 Test RADIUS Back-End Authentication
3.3.1 Requirements
To complete the recommended steps, you will need:
- An installed RADIUS Server.
- An administrator login for the RADIUS server.
Enable Tracing
Depending on the RADIUS Server product, some facilities will be available for tracing. This may be referred to as logging or debugging instead. If this is enabled, it will help to find out what is happening if the observed behaviour is not as expected.
2. Ensure that the RADIUS Client Simulator client record is using the configured Policy.
In the RADIUS Client Simulator:
3. Enter the IP address of the IDENTIKEY Server.
4. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
5. Enter the User ID for the User account you are using for test logins in the User ID field.
6. Enter the User account's RADIUS Server password followed by an OTP from the DIGIPASS in the Password field. There should be no spaces between the password and the OTP.
7. Click on the Login button.
8. The Status information field will indicate the success or failure of your logon. Below it you should see the RADIUS reply attributes from the RADIUS Server.
9. Enter a new OTP from the DIGIPASS into the Password field, without the RADIUS Server password in front.
10. Click on the Login button.
11. The Status information field will indicate the success or failure of your logon. Below it you should see the RADIUS reply attributes from the RADIUS Server.
3.4 Test Management Features
3.4.1 Auto-Assignment
Initial Setup
1. Open the Administration Web Interface.
2. Click on Clients -> List.
3. Click on the client record for the RADIUS Client Simulator.
4. Ensure that the Test Policy is selected in the Policy drop down list.
5. Click on OK.
6. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Local Auth. to Digipass/Password.
   - Set Back-End Auth. to Always.
   - Set Back-End Protocol to RADIUS.
   - Set Password Autolearn to Yes.
   - Set Stored Password Proxy to Yes.
   - Set Dynamic User Registration to No.
   - Set Assignment Mode to Neither.
   - Set Grace Period (7 days is the standard time period used).
   - Set Search Upwards in Organizational Unit hierarchy to Yes.
   - Set Application Type to No Restriction.
7. Create or use a User account in the RADIUS Server which does not currently have a corresponding DIGIPASS User account.
8. Check that at least one unassigned DIGIPASS is available in the DIGIPASS Container.
Test Auto-Assignment - 1
In the following test, both Dynamic User Registration and Auto-Assignment should fail, meaning that a DIGIPASS User account will not be created, and a DIGIPASS will not be assigned to the User. This shows that the IDENTIKEY Server record has been configured successfully.
In the RADIUS Client Simulator:
9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
11. Enter the password for the RADIUS Server User account.
12. Click on the Login button. The Status information field will indicate the success or failure of your logon.
Modify Settings
13. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Dynamic User Registration to Yes.
   - Set Assignment Mode to Auto-Assignment.
Test Auto-Assignment - 2
In the following test, both Dynamic User Registration and Auto-Assignment should succeed, meaning that a DIGIPASS User account will be created, and an available DIGIPASS will be assigned to the User.
In the RADIUS Client Simulator:
14. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
15. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
16. Enter the password for the User account.
17. Click on the Login button. The Status information field will indicate the success or failure of your logon.
OTP login
22. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and One Time Password. This should be successful.
23. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. As the OTP login from the previous step should have ended the Grace Period for the DIGIPASS, this login should fail.
24. Check the Grace Period End in the User record. It should contain today's date.
3.4.2 Self-Assignment
To complete this test, you will need to have a DIGIPASS physically available, and free to be assigned to a test User account.
Initial Setup
1. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Dynamic User Registration to No.
   - Set Assignment Mode to Neither.
   - Set Search Upwards in Organizational Unit hierarchy to Yes.
   - Set Serial Number Separator to : (colon).
2. Create or use a User account in the RADIUS Server which does not currently have a corresponding DIGIPASS User account.
3. Check that the desired DIGIPASS is in the DIGIPASS Container and unassigned.
Test Self-Assignment - 1
In the following test, both Dynamic User Registration and Self-Assignment should fail, meaning that a DIGIPASS User account will not be created, and the selected DIGIPASS will not be assigned to the User.
In the RADIUS Client Simulator:
1. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
2. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
3. Enter the Serial Number for the DIGIPASS, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the DIGIPASS into the Password field, e.g. 98765432| password12340098787 (see the Login Permutations topic in the Administrator Reference for more information).
4. Click on the Login button. The Status information field will indicate the success or failure of your logon.
Modify Settings
5. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
   - Set Dynamic User Registration to Yes.
   - Set Assignment Mode to Self-Assignment.
Test Self-Assignment - 2
In the following test, both Dynamic User Registration and Self-Assignment should succeed, meaning that a DIGIPASS User account will be created, and the intended DIGIPASS will be assigned to the User.
In the RADIUS Client Simulator:
6. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
7. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
8. Enter the Serial Number for the DIGIPASS, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the DIGIPASS into the Password field, e.g. 98765432| password12340098787 (see the Login Permutations topic in the Administrator Reference for more information).
9. Click on the Login button. The Status information field will indicate the success or failure of your logon.
Password login
13. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. This should fail, as a Grace Period is not set for a Self-Assignment.
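The Auto-Assignment and Self-Assignment tests above exercise three Policy settings together: Dynamic User Registration, Assignment Mode and the Grace Period. The following is an added toy model of that behaviour written for this guide (it is not VASCO code and does not reproduce IDENTIKEY Server logic): the back-end RADIUS password check, the DIGIPASS Container and the token's current Response are all constructed sample data, the Server PIN is omitted from the self-assignment field, and the Separator defaults to the colon set above.

```python
from datetime import date, timedelta

# Constructed sample data (not from the guide): one RADIUS back-end account; the OTP is fixed.
BACKEND_USERS = {"alice": "Secret1"}
OTP_LEN = 6

def day(n):   # constructed reference calendar: day n of the test, for Grace Period checks
    return date(2011, 1, 1) + timedelta(days=n)

class Server:   # toy model of the Policy settings the assignment tests exercise
    def __init__(self, dyn_reg, assign_mode, grace_days=7, separator=":"):
        self.dyn_reg, self.assign_mode = dyn_reg, assign_mode
        self.grace_days, self.separator = grace_days, separator
        self.tokens = {"98765432": {"otp": "246810", "user": None}}  # DIGIPASS Container
        self.users = {}   # DIGIPASS User accounts: id -> {"token": serial, "grace_end": date|None}

    def _assign(self, user_id, serial, today, grace):
        self.tokens[serial]["user"] = user_id
        end = today + timedelta(days=self.grace_days) if grace else None
        self.users[user_id] = {"token": serial, "grace_end": end}

    def _register(self, user_id, pw_field, today):
        """Dynamic User Registration for an unknown user, decided by Assignment Mode."""
        if not self.dyn_reg or self.assign_mode == "Neither":
            return "FAIL: unknown user, registration disabled"
        if self.assign_mode == "Auto-Assignment":
            if BACKEND_USERS.get(user_id) != pw_field:
                return "FAIL: back-end password rejected"
            free = [s for s, t in self.tokens.items() if t["user"] is None]
            if not free:
                return "FAIL: no unassigned DIGIPASS"
            self._assign(user_id, free[0], today, grace=True)
            return "OK: user created, DIGIPASS auto-assigned, Grace Period started"
        # Self-Assignment: serial + Separator + back-end password + OTP (Server PIN omitted here)
        serial, sep, rest = pw_field.partition(self.separator)
        tok = self.tokens.get(serial)
        if not sep or tok is None or tok["user"] is not None:
            return "FAIL: serial number unknown or already assigned"
        password, otp = rest[:-OTP_LEN], rest[-OTP_LEN:]
        if BACKEND_USERS.get(user_id) != password or tok["otp"] != otp:
            return "FAIL: back-end password or OTP rejected"
        self._assign(user_id, serial, today, grace=False)
        return "OK: user created, DIGIPASS self-assigned, no Grace Period"

    def login(self, user_id, pw_field, today):
        user = self.users.get(user_id)
        if user is None:
            return self._register(user_id, pw_field, today)
        if pw_field == self.tokens[user["token"]]["otp"]:
            user["grace_end"] = today          # a successful OTP login ends the Grace Period
            return "OK: OTP accepted"
        in_grace = user["grace_end"] is not None and today < user["grace_end"]
        if in_grace and BACKEND_USERS.get(user_id) == pw_field:
            return "OK: password accepted during Grace Period"
        return "FAIL: OTP required"
```

Running the auto-assignment sequence (password login, OTP login, password login again) against this model reproduces the expected outcomes of steps 22 to 24, and the self-assignment path shows why step 13 fails: no Grace Period is ever set.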
4 Demo Tokens
4.1 Using the Demo DP300
This topic explains the activation and use of the demonstration DP300.
4.1.3 Auto-Off Function
To preserve the maximum battery life, the Demo DP300 automatically turns off after 30 seconds of inactivity.
4.2 Using the Demo Go 3 or Go 6
Note
The Demo Go 3 and Go 6, and other Go 3/Go 6 tokens, only produce a time-based One Time Password, referred to as a Response. This is known as the Response Only authentication method. The Go 3 and Go 6 tokens are used with a PIN, which is entered before the Response.
This Response is generated from the secret code stored within the token and the current time. At logon, the User's Server PIN followed by the One Time Password from the Go 3/Go 6 should be entered together into the appropriate password field in the logon screen or web page. The Server PIN is initially 1234. For example, if the One Time Password generated by the Demo Go 3/Go 6 was 235761, 1234235761 should be entered in the login screen.
Example
To change the Server PIN for a Demo DIGIPASS from 1234 to 5678, where the OTP generated was 111111, enter: 123411111156785678 in the password field and login.
Any time you log in using the Demo or another Go 3/Go 6, you may use this method to change your PIN, except for RADIUS authentications where any form of CHAP is in use (e.g. CHAP, MS-CHAP, MS-CHAP2). This is because the password information is one-way hashed and cannot be retrieved from the packet. If CHAP protocols are used, refer to the User Self-Management Web Site Guide for more information about alternative web-based methods for PIN change (e.g. using your intranet).
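The following added example (written for this page, not VASCO code) makes the CHAP restriction concrete. It parses the Go 3/Go 6 password field layouts described above (PIN+OTP, and PIN+OTP+newPIN+newPIN for a PIN change) as they arrive under PAP, and computes the RFC 1994 CHAP Response, MD5(Identifier || secret || Challenge), to show that under CHAP the server receives only a digest it can compare against an expected value, never the field it would need to parse. The identifier and challenge bytes are constructed sample values.

```python
import hashlib

PIN_LEN, OTP_LEN = 4, 6   # Demo Go 3/Go 6: 4-digit Server PIN, 6-digit Response

def parse_go_password(field):
    """Split a PAP password field into (server_pin, otp, new_pin_or_None) using the
    layouts above: PIN+OTP for a login, PIN+OTP+newPIN+newPIN for a PIN change."""
    if not field.isdigit():
        raise ValueError("Go 3/Go 6 password fields are numeric")
    pin, otp = field[:PIN_LEN], field[PIN_LEN:PIN_LEN + OTP_LEN]
    tail = field[PIN_LEN + OTP_LEN:]
    if len(otp) != OTP_LEN:
        raise ValueError("missing or short OTP")
    if not tail:
        return pin, otp, None
    if len(tail) != 2 * PIN_LEN or tail[:PIN_LEN] != tail[PIN_LEN:]:
        raise ValueError("new PIN must be entered twice and match")
    return pin, otp, tail[:PIN_LEN]

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def chap_verify(identifier, candidate_secret, challenge, response):
    """The server can only recompute the digest for a value it already expects; the
    typed field itself never arrives and cannot be recovered from the digest."""
    return chap_response(identifier, candidate_secret, challenge) == response

def server_view(protocol, field, identifier=1, challenge=b"\x0a\x0b\x0c\x0d"):
    """What reaches the server for the same typed field: the parsed field under PAP,
    an opaque digest under CHAP. Identifier and challenge are constructed defaults."""
    if protocol == "PAP":
        return parse_go_password(field)
    if protocol == "CHAP":
        return chap_response(identifier, field, challenge)
    raise ValueError("unsupported protocol")
```

Under PAP the PIN-change string from the example splits cleanly into old PIN, OTP and new PIN; under CHAP the same string yields a 16-byte digest, which is why the PIN-change method cannot work there.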