VACMAN Middleware Getting Started - Vasco
<strong>Getting</strong> Started
Disclaimer of Warranties and Limitations of Liabilities<br />
The Product is provided on an 'as is' basis, without any other warranties, or conditions, express<br />
or implied, including but not limited to warranties of merchantable quality, merchantability or<br />
fitness for a particular purpose, or those arising by law, statute, usage of trade or course of<br />
dealing. The entire risk as to the results and performance of the product is assumed by you.<br />
Neither we nor our dealers or suppliers shall have any liability to you or any other person or<br />
entity for any indirect, incidental, special or consequential damages whatsoever, including but<br />
not limited to loss of revenue or profit, lost or damaged data or other commercial or economic<br />
loss, even if we have been advised of the possibility of such damages or they are foreseeable;<br />
or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers<br />
and suppliers shall not exceed the amount paid by you for the Product. The limitations in this<br />
section shall apply whether or not the alleged breach or default is a breach of a fundamental<br />
condition or term, or a fundamental breach. Some states/countries do not allow the exclusion<br />
or limitation of liability for consequential or incidental damages so the above limitation may<br />
not apply to you.<br />
RADIUS Documentation Disclaimer<br />
The RADIUS documentation featured in this manual is focused on supplying required<br />
information pertaining to the RADIUS server and its operation in the <strong>VACMAN</strong> <strong>Middleware</strong><br />
environment. It is recommended that further information be gathered from your NAS/RAS<br />
vendor for information on the use of RADIUS.<br />
Copyright<br />
© 2006 VASCO Data Security Inc. All rights reserved.<br />
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in<br />
any form or by any means, electronic, mechanical, photocopying, recording, or otherwise,<br />
without the prior written permission of VASCO Data Security Inc.<br />
Trademarks<br />
<strong>VACMAN</strong> and Digipass are registered trademarks of VASCO Data Security International Inc.<br />
Microsoft and Windows are registered trademarks of Microsoft Corporation.<br />
All other trademarks are the property of their respective holders.<br />
© 2006 VASCO Data Security Inc. 2
<strong>VACMAN</strong> <strong>Middleware</strong> <strong>Getting</strong> <strong>Started</strong> Table of Contents<br />
Table of Contents<br />
1 Introduction<br />
1.1 What You Need to Know/Have before Starting<br />
1.2 System Requirements<br />
1.2.1 Requirements Specific to Active Directory<br />
1.2.2 Requirements Specific to ODBC Database<br />
1.3 Available Guides<br />
2 Initial Setup and Testing<br />
2.1 Basic Procedure<br />
2.2 Install the RADIUS Client Simulator<br />
2.3 Active Directory Changes<br />
2.4 Active Directory SSL<br />
2.5 Install <strong>VACMAN</strong> <strong>Middleware</strong><br />
2.6 Configure the Authentication Server<br />
2.7 Log in to Administration Interfaces<br />
2.7.1 Administration MMC Interface<br />
2.7.2 Active Directory Users and Computers<br />
2.8 Configure <strong>VACMAN</strong> <strong>Middleware</strong><br />
2.9 Import and Assign Digipass Records<br />
2.9.1 Assign Digipass Record(s)<br />
3 Test Logins<br />
3.1 Test Pre-requisites<br />
3.1.1 Create a Test Policy<br />
3.2 Configure Authentication Method<br />
3.2.1 Local Authentication Only<br />
3.2.2 Windows Back-End Authentication Only<br />
3.2.3 Local and Windows Back-End Authentication<br />
3.3 Configure Login Methods<br />
3.3.1 Static Password<br />
3.3.2 Response Only<br />
3.3.3 2-Step Challenge/Response<br />
3.4 Test Logins<br />
4 Test Back-End Authentication<br />
4.1 Set up Back-End RADIUS Server<br />
4.1.1 Requirements<br />
4.1.2 Create RADIUS Client records<br />
4.1.3 Create a User account<br />
4.1.4 Enable Tracing<br />
4.2 Test Direct Login to RADIUS Server<br />
4.3 Configure <strong>VACMAN</strong> <strong>Middleware</strong> for RADIUS Back-End Authentication<br />
4.3.1 Local and Back-End Authentication<br />
4.3.2 Create Back-End Server Record<br />
4.4 Test Logins with Local and Back-End Authentication<br />
5 Test Management Features<br />
5.1 Auto-Assignment<br />
5.2 Self-Assignment<br />
6 Demo Tokens<br />
6.1 Obtaining a Demo Digipass<br />
6.2 Using the Demo Go 1 or Go 3<br />
6.2.1 Activating the Demo Go 1/Go 3<br />
6.2.2 Obtaining a One Time Password<br />
6.2.3 Changing the Demo Go 1/Go 3 Server PIN<br />
6.3 Using the Demo DP300<br />
6.3.1 Activate the Demo DP300<br />
6.3.2 Change the PIN<br />
6.3.3 Auto-Off Function<br />
6.3.4 Unlock the Demo DP300<br />
7 Set up Live System<br />
7.1 Checklist<br />
1 Introduction<br />
This <strong>Getting</strong> <strong>Started</strong> Guide will introduce you to <strong>VACMAN</strong> <strong>Middleware</strong>. It will help you set up a<br />
basic installation of <strong>VACMAN</strong> <strong>Middleware</strong> and get to know the product and the tools it includes.<br />
It covers only basic information and the most common configuration requirements. Other<br />
options and more in-depth instructions are covered in other manuals.<br />
This guide covers a standard implementation of <strong>VACMAN</strong> <strong>Middleware</strong>:<br />
RADIUS environment<br />
Typical installation:<br />
Authentication Server<br />
Active Directory or an ODBC database used as the data store<br />
Administration MMC Interface<br />
Digipass Extension for Active Directory Users and Computers (if Active Directory is<br />
used as the data store)<br />
It includes information on:<br />
Basic configuration of <strong>VACMAN</strong> <strong>Middleware</strong><br />
Testing Digipass logins and administrative functionality<br />
This guide does not cover topics such as:<br />
Installation instructions<br />
Detailed introduction to <strong>VACMAN</strong> <strong>Middleware</strong>, its features and components<br />
Detailed instructions on the use of <strong>VACMAN</strong> <strong>Middleware</strong><br />
Additional components<br />
Virtual Digipass<br />
Backup and recovery<br />
1.1 What You Need to Know/Have before Starting<br />
The encrypted DPX file provided with Digipass (unless you will only use the provided<br />
demo Digipass files)<br />
Encryption Key for the DPX file (if using your own file)<br />
Installation Guide<br />
1.2 System Requirements<br />
Operating System<br />
Windows Server 2003 (32-bit version only) with Service Pack 1 or above, or<br />
Windows XP Professional (32-bit version only) with Service Pack 2 or above, or<br />
Windows 2000 with Service Pack 4 or above<br />
Language<br />
<strong>VACMAN</strong> <strong>Middleware</strong> is designed to function on any language version of Windows.<br />
However, the product has only been comprehensively tested on English language<br />
versions of Windows.<br />
1.2.1 Requirements Specific to Active Directory<br />
Digipass Extension for Active Directory Users and Computers<br />
Active Directory Users and Computers Snap-In<br />
Active Directory set up for SSL<br />
In the following cases, SSL must be available for <strong>VACMAN</strong> <strong>Middleware</strong> components to connect<br />
to Active Directory:<br />
Authentication Server not installed on a Domain Controller.<br />
Administration Interfaces not installed on a Domain Controller.<br />
Authentication Server and/or Administration Interface(s) on a Domain Controller, but<br />
accessing data in another domain.<br />
An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows<br />
Certificate Services is available as an optional Windows component.<br />
However, if you do not wish to install a CA, you can select during installation not to use SSL.<br />
1.2.2 Requirements Specific to ODBC Database<br />
<strong>VACMAN</strong> <strong>Middleware</strong> will support most modern ODBC-compliant relational, transactional<br />
databases. It has been tested on the following databases:<br />
Oracle 9i<br />
Microsoft SQL Server 2000<br />
Microsoft SQL Server 2005<br />
DB2 8.1<br />
Sybase Adaptive Server Anywhere 9.0<br />
PostgreSQL 8.1.3<br />
1.3 Available Guides<br />
The following guides are available:<br />
Product Guide<br />
The Product Guide will introduce you to the features and concepts of <strong>VACMAN</strong> <strong>Middleware</strong> and<br />
the various options you have for using it.<br />
Installation Guide<br />
Use this guide when planning and working through an installation of <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
<strong>Getting</strong> <strong>Started</strong><br />
To get you up and running quickly with a simple installation and setup of <strong>VACMAN</strong> <strong>Middleware</strong>.<br />
Administrator Reference<br />
In-depth information required for administration of <strong>VACMAN</strong> <strong>Middleware</strong>. This includes<br />
references such as data attribute lists, backup and recovery and utility commands.<br />
Data Migration Tool Guide<br />
Takes you through a data migration from one VASCO product to another, using the VASCO<br />
Data Migration Tool.<br />
Help Files<br />
Context-sensitive help accompanies the administration interfaces.<br />
2 Initial Setup and Testing<br />
2.1 Basic Procedure<br />
The diagram below illustrates the basic procedure which this Guide will take you through in the<br />
initial setup and tests for <strong>VACMAN</strong> <strong>Middleware</strong>. At various points in the process, test logins are<br />
recommended to ensure that the previous steps have not caused unexpected problems. This<br />
also helps in troubleshooting, as it helps to pinpoint where in the process a problem occurred.<br />
Image 1: Basic Setup Procedure<br />
2.2 Install the RADIUS Client Simulator<br />
The RADIUS Client Simulator (RCS) is a program that simulates RADIUS Authentication and<br />
Accounting processing in a similar fashion to RADIUS-enabled Network Access Server and<br />
Firewall devices. The RCS can be used to test User authentication and Digipass authentication,<br />
to estimate RADIUS Server performance, or to test system overload.<br />
Install the RADIUS Client Simulator on a machine in the required Domain:<br />
1. Locate and run the <strong>VACMAN</strong> RADIUS Client Simulator Setup.exe.<br />
2. Follow the prompts until the installation is complete.<br />
If you chose the default install location, the Simulator will be installed to the<br />
C:\Program Files\VASCO\<strong>VACMAN</strong> RADIUS Client Simulator directory.<br />
3. Launch the Simulator from the Start menu.<br />
Note<br />
The RADIUS Client Simulator uses the port 1812 for authentication requests<br />
and port 1813 for accounting requests, by default.<br />
2.3 Active Directory Changes<br />
Extend the Active Directory Schema according to the instructions in the Installation Guide.<br />
2.4 Active Directory SSL<br />
Set up SSL if required. See the Pre-installation Tasks section of the Installation Guide for<br />
more information.<br />
2.5 Install <strong>VACMAN</strong> <strong>Middleware</strong><br />
Install <strong>VACMAN</strong> <strong>Middleware</strong> according to the instructions in the Installation Guide.<br />
Some settings which are created automatically for the Authentication Server are:<br />
Example Policies.<br />
A Component for the Authentication Server, which will point to a default Policy.<br />
A default RADIUS Client Component.<br />
Permissions within Active Directory for the Authentication Server.<br />
2.6 Configure the Authentication Server<br />
When the install process for <strong>VACMAN</strong> <strong>Middleware</strong> is completed, open the Authentication Server<br />
Configuration Interface. In particular, these should be configured:<br />
Auditing – log to a text file or to the Windows Event Log. You can also set up a live Audit<br />
Viewer connection to the Authentication Server if preferred, but if you are working on the<br />
server machine anyway, it is simpler to use the text files.<br />
Tracing.<br />
Domain connection parameters (Active Directory only) – modify or select a Domain<br />
Controller to connect to if required.<br />
The Authentication Server must be enabled and licensed.<br />
2.7 Log in to Administration Interfaces<br />
2.7.1 Administration MMC Interface<br />
The Administration MMC Interface is a standalone MMC snap-in that can be used to administer<br />
Policies and Components for the Authentication Server.<br />
Active Directory<br />
If Active Directory is used as the data store, the Administration MMC Interface can be used for<br />
administration of Policy, Component and Back-end Server records (see the Product Guide for<br />
explanations of each term). The Digipass Extension for Active Directory Users and Computers<br />
Snap-In is used for Digipass User accounts and Digipass records.<br />
1. Select Programs -> VASCO -> <strong>VACMAN</strong> <strong>Middleware</strong> -> Administration MMC<br />
Interface from the Start menu.<br />
2. Expand the Digipass Administration node.<br />
3. Right-click on the domain node.<br />
4. Select Connect from the list.<br />
ODBC Database or Embedded Database<br />
If an ODBC database (including the embedded PostgreSQL database) is used as the data store,<br />
the Administration MMC Interface can be used for administration of all Digipass-related data.<br />
1. Select Programs -> VASCO -> <strong>VACMAN</strong> <strong>Middleware</strong> -> Administration MMC<br />
Interface from the Start menu.<br />
2. Expand the Digipass Administration node.<br />
3. Right-click on the DSN.<br />
4. Select Connect from the list.<br />
5. Enter your User ID and password.<br />
6. Click on OK.<br />
2.7.2 Active Directory Users and Computers<br />
The Digipass Extension for Active Directory Users and Computers can be used to administer<br />
Digipass and Digipass User accounts where Active Directory is used as the data store.<br />
1. Open the Active Directory Users and Computers Snap-In.<br />
2.8 Configure <strong>VACMAN</strong> <strong>Middleware</strong><br />
To test stand-alone logins, the Authentication Server Component should use a Policy which has<br />
Local Authentication enabled and Back-End Authentication disabled. The RADIUS Client<br />
Simulator should use the default RADIUS Client Component which is automatically created<br />
during installation.<br />
Note<br />
The Shared Secret for the default RADIUS Client record, and the RADIUS Client<br />
Simulator, is set to default.<br />
2.9 Import and Assign Digipass Records<br />
Before a Digipass may be assigned to a Digipass User, a record for it must be imported into<br />
the data store. This record includes all important information about the Digipass, including its<br />
serial number, Applications, and programming information. This information is transported to<br />
you in the form of a .dpx file. Demo Digipass may be used for the testing and familiarisation<br />
tasks in this guide.<br />
Active Directory<br />
To import Digipass records:<br />
1. Open the Active Directory Users and Computers interface.<br />
2. Right-click on the container or Organizational Unit where the test user account is<br />
located.<br />
3. Click on Import Digipass...<br />
4. Enter or browse for the import path and filename for the DPX file.<br />
5. Enter the encryption key – this is 11111111111111111111111111111111 for the<br />
installed demo Digipass DPX files (press the 1 key 32 times).<br />
6. Click on Import All Applications.<br />
OR<br />
a. Click on Show Applications.<br />
b. Select the Digipass Applications to import.<br />
c. Click on Import Selected Applications.<br />
ODBC Database or Embedded Database<br />
To import Digipass records:<br />
1. Open the Administration MMC Interface.<br />
2. Right-click on the Digipass node.<br />
3. Click on Import Digipass...<br />
4. Enter or browse for the import path and filename for the DPX file.<br />
5. Enter the encryption key – this is 11111111111111111111111111111111 for the<br />
installed demo Digipass DPX files (press the 1 key 32 times).<br />
6. Click on Import All Applications.<br />
OR<br />
a. Click on Show Applications.<br />
b. Select the Digipass Applications to import.<br />
c. Click on Import Selected Applications.<br />
2.9.1 Assign Digipass Record(s)<br />
Before a User can use a Digipass to login, the Digipass must be assigned to their User account<br />
within the data store.<br />
Active Directory<br />
To assign a Digipass record to a User account:<br />
1. Open the Active Directory Users and Computers Snap-In.<br />
2. Select the User account to be assigned a Digipass.<br />
3. Right-click on the record and select Assign Digipass...<br />
4. Select the Digipass record to be assigned to the User account.<br />
5. Click on OK.<br />
This procedure will create a Digipass User account for an Active Directory User if one did not<br />
previously exist.<br />
ODBC Database or Embedded Database<br />
To assign a Digipass record to a User account:<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Users node.<br />
3. Create the Digipass User account if it does not currently exist for the User.<br />
4. Select the Digipass User account to be assigned a Digipass.<br />
5. Right-click on the record and select Assign Digipass...<br />
6. Enter the Serial Number for the Digipass.<br />
7. Click on Find.<br />
8. Select the Digipass record to be assigned to the User account.<br />
9. Click on OK.<br />
3 Test Logins<br />
Using the User account to which you assigned a Digipass, and the Digipass, you can test the<br />
various authentication methods, login methods and protocols needed.<br />
You may wish to try various combinations of authentication method, login method and<br />
protocol, or simply the combination required for your system.<br />
3.1 Test Pre-requisites<br />
If you are going to test all types of login methods available, you will need:<br />
A Digipass User account to test logins with - this can be the same one as in previous<br />
tests.<br />
A Digipass or Demo Digipass with Response Only and Challenge/Response Applications,<br />
assigned to the Digipass User account.<br />
A new Policy named 'Test'.<br />
3.1.1 Create a Test Policy<br />
To create the required test Policy:<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Policies node.<br />
3. In the Policies list on the right, find and right-click VM3 Local Authentication.<br />
4. Click on New Copy...<br />
5. Enter Test in the Name field.<br />
6. Enter an explanation of the Policy in the Description field.<br />
7. Select the Inherit default settings from another Policy option button.<br />
8. Select VM3 Local Authentication from the Inherit from Policy drop down list.<br />
9. Click on OK.<br />
10. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
3.2 Configure Authentication Method<br />
Create a Policy for each authentication method required, or use a 'Test' Policy which can be<br />
modified as desired.<br />
At this stage we are testing authentication without a Back-End RADIUS Server. If you wish to<br />
try out Windows Authentication, this can be done as detailed below with Windows Back-<br />
End Authentication. In this case, make sure that a corresponding active Windows user<br />
account exists.<br />
You can test the following authentication methods:<br />
Local Authentication only<br />
Windows Back-End Authentication only<br />
Local and Windows Back-End Authentication<br />
Caution – Active Directory only<br />
After changing a Policy, Component or Back-End Server record, ensure that<br />
you stop and start the Digipass Authentication Server service, to be sure that<br />
the new settings will take effect immediately.<br />
This is not necessary for an ODBC Database or Embedded Database.<br />
3.2.1 Local Authentication Only<br />
Local authentication means that only the Authentication Server will authenticate a login.<br />
The recommended Policy settings for Local Authentication tests are:<br />
Local Auth. should be set to Digipass/Password.<br />
Back-End Auth. should be set to None.<br />
3.2.2 Windows Back-End Authentication Only<br />
At this point, configuring the Authentication Server to use back-end authentication means that<br />
only Windows will authenticate a login.<br />
The recommended Policy settings for Back-end Authentication tests are:<br />
Local Auth. should be set to None.<br />
Back-End Auth. should be set to Always.<br />
Back-End Protocol must be set to Windows.<br />
3.2.3 Local and Windows Back-End Authentication<br />
At this point, configuring the Authentication Server to use local and back-end authentication<br />
means that both the Authentication Server and Windows will authenticate a login.<br />
The recommended Policy settings for Local and Back-end Authentication tests are:<br />
Local Auth. should be set to Digipass/Password.<br />
Back-End Auth. should be set to Always.<br />
Back-End Protocol must be set to Windows.<br />
3.3 Configure Login Methods<br />
You can test the following login methods:<br />
Static password (does not require a Digipass)<br />
Response Only (requires a Digipass with a Response Only application)<br />
Challenge/Response (requires a Digipass with a Challenge/Response application)<br />
For explanations of these login methods, see the Digipass Introduction topic in the Product<br />
Guide.<br />
3.3.1 Static Password<br />
For static password logins, a Digipass User account is required with a Stored Password. If a<br />
Digipass is assigned to the account, it must be within its grace period, or the login will be<br />
rejected.<br />
To configure the test Policy to allow static password logins:<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Policies node.<br />
3. Find and double-click on the Test Policy.<br />
4. Click on the Main Settings tab.<br />
5. Select Digipass/Password from the Local Auth. drop down list.<br />
6. Click on OK.<br />
3.3.2 Response Only<br />
To configure the test Policy to allow only Response Only logins:<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Policies node.<br />
3. Find and double-click on the Test Policy.<br />
4. Click on the Digipass Settings tab.<br />
5. Select Response Only from the Application Type drop down list.<br />
6. Click on OK.<br />
3.3.3 2-Step Challenge/Response<br />
To configure the test Policy to allow only Challenge/Response logins:<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Policies node.<br />
3. Find and double-click on the Test Policy.<br />
4. Click on the Digipass Settings tab.<br />
5. Select Challenge/Response from the Application Type drop down list.<br />
6. Click on Apply.<br />
7. Click on the Challenge Settings tab.<br />
8. Select Keyword from the 2-step Challenge/Response Request Method drop down<br />
list.<br />
9. Enter a Keyword to use (eg. '2stepCR') in the Keyword field. You can leave this field<br />
blank, so that an empty password can be used to get a challenge.<br />
10. Click on OK.<br />
3.4 Test Logins<br />
1. Configure the Test Policy for the authentication method, login method and protocol to<br />
be tested.<br />
2. Ensure that the Authentication Server Component is using the Test Policy.<br />
3. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
In the RADIUS Client Simulator:<br />
4. Configure the RADIUS Client Simulator with the details for the Authentication Server:<br />
a. IP address<br />
b. Shared Secret (if modified from the default)<br />
c. Accounting and Authentication Port numbers (if modified from the defaults)<br />
5. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
6. Enter the User ID for the User account you are using for test logins in the User ID<br />
field.<br />
7. Enter the password for the User account and (if required) an OTP from the Digipass in<br />
the Password field.<br />
8. Click on the Login button.<br />
9. The Status information field will indicate the success or failure of your logon.<br />
4 Test Back-End Authentication<br />
In this section, you will be guided through configuring the Authentication Server to use a RADIUS<br />
Back-End Server, and testing Back-End Authentication using that Back-End Server.<br />
4.1 Set up Back-End RADIUS Server<br />
There are some steps you will need to follow in order to set up the RADIUS Server to be used<br />
for Back-End Authentication.<br />
The diagram below shows the basic process involved. For help in completing each of these<br />
steps, see the relevant sub-section.<br />
Image 2: RADIUS Server Setup<br />
4.1.1 Requirements<br />
To complete the recommended steps, you will need:<br />
An installed RADIUS Server.<br />
An administrator login for the RADIUS server.<br />
4.1.2 Create RADIUS Client records<br />
Create a RADIUS Client record within the RADIUS Server for the machine on which the RADIUS<br />
Client Simulator will be running and the machine on which VACMAN Middleware is installed.<br />
4.1.3 Create a User account<br />
Create a User account in the RADIUS Server, or identify an existing account that can be used if<br />
preferred. Make sure this account has the necessary permissions so that a RADIUS Access-<br />
Request from both the RADIUS Client Simulator and from the Authentication Server will be<br />
accepted (given the correct password of course). Also make sure this account has some<br />
RADIUS 'reply attributes'.<br />
4.1.4 Enable Tracing<br />
Depending on the RADIUS Server product, some facilities will be available for tracing. This may<br />
be referred to as “logging” or “debugging” instead. If this is enabled, it will help to find out<br />
what is happening if the observed behaviour is not as expected.<br />
4.2 Test Direct Login to RADIUS Server<br />
Once the RADIUS Server has been set up, attempt a direct login using the RADIUS Client<br />
Simulator and the User account created for testing.<br />
1. Open the RADIUS Client Simulator.<br />
2. Enter the IP address of the RADIUS Server.<br />
3. Enter Authentication and Accounting port numbers if they vary from the default.<br />
4. Enter the Shared Secret you entered for the RADIUS Client created earlier.<br />
5. Select a protocol to use.<br />
6. Click on any port icon to attempt a login.<br />
7. Enter the User ID and password and click on Login.<br />
8. The 'reply attributes' set up for that User account should be displayed in the RADIUS<br />
Client Simulator.<br />
4.3 Configure VACMAN Middleware for RADIUS Back-End Authentication<br />
Create a Policy for RADIUS Back-End Authentication, or use a 'Test' Policy which can be<br />
modified as desired.<br />
Caution – Active Directory only<br />
After creating or changing a Policy, Component or Back-End Server record,<br />
make sure that you stop and start the Digipass Authentication Server service,<br />
to be sure that the new settings will take effect immediately.<br />
This is not necessary for an ODBC Database or Embedded Database.<br />
4.3.1 Local and Back-End Authentication<br />
Local and back-end authentication means that both the Authentication Server and the RADIUS<br />
Server will authenticate a login. This allows RADIUS reply attributes to be retrieved from the<br />
RADIUS Server.<br />
In this scenario, it is normal to use the Password Autolearn and Stored Password Proxy<br />
features. With these features enabled, the Authentication Server will learn the user's RADIUS<br />
Server password, so that the user does not need to log in with both their password and<br />
Digipass One Time Password at each login. However, the first time that the user logs in, they<br />
will need to provide their RADIUS Server password so that the Authentication Server can learn<br />
it. In subsequent logins, they can just log in with their One Time Password and the<br />
Authentication Server will send the stored password to the RADIUS Server.<br />
The recommended Policy settings for Local and Back-End Authentication tests are:<br />
Local Auth. should be set to Digipass/Password.<br />
Back-End Auth. should be set to Always.<br />
Back-End Protocol must be set to RADIUS.<br />
Password Autolearn should be set to Yes.<br />
Stored Password Proxy should be set to Yes.<br />
4.3.2 Create Back-End Server Record<br />
The Authentication Server must be instructed where to find the RADIUS Server. Create a Back-<br />
End Server record as follows:<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Back-End Servers node.<br />
The Back-End Servers list will be displayed in the Result pane.<br />
3. Right-click on the Back-End Servers node and select the New Back-End Server<br />
menu option.<br />
The New Back-End Server dialog will be displayed.<br />
4. Enter a display name for the Back-End Server in the Back-End Server ID field.<br />
5. Select RADIUS for the Protocol.<br />
6. Enter the Authentication and Accounting IP Address and Port values.<br />
7. Enter the Shared Secret that was configured in the RADIUS Client record in the<br />
RADIUS Server for VACMAN Middleware.<br />
8. Enter a suitable Timeout and No. of Retries.<br />
9. Click OK to create the record.<br />
10. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
4.4 Test Logins with Local and Back-End Authentication<br />
1. Configure a Policy for the authentication method, login method and protocol to be<br />
tested.<br />
2. Ensure that the RADIUS Client Simulator Component is using the configured Policy.<br />
3. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
In the RADIUS Client Simulator:<br />
4. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
5. Enter the User ID for the User account you are using for test logins in the User ID<br />
field.<br />
6. Enter the User account's RADIUS Server password followed by an OTP from the<br />
Digipass in the Password field. There should be no spaces between the password and<br />
the OTP.<br />
7. Click on the Login button.<br />
8. The Status information field will indicate the success or failure of your logon. Below<br />
you should see the RADIUS reply attributes from the RADIUS Server.<br />
9. Enter a new OTP from the Digipass into the Password field, without the RADIUS<br />
Server password in front.<br />
10. Click on the Login button.<br />
11. The Status information field will indicate the success or failure of your logon. Below<br />
you should see the RADIUS reply attributes from the RADIUS Server.<br />
Now other protocols and login types can be tried out.<br />
5 Test Management Features<br />
5.1 Auto-Assignment<br />
Initial Setup<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Components node.<br />
The Components list will be displayed in the Result pane.<br />
3. Double-click on the RADIUS Client Component for the RADIUS Client Simulator.<br />
The Component property sheet will be displayed.<br />
4. Ensure that the VM3 Local Authentication is selected in the Policy drop down list.<br />
5. Click on OK.<br />
6. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
7. Create or use a User account in the RADIUS Server which does not currently have a<br />
corresponding Digipass User account.<br />
8. Check that at least one unassigned Digipass is available in either:<br />
the same Organizational Unit,<br />
a parent Organizational Unit, or<br />
the Digipass Container<br />
If it is in one of the latter two locations, ensure that the Search Upwards in Organizational Unit<br />
hierarchy option is enabled for the VM3 Local Authentication.<br />
Test Auto-Assignment - 1<br />
In the following test, both Dynamic User Registration and Auto-Assignment should fail,<br />
meaning that a Digipass User account will not be created, and a Digipass will not be assigned<br />
to the User. This shows that the Authentication Server Component has been configured<br />
successfully.<br />
In the RADIUS Client Simulator:<br />
9. Click on any port in the Simulated NAS Ports group to display the Manual<br />
Simulation window.<br />
10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in<br />
the User ID field.<br />
11. Enter the password for the RADIUS Server User account.<br />
12. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User when Active Directory<br />
is your data store:<br />
13. Open the Active Directory Users and Computers Snap-In.<br />
14. Find the User account record and right-click on it.<br />
15. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
16. Click on the Digipass User Account tab.<br />
17. If the Created On field is blank, a Digipass User account does not exist for the User.<br />
If an ODBC or Embedded Database is your data store, simply search for the User account<br />
record in the Administration MMC Interface.<br />
Modify Settings<br />
18. Modify the Authentication Server Component to use the VM3 RADIUS Auto-<br />
Assignment Policy.<br />
19. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
Test Auto-Assignment - 2<br />
In the following test, both Dynamic User Registration and Auto-Assignment should succeed,<br />
meaning that a Digipass User account will be created, and an available Digipass will be<br />
assigned to the User.<br />
In the RADIUS Client Simulator:<br />
20. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
21. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in<br />
the User ID field.<br />
22. Enter the password for the User account.<br />
23. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User when Active Directory<br />
is your data store:<br />
24. Open the Active Directory Users and Computers Snap-In.<br />
25. Find the User account record and right-click on it.<br />
26. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
27. Click on the Digipass User Account tab.<br />
If the Created On field is not blank, a Digipass User account exists for the User.<br />
If an ODBC or Embedded Database is your data store, simply search for the User account<br />
record in the Administration MMC Interface.<br />
To check whether a Digipass has been assigned to the User:<br />
28. Click on the Digipass Assignment tab.<br />
29. If a Digipass is listed under this tab, the User has been assigned the listed Digipass.<br />
30. Check the Grace Period End field to see that a Grace Period of the correct length (7<br />
days by default) has been set.<br />
Check Grace Period<br />
Password login<br />
31. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's<br />
User ID and password only. If the Grace Period is still effective, this should be<br />
successful.<br />
OTP login<br />
32. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's<br />
User ID and One Time Password. This should be successful.<br />
Password login<br />
33. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's<br />
User ID and password only. As the OTP login from the previous step should have<br />
ended the Grace Period for the Digipass, this login should fail.<br />
34. Check the Grace Period End in the User record. It should contain today's date.<br />
5.2 Self-Assignment<br />
Initial Setup<br />
1. Open the Administration MMC Interface.<br />
2. Click on the Components node.<br />
The Components list will be displayed in the Result pane.<br />
3. Double-click on the RADIUS Client Component for the RADIUS Client Simulator.<br />
The Component property sheet will be displayed.<br />
4. Ensure that the VM3 Local Authentication is selected in the Policy drop down list.<br />
5. Click on OK.<br />
6. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
7. Create or use a User account in the RADIUS Server which does not currently have a<br />
corresponding Digipass User account.<br />
8. Check that the record for the Digipass to be used in the Self-Assignment is available in<br />
either:<br />
the same Organizational Unit,<br />
a parent Organizational Unit, or<br />
the Digipass Container<br />
If it is in one of the latter two locations, ensure that the Search Upwards in Organizational Unit<br />
hierarchy option is enabled for the VM3 Local Authentication.<br />
Test Self-Assignment - 1<br />
In the following test, both Dynamic User Registration and Self-Assignment should fail,<br />
meaning that a Digipass User account will not be created, and the selected Digipass will not be<br />
assigned to the User.<br />
In the RADIUS Client Simulator:<br />
9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in<br />
the User ID field.<br />
11. Enter the Serial Number for the Digipass, the Separator, the RADIUS Server User's<br />
Password, a Server PIN (if required) and a One Time Password from the Digipass into<br />
the Password field. eg. 98765432|password12340098787 (see the Login<br />
Permutations topic in the Administrator Reference for more information).<br />
12. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User when Active Directory<br />
is your data store:<br />
13. Open the Active Directory Users and Computers Snap-In.<br />
14. Find the User account record and right-click on it.<br />
15. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
16. Click on the Digipass User Account tab.<br />
If the Created On field is blank, a Digipass User account does not exist for the User.<br />
If an ODBC or Embedded Database is your data store, simply search for the User account<br />
record in the Administration MMC Interface.<br />
Modify Settings<br />
17. Modify the Authentication Server Component to use the VM3 RADIUS Self-<br />
Assignment Policy.<br />
18. If Active Directory is used as the data store, stop and start the Digipass Authentication<br />
Server service.<br />
Test Self-Assignment - 2<br />
In the following test, both Dynamic User Registration and Self-Assignment should succeed,<br />
meaning that a Digipass User account will be created, and the intended Digipass will be<br />
assigned to the User.<br />
In the RADIUS Client Simulator:<br />
19. Click on any port in the Simulated NAS Ports group to display the Manual Simulation<br />
window.<br />
20. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in<br />
the User ID field.<br />
21. Enter the Serial Number for the Digipass, the Separator, the RADIUS Server User's<br />
Password, a Server PIN (if required) and a One Time Password from the Digipass into<br />
the Password field. eg. 98765432|password12340098787 (see the Login<br />
Permutations topic in the Administrator Reference for more information).<br />
22. Click on the Login button.<br />
The Status information field will indicate the success or failure of your logon.<br />
Check Test Results<br />
To check whether a Digipass User account has been created for the User when Active Directory<br />
is your data store:<br />
23. Open the Active Directory Users and Computers Snap-In.<br />
24. Find the User account record and right-click on it.<br />
25. Select Properties from the list.<br />
The User property sheet will be displayed.<br />
26. Click on the Digipass User Account tab.<br />
If the Created On field is not blank, a Digipass User account exists for the User.<br />
If an ODBC or Embedded Database is your data store, simply search for the User account<br />
record in the Administration MMC Interface.<br />
To check whether the Digipass has been assigned to the User:<br />
27. Click on the Digipass Assignment tab.<br />
28. If the Digipass is listed under this tab, it has been assigned to the Digipass User<br />
account.<br />
Check Grace Period<br />
29. Check that a Grace Period has not been set.<br />
Password login<br />
30. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's<br />
User ID and password only. This should fail, as a Grace Period is not set for a Self-<br />
Assignment.<br />
OTP login<br />
31. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's<br />
User ID and One Time Password. This should be successful.<br />
6 Demo Tokens<br />
6.1 Obtaining a Demo Digipass<br />
If you do not have a demo Digipass, you can use a simulated DP300 at<br />
http://demotoken.vasco.com/<br />
The DPX files for the Demo DP300 and Demo Go 1/Go 3 are located in the DPX folder under<br />
the VACMAN Middleware installation directory.<br />
6.2 Using the Demo Go 1 or Go 3<br />
This topic explains the activation and use of the demonstration Go 1 or Go 3.<br />
Note<br />
The Demo Go 1 and Go 3, and other Go 1/Go 3 tokens, only produce a time-based<br />
One Time Password, referred to as a ‘Response’. This is referred to as<br />
the ‘Response Only’ authentication method. The Go 1 and Go 3 tokens are<br />
used with a PIN, which is entered before the Response.<br />
6.2.1 Activating the Demo Go 1/Go 3<br />
To turn on the Demo Go 1, slide the Go 1 apart to reveal the LCD screen.<br />
To turn on the Demo Go 3, press the button on the token.<br />
All Go 1/Go 3 tokens have an auto-off function, meaning that they automatically turn<br />
themselves off after short periods of inactivity.<br />
6.2.2 Obtaining a One Time Password<br />
Whenever the Demo Go 1/Go 3 is activated, it produces a 6-digit number on its LCD screen.<br />
This response number is generated based on the secret code stored within the token, and the<br />
current time.<br />
At logon, the User's Server PIN and the One Time Password from the Go 1/Go 3 should be<br />
entered into the appropriate password field in the logon screen or web page. The Server<br />
PIN is initially 1234.<br />
For example, if the One Time Password generated by the Demo Go 1/Go 3 was 235761,<br />
1234235761 should be entered in the login screen.<br />
6.2.3 Changing the Demo Go 1/Go 3 Server PIN<br />
The Demo Go 1/Go 3 Server PIN (1234) can be changed during the authentication process.<br />
To change the Demo Go 1/Go 3 Server PIN:<br />
1. Go to the login page or screen.<br />
2. In the user ID field, enter the User ID for the account you are using for testing.<br />
3. In the password field, enter the current Server PIN (1234) for the Demo Go 1/Go 3.<br />
4. Activate the Demo Digipass and enter the One Time Password generated in the<br />
response field directly after the Server PIN.<br />
5. Next, enter the new PIN for the Demo Go 1/Go 3 after the response in the Response<br />
field, then enter it again to confirm it.<br />
6. Submit your login to issue the new Server PIN information to the Authentication Server.<br />
Example<br />
To change the Server PIN for a Demo Digipass from 1234 to 5678, where the OTP generated<br />
was 111111, enter:<br />
123411111156785678<br />
in the password field and log in.<br />
Any time you log in using the Demo or another Go 1/Go 3, you may use this method to change<br />
your PIN, except for RADIUS authentications where any form of CHAP is in use (e.g. CHAP,<br />
MS-CHAP, MS-CHAP2). This is because the information is one-way hashed and cannot be<br />
retrieved from the packet.<br />
If CHAP protocols are used, refer to the User Self-Management Web Site Guide for more<br />
information about alternative web based methods for PIN change (eg. using your intranet).<br />
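The following Python sketch is an added example, not part of the VASCO guide or the product's own code. It shows why the PIN-change string can be recovered from a RADIUS PAP User-Password (RFC 2865 hiding, reversible with the Shared Secret) but not from a CHAP response (RFC 1994, an MD5 digest). The shared secret, authenticator, challenge and the 4-digit PIN / 6-digit OTP split are assumptions based on the demo values above.

```python
import hashlib


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as in RFC 2865 section 5.2 (XOR with an MD5 keystream)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_encode; anyone holding the Shared Secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || password || challenge). One-way."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def split_pin_change(field: str, pin_len: int = 4, otp_len: int = 6) -> dict:
    """Split 'PIN + OTP + new PIN + new PIN' as in the guide's example.

    pin_len and otp_len are assumptions taken from the demo token values
    (PIN 1234, 6-digit response); this is not the server's own parser.
    """
    rest = field[pin_len + otp_len:]
    if not field.isdigit() or not rest or len(rest) % 2:
        raise ValueError("field is not PIN + OTP + new PIN + confirmation")
    half = len(rest) // 2
    new_pin, confirm = rest[:half], rest[half:]
    if new_pin != confirm:
        raise ValueError("new PIN and confirmation differ")
    return {"pin": field[:pin_len], "otp": field[pin_len:pin_len + otp_len],
            "new_pin": new_pin}


def demo():
    # Constructed sample values; a real client uses a random authenticator/challenge.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    challenge = bytes(range(16, 32))
    field = "123411111156785678"  # the guide's example: 1234 -> 5678, OTP 111111

    # PAP: the server undoes the hiding and can read the new PIN.
    hidden = pap_encode(field.encode(), secret, authenticator)
    parts = split_pin_change(pap_decode(hidden, secret, authenticator).decode())

    # CHAP: the packet carries only a digest. A verifier can compare it with
    # digests of strings it already knows (here, PIN + OTP), but the new PIN
    # is not one of them, so the digest matches nothing and reveals nothing.
    sent = chap_response(7, field.encode(), challenge)
    plain_login = chap_response(7, b"1234111111", challenge)
    return parts, sent == plain_login


if __name__ == "__main__":
    print(demo())
```

The PAP hiding is keyed only by the Shared Secret, so the PIN, OTP and new PIN in the Password field are exposed to anyone who holds that secret and captures the packet.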
6.3 Using the Demo DP300<br />
This topic explains the activation and use of the demonstration DP300.<br />
6.3.1 Activate the Demo DP300<br />
The Demo DP300 is turned on with the < button.<br />
Each time the Demo DP300 is activated it will request a 4-digit PIN number (displayed on the<br />
LCD screen). The PIN for Demo DP300s is initially set to 1234.<br />
The Demo Digipass will then prompt you to indicate the application you wish to use:<br />
Application 1 : Response only<br />
When you press 1 on the keypad, the demo DP300 will produce a 6-digit number. This<br />
response number is generated based on the secret code stored within the token, and the<br />
current time.<br />
The One Time Password displayed should be entered into the appropriate password field in the<br />
logon screen or web page.<br />
Application 2 : Digital Signature<br />
When you press 2 on the keypad, you will be prompted for 3 numbers (typically from an online<br />
transaction) comprising up to 5 digits each. When all three numbers required have been<br />
entered, a 6-digit number is generated (displayed on the LCD screen). This number is the<br />
digital signature for the transaction. This needs to be entered into the appropriate field in the<br />
digital signature web page or screen.<br />
Note<br />
Digital signatures are not currently in use with the Authentication Server.<br />
Application 3: Challenge / Response<br />
When you press 3 on the keypad, the Digipass will present you with four dashes (- - - -) to<br />
indicate that a ‘challenge’ must be entered.<br />
You may have the option of holding the optical reader to the middle of the flash sequence (the<br />
white flashing panels) on the logon web page if one is presented.<br />
Alternatively, if the challenge number is shown on the screen, you can key it in directly into<br />
the keypad.<br />
The demo DP300 will then calculate and display a One Time Password based on the challenge<br />
and the secret code stored in the DP300. The One Time Password displayed should be entered<br />
into the appropriate password field in the logon screen or web page.<br />
6.3.2 Change the PIN<br />
Turn on the Demo DP300 and enter the current PIN to activate the token. Then hold down the<br />
On (
The Administration MMC Interface allows Digipass to be unlocked using the Unlock option. See<br />
the Help in the Administration MMC Interface for more information.<br />
7 Set up Live System<br />
7.1 Checklist<br />
Set up RADIUS Server<br />
Set up your RADIUS Server with the necessary User accounts and RADIUS<br />
attributes.<br />
Modify RADIUS Client Configuration<br />
Configure the RADIUS Clients to send authentication requests to the Authentication<br />
Server.<br />
Import More Digipass<br />
Import all required Digipass records.<br />
Create Digipass User Accounts<br />
If required, manually create Digipass User accounts. Alternatively, enable Dynamic<br />
User Registration in VACMAN Middleware.<br />
Create New Policy<br />
Create the necessary Policies in the Administration MMC Interface for login<br />
authentications requested by the RADIUS Clients.<br />
Create Component Records for the RADIUS Clients<br />
Create a Component record for the RADIUS Clients in the Administration MMC<br />
Interface, linking them to the correct Policies. You may wish to use the default<br />
RADIUS Client for some or all RADIUS Clients instead.<br />
Test Digipass Logins<br />
Test Digipass logins through the RADIUS Clients, using One Time Passwords.<br />