Identikey Server Getting Started Guide - Vasco
Identikey Server
Getting Started Guide
3.1
Disclaimer of Warranties and Limitations of Liabilities
The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright
Copyright © 2009 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

RADIUS Documentation Disclaimer
The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the RADIUS server and its operation in the Identikey Server environment. It is recommended that further information be gathered from your NAS/RAS vendor for information on the use of RADIUS.

Trademarks
VASCO®, Vacman®, IDENTIKEY®, aXs GUARD, DIGIPASS®, and ® are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

Document Version: 1.1
Table of Contents
1 Introduction
1.1 Identikey Server Implementation
1.2 Identikey Server Testing
1.3 Topics Not Included
1.4 What You Need to Know/Have before Starting
1.5 Available Guides
2 Install and Setup
2.1 Basic Setup Procedure
2.2 Install the RADIUS Client Simulator
2.3 Install Identikey Server
2.4 Configure Identikey Server
2.5 Set Up Auditing
3 Testing
3.1 Test Local Authentication
3.2 Test Windows Back-End Authentication
3.3 Test RADIUS Back-End Authentication
3.4 Test Management Features
4 Demo Tokens
4.1 Using the Demo DP300
4.2 Using the Demo Go 1 or Go 3
5 Set up Live System
5.1 Checklist
<strong>Identikey</strong> <strong>Server</strong> <strong>Getting</strong> <strong>Started</strong> <strong>Guide</strong> 3
1 Introduction
This Getting Started Guide will introduce you to Identikey Server. It will help you set up a basic installation of Identikey Server and get to know the product and the tools it includes. It covers only basic information and the most common configuration requirements. Other options and more in-depth instructions are covered in other manuals.

1.1 Identikey Server Implementation
This guide covers a basic Windows implementation of Identikey Server, suitable for an evaluation or simple setup:
- Identikey Server installed with standard configuration
- Embedded PostgreSQL database as data store
- RADIUS environment
- Administration Web Interface
It includes information on configuration of Identikey Server for specific management scenarios.

1.2 Identikey Server Testing
This guide will lead you through testing of management features, such as setting up auto-assignment of Digipass to Digipass Users.

1.3 Topics Not Included
This guide does not cover topics such as:
- Installation instructions
- Detailed introduction to Identikey Server, its features and components
- Detailed instructions on the use of Identikey Server
- Additional components
- Virtual Digipass
- Backup and recovery

1.4 What You Need to Know/Have before Starting
- The encrypted DPX file provided with Digipass (unless you will only use the provided demo Digipass files)
- Transport Key for the DPX file (if using your own file)
- Installation disk or executable
- Installation Guide

1.5 Available Guides
The following Identikey Server guides are available:

Product Guide
The Product Guide will introduce you to the features and concepts of Identikey Server and the various options you have for using it.

Getting Started Guide
The Getting Started Guide will lead you through a standard setup and testing of key Identikey Server features.

Windows Installation Guide
Use this guide when planning and working through an installation of Identikey Server in a Windows environment.

Linux Installation Guide
Use this guide when planning and working through an installation of Identikey Server in a Linux environment.

Administrator Reference
In-depth information required for administration of Identikey Server. This includes references such as data attribute lists, backup and recovery and utility commands.

Performance and Deployment Guide
Contains information on common deployment models and performance statistics.

Help Files
Context-sensitive help accompanies the Administration Web Interface and the Digipass Extension for Active Directory Users and Computers.

Identikey Server SDK Programmers Guide
In-depth information required to develop using the SDK.
2 Install and Setup
2.1 Basic Setup Procedure
The diagram below illustrates the basic procedure which this Guide will take you through in the initial setup for Identikey Server.
Image 1: Basic Setup Procedure

2.2 Install the RADIUS Client Simulator
The RADIUS Client Simulator (RCS) is a program that simulates RADIUS Authentication and Accounting processing in a similar fashion to RADIUS-enabled Network Access Server and Firewall devices. The RCS can be used to test User authentication and Digipass authentication, to estimate RADIUS Server performance, or to test system overload.
Install the RADIUS Client Simulator on a machine in the required Domain:
1. Locate and run radius-simulator_4_0_0.msi.
2. Follow the prompts until the installation is complete.
If you chose the default install location, the Simulator will be installed to the C:\Program Files\VASCO\RADIUS Client Simulator directory.
3. Launch the Simulator from the Start menu.
Note: The RADIUS Client Simulator uses port 1812 for authentication requests and port 1813 for accounting requests, by default.
2.3 Install Identikey Server
Install Identikey Server according to the Basic Installation instructions in the Windows Installation Guide.

RADIUS Topology
When prompted to select a RADIUS topology, select either:
- Identikey Server as standalone RADIUS Server (this will require you to skip the RADIUS Back-End Authentication topic)
- Identikey Server in front of RADIUS Server

SSL Certificate Password
When prompted for a certificate password, note the password you enter. This will be used later in the Getting Started process.

Automatic Settings
Some settings which are created automatically for the Identikey Server are:
- Example Policies
- A Component record for the Identikey Server, which will point to a default Policy
- A default RADIUS Client Component record

Auditing
The Audit Viewer will be installed with Identikey Server.

2.4 Configure Identikey Server
The Administration Web Interface is the main administration tool available. It can be used to administer Digipass User and Digipass records, and to configure various settings and connections. See the Product Guide for more information.
1. Open the Administration Web Interface.
2. Enter your User ID and password.
3. Click on Log in.

2.4.1 Create a Test Policy
To create the required Test Policy:
1. Open the Administration Web Interface.
2. Click on Policies -> Create.
3. Enter the required information:
a. Policy ID: Test
b. Inherits from: IK3 Local Authentication
4. Enter a description if desired.
5. Click on Create.

2.4.2 Set Up Client Record
Default RADIUS Client
Configure the default RADIUS Client record to use the Test Policy created in 2.4.1 Create a Test Policy. The RADIUS Client Simulator will use this Component record.
Note: The Shared Secret for the default RADIUS Client record, and for the RADIUS Client Simulator, is set to "default". That value is only acceptable for an isolated evaluation: the shared secret is what obscures the User-Password attribute and lets the client verify the server's replies, so replace it with a long random value on both sides before the server is reachable from a real network.

2.4.3 Create a Test User record
1. Open the Administration Web Interface.
2. Click on Users -> Create.
3. Enter the required information. A User ID of 'Test User' may make the record easier to find.
4. Click on Create.

2.4.4 Import Digipass Records
Before a Digipass may be assigned to a Digipass User, a record for it must be imported into the data store. This record includes all important information about the Digipass, including its serial number, Applications, and programming information. This information is transported to you in the form of a .dpx file.
Demo Digipass may be used for the testing and familiarisation tasks in this guide. The .dpx file for these is located in \dpx.
To import Digipass records:
1. Open the Administration Web Interface.
2. Click on Digipass -> Import.
3. Enter or browse for the import path and filename for the DPX file.
4. Enter the transport key. This is 11111111111111111111111111111111 for the installed demo Digipass DPX files (press the 1 key 32 times).
5. Click on Upload.
6. Click on Next.
7. Click on Import.
8. Click on Finish.
The transport key for your own DPX files decrypts the programming secrets of every Digipass in the file, so treat it as key material: enter it only in the import dialog and do not leave it in scripts, tickets or e-mail.

2.4.5 Assign Digipass to Test User
Before a User can use a Digipass to log in, the Digipass must be assigned to their User account within the data store.
To assign a Digipass record to the Test User account:
1. Open the Administration Web Interface.
2. Click on Users -> Assign Digipass.
3. Search for the Test User using the criteria on the Search User tab.
4. Click Search.
5. Select the Test User from the list.
6. Click Next.
7. Search for Digipass using the criteria on the Search Digipass tab.
8. Select Search Now to select a specific Digipass to assign.
9. Select a Digipass from the list if more than one is found.
10. Click Next.
11. Click Assign.
12. Click on Finish.

2.4.6 Configure the RADIUS Client Simulator
Configure the RADIUS Client Simulator with the details for the Identikey Server:
- IP address
- Shared Secret (if modified from the default)
- Accounting and Authentication Port numbers (if modified from the defaults)
2.5 Set Up Auditing
1. Open the Audit Viewer (Start Menu -> Programs -> VASCO -> Identikey Server -> Audit Viewer).
2. Expand the Servers item in the navigation pane.
3. Click on Local Server.
4. Enter the User ID and password for an administrator account in Identikey Server.
5. Click on OK.
A live audit connection will be established.
3 Testing
This section will guide you through testing direct logins to Identikey Server and a back-end RADIUS server, testing Back-End Authentication, testing various management features, and the configuration or administration changes required.
At various points in the process, test logins are recommended to ensure that the previous steps have not caused unexpected problems. This also helps in troubleshooting, as it helps to pinpoint where in the process a problem occurred.
The diagram below illustrates the basic testing procedure.

Test Pre-requisites
If you are going to test all types of login methods and authentication options available, you will need:
- A Digipass User account with:
  - A corresponding Windows User account
  - A stored static password which is the same as the Windows account's password
- A Digipass or Demo Digipass with Response Only and Challenge/Response Applications, assigned to the Digipass User account.
- A new Policy named 'Test'.

Modifying the Test Policy
Each scenario will require modification of the Test Policy created in 2.4.1 Create a Test Policy. Use these instructions to edit the Test Policy:
1. Open the Administration Web Interface.
2. Click on Policies -> List.
3. Find and click on the Test Policy.
4. Click on the required tab:
- Local Authentication and Back-End Authentication settings can be found under the Policy tab.
- Dynamic User Registration, Password Autolearn and Stored Password Proxy settings can be found under the User tab.
- Application Type, Assignment Mode, Grace Period, Serial Number Separator and Search Upwards in Org. Unit Hierarchy settings can be found under the Digipass tab.
- Challenge/Response settings can be found under the Challenge tab.
5. Click on Edit.
6. Make the required changes.
7. Click on Save.

Testing a Login via the RADIUS Client Simulator
In each scenario, you will need to attempt a login using the RADIUS Client Simulator. Once it is configured correctly, simply follow the directions below to try a login:
1. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
2. Enter the User ID for the User account you are using for test logins in the User ID field.
3. Enter the password for the User account and (if required) an OTP from the Digipass in the Password field.
4. Click on the Login button.
5. The Status information field will indicate the success or failure of your login.
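The following is an added example, not VASCO code and not the RADIUS Client Simulator itself, showing what the Manual Simulation login above puts on the wire (RFC 2865): an Access-Request carrying User-Name, a User-Password obscured with the shared secret, and a Request Authenticator, followed by a check of the Response Authenticator on the reply so that a reply from a server configured with a different shared secret, or a forged reply, is not trusted. The server side is a constructed in-memory stand-in with one user ("Test User" / "Secret123"), not Identikey Server; the shared secret "default" and ports 1812/1813 are the defaults this guide mentions.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
AUTH_PORT, ACCT_PORT = 1812, 1813  # defaults used by the simulator and Identikey Server
DEFAULT_SECRET = b"default"        # shared secret of the guide's default RADIUS Client record


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    if len(pw) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pw += b"\x00" * ((-len(pw)) % 16)
    if not pw:
        pw = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        c = _xor(pw[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def decrypt_password(blob, secret, authenticator):
    """Server side of the same transform; the plaintext was NUL-padded, so strip trailing NULs."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_access_request(ident, secret, username, password, nas_ip="127.0.0.1"):
    """What the simulator sends to UDP/1812: header, random Request Authenticator, attributes."""
    authenticator = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encrypt_password(password, secret, authenticator)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body, authenticator


def build_reply(code, ident, secret, request_auth, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_reply(packet, secret, request_auth, expected_ident):
    """Client side: verify the Response Authenticator before trusting Code or attributes."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, decode_attrs(body)


# Constructed stand-in for the authenticating server: one Test User with a static password.
USERS = {"Test User": "Secret123"}


def fake_server(packet, secret):
    _, ident, _ = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    user = attrs[USER_NAME].decode("utf-8", "replace")
    password = decrypt_password(attrs[USER_PASSWORD], secret, request_auth)
    if USERS.get(user) == password:
        reply_attrs = [(REPLY_MESSAGE, b"Welcome " + user.encode())]
        return build_reply(ACCESS_ACCEPT, ident, secret, request_auth, reply_attrs)
    return build_reply(ACCESS_REJECT, ident, secret, request_auth, [])


def simulate_login(username, password, client_secret=DEFAULT_SECRET, server_secret=DEFAULT_SECRET):
    """One manual-simulation login: returns (code, reply attributes) or raises on an unverifiable reply."""
    packet, request_auth = build_access_request(42, client_secret, username, password)
    reply = fake_server(packet, server_secret)  # in reality: sendto(server, AUTH_PORT) / recvfrom
    return parse_reply(reply, client_secret, request_auth, 42)
```

The reply-attribute list returned by simulate_login is what the simulator shows below the Status field. A shared-secret mismatch shows up in two places at once: the server decrypts garbage from User-Password and rejects, and the client cannot verify the Response Authenticator on that rejection, which is why a wrong secret looks like a "bad password" on the server and an "invalid reply" on the client.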
3.1 Test Local Authentication
This topic covers testing logins handled by the Identikey Server, with no back-end authentication enabled. Three login methods will be covered:
- Static password (does not require a Digipass)
- Response Only (requires a Digipass with a Response Only application)
- Challenge/Response (requires a Digipass with a Challenge/Response application)

3.1.1 Static Password
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to None.
- Set Password Autolearn to Yes.
Check Grace Period
Check the record for the Digipass being used for testing. The grace period should be set for a time in the future. If it is not, the static password login will fail. While the grace period is open the static password alone is accepted even though a Digipass is assigned, so on a live system keep it as short as the rollout allows.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the Digipass User ID and static stored password.

3.1.2 Response Only
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Response Only.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to None.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the Digipass User ID and the OTP from your Digipass.

3.1.3 Challenge/Response
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Challenge/Response.
- Set 2-step Challenge/Response Request Method to Keyword.
- Set Keyword to 2StepCR.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to None.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the Digipass User ID and the keyword (2StepCR). Enter the Challenge provided by the RCS into your Digipass. Enter the same Digipass User ID and the Response provided by your Digipass.
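As an added example (not VASCO code), here is the keyword-triggered two-step flow just described expressed as RADIUS messages. The first Access-Request carries the keyword in the Password field and is answered with an Access-Challenge that holds a State attribute and the challenge in Reply-Message; the second Access-Request carries the Response and echoes State, which RFC 2865 requires the NAS to return unchanged. The arithmetic in token_response is a constructed HMAC stand-in for what the Digipass computes, not the DIGIPASS algorithm, and the user name, token secret and message-dict shape are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

KEYWORD = "2StepCR"       # the keyword configured in the Test Policy above
CHALLENGE_DIGITS = 8
RESPONSE_DIGITS = 6


def token_response(token_secret: bytes, challenge: str) -> str:
    """Constructed stand-in for the response a Digipass derives from a typed-in challenge
    (HMAC-SHA256 truncated to digits). Not the DIGIPASS algorithm."""
    mac = hmac.new(token_secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class ChallengeResponseServer:
    """Server side of the keyword-triggered two-step flow, at the level of RADIUS messages."""

    def __init__(self, tokens):
        self.tokens = tokens      # user id -> token secret (constructed data)
        self.pending = {}         # State value -> (user id, challenge); single use

    def access_request(self, user, password, state=None):
        if user not in self.tokens:
            return {"code": "Access-Reject"}
        if state is None:
            # Step 1: the keyword in the Password field asks for a challenge. Anything else
            # is not a valid first step for this policy and is rejected.
            if password != KEYWORD:
                return {"code": "Access-Reject"}
            challenge = "".join(str(secrets.randbelow(10)) for _ in range(CHALLENGE_DIGITS))
            state = secrets.token_hex(16)
            self.pending[state] = (user, challenge)
            return {"code": "Access-Challenge", "State": state,
                    "Reply-Message": "Challenge: " + challenge}
        # Step 2: the NAS echoes State; pop it so a replayed response cannot succeed twice.
        pend = self.pending.pop(state, None)
        if pend is None or pend[0] != user:
            return {"code": "Access-Reject"}
        expected = token_response(self.tokens[user], pend[1])
        if hmac.compare_digest(expected.encode(), password.encode()):
            return {"code": "Access-Accept"}
        return {"code": "Access-Reject"}


def client_login(server, user, token_secret):
    """What the RCS operator does by hand: send the keyword, read the challenge, key it into
    the Digipass, then send the response under the same User ID."""
    step1 = server.access_request(user, KEYWORD)
    if step1["code"] != "Access-Challenge":
        return step1["code"]
    challenge = step1["Reply-Message"].split("Challenge: ", 1)[1]
    response = token_response(token_secret, challenge)
    return server.access_request(user, response, state=step1["State"])["code"]
```

The State value is the only thing tying the second request to the challenge that was issued, so it is generated unpredictably and consumed on first use; a client that drops it, or an attacker replaying a captured response, gets an Access-Reject.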
3.2 Test Windows Back-End Authentication
This topic covers testing the Identikey Server's use of Windows for back-end authentication. First, we test Identikey Server using only back-end authentication, then a combination of local and back-end authentication.
Three login methods will be covered:
- Static password (does not require a Digipass)
- Response Only (requires a Digipass with a Response Only application)
- Challenge/Response (requires a Digipass with a Challenge/Response application)

3.2.1 Back-End Authentication Only
3.2.1.1 Static Password
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Local Auth. to None.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to Windows.
Check Grace Period
Check the record for the Digipass being used for testing. The grace period should be set for a time in the future. If it is not, the static password login will fail.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the Digipass User ID and the static stored password (which the Test Pre-requisites require to be the same as the Windows account's password).

3.2.2 Local and Back-End Authentication
3.2.2.1 Static Password
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to Windows.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the Digipass User ID and static stored password.

3.2.2.2 Response Only
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Response Only.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to Windows.
- Set Stored Password Proxy to Yes.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the Digipass User ID and the OTP from your Digipass.

3.2.2.3 Challenge/Response
Modify Test Policy
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Application Type to Challenge/Response.
- Set 2-step Challenge/Response Request Method to Keyword.
- Set Keyword to 2StepCR.
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to Windows.
- Set Stored Password Proxy to Yes.
Test Login
Run a test login using the RADIUS Client Simulator (see Testing a Login via the RADIUS Client Simulator for instructions), using the Digipass User ID and the keyword (2StepCR). Enter the Challenge provided by the RCS into your Digipass. Enter the same Digipass User ID and the Response provided by your Digipass.
3.3 Test RADIUS Back-End Authentication
In this topic, you will be guided through configuring the Identikey Server to use a RADIUS Back-End Server, and testing Back-End Authentication using that Back-End Server.

3.3.1 Set up Back-End RADIUS Server
There are some steps you will need to follow in order to set up the RADIUS Server to be used for Back-End Authentication. The diagram below shows the basic process involved. For help in completing each of these steps, see the relevant sub-section.
Image 2: RADIUS Server Setup

Requirements
To complete the recommended steps, you will need:
- An installed RADIUS Server.
- An administrator login for the RADIUS server.

Create RADIUS Client records
Create a RADIUS Client record within the RADIUS Server for the machine on which the RADIUS Client Simulator will be running and for the machine on which the Identikey Server is installed.

Create a User account
Create a User account in the RADIUS Server, or identify an existing account that can be used if preferred. Make sure this account has the necessary permissions so that a RADIUS Access-Request from both the RADIUS Client Simulator and from the Identikey Server will be accepted (given the correct password, of course). Also make sure this account has some RADIUS 'reply attributes'.

Enable Tracing
Depending on the RADIUS Server product, some facilities will be available for tracing. This may be referred to as "logging" or "debugging" instead. If this is enabled, it will help to find out what is happening if the observed behaviour is not as expected.

3.3.2 Test Direct Login to RADIUS Server
Once the RADIUS Server has been set up, attempt a direct login using the RADIUS Client Simulator and the User account created for testing.
1. Open the RADIUS Client Simulator.
2. Enter the IP address of the RADIUS Server.
3. Enter Authentication and Accounting port numbers if they vary from the default.
4. Enter the Shared Secret you entered for the RADIUS Client created earlier.
5. Select a protocol to use.
6. Click on any port icon to attempt a login.
7. Enter the User ID and password and click on Login.
8. The 'reply attributes' set up for that User account should be displayed in the RADIUS Client Simulator.
3.3.3 Configure Identikey Server for RADIUS Back-End Authentication
3.3.3.1 Local and Back-End Authentication
Local and back-end authentication means that both the Identikey Server and the RADIUS Server will authenticate a login. This allows RADIUS reply attributes to be retrieved from the RADIUS Server.
In this scenario, it is normal to use the Password Autolearn and Stored Password Proxy features. With these features enabled, the Identikey Server will learn the user's RADIUS Server password, so that the user does not need to log in with both their password and Digipass One Time Password at each login. However, the first time that the user logs in, they will need to provide their RADIUS Server password so that the Identikey Server can learn it. In subsequent logins, they can just log in with their One Time Password and the Identikey Server will send the stored password to the RADIUS Server. Note that with Password Autolearn the Identikey Server data store then holds a copy of each user's back-end password, so the data store and its backups need the same protection as the back-end's own credential store.
Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
- Set Local Auth. to Digipass/Password.
- Set Back-End Auth. to Always.
- Set Back-End Protocol to RADIUS.
- Set Password Autolearn to Yes.
- Set Stored Password Proxy to Yes.
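As an added example (not VASCO code), the model below shows how the policy settings used across Sections 3.1 to 3.3 combine at login time: Local Auth, Back-End Auth, Password Autolearn, Stored Password Proxy and the Digipass grace period. It walks through the first password+OTP login that teaches the server the back-end password, the OTP-only login that proxies it, a replayed OTP, a static-password login inside and outside the grace period, and the case where the proxy is off. The OTP routine, the back-end and its accounts are constructed stand-ins (not the DIGIPASS algorithm or a real Windows/RADIUS back-end), and the order in which the checks are applied is an assumption made for illustration, not a description of Identikey Server internals.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

OTP_LEN = 6


def otp_for(token_secret: bytes, counter: int) -> str:
    """Constructed event-based OTP stand-in (HMAC-SHA256 truncated to digits); not the DIGIPASS algorithm."""
    mac = hmac.new(token_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_LEN).zfill(OTP_LEN)


@dataclass
class Policy:
    local_auth: str = "Digipass/Password"   # "Digipass/Password" or "None"
    backend_auth: str = "None"              # "None" or "Always"
    password_autolearn: bool = False
    stored_password_proxy: bool = False


@dataclass
class User:
    user_id: str
    stored_password: Optional[str] = None    # static password held in the data store
    token_secret: Optional[bytes] = None     # None means no Digipass assigned
    grace_period_end: Optional[datetime] = None
    counter: int = 0                         # next OTP the stand-in token will accept


class BackEnd:
    """Constructed stand-in for the Windows domain or the back-end RADIUS server."""

    def __init__(self, accounts):
        self.accounts = accounts

    def verify(self, user_id, password):
        return self.accounts.get(user_id) == password


def check_otp(user, candidate):
    """Accept only the current counter value, then advance so the same OTP cannot be replayed."""
    if user.token_secret is None or len(candidate) != OTP_LEN or not candidate.isdigit():
        return False
    if hmac.compare_digest(otp_for(user.token_secret, user.counter), candidate):
        user.counter += 1
        return True
    return False


def authenticate(policy, user, typed, backend, now):
    """Return (accepted, reason). `typed` is the RCS Password field: a static password, an OTP,
    or the static password immediately followed by the OTP with no separator."""
    if not typed:
        return False, "empty password"
    otp_verified, static_part = False, typed
    if policy.local_auth == "Digipass/Password":
        if user.token_secret is None:
            return False, "no Digipass assigned"
        if len(typed) >= OTP_LEN and check_otp(user, typed[-OTP_LEN:]):
            otp_verified, static_part = True, typed[:-OTP_LEN]
        elif not (user.grace_period_end and now < user.grace_period_end):
            return False, "OTP invalid and grace period expired"
        # otherwise the grace period is still open: the static password alone is allowed
    if policy.backend_auth == "Always":
        if not static_part:
            # OTP-only login: forward the learned password, but only after a verified OTP
            if not (otp_verified and policy.stored_password_proxy and user.stored_password):
                return False, "nothing to send to the back-end (proxy off or no password learned)"
            static_part = user.stored_password
        if not backend.verify(user.user_id, static_part):
            return False, "back-end rejected the password"
        if policy.password_autolearn:
            user.stored_password = static_part   # learned only from a successful back-end check
        return True, "back-end accepted"
    if policy.local_auth != "Digipass/Password":
        return False, "policy has neither local nor back-end authentication"
    if static_part:
        if user.stored_password is None or not hmac.compare_digest(
                user.stored_password.encode(), static_part.encode()):
            return False, "static password does not match the stored password"
    return True, "local accepted"
```

Two details are worth noticing. The stored password is only ever forwarded after an OTP has been verified in the same request, so turning Stored Password Proxy on does not let an empty or wrong Password field through. And a password is only learned when the back-end has accepted it, so a typo on the first login is not memorised.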
3.3.3.2 Create Back-End Server Record
The Identikey Server needs to be able to locate the RADIUS Server. This requires a Back-End Server record in the data store. To create a new Back-End Server record:
1. Open the Administration Web Interface.
2. Click on Back-End -> Register RADIUS Back-End.
3. Enter a display name for the Back-End Server in the Back-End Server ID field.
4. Enter the Authentication and Accounting IP Address and Port values.
5. Enter the Shared Secret that was configured in the RADIUS Client record in the RADIUS Server for Identikey Server.
6. Enter a suitable Timeout and No. of Retries.
7. Click Create to create the record.
3.3.4 Test Logins with Local and Back-End Authentication
1. Configure the Test Policy for the login method to be tested – e.g. Response-Only, Challenge/Response.
2. Ensure that the RADIUS Client Simulator client record is using the configured Policy.
In the RADIUS Client Simulator:
3. Enter the IP address of the Identikey Server.
4. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
5. Enter the User ID for the User account you are using for test logins in the User ID field.
6. Enter the User account's RADIUS Server password followed by an OTP from the Digipass in the Password field. There should be no spaces between the password and the OTP.
7. Click on the Login button.
8. The Status information field will indicate the success or failure of your logon. Below you should see the RADIUS reply attributes from the RADIUS Server.
9. Enter a new OTP from the Digipass into the Password field, without the RADIUS Server password in front.
10. Click on the Login button.
11. The Status information field will indicate the success or failure of your logon. Below you should see the RADIUS reply attributes from the RADIUS Server.
3.4 Test Management Features
In this topic, you will be guided through the testing of basic management features in Identikey Server.
3.4.1 Auto-Assignment
Initial Setup
1. Open the Administration Web Interface.
2. Click on Clients -> List.
3. Click on the client record for the RADIUS Client Simulator.
4. Ensure that the Test Policy is selected in the Policy drop down list.
5. Click on OK.
6. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
Set Local Auth. to Digipass/Password.
Set Back-End Auth. to Always.
Set Back-End Protocol to RADIUS.
Set Password Autolearn to Yes.
Set Stored Password Proxy to Yes.
Set Dynamic User Registration to No.
Set Assignment Mode to Neither.
Set Application Type to No Restriction.
Set Search Upwards in Organizational Unit hierarchy to Yes.
Set Grace Period – 7 days is the standard time period used.
7. Create or use a User account in the RADIUS Server which does not currently have a corresponding Digipass User account.
8. Check that at least one unassigned Digipass is available in the Digipass Container.
Test Auto-Assignment - 1
In the following test, both Dynamic User Registration and Auto-Assignment should fail, meaning that a Digipass User account will not be created, and a Digipass will not be assigned to the User. This shows that the Identikey Server record has been configured successfully.
In the RADIUS Client Simulator:
9. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
10. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
11. Enter the password for the RADIUS Server User account.
12. Click on the Login button.
The Status information field will indicate the success or failure of your logon.
Check Test Results
To check whether a Digipass User account has been created for the User, search for the User account record in the Administration Web Interface. If it does not exist, the test has been successful.
Modify Settings
13. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
Set Dynamic User Registration to Yes.
Set Assignment Mode to Auto-Assignment.
Test Auto-Assignment - 2
In the following test, both Dynamic User Registration and Auto-Assignment should succeed, meaning that a Digipass User account will be created, and an available Digipass will be assigned to the User.
In the RADIUS Client Simulator:
14. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
15. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
16. Enter the password for the User account.
17. Click on the Login button.
The Status information field will indicate the success or failure of your logon.
Check Test Results
To check whether a Digipass User account has been created for the User, search for the User account record in the Administration Web Interface.
To check whether a Digipass has been assigned to the User:
18. Click on Assigned Digipass.
19. If a Digipass is listed, the User has been assigned the listed Digipass.
20. Check the Grace Period End field to see that a Grace Period of the correct length (7 days by default) has been set.
Check Grace Period
Password login
21. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. If the Grace Period is still effective, this should be successful.
OTP login
22. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and One Time Password. This should be successful.
Password login
23. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. As the OTP login from the previous step should have ended the Grace Period for the Digipass, this login should fail.
24. Check the Grace Period End in the User record. It should contain today's date.
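The Grace Period behaviour checked in steps 20 to 24, as an added toy model (not VASCO's code). It assumes the RADIUS password has already been learned, a 6-digit OTP, and the guide's 7-day default; the user names, passwords, OTP values and date are constructed. It also covers the Self-Assignment case from the next section, where no Grace Period is set.

```python
# Added example (not VASCO's code): a toy model of the Auto-Assignment Grace Period.
# A password-only login is accepted only while the Grace Period is still effective;
# the first successful OTP login ends it, so a later password-only login is rejected.
# Self-Assignment creates the user without a Grace Period.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

OTP_LEN = 6      # assumption: 6-digit OTPs, as produced by the demo tokens
GRACE_DAYS = 7   # the guide's standard Grace Period length


@dataclass
class DigipassUser:
    user_id: str
    radius_password: str            # assumed already learned by Password Autolearn
    valid_otps: set                 # constructed stand-in for the token algorithm
    grace_period_end: Optional[date] = None


def assign(user_id, radius_password, valid_otps, today, mode):
    """Creates the Digipass User record; only Auto-Assignment ('auto') sets a Grace Period."""
    end = today + timedelta(days=GRACE_DAYS) if mode == "auto" else None
    return DigipassUser(user_id, radius_password, set(valid_otps), end)


def login(user: DigipassUser, password_field: str, today: date) -> str:
    """Returns 'grace' (password-only accepted), 'otp' (OTP accepted) or 'reject'."""
    grace_open = user.grace_period_end is not None and today < user.grace_period_end
    if password_field == user.radius_password:
        return "grace" if grace_open else "reject"   # password-only login
    static, otp = password_field[:-OTP_LEN], password_field[-OTP_LEN:]
    # OTP-only (stored password proxied) and password+OTP are both Digipass logins
    if static not in ("", user.radius_password) or otp not in user.valid_otps:
        return "reject"
    user.valid_otps.discard(otp)         # each OTP is single use
    if grace_open:
        user.grace_period_end = today    # first OTP use ends the Grace Period (step 24)
    return "otp"


def demo_sequence():
    today = date(2009, 6, 1)             # constructed date for the walk-through
    auto = assign("alice", "s3cret", {"123456", "654321"}, today, "auto")
    r21 = login(auto, "s3cret", today)   # step 21: password only, Grace Period still open
    r22 = login(auto, "123456", today)   # step 22: OTP login
    r23 = login(auto, "s3cret", today)   # step 23: password only again, now rejected
    grace_end = auto.grace_period_end.isoformat()   # step 24: today's date
    selfa = assign("bob", "hunter2", {"999999"}, today, "self")
    r13 = login(selfa, "hunter2", today)            # Self-Assignment: no Grace Period
    r14 = login(selfa, "hunter2999999", today)      # password + OTP still works
    return r21, r22, r23, grace_end, r13, r14
```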
3.4.2 Self-Assignment
To complete this test, you will need to have a Digipass physically available, and free to be assigned to a test User account.
Initial Setup
1. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
Set Dynamic User Registration to No.
Set Assignment Mode to Neither.
Set Search Upwards in Organizational Unit hierarchy to Yes.
Set Serial Number Separator to :.
2. Create or use a User account in the RADIUS Server which does not currently have a corresponding Digipass User account.
3. Check that the desired Digipass is in the Digipass Container and unassigned.
Test Self-Assignment - 1
In the following test, both Dynamic User Registration and Self-Assignment should fail, meaning that a Digipass User account will not be created, and the selected Digipass will not be assigned to the User.
In the RADIUS Client Simulator:
1. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
2. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
3. Enter the Serial Number for the Digipass, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the Digipass into the Password field, e.g. 98765432|password12340098787 (see the Login Permutations topic in the Administrator Reference for more information).
4. Click on the Login button.
The Status information field will indicate the success or failure of your logon.
Check Test Results
A successful test should result in a failed login and no new Digipass User account created.
To check whether a Digipass User account has been created for the User, search for the User account record in the Administration Web Interface.
Modify Settings
5. Make these changes to the Test Policy (see Modifying the Test Policy for instructions):
Set Dynamic User Registration to Yes.
Set Assignment Mode to Self-Assignment.
Test Self-Assignment - 2
In the following test, both Dynamic User Registration and Self-Assignment should succeed, meaning that a Digipass User account will be created, and the intended Digipass will be assigned to the User.
In the RADIUS Client Simulator:
6. Click on any port in the Simulated NAS Ports group to display the Manual Simulation window.
7. Enter the User ID for the RADIUS Server User account you created earlier (step 7) in the User ID field.
8. Enter the Serial Number for the Digipass, the Separator, the RADIUS Server User's Password, a Server PIN (if required) and a One Time Password from the Digipass into the Password field, e.g. 98765432|password12340098787 (see the Login Permutations topic in the Administrator Reference for more information).
9. Click on the Login button.
The Status information field will indicate the success or failure of your logon.
Check Test Results
To check whether a Digipass User account has been created for the User, search for the User account record in the Administration Web Interface.
To check whether the Digipass has been assigned to the User:
10. Click on Digipass Assignment.
11. If the Digipass is listed under this tab, it has been assigned to the Digipass User account.
Check Grace Period
12. Check that a Grace Period has not been set.
Password login
13. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and password only. This should fail, as a Grace Period is not set for a Self-Assignment.
OTP login
14. Using the RADIUS Client Simulator, attempt a login using the RADIUS Server User's User ID and One Time Password. This should be successful.
4 Demo Tokens
4.1 Using the Demo DP300
This topic explains the activation and use of the demonstration DP300.
4.1.1 Activate the Demo DP300
The Demo DP300 is turned on with the < button.
Each time the Demo DP300 is activated it will request a 4-digit PIN (displayed on the LCD screen). The PIN for Demo DP300s is initially set to 1234.
The Demo Digipass will then prompt you to indicate the application you wish to use:
Application 1: Response Only
When you press 1 on the keypad, the Demo DP300 will produce a 6-digit number. This response number is generated from the secret code stored within the token and the current time.
The One Time Password displayed should be entered into the appropriate password field in the logon screen or web page.
Application 2: Digital Signature
When you press 2 on the keypad, you will be prompted for 3 numbers (typically from an online transaction) of up to 5 digits each. When all three numbers have been entered, a 6-digit number is generated (displayed on the LCD screen). This number is the digital signature for the transaction. It needs to be entered into the appropriate field in the digital signature web page or screen.
Application 3: Challenge/Response
When you press 3 on the keypad, the Digipass will present you with four dashes (- - - -) to indicate that a 'challenge' must be entered.
You may have the option of holding the optical reader to the middle of the flash sequence (the white flashing panels) on the logon web page, if one is presented.
Alternatively, if the challenge number is shown on the screen, you can key it directly into the keypad.
The Demo DP300 will then calculate and display a One Time Password based on the challenge and the secret code stored in the DP300. The One Time Password displayed should be entered into the appropriate password field in the logon screen or web page.
4.1.2 Change the PIN
Turn on the Demo DP300 and enter the current PIN to activate the token. Then hold down the On (
4.2.2 Obtaining a One Time Password
Whenever the Demo Go 1/Go 3 is activated, it produces a 6-digit number on its LCD screen.
This response number is generated from the secret code stored within the token and the current time.
At logon, the User's Server PIN and the One Time Password from the Go 1/Go 3 should be entered into the appropriate password field in the logon screen or web page. The Server PIN is initially 1234.
For example, if the One Time Password generated by the Demo Go 1/Go 3 was 235761, 1234235761 should be entered in the login screen.
4.2.3 Changing the Demo Go 1/Go 3 Server PIN
The Demo Go 1/Go 3 Server PIN (1234) can be changed during the authentication process.
To change the Demo Go 1/Go 3 Server PIN:
1. Go to the login page or screen.
2. In the User ID field, enter the User ID for the account you are using for testing.
3. In the password field, enter the current Server PIN (1234) for the Demo Go 1/Go 3.
4. Activate the Demo Digipass and enter the One Time Password generated in the response field, directly after the Server PIN.
5. Next, enter the new PIN for the Demo Go 1/Go 3 after the response in the Response field, then enter it again to confirm it.
6. Submit your login to issue the new Server PIN information to the Identikey Server.
Example
To change the Server PIN for a Demo Digipass from 1234 to 5678, where the OTP generated was 111111, enter:
123411111156785678
in the password field and log in.
Any time you log in using the Demo or another Go 1/Go 3, you may use this method to change your PIN, except for RADIUS authentications where any form of CHAP is in use (e.g. CHAP, MS-CHAP, MS-CHAPv2). This is because the password information is one-way hashed and cannot be retrieved from the packet, so the Identikey Server cannot read the new PIN out of it.
If CHAP protocols are used, refer to the User Self-Management Web Site Guide for more information about alternative web based methods for PIN change (e.g. using your intranet).
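Parsers for two of the composite password-field formats this guide describes, the Self-Assignment permutation from section 3.4.2 (serial number, separator, RADIUS password, optional Server PIN, OTP) and the Go 1/Go 3 PIN-change permutation above (Server PIN, OTP, new PIN, new PIN). This is an added example, not VASCO's code; the 4-digit PIN and 6-digit OTP lengths are assumptions taken from the demo tokens, the ":" separator is the Test Policy setting, and the serial number and password values are constructed.

```python
# Added example (not VASCO's code): splitting the composite password field.
# Both permutations only work because the PIN and OTP have fixed, known lengths;
# the variable-length RADIUS password is whatever is left in the middle. Because the
# server must see the field in clear to split it, neither works under CHAP-style
# protocols, where only a one-way hash of the whole field reaches the server.
PIN_LEN = 4   # assumption: 4-digit Server PIN, as for the demo tokens
OTP_LEN = 6   # assumption: 6-digit OTP, as for the demo tokens


def parse_self_assignment(field: str, separator: str = ":", pin_required: bool = False) -> dict:
    """Splits <serial><separator><password>[<Server PIN>]<OTP> into its parts."""
    serial, sep, rest = field.partition(separator)
    if sep == "" or not serial.isdigit():
        raise ValueError("missing serial number or separator")
    pin_len = PIN_LEN if pin_required else 0
    if len(rest) <= pin_len + OTP_LEN:           # need at least one password character
        raise ValueError("field too short for password, PIN and OTP")
    otp = rest[-OTP_LEN:]
    pin = rest[-(OTP_LEN + pin_len):-OTP_LEN] if pin_required else None
    password = rest[:len(rest) - OTP_LEN - pin_len]
    if not otp.isdigit() or (pin is not None and not pin.isdigit()):
        raise ValueError("Server PIN and OTP must be numeric")
    return {"serial": serial, "password": password, "server_pin": pin, "otp": otp}


def parse_pin_change(field: str) -> dict:
    """Splits <Server PIN><OTP><new PIN><new PIN>; the two copies of the new PIN must agree."""
    expected = PIN_LEN + OTP_LEN + 2 * PIN_LEN
    if len(field) != expected or not field.isdigit():
        raise ValueError(f"PIN change field must be {expected} digits")
    pin = field[:PIN_LEN]
    otp = field[PIN_LEN:PIN_LEN + OTP_LEN]
    new_pin, confirm = field[-2 * PIN_LEN:-PIN_LEN], field[-PIN_LEN:]
    if new_pin != confirm:
        raise ValueError("new PIN confirmation does not match")
    return {"server_pin": pin, "otp": otp, "new_pin": new_pin}
```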
5 Set up Live System
5.1 Checklist
[ ] Set up RADIUS Server
Set up your RADIUS Server with the necessary User accounts and RADIUS attributes.
[ ] Modify RADIUS Client Configuration
Configure the RADIUS Clients to send authentication requests to the Identikey Server.
[ ] Import More Digipass
Import all required Digipass records.
[ ] Create Digipass User Accounts
If required, manually create Digipass User accounts. Alternatively, enable Dynamic User Registration in Identikey Server.
[ ] Create New Policy
Create the necessary Policies in the Administration Web Interface for login authentications requested by the RADIUS Clients.
[ ] Create Component Records for the RADIUS Clients
Create a Component record for the RADIUS Clients in the Administration Web Interface, linking them to the correct Policies. You may wish to use the default RADIUS Client for some or all RADIUS Clients instead.
[ ] Test Digipass Logins
Test Digipass logins through the RADIUS Clients, using One Time Passwords.