Product Guide. Digipass Plug-In for IAS. IAS Plug-In. Digipass Extension for Active Directory Users and Computers. Administration MMC Interface IAS


Digipass Plug-In for IAS
Product Guide

IAS Plug-In
Digipass Extension for Active Directory Users and Computers
Administration MMC Interface

IAS: Microsoft's Internet Authentication Service

Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to you.

RADIUS Documentation Disclaimer

The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the RADIUS server and its operation in the VACMAN Middleware environment. It is recommended that further information be gathered from your NAS/RAS vendor for information on the use of RADIUS.

Copyright

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective holders.


Index of Tables

Table 1: Login static password Requirements
Table 2: Backup Virtual Digipass Policy/Digipass Settings
Table 3: Summary of Digipass Record Location Options
Table 4: Digipass Options
Table 5: Backup Virtual Digipass Example Guidelines
Table 6: User Account Identification Methods
Table 7: VACMAN Middleware and IAS Plug-In Authentication Settings
Table 8: DPADadmin tasks
Table 9: Audit message types

Index of Images

Image 1: Digipass Plug-In for IAS Overview
Image 2: Login Method Processes
Image 3: Authentication Process
Image 4: GO 1
Image 5: GO 3
Image 6: DP 300
Image 7: DP 585
Image 8: DP
Image 9: GO 2
Image 10: DP
Image 11: Digipass for Pocket PC
Image 12: Digipass for SIM
Image 13: Digipass for Palm
Image 14: Virtual Digipass Login
Image 15: Digipass Record Locations - Digipass Pool
Image 16: Digipass Record Locations - Parent Organizational Unit
Image 17: Digipass Record Locations - Individual Organizational Units
Image 18: Assignment Method Processes
Image 19: Dynamic User Registration
Image 20: Login Method Processes
Image 21: Windows Group Check Process
Image 22: Policy Selection
Image 23: Policy Inheritance
Image 24: Component Overview
Image 25: Component Use by IAS Plug-In
Image 26: OTP Request Site

1 Overview

1.1 Digipass Plug-In for IAS

The main purpose of the Digipass Plug-In for IAS is to improve your network security by adding two-factor authentication to Microsoft's Internet Authentication Service (IAS). It consists of two main parts.

The IAS Plug-In is an Authentication Module for IAS which enables two-factor authentication using Digipass. Digipass are devices used to generate a One Time Password. The IAS Plug-In interacts with IAS by performing the authentication check when IAS passes the Access-Request to it. When this occurs depends on the Authentication Policies defined in IAS. The IAS Plug-In does not perform any authorization checks; however, if authentication is successful, it can instruct IAS to use a specific RADIUS Profile.

The User logs in through the usual channel, using their Digipass to generate a One Time Password. The IAS Plug-In checks the User details and, if correct, passes the authentication request on to IAS.

Image 1: Digipass Plug-In for IAS Overview

What is Two-Factor Authentication?

Methods of identifying an individual can be separated into three main categories:
- Something they have (eg ID card)
- Something they know (eg static password)
- Something they are (eg thumbprint)

Standard authentication is usually based on a UserID and a static password, and relies on only one factor of identification - something the User knows. In contrast, Digipass authentication relies on two factors of identification - something the User has (the Digipass) and something the User knows (a static PIN or password). This is commonly referred to as two-factor authentication.

What is a One Time Password?

A One Time Password (OTP) is a dynamic password created by a Digipass. It is either time-based (valid for a specific time interval) or event-based (valid for a specific usage count of the Digipass).

1.2 Digipass Introduction

What is a Digipass?

A Digipass is a device for providing a One Time Password to a User. The Digipass is provided to each person whom a company wishes to be able to log into their system using One Time Passwords. The User obtains a One Time Password from the Digipass to use instead of, or as well as, a static password when logging in.

Virtual Digipass is a mechanism where an OTP is generated by the server and sent by text message to the User's mobile phone. In this case, a physical Digipass is not needed.

Logging in with a Digipass

The diagram below shows a typical login process for the three basic login methods supported by the IAS Plug-In. The actual details entered by the User may vary, depending on Policy settings.

Image 2: Login Method Processes

Types of Digipass

There are three basic types of Digipass:

Hardware Digipass
Hardware Digipass are devices specifically designed for creation of One Time Passwords. Depending on the model supplied, they may be used for Response Only, Challenge/Response and Digital Signature (not supported by the IAS Plug-In) methods.

Software Digipass
Software Digipass may be installed on a PDA or other mobile device. The User then accesses a Digipass program to obtain a One Time Password. They typically support Response Only, Challenge/Response and Digital Signature (not supported by the IAS Plug-In) methods.

Virtual Digipass
Virtual Digipass can be used instead of hardware Digipass tokens, or as a backup mechanism when a User has mislaid their hardware Digipass. Using Virtual Digipass means that a User may receive a One Time Password on their mobile phone via text message.

1.3 Software Components

The Digipass Plug-In for IAS consists of various components, some required and some optional:

Required Components

IAS Plug-In
This module is an addition to Microsoft's Internet Authentication Service which permits an increase in IAS security by adding two-factor authentication. Versions 5.0 of IAS and later are supported.

Data Store
Additional User account information, Digipass records and other required Digipass-related settings are stored in Active Directory.

Administration Interfaces
- Digipass Extension for Active Directory Users and Computers: VASCO Extension to the Active Directory Users and Computers interface. Allows integrated administration of additional User settings and Digipass records.
- Administration MMC Interface: This interface allows easy administration of Digipass Configuration data.

Optional Components

User Self Management Web Site
Allows Users to make appropriate changes to their own Digipass settings, including PIN changes.

Virtual Digipass
The VASCO components used for Virtual Digipass are:
- Message Delivery Component: Sends a One Time Password through a text message HTTP gateway to a User's mobile phone.
- OTP Request Site: Allows a User to specifically request an OTP to be sent to their mobile phone.

Extra Utilities

These extra utilities may be used with the Digipass Plug-In for IAS, but require separate installations.

Data Migration Tool
The VASCO Data Migration Tool is a utility which allows you to migrate your data from one VASCO product to another.

RADIUS Client Simulator
The RADIUS Client Simulator is a program that simulates RADIUS Authentication and Accounting processing in a similar fashion to RADIUS enabled Network Access Server and Firewall devices. The RCS can be used to test User authentication, Digipass authentication, estimate RADIUS Server performance, test system overload, and assist in detection of resource (memory, handle, etc.) leakage.

1.4 Authentication Process

The authentication process used by the IAS Plug-In will vary depending on settings in the applicable Policy and Digipass User account. The diagram below shows the basic process followed by the IAS Plug-In when authenticating a Digipass User login.

Image 3: Authentication Process

Local and Back-End Authentication

The IAS Plug-In authenticates logins in two basic ways:
- Using information from its data store ('local' authentication)
- Asking Windows for verification of information ('back-end' authentication)

'Local' Authentication
The IAS Plug-In checks the details given in the authentication request against the details in its data store. This is when a Digipass User's One Time Password is checked. See Local Authentication for more information.

'Back-End' Authentication
The IAS Plug-In checks the details given in the authentication request - User ID and domain - with Windows. The User's static password is also checked, and may be retrieved from the stored static password or from the authentication request, depending on Policy settings. See Back-End Authentication for more information.

Policies

Policies specify various login settings which can affect how a User must log in. The Policy used for a specific authentication request is decided based on the RADIUS Client that transmitted the request or based on the IAS Plug-In component that handles the request. Some policy settings include:
- Whether Local and/or Back-End Authentication should be used
- Whether various automatic management features should be used
- The Digipass Application types required for login
- Backup Virtual Digipass settings

Digipass User Account

A Digipass User account is attached to an Active Directory User account, by including additional attributes. These attributes are stored in an auxiliary class attached to the User object class. The account is created to hold authentication settings for the IAS Plug-In. It includes settings such as Digipass assignment and authentication overrides.

The Digipass User account contains some login settings that affect how a User must log in. These settings can be used to override equivalent settings in the relevant Policy.

A Digipass User account is created as required for a User record in Active Directory - for example when a Digipass must be assigned or Digipass User account settings modified. When Auto-Assignment is enabled (see later), creation of the account via Dynamic User Registration is the trigger for a Digipass to be automatically assigned to the User.

Digipass User Account Settings

Stored Static Password
This may be used when local authentication is enabled and back-end authentication disabled, to avoid using the Windows static password for remote network access. It can be used for authenticating a User when a Digipass has not been assigned, or the assigned Digipass is still in the grace period. It can also be used for the Virtual Digipass feature, which requires a static password to be used in addition to the transmitted OTP.

Local Authentication
See Local and Back-End Authentication. The Digipass User account setting overrides the Policy setting of the same name.

Back-End Authentication
See Local and Back-End Authentication. The Digipass User account setting overrides the Policy setting of the same name.

Disabled
Specifies whether the Active Directory User account has been disabled. If so, the User will be rejected by the IAS Plug-In.

Locked
If a Digipass User account is locked, the User will be unable to log in until it is unlocked by an administrator.

User Account Link
Link to another Active Directory User account utilized by the same person. This may be used where an administrator needs to use their Digipass to log in via two different accounts.

RADIUS Profiles
Provides an authorisation link to IAS by selecting a RADIUS Profile.

Record Creation Time
The time and date when the Digipass User account was created. This is significant because it is used as an indicator of whether a given Active Directory User has a Digipass User account.

Static Passwords

When a static password is required for a login through the IAS Plug-In, which static password is checked depends on the settings in the relevant Policy. It will be either:
- Stored (local) static password in the Digipass User account. If back-end authentication is in use, this will be a copy of the Windows static password - this is not typically required for the IAS Plug-In. Otherwise it will be a static password unrelated to the Windows static password.
- Windows static password

Common Scenarios

The table below shows common scenarios and the static password that the User would be required to enter on login.

Scenario | Password Required
Local Authentication enabled and Back-End Authentication disabled | Stored static password
Dynamic User Registration enabled and needed for the login | Windows static password
Virtual Digipass login with Back-End Authentication enabled | Windows static password
Challenge/Response login with Back-End Authentication enabled (1) | Windows static password

Table 1: Login static password Requirements

(1) If static password is required to request a Challenge/Response login

1.5 Features

The IAS Plug-In includes many features to make administration simple and easy. These include integration with your current User Management system and automated processes for Digipass and User management.

Active Directory Integration

The Digipass Plug-In for IAS uses Active Directory to store VASCO-specific User attributes, Digipass records and Digipass Configuration information (eg Policies).

User Management

These features help your administrators streamline their User management:

Dynamic User Registration (DUR)
A Digipass User Account can be automatically created for a User new to the IAS Plug-In upon successful login through IAS. This allows the User to be assigned a Digipass, and the IAS Plug-In to process their future logins.

Windows Group Check
The IAS Plug-In can be configured to only authenticate Users belonging to specific Windows Groups. See Windows Group Check for more information.

Digipass Management

These features will assist your administrators by automating the main Digipass management tasks required:

Self-Assignment
Your company might decide to distribute all of the Digipass to your Users, then require each User to self-assign their Digipass. On their first login, the User must enter a password combination which includes the Digipass serial number, to inform the IAS Plug-In of the assignment. The User account is then linked with the relevant Digipass record.

Auto-Assignment
A Digipass may be automatically assigned to a User upon creation of a Digipass User account, when Dynamic User Registration is used.

Grace Period
The Grace Period supplies a User with a set amount of time (eg. 7 days) between assignment of a Digipass and the User being required to log in for the first time using an OTP from their Digipass.

1.6 Supported Protocols

The following protocols are supported by the Digipass Plug-In for IAS:
- PAP
- CHAP
- MS-CHAP with MPPE (Microsoft Point-to-Point Encryption)
- MS-CHAP2 with MPPE
- EAP-MD5

1.7 Unsupported by Digipass Plug-In for IAS

Windows 2000 Limitations

These are not supported with Windows 2000: EAP-MD5 Challenge/Response

Other Unsupported Protocols

These protocols are not supported by the Digipass Plug-In for IAS:
- Other EAP types
- PEAP
- EAP-TTLS
- Various EAP types

IAS Remote Access Policy Limitations

Windows Server 2003 Remote Access Policy Conditions may be set based on the password protocol being used for an authentication request, using the Authentication-Type option. When the IAS Plug-In authenticates a login, the Authentication-Type is recorded within IAS as "Extension", regardless of the actual password protocol used. Therefore, any Remote Access Policy Conditions limiting the password protocol being used will not work with the IAS Plug-In.

Example
Authentication-Type is set to PAP, meaning that any authentication requests which do not use the PAP password protocol will be rejected. If the IAS Plug-In is configured to use the PAP protocol, the Authentication-Type recognised when it makes an authentication request will be 'Extension' (meaning that IAS has recognised it as an IAS extension). The request will be failed by IAS because the password protocol being used by the Plug-In was only registered as 'Extension', not as 'PAP'.

1.8 Available Reference Guides

Reference Guides are included with every VASCO product:

Product Guide
The Product Guide will introduce you to the features of this product and the various options you have for using it.

Installation Guide
Use this guide when planning and working through an installation of the product.

Getting Started
To get you up and running quickly with a simple installation and setup of the product.

Administrator Reference
In-depth information required for administration of the product. This includes references such as data attribute lists, backup and recovery and utility commands.

Data Migration Tool Guide
Takes you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.

Help Files
Context-sensitive help accompanies the administration interfaces.

2 Digipass

This section contains information specific to Digipass, their setup and management on your network.

2.1 Types of Digipass

Hardware Digipass

The three basic types of hardware Digipass are:

Digipass without keypads
These are the simplest type of Digipass. They have a triggering mechanism - typically a button or action, such as pulling the Digipass open - which causes a One Time Password to be generated. They have only one Application, which is Response Only.

Image 4: GO 1
Image 5: GO 3

Digipass with keypads
These are typically capable of supporting more than one Application, and can be programmed so that a PIN must be entered before a One Time Password may be accessed.

Image 6: DP 300
Image 7: DP 585
Image 8: DP

Smartcard reader Digipass
These provide two-factor authentication based on smartcard technology.

Image 9: GO 2
Image 10: DP

Software Digipass

Image 11: Digipass for Pocket PC
Image 12: Digipass for SIM
Image 13: Digipass for Palm

Digipass for Pocket PC
Digipass for Pocket PC turns Pocket PCs and smart phones into a personal hardware security device to provide One Time Passwords and Digital Signatures.

Digipass for Palm
Like Digipass for Pocket PC, Digipass for Palm allows generation of One Time Passwords and Digital Signatures from Palm Pilots and other devices utilising the Palm technology.

Digipass for SIM
Digipass for SIM allows a GSM mobile phone SIM card to be used to generate One Time Passwords.

Digipass for Windows
Digipass for Windows can be installed directly onto a PC. One Time Passwords and Digital Signatures can be generated on your computer and pasted into the required login window.

Virtual Digipass

There are two forms of Virtual Digipass available:

Primary Virtual Digipass are treated by the IAS Plug-In almost identically to hardware Digipass - a record of each Primary Virtual Digipass must be imported into the data store, and may then be assigned to a User automatically or manually. The User will typically log in with their User ID and static password, have a text message sent to their mobile phone, and then enter the One Time Password from the text message in the second stage of their login.

The Backup Virtual Digipass feature allows a User to request a One Time Password sent to their mobile phone if they do not have their usual Digipass at hand. It may be limited by number of uses or days of use - eg. a User may be limited to 2 days' usage, after which they will again need to use their usual Digipass to log in.

2.2 How do Digipass Work?

Digipass Applications

Each Digipass is programmed with at least one Digipass Application, and a unique algorithm. The Digipass uses this unique algorithm when generating One Time Passwords. Each type of Digipass Application generates One Time Passwords from different data, and in slightly different ways:

Response Only
Creates a One Time Password based on the date and time, or on the number of uses (events).

Challenge/Response
Creates a One Time Password (also referred to as a 'Response' in this context) based on a numerical challenge given on a login page. This may be either a challenge custom-created for the specific Digipass, or a randomly created challenge. The One Time Password may also be based on the date and time.

Digital Signature
Digital Signature Digipass Applications are typically used in online banking. The Digipass generates a unique code - referred to as a 'Digital Signature' - based on a number of factors entered, plus (optionally) the date and time, or number of uses (events). In an online banking environment, the factors used to generate the Digital Signature during a funds transfer might be the debit account number, the destination account number and the amount of money being transferred. Digital Signatures are not currently in use with the Digipass Plug-In for IAS.

Virtual Digipass Differences

The IAS Plug-In treats Primary Virtual Digipass slightly differently to other Digipass. The two main differences are:

Grace Period
A Primary Virtual Digipass cannot be used until its grace period has expired, if the method of requesting an OTP is the static password. This is to ensure that text messages are only sent when needed - avoiding unnecessary cost to the company and/or Users. However, in this case the OTP Request Site or User Self Management Web Site may be used to prematurely end the grace period.

Backup Virtual Digipass
The Backup Virtual Digipass feature cannot be enabled for a Primary Virtual Digipass.

Virtual Digipass Login Process

The diagram below shows the basic process that occurs when a User logs in with a Virtual Digipass:

Image 14: Virtual Digipass Login

How Does a User Request an OTP?

There are three ways a User might request a One Time Password to be delivered with either a Primary or Backup Virtual Digipass:

2-step Login
Two login prompts are used to provide an easy-to-use login interface for Users with Virtual Digipass. The first prompt is used to request an OTP, the second to enter the received OTP. This can be used with applications which support 2-step logins - eg. Citrix Web Interface, RADIUS with support for Challenge/Response.

Two 1-step Logins
The User must attempt two logins, the first of which will fail but will initiate the sending of an OTP to the User's mobile. This is used when the 2-step login process is not supported - eg. RADIUS without support for Challenge/Response.

OTP Request Site
Alternatively - especially if a more user-friendly option than the previous is needed - Users can go to the OTP Request site when they need an OTP sent to their mobile phone, then login normally at the usual login screen.

Digipass Programming

A Digipass is programmed using a Digipass Programmer and the necessary software. This may be done by your company or by your supplier. Common settings which may affect your administration tasks are explained below.

Digipass PIN

A Digipass PIN may be required for a Digipass. If set, the PIN must be entered into the Digipass before obtaining a One Time Password. This means that just possessing the Digipass is not enough to log in to a network - the person logging in must also know the Digipass PIN. Digipass PIN settings include:
- An Initial PIN can be set for a Digipass. The PIN must then be sent to the User of the Digipass, typically separate from the Digipass delivery.
- First Use PIN Modification allows a Digipass to require a PIN change from the User upon first use.
- PIN Change allows a User to change their PIN as desired.
- The PIN Length can be set for a Digipass.
- Digipass Lock sets the number of consecutive faulty PIN entries allowed before the Digipass is locked.

Time/Event-based Digipass Applications

Response Only
Response Only Digipass Applications can be either time-based or event-based:
- Time-based: A time-based Application will change the OTP to be displayed based on the current time. The common time step used is 36 seconds and means that the OTP to be displayed will change every 36 seconds, whether or not an OTP has been requested from the Digipass.
- Event-based: An event-based Digipass Application will display a new OTP each time a request for an OTP is made.

Challenge/Response
Challenge/Response Digipass Applications can be either time-based or non-time-based:
- Time-based: A time-based Challenge/Response Digipass Application will generate an OTP based on the Challenge given and the current time. The common time step used is 9 hours ('slow challenge'). This would mean that if the exact same Challenge were given to a Digipass within a 9 hour period, the Digipass Application will generate the same OTP. However, Challenges are very rarely repeated within such a time period.
- Non-time-based: A non-time-based Challenge/Response Digipass Application will generate an OTP based only on the Challenge given.

OTP Length

The length of the OTP (excluding check digit) generated by the Digipass for Response Only and Challenge/Response Digipass Applications.

Check Digit
A check digit may be added to each OTP. This is generated from the response and allows for faster invalidation of incorrect OTPs.

Challenge Length

The length of the Challenge (excluding check digit) which should be expected by the Digipass. This is used by the Challenge/Response Digipass Application.

Check Digit
A check digit may be expected with each Challenge. This is generated by the server from the Challenge and allows the Digipass to reject most invalid Challenges.

Digipass Record Settings
These settings are kept in the record for a Digipass Application, and affect which OTP is expected by the IAS Plug-In.

Time/Event-based Settings

Time Based: Specifies whether the algorithm for the Digipass application is time-based (see Time/Event-based Digipass Applications for more information).

Time Step Used: The time step used by the Digipass Application (see Time/Event-based Digipass Applications for more information).

Last Time Shift: Time Shift records any misalignments between the time recorded on the Digipass and the time recorded on the server, each time a User logs in. This ensures that if either clock drifts from the correct time, an allowance can be made by the IAS Plug-In and the User will still be able to log in. If the time drift goes beyond the allowable time window between User logins, the Digipass record will have to be reset (this allows for recalculation of the time drift).

Example: Time window may be 5 steps in either direction. This means that 11 OTPs would be considered valid: the exact OTP for that time, and the OTPs for the 5 time steps either side of the exact time. If the OTP given is for a different time step, the time shift for that Digipass will be recorded. The next time the User logs in, the expected OTP will be calculated based on that time shift.

Last Event Value: The current number of uses of the Digipass Application, according to the Digipass. This can get out of sync with the number of uses recorded by the IAS Plug-In when:
- login failures occur for other reasons than incorrect OTP
- the Digipass has been used without a login (eg. children have been playing with it)
- the Digipass is being used to log in to two separate systems
The purpose of this setting is much the same as the Last Time Shift setting: it allows the IAS Plug-In to track any shifts between the event count recorded by itself and the Digipass.

Response Length
This setting determines the length of the OTP (excluding check digit) expected by the server from the Digipass Application.
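The time window and Last Time Shift behaviour described above can be modelled as follows. This is an added sketch, not VASCO's code: the Digipass algorithm is not given in this guide, so `stand_in_otp` is an HMAC-based substitute, and the 8-digit length, the names and the replay check are assumptions of the example.

```python
import hashlib
import hmac
import struct

TIME_STEP = 36   # seconds; the common Response Only time step quoted above
WINDOW = 5       # steps accepted either side of the expected step (the guide's example)
OTP_LENGTH = 8   # assumed Response Length, excluding check digit


def stand_in_otp(secret, step, length=OTP_LENGTH):
    """Stand-in OTP function (HMAC-SHA1 with RFC 4226-style truncation).

    The real Digipass algorithm is not described in the guide; any keyed
    function of the time step shows the window logic equally well.
    """
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** length).zfill(length)


def candidate_steps(expected, window=WINDOW):
    """Steps the server will try, closest to the expected step first."""
    return [expected + d for d in sorted(range(-window, window + 1), key=abs)]


class ApplicationRecord:
    """Server-side record for one time-based application (hypothetical model)."""

    def __init__(self, secret):
        self.secret = secret
        self.last_time_shift = 0        # drift in steps, learned at each login
        self.last_accepted_step = None  # assumption: used to refuse replayed OTPs

    def verify(self, otp, server_time, window=WINDOW):
        # The expected step already includes the drift recorded at the last login.
        expected = int(server_time) // TIME_STEP + self.last_time_shift
        for step in candidate_steps(expected, window):
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue  # never accept the same or an older step twice
            if hmac.compare_digest(stand_in_otp(self.secret, step), otp):
                self.last_time_shift += step - expected  # record the new drift
                self.last_accepted_step = step
                return True
        return False
```

Calling `verify` with a larger `window` for one login models the effect of the Reset Application function: the wider search lets the server re-learn a drift that has grown past the normal window.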

Response Check Digit
Whether a check digit may be expected with each OTP from the Digipass Application. This is generated from the response and allows for faster invalidation of incorrect OTPs.

Server PIN
The term 'Server PIN' is used to mean a PIN that the user enters into the login password field in front of the OTP displayed on the Digipass. It is checked by the authenticating server. The 'Digipass PIN' referred to earlier indicates a PIN entered into a keypad on the Digipass. That is checked by the device itself, and is never transmitted to the server.

There are a number of Server settings regulating Server PINs:

PIN Supported: Whether a PIN must be included in a User's login.
PIN Change On: Is a User allowed to change their Server PIN for this Digipass?
Force PIN Change: Must the User change their Server PIN the next time they log in?
PIN Length: The length of the current Server PIN.
PIN Minimum Length: The minimum PIN length required by the Server.

Backup Virtual Digipass

Policy and Digipass settings
Several settings dictate how a User may utilize the Backup Virtual Digipass feature. These settings are:
- Enable or disable Backup Virtual Digipass and enable method (eg. Required).
- Time limit/expiry (applies to Time Limited enable only)
- Maximum number of times a User may make use of the Backup Virtual Digipass.

The above settings may be set both at the Policy level and at the Digipass record level. Individual settings override Policy settings for an individual Digipass, but some Policy settings (see below) may be used to automatically set Digipass settings which are blank when the Backup Virtual Digipass is first utilized by the User.

Time Limit and Max. Uses/User

Table 2: Backup Virtual Digipass Policy/Digipass Settings
Server Setting: Time Limit. User Setting: Enabled Until.
Server Setting: Max. Uses/User. User Setting: Uses Remaining.

If Backup Virtual Digipass is enabled for a Digipass and set to Time Limited, and the Enabled Until field in the Digipass property sheet is blank on their first use of the Backup Virtual Digipass, their time limit will begin on their first use of the feature. The expiry date (today's date + Time Limit) will then be displayed in the Enabled Until field.

If a Max. Uses/User is set for the relevant Policy and a Digipass record's Uses Remaining field in their User property sheet is blank on their first use of the Backup Virtual Digipass, a number (Max Uses/User) will be automatically entered into their Uses Remaining field and immediately decremented by 1.

Note: If a User has Backup Virtual Digipass enabled with Enabled Until date set and their Uses Remaining has been set (automatically or manually), whichever of these expires first will disable Backup Virtual Digipass for the User.

eg. Backup Virtual Digipass is enabled for a User as Time Limited, and the server Time Limit setting is 3 days. The Max. Uses/User Policy setting is 5. When the User first makes use of the Backup Virtual Digipass, their Enabled Until is set to a date 3 days hence and their Uses Remaining to 4. During the next 48 hours, they log in 4 more times. Although the User's time limit does not run out for another 24 hours, their Uses Remaining is now 0 and Backup Virtual Digipass is disabled.
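The first-use initialisation and the "whichever expires first" rule above, modelled as an added example (not the product's code). The class and field names are hypothetical, and treating Enabled Until as an exact timestamp rather than a calendar date is an assumption of the sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    time_limit_days: Optional[int] = None     # server "Time Limit" setting
    max_uses_per_user: Optional[int] = None   # server "Max. Uses/User" setting


@dataclass
class BackupSettings:
    """Per-Digipass Backup Virtual Digipass fields (hypothetical model)."""
    enabled: bool = True
    time_limited: bool = True                 # enable method "Time Limited"
    enabled_until: Optional[datetime] = None  # blank until first use
    uses_remaining: Optional[int] = None      # blank until first use


def request_backup_otp(rec, policy, now):
    """Decide one Backup Virtual Digipass OTP request; returns (allowed, reason)."""
    if not rec.enabled:
        return False, "disabled"

    # Blank fields are filled from the Policy on first use.
    if rec.time_limited and rec.enabled_until is None \
            and policy.time_limit_days is not None:
        rec.enabled_until = now + timedelta(days=policy.time_limit_days)
    if rec.uses_remaining is None and policy.max_uses_per_user is not None:
        rec.uses_remaining = policy.max_uses_per_user

    # Whichever limit is exhausted first disables the feature.
    if rec.time_limited and rec.enabled_until is not None \
            and now > rec.enabled_until:
        return False, "time limit expired"
    if rec.uses_remaining is not None:
        if rec.uses_remaining <= 0:
            return False, "no uses remaining"
        rec.uses_remaining -= 1   # the first use is decremented immediately

    return True, "ok"
```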

2.3 Digipass Records

Location of Digipass Records
When a Digipass is assigned to a User, it is moved to the same location as the Digipass User account it is assigned to. This makes it easier to set up the permissions necessary for delegated administration.

Note: A Digipass record will not automatically be moved when the User account to which it is assigned is moved to another location. When moving User accounts within Active Directory, ensure that the records of any assigned Digipass are manually moved to the same location.

Unassigned Digipass records may be stored in various places in the domain:

Digipass Pool: During installation, a container is created in the Domain called Digipass-Pool. This is intended as a general store for unassigned Digipass, regardless of which administrator is performing assignment.

Organizational Units: Digipass can be loaded or moved either into the exact Organizational Units where the User accounts to which they will be assigned are located, or into a few key Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units.

Users Container: Digipass can be loaded into the Users container, so they are available for Users in that container. However, it is not recommended to use the Users container for either User accounts or Digipass.

Note: The IAS Plug-In will always find or assign the closest available Digipass record to the selected User record(s).

When looking for an available Digipass to assign to a User, the IAS Plug-In will first look in the same location as the specific User account. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the IAS Plug-In to search in parent Organizational Units and the Digipass Pool container. This option may be set at the Policy level for system searches (eg. Auto-Assignment and Self-Assignment) or at the time of the search for manual assignment.
If the assignment is manual (performed by an administrator), it will only find and successfully assign Digipass from locations where the administrator has the correct permissions. The administrator must have read permission for Digipass objects in the location to find a Digipass record, and if it needs to be moved to the User's location, they must have delete permission for Digipass objects to successfully assign the Digipass. If the administrator has sufficient permissions to view a Digipass record but not to assign it, the assignment will fail.

Table 3: Summary of Digipass Record Location Options

Record Location: Digipass Pool
Pros: Only administrators with access to the Digipass Pool may view or modify records for unassigned Digipass. This also means that only those administrators may manually assign Digipass.
Cons: An extra permission must be assigned to all administrators who should be able to assign Digipass (if they are not Domain Admins). It is not possible to strictly subdivide the unassigned Digipass among the Organizational Units according to quotas.

Record Location: Organizational Unit
Pros: Digipass may be portioned out to various Organizational Units. This is particularly useful where a company is contracted to provide authentication services to multiple companies, or where various departments have different Digipass quota.
Cons: If an Organizational Unit runs out of Digipass to assign its Users, more Digipass records must be manually moved to the right location.

Record Location: Users Container
Pros: Digipass can be assigned to any User in the Users container.
Cons: Digipass in the Users container are only available to User accounts stored there.
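The search order and the permission rules for manual assignment described above can be modelled as below. This is an added example, not the Plug-In's code: Organizational Units are represented as tuples of names from the domain root down, permissions are listed explicitly per location, and the serial numbers in the usage are constructed.

```python
POOL = "Digipass-Pool"   # container created at installation


def search_path(user_ou, search_upwards):
    """Locations searched for an unassigned Digipass, closest first.

    user_ou is a tuple such as ("A", "A2"), meaning OU A2 inside OU A.
    With Search Upwards enabled, the parent OUs are searched next and
    the Digipass Pool last.
    """
    path = [user_ou]
    if search_upwards:
        path += [user_ou[:i] for i in range(len(user_ou) - 1, 0, -1)]
        path.append(POOL)
    return path


def assign_digipass(user_ou, unassigned, search_upwards, admin=None):
    """Pick the closest available Digipass for a User in user_ou.

    unassigned: dict mapping location -> list of unassigned serial numbers.
    admin:      dict mapping location -> set of permissions on Digipass
                objects for a manual assignment; None models a system
                search (Auto-Assignment, Self-Assignment).
    Returns (serial, source_location), or None if nothing was found.
    """
    for location in search_path(user_ou, search_upwards):
        perms = None if admin is None else admin.get(location, set())

        # Without read permission the administrator cannot see records here.
        if perms is not None and "read" not in perms:
            continue

        records = unassigned.get(location, [])
        if not records:
            continue

        # A record found elsewhere must be moved to the User's location,
        # which needs delete permission on the source location.
        if location != user_ou and perms is not None and "delete" not in perms:
            raise PermissionError(
                f"record visible in {location!r} but cannot be moved")

        return records.pop(0), location
    return None
```

A `PermissionError` here corresponds to the case where the administrator can view a record but the assignment fails; granting read without delete on a shared location produces exactly that outcome.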

Typical Digipass Location Models

Digipass Pool
A centralised point of access and importation can be implemented by using the Digipass Pool to hold unassigned Digipass records. This option requires less calculation and high-level administration, as Digipass records are all imported into one area and there is no need to manually move records or calculate the exact number of Digipass required for each Organizational Unit or group of Units. However, permissions will need to be set up to permit delegated administrators access to move the Digipass out of the container upon assignment.

The Digipass Pool is treated as the Domain Root by the IAS Plug-In, as Digipass records may not be saved in the Domain Root.

Image 15: Digipass Record Locations - Digipass Pool

In the diagram above, Administrator 1 has delegated administrator permissions for the Organizational Unit B and its child Organizational Units. They must also have read and delete permissions for Digipass objects in the Digipass Pool container. The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

Parent Organizational Units
Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational Units. This requires a delegated administrator to have permissions not only for the Organizational Unit in which the User accounts are stored, but also read, write and delete permissions for Digipass objects in the Organizational Unit in which the Digipass are stored.

Image 16: Digipass Record Locations - Parent Organizational Unit

In the diagram above, Administrator 1 has full admin permissions for Organizational Unit B and its child Organizational Units. She does not require any other permissions to assign Digipass from Organizational Unit B to a User in Organizational Unit B1.

Administrator 2 has full admin permissions for Organizational Unit A2 only. He has read and delete permissions for Digipass objects in Organizational Unit A in order to assign Digipass from Organizational Unit A to a User in Organizational Unit A2.

The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

Individual Organizational Units
Digipass can be loaded or moved into each Organizational Unit where and when they are required. It is then easy to set up permissions for delegated administrators to assign them only within their scope of control. If all Digipass in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before they can be assigned by a delegated administrator.

Image 17: Digipass Record Locations - Individual Organizational Units

In the diagram above, each delegated administrator only requires permissions within their specific Organizational Unit(s), as unassigned Digipass are stored in the Organizational Units in which they will be assigned. The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model.

Combination of models
Digipass may be stored in the Digipass Pool as well as some or all Organizational Units. If no unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in Organizational Unit hierarchy option is enabled, the IAS Plug-In will search upwards to the Domain Root and search in the Digipass Pool for an available, unassigned Digipass record.

Search for Digipass Records
The Digipass Extension for Active Directory Users and Computers allows you to search for specific Digipass records, or Digipass records meeting set criteria. This functionality can be useful when you have Digipass records in various places throughout Active Directory.

2.4 Digipass Record Functions
A number of functions are available in the Digipass Extension for Active Directory Users and Computers to administer Digipass records. These are typically required for maintenance, eg. a User has forgotten their Server PIN, or a Digipass has been locked.

Reset Application
A Digipass Application may need to be reset if the time difference between it and the server needs to be recalculated. This would typically be for time-based Response Only Digipass after a very long period of inactivity. The 'reset' widens the allowable time window for the next login, allowing the User to log in and the IAS Plug-In to calculate the current time shift.

Set Event Counter
If the event count for an event-based application has become unsynchronised between the Digipass and the server, this function can be used to set the server event count to the event count on the Digipass.

Reset PIN
If a User's Server PIN needs to be changed, usually because the User has forgotten it, then it can be reset, and the User can create a new Server PIN when they next log in. This may be done when unassigning or re-assigning a Digipass.

Force PIN Change
This function can be used when an administrator wants a User to change their Server PIN on their next login. This may be desirable as a security measure.

Set PIN
A User's Server PIN can be set to a specific value and communicated to the User.

Unlock Digipass
If a User incorrectly enters their Digipass PIN into their Digipass a predetermined number of times, the Digipass will become locked. Once locked, the assistance of an administrator will be required to unlock it. This function allows an administrator to provide the User with an Unlock Code to enter into their Digipass.

Reset Application Lock
If a User has attempted to log in with incorrect details too many times, the Digipass Application used may be locked, depending on Policy settings. This function can be used to set the record for the Digipass Application to the status of unlocked. This differs from User locking, as the User may still log in with a different Digipass.

Test a Digipass Application
Use this function to check that a Digipass Application is working as expected. There is also a function to test the Backup Virtual Digipass functionality.

2.5 Assigning Digipass to Users
Digipass may be assigned to Users in a number of ways, depending on the requirements of your company. For example, a company with only a few User accounts may use Manual Assignment. A larger company needing to distribute large numbers of Digipass may find it easier to simply distribute the Digipass and require each User to go through Self-Assignment.

Note: Digipass records must be imported into Active Directory before being assigned to Users. They may be imported into a general-purpose 'Digipass Pool' or into the specific Organizational Units where they are needed. They must be in the same domain as the User to whom they are being assigned.

Digipass Assignment Options
The diagram below shows the basic assignment process used for the three main assignment methods which may be set in a Policy.

Image 18: Assignment Method Processes

Self-Assignment
A Digipass may be assigned to a User by their own action. The User must log in and include the serial number, Windows static password and One Time Password. This informs the IAS Plug-In of the assignment, and provided that the User enters the details correctly, a link will be made between the Digipass record and the User account. A grace period is not used for this method.

Auto-Assignment
The IAS Plug-In can automatically assign an available Digipass when a Digipass User account is created using Dynamic User Registration (DUR). The correct Digipass must then be delivered to the User. A grace period is typically set, which allows a number of days in which the User may still log in using only their static password.

Manual Assignment
A selected Digipass is manually assigned to a specific Digipass User account. The Digipass must then be sent out to the User. A grace period is typically set, during which the User may still log in using only their static password.

2.6 Security Levels
The following will affect the security level of your setup for the IAS Plug-In:

Using the Windows Static Password instead of a Server PIN
You can configure the authentication process so that a User is required to use their Windows static password in place of a Server PIN when logging on through a remote access server. This is a valid two-factor authentication combination, but it is important to consider the security of the machines from which the User will log in. If there is a risk of key logging for example, it would still not be possible for the hacker to log in, but they would have captured the Windows static password of the User. If a PIN was used, they would only have captured the PIN. This has to be balanced against the need for a User to learn and remember an additional item, the Server PIN.

2.7 Virtual Digipass Implementation Considerations

Digipass Assignment Options
With the introduction of Virtual Digipass, there are several different assignment combinations that can be used. The first option in the table below does not utilize Virtual Digipass. The others include a Virtual Digipass in either a backup or primary mode.

Table 4: Digipass Options
Primary: Digipass. Backup: None. User must log in using a Digipass.
Primary: Digipass. Backup: Backup Virtual Digipass. User usually logs in using a Digipass, but may utilize the Backup Virtual Digipass feature where required. Usage of the feature may be limited.
Primary: Digipass (temporarily disallowed). Backup: Backup Virtual Digipass. User must log in using the Backup Virtual Digipass feature. This might be used while a User's Digipass is lost, until the Digipass is recovered.
Primary: Primary Virtual Digipass. Backup: N/A. User is assigned a Virtual Digipass and must log in using it.

Cost
Your company will probably need to pay an amount for each text message sent. In some countries, mobile phone owners might need to pay an amount for each text message received on their mobile phone. This will need to be taken into consideration when deciding how to implement Virtual Digipass functionality.

Security
Hardware Digipass devices provide the highest level of security. Virtual Digipass provides a lower, although still high, level of security. This needs to be weighed against other considerations before deciding whether your company will implement Virtual Digipass, and if so, how it will be implemented.

Convenience
Virtual Digipass is more convenient than a hardware Digipass for many Users. Only one's usual mobile phone is required: there are no extra devices to carry around. Users who do not habitually carry their mobile phone with them, though, are likely to find a GO 3 or GO 1 easier to transport. For Users with the Backup Virtual Digipass enabled, it might be the difference between going to work to pick up a forgotten Digipass and getting important work done at home.

Gateway and account
Your company will need the use of a text message gateway and an account with the gateway. The Message Delivery Component will need configuration information for the gateway and the Username and static password for the account. Your VASCO supplier can assist with this process.

Limiting Usage of Virtual Digipass
Use of Virtual Digipass may be limited by:
- Using Backup Virtual Digipass only.
- Minimizing the number of Users assigned a Primary Virtual Digipass. A User's Primary Virtual Digipass use cannot be limited.

The Backup Virtual Digipass feature may be enabled as an emergency backup for Users who have left their primary Digipass at home, or for other reasons do not have access to their primary Digipass. Use of this feature can be limited for each User by:

Time period: Set a time period in which a User may access the Backup Virtual Digipass. After this period has expired, any Virtual Digipass requests from the User will be rejected. If the User is still unable to use their Digipass, the time period must then be extended by an administrator. Once they have started using their Digipass again, the administrator must reset the time period if the User is to be allowed to use Backup Virtual Digipass again.

Number of Uses: Set a maximum number of times a User may request an OTP using the Backup Virtual Digipass feature. When the User has reached this number of uses, any further OTP requests from the User will be rejected. This must be reset by an administrator if further use of the Backup Virtual Digipass is required for the User.

Global and Individual Backup Virtual Digipass settings
Backup Virtual Digipass options can be set globally or individually, to allow a standard policy for all Digipass with exceptions made where necessary. Global settings will affect all Digipass whose individual option is set to 'Default'. Global options are defined in the Policy that controls authentication. Therefore, by using multiple Policies, you have some additional flexibility.

Backup Virtual Digipass Usage Guidelines
Some questions which will need to be answered before arriving at Backup Virtual Digipass usage guidelines are:
- Will any users have access to Backup Virtual Digipass?
- If so, will all users have access to Backup Virtual Digipass?
- Will usage of Backup Virtual Digipass be limited?
- If so, how?
  - Time-limited
  - Limited number of uses

Some Possible Guidelines

Table 5: Backup Virtual Digipass Example Guidelines

Guideline: Backup Virtual Digipass disabled for all - enabled for individual Users as required.
Pro: Low text message costs.
Con: Manual enable for each User and circumstance. Possible heavy administration load.

Guideline: Backup Virtual Digipass enabled for all - either time/number of usage limit set.
Pro: Predictable text message costs.
Con: Administrator may need to reset limits frequently; medium administration load.

Guideline: Backup Virtual Digipass enabled for all - no limits set.
Pro: Lighter administration load.
Con: Possible high text message costs.

Resetting Virtual Digipass Restrictions
When a User has reached their limit of Virtual Digipass use, an administrator must reset their limit.

Virtual Digipass Login options
A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users with a hardware Digipass and the Backup Virtual Digipass enabled must be able to request an OTP to be sent to their mobile when required, but to log in using the hardware Digipass at other times.

The simplest method for the User is to allow a 2-step login process, where the User enters their User ID and static password only, triggering an OTP Request, and is redirected to a second login page to enter the OTP sent to them. To use this method, though, your system must be set up to allow 2-step logins. Check with your system administrator if unsure.

Alternatives to the 2-step login are a sequence of two 1-step logins or the use of the OTP Request Site. See the Administrator Reference for information on possible login permutations.

Location of OTP Request Site
If the OTP Request Site is to be used, its location must be decided. You may choose to install the Web Site onto any web server, bearing the following in mind:
- If the Web Site is installed onto a web server in the DMZ, you need to permit TCP/IP access from the web server to the IAS Plug-In on port This is the recommended option.
- The Web Site can be used on the Internet, however it would be essential to provide SSL (or TLS) encryption for access to it. Otherwise, an attacker could discover static passwords and PINs. The other point to take into consideration is that publishing the Web Site on the Internet would allow anyone in the world to send requests to the IAS Plug-In; this would provide the potential for denial of service and brute force attacks. It would be strongly advised to protect the Web Site from general use in some way.
- If the Web Site is installed onto a web server that communicates over a WAN link to the IAS Server(s), the WAN link must be encrypted. For example, an IPSEC-based VPN connection would be sufficient.

3 Digipass User Accounts

3.1 User Account Identification
The IAS Plug-In requires a User ID (SAM-Account-Name) and domain (Fully Qualified Domain Name) for each User logging in through it. These are collected in various ways, depending on the information entered by the User. If the User enters:

Table 6: User Account Identification Methods
Format: UPN. Example: user@domain.com. Method Used to Identify User Account: The Global Catalog is utilized to translate this into User ID and domain. *
Format: Windows NT format. Example: DOMAIN\user. Method Used to Identify User Account: The Global Catalog is utilized to translate this into User ID and domain. *
Format: User ID. Example: User. Method Used to Identify User Account: IAS Plug-In will use the default domain set in the applicable Policy if defined, otherwise it will use the Configuration Domain set in the configuration file for the Plug-In.

* Access to a Global Catalog is therefore required by the Plug-In.

3.2 Digipass User Account Creation
A Digipass User account can be created in a number of ways:

Manual Creation
A Digipass User Account can be created manually for a User account in Active Directory.

User Self-Management Web Site
Enabling Dynamic User Registration on a system which includes the User Self-Management Web Site will allow Users to create their own Digipass User Account via the web site.

Dynamic User Registration
When the IAS Plug-In receives an authentication request for a User without a Digipass User account, it can check the credentials with Windows. If the authentication is successful with Windows, the IAS Plug-In can create a Digipass User account automatically for the User. This process is called Dynamic User Registration (DUR) and can be enabled via the Administration MMC Interface.

This feature is commonly used in conjunction with Auto-Assignment, so that the new account is immediately assigned a Digipass.

Image 19: Dynamic User Registration

Changes to Stored Static Password
Any changes to a User's stored static password need to be communicated to the IAS Plug-In if Stored Password Proxy is enabled. There are two ways to do this:

Password Autolearn
If Password Autolearn is enabled, a User may directly log in with their new static password. If it does not match the static password stored by the IAS Plug-In, it can be verified with Windows. If correct, the IAS Plug-In will store the new static password for future use and authenticate the User.

User Self-Management Web Site
When the User Self Management Web Site is utilized, the User may modify the IAS Plug-In's record of their stored static password. They must be able to log in according to current settings to do this, and the Password Autolearn feature must be enabled.

3.3 Logging in with a Digipass
This topic explains the basic steps required to log in using the three available authentication methods. Depending on your settings, a User may be required to enter other information in the password field during login (see Password Field Information).

Login Processes
The diagram below shows a typical login process for the three basic login methods supported by the IAS Plug-In. The actual details entered by the User may vary, depending on Policy settings.

Image 20: Login Method Processes

Multiple Digipass or Digipass Applications
A User may have multiple Digipass assigned to their User account, and/or multiple Applications enabled for a Digipass. If so, the IAS Plug-In will need to know which Digipass and Digipass Application will be used for a particular login for the User.

The Digipass and Digipass Application required for a login is selected by the Policy applicable to the login scenario. Policy settings may determine the Application Names, Application Type, and/or Digipass Types to be used. Once the Policy settings are taken into account, there may still be more than one Digipass Application that could be used. In that case, the IAS Plug-In will check each one.

Password Field Information
Information which may be required to be entered into the password field during login:

Static Password
The static password may be entered to:
- authenticate the User if they do not have a Digipass assigned (or if all Digipass assigned to the User are in the grace period).
- request a challenge or Virtual Digipass OTP
- be passed on to Windows during back-end authentication (Stored Password Proxy off).
- inform the IAS Plug-In of a change to the User's Windows static password (Password Autolearn and Stored Password Proxy on).

Serial Number
The serial number for a User's assigned Digipass will be required if:
- this is the first time the User has logged in using a Digipass, AND
- the User is required to Self-Assign the Digipass using the login process (as opposed to the User Self Management Web Site)

Server PIN
If a Server PIN is required for the User's Digipass, this must be entered every time the User logs in. The User can change their PIN by providing the new PIN twice after the OTP (unless CHAP, MS-CHAP or EAP-MD5 is being used).

Request Keyword
A Keyword can be used to indicate a request to the IAS Plug-In for an OTP to be sent to the User's mobile phone, or for a 2-step Challenge/Response login. A keyword may be used in conjunction with the static password or just on its own. However, if the keyword is used on its own to request a Virtual Digipass OTP, the static password must be entered in the second login step as well as the OTP.

One Time Password
A One Time Password is typically required to log in via the IAS Plug-In.

3.4 Administration Privileges
The IAS Plug-In will allow access to Digipass User accounts and Digipass records based on a User's Active Directory privileges. Extra privileges may be granted via the Active Directory Users and Computers console. See the Administrator Reference for more information.

3.5 Authenticating Users
Authentication settings may be applied to an individual User account, although typically these will be set by the Policy.

Authentication Settings
Digipass User account and Policy settings control the authentication process as follows:
- The authentication settings for a Digipass User account override a Policy setting.
- The relevant Policy is referred to if the authentication setting for a Digipass User account is Default or if a Digipass User account does not exist for the login.

Local Authentication
'Local' authentication is a term used to describe the IAS Plug-In authenticating a login based on information in its data store and the One Time Password entered during the login. The Local Authentication setting specifies whether the IAS Plug-In will authenticate a login based on an OTP or stored static password. Back-end authentication may also be utilized; in the latter two options, an authentication request will only be checked with the back-end authenticator if it passes authentication by the IAS Plug-In.

None: The IAS Plug-In will not authenticate the User's credentials; the request will typically be checked with the back-end authenticator.

Digipass/Password: The IAS Plug-In will always process authentication requests. If a User has had a Digipass assigned, they must use an OTP during login, unless a Grace Period is still active for the Digipass. If a User does not have a Digipass assigned, they can use their static password to log in. The static password entered will be checked against the stored static password or, if Back-End Authentication is used, the Windows static password.

Digipass Only: The IAS Plug-In will always process authentication requests. Users must log in using an OTP. Users without Digipass will not be able to log in.

Back-End Authentication
'Back-end' authentication applies to the IAS Plug-In checking login details (User ID and static password) with another system, Windows. This is used by the IAS Plug-In mostly for the Dynamic User Registration and Self-Assignment processes. Back-end authentication settings specify whether the IAS Plug-In will pass on an authentication request to Windows. The User's static password is required for this step, and is retrieved from either the login, or the stored static password in the Digipass User Account.

None: The IAS Plug-In will not utilize back-end authentication.

Always: The IAS Plug-In will send an authentication request to a back-end authenticator, using the protocol set for the Policy (Windows only at this stage).

If Needed: Back-end authentication will be used in situations where local authentication is not sufficient:
- Dynamic User Registration
- Self-Assignment
- Password Autolearn
- Requesting a challenge or Virtual Digipass OTP, when the Request Method includes a static password
- Static password authentication, when verifying a Virtual Digipass static password-OTP combination or during the Grace Period

Protocol
The IAS Plug-In needs to know the protocol to use in requesting authentication of a User's information. Windows is currently the only option.

User Account Locking
A Digipass User account may be locked if the User has attempted, and failed, to log in a particular number of times. This number can be set in the Policy. Once the account is locked, an administrator must manually unlock it. Until it is unlocked, the User will be unable to log in.

Windows Group Check
Specific Windows Groups can be selected for authentication by the IAS Plug-In. This feature might be used when:
- Deploying Digipass in stages, using Dynamic User Registration and Auto-Assignment.
- Two-factor authentication is needed only for access to sensitive data, which has been granted to certain Users (for example, administrators). Only this group of people will require Digipass, and will be authenticated by the IAS Plug-In. Other Users will be authenticated only by IAS using another authentication method.
- Most Users will have Digipass and be permitted to log in to the system, but some Users should not be authenticated under any circumstances.

The Group Check can work in one of two ways:

Authenticate listed groups, pass others through: Only process authentication requests for users in a group in the Group List; let requests for other users pass through unmodified to IAS for authentication.

Authenticate listed groups, reject others: Only permit access for users belonging to a group in the Group List; reject access for other users.

The group check is typically used with these settings:
- Dynamic User Registration enabled
- Auto-Assignment enabled

Windows Group Check Process
The diagram below shows the basic process involved in a Windows Group Check, when DUR and Auto-Assignment are enabled. It occurs during the User authentication process (see Image 21: Windows Group Check Process for an overview).

Image 21: Windows Group Check Process

Linking User Accounts
If a User has more than one Active Directory user account, for example an administrative account and a 'normal user' account, the two Digipass User accounts can be linked together. This provides the ability for the two accounts to share a Digipass. The Digipass is assigned to one of the accounts, then the other account is linked to it.

4 Policies

4.1 What are Policies?
Policies allow you comprehensive control over the authentication process. At least one Policy is required to determine whether various features are enabled, and how logins should be handled by the IAS Plug-In. A number of example Policies are included when the Digipass Plug-In for IAS is installed.

4.2 How Do They Work?
The principle of Policies is that a single Policy is applied to an authentication request. The choice of Policy is made by the Component (e.g. IAS Plug-In or RADIUS Client). All login requests for a particular Component are handled according to the settings of its chosen Policy.

In the case of the Digipass Plug-In for IAS, a Component must be present for the IAS Plug-In. This Component will identify the Policy to be used as a default for any requests that it handles. However, if you wish to apply a different Policy according to the RADIUS Client (e.g. NAS, VPN appliance), you are allowed to create additional Component records that will specify the preferred Policies for those cases.

1. User attempts to log into RADIUS Client
2. RADIUS Client sends authentication request to IAS
3. IAS Plug-In checks if there is a Component record for the RADIUS Client
4. If there is no RADIUS Client Component record, the IAS Plug-In looks up its own Component record
5. IAS Plug-In selects the Policy set for the Component
6. IAS Plug-In handles authentication request according to Policy settings

Image 22: Policy Selection

4.3 Policy Settings
Settings controlled by Policies include the following groupings.

Note: The IAS service must be restarted before Policy setting changes will become effective.

Local and/or Back-end Authentication
Whether the IAS Plug-In should authenticate logins, and whether logins authenticated with information held by the IAS Plug-In should be checked with another system (e.g. Windows). See these topics for more information:
- Local Authentication
- Back-End Authentication

User Accounts
Determines how the IAS Plug-In will handle Digipass User account creation, logins and passwords. See these topics for more information:
- Dynamic User Registration
- User Account Locking
- Password Autolearn

Windows Group Check
Windows Group checks allow regulation of the local and back-end authentication for Users belonging to specified Windows Groups. See Windows Group Check for more information.

Digipass Assignment
The method for assignment of Digipass to Users, and settings relevant to Digipass assignment. See these topics for more information:
- Digipass Assignment Options

Digipass Settings
Specifies the Digipass Applications, Types and actions allowed. See these topics for more information:
- 2.1 Types of Digipass
- Digipass Applications

1-Step Challenge/Response
Whether 1-Step Challenge/Response is enabled, and settings relevant to it.

Note: 1-Step Challenge/Response is not supported for use with RADIUS, but the settings are included for compatibility with other products.

2-Step Challenge/Response
How Digipass Users may request a 2-Step Challenge/Response login. See Login Processes for more information.

Primary Virtual Digipass
How Digipass Users may request a Primary Virtual Digipass login if multiple Digipass, including a Primary Virtual Digipass, are assigned to them. See Virtual Digipass Login options for more information.

Backup Virtual Digipass
Whether the Backup Virtual Digipass feature is enabled, and how it may be used. See Backup Virtual Digipass for more information.

Digipass Control Parameters
Settings which control how the IAS Plug-In handles the OTP provided by a Digipass, such as the time shift allowed, and how many days the Digipass may be inactive (not used for logins through this plug-in) before being flagged as inactive. See Digipass Record Settings for more information.

4.4 Multiple Policies
Multiple Policies can be created. The Policy selected for use by the IAS Plug-In will depend on the Component making the authentication request, as illustrated above.

Inheritance
Policies may be set up in a hierarchy, where one Policy will inherit most of its attributes from a parent Policy, but with some modifications for a slightly different scenario.

Image 23: Policy Inheritance

In the example above, all attributes are inherited from the parent Policy, except those explicitly set.

Show Effective Settings
As the various levels of settings in Policy inheritance can get confusing, functionality is available which allows you to view the settings effective for a selected Policy, taking inherited settings into account. The text below shows the effective settings for the IAS Windows SelfAssignment Policy:

Effective Policy Settings

[Local/Back-End Authentication] :
Local Authentication : Digipass/Password
Back-End Authentication : If Needed
Back-End Protocol : Windows
:
[User Accounts] :
Dynamic User Registration : Yes
Password Autolearn : No
Stored Password Proxy : No
Default Domain :
User Lock Threshold : 0
[Windows Group Check] :
Group Check Option : No Check
Group List :
[Digipass Assignment] :
Assignment Mode : Self-Assignment
Grace Period (days) : 0
Serial No. Separator :
Search up Organizational Unit Hierarchy : Yes
[Digipass Settings] :
Application Names :
Application Type : No Restriction
Digipass Types :
PIN Changed Allowed : Yes
[1-Step Challenge Response] :
Enabled : No
Challenge Length : 0
Challenge Check Digit : No
[2-Step Challenge Response] :
Request Method : Keyword
Request Keyword :
[Primary Virtual Digipass] :
Request Method : None
Request Keyword :
[Backup Virtual Digipass] :
Enabled : No
Maximum Days : 0
Maximum Uses : 0
Request Method : KeywordPassword
Request Keyword : otp
[Digipass Control Parameters] :
Identification Time Window : 20
Signature Time Window : 24
Event Window : 20
Initial Time Window : 6
Identification Threshold : 0
Signature Threshold : 0
Check Challenge Flag : 1
Level of Online Signature : 0
Allowed Inactive Days : 0

You will note that the settings listed above include those set in Policies from which the IAS Windows Self-Assignment Policy inherits.

4.5 Pre-Loaded Policies
These Policies are created for the IAS Plug-In on installation of the Digipass Plug-In for IAS. They provide an example for setting up Policies in a typical environment.

| Policy Name | Parent Policy | Description | Non-Default Settings |
| --- | --- | --- | --- |
| Base Policy | - | Globally applicable settings. In general, all other Policies should inherit from this, directly or indirectly. | User Lock Threshold = 3; PIN Change Allowed = Yes; Challenge Request Method = Keyword (Note: the keyword is blank though); PVDP Request Method = Password; BVDP Request Method = KeywordPassword; BVDP Keyword = otp; ITimeWindow = 100; EventWindow = 100; SyncWindow = 6; IThreshold = 0 |
| IAS Base Policy | Base Policy | Settings applicable to all IAS Plug-In Policies, including local authentication. In general, all other IAS policies should inherit from this, directly or indirectly. | Local Authentication = Digipass/Password |
| IAS Windows AutoAssignment | IAS Base Policy | IAS Plug-In model for AutoAssignment with Dynamic User Registration, using Windows back-end authentication and a Windows group check. | Back-End Authentication = If Needed; Back-End Protocol = Windows; Dynamic User Registration = Yes; Assignment Mode = Auto-Assignment; Search up OU Path = Yes; Grace Period = 7; Group Check Mode = Passthrough; Group List = Digipass Users |
| IAS Windows SelfAssignment | IAS Base Policy | IAS Plug-In model for SelfAssignment with Dynamic User Registration, using Windows back-end authentication. | Back-End Authentication = If Needed; Back-End Protocol = Windows; Dynamic User Registration = Yes; Assignment Mode = Self-Assignment; Search up OU Path = Yes; Serial No. Separator = |
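The Component lookup (4.2), Policy inheritance (4.4) and the Windows Group Check can be modelled together to see which settings and which decision a given request ends up with. The Python below is an added example, not VASCO code: it carries a subset of the pre-loaded Policies' non-default settings from the table above, and the dictionary layout, the RADIUS Client address 192.0.2.10 and the mode label "Reject" are assumptions.

```python
# Added example (not VASCO code): Component -> Policy selection, Policy
# inheritance and the Windows Group Check, modelled on the guide's description.

# Subset of the pre-loaded Policies' non-default settings listed in the guide.
# name -> (parent Policy, settings the Policy sets explicitly)
POLICIES = {
    "Base Policy": (None, {
        "PIN Change Allowed": "Yes",
        "BVDP Request Method": "KeywordPassword",
        "BVDP Keyword": "otp",
    }),
    "IAS Base Policy": ("Base Policy", {
        "Local Authentication": "Digipass/Password",
    }),
    "IAS Windows AutoAssignment": ("IAS Base Policy", {
        "Back-End Authentication": "If Needed",
        "Back-End Protocol": "Windows",
        "Dynamic User Registration": "Yes",
        "Assignment Mode": "Auto-Assignment",
        "Grace Period": 7,
        "Group Check Mode": "Passthrough",
        "Group List": ["Digipass Users"],
    }),
    "IAS Windows SelfAssignment": ("IAS Base Policy", {
        "Back-End Authentication": "If Needed",
        "Back-End Protocol": "Windows",
        "Dynamic User Registration": "Yes",
        "Assignment Mode": "Self-Assignment",
    }),
}

# Component records. The IAS Plug-In Component is the pre-loaded default; the
# RADIUS Client record is constructed (hypothetical, documentation address).
IAS_PLUGIN_POLICY = "IAS Base Policy"
RADIUS_CLIENT_COMPONENTS = {"192.0.2.10": "IAS Windows AutoAssignment"}


def select_policy(radius_client):
    """Policy of the RADIUS Client's Component, else of the plug-in's own."""
    return RADIUS_CLIENT_COMPONENTS.get(radius_client, IAS_PLUGIN_POLICY)


def policy_chain(name):
    """Return [policy, parent, ...]; refuse loops and dangling parents."""
    chain = []
    while name is not None:
        if name in chain:
            raise ValueError("inheritance loop at " + name)
        if name not in POLICIES:
            raise KeyError("unknown Policy " + name)
        chain.append(name)
        name = POLICIES[name][0]
    return chain


def effective_settings(name):
    """Map setting -> (value, Policy that set it); the nearest Policy wins."""
    effective = {}
    for policy in reversed(policy_chain(name)):   # root first, child last
        for key, value in POLICIES[policy][1].items():
            effective[key] = (value, policy)
    return effective


def group_check(effective, user_groups):
    """Return 'authenticate', 'passthrough' (left to IAS) or 'reject'."""
    # "No Check" is the value the effective-settings listing shows when no
    # group check is configured.
    mode = effective.get("Group Check Mode", ("No Check", None))[0]
    listed = set(effective.get("Group List", ([], None))[0])
    if mode == "No Check" or listed & set(user_groups):
        return "authenticate"
    # "Reject" is an assumed label for "Authenticate listed groups, reject
    # others"; any unrecognised mode also fails closed.
    return "passthrough" if mode == "Passthrough" else "reject"


def handle(radius_client, user_groups):
    """Resolve the Policy for a request and apply its group check."""
    policy = select_policy(radius_client)
    return policy, group_check(effective_settings(policy), user_groups)


if __name__ == "__main__":
    # Constructed requests: (RADIUS Client address, user's Windows groups).
    for client, groups in [("192.0.2.10", ["Digipass Users"]),
                           ("192.0.2.10", ["Domain Users"]),
                           ("198.51.100.7", ["Domain Users"])]:
        print(client, groups, "->", handle(client, groups))
    report = effective_settings("IAS Windows SelfAssignment")
    for key, (value, origin) in sorted(report.items()):
        print(f"{key:28} {value!s:20} (from {origin})")
```

Recording which Policy supplied each value makes it easy to review what a change to a parent Policy will affect in every Policy that inherits from it.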

4.6 Differences from VACMAN Middleware 2.3
Some settings used in VACMAN Middleware have been modified in the IAS Plug-In. Most Server settings are found in Policies.

Authenticator Setting
The Authenticator field from VACMAN Middleware has been split into several fields in the plug-ins:
- Local Auth
- Back-End Authentication
- Back-End Protocol
- Disabled (User setting)

The correspondence of the other fields is different for (VM) RADIUS and Web:

| | VACMAN Middleware Setting | Local Auth setting | Back-End Auth setting | Back-End Protocol setting | Disabled checkbox |
| --- | --- | --- | --- | --- | --- |
| RADIUS | Local Server | Digipass/Password | None | <blank> | No |
| RADIUS | Local and Proxy | <not applicable to plug-ins> | | | |
| RADIUS | Proxy Server | <not applicable to plug-ins> | | | |
| RADIUS | Local and Windows | Digipass/Password | Always | Windows | No |
| RADIUS | Windows | None | Always | Windows | No |
| RADIUS | Disabled | <pre-disabled setting> | <pre-disabled setting> | <pre-disabled setting> | Yes |
| Web | Local Server | Digipass/Password | None | <blank> | No |
| Web | Local and Proxy | Digipass/Password | If Needed | Windows | No |
| Web | Proxy Server | None | If Needed | Windows | No |
| Web | Local and Windows | Digipass/Password | If Needed | Windows | No |
| Web | Windows | None | If Needed | Windows | No |
| Web | Disabled | <pre-disabled setting> | <pre-disabled setting> | <pre-disabled setting> | Yes |

Table 7: VACMAN Middleware and IAS Plug-In Authentication Settings

5 Components

5.1 What is a Component Record?
A Component record should exist when special authentication settings are required for logins from a particular server. For example, a company may have Users logging in via a NAS, a VPN appliance or the User Self-Management Web Site. A standard remote access Policy may be used for logins via the NAS, but some options may need to be disabled when the VPN appliance is used, or extra options enabled for the User Self-Management Web Site.

Image 24: Component Overview

No Component Record Exists for a RADIUS Client
Any RADIUS Client which does not have an explicit Component record will be handled using the default IAS Plug-In Component.

Policy Selection
Each Component record will have a Policy selected for use in processing its authentication requests.

Image 25: Component Use by IAS Plug-In

5.2 Pre-loaded Component
An IAS Plug-In Component is created on installation of the Digipass Plug-In for IAS. The IAS Base Policy is set as its Policy. Unless other Components are created or the Policy for the IAS Plug-In Component is modified, all authentication requests handled by the IAS Plug-In will use the settings for the IAS Base Policy.

5.3 Licensing
The Digipass Plug-In for IAS is licensed per IAS Plug-In Component. The License Key provided upon licensing of the product is loaded into the Component record itself, and details of the license may be viewed via the Component property sheet.

6 Active Directory Integration

6.1 What is Stored in Active Directory?
The following information is stored in Active Directory:
- Digipass User accounts
- Digipass and Digipass Application records
- Digipass configuration records (Policies, Components)

6.2 Schema Extensions

User attributes: vasco-userext class
Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-userext on the User class.

Digipass and Digipass Application records
The vasco-dptoken class is used to store Digipass attributes. It is also a container, in which vasco-dpapplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User.

Policies and Components
Policy and Component records are stored in vasco-policy and vasco-component objects. They are located in a single Digipass-Configuration container in a single Domain.

As the data model is shared with other Digipass Plug-In and Digipass Pack products, the schema will also include the vasco-backendserver class. However, this is not used in Digipass Plug-In for IAS.

6.3 Permissions Needed by the IAS Plug-In
The installation process will ensure that the IAS Plug-In has sufficient permissions. This is achieved by assigning permissions in the domain to the in-built RAS and IAS Servers group. It is necessary to make sure that the IAS server is added to that group.

6.4 Sensitive Data Encryption
Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this encryption may be strengthened by including a custom encryption key. See the Administrator Reference for more information.

6.5 Administrative Permissions
Administrative permissions for the IAS Plug-In administrators are controlled using Active Directory security properties. See the Permissions Needed by Administrators topic in the Administrator Reference for more information.

Domain Administrators
May view and edit all Digipass and Digipass User information in their domain, plus Digipass Configuration information if the Digipass Configuration Container is located in their domain. No permissions setup is required for them.

Delegated Administrators
May view and edit all Digipass and Digipass User information within their administrative scope of control. It is necessary to grant them full control, create and delete permissions over the Digipass and Digipass Application objects within their scope.

Reduced Rights Administrators
May perform a subset of the administration tasks. 'Property sets' are defined within the directory which can be used to enable or limit them in various Digipass administration tasks (e.g. access to the Digipass blob).

6.6 Active Directory Command Line Utility
This utility has to perform several tasks that are needed at various times during installation and upgrade if Active Directory is selected, or afterwards for maintenance. Some of the commands are run automatically by the installation program, while others are run manually. The commands that are run automatically can also be run manually, for example to troubleshoot why the installation is not succeeding.

| Command | Description |
| --- | --- |
| addschema | Extend the Active Directory schema. |
| checkschema | Check that the schema extensions are all present. |
| setupdomain | Sets up the Digipass Configuration Container in the specified domain. |
| setupaccess | Assign permissions to a Windows group including: full read access to everything in the domain; full control over vasco-dptoken objects; full control over vasco-dpapplication objects; ability to create and delete vasco-dptoken objects; full write access to extension attributes on user objects. This command can optionally be used to also add a machine to the group. |

Table 8: DPADadmin tasks

7 Administration Interfaces

7.1 Digipass Extension for Active Directory Users & Computers
The Digipass Extension for Active Directory Users and Computers allows administration of Digipass User accounts and Digipass records within the Active Directory Users and Computers interface.

7.2 Administration MMC Interface
The Administration MMC Interface allows administration of Policies and Components in the Digipass Configuration Container.

8 Licensing

8.1 Overview
VASCO products are licensed per Component record in the Digipass Configuration container. The licensing relies upon a License Key which is checked when the IAS Plug-In starts. This License Key is tied to the location (usually IP address) where the IAS Plug-In is installed, and stored in the Component for the plug-in. The IAS Plug-In will not function without a correct License Key.

Evaluation Licenses
If you have downloaded the Digipass Plug-In for IAS from the VASCO website, you will note that it comes with an evaluation license. This means that you can use its full functionality until the evaluation period runs out. At the end of this period, you will need to either uninstall the product or buy a permanent license. Contact your distributor or the appropriate VASCO Reseller representative to acquire the licences you will need.

8.2 Obtaining a License Key File
The installation process will guide you through the process of requesting and loading a License Key. However, if for some reason it is not possible to complete the licensing at installation time, the Administration MMC Interface can be used to obtain and load a License Key for a Component. This process must be completed for each IAS Plug-In, and requires an active internet connection to open the Digipass Plug-In Activation Page.

9 Auditing and Tracing

9.1 Auditing

Audit System
The VASCO Audit System records audit messages generated by the IAS Plug-In. The level of audit messages generated may be configured using the Administration MMC Interface.

Audit messages are generated by:
- IAS Plug-In (using default settings)
- Administration MMC Interface (when enabled)
- Digipass Extension for Active Directory Users and Computers (when enabled)

Audit messages may be recorded to and viewed in:
- Windows Event Log
- Text file

Audit message types

| Type | Description |
| --- | --- |
| Error | The message contains details about a system, configuration, licensing or some internal error. Errors do not include normal processing events such as failed logins. |
| Warning | Warning messages contain details about potential problems within the system. This could include details such as a failed connection attempt to a Domain Controller. |
| Information | Informational messages provide details about events within the system that need to be recorded but do not indicate errors or potential errors. An example of this may be a re-connection to Active Directory for load-balancing reasons. |
| Success | Success messages contain details about processing events that were correctly processed. This may include successful authentications or successful administration commands. |
| Failure | Failure messages contain details about processing events that failed. This may include rejected authentications, or administration actions that failed. |

Table 9: Audit message types

Audit messages location

Default
The default auditing configuration is:
- All messages recorded to a text file
- Error messages also recorded to Windows Events log
- If a message was not recorded successfully to text file, it will be recorded to the Windows Event Log

Custom
Auditing may be configured to suit your company's needs. For example, all messages might be recorded to the Windows Event Log, as this can be searched and filtered more easily than a simple text file. It also allows you to view audit messages as they are generated.

Active Directory Auditing
Active Directory auditing may be enabled and configured to record access and modifications to Digipass related data used by the IAS Plug-In. See the Active Directory Auditing topic in the Administrator Reference for more information.

9.2 Tracing
The level of tracing for the IAS Plug-In can be configured using the IAS Plug-In Configuration utility. Tracing messages will be recorded to a text file.

Basic Tracing
Basic Tracing will record:
- Critical error/warning messages [CRITC]
- Major error/warning messages [MAJOR]
- Minor error/warning messages [MINOR]
- Configuration messages [CONFG]

Full Tracing
Full tracing will record:
- Critical error/warning messages [CRITC]
- Major error/warning messages [MAJOR]
- Minor error/warning messages [MINOR]
- Configuration messages [CONFG]
- Informational messages [INFO] and [VINFO] (verbose)
- Data tracing messages [DATA]
- Debugging messages (useful for support purposes) [DEBUG]
- Security messages, messages that may contain security sensitive data [SECUR]

10 User Self Management Web Site
The User Self Management Web Site allows Users to perform functions which are unavailable during a usual login either because the functionality is disabled within the IAS Plug-In configuration, or because CHAP or another protocol is in use which does not allow the functionality:
- User Registration and Auto-Assignment
- Self-Assignment
- Password Synchronization
- PIN Change
- Login Test

The site can also be used to help Users get started with their Digipass while they are still in the office and help is available.

Customizing the User Self Management Web Site
It is anticipated that you may want to customize the web pages that are provided by default. You may wish to:
- change the colors and graphics to match your corporate colors/logos.
- integrate the pages into a larger web site.
- translate or customize the text.

The web site is designed to permit extensive customization, provided that you post the correct data to the CGI program. This section provides the instructions and reference material that you require to customize the site. It is assumed that the reader has some web development knowledge.

You can change any cosmetic part of the web pages. You can even write completely new web pages, provided that you provide the correct posted form fields to the CGI program, and interpret the query string variables correctly. You do not need to use plain HTML pages; server scripting languages such as PHP or ASP, or any other way of generating HTML, can be used.

11 OTP Request Site
The OTP Request site provides a method for Users to request an OTP to be sent to their mobile, for use in logging in.

Image 26: OTP Request Site

The OTP Request Site is designed to be customized in a similar way to the User Self Management Web Site.


More information

Product Release Information

Product Release Information Product Release Information Product: Cyberoam Release Number: 9.4.1 build 2 Release Date: 20 th March, 2007 Compatible versions: 9.4.1. build 0 Upgrade: Auto Upgrade Customer Support: For more information

More information

SignTorch.com Pro Misc

SignTorch.com Pro Misc 3USA1 3WTC911 ACORN1= BANDAID1 BANDAID2= BANDAID3= BANDAID4= BARB_WIRE1= BOY21= BUG1= BUG2= BUG3= BUG4 BUG5- BUG6 BUG7= BUG8 BUG9= BUG10 BUG12= BUG13= BUG14= BUTTERFLY1= BUTTERFLY1A_ BUTTERFLY2= BUTTERFLY2A_

More information

Toast Audio Assistant User Guide

Toast Audio Assistant User Guide Toast Audio Assistant User Guide Toast Audio Assistant lets you capture audio from a variety of sources. You can then edit the audio, break it up into tracks, add effects, and export it to itunes or burn

More information

i-disk Shield 2.0 Secure AES Manager User s Manual

i-disk Shield 2.0 Secure AES Manager User s Manual Secure AES Manager User s Manual (Version 2.0) PSAMUM_V2.0_2010/4/21-1 - www.pretec.com Table of Contents A. Introduction...4 B. General Description...4 C. Features...5 D. Before Using Secure AES Manager...6

More information

Carbonite Server Backup Portal 8.6. Administration Guide

Carbonite Server Backup Portal 8.6. Administration Guide Carbonite Server Backup Portal 8.6 Administration Guide 2018 Carbonite, Inc. All rights reserved. Carbonite makes no representations or warranties with respect to the contents hereof and specifically disclaims

More information

Straight2Bank Web Cash Quick Start Guide. Last Updated: March 2015

Straight2Bank Web Cash Quick Start Guide. Last Updated: March 2015 Straight2Bank Web Cash Quick Start Guide Last Updated: March 2015 First Time Login Password / Vasco Token First-Time Login to Straight2Bank Web Using Password First Time Password Login This section illustrates

More information

Tisio CE Release Notes

Tisio CE Release Notes Tisio CE Release Notes Copyright Copyright 2005, 2006, 2007 and 2008 by ThinPATH Systems, Inc. The information contained in this document is subject to change without notice. ThinPATH Systems, Inc. shall

More information

Carbonite Server Backup Portal 8.5. Administration Guide

Carbonite Server Backup Portal 8.5. Administration Guide Carbonite Server Backup Portal 8.5 Administration Guide 2018 Carbonite, Inc. All rights reserved. Carbonite makes no representations or warranties with respect to the contents hereof and specifically disclaims

More information

SafeNet Authentication Client

SafeNet Authentication Client SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the

More information

One Identity Defender 5.9. Product Overview

One Identity Defender 5.9. Product Overview One Identity 5.9 Product Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Business Online User Guide July 2017

Business Online User Guide July 2017 Business Online User Guide July 2017 Business Online Account Holder 1 Introduction.. 1 Types of Activity 1 Log In 2 Multifactor Authentication. 2 MFA Device Print Security 2 MFA Enrollment 3 Registered

More information

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide One Identity Starling Two-Factor Desktop Login 1.0 Administration Guide Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers

Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers Version 5.5 August 31, 2013 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone

More information

VACMAN Controller. Integration Guide. White Paper

VACMAN Controller. Integration Guide. White Paper VACMAN Controller Integration Guide 2006 VASCO Data Security. All rights reserved. Page 1 of 26 White Paper Disclaimer Disclaimer of Warranties and Limitations of Liabilities This Report is provided on

More information

Guide Installation and User Guide - Mac

Guide Installation and User Guide - Mac Guide Installation and User Guide - Mac With Fujitsu mpollux DigiSign Client, you can use your smart card for secure access to electronic services or organization networks, as well as to digitally sign

More information

Guide to Windows 2000 Kerberos Settings

Guide to Windows 2000 Kerberos Settings Report Number: C4-018R-01 Guide to Windows 2000 Kerberos Settings Architectures and Applications Division of the Systems and Network Attack Center (SNAC) Author: Updated: June 27, 2001 David Opitz Version

More information

SonicWALL Network Anti-Virus

SonicWALL Network Anti-Virus SonicWALL Network Anti-Virus Contents Copyright Notice...2 Limited Warranty...2 Introduction...4 Managing Network Anti-Virus...5 Activating the Network Anti-Virus Subscription...6 Configuring Network Anti-Virus...7

More information

Intellisync Mobile Suite Client Guide. S60 3rd Edition Platform

Intellisync Mobile Suite Client Guide. S60 3rd Edition Platform Intellisync Mobile Suite Client Guide S60 3rd Edition Platform Published July 2007 COPYRIGHT 2007 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States. RESTRICTED RIGHTS

More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information

Enterprise Payment Solutions User Administrator. User Administrator Handbook

Enterprise Payment Solutions User Administrator. User Administrator Handbook Enterprise Payment Solutions 1999-2014 Jack Henry & Associates, Inc. All rights reserved. Information in this document is subject to change without notice. Printed in the United States of America. No part

More information

Network-MIDI Driver Installation Guide

Network-MIDI Driver Installation Guide Network-MIDI Driver Installation Guide ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED TO USE

More information

Merchant Administration User Guide

Merchant Administration User Guide Merchant Administration User Guide For MasterCard Payment Gateway Version 6.8 09 March 2017 Notices Following are policies pertaining to proprietary rights and trademarks. Proprietary Rights The information

More information

How to enable and read the full trace file for IDENTIKEY Authentication Server 3.1, step by step.

How to enable and read the full trace file for IDENTIKEY Authentication Server 3.1, step by step. KB 150021 How to enable and read the full trace file for IDENTIKEY Authentication Server 3.1, step by step. Creation date: 27/11/2009 Last Review: 10/12/2012 Revision number: 3 Document type: How To Security

More information

Compliance Manager ZENworks Mobile Management 2.7.x August 2013

Compliance Manager ZENworks Mobile Management 2.7.x August 2013 www.novell.com/documentation Compliance Manager ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this

More information

One Identity Manager Administration Guide for Connecting Oracle E-Business Suite

One Identity Manager Administration Guide for Connecting Oracle E-Business Suite One Identity Manager 8.0.2 Administration Guide for Connecting Oracle E- Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

SD1306. Speed Dome IP Camera. Quick User Guide

SD1306. Speed Dome IP Camera. Quick User Guide SD1306 Speed Dome IP Camera Quick User Guide Table of Contents I. Camera Introduction... 1 1. Package Contents... 1 2. Hardware Installation... 2 2.1 Factory Default... 6 3. SD card Compatibility List...

More information

Partner Center: Secure application model

Partner Center: Secure application model Partner Center: Secure application model The information provided in this document is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including

More information

One Identity Manager 8.0. Administration Guide for Connecting to Azure Active Directory

One Identity Manager 8.0. Administration Guide for Connecting to Azure Active Directory One Identity Manager 8.0 Administration Guide for Connecting to Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Quest ChangeAuditor 5.1 FOR LDAP. User Guide

Quest ChangeAuditor 5.1 FOR LDAP. User Guide Quest ChangeAuditor FOR LDAP 5.1 User Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described in this

More information

Getting Started GateManager5 PREMIUM Domain Administration

Getting Started GateManager5 PREMIUM Domain Administration Getting Started GateManager5 PREMIUM Domain Administration This document helps you get started with Secomea s hosted GateManager5 in relation to the GateManager 5 Domain Administration. This guide assumes

More information

One Identity Manager Administration Guide for Connecting to SharePoint

One Identity Manager Administration Guide for Connecting to SharePoint One Identity Manager 8.0.2 Administration Guide for Connecting to Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

User Guide. Portable Calibration Module

User Guide. Portable Calibration Module Portable Calibration Module User Guide CyberMetrics Corporation 1523 W. Whispering Wind Drive Suite 100 Phoenix, Arizona 85085 USA Toll-free: 1-800-777-7020 (USA) Phone: (480) 922-7300 Fax: (480) 922-7400

More information

DME-N Network Driver Installation Guide for M7CL

DME-N Network Driver Installation Guide for M7CL DME-N Network Driver Installation Guide for M7CL ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED

More information

User Guide. Portable Calibration Module

User Guide. Portable Calibration Module Portable Calibration Module User Guide CyberMetrics Corporation 1523 W. Whispering Wind Drive Suite 100 Phoenix, Arizona 85085 USA Toll-free: 1-800-777-7020 (USA) Phone: (480) 922-7300 Fax: (480) 922-7400

More information

Pass4sure CASECURID01.70 Questions

Pass4sure CASECURID01.70 Questions Pass4sure.050-80-CASECURID01.70 Questions Number: 050-80-CASECURID01 Passing Score: 800 Time Limit: 120 min File Version: 4.8 http://www.gratisexam.com/ 050-80-CASECURID01 RSA SecurID Certified Administrator

More information

Cisco TEO Adapter Guide for

Cisco TEO Adapter Guide for Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part

More information

OneBridge Mobile Groupware 5.0

OneBridge Mobile Groupware 5.0 OneBridge Mobile Groupware 5.0 release overview Extended Systems 5777 North Meeker Avenue Boise, ID 83713 Tel: (800) 235-7576 (208) 322-7800 Fax: (208) 327-5004 Web: www.extendedsystems.com Rev. 1005 Legal

More information

DIGIPASS Authentication for Citrix Web Interface Guide 3.3

DIGIPASS Authentication for Citrix Web Interface Guide 3.3 DIGIPASS Authentication for Citrix Web Interface Guide 3 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as

More information

User Databases. ACS Internal Database CHAPTER

User Databases. ACS Internal Database CHAPTER CHAPTER 12 The Cisco Secure Access Control Server Release 4.2, hereafter referred to as ACS, authenticates users against one of several possible databases, including its internal database. You can configure

More information

How to enable and read the full trace file for IDENTIKEY Authentication Server 3.4, step by step.

How to enable and read the full trace file for IDENTIKEY Authentication Server 3.4, step by step. KB 160032 How to enable and read the full trace file for IDENTIKEY Authentication Server 3.4, step by step. Creation date: 10/09/2013 Last Review: 10/09/2013 Revision number: 2 Document type: How To Security

More information

SonicWALL CDP 2.1 Agent Tool User's Guide

SonicWALL CDP 2.1 Agent Tool User's Guide COMPREHENSIVE INTERNET SECURITY b SonicWALL CDP Series Appliances SonicWALL CDP 2.1 Agent Tool User's Guide SonicWALL CDP Agent Tool User s Guide Version 2.0 SonicWALL, Inc. 1143 Borregas Avenue Sunnyvale,

More information

...and the value of XML-based graphical applications. a white paper from Corel Corporation

...and the value of XML-based graphical applications. a white paper from Corel Corporation ...and the value of XML-based graphical applications a white paper from Corel Corporation Product specifications, pricing, packaging, technical support and information ( Specifications ) refer to the United

More information

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide Microsoft Office Groove Server 2007 Groove Manager Domain Administrator s Guide Copyright Information in this document, including URL and other Internet Web site references, is subject to change without

More information

Upgrading MYOB BankLink Notes (desktop)

Upgrading MYOB BankLink Notes (desktop) Upgrading MYOB BankLink Notes (desktop) Contents Upgrading MYOB BankLink Notes (desktop)...4 Upgrading MYOB BankLink Notes using the automatic upgrade 4 Upgrading MYOB BankLink Notes when asked to upgrade

More information

AUTOMATED APPOINTMENT REMINDER AND ANNOUNCEMENT SYSTEM

AUTOMATED APPOINTMENT REMINDER AND ANNOUNCEMENT SYSTEM SARS Messages AUTOMATED APPOINTMENT REMINDER AND ANNOUNCEMENT SYSTEM USER MANUAL 2011-2015 by SARS Software Products, Inc. All rights reserved. COPYRIGHT Copyright 2011-2015 SARS Software Products, Inc.

More information

Online Statements Disclosure

Online Statements Disclosure Online Statements Disclosure Rev. 04/30/13 DEFINITIONS "We", "Our", "Us" or "The Bank" mean Central Pacific Bank. "You" and "your" mean the account owner(s) authorized by the Bank to receive account statements

More information

BSE-SINGLE SIGN ON. For Brokers/ Banks/ Mutual Funds

BSE-SINGLE SIGN ON. For Brokers/ Banks/ Mutual Funds BSE-SINGLE SIGN ON For Brokers/ Banks/ Mutual Funds Contents Introduction:... 2 Features:... 2 Advantages:... 2 On-boarding process.... 3 SSO application Login Process... 7 Authentication via OTP... 7

More information

Rapid Recovery License Portal Version User Guide

Rapid Recovery License Portal Version User Guide Rapid Recovery License Portal Version 6.1.0 User Guide 2017 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

SafeNet Authentication Service (SAS) Service Provider Billing and Reporting Guide

SafeNet Authentication Service (SAS) Service Provider Billing and Reporting Guide SafeNet Authentication Service (SAS) Service Provider Billing and Reporting Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries

More information

FIA Electronic Give-Up Agreement System (EGUS) Version 2. Administrator Guide

FIA Electronic Give-Up Agreement System (EGUS) Version 2. Administrator Guide FIA Electronic Give-Up Agreement System (EGUS) Version 2 Administrator Guide 19 November 2007 Copyright Unpublished work 2007 Markit Group Limited FIA EGUS Version 2 Administrator Guide This work is an

More information

Wireless Integration Overview

Wireless Integration Overview Version: 4.1.1 Date: 12/28/2010 Copyright Notice Copyright 2010 by Bradford Networks, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the

More information

Oracle Communications Session Delivery Manager

Oracle Communications Session Delivery Manager Oracle Communications Session Delivery Manager Administration Guide Release 7.3 Formerly Net-Net Central December 2013 Copyright 2013, 2012 Oracle and/or its affiliates. All rights reserved. This software

More information

Knowledge Portal 2.6. Installation and Configuration Guide

Knowledge Portal 2.6. Installation and Configuration Guide Knowledge Portal 2.6 Installation and Configuration Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

ADP Security Management Services

ADP Security Management Services ADP Security Management Services Getting Started Guide for Security Administrators Updated August 2017 Contents Getting Started with Security Management Service... 5 Setting Up Your Organization... 5 Setting

More information

PrintShop Web. Release Notes

PrintShop Web. Release Notes PrintShop Web Release Notes PrintShop Web Release Notes Document version: PSW 2.1 R3250 Date: October, 2007 Objectif Lune - Contact Information Objectif Lune Inc. 2030 Pie IX, Suite 500 Montréal, QC Canada

More information

Token Guide for KT-4 for

Token Guide for KT-4 for Token Guide for KT-4 for Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Token Guide for KT-4 Copyright Copyright 2011. CRYPTOCard Inc.

More information

Active Directory Change Notifier Quick Start Guide

Active Directory Change Notifier Quick Start Guide Active Directory Change Notifier Quick Start Guide Software version 3.0 General Information: info@cionsystems.com Online Support: support@cionsystems.com Copyright 2017 CionSystems Inc., All Rights Reserved

More information

Version 1.1 March 22, Secure Installation and Operation of Your WorkCentre 4250/4260

Version 1.1 March 22, Secure Installation and Operation of Your WorkCentre 4250/4260 Version 1.1 March 22, 2010 Secure Installation and Operation of Your WorkCentre 4250/4260 Secure Installation and Operation of Your WorkCentre 4250/4260 Purpose and Audience This document provides information

More information

NCID Service Desk Guide Version Department of Information Technology As of July 14, 2016

NCID Service Desk Guide Version Department of Information Technology As of July 14, 2016 NCID Service Desk Guide Version 1.10 Department of Information Technology As of July 14, 2016 Document History Version Change Reference Date Author 1.0 Initial draft release 8/25/10 Heather Ferrie 1.1

More information

One Identity Manager 8.0. Target System Base Module Administration Guide

One Identity Manager 8.0. Target System Base Module Administration Guide One Identity Manager 8.0 Target System Base Module Administration Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Dell Statistica. Statistica Enterprise Server Installation Instructions

Dell Statistica. Statistica Enterprise Server Installation Instructions Dell Statistica Statistica Enterprise Server Installation Instructions 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

One Identity Active Roles 7.2. Azure AD and Office 365 Management Administrator Guide

One Identity Active Roles 7.2. Azure AD and Office 365 Management Administrator Guide One Identity Active Roles 7.2 Azure AD and Office 365 Management Administrator Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

Elastic Charging Engine 11.3 RADIUS Gateway Protocol Implementation Conformance Statement Release 7.5

Elastic Charging Engine 11.3 RADIUS Gateway Protocol Implementation Conformance Statement Release 7.5 [1]Oracle Communications Billing and Revenue Management Elastic Charging Engine 11.3 RADIUS Gateway Protocol Implementation Conformance Statement Release 7.5 E72005-01 April 2016 Oracle Communications

More information

One Identity Manager 8.0. Administration Guide for Connecting Unix-Based Target Systems

One Identity Manager 8.0. Administration Guide for Connecting Unix-Based Target Systems One Identity Manager 8.0 Administration Guide for Connecting Unix- Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information