
Digipass Plug-In for SBR (Steel-Belted RADIUS) Product Guide

Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

RADIUS Documentation Disclaimer

The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the RADIUS server and its operation in the VACMAN Middleware environment. It is recommended that further information be gathered from your NAS/RAS vendor for information on the use of RADIUS.

Copyright

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective holders.

Table of Contents

1 Overview
  1.1 What is Digipass Plug-In for SBR?
  1.2 What is a Digipass?
  1.3 Types of Digipass: Hardware Digipass; Software Digipass; Virtual Digipass
  1.4 Software Components: Required Components; Optional Components; Extra Utilities
  1.5 Digipass Plug-In for SBR Data Model: Digipass record; Digipass User account record; Component record; Policy record; Domain record; Organizational Unit record
  1.6 Available Guides
2 Authentication Process
  2.1 Logging in with a Digipass
  2.2 Authentication Process Overview
  2.3 Identifying the Policy: RADIUS Client Policy Lookup
  2.4 Digipass User Account Lookup and Checks: User ID and Domain Resolution (Windows Name Resolution; Simple Name Resolution (ODBC/embedded database only); Default Domain; Active Directory User Account; Summary: Active Directory; Summary: ODBC or Embedded Database); Windows Group Check (optional) ('Pass Back' Mode; 'Reject' Mode; 'Back-End' Mode); Digipass User Account Lookup; Dynamic User Registration
  2.5 Local Authentication: Digipass Lookup; No Digipass User Account; Policy Restrictions; Linked User Accounts; Authentication with Digipass; Server PIN; Grace Period; Challenge Generation; Virtual Digipass OTP Generation (Requesting a Virtual Digipass OTP; User Perspective; Request Method and Keyword); Multiple Digipass or Digipass Applications; Authentication without Digipass (Static Password Verification; Self-Assignment)
  2.6 Back-End Authentication: Stored Static Password; Stored Password Proxy; Password Autolearn
  RADIUS Attributes: RADIUS Attribute Settings; RADIUS Attributes Process; Multiple SBR Plug-Ins
  Supported RADIUS Password Protocols: Unsupported by Digipass Plug-In for SBR; Limitations of RADIUS Password Protocols; Unsupported RADIUS Password Protocols
3 Administration Interfaces
  Administration MMC Interface: Active Directory; ODBC or Embedded Database
  Digipass Extension for Active Directory Users & Computers: Context Menu Extensions (Tree Pane Context Menu Extensions; User Records); Property Sheet Extensions (User Records; Digipass Record Administration; SBR Plug-In Configuration)
  Digipass TCL Command-Line Administration
4 Digipass User Accounts
  Digipass User Account Creation: Manual Creation; Dynamic User Registration; User Self-Management Web Site
  Changes to Stored Static Password: Password Autolearn; User Self-Management Web Site
  Administration Privileges
5 Digipass
  Digipass Record Functions: Reset Application; Set Event Counter; Reset PIN; Force PIN Change; Set PIN; Unlock Digipass; Reset Application Lock; Test a Digipass Application
  5.2 Digipass Programming: Digipass PIN; Time/Event-based Digipass Applications; OTP Length; Challenge Length
  Digipass Record Settings: Time/Event-based Settings; Response Length; Server PIN; Backup Virtual Digipass
  Assigning Digipass to Users: Self-Assignment; Auto-Assignment; Manual Assignment
  Virtual Digipass Implementation Considerations: Digipass Assignment Options (Cost; Security; Convenience); Gateway and account; Limiting Usage of Virtual Digipass; Backup Virtual Digipass Usage Guidelines; Resetting Virtual Digipass Restrictions; Virtual Digipass Login options; Location of OTP Request Site
6 Components
  Pre-loaded Components
  Licensing
7 Policies
  Policy Inheritance
  Show Effective Settings
  Pre-Loaded Policies
  Differences from VACMAN Middleware: Authenticator Setting
Database Integration
  Active Directory: What is Stored in Active Directory?; Schema Extensions; Digipass Records; Location of Digipass Records; Delegated Administration in Active Directory; Typical Digipass Location Models; Search for Digipass Records; Permissions Needed by the SBR Plug-In; Administrative Permissions; Active Directory Command Line Utility
  ODBC or Embedded Database: What is Stored in the Data Store?; Domains and Organizational Units; Location of Digipass Records; Typical Digipass Location Models; Permissions Needed by the SBR Plug-In; Database Command Line Utility; Additional ODBC Databases; Multiple SBR Plug-Ins
  Sensitive Data Encryption
Licensing
  Overview
  Obtaining and Loading a License Key
Auditing and Tracing
  Audit System: Configure Auditing Output; Audit Viewer; Audit message types; Active Directory Auditing
  Tracing
User Self Management Web Site
  What is the User Self Management Web Site?
  Customizing the User Self Management Web Site
OTP Request Site
  What is the OTP Request Site?
  Customizing the OTP Request Site
Message Delivery Component
  What is the Message Delivery Component?
  Configuration
Alphabetical Index

Illustration Index

Image 1: GO
Image 2: GO
Image 3: DP
Image 4: DP
Image 5: DP
Image 6: GO
Image 7: DP
Image 8: Digipass for Pocket PC
Image 9: Digipass for SIM
Image 10: Digipass for Palm
Image 11: Digipass Plug-In for SBR Components
Image 11: Login Method Processes
Image 12: Authentication Process
Image 13: RADIUS Client Policy Lookup
Image 14: Name Resolution, Active Directory
Image 15: Name Resolution, ODBC/Embedded Database
Image 16: Dynamic User Registration Process
Image 17: User Account Link
Image 18: Virtual Digipass login
Image 19: Multiple Digipass Assignment
Image 20: RADIUS Attribute Settings in SBR Plug-In Configuration
Image 21: RADIUS Attribute Settings in Digipass User Properties
Image 22: Set RADIUS Attributes Process
Image 23: Multiple SBR Plug-Ins Using Same User Attributes
Image 24: Multiple SBR Plug-Ins Using Different User Attributes
Image 25: Administration MMC Interface
Image 26: Digipass Extension for Active Directory Users and Computers
Image 27: Self-Assignment Process
Image 28: Auto-Assignment Process
Image 29: Manual Assignment Process
Image 30: Component Overview
Image 31: Policy Inheritance
Image 32: Digipass Record Locations - Digipass Pool
Image 33: Digipass Record Locations - Parent Organizational Unit
Image 34: Digipass Record Locations - Individual Organizational Units
Image 35: Digipass Search window
Image 36: Domain and Organizational Unit Overview
Image 37: Digipass Record Locations - Domain Root
Image 38: Digipass Record Locations - Parent Organizational Unit
Image 39: Digipass Record Locations - Individual Organizational Units
Image 40: Additional ODBC databases
Image 41: Multiple Plug-Ins Using Single Database
Image 42: OTP Request Site

1 Overview

1.1 What is Digipass Plug-In for SBR?

Digipass Plug-In for SBR is a suite of components that work together to add Digipass two-factor authentication to Steel-Belted RADIUS.

1.2 What is a Digipass?

A Digipass is a device for providing a One Time Password to a User. A Digipass is provided to each person whom a company wishes to be able to log into their system using One Time Passwords. The User obtains a One Time Password (OTP) from the Digipass to use instead of, or as well as, a static password when logging in.

Virtual Digipass is a mechanism where an OTP is generated by the server and sent by text message to the User's mobile phone. In this case, a physical Digipass device is not needed.

1.3 Types of Digipass

Each Digipass is programmed with at least one Digipass Application, and a unique algorithm. The Digipass uses this unique algorithm when generating One Time Passwords. Each type of Digipass Application generates One Time Passwords from different data, and in slightly different ways:

Response Only: Creates a One Time Password based on the date and time, or on the number of uses (events).

Challenge/Response: Creates a One Time Password (also referred to as a 'Response' in this context) based on a numerical challenge given on a login page. This may be either a challenge custom-created for the specific Digipass, or a randomly created challenge. The One Time Password may also be based on the date and time.

Digital Signature: Digital Signature Digipass Applications are typically used in online banking. The Digipass generates a unique code, referred to as a 'Digital Signature', based on a number of factors entered, plus (optionally) the date and time, or number of uses (events). In an online banking environment, the factors used to generate the Digital Signature during a funds transfer might be the debit account number, the destination account number and the amount of money being transferred. Digital Signatures are not currently in use with the Digipass Plug-In for SBR.

Hardware Digipass

Hardware Digipass are devices specifically designed for creation of One Time Passwords. Depending on the model supplied, they may be used for Response Only, Challenge/Response and Digital Signature methods. The three basic types of hardware Digipass are:

Digipass without keypads: These are the simplest type of Digipass. They have a triggering mechanism, typically a button or an action such as pulling the Digipass open, which causes a One Time Password to be generated. They have only one Application, which is Response Only. (Image 1: GO 1; Image 2: GO 3)

Digipass with keypads: These are typically capable of supporting more than one Application, and can be programmed so that a PIN must be entered before a One Time Password may be accessed. (Image 3: DP 300; Image 4: DP 585; Image 5: DP 260)

Smartcard reader Digipass: These provide two-factor authentication based on smartcard technology. (Image 6: GO 2; Image 7: DP)

Software Digipass

Software Digipass may be installed on a PDA or other mobile device. The User then accesses a Digipass program to obtain a One Time Password. They typically support Response Only, Challenge/Response and Digital Signature (not supported by Digipass Plug-In for SBR) methods.

Image 8: Digipass for Pocket PC; Image 9: Digipass for SIM; Image 10: Digipass for Palm

Digipass for Pocket PC: Digipass for Pocket PC turns Pocket PCs and smart phones into a personal hardware security device to provide One Time Passwords and Digital Signatures.

Digipass for Palm: Like Digipass for Pocket PC, Digipass for Palm allows generation of One Time Passwords and Digital Signatures from Palm Pilots and other devices utilising the Palm technology.

Digipass for SIM: Digipass for SIM allows a GSM mobile phone SIM card to be used to generate One Time Passwords.

Digipass for Windows: Digipass for Windows can be installed directly onto a PC. One Time Passwords and Digital Signatures can be generated on your computer and pasted into the required login window.

Virtual Digipass

Virtual Digipass can be used instead of hardware Digipass tokens, or as a backup mechanism when a User has mislaid their hardware Digipass. Using Virtual Digipass means that a User may receive a One Time Password on their mobile phone via text message. There are two forms of Virtual Digipass available:

Primary Virtual Digipass are treated by Digipass Plug-In for SBR almost identically to hardware and software Digipass: a record of each Primary Virtual Digipass must be imported into the data store, and may then be assigned to a User automatically or manually. The User will typically log in with their User ID and static password, have a text message sent to their mobile phone, and then enter the One Time Password from the text message in the second stage of their login.

The Backup Virtual Digipass feature allows a User to request a One Time Password sent to their mobile phone if they do not have their usual Digipass at hand. It may be limited by number of uses or days of use, eg. a User may be limited to 2 days' usage, after which they will again need to use their usual Digipass to log in.
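Section 1.3 describes three ways an OTP can be derived (time, event counter, or a challenge) without showing the arithmetic. The following is an added illustration, not VASCO code and not the proprietary Digipass algorithm: it uses the HMAC-SHA1 construction of RFC 4226/6238 (a public analogue) to show how a Response Only token and a Challenge/Response token turn their respective inputs into a short decimal OTP, and how a server verifies an event-based OTP with a look-ahead window so that a captured OTP cannot be replayed. The secret, challenge values and window size are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3): take 4 bytes at an offset
    given by the MAC's last nibble and reduce them to `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _otp(secret: bytes, message: bytes, digits: int) -> str:
    return _truncate(hmac.new(secret, message, hashlib.sha1).digest(), digits)


def event_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Response Only, event-based: the OTP depends on how many times the
    token has been used (8-byte big-endian counter)."""
    return _otp(secret, struct.pack(">Q", counter), digits)


def time_otp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Response Only, time-based: the OTP depends on the current time window."""
    return _otp(secret, struct.pack(">Q", unix_time // step), digits)


def challenge_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Challenge/Response: the OTP depends on a numerical challenge shown on
    the login page. Here the ASCII digits of the challenge are the MAC input
    (an assumption of this example, not the Digipass encoding)."""
    if not challenge.isdigit():
        raise ValueError("challenge must be numeric")
    return _otp(secret, challenge.encode("ascii"), digits)


def verify_event_otp(secret: bytes, candidate: str, last_counter: int,
                     window: int = 10, digits: int = 6) -> Optional[int]:
    """Server-side check for an event-based token. The server keeps the last
    counter it accepted and tries the next `window` counters, because the
    token may have been pressed without a login. Counters at or below
    last_counter are never accepted, so a captured OTP cannot be replayed.
    Returns the counter to store on success, or None."""
    for counter in range(last_counter + 1, last_counter + window + 1):
        if hmac.compare_digest(event_otp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test key); never reuse real keys.
    secret = b"12345678901234567890"
    print("event OTP #0:", event_otp(secret, 0))
    print("accepted at counter:", verify_event_otp(secret, event_otp(secret, 3), 0))
    print("replay of #0 after #3:", verify_event_otp(secret, event_otp(secret, 0), 3))
    print("response to 482913:", challenge_response(secret, "482913"))
```

The replay case is the point a practitioner should take from this: once the server has moved its stored counter past a value, the OTP for that value is dead, which is what makes a "Response Only" event token safe against an attacker who observed an earlier login. The Digipass-specific equivalents of the window (for time as well as event skew) are the Server PIN, Grace Period and Time/Event-based Settings described in later chapters.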

1.4 Software Components

Digipass Plug-In for SBR consists of various components, some necessary and some optional. The diagram below shows an overview of the components, and how they interact.

Image 11: Digipass Plug-In for SBR Components

Required Components

SBR Plug-In: This is a Plug-In for SBR that performs the authentication processing. It can receive authentication requests from SBR and return an Access-Accept (with attributes if available) or Access-Reject.

Data Store: All information required by Digipass Plug-In for SBR is stored in Active Directory or an ODBC-compliant database. An embedded PostgreSQL database option is provided with Digipass Plug-In for SBR. The data store to be used is selected during installation.

Administration MMC Interface: This interface is used in slightly different ways, depending on the data store used by Digipass Plug-In for SBR.
  Active Directory: If Active Directory is used as the data store, the Administration MMC Interface will be used for administration of Policy, Component and Back-End Server records.
  ODBC Database (including embedded database): If an ODBC database is used as the data store, the Administration MMC Interface will be used for administration of all VASCO data.
Regardless of the data store used, administration is carried out by direct connection to the data store.

Active Directory Users and Computers Extension: A VASCO Extension to the Active Directory Users and Computers interface allows administration of additional User settings and Digipass records integrated with standard Active Directory User administration. This is only available when Active Directory is used as the data store for Digipass Plug-In for SBR.

Audit System: The SBR Plug-In provides a comprehensive audit trail of significant processing events such as successful and failed authentication attempts. The audit messages can be written to text files, the Windows Event Log and/or an ODBC-compliant database.

Optional Components

Audit Viewer: The Audit Viewer is a Windows application that can display and filter audit messages from the SBR Plug-In. It can read the data from text files and ODBC databases, or receive a live feed from the SBR Plug-In.

Virtual Digipass: The VASCO components used for Virtual Digipass are:
  Message Delivery Component: This is a Service that is responsible for delivering One Time Passwords through a text message HTTP gateway to a User's mobile phone.
  OTP Request Site: This is a miniature web site that allows a User to request a Virtual Digipass OTP to be sent to their mobile phone.

User Self Management Web Site: This is a miniature web site that allows Users to make appropriate changes to their own Digipass settings, such as PIN changes. This is used in a RADIUS environment, when the normal authentication requests are made using a CHAP-based protocol and therefore PIN changes and other 'self-management' features are not possible (with a CHAP-based protocol the server only receives a hash of what the User typed, so it cannot extract a new PIN from the credential).

Digipass TCL Command-Line Administration: Administration may also be carried out using the Digipass TCL Command-Line Administration Utility, which allows interactive command-line and scripted administration of Digipass Plug-In for SBR data.

Extra Utilities

These extra utilities may be used with Digipass Plug-In for SBR, but require separate installations.

Data Migration Tool: The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your data from one VASCO product to another.

RADIUS Client Simulator: The RADIUS Client Simulator is a program that simulates RADIUS Authentication and Accounting processing in a similar fashion to 'real' RADIUS clients. The RADIUS Client Simulator can be used to test Digipass authentication or to estimate performance.

1.5 Digipass Plug-In for SBR Data Model

The following kinds of record are stored in the Digipass Plug-In for SBR data store:

Digipass record

A Digipass record must exist in the data store for each Digipass in use. This record contains:
  Information about the Digipass (eg. serial number and model)
  The names and programming parameters of Applications in the Digipass
  The status of various options (eg. Digipass lock)
Some of the information in this record is encrypted together in what is called the 'Digipass blob'. There is one 'blob' per Application. See 5 Digipass for more information.

Digipass User account record

Each User who will be logging in using Digipass authentication will require a Digipass User account. The Digipass User account record contains extra information needed by Digipass Plug-In for SBR, such as authentication settings. A Digipass must be assigned to a Digipass User account before it can be used for authentication.

Using Active Directory, a Digipass User account is attached to an Active Directory user account (as an 'auxiliary class'). It is not possible to create a Digipass User account without an Active Directory user account. A Digipass User account is not required for administration, as administrative work is carried out using native Active Directory permissions.

Using a database, Digipass User accounts are stored in a standard database table. They are not linked to any external user accounts. Administrative privileges are assigned to Digipass User accounts and therefore a Digipass User account is needed for each administrator.

See 4 Digipass User Accounts for more information.

Component record

Component records are created to represent:
  SBR Plug-Ins
  Authentication client components: RADIUS Clients, IIS Modules (not required for Digipass Plug-In for SBR)
  Administration client components (not required for Digipass Plug-In for SBR)
They are used for the following main purposes:
  For authentication clients, to indicate that it is permitted to process an authentication request from that client, and to specify an authentication Policy (see below) to be used
  For RADIUS Clients, to hold the Shared Secret
  To hold a license key for SBR Plug-Ins and IIS Modules
See 6 Components for more information.

Policy record

Policies specify various settings that affect the User authentication process. Each authentication request is handled according to a Policy that is identified by the applicable Component record. There are many Policy settings, including the following examples:
  Whether Windows or RADIUS authentication should be used
  Whether various automatic management features should be used
  The Digipass Application types required
  Backup Virtual Digipass settings
See 7 Policies for more information.

Domain record

Domains are handled differently by Digipass Plug-In for SBR depending on the data store used:

Active Directory: Digipass Plug-In for SBR operates within the pre-existing Active Directory domain and Organizational Unit structure. Each Digipass User and Digipass must belong to a domain in Active Directory. User IDs must be unique within a domain, but may be repeated between domains. While Digipass User account and Digipass records can belong to any domain, a single domain is identified during installation as the Digipass Configuration Domain. This domain is used to store the Component, Policy and Back-End Server records. It is also used as a default domain for user lookup, when no domain is specified.

ODBC or Embedded Database: Domains are included to:
  mirror the data structure used in Active Directory (approximately)
  allocate unassigned Digipass records to different Domains, for example to mirror the geographic location of the devices
Domains are created manually using the Administration MMC Interface. Each Digipass User and Digipass must belong to a domain. One domain is identified as the Master Domain; this will be the default domain when none is specified. In addition, administrators in the Master Domain can be given rights to access data in all domains, whereas other administrators are limited to data in their own domain. User IDs must be unique within a domain, but may be repeated between domains. Digipass serial numbers must be unique in the database.

Organizational Unit record

Organizational Units are also handled differently by Digipass Plug-In for SBR depending on the data store used:

Active Directory: Digipass User accounts and Digipass records are normally stored in Organizational Units or the Users container. A special container called Digipass-Pool is created during installation to hold unassigned Digipass, although they can be located in Organizational Units instead. Administration duties may be assigned to administrators per Organizational Unit, in the same way that regular user administration is delegated at that level.

ODBC or Embedded Database: Organizational Units are included to:
  mirror the data structure used in Active Directory (approximately)
  allocate unassigned Digipass records to different Organizational Units, for example to mirror the geographic location of the devices
Digipass User accounts and Digipass records may belong to an Organizational Unit, but this is not mandatory.

1.6 Available Guides

The following guides are available:

Product Guide: The Product Guide will introduce you to the features and concepts of Digipass Plug-In for SBR and the various options you have for using it.

Installation Guide: Use this guide when planning and working through an installation of Digipass Plug-In for SBR.

Getting Started: To get you up and running quickly with a simple installation and setup of Digipass Plug-In for SBR.

Administrator Reference: In-depth information required for administration of Digipass Plug-In for SBR. This includes references such as data attribute lists, backup and recovery and utility commands.

Data Migration Tool Guide: Takes you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.

Help Files: Context-sensitive help accompanies the administration interfaces.

2 Authentication Process

2.1 Logging in with a Digipass

The diagram below shows a typical login process for the three basic login methods supported by Digipass Plug-In for SBR.

Image 11: Login Method Processes

2.2 Authentication Process Overview

SBR Plug-In authenticates logins in two basic ways:
  Using information from its data store ('local' authentication)
  Asking a RADIUS server or Windows for verification of information ('back-end' authentication)
The diagram below shows the basic process followed by the SBR Plug-In when authenticating a Digipass User login.

Image 12: Authentication Process

2.3 Identifying the Policy

The SBR Plug-In identifies the Policy that will direct the remainder of the authentication process directly after the component check. It also checks that the Policy is valid. Normally, the Component record identified in the component check is used to select the Policy. However, this is not always the case.

RADIUS Client Policy Lookup

A RADIUS Client may be a RADIUS server that proxies requests from other sources. If so, you may wish to specify different Policies according to the original sources. This can be done by creating additional RADIUS Client Component records, using the NAS-IP-Address values corresponding to the original sources. For a source that does not include the NAS-IP-Address, the NAS-Identifier value should be used instead. There is no need to set a Shared Secret in these RADIUS Client Component records, as they are there simply to select a Policy and not to authorize requests that come directly from that location. Note that NAS-IP-Address and NAS-Identifier are set by the originating device and forwarded by the proxy, so they are only as trustworthy as the proxy that relays them; they select a Policy, they never authorize the request. The lookup process to identify the Policy for a RADIUS authentication request is shown below.

Image 13: RADIUS Client Policy Lookup
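The lookup above can be modelled as a small function, as an added example that is not VASCO's code and not a transcription of Image 13. It assumes the precedence a practitioner would expect from the text (a record matching NAS-IP-Address, then one matching NAS-Identifier, then the record of the RADIUS Client the packet actually came from) and keeps the security property the text insists on: only a Component record with a Shared Secret can authorize a request, so a Policy-only record for a proxied source is useless to someone who sends to the plug-in directly. The component names, addresses and Policy names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class RadiusClientComponent:
    """One RADIUS Client Component record (constructed for this example).
    Records that only select a Policy for a source behind a proxy carry no
    Shared Secret."""
    location: str                      # IP address or NAS-Identifier the record is keyed on
    policy: str
    shared_secret: Optional[bytes] = None


def component_check(source_ip: str,
                    components: Dict[str, RadiusClientComponent]) -> RadiusClientComponent:
    """Authorize the RADIUS Client the request arrived from. A record without
    a Shared Secret cannot authorize anything, which is what stops a
    Policy-only proxy-source record from being abused directly."""
    client = components.get(source_ip)
    if client is None or client.shared_secret is None:
        raise PermissionError(f"no authorized RADIUS Client component for {source_ip}")
    return client


def select_policy(source_ip: str, attributes: Dict[str, str],
                  components: Dict[str, RadiusClientComponent]) -> str:
    """Return the Policy name for a request. Precedence is an assumption of
    this example: NAS-IP-Address record, then NAS-Identifier record, then
    the direct client's own record."""
    client = component_check(source_ip, components)
    for attr in ("NAS-IP-Address", "NAS-Identifier"):
        value = attributes.get(attr)
        if value is not None and value in components:
            return components[value].policy
    return client.policy


# Constructed component records: one proxying RADIUS server that is a real
# client (has a Shared Secret) and two original sources behind it.
COMPONENTS = {
    "10.0.0.5": RadiusClientComponent("10.0.0.5", "Proxy-Default", b"example-shared-secret"),
    "192.168.1.20": RadiusClientComponent("192.168.1.20", "VPN-Digipass-Only"),
    "branch-office-nas": RadiusClientComponent("branch-office-nas", "Branch-Staged"),
}

if __name__ == "__main__":
    print(select_policy("10.0.0.5", {"NAS-IP-Address": "192.168.1.20"}, COMPONENTS))
    print(select_policy("10.0.0.5", {"NAS-Identifier": "branch-office-nas"}, COMPONENTS))
    print(select_policy("10.0.0.5", {}, COMPONENTS))
```

If you change the precedence (for example to prefer NAS-Identifier), change it in one place and re-run the cases: the one case that must never change is that a packet arriving directly from a Policy-only address is refused.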

2.4 Digipass User Account Lookup and Checks

The SBR Plug-In performs a number of checks before proceeding to local authentication.

User ID and Domain Resolution

In Digipass Plug-In for SBR, Digipass User accounts are identified using a User ID and a Domain, not just a User ID. There are a few ways to do this:

Windows Name Resolution

In Windows environments, there are a few ways to provide these details when logging in:
  Using NT4-style domain qualification in front of the User ID: DOMAIN\userid
  Using the User-Principal-Name as the User ID: user@suffix (note that this is only usable in Active Directory, not NT4 Domains)
  With separate User ID and Domain fields (this is not possible using RADIUS)
When Digipass User accounts correspond to Windows user accounts, the Windows Name Resolution feature can be used to support these three login formats. If Active Directory is the data store, this is done automatically. With ODBC or an embedded database, it is optional whether to use Windows Name Resolution or not. However, if the Windows Name Resolution process is enabled and fails, the login is rejected. Therefore, a login with a User ID that does not correspond to a Windows user account will be rejected.

With this feature enabled, Windows is used to resolve the NT4-style and User-Principal-Name User ID formats. In addition, if an Active Directory Domain name is passed as a separate parameter in short form (eg. VASCO instead of vasco.com), Windows is used to resolve it to the Fully Qualified Domain Name (eg. vasco.com). Otherwise, Windows resolution does not occur.

For ODBC/embedded database, Windows Name Resolution is enabled using the Authentication Server Configuration program. Click the Configure Advanced Settings button on the ODBC Connection tab to get the Advanced Settings dialog; check the Use Windows User Name Resolution checkbox.

Simple Name Resolution (ODBC/embedded database only)

When Windows Name Resolution is not used, the following formats are available:
  Using a similar format to User-Principal-Name: user@domain
  With separate User ID and Domain fields (this is not possible using RADIUS)
If the user@domain format is used for the User ID, the SBR Plug-In will look for a Domain record with the name given after the '@'. If the Domain is found, the '@domain' part will be stripped from the User ID before the authentication process continues. If it is not found, the User ID will be left as user@domain, and no Domain will be identified. In that case, the Default Domain processing will be used, as described next.

Default Domain

Using either Windows or Simple Name Resolution, if none of the above formats are used, only the User ID is given, with no Domain qualification. It is still necessary to identify the Domain in order to look up the Digipass User account. The Default Domain can be configured in the following ways:

  In the Policy record, the Default Domain field can be set. If this is set, it will be used when no Domain has been identified by the Windows or Simple Name Resolution.
  Using Active Directory as the data store, when the Policy has no Default Domain set, the Digipass Configuration Domain will be used.
  Using an ODBC or embedded database as the data store, when the Policy has no Default Domain set, the Master Domain will be used.

Active Directory User Account

When Active Directory is used as the data store, Digipass User accounts are always attached to Active Directory User accounts. Therefore, if an authentication request is received for a User who does not have an account in Active Directory, the request is rejected. This is not mandatory for an ODBC or embedded database.
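The Simple Name Resolution and Default Domain rules above are precise enough to code directly. The function below is an added example, not VASCO's implementation; it models the ODBC/embedded-database case only (Windows Name Resolution needs a Windows domain to answer, so it is not modelled), and it assumes Domain record names are compared case-insensitively, which the page does not state. The Domain records and logins are constructed. Note the edge case the text calls out: a login such as bob@nowhere.example, where no Domain record matches, keeps the whole string as the User ID and is looked up in the Default Domain.

```python
from typing import Optional, Set, Tuple


def resolve_user(login: str,
                 domain_records: Set[str],
                 master_domain: str,
                 policy_default_domain: Optional[str] = None,
                 explicit_domain: Optional[str] = None) -> Tuple[str, str]:
    """Simple Name Resolution for an ODBC/embedded data store.

    Returns the (user_id, domain) pair used to look up the Digipass User
    account. `explicit_domain` models a separate Domain field, which the
    page notes is not available over RADIUS. Case-insensitive domain
    matching is an assumption of this example.
    """
    domains = {d.lower() for d in domain_records}

    # 1. A separate Domain field wins outright.
    if explicit_domain is not None:
        return login, explicit_domain.lower()

    # 2. user@domain: strip the suffix only if a matching Domain record exists.
    if "@" in login:
        user_part, _, domain_part = login.rpartition("@")
        if domain_part.lower() in domains:
            return user_part, domain_part.lower()
        # No Domain record: the User ID stays as user@domain and no Domain
        # has been identified, so the Default Domain rule applies below.

    # 3. Default Domain: the Policy's Default Domain if set, else the Master Domain.
    return login, (policy_default_domain or master_domain).lower()


# Constructed Domain records for the examples.
DOMAIN_RECORDS = {"vasco.com", "branch.local"}
MASTER_DOMAIN = "vasco.com"

if __name__ == "__main__":
    for login in ("alice@branch.local", "bob@nowhere.example", "carol"):
        print(login, "->", resolve_user(login, DOMAIN_RECORDS, MASTER_DOMAIN))
```

A practical consequence worth testing in your own deployment: if a Domain record is later created for a suffix that Users were already logging in with as a literal user@domain User ID, those Users will from then on be resolved into that Domain and their existing accounts in the Default Domain will no longer be found.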

Summary: Active Directory

The full process of User ID and Domain name resolution is illustrated in the following diagram, for the case where Active Directory is the data store:

Image 14: Name Resolution, Active Directory

Summary: ODBC or Embedded Database

The full process of User ID and Domain name resolution is illustrated in the following diagram, for the case where an ODBC or embedded database is the data store:

Image 15: Name Resolution, ODBC/Embedded Database

25 Authentication Process Windows Group Check (optional) Specific Windows Groups can be selected for authentication by the SBR Plug-In. This Windows Group Check feature might be used when: Deploying Digipass in stages. Users are not required to log in using a Digipass until they are put into a Windows group. They can be put into the group in manageable stages. Two-factor authentication is needed only for access to sensitive data, which has been granted to certain Users (for example, administrators). Only this group of people will require Digipass, and will be authenticated by the SBR Plug-In. Other Users will be authenticated by another authentication method. Most Users will have Digipass and be permitted to log in to the system, but some Users should not be authenticated under any circumstances. Authentication is needed for the live Audit Viewer connection to the SBR Plug-In, when using Active Directory as the data store. The Group Check can be used to limit which users are allowed to connect, for example to the Domain Admins group. When the Group Check is active, Users who are in one of the defined groups go through the full authentication process. However, there are a few Group Check Modes that control the outcome for Users who are not in one of the groups. The Group Check Mode is defined in the Policy. One or more Windows Group names must be defined in a Group List in the Policy. Group membership is checked within the User's own domain only, therefore these Groups must exist in each domain where there are Users who need to be included in a Group. Note It is important to note that when the Group Check is used, if the Group Check fails, the login will fail. This will occur for a user who is unknown to Windows. 
The following Group Check Modes are available:

'Pass Back' Mode

The full name in the Policy property sheet for this mode is: Pass requests for users not in listed groups back to host system

The SBR Plug-In does not handle authentication for Users who are not in one of the defined groups. These Users are handled by Steel-Belted RADIUS. In effect, this means that they do not need to have Digipass User accounts and they do not need to use a Digipass to log on. As soon as the Group Check indicates that the User is not to be handled, authentication processing stops and the 'not handled' result is returned.

This mode is suitable for staged deployment of Digipass and for the case where only certain Users need strong (Digipass) authentication.

'Reject' Mode

The full name in the Policy property sheet for this mode is: Reject requests for users not in listed groups

The SBR Plug-In rejects authentication immediately for Users who are not in one of the defined groups.

This mode is suitable for restricting which Users are permitted to log in.

'Back-End' Mode

The full name in the Policy property sheet for this mode is: Use only Back-End Authentication for users not in listed groups

This mode can be used when Back-End Authentication is set up (see 2.6 Back-End Authentication). The SBR Plug-In will use only Back-End Authentication for Users who are not in one of the defined groups. Back-End Authentication will be used for the out-of-group Users even if the Policy setting for Back-End Authentication is None. In that case, the in-group Users would be authenticated only by Local Authentication, while the out-of-group Users would be authenticated only by Back-End Authentication. However, the Back-End Protocol Policy setting must still be defined.

This mode is suitable for staged deployment of Digipass and for the case where only certain Users need strong (Digipass) authentication.
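The three Group Check Modes above reduce to one decision per request. The following is an added example (not the product's own code) that works through that decision: the Windows group lookup is stood in for by a constructed dictionary keyed by (domain, user), the Policy values are invented, and the outcome names are this example's own. It also handles the two edge cases the guide calls out: a User unknown to Windows fails the Group Check outright, and Back-End Mode cannot be used without a Back-End Protocol setting.

```python
"""Windows Group Check decision (added example; group data and Policy are constructed)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class GroupCheckMode(Enum):
    PASS_BACK = "Pass requests for users not in listed groups back to host system"
    REJECT = "Reject requests for users not in listed groups"
    BACK_END = "Use only Back-End Authentication for users not in listed groups"


class Outcome(Enum):
    FULL_AUTHENTICATION = "full"      # in a listed group: normal processing continues
    NOT_HANDLED = "not handled"       # handed back to Steel-Belted RADIUS
    REJECT = "reject"
    BACK_END_ONLY = "back-end only"   # Local Authentication is skipped


@dataclass
class Policy:
    group_check_mode: Optional[GroupCheckMode]   # None: Group Check not active
    group_list: List[str] = field(default_factory=list)
    back_end_protocol: Optional[str] = None      # "Windows", or None when not defined


# Constructed Windows group memberships keyed by (domain, user). Membership is checked
# in the user's own domain only, so the group must exist in every domain that holds
# users to be included: SALES below has no "Digipass Users" group at all.
WINDOWS_GROUPS: Dict[Tuple[str, str], Set[str]] = {
    ("CORP", "alice"): {"Domain Users", "Digipass Users"},
    ("CORP", "bob"): {"Domain Users"},
    ("SALES", "carol"): {"Domain Users"},
}


def group_check(domain: str, user_id: str, policy: Policy) -> Outcome:
    """Apply the Group Check for one authentication request."""
    if policy.group_check_mode is None:
        return Outcome.FULL_AUTHENTICATION
    if policy.group_check_mode is GroupCheckMode.BACK_END and policy.back_end_protocol is None:
        # Back-End Mode relies on Back-End Authentication, which needs a protocol setting
        raise ValueError("Back-End Mode requires the Back-End Protocol Policy setting")
    groups = WINDOWS_GROUPS.get((domain, user_id))
    if groups is None:
        # user unknown to Windows: the Group Check itself fails, so the login fails
        return Outcome.REJECT
    if groups.intersection(policy.group_list):
        return Outcome.FULL_AUTHENTICATION
    return {
        GroupCheckMode.PASS_BACK: Outcome.NOT_HANDLED,
        GroupCheckMode.REJECT: Outcome.REJECT,
        GroupCheckMode.BACK_END: Outcome.BACK_END_ONLY,
    }[policy.group_check_mode]
```

In a staged deployment the Policy would use Pass Back mode with a single group such as "Digipass Users"; moving a User into that group in their own domain is what switches them from RADIUS-handled to Digipass-authenticated.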

Digipass User Account Lookup

The SBR Plug-In checks that the User attempting to log in has a Digipass User account in the Digipass Plug-In for SBR data store. The User ID and Domain Resolution performed earlier determines the search criteria to look up the Digipass User account.

If a Digipass User account is found, the Disabled and Locked indicators are checked. If either is set to Yes, the authentication request is rejected immediately.

If no Digipass User account is found, then Policy settings will determine whether the SBR Plug-In continues processing or rejects the authentication request:

- If Local Authentication is required, a Digipass User account must exist. It is only possible to proceed if the Dynamic User Registration feature is enabled. This is explained further below.
- If Local Authentication is not required, authentication processing can proceed without a Digipass User account.

If the Local Authentication Policy setting is None, no Local Authentication is required. If it is set to Digipass/Password or Digipass Only, Local Authentication is required.

Dynamic User Registration

Dynamic User Registration (DUR) allows Digipass User accounts to be created automatically when their credentials are validated by Back-End Authentication (i.e. by Windows or a RADIUS server). The correct static password will be sufficient to permit a Digipass User account to be created. DUR saves the administrative work of manually creating or importing Digipass User accounts. It is typically used in conjunction with:

- the Digipass Auto-Assignment feature, which will assign the next available Digipass to the new Digipass User account as it is created, or
- the Digipass Self-Assignment feature, which will allow the new User to assign a Digipass to their account as part of their login process.

For more details on these Digipass assignment features, see 5 Digipass.
In order to control the creation of new accounts, DUR can be used with:

- the Windows Name Resolution feature (this is mandatory for Active Directory); this will prevent more than one Digipass User account being created for the same Windows User account, when they use different User ID formats to log in;
- the Windows Group Check feature, so that a staged creation of Digipass User accounts and assignment of Digipass is achieved.

A typical DUR process using Auto-Assignment and the Windows Group Check is illustrated below.

Image 16: Dynamic User Registration Process

2.5 Local Authentication

Local Authentication is a term used to describe the SBR Plug-In authenticating a User based on information in its data store. Typically the Digipass One Time Password is required, but in other cases a static password may be sufficient.

The Local Authentication Policy setting indicates whether to perform Local Authentication, and if so, whether a static password is permitted. This setting is overridden by the same setting in the Digipass User account, unless that has the value Default. However, this setting in the Digipass User account would typically be used only for rare special case Users. Using the Windows Group Check in Back-End Mode, this setting can also be overridden: if a User is not in the list of groups, no Local Authentication will be performed.

The possible values for the Local Authentication setting are as follows:

None: No Local Authentication will take place.

Digipass/Password: A Digipass One Time Password or static password may be verified. As a general rule, until a User starts to use a Digipass, they may continue to authenticate with their static password.

Digipass Only: A Digipass One Time Password must be verified. Users without Digipass will not be able to log in. However, Self-Assignment is still possible, as an OTP is used as part of the process.

Digipass Lookup

The first step of Local Authentication is to search for Digipass records applicable to the login. Normally, this is a simple search for all Digipass assigned to the Digipass User account. However, there are exceptions:

No Digipass User Account

If there is no Digipass User account, no search will be done. This can occur if Dynamic User Registration is enabled.

Policy Restrictions

The Policy can specify restrictions on which types of Digipass and/or Digipass Applications may be used. Any combination of the following restrictions can be defined:

Application Names: a list of named Applications. Only Digipass that have one or more of the named Applications will be usable.

Application Type: either Response Only or Challenge/Response (Signatures are not currently supported in Digipass Plug-In for SBR). Only Digipass with that Application Type will be usable.

Digipass Type: a list of models such as DPGO3, DP260. Only Digipass from the listed models will be usable.

Therefore, it is possible that a Digipass User account that has a Digipass assigned is not able to use that Digipass to log in, when a certain Policy applies. They will be regarded as a User without a Digipass in that case. In a different kind of login, a different Policy may apply, with no restrictions. Then they would be treated as a User with a Digipass.

For example, a company has Go 3 Digipass (DPGO3) and Primary Virtual Digipass (DPVTL). The Outlook Web Access login permits both, so its Policy does not restrict Digipass Types. However the RADIUS VPN login requires the Go 3, so its Policy specifies Digipass Type = DPGO3.

Linked User Accounts

If a person has two Digipass User accounts, for example an administrative account and a 'normal user' account, the two accounts can be linked together. This provides the ability for the two accounts to share a Digipass. The Digipass is assigned to one of the accounts, then the other account is linked to it.

Image 17: User Account Link

When an authenticating Digipass User account is linked to another, the search for Digipass will be done for the other account. In the example above, Digipass User account 2 is linked to Digipass User account 1. The Digipass is assigned to Digipass User account 1. When Digipass User account 1 logs in, the Digipass search is for that account. When Digipass User account 2 logs in however, the Digipass search is for Digipass User account 1.

Authentication with Digipass

When the Digipass lookup returns at least one Digipass record, authentication processing requires a valid One Time Password to succeed, unless:

- All Digipass found are within a Grace Period. This feature is described below.
- The User successfully requests a Challenge for Challenge/Response (see below).
- The User successfully requests a Virtual Digipass One Time Password (see below).

Server PIN

A Server PIN may be required in addition to the One Time Password. The Server PIN is entered during login together with the OTP, as opposed to a Digipass PIN, which is entered into the Digipass device itself. In some cases a new Server PIN may need to be set. This gives the following permutations:

OTP: the normal login where a Server PIN is not required.
PINOTP: the normal login where a Server PIN is required.
PINOTPnewpinnewpin: to change the Server PIN, the new PIN is put twice after the OTP.
OTPnewpinnewpin: to set the Server PIN on first use, when no initial PIN was programmed, the new PIN is put twice after the OTP. This is also necessary after an administrative PIN reset.

Grace Period

Each Digipass may be given a Grace Period when it is assigned to a Digipass User account. The Grace Period is there to allow some time before the User receives the Digipass and learns how to use it. The first time that the User logs in successfully with their Digipass, the Grace Period is ended. After that, they have to continue to use the Digipass. The Grace Period is time limited, so that the User is not able to delay too long before they start to use the Digipass.

The Grace Period can be set during manual administrative assignment of Digipass as well as during Auto-Assignment. However, it is not applicable to Self-Assignment, because the User must use the Digipass to complete the Self-Assignment process. The Grace Period cannot apply when the Local Authentication setting is Digipass Only.

During the Grace Period, if OTP validation fails, the static password is checked. If the static password is valid, Local Authentication succeeds (but note that Back-End Authentication, if used, can subsequently still cause the overall login to fail). The password is compared against the Digipass User account's password value. However, if the Digipass User account does not have a password set, the password has to be verified with Back-End Authentication. If there is no Back-End Authentication and no password in the Digipass User account, Grace Period password logins will not work. If the passwords do not match and Back-End Authentication is enabled, the password will be verified with Back-End Authentication.

Challenge Generation

There are two modes of Challenge generation for Challenge/Response:

2-Step Challenge/Response

This is the only mode possible for RADIUS, but it can also be used for Web authentication where Challenge/Response is supported (IIS6 form-based authentication). In this mode, the authentication process takes place in two steps. First, the User requests a Challenge to be generated for them. The Policy defines how this request should be made, with the Request Method and Request Keyword settings (see below for more details on Request Methods). The Challenge is generated specifically for their Digipass, according to its programming. Assuming that the request for the Challenge is accepted and a Challenge is returned, the User submits a second step login with the Response to the Challenge as their OTP. This second step goes through the whole authentication process again to verify the Response.

1-Step Challenge/Response

This mode is possible for Web authentication, where Challenge/Response is supported (IIS6 form-based authentication). In this mode, the User sees only one logon step. A random Challenge is requested automatically by the IIS Module and presented to the User on the login page. A general-purpose Challenge is generated, without reference to any particular Digipass' programming. The User logs in with their Response to the Challenge as their OTP.

This mode is suitable for time-based Challenge/Response, but is less secure for non-time-based Challenge/Response: because the Challenge is general-purpose and can be requested at will, an attacker who has captured some valid Challenge/Response pairs can repeatedly request new Challenges until one they already hold a Response for comes up again.

Virtual Digipass OTP Generation

Using Virtual Digipass, the authentication process takes place in two steps. First, the User requests an OTP to be generated and delivered to them. The Policy defines how this request should be made, with the Request Method and Request Keyword settings (see below for more details on Request Methods).

The OTP is generated specifically for their Digipass, according to its programming. It is sent to their mobile phone number, as recorded in the Digipass User account. Backup Virtual Digipass has additional restrictions on usage, to keep the cost of text messages down. These are verified before an OTP will be generated. These restrictions are described in 5 Digipass.

Assuming that the request for the OTP is accepted and an OTP is generated and delivered successfully, the User submits a second step login with the OTP. This second step goes through the whole authentication process again to verify the OTP. This process is illustrated below:

Image 18: Virtual Digipass login

Requesting a Virtual Digipass OTP: User Perspective

There are three ways a User might request a One Time Password to be delivered with either a Primary or Backup Virtual Digipass:

2-step Login: Two login prompts are used to provide an easy-to-use login interface for Users with Virtual Digipass. The first prompt is used to request an OTP, the second to enter the received OTP. This can be used with applications which support 2-step logins, e.g. Citrix Web Interface, RADIUS with support for Challenge/Response.

Two 1-step Logins: The User must attempt two logins, the first of which will fail but will initiate the sending of an OTP to the User's mobile. This is used when the 2-step login process is not supported, e.g. RADIUS without support for Challenge/Response, Web HTTP Basic Authentication.

OTP Request Site: Alternatively, especially if a more user-friendly option than the previous one is needed, Users can go to the OTP Request site when they need an OTP sent to their mobile phone, then log in normally at the usual login screen.

Request Method and Keyword

For 2-Step Challenge/Response and Virtual Digipass, the method of requesting a Challenge or OTP respectively can be defined in the Policy. The methods for Primary Virtual Digipass and Backup Virtual Digipass are defined separately. The request methods are:

Password: the static password.
Keyword: a fixed keyword, which can be blank.
PasswordKeyword: the static password followed by a fixed keyword, with no whitespace or separating characters in between.
KeywordPassword: a fixed keyword followed by the static password, with no whitespace or separating characters in between.
None: no method; the feature is disabled.

The static password in the request method is compared against the Digipass User account's password value. However, if the Digipass User account does not have a password set, the password has to be verified with Back-End Authentication. If there is no Back-End Authentication and no password in the Digipass User account, the request methods that use a password will not work. If the passwords do not match and Back-End Authentication is enabled, the password will be verified with Back-End Authentication.

The methods of requesting these three login processes can be the same. When it recognizes a request, the SBR Plug-In will verify that there is a Digipass capable of that login process. If there is not, it will ignore the request. For example, say that the request methods for Primary and Backup Virtual Digipass are both defined as the keyword otp. A User has a Go 3 with Backup Virtual Digipass enabled. When they log in with the keyword otp, the SBR Plug-In will produce a Backup Virtual Digipass OTP, because the User does not have a Primary Virtual Digipass.
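The recognition step above is easy to get subtly wrong when the three request methods overlap, so here it is worked through as an added example (not the product's own code). The password check follows the guide's rule: compare against the account password first, then fall back to Back-End Authentication when no password is stored or the comparison fails and Back-End Authentication is enabled. The Policy layout, the capability names and the order in which the three processes are tried (Challenge, then Primary Virtual Digipass, then Backup Virtual Digipass) are this example's own assumptions.

```python
"""Request Method recognition for Challenge and Virtual Digipass OTP requests (added example)."""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass
class RequestMethod:
    method: str        # "Password", "Keyword", "PasswordKeyword", "KeywordPassword" or "None"
    keyword: str = ""  # the fixed keyword; may be blank


@dataclass
class Policy:                    # assumed layout: one method per process
    challenge_request: RequestMethod
    primary_vdp_request: RequestMethod
    backup_vdp_request: RequestMethod


@dataclass
class DigipassUser:
    stored_password: Optional[str]   # account password value, None when not set
    capabilities: Set[str]           # assumed names: "challenge_response", "primary_vdp", "backup_vdp"


def _password_ok(user: DigipassUser, candidate: str,
                 backend_verify: Optional[Callable[[str], bool]]) -> bool:
    """Account password comparison, then Back-End Authentication if available."""
    if user.stored_password is not None and hmac.compare_digest(
            candidate.encode(), user.stored_password.encode()):
        return True
    if backend_verify is None:       # no Back-End Authentication and no match: cannot succeed
        return False
    return backend_verify(candidate)


def matches(rm: RequestMethod, entered: str, user: DigipassUser,
            backend_verify: Optional[Callable[[str], bool]]) -> bool:
    """Does the entered password field match this Request Method?"""
    if rm.method == "None":
        return False
    if rm.method == "Keyword":
        return entered == rm.keyword
    if rm.method == "Password":
        return _password_ok(user, entered, backend_verify)
    if rm.method == "PasswordKeyword":
        if not entered.endswith(rm.keyword):
            return False
        return _password_ok(user, entered[:len(entered) - len(rm.keyword)], backend_verify)
    if rm.method == "KeywordPassword":
        if not entered.startswith(rm.keyword):
            return False
        return _password_ok(user, entered[len(rm.keyword):], backend_verify)
    raise ValueError(f"unknown request method {rm.method}")


def classify_request(policy: Policy, entered: str, user: DigipassUser,
                     backend_verify: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Return "challenge", "primary_vdp_otp" or "backup_vdp_otp", or None if the field is not
    a recognised request. A match is ignored when no Digipass of the user supports that process,
    which is what makes a shared keyword like "otp" safe for Primary and Backup Virtual Digipass."""
    candidates = (
        (policy.challenge_request, "challenge_response", "challenge"),
        (policy.primary_vdp_request, "primary_vdp", "primary_vdp_otp"),
        (policy.backup_vdp_request, "backup_vdp", "backup_vdp_otp"),
    )
    for rm, capability, name in candidates:
        if matches(rm, entered, user, backend_verify) and capability in user.capabilities:
            return name
    return None
```

When a request is not recognised the field is treated as an ordinary OTP or static password and normal authentication processing continues, so a User whose Request Method is Password and who types the wrong password simply fails the login rather than being told which path was attempted.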

Multiple Digipass or Digipass Applications

A Digipass User may have multiple Digipass assigned to their User account, and/or multiple Applications enabled for a Digipass. If so, the SBR Plug-In will need to know which Digipass and Digipass Application will be used for a particular login for the User.

Image 19: Multiple Digipass Assignment

Once the Policy restrictions on Applications and Digipass Types are taken into account, there may still be more than one Digipass Application that could be used. In that case, the SBR Plug-In will check the OTP with each one. Any one of them can validate the OTP.

A Grace Period may be applied to each Digipass assigned to a Digipass User. Because an applied Policy might restrict which Digipass can be used during a login, the Grace Period on each Digipass is independent of other Digipass. This means that if a User is assigned two Digipass, each with a Grace Period of seven days, the User may log in using one Digipass within the seven-day period (ending the Grace Period for that Digipass) without affecting the Grace Period for the other Digipass.

Example

The company has set up Policies which require a Response Only login via the local area network, and a Challenge/Response login via the internet limited to certain employees. John has two Digipass assigned to him: a DP300 with the Challenge/Response application enabled, and a Go 3 with a Response Only application. The Digipass are both assigned on Tuesday. John receives his Go 3 on Friday, and immediately uses an OTP to log in. His Grace Period for the Go 3 ends at that time; in future he must use the Go 3 when logging into the intranet from the LAN.

Over the weekend, John needs to access the company intranet from home. Because a Challenge/Response login is required via the internet and he does not yet have his DP300, he uses only his User ID and static password to log in. As he is still within the Grace Period for the DP300, the login is valid.
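The John scenario combines three mechanisms from this chapter: the Policy restrictions from Digipass Lookup, the try-each-Application rule for multiple Digipass, and the per-Digipass Grace Period fallback to a static password. The following added example (not the product's own code) runs them together. OTP verification is a stand-in, each Application carrying a callable that accepts one constructed OTP value, and the static password check is likewise a callable standing in for the account-password comparison and Back-End Authentication the guide describes. Serial numbers, models and the seven-day dates are constructed.

```python
"""Local Authentication across several Digipass with Policy restrictions and independent
Grace Periods (added example; OTP and password verification are stand-ins)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple


@dataclass
class Application:
    name: str                        # e.g. "RO1"
    app_type: str                    # "Response Only" or "Challenge/Response"
    verify: Callable[[str], bool]    # stand-in for OTP verification against this Application


@dataclass
class Digipass:
    serial: str
    model: str                       # e.g. "DPGO3", "DP300"
    applications: List[Application]
    grace_until: Optional[datetime] = None   # None: no Grace Period, or already ended


@dataclass
class Policy:
    application_names: Optional[List[str]] = None   # each restriction: None = unrestricted
    application_type: Optional[str] = None
    digipass_types: Optional[List[str]] = None
    local_authentication: str = "Digipass/Password"  # or "Digipass Only"


def usable_applications(policy: Policy, digipasses: List[Digipass]):
    """Apply the Policy restrictions; every (Digipass, Application) pair left may validate the OTP."""
    pairs = []
    for dp in digipasses:
        if policy.digipass_types and dp.model not in policy.digipass_types:
            continue
        for app in dp.applications:
            if policy.application_names and app.name not in policy.application_names:
                continue
            if policy.application_type and app.app_type != policy.application_type:
                continue
            pairs.append((dp, app))
    return pairs


def local_authenticate(policy: Policy, digipasses: List[Digipass], credential: str,
                       static_password_ok: Callable[[str], bool],
                       now: datetime) -> Tuple[str, Optional[str]]:
    """Return (result, serial). result is "otp", "grace_password", "no_digipass" or "reject".
    credential is the password-field content: an OTP, or possibly the static password while
    every usable Digipass is still within its Grace Period."""
    pairs = usable_applications(policy, digipasses)
    if not pairs:
        return "no_digipass", None        # treated as a User without a Digipass under this Policy
    for dp, app in pairs:
        if app.verify(credential):
            dp.grace_until = None         # first successful OTP login ends this Digipass' Grace Period only
            return "otp", dp.serial
    # OTP failed: the static password is accepted only if all usable Digipass are in Grace Period
    all_in_grace = all(dp.grace_until is not None and now <= dp.grace_until for dp, _ in pairs)
    if (policy.local_authentication != "Digipass Only" and all_in_grace
            and static_password_ok(credential)):
        return "grace_password", None
    return "reject", None
```

The point the example makes concrete is that the Grace Period fallback is evaluated over the Digipass left after the Policy filter, which is why John's Friday Go 3 login does not remove his weekend static-password access through the Challenge/Response Policy, while it does remove it on the LAN.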

Authentication without Digipass

When the Digipass lookup does not return a Digipass record, authentication processing requires a static password check to succeed. In addition, Self-Assignment is possible when the Digipass lookup does not return any Digipass.

Static Password Verification

The password is compared against the Digipass User account's password value. If the static password is valid, Local Authentication succeeds (but note that Back-End Authentication, if used, can subsequently still cause the overall login to fail). However, if the Digipass User account does not have a password set, the password has to be verified with Back-End Authentication. If there is no Back-End Authentication and no password in the Digipass User account, authentication without Digipass cannot work. Similarly, during Dynamic User Registration, where there is no Digipass User account yet, the password has to be verified with Back-End Authentication. If the passwords do not match and Back-End Authentication is enabled, the password will be verified with Back-End Authentication.

If the Local Authentication setting is Digipass Only, static password verification on its own is not permitted. An OTP must be used during login. This is possible using Self-Assignment.

Self-Assignment

A User is able to assign a Digipass to their Digipass User account using the Self-Assignment mechanism, when permitted by the Policy settings. The Assignment Mode setting must be Self-Assignment. In order for Self-Assignment to succeed, the User needs to provide the following:

- A static password, validated by Back-End Authentication.
- The Serial Number of an available Digipass record.
- A valid OTP for the Digipass.
- A new Server PIN, if required.

The Self-Assignment process is possible during Dynamic User Registration. It is also possible when the Local Authentication setting is Digipass Only.

Response Only

For a Digipass that supports Response Only, the User needs to enter the following in the password login field, depending on whether a Server PIN is needed or not:

SERIALNUMBERpasswordOTP: where a Server PIN is not required.
SERIALNUMBERpasswordPINOTP: where a Server PIN is required.
SERIALNUMBERpasswordOTPnewpinnewpin: where a Server PIN is required and no initial PIN was set.

Challenge/Response

For a Digipass that supports only Challenge/Response, this process requires two steps. In the first step, the static password and Serial Number are given. This results in a Challenge being returned. If the correct Response is given to the Challenge, the Self-Assignment is successful.

Step 1: SERIALNUMBERpassword
Step 2: OTP

Serial Number Format

The SERIALNUMBER may be entered in one of two formats, depending on the Serial No. Separator Policy setting:

No separator specified: the full 10 digit Serial Number must be entered, with no dashes (-) or spaces.
Separator value specified: the Serial Number can be entered as written on the back of the Digipass.
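All of the password-field formats in this chapter (the Server PIN permutations OTP, PINOTP, PINOTPnewpinnewpin and OTPnewpinnewpin, and the Self-Assignment forms SERIALNUMBERpassword[PIN]OTP[newpinnewpin] and SERIALNUMBERpassword) are plain concatenations with no separators, so they can only be split when the server knows the field lengths. The following added example (not the product's own code) parses them under that assumption: a fixed OTP length and Server PIN length (6 and 4 here, invented values), a 10 digit Serial Number as the guide states, and an account state telling the parser whether a Server PIN is required and whether one is set. Whether a given serial belongs to a Challenge/Response-only Digipass is passed in by the caller, since that comes from the Digipass record lookup.

```python
"""Parser for the concatenated password-field login permutations (added example).
Assumes fixed OTP and Server PIN lengths known to the server; the product's real lengths
are not stated in the guide."""
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_LEN = 6       # assumed OTP length
PIN_LEN = 4       # assumed Server PIN length
SERIAL_LEN = 10   # full 10 digit Serial Number, per the guide


@dataclass
class Parsed:
    kind: str                       # "otp", "self_assign_ro" or "self_assign_cr_step1"
    otp: Optional[str] = None
    pin: Optional[str] = None
    new_pin: Optional[str] = None
    serial: Optional[str] = None
    password: Optional[str] = None


def parse_pin_otp(cred: str, pin_required: bool, pin_set: bool) -> Parsed:
    """OTP | PINOTP | PINOTPnewpinnewpin | OTPnewpinnewpin."""
    base = OTP_LEN + (PIN_LEN if pin_required and pin_set else 0)
    extra = len(cred) - base
    new_pin = None
    if extra == 2 * PIN_LEN:                         # trailing newpinnewpin present
        first, second = cred[-2 * PIN_LEN:-PIN_LEN], cred[-PIN_LEN:]
        if first != second:
            raise ValueError("new PIN entries differ")
        new_pin, cred = first, cred[:-2 * PIN_LEN]
    elif extra != 0:
        raise ValueError("unexpected credential length")
    if pin_required and not pin_set and new_pin is None:
        raise ValueError("Server PIN must be set on first use (OTPnewpinnewpin)")
    pin = None
    if pin_required and pin_set:
        pin, cred = cred[:PIN_LEN], cred[PIN_LEN:]
    if len(cred) != OTP_LEN or not cred.isdigit():
        raise ValueError("malformed OTP")
    return Parsed("otp", otp=cred, pin=pin, new_pin=new_pin)


def _split_serial(field: str, separator: str) -> Tuple[str, str]:
    """Consume 10 serial digits from the front, tolerating the configured separator character."""
    digits, i = "", 0
    while i < len(field) and len(digits) < SERIAL_LEN:
        ch = field[i]
        if ch.isdigit():
            digits += ch
        elif not (separator and ch == separator):
            raise ValueError("invalid Serial Number")
        i += 1
    if len(digits) != SERIAL_LEN:
        raise ValueError("Serial Number must be 10 digits")
    return digits, field[i:]


def parse_self_assignment(field: str, separator: str, pin_required: bool, pin_set: bool,
                          cr_only: bool = False) -> Parsed:
    """SERIALNUMBERpassword[PIN]OTP[newpinnewpin] for Response Only, or SERIALNUMBERpassword
    (step 1) when the Digipass with that serial supports only Challenge/Response."""
    serial, rest = _split_serial(field, separator)
    if cr_only:
        if not rest:
            raise ValueError("static password missing")
        return Parsed("self_assign_cr_step1", serial=serial, password=rest)
    tail = OTP_LEN + (PIN_LEN if pin_required and pin_set else 0)
    if pin_required and not pin_set:
        tail += 2 * PIN_LEN                          # OTPnewpinnewpin form
    if len(rest) <= tail:
        raise ValueError("static password missing")
    password, cred = rest[:-tail], rest[-tail:]      # password is whatever sits between serial and OTP
    p = parse_pin_otp(cred, pin_required, pin_set)
    return Parsed("self_assign_ro", otp=p.otp, pin=p.pin, new_pin=p.new_pin,
                  serial=serial, password=password)
```

Because the static password is recovered by length arithmetic from the right, it may contain digits or the separator character without ambiguity. This separation is only possible when the password field arrives in clear text, which is why section 2.9 lists Self-Assignment and Server PIN changes as unsupported under CHAP and MS-CHAP.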

2.6 Back-End Authentication

Back-End Authentication is a term used to describe the process of checking User credentials with another system, in this case Windows. It is used for various purposes, including:

- Password Replacement: allowing the User to log in with just a One Time Password, in an environment where the Windows password is required.
- Enabling automatic management features such as Dynamic User Registration and Self-Assignment.
- Static password verification for Users who do not have a Digipass and for Virtual Digipass.

The Back-End Authentication Policy setting indicates whether to perform Back-End Authentication, and if so, when to do it. This setting is overridden by the same setting in the Digipass User account, unless that has the value Default. However, this setting in the Digipass User account would typically be used only for rare special case Users. Using the Windows Group Check in Back-End Mode, this setting can also be overridden: if a User is not in the list of groups, Back-End Authentication will be performed whether it is enabled or not.

The Back-End Protocol setting indicates whether Back-End Authentication uses Windows or RADIUS (RADIUS is not supported in Digipass Plug-In for SBR).

The possible values for the Back-End Authentication setting are as follows:

None: The SBR Plug-In will not utilize Back-End Authentication.

Always: The SBR Plug-In will use Back-End Authentication for every authentication request. This is necessary if you require RADIUS attributes for each login.

If Needed: Back-End Authentication will only be used in situations where Local Authentication is not sufficient and to support certain features:
- Dynamic User Registration
- Self-Assignment
- Password Autolearn (see below)
- Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
- Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period

Stored Static Password

The Digipass User account has a Stored Static Password field. When Back-End Authentication is used, this field can be used:

- To store the static password required for Back-End Authentication. This means that the User does not need to type in the static password at each login; they only need to enter the OTP. The SBR Plug-In can retrieve the Stored Static Password from the Digipass User account and use it for Back-End Authentication.
- To support Password Replacement. Back-End Authentication is used to learn the static password so that it can be replayed to the host system (e.g. Outlook Web Access) when a successful OTP is given.

Two product features are used to support this usage of the Stored Static Password: Stored Password Proxy and Password Autolearn.

Stored Password Proxy

When the Stored Password Proxy setting is enabled in the Policy, the SBR Plug-In will retrieve the Stored Static Password from the Digipass User account. If Back-End Authentication is required for a login, the Stored Static Password will be used. If there is a host system (e.g. Outlook Web Access), the Stored Static Password will be returned to it, for it to complete its login process. However, if the User enters a static password in front of their OTP, the static password they enter will take precedence over the Stored Static Password. In that case, the Stored Static Password will not be used at all for that login.

When the Stored Password Proxy setting is not enabled in the Policy, the Stored Static Password will not be used for Back-End Authentication. If Back-End Authentication is required for a login, the User will have to enter the static password. This is done in front of the OTP if an OTP is also used. Similarly, if there is a host system that requires a static password to be returned, the User will have to enter the static password.

Password Autolearn

When the Password Autolearn feature is enabled in the Policy, the SBR Plug-In will automatically store the static password when it is verified by Back-End Authentication. This can happen at any time from Dynamic User Registration onwards. If the User's static password has changed in the Back-End Authentication system (Windows or the RADIUS server), they need to provide the new static password during their next login. This is done in front of the OTP if an OTP is used. When the SBR Plug-In sees that the User has entered a static password, if it does not already match the Stored Static Password, Back-End Authentication will occur to verify the new password. If it is verified, the Stored Static Password will be updated.

2.7 RADIUS Attributes

If RADIUS attributes are required for User logins, the SBR Plug-In can support this in two ways:

RADIUS Profile

An SBR RADIUS Profile can be set for default usage (all Policies), or for individual User accounts. The SBR Plug-In will return the name of the required RADIUS Profile to SBR during the authentication. This is the most common method of supporting RADIUS attributes with the SBR Plug-In. If the configured RADIUS Profile is not found in SBR, the authentication request will fail.

User Attributes

Individual User attributes may be set for a Digipass User account. This may be in place of, or in addition to, setting a RADIUS Profile. The SBR Plug-In will return to SBR the name and value of any attributes set for a Digipass User during authentication. These conditions must be met:

- The attribute(s) set for the Digipass User account must exist in the loaded dictionaries in SBR.
- The value set for each attribute must be valid (e.g. must match the required data type).

If these conditions are not met, SBR will fail the login.

RADIUS Attribute Settings

Image 20: RADIUS Attribute Settings in SBR Plug-In Configuration

Attribute Group: An Attribute Group is specified in the configuration of an SBR Plug-In. When multiple SBR Plug-Ins are in use, the specified Attribute Group ensures that only attributes required by the specific SBR Plug-In are used.

Default Profile: The Default Profile is the name of an existing SBR Profile. It is used where specific user attributes or a Profile have not been set for the User being authenticated.

Profile Attribute Name: A Profile Attribute Name is specified in the configuration of an SBR Plug-In. When multiple SBR Plug-Ins are in use, the specified Profile Attribute Name ensures that only Profiles required by the specific SBR Plug-In are used.

Image 21: RADIUS Attribute Settings in Digipass User Properties

Usage: Three options are available for attribute Usage:
- A Check attribute is used to ensure that an attribute supplied by SBR contains the expected value.
- A Return attribute is passed back to SBR when the result of an authentication is returned by the SBR Plug-In.
- Profile indicates that the value entered is the name of a Profile existing in SBR.

Value: The Value set for an attribute will be the required value of the named attribute. For a Profile, the Value will be the name of the Profile in SBR.

Example

In the two screenshots above, where the SBR Plug-In is configured to use the Attribute Group RADIUS and the Profile Attribute Name SBR1, the following user attributes would be used, because they were created in the RADIUS Attribute Group:
- Callback-Number
- Login-IP-Host

The VASCOGETTINGSTARTED Profile would be used, because its Profile Attribute Name is set to SBR1. The VPN Profile setting would be ignored by the SBR Plug-In, because it uses a different Profile Attribute Name than the one the SBR Plug-In is configured to look for.
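The selection rules in the example above (attributes filtered by Attribute Group, Profiles by Profile Attribute Name, Default Profile as fallback, and the two conditions under which SBR fails the login) are worked through below as an added example that is not the product's own code. The SBR dictionary and the set of defined Profiles are constructed stand-ins, and the assumption that the Attribute Group filter and the Profile Attribute Name filter are independent of each other is this example's, not something the guide states.

```python
"""RADIUS attribute and Profile selection for one SBR Plug-In (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UserAttribute:
    attribute_group: str   # Attribute Group the entry was created in
    name: str              # RADIUS attribute name, or the Profile Attribute Name when usage == "Profile"
    usage: str             # "Check", "Return" or "Profile"
    value: str


@dataclass
class PluginConfig:
    attribute_group: str
    profile_attribute_name: str
    default_profile: Optional[str] = None


# Constructed stand-in for the dictionaries loaded in SBR: attribute name -> data type
SBR_DICTIONARY = {"Callback-Number": "string", "Login-IP-Host": "ipaddr", "NAS-Port-Type": "string"}
# Constructed stand-in for the Profiles defined in SBR
SBR_PROFILES = {"VASCOGETTINGSTARTED", "VPN"}


def _value_ok(name: str, value: str) -> bool:
    """Type check against the dictionary; only ipaddr is validated in this example."""
    if SBR_DICTIONARY[name] == "ipaddr":
        parts = value.split(".")
        return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)
    return True


def build_radius_result(cfg: PluginConfig, user_attrs: List[UserAttribute],
                        request_attrs: Dict[str, str]) -> Dict[str, object]:
    """Decide what this plug-in hands back to SBR for a successful authentication.

    Raises PermissionError when a Check attribute does not match the request and
    ValueError where SBR itself would fail the login (unknown attribute, invalid
    value, or a Profile name that does not exist in SBR)."""
    profile = None
    returned: Dict[str, str] = {}
    for a in user_attrs:
        if a.usage == "Profile":
            if a.name == cfg.profile_attribute_name:
                profile = a.value
            continue                                   # Profiles meant for other plug-ins are ignored
        if a.attribute_group != cfg.attribute_group:
            continue                                   # attributes meant for other plug-ins are ignored
        if a.name not in SBR_DICTIONARY or not _value_ok(a.name, a.value):
            raise ValueError(f"{a.name}: not in SBR dictionary or invalid value")
        if a.usage == "Check":
            if request_attrs.get(a.name) != a.value:
                raise PermissionError(f"Check attribute {a.name} does not match the request")
        elif a.usage == "Return":
            returned[a.name] = a.value
        else:
            raise ValueError(f"unknown usage {a.usage}")
    if profile is None:
        profile = cfg.default_profile                  # Default Profile from the plug-in configuration
    if profile is not None and profile not in SBR_PROFILES:
        raise ValueError(f"Profile {profile} not found in SBR")
    return {"profile": profile, "return": returned}
```

Reproducing the two-screenshot example means configuring the plug-in with Attribute Group RADIUS and Profile Attribute Name SBR1 and giving the User a Profile entry named SBR1 with value VASCOGETTINGSTARTED alongside a second Profile entry under another name; only the first is returned.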

RADIUS Attributes Process

Image 22: Set RADIUS Attributes Process

Multiple SBR Plug-Ins

Where multiple SBR Plug-Ins are in use, you may need to use different RADIUS attributes for each. There are two basic scenarios that may be applicable:

Use Different RADIUS Profiles but User Attributes are Identical

In this scenario, each SBR Plug-In needs to use a different RADIUS Profile, but individual user attributes are the same across all SBR Plug-Ins (or no user attributes are required). Configure each SBR Plug-In to use the same Attribute Group, but different Profile Attribute Names.

Image 23: Multiple SBR Plug-Ins Using Same User Attributes

Use Different User Attributes

In this scenario, each SBR Plug-In needs to use different user attributes. Configure different Attribute Groups for each SBR Plug-In and, if required, configure different Profile Attribute Names to use in specifying Profiles.

Image 24: Multiple SBR Plug-Ins Using Different User Attributes

2.8 Supported RADIUS Password Protocols

The following protocols are supported by Digipass Plug-In for SBR:

- PAP
- CHAP
- MS-CHAP with MPPE (Microsoft Point-to-Point Encryption)
- MS-CHAP2 with MPPE
- Various EAP types

Some protocols do not support all authentication features of Digipass Plug-In for SBR. See 2.9 Unsupported by Digipass Plug-In for SBR and the Login Permutations section of the Administrator Reference for more information.

EAP

Any EAP type which SBR translates to one of the above password protocols can be supported. This includes PEAP and EAP-TTLS. These steps must be followed to configure the 'Digipass Authentication' Authentication Method:

- Enable the 'Handle via Auto-EAP first' option.
- Enable the required EAP types.

Support for the following has been specifically tested:

- MD5-Challenge
- Microsoft PEAP using EAP-MS-CHAP2
- Cisco PEAP using EAP-Generic-Token

2.9 Unsupported by Digipass Plug-In for SBR

Limitations of RADIUS Password Protocols

Some features of the SBR Plug-In are not supported with CHAP or MS-CHAP. These protocols hash the login data together, so the server cannot separate the individual entries (such as the static password and the OTP) in the password field. The unsupported features are outlined below:

- Self-Assignment of Digipass cannot be performed.
- The Server PIN cannot be changed.
- Challenge/Response is not supported.
- Windows Back-End Authentication is not supported unless the User ID and Windows password are manually stored, and Stored Password Proxy is enabled.
- Password Autolearn is not supported, as clear text passwords cannot be identified.

The User Self-Management Web Site, when utilized, can circumvent many of these problems by allowing Users to manage their account and Digipass. It uses RADIUS with the PAP password protocol. Users can:

- Perform Self-Assignment
- Change their Server PIN
- Change their own Stored Static Password

Unsupported RADIUS Password Protocols

- MS-CHAP with LM Hash
- The password change mechanism for MS-CHAP and MS-CHAP2

3 Administration Interfaces

The main user interfaces available for administration of Digipass Plug-In for SBR are introduced in this section.

3.1 Administration MMC Interface

The Administration MMC Interface allows administration of Policy and Component records. When an ODBC or embedded database is used as the data store, it is also used to administer Digipass, Digipass User account, Domain and Organizational Unit records. The following screen includes these additional objects (when using Active Directory, you will not see them).

Image 25: Administration MMC Interface

To open the Administration MMC Interface, click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for SBR3 -> Administration MMC Interface. It can also be added to any Microsoft Management Console using the File -> Add/Remove Snap-in... menu and adding the Digipass Administration snap-in.

The differences between the Active Directory and database versions are outlined below.

Active Directory

In the tree pane, a Domain node is needed to define the Digipass Configuration Domain (the Fully Qualified Domain Name is required). This is configured for you by the installation when the SBR Plug-In is on the same machine as the Administration MMC Interface.

To log in, right-click on the Domain node and select the Connect... menu option. No logon screen is presented: an implicit logon to Active Directory will be carried out using your current Windows user context. The Administration MMC Interface will make an LDAP connection to Active Directory. Administration does not take place via the SBR Plug-In. Your administrative permissions will depend on the permissions that your Active Directory user account has within Active Directory.

When do new settings take effect?

For Active Directory, when settings are changed with this program, the new values will not always take effect immediately. This is because the SBR Plug-In keeps Policy and Component records in memory caches. The SBR Plug-In will periodically re-read the records (by default, every 15 minutes) so that updates do take effect eventually. However, you need to take into account the delay of Active Directory Replication, if the administration change is made using a different Domain Controller to the one used by the SBR Plug-In (especially when there are multiple SBR Plug-Ins in different sites). An SBR Plug-In cannot update its cache with new settings until Active Directory Replication has updated them on its local Domain Controller. Restarting the SBR Plug-In forces it to re-load its caches, so that settings changes take effect immediately (assuming that Active Directory Replication is not needed or has completed).

ODBC or Embedded Database

In the tree pane, an SBR Plug-In node is needed to specify the location (IP address and port) of the SBR Plug-In. This is configured for you by the installation when the SBR Plug-In is on the same machine as the Administration MMC Interface.

To log in, right-click on the SBR Plug-In node and select the Connect... menu option.
A logon screen is presented log in using your Digipass User account User ID and password. Once your Digipass User account has a Digipass, you will need to use it to log into the Administration MMC Interface. However, like all authentication processing, the administration logon process is subject to Policy settings. You may decide to change the settings in the default VM3 Administration Logon Policy, or even select a different Policy. The Administration MMC Interface will make an encrypted TCP/IP connection to the SBR PlugIn. It will then make an administrative logon request using this connection. If the logon is successful an administrative session will be established. Your administrative permissions within this session will depend on the Administrative Privileges of your Digipass User account (see 4 Digipass User Accounts). When do new settings take effect? For an ODBC or embedded database, when settings are changed with this program, the new values will always take effect immediately. The changes are made through the SBR Plug-In, so it will update its caches immediately. When multiple SBR Plug-Ins are used with Digipass Plug-In for SBR Replication, all SBR PlugIns' caches will be updated by the Replication process. 48

3.2 Digipass Extension for Active Directory Users & Computers

The Digipass Extension for Active Directory Users and Computers allows administration of Digipass User accounts and Digipass records within the Active Directory Users and Computers interface.

Note: The Digipass Extension for Active Directory Users and Computers is only used when Active Directory is utilized as the data store.

The extension adds context menu options, User property sheet tabs and a property sheet for the Digipass records, as outlined below.

To open Active Directory Users and Computers, a shortcut is provided in the Start Menu. Click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for SBR 3 -> Active Directory Users and Computers. On Windows XP and Windows Server 2003, where the Saved Queries feature is available, the console file reached from this Start Menu shortcut has several Saved Queries pre-loaded. However, you can run Active Directory Users and Computers from the usual Administrative Tools shortcut or any other saved Microsoft Management Console. In that case, you will need to import the Saved Queries into that console if you wish to use them.

No logon screen is presented by the extension; an implicit logon to Active Directory is carried out using your current Windows user context. It connects to the same Domain Controller as the Active Directory Users and Computers connection.

The extension makes its own LDAP connection to Active Directory. Administration does not take place via the SBR Plug-In. Your administrative permissions depend on the permissions that your Active Directory user account has within Active Directory.

When do new settings take effect?

When settings are changed with the extension, the new values may not always take effect immediately. You need to take into account the delay of Active Directory Replication if the administration change is made using a different Domain Controller from the one used by the SBR Plug-In (especially when there are multiple SBR Plug-Ins in different sites). An SBR Plug-In cannot read new settings until Active Directory Replication has updated them on its local Domain Controller.

Context Menu Extensions: Tree Pane

Additional context menu options are available on the following containers in the tree pane:
- The Users container
- All Organizational Units
- The Digipass-Pool, Digipass-Reserve and Digipass-Configuration containers

The main menu option that is useful in this context is the Import Digipass... option. This is used to import Digipass records into the selected container. Other options are for showing version information, configuring encryption settings and enabling tracing.

Context Menu Extensions: User Records

Additional context menu options are available when right-clicking on one or more User records in the result pane:
- Assign Digipass... for single or bulk assignment of Digipass
- Unassign Digipass to unassign all Digipass from the selected User(s)

Property Sheet Extensions: User Records

Additional tabs are available when viewing the property sheet of a User record:
- The Digipass User Account tab contains extra information about the Digipass User account required by Digipass Plug-In for SBR. This includes settings such as authentication policy overrides, and the date and time that the Digipass User account was created.
- The Digipass Assignment tab contains information on all Digipass assigned to the Digipass User. These Digipass can be administered from this tab, including unassignment or enabling Backup Virtual Digipass. Digipass may also be assigned to the Digipass User from this tab.

Image 26: Digipass Extension for Active Directory Users and Computers

Digipass Record Administration

Digipass information may be viewed via the property sheet of its assigned User, or by turning on Advanced Features. This allows you to see Digipass records wherever they are located in Active Directory (typically in the Digipass-Pool container if unassigned), view properties and use a number of context menu actions. For more details on these actions, see 5 Digipass.

The context menu of the Digipass record contains options for bulk management:
- Assign and unassign the Digipass
- Reset, activate, inactivate and delete the Applications
- Reset the PIN and force a PIN change
- Move the Digipass to another Organizational Unit or container

The property sheet for the Digipass record shows full details of the Digipass and all its Applications and enables all administration tasks for the record.

3.3 SBR Plug-In Configuration

The SBR Plug-In uses a local XML text file for various configuration settings. This can be administered using a graphical user interface referred to as SBR Plug-In Configuration. To run it, click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for SBR -> Digipass Plug-In for SBR Configuration.

When settings are changed with this program, the SBR Plug-In must be restarted before the new values take effect. On exiting, the program can do this for you.

The following groups of settings are configured using SBR Plug-In Configuration. For more detail, see the Administrator Reference, Configuration Settings section.
- Various IP addresses and port numbers
- Administration session control settings
- Tracing settings
- Active Directory connection settings (if applicable)
- ODBC or embedded database connection settings (if applicable)
- For ODBC or embedded database, some important settings that control User ID and Domain resolution: User ID Case Conversion, Windows User Name Resolution and the choice of Master Domain
- Audit settings
- Replication settings

3.4 Digipass TCL Command-Line Administration

Digipass TCL Command-Line Administration allows interactive command-line and scripted administration of Digipass related data. It has a number of possible uses:
- Interactive command-line administration
- Scripted administration
- Complex bulk administration tasks
- Reporting on the data in the data store

It is an extension of the TCL 8.4 scripting language, and administrators will require a basic competence in TCL in order to use the command-line utility. See the Digipass TCL Command-Line Administration topic in the Administrator Reference for more information.

4 Digipass User Accounts

4.1 Digipass User Account Creation

A Digipass User account can be created in a number of ways:

Manual Creation

A Digipass User Account can be created manually by an administrator.

Dynamic User Registration

When the SBR Plug-In receives an authentication request for a User without a Digipass User account, it can check the credentials with the back-end authenticator (e.g. Windows). If the authentication is successful with the back-end authenticator, the SBR Plug-In can create a Digipass User account automatically for the User. This process is called Dynamic User Registration (DUR) and can be enabled via the Administration MMC Interface. This feature is commonly used in conjunction with Auto-Assignment, so that the new account is immediately assigned a Digipass.

Note: ODBC Database (including embedded database): If the data store is case-sensitive and the SBR Plug-In has not been configured to convert User IDs and Domains to upper or lower case, the potential exists for multiple Digipass User accounts to be created for a single User. For example, if a User logs in with 'jsmith' on one occasion and 'JSmith' on another, two Digipass User accounts may be created: jsmith and JSmith. This can be avoided by:
- Enabling Windows Name Resolution in the SBR Plug-In Configuration GUI, if the underlying user accounts are Windows user accounts. See the ODBC Connection and Domains and Organizational Units topics in the Administrator Reference for more information. This is highly recommended.
- Configuring the SBR Plug-In to convert all User IDs and Domains to upper or lower case. See the Encoding and Case-Sensitivity topic in the Administrator Reference for more information.

User Self-Management Web Site

Enabling Dynamic User Registration on a system which includes the User Self-Management Web Site will allow Users to create their own Digipass User Account via the web site.

4.2 Changes to Stored Static Password

Any changes to a User's Windows or RADIUS server password need to be communicated to the SBR Plug-In if Stored Password Proxy is enabled. There are two ways to do this:

Password Autolearn

If Password Autolearn is enabled, a User may directly log in with their new static password in front of their OTP. If it does not match the static password stored by the SBR Plug-In, it can be verified with the back-end authenticator (Windows). If correct, the SBR Plug-In will store the new static password for future use and authenticate the User.

User Self-Management Web Site

When the User Self-Management Web Site is utilized, the User may modify the SBR Plug-In's record of their stored static password. They must be able to log in according to current settings to do this, and the Password Autolearn feature must be enabled.

4.3 Administration Privileges

Active Directory

Access is given to administer Digipass-related records based on a User's Active Directory privileges. Extra privileges may be granted via the Active Directory Users and Computers console. An administrator may be assigned permissions based on:
- Type of permission (e.g. Read, Create)
- Type of object (e.g. Digipass, Policy)

An administrator may be restricted by Domain or Organizational Unit. See the Administrator Reference for more information.

ODBC or Embedded Database

Administration of data in an ODBC database is performed through the Authentication Server to control the administrator's access to data. An administrator may be assigned permissions based on:
- Type of permission (e.g. Read, Create)
- Type of object (e.g. Digipass, Policy)

The Domain and Organizational Unit in which the administrator account is located determine their range of administration access:
- If the account belongs to an Organizational Unit, the administrator will be able to administer User accounts and Digipass belonging to that Organizational Unit.
- If the account does not belong to an Organizational Unit, the administrator will be able to administer all Digipass and User accounts in the Domain to which they belong.
- If the account belongs to the Master Domain, the administrator will be able to administer all Digipass and User accounts in the database.

See the Administrator Reference for more information.

5 Digipass

This section contains information specific to Digipass, their setup and management on your network.

5.1 Digipass Record Functions

A number of functions are available to administer Digipass records. These are typically required for maintenance, e.g. a User has forgotten their Server PIN, or a Digipass has been locked.

Reset Application

A Digipass Application may need to be reset if the time difference between it and the server needs to be recalculated. This would typically be for time-based Response Only Digipass after a very long period of inactivity. The 'reset' widens the allowable time window for the next login, allowing the User to log in and the SBR Plug-In to calculate the current time shift.

Set Event Counter

If the event count for an event-based Application has become unsynchronised between the Digipass and the server, this function can be used to set the server event count to the event count on the Digipass.

Reset PIN

If a User's Server PIN needs to be changed, usually because the User has forgotten it, then it can be reset, and the User can create a new Server PIN when they next log in. This may also be done when unassigning or re-assigning a Digipass.

Force PIN Change

This function can be used when an administrator wants a User to change their Server PIN on their next login. This may be desirable as a security measure.

Set PIN

A User's Server PIN can be set to a specific value and communicated to the User.

Unlock Digipass

If a User incorrectly enters their Digipass PIN into their Digipass a predetermined number of times, the Digipass will become locked. Once locked, the assistance of an administrator is required to unlock it. This function allows an administrator to provide the User with an Unlock Code to enter into their Digipass.

Reset Application Lock

If a User has attempted to log in with incorrect details too many times, the Digipass Application used may be locked, depending on Policy settings. This function can be used to set the record for the Digipass Application to the status of unlocked. This differs from User locking, as the User may still log in with a different Digipass.

Test a Digipass Application

Use this function to check that a Digipass Application is working as expected. There is also a function to test the Backup Virtual Digipass functionality.

5.2 Digipass Programming

A Digipass is programmed using a Digipass Programmer and the necessary software. This may be done by your company or by your supplier. Common settings which may affect your administration tasks are explained below.

Digipass PIN

A Digipass PIN may be required for a Digipass. If set, the PIN must be entered into the Digipass before obtaining a One Time Password. This means that just possessing the Digipass is not enough to log in to a network; the person logging in must also know the Digipass PIN. Digipass PIN settings include:
- An Initial PIN can be set for a Digipass. The PIN must then be sent to the User of the Digipass, typically separately from the Digipass delivery.
- First Use PIN Modification allows a Digipass to require a PIN change from the User upon first use.
- PIN Change allows a User to change their PIN as desired.
- The PIN Length can be set for a Digipass.
- Digipass Lock sets the number of consecutive faulty PIN entries allowed before the Digipass is locked.

Time/Event-based Digipass Applications

Response Only

Response Only Digipass Applications can be either time-based or event-based:
- Time-based: A time-based Application changes the OTP to be displayed based on the current time. The common time step used is 36 seconds, which means that the OTP to be displayed changes every 36 seconds, whether or not an OTP has been requested from the Digipass.
- Event-based: An event-based Digipass Application displays a new OTP each time a request for an OTP is made.

Challenge/Response

Challenge/Response Digipass Applications can be either time-based or non-time-based:
- Time-based: A time-based Challenge/Response Digipass Application generates an OTP based on the Challenge given and the current time. The common time step used is 9 hours ('slow challenge'). This means that if the exact same Challenge were given to a Digipass within a 9 hour period, the Digipass Application would generate the same OTP. However, Challenges are very rarely repeated within such a time period.
- Non-time-based: A non-time-based Challenge/Response Digipass Application generates an OTP based only on the Challenge given.

OTP Length

The length of the OTP (excluding check digit) generated by the Digipass for Response Only and Challenge/Response Digipass Applications.

Check Digit: A check digit may be added to each OTP. This is generated from the response and allows for faster invalidation of incorrect OTPs.

Challenge Length

The length of the Challenge (excluding check digit) which should be expected by the Digipass. This is used by the Challenge/Response Digipass Application.

Check Digit: A check digit may be expected with each Challenge. This is generated by the server from the Challenge and allows the Digipass to reject most invalid Challenges.

5.3 Digipass Record Settings

These settings are kept in the record for a Digipass Application, and affect which OTP is expected by the SBR Plug-In.

Time/Event-based Settings

Time Based: Specifies whether the algorithm for the Digipass Application is time-based (see Time/Event-based Digipass Applications for more information).

Time Step Used: The time step used by the Digipass Application (see Time/Event-based Digipass Applications for more information).

Last Time Shift: Time Shift records any misalignment between the time recorded on the Digipass and the time recorded on the server, each time a User logs in. This ensures that if either clock drifts from the correct time, an allowance can be made by the SBR Plug-In and the User will still be able to log in. If the time drift goes beyond the allowable time window between User logins, the Digipass record will have to be reset (this allows for recalculation of the time drift).

Example: The time window may be 5 steps in either direction. This means that 11 OTPs would be considered valid: the exact OTP for that time, and the OTPs for the 5 time steps either side of the exact time. If the OTP given is for a different time step, the time shift for that Digipass is recorded. The next time the User logs in, the expected OTP is calculated based on that time shift.
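The window checks described for Last Time Shift and Last Event Value, together with the check digit and the 'Reset Application' widening of the window, as an added example. This is not VASCO's Digipass algorithm, which is proprietary: the OTP function is an HMAC-SHA1 stand-in, the Luhn check digit is an assumed scheme (the page does not say how the Digipass check digit is computed), the event window and OTP length are assumed values, and the device secret is constructed. What it shows is the 11-OTP window for a 36-second step, the drift being recorded on a successful login so that the next check is centred on the device's clock, the event-count catch-up for event-based Applications, and a wrong check digit being rejected before any candidate OTP is computed.

```python
"""Time- and event-window OTP checking with drift tracking, as an added example.

This is not VASCO's Digipass algorithm (which is proprietary): the OTP function is an
HMAC-SHA1 stand-in, the Luhn check digit is an assumed scheme, and the secret is
constructed. The time step, time window, Last Time Shift and Last Event Value
behaviour follow the settings described above.
"""
import hashlib
import hmac
from dataclasses import dataclass

TIME_STEP = 36       # seconds: the common Digipass time step named on the page
TIME_WINDOW = 5      # steps either side of the expected one: 11 acceptable OTPs
EVENT_WINDOW = 20    # look-ahead for event-based Applications (assumed value)
OTP_LENGTH = 6       # OTP length excluding the check digit (assumed value)


def otp_for(secret: bytes, counter: int) -> str:
    """Stand-in OTP: HMAC-SHA1 over a time-step index or event count, truncated to digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_LENGTH:0{OTP_LENGTH}d}"


def luhn_check_digit(digits: str) -> str:
    """Assumed check-digit scheme (Luhn). It lets the server reject most mistyped
    OTPs before computing a single candidate OTP."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


@dataclass
class AppRecord:
    """The Digipass Application record fields this example needs."""
    secret: bytes                # constructed device secret
    time_based: bool             # 'Time Based'
    last_time_shift: int = 0     # 'Last Time Shift', in time steps
    last_event_value: int = 0    # 'Last Event Value'
    check_digit: bool = True     # 'Response Check Digit'


def device_otp(app: AppRecord, counter: int) -> str:
    """What the Digipass would display for a time-step index or event count."""
    body = otp_for(app.secret, counter)
    return body + luhn_check_digit(body) if app.check_digit else body


def verify(app: AppRecord, entered: str, server_time: int, window: int = TIME_WINDOW) -> bool:
    """Accept an OTP inside the window and update the record so the next check is
    centred on the device's drift (time-based) or count (event-based). A wider
    `window` is what 'Reset Application' allows after a long period of inactivity."""
    if not entered:
        return False
    body, cd = (entered[:-1], entered[-1]) if app.check_digit else (entered, None)
    if not (body.isascii() and body.isdigit() and len(body) == OTP_LENGTH):
        return False
    if cd is not None and luhn_check_digit(body) != cd:
        return False                          # fast rejection, no OTP computation
    if app.time_based:
        now_step = server_time // TIME_STEP
        centre = now_step + app.last_time_shift
        for step in range(centre - window, centre + window + 1):
            if hmac.compare_digest(otp_for(app.secret, step), body):
                app.last_time_shift = step - now_step   # record the drift
                return True
        return False
    # Event-based: only counts after the last accepted one are valid, so a
    # replayed OTP is rejected and the server count catches up with the device.
    for count in range(app.last_event_value + 1, app.last_event_value + EVENT_WINDOW + 1):
        if hmac.compare_digest(otp_for(app.secret, count), body):
            app.last_event_value = count
            return True
    return False
```

A device whose clock runs 3 steps ahead is accepted on the first login, its shift of 3 is stored, and on the next login the window is centred on the shifted time, so the same drift no longer costs any of the window; an OTP 9 steps out is rejected until the window is widened, as a reset would do.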

Last Event Value: The current number of uses of the Digipass Application, according to the Digipass. This can get out of sync with the number of uses recorded by the SBR Plug-In when:
- login failures occur for reasons other than an incorrect OTP
- the Digipass has been used without a login (e.g. children have been playing with it)
- the Digipass is being used to log in to two separate systems

The purpose of this setting is much the same as the Last Time Shift setting: it allows the SBR Plug-In to track any shift between the event count recorded by itself and the count on the Digipass.

Response Length

This setting determines the length of the OTP (excluding check digit) expected by the server from the Digipass Application.

Response Check Digit: Whether a check digit is expected with each OTP from the Digipass Application. This is generated from the response and allows for faster invalidation of incorrect OTPs.

Server PIN

The term 'Server PIN' is used to mean a PIN that the user enters into the login password field in front of the OTP displayed on the Digipass. It is checked by the authenticating server. The 'Digipass PIN' referred to earlier indicates a PIN entered into a keypad on the Digipass. That is checked by the device itself, and is never transmitted to the server.

There are a number of server settings regulating Server PINs:
- PIN Supported: Whether a PIN must be included in a User's login.
- PIN Change On: Is a User allowed to change their Server PIN for this Digipass?
- Force PIN Change: Must the User change their Server PIN the next time they log in?
- PIN Length: The length of the current Server PIN.
- PIN Minimum Length: The minimum PIN length required by the server.

Backup Virtual Digipass Policy and Digipass Settings

Several settings dictate how a User may utilize the Backup Virtual Digipass feature. These settings are:
- Enable or disable Backup Virtual Digipass, and the enable method (e.g. Required).
- Time limit/expiry (applies to the Time Limited enable method only).
- Maximum number of times a User may make use of the Backup Virtual Digipass.

The above settings may be set both at the Policy level and at the Digipass record level. Individual settings override Policy settings for an individual Digipass, but some Policy settings (see below) may be used to automatically set Digipass settings which are blank when the Backup Virtual Digipass is first utilized by the User.

Time Limit and Max. Uses/User

Policy Setting    Digipass Setting
Time Limit        Enabled Until
Max. Uses/User    Uses Remaining

Table 1: Backup Virtual Digipass Policy/Digipass Settings

If Backup Virtual Digipass is enabled for a Digipass and set to Time Limited, and the Enabled Until field in the Digipass property sheet is blank on the User's first use of the Backup Virtual Digipass, their time limit begins on that first use of the feature. The expiry date (today's date + Time Limit) is then displayed in the Enabled Until field.

If a Max. Uses/User is set for the relevant Policy and the Digipass record's Uses Remaining field in the User property sheet is blank on their first use of the Backup Virtual Digipass, the Max. Uses/User number is automatically entered into the Uses Remaining field and immediately decremented by 1.

Note: If a User has Backup Virtual Digipass enabled with an Enabled Until date set and their Uses Remaining has been set (automatically or manually), whichever of these expires first will disable Backup Virtual Digipass for the User.

E.g. Backup Virtual Digipass is enabled for a User as Time Limited, and the server Time Limit setting is 3 days. The Max. Uses/User Policy setting is 5. When the User first makes use of the Backup Virtual Digipass, their Enabled Until is set to a date 3 days hence and their Uses Remaining to 4. During the next 48 hours, they log in 4 more times. Although the User's time limit does not run out for another 24 hours, their Uses Remaining is now 0 and Backup Virtual Digipass is disabled.
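The Table 1 behaviour and the 3-day / 5-uses example above, as an added example that is not the SBR Plug-In's code: the Policy carries Time Limit and Max. Uses/User, the Digipass record carries Enabled Until and Uses Remaining, blank record fields are filled from the Policy on first use, and whichever limit is exhausted first disables the feature. The field and option names beyond those in Table 1, the treatment of 0 as "no use limit", and counting the Enabled Until date itself as still valid are assumptions; the calendar helper is constructed so the example runs without a real clock.

```python
"""Backup Virtual Digipass time limit and use counter, as an added example.

Not the SBR Plug-In's code. Policy fields Time Limit and Max. Uses/User feed the
Digipass fields Enabled Until and Uses Remaining on first use (Table 1); either
limit running out disables the feature. Names other than those in Table 1, the
meaning of 0 as 'no limit', and validity through the Enabled Until date itself
are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def day(n: int) -> date:
    """Constructed calendar for the example: n days after 1 January 2024."""
    return date(2024, 1, 1) + timedelta(days=n)


@dataclass
class BvdPolicy:
    enabled: bool = False
    time_limited: bool = False   # 'Time Limited' enable method
    time_limit_days: int = 0     # Policy 'Time Limit'
    max_uses_per_user: int = 0   # Policy 'Max. Uses/User'; 0 means no use limit (assumption)


@dataclass
class DigipassBvd:
    enabled_until: Optional[date] = None   # Digipass 'Enabled Until', blank until first use
    uses_remaining: Optional[int] = None   # Digipass 'Uses Remaining', blank until first use


def request_backup_otp(policy: BvdPolicy, record: DigipassBvd, today: date) -> bool:
    """Return True if a Backup Virtual Digipass OTP may be sent, updating the record.

    First use copies the Policy limits into any blank Digipass field; afterwards an
    expired Enabled Until date or a Uses Remaining of 0 refuses the request."""
    if not policy.enabled:
        return False
    if policy.time_limited and record.enabled_until is None:
        record.enabled_until = today + timedelta(days=policy.time_limit_days)
    if policy.max_uses_per_user > 0 and record.uses_remaining is None:
        record.uses_remaining = policy.max_uses_per_user
    if record.enabled_until is not None and today > record.enabled_until:
        return False
    if record.uses_remaining is not None and record.uses_remaining <= 0:
        return False
    if record.uses_remaining is not None:
        record.uses_remaining -= 1          # counted on every successful request
    return True


def reset_limits(record: DigipassBvd) -> None:
    """Administrator action: blank both fields so the Policy defaults apply again."""
    record.enabled_until = None
    record.uses_remaining = None
```

Running the page's scenario: the first request on day 0 sets Enabled Until to day 3 and Uses Remaining to 4; four more requests within the next two days bring Uses Remaining to 0, and the next request is refused even though the date limit has a day left. A record that is used once and then left until day 4 is refused by the date limit instead.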

5.4 Assigning Digipass to Users

Digipass may be assigned to Users in a number of ways, depending on the requirements of your company. For example, a company with only a few User accounts may use Manual Assignment. A larger company needing to distribute large numbers of Digipass may find it easier to simply distribute the Digipass and require each User to go through Self-Assignment.

Note: Digipass records must be imported into the data store before being assigned to Users.

Self-Assignment

A Digipass may be assigned to a User by their own action. The User must log in and include the serial number, Windows static password and One Time Password. This informs the SBR Plug-In of the assignment, and provided that the User enters the details correctly, a link is made between the Digipass record and the User account. A grace period is not used for this method.

Image 27: Self-Assignment Process

Auto-Assignment

The SBR Plug-In can automatically assign an available Digipass when a Digipass User account is created using Dynamic User Registration (DUR). The correct Digipass must then be delivered to the User. A grace period is typically set, which allows a number of days in which the User may still log in using only their static password.

Image 28: Auto-Assignment Process

Manual Assignment

A selected Digipass is manually assigned to a specific Digipass User account. The Digipass must then be sent out to the User. A grace period is typically set, during which the User may still log in using only their static password.

Image 29: Manual Assignment Process

5.5 Virtual Digipass Implementation Considerations

Digipass Assignment Options

With the introduction of Virtual Digipass, there are several different assignment combinations that can be used. The first option in the table below does not utilize Virtual Digipass. The others include a Virtual Digipass in either a backup or primary mode.

Primary                            Backup                    Description
Digipass                           None                      User must log in using a Digipass.
Digipass                           Backup Virtual Digipass   User usually logs in using a Digipass, but may utilize the Backup Virtual Digipass feature where required. Usage of the feature may be limited.
Digipass (temporarily disallowed)  Backup Virtual Digipass   User must log in using the Backup Virtual Digipass feature. This might be used while a User's Digipass is lost, until the Digipass is recovered.
Primary Virtual Digipass           N/A                       User is assigned a Virtual Digipass and must log in using it.

Table 2: Digipass Options

Cost

Your company will probably need to pay an amount for each text message sent. In some countries, mobile phone owners might need to pay an amount for each text message received on their mobile phone. This will need to be taken into consideration when deciding how to implement Virtual Digipass functionality.

Security

Hardware Digipass devices provide the highest level of security. Virtual Digipass provides a lower, although still high, level of security. This needs to be weighed against other considerations before deciding whether your company will implement Virtual Digipass, and if so, how it will be implemented.

Convenience

Virtual Digipass is more convenient than a hardware Digipass for many Users. Only one's usual mobile phone is required: there are no extra devices to carry around. Users who do not habitually carry their mobile phone with them, though, are likely to find a GO 3 or GO 1 easier to transport. For Users with the Backup Virtual Digipass enabled, it might be the difference between going to work to pick up a forgotten Digipass and getting important work done at home.

Gateway and Account

Your company will need the use of a text message gateway and an account with the gateway. The Message Delivery Component will need configuration information for the gateway and the username and password for the account. Your VASCO supplier can assist with this process.

Limiting Usage of Virtual Digipass

Use of Virtual Digipass may be limited by:
- Using Backup Virtual Digipass only.
- Minimizing the number of Users assigned a Primary Virtual Digipass.

A User's Primary Virtual Digipass use cannot be limited. The Backup Virtual Digipass feature may be enabled as an emergency backup for Users who have left their primary Digipass at home, or for other reasons do not have access to their primary Digipass. Use of this feature can be limited for each Digipass by:
- Time period: Set a time period in which a User may access the Backup Virtual Digipass. After this period has expired, any Virtual Digipass requests from the User are rejected. If the User is still unable to use their Digipass, the time period must then be extended by an administrator. Once they have started using their Digipass again, the administrator must reset the time period if the User is to be allowed to use Backup Virtual Digipass again.
- Number of Uses: Set a maximum number of times a User may request an OTP using the Backup Virtual Digipass feature. When the User has reached this number of uses, any further OTP requests from the User are rejected. This must be reset by an administrator if further use of the Backup Virtual Digipass is required for the User.

Global and Individual Backup Virtual Digipass Settings

Backup Virtual Digipass options can be set globally or individually, to allow a standard policy for all Digipass with exceptions made where necessary. Global settings affect all Digipass whose individual option is set to 'Default'. Global options are defined in the Policy that controls authentication. Therefore, by using multiple Policies, you have some additional flexibility.

Backup Virtual Digipass Usage Guidelines

Some questions which will need to be answered before arriving at Backup Virtual Digipass usage guidelines are:
- Will any users have access to Backup Virtual Digipass?
- If so, will all users have access to Backup Virtual Digipass?
- Will usage of Backup Virtual Digipass be limited? If so, how?
  - Time-limited
  - Limited number of uses

Some Possible Guidelines

Guideline                                                                              Pro                             Con
Backup Virtual Digipass disabled for all; enabled for individual Users as required.    Low text message costs          Manual enable for each User and circumstance. Possible heavy administration load.
Backup Virtual Digipass enabled for all; either a time or a number-of-uses limit set.  Predictable text message costs  Administrator may need to reset limits frequently; medium administration load.
Backup Virtual Digipass enabled for all; no limits set.                                Lighter administration load     Possible high text message costs.

Table 3: Backup Virtual Digipass Example Guidelines

Resetting Virtual Digipass Restrictions

When a User has reached their limit of Virtual Digipass use, an administrator must reset their limit.

Virtual Digipass Login options

A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users with a hardware Digipass and the Backup Virtual Digipass enabled must be able to request an OTP to be sent to their mobile when required, but log in using the hardware Digipass at other times.

The simplest method for the User is to allow a 2-step login process, where the User enters their User ID and password only, triggering an OTP Request, and is redirected to a second login page to enter the OTP sent to them. To use this method, though, your system must be set up to allow 2-step logins. Check with your system administrator if unsure.

Alternatives to the 2-step login are a sequence of two 1-step logins or the use of the OTP Request Site. See the Administrator Reference for information on possible login permutations.

Location of OTP Request Site

If the OTP Request Site is to be used, its location must be decided. You may choose to install the Web Site onto any web server, bearing the following in mind:

  If the Web Site is installed onto a web server in the DMZ, you need to permit TCP/IP access from the web server to the SBR Plug-In on the port used by the SBR Plug-In. This is the recommended option.

  The Web Site can be used on the Internet; however, it would be essential to provide SSL (or TLS) encryption for access to it. Otherwise, an attacker could discover static passwords and PINs. The other point to take into consideration is that publishing the Web Site on the Internet would allow anyone in the world to send requests to the SBR Plug-In; this would provide the potential for denial of service and brute force attacks. It is strongly advised to protect the Web Site from general use in some way.

  If the Web Site is installed onto a web server that communicates over a WAN link to the SBR Server(s), the WAN link must be encrypted. For example, an IPSEC-based VPN connection would be sufficient.
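As an added example (not the plug-in's own code) of how the limits from Table 3 and the 2-step login described above interact, the Python below models a Backup Virtual Digipass request under the KeywordPassword request method. The "otp" keyword and the Maximum Days / Maximum Uses names come from the Policy settings; the keyword-immediately-followed-by-password entry format, the reading of 0 as "no limit", and the per-User enable flag are assumptions.

```python
# Constructed model of Backup Virtual Digipass request handling; not the
# plug-in's code. Assumptions: a Maximum Days / Maximum Uses value of 0 means
# "no limit"; with the KeywordPassword request method the User types the
# request keyword immediately followed by the static password; a 2-step login
# answers the first step with a redirect so the OTP is entered on a second page.
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class BackupVdpPolicy:
    enabled: bool = False            # Policy-level "enabled for all"
    maximum_days: int = 0            # 0 = no time limit (assumption)
    maximum_uses: int = 0            # 0 = no usage limit (assumption)
    request_keyword: str = "otp"     # Request Method: KeywordPassword


@dataclass
class User:
    user_id: str
    static_password: str
    backup_enabled: bool = False     # per-User enable (first guideline in Table 3)
    backup_enabled_on: Optional[date] = None
    backup_uses: int = 0
    pending_otp: Optional[str] = None


def backup_allowed(policy, user, today):
    """Apply the time limit and the usage limit; return (allowed, reason)."""
    if not (policy.enabled or user.backup_enabled):
        return False, "Backup Virtual Digipass not enabled"
    if policy.maximum_days and user.backup_enabled_on is not None:
        if today - user.backup_enabled_on > timedelta(days=policy.maximum_days):
            return False, "time limit reached; administrator reset required"
    if policy.maximum_uses and user.backup_uses >= policy.maximum_uses:
        return False, "usage limit reached; administrator reset required"
    return True, "ok"


def reset_limits(user, today):
    """Administrator action once a User has reached their limit."""
    user.backup_uses = 0
    user.backup_enabled_on = today


def login_step1(policy, user, password_field, today):
    """First step of a 2-step login. keyword+password triggers an OTP Request
    for the User's mobile; any other entry is a normal hardware-Digipass login
    and is handed on for OTP verification. Returns (action, otp_to_send)."""
    expected = policy.request_keyword + user.static_password
    if not secrets.compare_digest(password_field, expected):
        return "verify_hardware_otp", None
    allowed, reason = backup_allowed(policy, user, today)
    if not allowed:
        return "reject", reason
    user.backup_uses += 1
    user.pending_otp = f"{secrets.randbelow(10 ** 6):06d}"   # constructed OTP
    return "redirect_to_otp_page", user.pending_otp           # sent by text message


def login_step2(user, otp):
    """Second step: the User enters the OTP sent to them; it is single-use."""
    if user.pending_otp is None or not secrets.compare_digest(otp, user.pending_otp):
        return False
    user.pending_otp = None
    return True
```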

6 Components

The following diagram illustrates how Component records are used to apply different Policies to different authentication scenarios:

Image 30: Component Overview

6.1 Pre-loaded Components

One Component record is created during the installation of Digipass Plug-In for SBR:

SBR Plug-In Component
A Component is created for the SBR Plug-In, to hold its License Key and provide a default Component for Policy selection. The SBR Base Policy is set as the Policy. This Component will be checked each time the SBR Plug-In is started, to verify the License Key. If the License Key is missing, invalid or expired, all authentication except for administration logons will be refused.

6.2 Licensing

Each SBR Plug-In needs a license. The License Key is loaded into the corresponding Component record, and details of the License Key may be viewed via the Component list context menu or property sheet.

7 Policies

7.1 Policy Inheritance

Policies may be set up in a hierarchy, where one Policy inherits most of its attributes from a parent Policy, but with some modifications for a slightly different scenario.

Image 31: Policy Inheritance

In the example above, all attributes are inherited from the parent Policy, except those explicitly set.

Show Effective Settings

As the various levels of settings in Policy inheritance can get confusing, functionality is available which allows you to view the settings effective for a selected Policy, taking inherited settings into account. The text below shows the effective settings for the SBR Windows Self-Assignment Policy:

Effective Policy Settings

[Local/Back-End Authentication]
  Local Authentication       : Digipass/Password
  Back-End Authentication    : If Needed
  Back-End Protocol          : Windows

[User Accounts]
  Dynamic User Registration  : Yes
  Password Autolearn         : No
  Stored Password Proxy      : No
  Default Domain             :
  User Lock Threshold        : 3

[Windows Group Check]
  Group Check Option         : No Check
  Group List                 :

[Digipass Assignment]
  Assignment Mode            : Self-Assignment
  Grace Period (days)        : 0
  Serial No. Separator       :
  Search up Organizational Unit Hierarchy : Yes

[Digipass Settings]
  Application Names          :
  Application Type           : No Restriction
  Digipass Types             :
  PIN Change Allowed         : Yes

[1-Step Challenge Response]
  Enabled                    : No
  Challenge Length           : 0
  Challenge Check Digit      : No

[2-Step Challenge Response]
  Request Method             : Keyword
  Request Keyword            :

[Primary Virtual Digipass]
  Request Method             : None
  Request Keyword            :

[Backup Virtual Digipass]
  Enabled                    : No
  Maximum Days               : 0
  Maximum Uses               : 0
  Request Method             : KeywordPassword
  Request Keyword            : otp

[Digipass Control Parameters]
  Identification Time Window : 20
  Signature Time Window      : 24
  Event Window               : 20
  Initial Time Window        : 6
  Identification Threshold   : 0
  Signature Threshold        : 0
  Check Challenge Flag       : 1
  Level of Online Signature  : 0
  Allowed Inactive Days      : 0

You will note that the settings listed above include those set in the Policies from which the SBR Windows Self-Assignment Policy inherits.

7.2 Pre-Loaded Policies

These Policies are created for the SBR Plug-In on installation of the Digipass Plug-In for SBR. They provide an example for setting up Policies in a typical environment.

Table 4: Pre-Loaded Policies

Policy Name: Base Policy
  Parent Policy: -
  Description: Globally applicable settings. In general, all other Policies should inherit from this, directly or indirectly.
  Non-Default Settings:
    User Lock Threshold = 3
    PIN Change Allowed = Yes
    Challenge Request Method = Keyword
    Primary VDP Request Method = Password
    Backup VDP Request Method = KeywordPassword
    Backup VDP Request Keyword = otp
    Identification Time Window = 20
    Event Window = 20
    Initial Time Window = 6
    Identification Threshold = 0
    Local Authentication = None
    Back-End Authentication = None
    DUR = No
    Password Autolearn = No
    Stored Password Proxy = No
    Group Check Mode = No Check
    Assignment Mode = Neither
    Search Up OU Path = No
    Application Types = No Restriction
    1-Step Challenge/Response = No
    1-Step Challenge Check Digit = No
    Backup VDP Enabled = No

Policy Name: SBR Base Policy
  Parent Policy: Base Policy
  Description: Settings applicable to all SBR Plug-In Policies, including local authentication. In general, all other SBR policies should inherit from this, directly or indirectly.
  Non-Default Settings:
    Local Authentication = Digipass/Password

Policy Name: SBR Windows Auto-Assignment
  Parent Policy: SBR Base Policy
  Description: SBR Plug-In model for Auto-Assignment with Dynamic User Registration, using Windows back-end authentication and a Windows group check.
  Non-Default Settings:
    Back-End Authentication = If Needed
    Back-End Protocol = Windows
    Dynamic User Registration = Yes
    Assignment Mode = Auto-Assignment
    Search up OU Path = Yes
    Grace Period = 7
    Group Check Mode = Passthrough
    Group List = Digipass Users

Policy Name: SBR Windows Self-Assignment
  Parent Policy: SBR Base Policy
  Description: SBR Plug-In model for Self-Assignment with Dynamic User Registration, using Windows back-end authentication.
  Non-Default Settings:
    Back-End Authentication = If Needed
    Back-End Protocol = Windows
    Dynamic User Registration = Yes
    Assignment Mode = Self-Assignment
    Search up OU Path = Yes
    Serial No. Separator =
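As an added illustration (not the product's own code) of how effective settings follow from this inheritance chain, the Python below encodes the Pre-Loaded Policies from Table 4 and resolves a Policy's effective settings, reporting which ancestor supplies each value. The Policy names and settings are taken from the table; the functions themselves are hypothetical.

```python
# Constructed illustration of Policy inheritance: the records mirror the
# non-default settings in Table 4; they are not read from a real data store.

POLICIES = {
    "Base Policy": {
        "parent": None,
        "settings": {
            "User Lock Threshold": 3,
            "PIN Change Allowed": "Yes",
            "Challenge Request Method": "Keyword",
            "Primary VDP Request Method": "Password",
            "Backup VDP Request Method": "KeywordPassword",
            "Backup VDP Request Keyword": "otp",
            "Identification Time Window": 20,
            "Event Window": 20,
            "Initial Time Window": 6,
            "Identification Threshold": 0,
            "Local Authentication": "None",
            "Back-End Authentication": "None",
            "Dynamic User Registration": "No",
            "Password Autolearn": "No",
            "Stored Password Proxy": "No",
            "Group Check Mode": "No Check",
            "Assignment Mode": "Neither",
            "Search Up OU Path": "No",
            "Application Types": "No Restriction",
            "1-Step Challenge/Response": "No",
            "1-Step Challenge Check Digit": "No",
            "Backup VDP Enabled": "No",
        },
    },
    "SBR Base Policy": {
        "parent": "Base Policy",
        "settings": {"Local Authentication": "Digipass/Password"},
    },
    "SBR Windows Auto-Assignment": {
        "parent": "SBR Base Policy",
        "settings": {
            "Back-End Authentication": "If Needed",
            "Back-End Protocol": "Windows",
            "Dynamic User Registration": "Yes",
            "Assignment Mode": "Auto-Assignment",
            "Search Up OU Path": "Yes",
            "Grace Period": 7,
            "Group Check Mode": "Passthrough",
            "Group List": "Digipass Users",
        },
    },
    "SBR Windows Self-Assignment": {
        "parent": "SBR Base Policy",
        "settings": {
            "Back-End Authentication": "If Needed",
            "Back-End Protocol": "Windows",
            "Dynamic User Registration": "Yes",
            "Assignment Mode": "Self-Assignment",
            "Search Up OU Path": "Yes",
        },
    },
}


def inheritance_chain(name, policies=POLICIES):
    """Return [name, parent, grandparent, ...] ending at the root Policy."""
    chain, seen = [], set()
    while name is not None:
        if name in seen:
            raise ValueError(f"inheritance loop at {name!r}")
        if name not in policies:
            raise KeyError(f"unknown parent Policy {name!r}")
        seen.add(name)
        chain.append(name)
        name = policies[name]["parent"]
    return chain


def effective_settings(name, policies=POLICIES):
    """Merge settings root-first, so the nearest explicitly set value wins."""
    effective = {}
    for ancestor in reversed(inheritance_chain(name, policies)):
        effective.update(policies[ancestor]["settings"])
    return effective


def setting_origin(name, key, policies=POLICIES):
    """Name the Policy in the chain that supplies the effective value of key."""
    for ancestor in inheritance_chain(name, policies):
        if key in policies[ancestor]["settings"]:
            return ancestor
    return None


if __name__ == "__main__":
    target = "SBR Windows Self-Assignment"
    for key, value in sorted(effective_settings(target).items()):
        print(f"{key:32}: {value!s:18} (from {setting_origin(target, key)})")
```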

7.3 Differences from VACMAN Middleware 2.3

Some settings used in VACMAN Middleware 2.3 have been modified in Digipass Plug-In for SBR. Most Server settings are found in Policies.

Authenticator Setting

The Authenticator field from VACMAN Middleware 2.3 has been split into several fields in Digipass Plug-In for SBR:

  Local Authentication
  Back-End Authentication
  Back-End Protocol
  Disabled (User setting)

The correspondence of the other fields is different for (VM) RADIUS and Web:

Table 5: VACMAN Middleware 2.3 and Digipass Plug-In for SBR Authentication Settings

Columns: VACMAN Middleware 2.3 setting | Local Auth setting | Back-End Auth setting | Back-End Protocol setting | Disabled checkbox

RADIUS:
  Local Server       | Digipass/Password       | None                    | <blank>                 | No
  Local and Proxy    | Digipass/Password       | Always                  | RADIUS                  | No
  Proxy Server       | None                    | Always                  | RADIUS                  | No
  Local and Windows  | Digipass/Password       | Always                  | Windows                 | No
  Windows            | None                    | Always                  | Windows                 | No
  Disabled           | <pre-disabled setting>  | <pre-disabled setting>  | <pre-disabled setting>  | Yes

Web:
  Local Server       | Digipass/Password       | None                    | <blank>                 | No
  Local and Proxy    | Digipass/Password       | If Needed               | Windows                 | No
  Proxy Server       | None                    | If Needed               | Windows                 | No
  Local and Windows  | Digipass/Password       | If Needed               | Windows                 | No
  Windows            | None                    | If Needed               | Windows                 | No
  Disabled           | <pre-disabled setting>  | <pre-disabled setting>  | <pre-disabled setting>  | Yes

8 Database Integration

8.1 Active Directory

What is Stored in Active Directory?

The following information is stored in Active Directory:

  Digipass User accounts
  Digipass and Digipass Application records
  Digipass configuration records (Policies, Components and Back-End Servers)

Schema Extensions

User attributes: vasco-userext class
Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class', vasco-userext, on the User class.

Digipass and Digipass Application records
The vasco-dptoken class is used to store Digipass attributes. It is also a container, in which the vasco-dpapplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User.

Policies, Components and Back-End Servers
Policy, Component and Back-End Server records are stored in vasco-policy, vasco-component and vasco-backendserver objects respectively. They are located in a single DigipassConfiguration container in a single Domain.

Digipass Records

Location of Digipass Records

When a Digipass is assigned to a User, it is moved to the same location as the Digipass User account it is assigned to. This makes it easier to set up the permissions necessary for delegated administration.

Note: A Digipass record will not automatically be moved when the User account to which it is assigned is moved to another location. When moving User accounts within Active Directory, ensure that the records of any assigned Digipass are manually moved to the same location.

Unassigned Digipass records may be stored in various places in the data store:

Digipass Pool
A container called Digipass-Pool is created during installation. This is intended as a general store for unassigned Digipass.

Organizational Units
If an Organizational Unit structure is used in the data store, Digipass can be loaded or moved either into the exact Organizational Units where the User accounts to which they will be assigned are located, or into a few key Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units.

Users Container
When Active Directory is used as the data store, Digipass can be loaded into the Users container so they are available for Users in that container. However, it is not recommended to use the Users container for either User accounts or Digipass.

When looking for an available Digipass to assign to a User, the SBR Plug-In will first look in the same Organizational Unit as the specific User account. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the SBR Plug-In to search in parent Organizational Units and the Digipass Pool container. This option may be set at the Policy level for system searches (eg. Auto-Assignment and Self-Assignment) or at the time of the search for manual assignment.

Note: The SBR Plug-In will always find or assign the closest available Digipass record to the selected User record(s).

Delegated Administration in Active Directory

If the assignment is manual (performed by an administrator), it will only find and successfully assign Digipass from locations where the administrator has the correct permissions. The administrator must have read permission for Digipass objects in the location to find a Digipass record, and if it needs to be moved to the User's location, they must have delete permission for Digipass objects to successfully assign the Digipass. If the administrator has sufficient permissions to view a Digipass record but not to assign it, the assignment will fail.

Record Location: Digipass Pool
  Pros: Digipass are available to be assigned to all Users, regardless of the Organizational Unit structure.
  Cons: Only administrators with access to the Digipass Pool may view or modify records for unassigned Digipass. This also means that only those administrators may manually assign Digipass. An extra permission must be assigned to all administrators who should be able to assign Digipass (if they are not Domain Admins). It is not possible to strictly subdivide the unassigned Digipass among the Organizational Units according to quotas.

Record Location: Organizational Unit
  Pros: Digipass may be portioned out to various Organizational Units. This is particularly useful where a company is contracted to provide authentication services to multiple companies, or where various departments have different Digipass quotas.
  Cons: If an Organizational Unit runs out of Digipass to assign to its Users, more Digipass records must be manually moved to the right location.

Record Location: Users Container
  Pros: Digipass can be assigned to any User in the Users container.
  Cons: Digipass in the Users container are only available to User accounts stored there.

Table 6: Summary of Digipass Record Location Options

Typical Digipass Location Models

Digipass Pool

A centralised point of access and importation can be implemented by using the Digipass Pool to hold unassigned Digipass records. This option requires less calculation and high-level administration, as Digipass records are all imported into one area and there is no need to manually move records or calculate the exact number of Digipass required for each Organizational Unit or group of Units. However, permissions will need to be set up to permit delegated administrators access to move the Digipass out of the container upon assignment.

The Digipass Pool is treated as the Domain Root by the SBR Plug-In, as Digipass records may not be saved in the Domain Root.

Image 32: Digipass Record Locations - Digipass Pool

In the diagram above, the SBR Plug-In is shown searching upwards through the Organizational Unit structure for available Digipass to assign to a Digipass User in the Organizational Unit B1. Because no available Digipass are found in B1, it searches in B, then in the Digipass Pool.

Administrator 1 needs delegated administrator permissions for the Organizational Unit B and its child Organizational Units. They must also have read and delete permissions for Digipass objects in the Digipass Pool container.

Note: The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

Parent Organizational Units

Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational Units. This requires a delegated administrator to have permissions not only for the Organizational Unit in which the User accounts are stored, but also read, write and delete permissions for Digipass objects in the Organizational Unit in which the Digipass are stored.

Image 33: Digipass Record Locations - Parent Organizational Unit

In the diagram above, the SBR Plug-In can search in the parent Organizational Unit for available Digipass. The delegated administration permissions can be set up in two basic ways:

  Administrator 1 has full admin permissions for Organizational Unit B and its child Organizational Units. She does not require any other permissions to assign Digipass from Organizational Unit B to a User in Organizational Unit B1.

  Administrator 2 has full admin permissions for Organizational Unit A2 only. He has read and delete permissions for Digipass objects in Organizational Unit A in order to assign Digipass from Organizational Unit A to a User in Organizational Unit A2.

Note: The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

Individual Organizational Units

Digipass can be loaded or moved into each Organizational Unit where and when they are required. It is then easy to set up permissions for delegated administrators to assign them only within their scope of control. If all Digipass in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before they can be assigned by a delegated administrator.

Image 34: Digipass Record Locations - Individual Organizational Units

In the diagram above, unassigned Digipass are stored in the exact Organizational Units in which they will be assigned. Each delegated administrator only requires permissions within their specific Organizational Unit(s).

Note: The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model.

Combination of models

Digipass may be stored in the Digipass Pool as well as some or all Organizational Units. If no unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in Organizational Unit hierarchy option is enabled, the SBR Plug-In will search upwards to the Domain Root and search in the Digipass Pool for an available, unassigned Digipass record.

Search for Digipass Records

The Digipass Extension for Active Directory Users and Computers allows you to search for specific Digipass records, or Digipass records meeting set criteria. This functionality can be useful when you have Digipass records in various places throughout Active Directory.

Image 35: Digipass Search window

Permissions Needed by the SBR Plug-In

The installation process will ensure that the SBR Plug-In has sufficient permissions. This is achieved by assigning permissions in the domain to the in-built RAS and IAS Servers group. It is necessary to make sure that the SBR Plug-In is added to that group.

Administrative Permissions

Administrative permissions for SBR Plug-In administrators are controlled using Active Directory security properties. See the Permissions Needed by Administrators topic in the Administrator Reference for more information.

Domain Administrators may view and edit all Digipass and Digipass User information in their domain, plus Digipass Configuration information if the Digipass Configuration Container is located in their domain. No permissions setup is required for them.

Delegated Administrators may view and edit all Digipass and Digipass User information within their administrative scope of control. It is necessary to grant them full control, create and delete permissions over the Digipass and Digipass Application objects within their scope.

Reduced Rights Administrators may perform a subset of the administration tasks. 'Property sets' are defined within the directory which can be used to enable or limit them in various Digipass administration tasks (eg. access to the Digipass blob).

Active Directory Command Line Utility

This utility performs several tasks that are needed at various times during installation and upgrade if Active Directory is selected, or afterwards for maintenance. Some of the commands are run automatically by the installation program, while others are run manually. The commands that are run automatically can also be run manually, for example to troubleshoot why the installation is not succeeding.

Command: addschema
  Description: Extend the Active Directory schema.

Command: checkschema
  Description: Check that the schema extensions are all present.

Command: setupdomain
  Description: Sets up the Digipass Configuration Container in the specified domain.

Command: setupaccess
  Description: Assign permissions to a Windows group, including:
    Full read access to everything in the domain
    Full control over vasco-dptoken objects
    Full control over vasco-dpapplication objects
    Ability to create and delete vasco-dptoken objects
    Full write access to extension attributes on user objects
  This command can optionally be used to also add a machine to the group.

Table 7: DPADadmin tasks

8.2 ODBC or Embedded Database

What is Stored in the Data Store?

The following information is stored in the data store:

  Digipass User accounts
  Digipass and Digipass Application records
  Digipass configuration records (Policies, Components, Back-End Servers)
  Domains and Organizational Units

Domains and Organizational Units are included in the ODBC database in a way that mirrors the data structure used by Active Directory.

Image 36: Domain and Organizational Unit Overview

Organizational Units are designed to hold User accounts and Digipass records. They allow grouping of Users according to department, job function, or other criteria. They also allow Digipass to be allocated for Auto-Assignment to single or multiple groups of Users. Both Domains and Organizational Units can be used to limit administrators to a group of Users and/or Digipass.

Location of Digipass Records

When a Digipass is assigned to a User, it is moved to the same Organizational Unit as the Digipass User account to which it is assigned.

Note: When a User account is moved to an Organizational Unit, all Digipass records assigned to it will also be moved. A Digipass record assigned to a User cannot be moved on its own; the User account must be moved.

Unassigned Digipass records may be allocated to various places in the Organizational Unit structure:

Master Domain
During installation, a default domain is created. Digipass are imported to the Master Domain, and may then be moved to other domains and Organizational Units.

Organizational Units
If an Organizational Unit structure is used in the database, Digipass can be moved either into the exact Organizational Units where the User accounts to which they will be assigned are located, or into a few key Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units.

When looking for an available Digipass to assign to a User, the SBR Plug-In will first look in the same Organizational Unit as the specific User account, if the User account belongs to an Organizational Unit. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the SBR Plug-In to search in parent Organizational Units and the Digipass Pool container. This option may be set at the Policy level for system searches (eg. Auto-Assignment and Self-Assignment) or at the time of the search for manual assignment.

Note: The SBR Plug-In will always find or assign the closest available Digipass record to the selected User record(s).

If the User account being assigned a Digipass does not belong to an Organizational Unit, the SBR Plug-In will look for an available Digipass in the domain which does not belong to an Organizational Unit.

Typical Digipass Location Models

Domain Root

Digipass records may be stored in the Domain Root while unassigned. This option allows a centralised point of access for assignment of Digipass. It also requires less calculation and high-level administration: Digipass records are all stored in one area and there is no need to manually move records or calculate the exact number of Digipass required for each Organizational Unit or group of Units. Administrators must belong to the Domain only (not an Organizational Unit) to assign Digipass from the Domain Root.

Image 37: Digipass Record Locations - Domain Root

In the diagram above, the SBR Plug-In searches upwards through the Organizational Unit structure for available Digipass to assign to a Digipass User in the Organizational Unit B1. Because no available Digipass are found in B1, it searches in B, then in the Domain Root. The administrator account must be located in the Domain Root (no Organizational Unit) in order for this model to work successfully.

Note: The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

This option is simplified if an Organizational Unit structure is not used in the database. User accounts and Digipass records may all be stored in the Master Domain. The Search Upwards in Organizational Unit hierarchy option does not need to be enabled in this case.

Parent Organizational Units

Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational Units.

Image 38: Digipass Record Locations - Parent Organizational Unit

In the diagram above, the SBR Plug-In can search in the parent Organizational Unit for available Digipass. Administrators will need to belong to the parent Organizational Unit.

Note: The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

Individual Organizational Units

Digipass can be loaded or moved into each Organizational Unit where and when they are required. If all Digipass in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before they can be assigned.

Image 39: Digipass Record Locations - Individual Organizational Units

In the diagram above, unassigned Digipass are stored in the exact Organizational Units in which they will be assigned. Administrator accounts belonging to the Organizational Units A1 and A2 have administration privileges in their own Organizational Unit only.

Note: The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model.

Combination of models

Digipass may be stored in the Master Domain as well as some or all Organizational Units. If no unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in Organizational Unit hierarchy option is enabled, the SBR Plug-In will search upwards to the Domain Root and search in the Digipass Pool for an available, unassigned Digipass record.

Permissions Needed by the SBR Plug-In

The SBR Plug-In will require either:

  a database administrator account for the database,
  ownership of the VASCO tables, or
  permissions to insert, remove, read and modify rows in VASCO tables.

See the Administrator Reference for more information. This is set up automatically in the case of the embedded database option.
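An added example (not the SBR Plug-In's own code) of the closest-available Digipass search described in both the Active Directory and the ODBC sections above, together with the read/delete permission check that manual assignment needs in Active Directory. OU names, serial numbers and administrator rights are constructed, and the assumption that rights granted at an OU apply to its child OUs is marked in the code.

```python
# Constructed model of the closest-available Digipass search described above;
# it is not the SBR Plug-In's own code. A location is a tuple of OU names from
# the domain root downwards: ("B", "B1") is OU B1 inside OU B, and () is the
# Domain Root. Since the Plug-In treats the Digipass Pool as the Domain Root,
# unassigned records kept in the Pool (or, for ODBC, in the Master Domain root)
# are represented at location ().
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Digipass:
    serial: str                      # constructed sample serial numbers
    location: tuple                  # OU path of the record
    assigned_to: Optional[str] = None


@dataclass
class Admin:
    name: str
    # location -> rights on Digipass objects in that OU. Rights granted at an
    # OU are assumed to apply to its child OUs, as with AD inherited ACEs.
    rights: dict = field(default_factory=dict)

    def has(self, right, location):
        # walk from the given OU up to the root; any ancestor grant counts
        for depth in range(len(location), -1, -1):
            if right in self.rights.get(location[:depth], set()):
                return True
        return False


def search_path(user_location, search_upwards):
    """OUs to examine, nearest first: the User's own OU and, only when the
    Search Upwards option is enabled, each parent up to the Domain Root."""
    if not search_upwards:
        return [user_location]
    return [user_location[:depth] for depth in range(len(user_location), -1, -1)]


def find_available(user_location, records, search_upwards, visible=lambda r: True):
    """Closest unassigned Digipass the caller is allowed to see, or None."""
    for ou in search_path(user_location, search_upwards):
        for record in records:
            if record.assigned_to is None and record.location == ou and visible(record):
                return record
    return None


def manual_assign(admin, user_id, user_location, records, search_upwards):
    """Assignment by an administrator: read permission is needed to find the
    record and delete permission in its location to move it to the User."""
    record = find_available(user_location, records, search_upwards,
                            visible=lambda r: admin.has("read", r.location))
    if record is None:
        raise LookupError("no visible unassigned Digipass found")
    if record.location != user_location and not admin.has("delete", record.location):
        raise PermissionError(f"{admin.name} can see {record.serial} but lacks "
                              f"delete permission in {record.location or 'Pool'}")
    record.assigned_to = user_id
    record.location = user_location   # the record moves to the User's location
    return record


if __name__ == "__main__":
    # Scenario from the Digipass Pool diagram: the User is in OU B1, no
    # unassigned Digipass exist in B1 or B, one sits in the Pool.
    pool = [Digipass("SAMPLE-0001", ("A",)), Digipass("SAMPLE-0002", ())]
    admin1 = Admin("Administrator 1", {("B",): {"read", "delete"}, (): {"read", "delete"}})
    print(manual_assign(admin1, "user.b1", ("B", "B1"), pool, search_upwards=True))
```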

Database Command Line Utility

This utility performs several tasks that are needed at various times during installation and upgrade, or afterwards for maintenance. Some of the commands are run automatically by the installation program, while others are run manually. The commands that are run automatically can also be run manually, for example to troubleshoot why the installation is not succeeding.

Command: addschema
  Description: Modify the database structure to create the required VASCO tables.

Command: checkschema
  Description: Check that the required database modifications and/or table name remappings have been completed.

Command: dropschema
  Description: Remove all database schema modifications from the database.

Table 8: DPDBadmin commands

Additional ODBC Databases

A synchronized backup database may be set up for the SBR Plug-In. This helps to ensure continuous service if the main database fails. The synchronization can be a shadow database, a mirror or a replicated copy. The required synchronization must be set up according to the instructions provided by the database vendor. It is strongly recommended to minimize the synchronization delay.

Once the database and any synchronization are set up, create a Data Source Name for the new database and add it to the SBR Plug-In Configuration GUI.

Image 40: Additional ODBC databases

See the Database Connection Handling topic in the Administrator Reference for more information.

Multiple SBR Plug-Ins

If more than one SBR Plug-In is installed on the system, some additional setup may be required.

Multiple SBR Plug-Ins Using Same Database

If more than one SBR Plug-In is using the one ODBC database, no additional setup steps are required. However, use of a backup database should be considered.

Image 41: Multiple Plug-Ins Using Single Database

Multiple SBR Plug-Ins Using Own Database

If each SBR Plug-In is using its own ODBC database as a data store, replication should be performed between SBR Plug-Ins to ensure that each database is kept up to date and to guard against data loss.

8.3 Sensitive Data Encryption

Sensitive data is encrypted by the Digipass Plug-In for SBR using an embedded key. If needed, this encryption may be strengthened by including a custom encryption key. See the Administrator Reference for more information.

9 Licensing

9.1 Overview

VASCO products are licensed per Component record in the data store. The licensing relies upon a License Key which is checked when the SBR Plug-In starts. This License Key is tied to the location (IP address) where the SBR Plug-In is installed, and stored in the Component record for the SBR Plug-In. The SBR Plug-In will not authenticate a user without a correct License Key.

Evaluation Licenses

An evaluation license means that you can use its full functionality until the evaluation period runs out. At the end of this period, you will need to either uninstall the product or buy a permanent license. Contact your distributor or the appropriate VASCO Reseller representative to acquire the licences you will need.

For your convenience, the evaluation serial number is embedded in the installation program. You will still need to obtain and load a license key.

Client module licenses can also be evaluation (time-limited) licenses.

9.2 Obtaining and Loading a License Key

The Digipass Plug-In for SBR installation process will guide you through the process of requesting and loading a License Key. However, if for some reason it is not possible to complete the licensing at installation time, the Administration MMC Interface can be used to obtain and load a License Key for a Component. This process must be completed for each SBR Plug-In, and requires an active internet connection to open the Digipass Activation Page.

10 Auditing and Tracing

10.1 Audit System

The VASCO Audit System consists of a number of auditing modules which save audit messages in a specific format (eg. text file) and an Audit Viewer which can open, display and filter audit messages from various sources.

Audit messages are primarily generated by the SBR Plug-In. They may be recorded by a number of different methods:

  Windows Event Log (to be viewed in the Event Log Viewer)
  Text file
  ODBC-compliant database

Audit messages may also be passed directly to an Audit Viewer as a live feed.

Configure Auditing Output

Auditing output from the SBR Plug-In can be configured using the SBR Plug-In Configuration. See the Configuration section of the Administrator Reference for more information.

Audit Viewer

The Audit Viewer can retrieve messages from several different sources and display audit messages from each in separate windows. Audit messages may be filtered by message type, date and time, or the contents of specific fields.

Audit message types

Type: Error
  Description: The message contains details about a system, configuration, licensing or some internal error. Errors do not include normal processing events such as failed logins.

Type: Warning
  Description: Warning messages contain details about potential problems within the system. This could include details such as a failed connection attempt to a Domain Controller.

Type: Information
  Description: Informational messages provide details about events within the system that need to be recorded but do not indicate errors or potential errors. An example of this may be a re-connection to Active Directory for load-balancing reasons.

Type: Success
  Description: Success messages contain details about processing events that were correctly processed. This may include successful authentications or successful administration commands.

Type: Failure
  Description: Failure messages contain details about processing events that failed. This may include rejected authentications, or administration actions that failed.

Table 9: Audit message types

Active Directory Auditing

Active Directory auditing may be enabled and configured to record access and modifications to Digipass-related data used by the SBR Plug-In. See the Active Directory Auditing topic in the Administrator Reference for more information.

Tracing

The level of tracing for the SBR Plug-In can be configured using the SBR Plug-In Configuration utility. Tracing messages will be recorded to a text file. See the Tracing section in the Administrator Reference for more information, and instructions on configuring tracing for the SBR Plug-In.

11 User Self Management Web Site

11.1 What is the User Self Management Web Site?

The User Self Management Web Site allows Users to perform functions which are unavailable during a usual login, either because the functionality is disabled within the SBR Plug-In configuration, or because CHAP or another protocol is in use which does not allow the functionality:

  User Registration and Auto-Assignment
  Self-Assignment
  Password Synchronization
  PIN Change
  Login Test

The site can also be used to help Users get started with their Digipass while they are still in the office and help is available.

Important Note: The User Self Management Web Site is intended for RADIUS environments, and uses the RADIUS protocol to communicate with the SBR Plug-In. If the SBR Plug-In is not licensed for RADIUS, you will not be able to use the User Self Management Web Site.

Customizing the User Self Management Web Site

The User Self Management Web Site can be customized by modifying the pages provided with the installation. You may wish to:

  change the colors and graphics to match your corporate colors/logos.
  integrate the pages into a larger web site.
  translate or customize the text.

Any cosmetic part of the web pages may be modified. Completely new web pages may be used, provided that the correct form fields are posted to the CGI program, and query string variables are interpreted correctly. Server scripting languages such as PHP or ASP, or any other way of generating HTML, can be used.

See the Web Sites section of the Administrator Reference for more information.

91 OTP Request Site

12 OTP Request Site

12.1 What is the OTP Request Site?

The OTP Request Site provides a method for Users to request an OTP to be sent to their mobile, for use in logging in.

Image 42: OTP Request Site

Important Note

The OTP Request Site is intended for RADIUS environments, and uses the RADIUS protocol to communicate with the SBR Plug-In. If the SBR Plug-In is not licensed for RADIUS, you will not be able to use the OTP Request Site.

Customizing the OTP Request Site

The OTP Request Site is designed to be customized in a similar way to the User Self Management Web Site. See the Web Sites section of the Administrator Reference for more information.


More information

MobiControl v12: Migration to Profiles Guide. December 2014

MobiControl v12: Migration to Profiles Guide. December 2014 MobiControl v12: Migration to Profiles Guide December 2014 Copyright 2014 SOTI Inc. All rights reserved. This documentation and the software described in this document are furnished under and are subject

More information