DIGIPASS Authentication for Check Point VPN-1

Transcription

1 DIGIPASS Authentication for Check Point VPN-1 With Vasco VACMAN Middleware Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 51

2 Disclaimer Disclaimer of Warranties and Limitations of Liabilities This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security. Trademarks DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. Copyright 2007 VASCO Data Security. All rights reserved VASCO Data Security. All rights reserved. Page 2 of 51

3 Table of Contents DIGIPASS Authentication for Check Point VPN Disclaimer... 2 Table of Contents Overview Problem Description Solution Technical Concept General overview Check Point VPN-1 prerequisites VACMAN Middleware Prerequisites VPN-1 Configuration General configuration RADIUS Configuration User Configuration Usergroup Configuration Change Server Configuration VPN Authentication Firewall Authentication Apply Changes VACMAN Middleware Policy configuration Component configuration User configuration ODBC installation User creation Import DIGIPASS VASCO Data Security. All rights reserved. Page 3 of 51

4 7.1.3 DIGIPASS Assignment Active Directory installation User creation Import DIGIPASS DIGIPASS assignment VPN-1 test SSL/VPN Authentication Response Only Challenge / Response Firewall Authentication Response Only Challenge / Response VACMAN Middleware features Installation Support for Windows 2000, 2003, IIS5 and IIS Support for ODBC databases and Active Directory Deployment Dynamic User Registration (DUR) Autolearn Passwords Stored Password Proxy Authentication Methods Policies DIGIPASS Self Assign DIGIPASS Auto Assign Grace Period Virtual DIGIPASS Administration Active Directory Users and Computers Extensions Administration MMC Interface VASCO Data Security. All rights reserved. Page 4 of 51

5 9.3.3 User Self Management Web Site Delegated administration Granular access rights About VASCO Data Security VASCO Data Security. All rights reserved. Page 5 of 51

6 1 Overview The purpose of this document is to demonstrate how to configure VACMAN Middleware 3.0 (VM) to work with Check Point VPN-1 based devices. Authentication is arranged on one central place where it can be used in a regular VPN or SSL/VPN connection or through the firewall rules that can request user authentication. 2 Problem Description The basic working of VPN-1 is based on authentication to an existing media (LDAP, RADIUS, local authentication ). To use the VACMAN Middleware with VPN-1, the external authentication settings need to be changed or added manually. 3 Solution After configuring VACMAN Middleware and VPN-1 in the right way, you eliminate the weakest link in any security infrastructure the use of static passwords that are easily stolen guessed, reused or shared. In this integration guide we will make use of a VPN-1 UTM installation. This combines a firewall, an IPSec or SSL/VPN and a UTM suite in one. For authentication, we focused on the SSL/VPN and the firewall part. VACMAN Middleware IP: Port: 1812 Shared Secret: vasco Check Point VPN-1 UTM External Host: checkpoint.vpn-1.utm External IP: Internal IP: / /24 Domain Controller DNS server Active Directory Domain: labs.vasco.com IP: Web Server IP: URL: cp.labs.vasco.com Figure 1: Solution 2007 VASCO Data Security. All rights reserved. Page 6 of 51

7 4 Technical Concept 4.1 General overview The main goal of the VPN-1 is to perform authentication to secure all kind of VPN and firewall connections. As the VPN-1 can perform authentication to an external service using the RADIUS protocol, we will place the VACMAN Middleware as back-end service, to secure the authentication with our proven VACMAN Middleware software. 4.2 Check Point VPN-1 prerequisites Please make sure you have a working setup of a VPN-1. It is very important this is working correctly before you start implementing the authentication to the VM. At this time this is a list of products that are supported to use authentication and can be managed with SmartCenter: VPN-1 UTM VPN-1 UTM Power VPN-1 Power VPN-1 Power VSX VPN-1 UTM Edge Safe@Office These have also a stand-alone management tool. The products mentioned above are each available for different platforms. The SmartCenter is available for Windows 98/ME/2000/XP/2003 and Solaris. 4.3 VACMAN Middleware Prerequisites In this guide we assume you already have VACMAN Middleware 3.0 (VM) installed and working. If this is not the case, make sure you get VM working before installing any other features VASCO Data Security. All rights reserved. Page 7 of 51

8 5 VPN-1 Configuration 5.1 General configuration In this chapter you will learn how to configure an external RADIUS authentication server, our VACMAN Middleware. This server will then be used in different applications. When talking about the tabs in the left window, we refer to this tab bar. Network objects Services Recources Servers - OPSEC Users VPN Communities RADIUS Configuration Let s start with creating the RADIUS configuration in the SmartDashboard. Open SmartDashboard and on the tabs in the left window select the Servers and OPSEC Applications tab. Right-click Servers and select RADIUS Figure 2: RADIUS Configuration (1) 2007 VASCO Data Security. All rights reserved. Page 8 of 51

9 We will create an external RADIUS server. To do that, we will first create a host where the VACMAN Middleware is located. Click the New button behind the Host field. Figure 3: RADIUS Configuration (2) Type in a name and the IP address where the VACMAN Middleware is installed. If you type in a resolvable hostname (FQDN or Netbios) you can click the Get address button to resolve the hostname to the IP address. When done, click OK. Figure 4: RADIUS Configuration (3) 2007 VASCO Data Security. All rights reserved. Page 9 of 51

10 Back in the first screen, your host will now be filled in automatically with the one you just created. Enter a Name and Shared Secret. RADIUS version 2.0 is necessary to enable all features for VACMAN Middleware. e.g. PIN change = passwords larger than 16 characters = Password+PIN+OTP+NewPIN+NewPIN Passwords larger than 16 characters are cut off after the 16 th character if RADIUS version 1.0 is used. As Service it depends on which port you installed VACMAN Middleware = NEW-RADIUS 1645 = RADIUS Figure 5: RADIUS Configuration (4) Click OK when finished. You will now see the RADIUS server in the list. You can still edit this server by right-clicking the object and selecting Edit. The host you created can be found in the Network Objects tab, under Nodes VASCO Data Security. All rights reserved. Page 10 of 51

11 5.1.2 User Configuration We will now create a method so users will be authenticated through the newly created RADIUS server. Go to the Users tab and right click External User Profiles and select New External User Profile Match all users. Figure 6: User Configuration (1) On the Authentication tab, select RADIUS as Authentication Scheme. As a RADIUS server select the newly created RADIUS server pointing to VACMAN Middleware. Figure 7: User Configuration (2) Figure 8: User Configuration (3) 2007 VASCO Data Security. All rights reserved. Page 11 of 51

12 5.1.3 Usergroup Configuration We will now create a group for the generic* RADIUS user to work with. Only groups can be used in the rules to allow access. In the same user tab, right-click User Groups New Group. Figure 9: Usergroup Configuration (1) Fill in the RADIUS Group Name and move the generic* RADIUS user to the In Group list. Figure 10: Usergroup Configuration (2) 2007 VASCO Data Security. All rights reserved. Page 12 of 51

13 5.1.4 Change Server Configuration To make sure the VPN-1 server is configured correctly for RADIUS authentication we will check it s general configuration in the following chapter. Go to the Network Objects tab and select your VPN-1 server from the Check Point list. Right-click your server and select Edit Figure 11: Change Server Configuration (1) In this case we only want to allow users to make a VPN connection when they verify themselves with a One Time Password to our VACMAN Middleware. Go to the Remote Access Office Mode and select Offer office mode to group: and select your RADIUS group you recently created. Figure 12: Change Server Configuration (2) 2007 VASCO Data Security. All rights reserved. Page 13 of 51

14 5.2 VPN Authentication In this chapter we will show you how to use the RADIUS authentication to make an SSL/VPN connection. Go to the VPN Communities tab and right-click the Remote Access RemoteAccess and select Edit Figure 13: VPN Authentication (1) Select the Participant User Group and add the RADIUS group to this list. Figure 14: VPN Authentication (2) 2007 VASCO Data Security. All rights reserved. Page 14 of 51

15 5.3 Firewall Authentication In this chapter we will show you how to protect a firewall rule by using the external RADIUS server and so require the use of OTP s. First, make sure you are in the Firewall (Security) tab (1). Select one of the rules you see in the list. Then, click the button to add a firewall rule below the current one.(2) A new rule will appear, with an empty Name-field. Double click the empty Namefield. 1 2 Figure 15: Firewall Authentication (1) Give the new rule a Name and click OK. Figure 16: Firewall Authentication (2) 2007 VASCO Data Security. All rights reserved. Page 15 of 51

16 In the Source field, we will enter the group that has access to the website we will be publishing. Right-click this field and choose Add User Access Figure 17: Firewall Authentication (3) Select the RADIUS group you created earlier, check the No restriction option and click OK. Figure 18: Firewall Authentication (4) 2007 VASCO Data Security. All rights reserved. Page 16 of 51

17 For the Destination, right-click the field and choose Add Figure 19: Firewall Authentication (5) If the server that hosts your website is not in the list, click the New button and select Node Host Figure 20: Firewall Authentication (6) 2007 VASCO Data Security. All rights reserved. Page 17 of 51

18 Fill in the Name and the IP Address. If the Name is an FQDN or Netbios host, you can click the Get address button to resolve the IP Address. When done, click OK. Figure 21: Firewall Authentication (7) You will now find the newly created host in the list, select it and click OK. Figure 22: Firewall Authentication (8) 2007 VASCO Data Security. All rights reserved. Page 18 of 51

19 There are only three services supported for user authentication: HTTP, FTP and Telnet. In this firewall rule we only want to allow HTTP traffic. Right-click the Service field and select Add Figure 23: Firewall Authentication (9) Choose http from the list and click OK. Figure 24: Firewall Authentication (10) 2007 VASCO Data Security. All rights reserved. Page 19 of 51

20 To request user authentication, right-click the Action field and select Client Auth from the list. Figure 25: Firewall Authentication (11) Instead of Client Authentication there are 2 other possibilities, a little more information about this field type: User Authentication: User authentication grants access on a per-user basis. This method can only be used for telnet, ftp, rlogin, http and https, and requires separate authentication for each connection. User Authentication is secure, because the authentication is valid only for one connection, but intrusive, because each connection requires another authentication. For example, accessing a single web page could display several dozen User Authentication windows, as different components are loaded. Session Authentication: Session Authentication is not like user authentication because it requires authentication for each session, and can be used with any service. Session authentication is secure, but requires a session authentication agent to be running on the authentication client, or on another machine in the network. Session authentication can be used to authenticate any service on a per-session basis. After the user initiates a connection directly to the server, the security gateway - located between the user and the destination - intercepts the connection. The gateway recognizes that user-level authentication is required, and initiates a connection with a session authentication agent. The session authentication agent is a utility provided with VPN-1 NGX, and must be installed on any object running session authentication. The Agent performs required authentication, which allows connections to continue to the requested server, if permitted VASCO Data Security. All rights reserved. Page 20 of 51

21 Client Authentication: Client authentication grants access on a per-host basis. Client authentication allows connections from a specific IP address, after successful authentication. it can be used for any service, for any number of connections and the authentication is valid for the length of time specified by the administrator. It is slightly less secure than user authentication, because it allows any user access from the IP address or host, but is also less intrusive than session authentication. Client authentication is best used when the client is a single - user machine, such as a pc. It is best practice to enable "specific sign on" in the properties of the client authentication method. If specified, only connections that match the original connection are allowed without additional authentication. If a rule specifies more than one service or host, the user on the client must re-authenticate for each service or host. Specific Sign On is useful if you want to limit access to services and target hosts. If you choose Manual, you have to authenticate by making a telnet connection to the firewall on port 259 or by browsing to VASCO Data Security. All rights reserved. Page 21 of 51

22 Finally, to change the authentication settings, right-click the Client Auth field and select Edit Properties Figure 26: Firewall Authentication (12) In the Source box, select ignore user database. As Required Sign On select Standard and change the Sign On Method to Fully automatic. Click OK to continue. Figure 27: Firewall Authentication (13) We now created a firewall rule allowing the firewall to request user authentication before accessing a website. We also changed the VPN settings sending the user credentials to the external RADIUS server. Both ways will make use of the VACMAN Middleware to perform authentication, allowing you to make use of DIGIPASS One Time Passwords VASCO Data Security. All rights reserved. Page 22 of 51

23 5.4 Apply Changes The SmartCenter is only a dashboard to show the configuration of the VPN-1 software. We still have to save all changes we made to the back-end. Click Policy Install to deploy all the changes to the VPN-1 back-end. Figure 28: Apply Changes (1) You will receive the question to which Check Point target you want to deploy the changes. In our case, member is the name of our VPN-1 server. Select the correct Installation Target and click OK. Figure 29: Apply Changes (2) 2007 VASCO Data Security. All rights reserved. Page 23 of 51

24 Once the installation of the policy has finished, click Close. Figure 30: Apply Changes (3) We have now configured the VPN-1 in such a way, the SSL/VPN and a firewall rule will be protected by our VACMAN Middleware. This allows you to make use of OTP s in different places of the VPN-1. We will now show how VACMAN Middleware has to be configured. Next we will look into the end-users experience when using a DIGIPASS to logon VASCO Data Security. All rights reserved. Page 24 of 51

25 6 VACMAN Middleware 6.1 Policy configuration Setting up the VM only requires you to set up a policy to go to the right back-end and to add an extra Radius component pointing to the ISA server. To add a new policy, right-click Policies and choose New Policy. Figure 31: VM configuration (1) There are a few policies available by default. You can also create new policies to suit your needs. Those can be independent policies, inherit or copy their settings from default or other policies. Fill in a policy name and choose the option most suitable in your situation. If you want the policy to inherit setting from another policy, choose the inherit option. If you want to copy an existing policy, choose the copy option and if you want to make a new one, choose the create option. Figure 32: VM configuration (2) We chose to create a new policy and specify all details about the authentication policy VASCO Data Security. All rights reserved. Page 25 of 51

26 In the policy properties configure it to use the right back-end server. This could be the local database, but also Windows (Active Directory) or another radius server (RADIUS). This could the same authentication service as you were previously using in the ISA server. Main Settings tab o Local auth.: Digipass/Password o Back-End Auth.: If Needed o Back-End Protocol: Windows User Settings tab o Dynamic User Registration: Yes o Password Autolearn: Yes o Stored Password Proxy: Yes o Windows Group Check: No Check Challenge Settings tab o 2-Step Challenge Response None o Primary Virtual DIGIPASS None After configuring this Policy, the authentication will happen, if needed (when it does not know the user locally), in the back-end to Active Directory. User credentials are passed through to the VM, it will check these credentials with the AD and will answer to the ISA server with an Access-Accept or Access-Reject RADIUS message. Figure 33: VM configuration (3) Figure 34: VM configuration (4) Figure 35: VM configuration (5) 2007 VASCO Data Security. All rights reserved. Page 26 of 51

27 6.2 Component configuration For testing purposes you can change the existing RADIUS Client (default RADIUS client that listens for all connections) by right-clicking and choose Properties. If you already use the default RADIUS client, it would be better to create a new RADIUS component. Figure 36: VM configuration (6) In the policy field you should find your newly created policy. Fill in the shared secret you entered also in the RADIUS server properties on the ISA server. Click Create. Figure 37: VM configuration (7) All configuration is done by now. The next chapter shows you how to add a user manually. In our policy we enabled the Dynamic User Recognition (DUR). So users who get verified through the Active Directory, and are not known in the local database, are automatically added. It also shows how to assign a DIGIPASS to a user VASCO Data Security. All rights reserved. Page 27 of 51

28 7 User configuration The user creation steps you will find in this chapter are optional when you didn t activate the option Dynamic User Registration (DUR) and/or Password Autolearn in your policy settings. The assignment of a DIGIPASS can happen manually as explained in the steps below. The user creation and DIGIPASS assignment steps depend on which database backend you installed VACMAN Middleware. Either you installed it with an ODBC back-end or with an Active Directory back-end. 7.1 ODBC installation User creation User creation, while using an ODBC back-end, will happen in the DIGIPASS Administration MMC. Right-click the Users folder and select New User... Figure 38: ODBC User Creation (1) 2007 VASCO Data Security. All rights reserved. Page 28 of 51

29 Fill in the username and password fields. Optionally choose the right domain and Organizational Unit and click the Create button. Figure 39: ODBC User Creation (2) The user will now show up in the Users list of you DIGIPASS Administration MMC. At this point it will be exactly the same as when Dynamic User Recognition (DUR) was enabled. Figure 40: ODBC User Creation (3) 2007 VASCO Data Security. All rights reserved. Page 29 of 51

30 7.1.2 Import DIGIPASS Right-click the DIGIPASS folder and select Import DIGIPASS.... Figure 41: Import DIGIPASS (1) Browse for your *.DPX file, fill in the Transport Key and look at your available applications by pushing the Show Applications button. You can either import all applications or only the ones you selected, by the Import buttons above and below the Show Applications button. Figure 42: Import DIGIPASS (2) 2007 VASCO Data Security. All rights reserved. Page 30 of 51

31 When the DIGIPASS is imported successfully you will receive a confirmation message. Figure 43: Import DIGIPASS (3) 2007 VASCO Data Security. All rights reserved. Page 31 of 51

32 7.1.3 DIGIPASS Assignment There are two possible ways to assign a DIGIPASS to a user. You can search for a DIGIPASS and assign it to a user or you can search for a user and assign it to a DIGIPASS. You can see the difference in the following two figures. Right-click a user and select Assign DIGIPASS... or... Figure 44: DIGIPASS assignment (1) you can right-click a DIGIPASS and select Assign. Figure 45: DIGIPASS assignment (2) 2007 VASCO Data Security. All rights reserved. Page 32 of 51

33 If you leave the User ID blank and press the Find button, you will get a list of all the available users in the same domain as the DIGIPASS. The usernames are partly searchable too. Notice: If no users show up, make sure the domains of the DIGIPASS and the user match. Figure 46: DIGIPASS assignment (3) When assigning a DIGIPASS to a user the same procedure will be applicable. You can either select the desired option to search for a DIGIPASS or search through serial number. Leaving all options blank will show all possibilities in the same domain. When the DIGIPASS gets successfully added to your user you will get a confirmation message. Figure 47: DIGIPASS assignment (4) 2007 VASCO Data Security. All rights reserved. Page 33 of 51

34 7.2 Active Directory installation User creation User creation, while using an Active Directory back-end, will happen in the Active Directory Users and Computers MMC. Right-click a user and select Properties. This can happen automatically when the Dynamic User Registration (DUR) option in the policy settings is active. Figure 48: Active Directory User Creation (1) 2007 VASCO Data Security. All rights reserved. Page 34 of 51

35 In the DIGIPASS User Account tab you will see a field to manually add a password. This can also be automatically filled by enabling the Password Autolearn option in the policy settings. Figure 49: Active Directory User Creation (2) After clicking the Apply button you will see the Update History fields being filled with the current date and time. When these fields are filled it means the DIGIPASS account exists and can be used. Figure 50: Active Directory User Creation (3) 2007 VASCO Data Security. All rights reserved. Page 35 of 51

36 7.2.2 Import DIGIPASS To make sure you can see the DIGIPASS folders in the MMC, go to View and select the Advanced Features. This way you will see the DIGIPASS folders. Figure 51: Import DIGIPASS (1) Right-click the DIGIPASS-Pool folder and select Import DIGIPASS. Figure 52: Import DIGIPASS (1) 2007 VASCO Data Security. All rights reserved. Page 36 of 51

37 Browse for your *.DPX file, fill in the Transport Key and look at your available applications by pushing the Show Applications button. You can either import all applications or only the ones you selected, by the Import buttons above and below the Show Applications button. Figure 53: Import DIGIPASS (1) When the DIGIPASS is imported successfully you will receive a confirmation message. Figure 54: Import DIGIPASS (1) 2007 VASCO Data Security. All rights reserved. Page 37 of 51

38 7.2.3 DIGIPASS assignment There are two possible ways to assign a user to a DIGIPASS. You can search for a DIGIPASS and assign it to a user or you can search for a user and assign it to a DIGIPASS. You can see the difference in the following two figures. Right-click a User and select Assign DIGIPASS... or... Figure 55: DIGIPASS Assignment (1) right-click a DIGIPASS and select Assign DIGIPASS. Figure 56: DIGIPASS Assignment (2) 2007 VASCO Data Security. All rights reserved. Page 38 of 51

39 If you leave the User ID blank and press the Find button, you will get a list of all the available users in the same domain as the DIGIPASS. The usernames are partly searchable too. Figure 57: DIGIPASS Assignment (4) When assigning a DIGIPASS to a user the same procedure will be applicable. You can either select the desired option to search for a DIGIPASS or through serial number. Leaving all options blank will show you all possibilities. Remember to check the Search upwards checkbox VASCO Data Security. All rights reserved. Page 39 of 51

40 8 VPN-1 test 8.1 SSL/VPN Authentication First we will test the SSL/VPN functionality, with Response Only and Challenge/Response Response Only Going to server>, will show you an SSL/VPN login screen. Enter your Username, in the Password-field enter the DIGIPASS OTP and click OK. In our case the url was Figure 58: SSL/VPN Authentication Response Only (1) After verifying the credentials successfully, we are authenticated to start the SSL/VPN connection. Figure 59: SSL/VPN Authentication Response Only (2) 2007 VASCO Data Security. All rights reserved. Page 40 of 51

41 8.1.2 Challenge / Response Now let s take a look at the challenge/response method. Type in a username and password (or keyword) to trigger the challenge code and click OK. Figure 60: SSL/VPN Authentication Challenge / Response (1) Now, on top of the screen, you will see a DP300 Challenge code. Use this challenge to generate a response using a DIGIPASS with challenge/response functionality. Fill in the generated response in the corresponding box and click OK to authenticate. Figure 61: SSL/VPN Authentication Challenge / Response (2) When using the challenge/response method, you will receive a message box stating you authenticated by RADIUS authentication. Click OK to continue. Figure 62: SSL/VPN Authentication Challenge / Response (3) 2007 VASCO Data Security. All rights reserved. Page 41 of 51

42 Then again you will receive the connection window with all details about your VPN connection. Figure 63: SSL/VPN Authentication Challenge / Response (4) 2007 VASCO Data Security. All rights reserved. Page 42 of 51

43 8.2 Firewall Authentication We will now take a look at the firewall authentication part. We try to reach the initial web page from IIS on the DC server Response Only We have two options to perform our authentication. We could make a telnet connection to the firewall on port 259 or we browse to We choose to make use of the web-service to authenticate. Browse to and enter your username. Click Submit. In our case this is Figure 64: Firewall Authentication Response Only (1) 2007 VASCO Data Security. All rights reserved. Page 43 of 51

44 Enter your password (One Time Password) and click Submit. Figure 65: Firewall Authentication Response Only (2) The method depends on the selection you made in the properties of the client authentication. We selected Standard Sign-on, so we select this option and click Submit. Figure 66: Firewall Authentication Response Only (3) 2007 VASCO Data Security. All rights reserved. Page 44 of 51

45 If the authentication succeeds you will receive a confirmation message on screen. Figure 67: Firewall Authentication Response Only (4) We will now be authorized to browse to the specified page we initially wanted to secure: And indeed, we are shown the initial page from IIS. Figure 68: Firewall Authentication Response Only (5) 2007 VASCO Data Security. All rights reserved. Page 45 of 51

46 8.2.2 Challenge / Response The method for challenge/response is exactly the same as above. You will only receive one screen extra after entering your static password in the password field. The screen with the challenge shown on the screen and an extra input field to enter your response. Figure 69 Firewall Authentication Challenge/Response (1) 2007 VASCO Data Security. All rights reserved. Page 46 of 51

47 9 VACMAN Middleware features 9.1 Installation The VACMAN Middleware (VM) installation is very easy and straightforward. VM runs on Windows platforms, supports a variety of databases and uses an online registration. Different authentication methods allow a seamless integration into existing environments Support for Windows 2000, 2003, IIS5 and IIS6 VM can be installed on Windows 2000 and Windows Web modules exist for IIS5 and IIS 6 to protect Citrix Web Interface, Citrix Secure Gateway, Citrix Secure Access Manager (Form-based authentication), Citrix Access Gateway and Microsoft Outlook Web Access 2000 and 2003 (Basic Authentication and Form-Based Authentication) Support for ODBC databases and Active Directory Any ODBC compliant database can be used instead of the default PostgreSQL database (MS SQL Server, Oracle). Since Version 2.3 of VACMAN Middleware, AD is not only intended for storage of DIGIPASS anymore, but configuration and management of your DIGIPASS infrastructure is now also full integrated into the AD management tools. This option requires an AD schema update. 9.2 Deployment Several VACMAN Middleware features exist to facilitate deployment. Combining these features provides different deployment scenarios from manual to fully automatic Dynamic User Registration (DUR) This feature allows VM to check a username and password not in the database with a back-end RADIUS server or a Windows domain controller and, if username and password are valid, to create the username in the VM database Autolearn Passwords Saves administrators time and effort by allowing them to change a user s password in one location only. If a user tries to log in with a password that does not match the password stored in the VM database, VM can verify it with the back-end RADIUS server or the Windows domain controller and, if correct, store it for future use Stored Password Proxy Allows VM to save a user s RADIUS server password or Windows domain controller password in the database (static password). User s can then log in with only username and dynamic one-time password (OTP). If this feature is disabled, users must log in with username and static password immediately followed by the OTP Authentication Methods Different authentication methods can be set on server level and on user level: local authentication (VM only), Back-End authentication (Windows or RADIUS). On top of that a combination of local and back-end can be configured. The additional parameters always, if needed and never offers you additional customization of the back-end authentication process VASCO Data Security. All rights reserved. Page 47 of 51

48 The configuration of authentication methods is done within the policy (policies) Policies Policies specify various settings that affect the User authentication process. Each authentication request is handled according to a Policy that is identified by the applicable Component record. Components can be radius clients, authentication servers or Citrix web interfaces DIGIPASS Self Assign Allows users to assign DIGIPASS to themselves by providing the serial number of the DIGIPASS, the static password and the OTP DIGIPASS Auto Assign Allows automatic assignment of the first available DIGIPASS to a user on user creation Grace Period Supplies a user with a certain amount of time (7 days by default) between assignment of a DIGIPASS and the user being required to log in using the OTP. The Grace Period will expire automatically on first successful use of the DIGIPASS Virtual DIGIPASS Virtual DIGIPASS uses a text message to deliver a One Time Password to a User s mobile phone. The User then logs in to the system using this One Time Password. Primary Virtual DIGIPASS A Primary Virtual DIGIPASS is handled similarly to a standard physical DIGIPASS. It is imported into the VACMAN Middleware database, assigned to a User, and treated by the VACMAN Middleware database as any other kind of DIGIPASS. Backup Virtual DIGIPASS The Backup Virtual DIGIPASS feature simply allows a User to request an OTP to be sent to their mobile phone. It is not treated as a discrete object by VACMAN Middleware, and is not assigned to Users, only enabled or disabled. It can be enabled for Users with another type of DIGIPASS already assigned, and used when the User does not have their DIGIPASS available VASCO Data Security. All rights reserved. Page 48 of 51

49 9.3 Administration Active Directory Users and Computers Extensions Since VACMAN Middleware version 2.3, Managing the users and DIGIPASS can be done within the Active Directory Users and Computers section. Selecting the properties of a user, offers complete User-DIGIPASS management. Figure 70: VM Features (1) Administration MMC Interface A highly intuitive Microsoft Management Console (MMC) exists to administer the product. An Audit Console is available to give an instant view on all actions being performed on the VM. Both can be installed on the VM server itself or on a separate PC. Figure 71: VM Features (2) 2007 VASCO Data Security. All rights reserved. Page 49 of 51

50 9.3.3 User Self Management Web Site A web site running on IIS has been developed to allow users to register themselves to the VM with their username and back-end (RADIUS or Windows) password, to do a DIGIPASS self assign, to update their back-end password stored in the VM database, to do a change PIN (Go-1/Go-3 DIGIPASS), to do a DIGIPASS test. Figure 72: VM Features (3) Delegated administration Administration can be delegated by appointing different administrators per organizational unit (OU). These administrators can only see the DIGIPASS and users that were added to his OU Granular access rights It is possible in VACMAN Middleware to setup different permission per user. This can be in function of a domain or an organizational unit. Administrators belonging to the Master Domain may be assigned administration privileges for all domains in the database, or just their own domain. Administrators belonging to any other Domain will have the assigned administration privileges for that Domain only. It s possible to set different operator access levels. E.g. A user can be created that only has the rights to unlock a DIGIPASS. Figure 73: VM Features (4) 2007 VASCO Data Security. All rights reserved. Page 50 of 51

51 10 About VASCO Data Security VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO s User Authentication software is carried by the end user on its DIGIPASS products which are small calculator hardware devices, or in a software format on mobile phones, other portable devices, and PC s. At the server side, VASCO s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO s target markets are the applications and their several hundred million users that utilize fixed password as security. VASCO s time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries VASCO Data Security. All rights reserved. Page 51 of 51