Vasco Personal aXsGUARD Product Manual

Other manuals for Personal aXsGUARD: Installation And Configuration Manual, How-to Manual
Manual is about: all-in-one solution for Internet connectivity and security

Summary of Personal aXsGUARD

  • Page 1

    Cover page: aXsGUARD Identifier 3.0.2.0 Product Guide v1.5 (aXsGUARD Identifier, DIGIPASS, Configuration Tool), 2009.

  • Page 2

    aXsGUARD Identifier 3.0.2.0 Product Guide v1.5. Legal notice: VASCO products. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as ‘VASCO’. VASCO products comprise hardware, software, services and documentation. This document addresses potential an...

  • Page 3: Table Of Contents

    Table of Contents: Introduction Section ... 13; 1 Introduction ...

  • Page 4

    Table of Contents (continued): 3.5.1 Overview ... 32; 3.5.2 Local Authentication Policy Setting ...

  • Page 5

    Table of Contents (continued): Configuration Tool Section ... 62; 5 Installation Configurations ...

  • Page 6

    Table of Contents (continued): 10.3 Audit Message Types ... 76; 10.4 Audit Filter ...

  • Page 7

    Table of Contents (continued): 15.5.3 Multiple Changes to a Single Data Record ... 98; 15.5.4 Connection Handling ...

  • Page 8

    Table of Contents (continued): 17.4.4 DIGIPASS Assignment Limitations ... 116; 17.5 Virtual DIGIPASS ...

  • Page 9

    Table of Contents (continued): 22 Reporting ... 137; 22.1 Overview ...

  • Page 10: Illustration Index

    Illustration Index: Image 1: VASCO's authentication solution ... 17; Image 2: ...

  • Page 11

    Illustration Index (continued): Image 35: Replication between a first, second, and disaster recovery aXsGUARD Identifier ... 96; Image 36: 'System' tab in the administration web inte...

  • Page 12

    Index of Tables: Table 1: Values for local authentication setting ... 32; Table 2: Values for back-end aut...

  • Page 13

    Introduction Section: Introduction ... 1; aXsGUARD Identifier ... 2. © 2009 VASCO Data Security.

  • Page 14: Introduction

    1 Introduction. 1.1 Audience and purpose of this document: this aXsGUARD® Identifier Product Guide is part of a set of guides on the aXsGUARD Identifier. It is intended for technical experts interested in learning about the aXsGUARD Identifi...

  • Page 15: 1.2

    1.2 About VASCO: VASCO is a leading supplier of strong authentication and electronic signature solutions and services, specializing in internet security applications and transactions. VASCO has positioned itself as a global software company for...

  • Page 16: Axsguard Identifier

    2 aXsGUARD Identifier. 2.1 Overview: in this chapter we introduce the products and concepts which together provide VASCO's authentication solution with the aXsGUARD Identifier. Section 2.2 briefly describes VASCO's authentication solu...

  • Page 17: 2.3

    Image 1: VASCO's authentication solution. Application service providers assign DIGIPASS client devices to holders, based on the serial number of the DIGIPASS and the holder’s ID. Each DIGIPASS device is delivered in a controlled way t...

  • Page 18: 2.4

    2.4 What is the IDENTIKEY Server? The IDENTIKEY Server supports the deployment, use and administration of VASCO DIGIPASS technology. It is designed to be easily usable with online applications and has a web-based administration inter...

  • Page 19: 2.6

    DIGIPASS readers: products in this group include connected and unconnected models. DIGIPASS readers combine secret values, which are stored in the smart cards, with DIGIPASS algorithms pre-programmed into the DIGIPASS reader, which a...

  • Page 20

    We have already described the aXsGUARD Identifier convenience layer and the IDENTIKEY in sections 2.3 and 2.4 respectively. The three user interfaces shown in Image 2 are the aXsGUARD Identifier: Configuration Tool for system adminis...

  • Page 21: 2.7

    2.6.3 Scenarios: scenarios are the client applications and other functionalities supported by the aXsGUARD Identifier. They are shown with blue shading in Image 2. Scenarios are enabled by default, subject to support in the license. Sc...

  • Page 22: 2.8

    2.7.4 Client component licensing: certain client modules – such as the IIS modules – also require a license key to be loaded into their client component record. Otherwise, the aXsGUARD Identifiers to which they connect reject their au...

  • Page 23: 2.9

    2.9 VASCO Service Center. Image 3: connection between the aXsGUARD Identifier and VASCO Service Center. The VASCO Service Center server handles registration, updating and remote support for the aXsGUARD Identifier. The connection betwe...

  • Page 24

    User Authentication Section: Authentication process overview ... 3.1; Identifying the component record ... 3.2; Identifying a policy ... 3.3; DIGIPASS user account looku...

  • Page 25: User Authentication Process

    3 User Authentication Process. 3.1 Authentication process overview: in this chapter we describe in detail the user authentication process. The aXsGUARD Identifier authenticates logins in two basic ways: local authentication, using ...

  • Page 26: 3.2

    3.2 Identifying the component record: a record must exist in the database for any client application sending an authentication request to the aXsGUARD Identifier. This client component is identified using: component type – a f...

  • Page 27

    In the aXsGUARD Identifier, DIGIPASS user accounts are identified using a user ID and a domain. This process is shown in the image below and explained here, cross-referencing the numbers in the image: 1. If entry fields for t...

  • Page 28

    3.4.3 DIGIPASS user account lookup: the aXsGUARD Identifier checks that the user attempting to log in has a DIGIPASS user account in the aXsGUARD Identifier data store. The user ID and domain resolution described above determi...

  • Page 29

    Image 6: dynamic user registration process.

  • Page 30: 3.5

    3.5 Local Authentication. 3.5.1 Overview: local authentication is a term used to describe the aXsGUARD Identifier authenticating a user based on information in its data store. Typically the DIGIPASS one-time password (OTP) is r...

  • Page 31

    The three possible request mechanisms are: a response-only one-time password (OTP, described in section 3.5.3.3); a challenge for challenge/response OTP generation (described in section 3.5.3.4); a virtual DIGIPASS OTP (desc...

  • Page 32

    Application type – either response-only, challenge/response or multi-mode. Only DIGIPASS with the application type are usable, except multi-mode, which matches all application types. DIGIPASS type – a list of models such as DP...

  • Page 33

    3.5.3.3 Response only: the response-only login and authentication process involves the following steps: the user generates an OTP with their DIGIPASS device; the user enters their user ID and the OTP in the login window; the aXs...

  • Page 34

    For more information on time- or event-based challenge/response DIGIPASS authentication methods, please see section 17.2.4. For more information on policies, please see section 20.2. 1-step and 2-step login processes are e...

  • Page 35

    Image 9: 1-step (left) and 2-step (right) challenge/response login. 3.5.3.5 Virtual DIGIPASS login: we explain here the authentication process with a virtual DIGIPASS. For more information on virtual DIGIPASS, see also section ...

  • Page 36

    1. Login step 1: the user logs in with a user ID and password and/or keyword and requests an OTP to be generated and delivered to them. (The policy defines how this request should be made, with the request method and request ...

  • Page 37

    3.5.3.6 Request method and keyword: for 2-step challenge/response and virtual DIGIPASS, the method of requesting a challenge or OTP respectively can be defined in the policy. The methods for primary virtual DIGIPASS and backu...

  • Page 38

    3.5.4.1 Static password verification: static password verification calls on the static password defined in the DIGIPASS user account record. This password is also used for other purposes (see section 16.5). Static password au...

  • Page 39

    Image 11: static password authentication flow. 3.5.4.2 Self-assignment: a user is able to assign a DIGIPASS device to their DIGIPASS user account using the self-assignment mechanism, if permitted by the policy settings. The sel...

  • Page 40: 3.6

    3.6 Back-End Authentication. 3.6.1 Overview: back-end authentication is a term used to describe the process of checking user credentials with another system. With the aXsGUARD Identifier this could mean a RADIUS server or an LDAP-b...

  • Page 41

    Table 2: values for back-end authentication setting. Setting / explanation: Default – back-end authentication is handled as configured in settings inherited from the parent policy. More information on policies and inheritance can b...

  • Page 42

    3.6.3.2 Password autolearn: a back-end server static password can be specified in addition to a DIGIPASS OTP during an authentication attempt. If the password autolearn option is enabled, the static password is automatically ...

  • Page 43

    Image 12: password replacement with an IIS module. 3.6.3.4 Stored static password and RADIUS attributes: the purpose of this setup is to enforce DIGIPASS OTP authentication to an existing RADIUS client and server infrastructure...

  • Page 44

    This setup is achieved by configuring the following policy options: local authentication: DIGIPASS or DIGIPASS/password; back-end authentication: always; back-end authentication protocol: RADIUS; password autolearn: on; stored pa...

  • Page 45

    The time between retries is a few minutes, i.e. long enough to ensure that a temporarily delayed response due to a peak load does not prevent a back-end server from being used. A consistent lack of response for the set number o...

  • Page 46

    If back-end authentication succeeds, the user authentication on the aXsGUARD Identifier is successful. If back-end authentication fails, user authentication on the aXsGUARD Identifier fails. Image 14: back-end authentication ...

  • Page 47

    3.6.6 LDAP back-end authentication: the aXsGUARD Identifier supports LDAP back-end authentication. The directory services supported by the aXsGUARD Identifier for LDAP back-end authentication are: Microsoft Active Directory; Novell e-D...

  • Page 48

    Authentication process. Image 15: back-end authentication process with Microsoft Active Directory. There are two steps (see image above) to back-end authentication with Microsoft Active Directory: 1. First the back-end server ...

  • Page 49

    Limitations: Windows 2000 is not supported. The version of Windows used with LDAP back-end authentication must be Windows 2003 or higher. Note: 1) the 'sAMAccountName' attribute is used by Microsoft Active Directory to identif...

  • Page 50

    2. Secondly, the user account needs to be located for authentication. With an FQDN, sufficient information is already provided to find the user account for authentication. With an RDN, the principal name and password are used...

  • Page 51

    Image 16: back-end authentication process with Novell e-Directory. 3.6.6.3 Policies: policies are included with the aXsGUARD Identifier which can be used to allow the use of Active Directory or Novell e-Directory. The policies ca...

  • Page 52: 3.7

    3.7 Authorization profiles/attributes: some IIS modules, e.g. the IIS module for basic authentication, utilize user attributes to allow a website to retrieve authorization information from local accounts following successful authe...

  • Page 53

    3.8.2 Using a host code: a DIGIPASS host code is computed as follows: 1. The DIGIPASS device generates a one-time password and splits it into two parts. The first part is used for end-user authentication. The second part is t...

  • Page 54

    Administrative Interfaces Section: Overview ... 4.1; Default administrative users ... 4.2; Configuration Tool ... 4.3; Admi...

  • Page 55: Administration Interfaces

    4 Administration Interfaces. 4.1 Overview: in chapters 1 and 2 we introduced the VASCO authentication solution and the structure and functionality of the aXsGUARD Identifier. In chapter 3 we explained the authentication pro...

  • Page 56: 4.3

    4.3 Configuration Tool: the Configuration Tool interface supports installation and management of the aXsGUARD Identifier and is intended for use by system administrators. In section 2.3 we introduced the concept of the conveni...

  • Page 57: 4.4

    4.4 Administration web interface: the administration web interface supports the daily administration of the aXsGUARD Identifier and is intended for use by help desks and system administrators. This interface allows management of...

  • Page 58: 4.5

    Note: with a factory-default aXsGUARD Identifier, only the system administrator with the name 'admin@master' has access to the administration web interface. By default there are two system administrators regist...

  • Page 59

    Configuration Tool Section: Installation configurations ... 5; Registration ... 6; Updating ... 7; Ba...

  • Page 60: Installation Configurations

    5 Installation Configurations. 5.1 Overview: installation is the process of linking the aXsGUARD Identifier to your organization's network and configuring general settings. Installation and registration are both necessary to us...

  • Page 61: 5.3

    5.3 Configuration wizard: the configuration wizard is launched when a new aXsGUARD Identifier Configuration Tool is accessed. The configuration wizard must be completed to allow full access to the Configuration Tool, for manua...

  • Page 62: Registration

    6 Registration. 6.1 Overview: registration is the process of identifying an issued aXsGUARD Identifier to the VASCO Service Center for the issue of a license key to make the appliance fully operational. After installation, and before registra...

  • Page 63: 6.3

    6.3 Registration without on-site internet access: an aXsGUARD Identifier is registered for a specific IP address. Without the license referencing the correct IP address, services such as authentication are not operational. Registration to ac...

  • Page 64: 6.7

    6.7 Change of customer information: to change customer information in the aXsGUARD Identifier, administrators can initiate the re-registration wizard manually through the Configuration Tool and make the necessary changes. Information alread...

  • Page 65: Updating

    7 Updating. 7.1 Overview: VASCO are constantly improving their products, to solve problems or to address new needs. These improvements are distributed to the aXsGUARD Identifier through the updating process. Updating is included in the aXsGUARD I...

  • Page 66: Backup and Restore

    8 Backup and Restore. 8.1 Overview: backup and restore functionality means that administrators can keep reserve appliances and upload configuration settings, which have previously been backed up to their network, onto a new aXsGUARD Ide...

  • Page 67: Logging

    9 Logging. 9.1 Overview: there are two separate sources of information generated on the aXsGUARD Identifier. Reporting and auditing: this is the information generated about events in the IDENTIKEY component and includes, amongst others, information...

  • Page 68: 9.3

    9.3 Local: live log viewer. A live log viewer in the aXsGUARD Identifier Configuration Tool allows monitoring of convenience layer events. Live log views can be customized to present 'filtered data' using log levels and/or words (see below). Loca...

  • Page 69: 9.6

    Table 8: log levels. Type / description: Critical – a system-critical warning that services may not be running; please follow the support procedure in section 2.8. Error – error condition: action required, although services may still be running. Warn...

  • Page 70

    Table 9: log filter fields. Type / description: Date after – click on the icon to select a date from the calendar; only records after the date specified are displayed. Date before – click on the icon to select a date from the calendar; only records befo...

  • Page 71: Auditing

    10 Auditing. 10.1 Overview: there are two separate sources of information generated on the aXsGUARD Identifier: from the convenience layer and from the IDENTIKEY component. Information sourced from the convenience layer supports logging (explained...

  • Page 72: 10.4

    Table 10: audit message types. Type / description: Error – the message contains details about a system, configuration, licensing or some internal error. Errors do not include normal processing events such as failed logins. Warning – warning messages co...

  • Page 73

    Table 11: audit filter fields. Type / description: Date after – click on the icon to select a date from the calendar; only records after the date specified are displayed. Date before – click on the icon to select a date from the calendar; only records ...

  • Page 74: Statistics

    11 Statistics. 11.1 Overview: statistics present information in visual charts or graphs about the system usage over time. This information is available in the aXsGUARD Identifier Configuration Tool (see section 4). 11.2 System information avai...

  • Page 75: 11.3

    CPU time. Image 24: CPU statistics interface. Image 25: interface statistics. 11.3 Statistics filtering: filtering specific information from some of the statistics data is also possible. For example, the following two images demonstrate the CPU u...

  • Page 76

    Image 27: CPU time for administration web interface.

  • Page 77: Message Delivery Component

    12 Message Delivery Component. 12.1 Overview: the message delivery component (MDC) is necessary to support virtual DIGIPASS authentication. For more information on virtual DIGIPASS authentication, see section 17.2.4. The MDC in...

  • Page 78: 12.2

    12.2 Configuration: to configure gateway settings you need to enter into the aXsGUARD Identifier Configuration Tool: the URL, port and protocol to access the gateway server; the required query string; the query method (GET or POS...

  • Page 79: Remote Support

    13 Remote Support. 13.1 Overview: remote support allows VASCO experts to connect to your aXsGUARD Identifier to resolve difficulties (see also section 2.8 on VASCO's full support system). Remote support can be managed through the aXsGUARD I...

  • Page 80: 13.4

    13.4 Tracing: tracing provides extra troubleshooting information for VASCO experts. Tracing can be activated by system administrators or VASCO experts using the aXsGUARD Identifier Configuration Tool. If a VASCO expert cannot use the remot...

  • Page 81: Ldap User Synchronization

    14 LDAP User Synchronization. 14.1 Overview: LDAP user synchronization can be configured in the Configuration Tool and supports automatic creation and updating of user accounts on the aXsGUARD Identifier from records stored on an...

  • Page 82: 14.3

    LDAP synchronization profiles define: where the source LDAP server is located; which user accounts from the source need to be synchronized (filtering); whether existing user accounts on the aXsGUARD Identifier can be updated with...

  • Page 83: 14.4

    Synchronization profiles can also be configured to update existing user accounts (i.e. user accounts which do not have the corresponding synchronization profile ID). 14.4 Creating and updating user accounts: synchronization invo...

  • Page 84

    Image 30: LDAP synchronization to create or update an aXsGUARD Identifier user account.

  • Page 85: 14.5

    Notes: 1. Missing LDAP attributes and LDAP attributes with empty values initiate different synchronization behaviors. If a mapped attribute is missing on the LDAP server, the aXsGUARD Identifier property is not updated (i.e. th...

  • Page 86: 14.8

    ...had both values for the email address attribute. Retrieving accounts which have one or the other value therefore requires two profiles. 3. To help manage source and destination organizational hierarchies (see next section). Wit...

  • Page 87

    Image 31: possible source and destination hierarchy mapping with a single synchronization profile. Image 32: example source and destination hierarchy mapping with three synchronization profiles.

  • Page 88: 14.9

    14.9 Special cases: special attention is required when: 1. A user account does not exist in the destination organizational unit specified for a synchronization, but exists within the same destination domain without the synchron...

  • Page 89

    Tip: for troubleshooting, first consult the logging, which records errors such as a failed server connection or erroneous synchronization profile settings (see section 9). Logs relevant to the synchronization process can be filt...

  • Page 90: Replication

    15 Replication. 15.1 Overview: multiple aXsGUARD Identifiers can be configured to synchronize by replicating data changes between them. This process is called replication, and can be set up using the replication wizard (explained below). Follo...

  • Page 91: 15.3

    15.2.2 First, second and disaster recovery aXsGUARD Identifiers: this scenario is often used when a company requires an off-site disaster recovery aXsGUARD Identifier and database. Image 35: replication between a first, second, and disaster r...

  • Page 92: 15.4

    Caution: 1) creating a loop in the replication setup is not supported. An aXsGUARD Identifier already included in a replication setup cannot be configured as a replication target for another aXsGUARD Identifier. 2) A third aXsGUARD Identifie...

  • Page 93: 15.6

    15.5.2 Replication forwarding: replication forwarding is required and activated automatically where more than two aXsGUARD Identifiers are replicating. The ID of the source aXsGUARD Identifier and the target aXsGUARD Identifier(s) to which it...

  • Page 94

    15.6.2 Replication status: the replication status (viewable under the 'System' tab in the administration web interface; see first image below) shows the current status of replication for an aXsGUARD Identifier and the number of entries curren...

  • Page 95

    Web Administration Interface Section: DIGIPASS user accounts ... 16; DIGIPASS ... 17; Client components ... 18; Serv...

  • Page 96: Digipass User Accounts

    16 DIGIPASS User Accounts. 16.1 Overview: all users requiring authentication with the aXsGUARD Identifier must have their records registered in the aXsGUARD Identifier for: DIGIPASS devices to be assigned to users; user-specific para...

  • Page 97: 16.3

    Further management possibilities with user accounts are listed below. For explanations of the user property fields, please refer to the aXsGUARD Identifier Administration Reference Guide. 16.2.2 Importing user records: multiple use...

  • Page 98: 16.4

    Image 38: user account link. 16.4 User account settings: user account settings which can be managed through the administration web interface include: the user ID, the domain and possibly the organizational unit they belong to are define...

  • Page 99: 16.6

    During challenge/response authentication as request method (see section 3.5.3.6); during virtual DIGIPASS use as request method (see section 3.5.3.6); password replacement and autolearn (see section 3.6.3); back-end authentication...

  • Page 100: Digipass

    17 Digipass. 17.1 Overview: all Digipass instances need to be registered in the aXsGUARD Identifier with the relevant data for the aXsGUARD Identifier to support authentication requests which use one-time passwords generated by the Digipass. Some d...

  • Page 101

    PIN change allows a user to change their PIN as desired. The PIN length can be set for a Digipass device. Digipass lock sets the number of consecutive faulty PIN entries allowed before the Digipass device is locked. 17.2.2 Server PIN: the Digipa...

  • Page 102

    Table 12: Server settings regulating server PINs (Setting: Explanation). PIN supported (factory default): built-in technology to support the use of a server PIN (only active if PIN enabled). PIN enabled (factory default): setting forcing a server PIN to be u...

  • Page 103: 17.3

    Challenge/response authentication can be: time-based, in which case the OTP is based on a challenge and the current time. The common time step used is 9 hours ('slow challenge'). This means that if exactly the same challenge is given to a Digip...

  • Page 104

    These processes are described in section 17.4. Digipass self- and auto-assignment methods can also be combined with Dynamic User Registration (see section 3.4.4). 17.3.3 Searching for Digipass records: the Administration Web Interface allows y...

  • Page 105

    (Name: Explanation) Unlock Digipass: if a user incorrectly enters their Digipass client PIN into their Digipass device a predetermined number of times, the Digipass locks. Once locked, an administrator's help is required to unlock it. This function...

  • Page 106: 17.4

    Example: the time window may be 5 steps in either direction. This means that 11 OTPs would be considered valid: the exact OTP for that time, and the OTPs for the 5 time steps on either side of the exact time. If the OTP given is for a different time s...

  • Page 107

    17.4.1 Self-assignment. 17.4.1.1 Self-assignment process: users may assign the Digipass record for a device which has been supplied to them to their Digipass user account. The user must log in and include the serial number, static password and one ...

  • Page 108

    17.4.1.2 Self-assignment data: certain settings and data entry are required for self-assignment: the Assignment Mode policy setting must be Self-Assignment. For self-assignment to succeed, the user needs to provide the following: a static passw...

  • Page 109

    17.4.2 Auto-assignment: the aXsGUARD Identifier can automatically assign an available Digipass record when a Digipass user account is created using Dynamic User Registration (DUR). The correct Digipass device must then be delivered to the user. ...

  • Page 110

    17.4.3 Manual assignment: a selected Digipass record is manually assigned to a specific Digipass user account. The Digipass device must then be sent out to the user. A grace period is typically set, during which the user may still log in using o...

  • Page 111

    17.4.4 Digipass assignment limitations: Digipass assignment limitations include: a Digipass record can only be assigned to one user account (except when using linked user accounts, see section 16.3). Multiple Digipass records can be assigned t...

  • Page 112: 17.5

    17.5 Virtual Digipass. 17.5.1 Overview: with Virtual Digipass login, the user requests an OTP to be issued to their mobile phone, thus removing the need for a hardware or software Digipass (see also section 2.5; for information on authentication...

  • Page 113

    17.5.4 Implementation decision: several factors need careful consideration before implementing a Virtual Digipass system. Cost: your company will probably need to pay an amount for each text message sent. In some countries, mobile phone owners m...

  • Page 114

    ...Digipass device again, the administrator must reset the time period to allow re-use of the Backup Virtual Digipass. Max. uses/user: set a maximum number of times a user may request an OTP using the Backup Virtual Digipass. When the user has rea...

  • Page 115

    17.5.6 Backup Virtual Digipass guidelines for use: some questions to guide implementation of Backup Virtual Digipass are: will any users have access to Backup Virtual Digipass? If so, will all users have access to Backup Virtual Digipass? Will u...

  • Page 116: Client Components

    18 Client components. 18.1 Overview: each application in the network which needs to access aXsGUARD Identifier services must be registered on the aXsGUARD Identifier as a client component for access to be allowed. Client component regis...

  • Page 117: 18.3

    Caution: modifying the IP address of the aXsGUARD Identifier in the Configuration Tool results in the creation of a new Administration Program client component record. The older records can be erased; however, do not erase the client c...

  • Page 118: 18.4

    Any RADIUS client which does not have an explicit component record is handled using the “default” RADIUS client component, if it exists. A default RADIUS client component record is automatically created during installation of aXsGUARD ...

  • Page 119: Server Components

    19 Server components. 19.1 Overview: each aXsGUARD Identifier in your setup needs to be licensed to be operational. To verify whether a valid license is present, a server component needs to be registered for the aXsGUARD Identifier to wh...

  • Page 120: 19.3

    19.3 Licenses: a server component holds the license key for a specific aXsGUARD Identifier. This component record is checked for a valid license when the aXsGUARD Identifier is started. If the license key is missing, invalid or expired,...

  • Page 121: Policies

    20 Policies. 20.1 Overview: policies specify various settings that affect all request handling processes. Each request is handled according to a policy identified by the applicable client and server records (see also sections 18 and 19 on client ...

  • Page 122: 20.3

    20.3 Policy inheritance: many policies are already provided in the aXsGUARD Identifier. Amongst these, the 'Base Policy' can be used as a starting template from which to adapt certain settings for new policies. This concept is called policy inh...

  • Page 123

    Effective policy settings. [Local/back-end authentication] Local authentication: Digipass/Password; Back-end authentication: Always; Back-end protocol: RADIUS. [User accounts] Dynamic User Registration: Yes; Password autolearn: Yes; Stored passwo...

  • Page 124: Organization

    21 Organization. 21.1 Overview: user accounts and Digipass records can be grouped in the aXsGUARD Identifier using two structures, domains and organizational units, which are managed using the aXsGUARD Identifier Administration Web Interface....

  • Page 125: 21.3

    However, there are two differences between domains and organizational units: all Digipass user accounts and Digipass records must belong to a domain; Digipass user accounts and Digipass records do not have to belong to an organizational uni...

  • Page 126

    Image 45: User ID and domain resolution. 21.3.2 Practical use: authentication requests require the user name to be resolved and the appropriate Digipass user account to be located. Domain management is therefore required to support this proce...

  • Page 127: 21.4

    The first user ID will not be resolved, since the Digipass user account 'martin' doesn't exist in the master domain (users were only added in the 'mycompany.com' domain). The second user ID will be resolved because the Digipass user accoun...

  • Page 128: 21.5

    Image 46: Possibilities for moving user accounts and Digipass (OU = organizational unit). Note: when a user account is moved to an organizational unit, all Digipass records assigned to it are also moved. A Digipass record assigned to a user c...

  • Page 129: 21.6

    21.6 Typical Digipass location models. Domain root: Digipass records may be stored in the domain root while unassigned. This option allows a centralised point of access for assignment of Digipass records. It also requires less calculation and...

  • Page 130

    Parent organizational units: unassigned Digipass records can be kept in key organizational units and made available to their lower-level organizational units. Image 48: Digipass record location – parent organizational unit. In the diagram ab...

  • Page 131

    Individual organizational units: Digipass records can be loaded or moved into each organizational unit when and where they are required. If all Digipass in an organizational unit have been assigned, more Digipass records need to be moved in ...

  • Page 132: Reporting

    22 Reporting. 22.1 Overview: there are two separate sources of information generated on the aXsGUARD Identifier: the convenience layer and the IDENTIKEY component. Information sourced from the convenience layer supports logging (explain...

  • Page 133: 22.3

    The main uses for reports are: Troubleshooting. User troubleshooting: administrators can generate reports to enable them to troubleshoot authentication failures for specific users. System troubleshooting: system administrators can generate aXsG...

  • Page 134

    22.3.2 Report type: there are four report types. List analysis report: lists all items that match the criteria specified in the report definition, e.g. a list of users with no Digipass records assigned. Detailed analysis report: shows detail of...

  • Page 135

    In the example below, the grouping level has been set to User: each user has an individual row on the report. Image 51: Report grouping. © 2009 VASCO Data Security, 135.

  • Page 136

    22.3.5 Query: queries specify the search criteria for extracting data to create a report. Queries consist of: a datafield, which is a field from the database; an operator, which is the operation to be performed on the datafield; a value, which ...

  • Page 137: 22.4

    22.3.7 Formatting templates: report data is always generated as XML, then an XSLT transformation is applied to give the output. The XSLT transformation requires a formatting template. Each report definition requires at least one template so t...

  • Page 138

    Rescue Tool section: Overview (23.1); Access (23.2); Options (23.3).

  • Page 139: Rescue Tool

    23 Rescue Tool. 23.1 Overview: the Rescue Tool allows administrators to access a limited number of settings through a command-line menu. Functionality available through the Rescue Tool is described below. Note: the Rescue Tool is not the Digip...

  • Page 140

    ...reboot or shut down the aXsGUARD Identifier. Image 53: Start and Network menus with the Rescue Tool.

  • Page 141: Alphabetical Index

    Alphabetical index: accessing further reading, 15; administration interfaces, 21, 58; administration web interface...

  • Page 142

    domain, 60, 129; domain root, 134; dynamic user registration...

  • Page 143

    firewalls, 97; forwarding, 98; multiple changes...