• No results found

Policy Property Sheet

In document A dm inistrator Reference (Page 37-44)

Note: Changes to Policy settings will not take effect until IAS is restarted.

Field Name in Administration

Interfaces

Description

Description This description can be entered to record the purpose of the Policy.

Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the 'parent Policy'. Settings are inherited individually, depending on the value in the Policy field;

they inherit the parent Policy value in the following cases:

Choice lists/radio buttons – if the selected value is Default Text fields – if the field is blank

Numeric fields – if the field is blank (not 0) List fields – if the list is empty

The Show Effective Policy Settings... button can be used to display the result of inheriting settings combined with settings on the current Policy.

Local Authentication Specifies whether authentication requests using the Policy will be handled by the IAS Plug-In using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).

When Local Authentication is used, there are two factors that determine whether Digipass authentication is used – any Policy restrictions on Digipass Types and/or Applications that can be used and whether the Digipass User account has any assigned Digipass that meet the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they cannot use Digipass authentication under that Policy.

Options:

Default Use the setting of the parent Policy.

None The IAS Plug-In will not carry out Local Authentication under this Policy. They may be handled using Back-End Authentication, or not handled at all by the IAS Plug-In.

Digipass/Password The IAS Plug-In will always carry out Local Authentication under this Policy, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.

Digipass Only the IAS Plug-In will always carry out Local Authentication under this Policy, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.

Digipass Plug-In for IAS Administrator Reference Field Listings

Specifies whether authentication requests using the Policy will be handled by the IAS Plug-In using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).

Options:

Default Use the setting of the parent Policy.

None Back-End Authentication will not be used.

If Needed The IAS Plug-In will utilize Back-End Authentication but only in certain cases:

Dynamic User Registration Self-Assignment

Password Autolearn

Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password

Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period Always The IAS Plug-In will utilize Back-End Authentication for every

authentication request.

Back-End Protocol Specifies the protocol to be used for Back-End Authentication.

There is currently only one option:

Windows Authentication using the Windows operating system.

Created On The date and time that the Policy was created. Read-only.

Last Modified On The date and time that the Policy was last modified. Read-only.

Dynamic User Registration

Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy.

If this feature is used, when the IAS Plug-In receives an authentication request for a User for the first time and Back-End Authentication is successful, it will create a Digipass User account automatically. If DUR is used in conjunction with Auto-Assignment, a Digipass will be assigned to the new User account immediately.

Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature enables the IAS Plug-In to update the password stored in the Digipass User account when Back-End Authentication is successful.

In Digipass Plug-In for IAS it is normally not necessary to store the password in the Digipass User account, so this feature is not typically used.

Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This feature can be used in conjunction with the Back-End Authentication Always setting and the Password Autolearn feature, so that even though a Back-End Authentication check is done every login, it is done using the password stored in the Digipass User account, so the User does not have to enter it during their login unless it has just changed.

In Digipass Plug-In for IAS it is normally not necessary to perform a Back-End Authentication check at each login, so this feature is not typically used.

Default Domain The default Domain in which the IAS Plug-In should look for and create Digipass User accounts, if a Domain is not specified by the login credentials.

If the User logs in with the User-Principal-Name format (eg. [email protected]) or the NT4 style format (eg. VASCO\testuser), the Default Domain is not used. However, if they log in with just a UserId (eg. testuser), the Default Domain will be used if specified.

In the case that no Domain is implied by the login credentials and there is no Default Domain, the IAS Plug-In will search in its Configuration Domain.

Must be the fully qualified domain name.

Digipass Plug-In for IAS Administrator Reference Field Listings

Field Name in Administration

Interfaces

Description

User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass User account to become Locked. For example, if the User Lock Threshold is 3, the account will become Locked on the third failed login attempt. Unlocking the account requires administrator action.

Note that not all kinds of login failure will result in locking. For example, if the UserId is incorrect or the account is Disabled, the failure would not count towards the lock threshold.

Locking is used mainly for incorrect OTPs and static passwords.

Windows Group Check (radio buttons)

Specifies whether and how the Windows Group Check feature is to be used. This feature is typically used for a staged deployment of Digipass when the Auto-Assignment method is used. It can also be used when only some Users are required to use Digipass or when only some Users will be permitted access and they have to use Digipass.

Options:

Default Use the setting of the parent Policy.

Authenticate all groups Do not use the Windows Group Check feature.

Authenticate listed groups, pass others through

Use the Windows Group Check so that any Users who are not in one of the listed groups are ignored by the IAS Plug-In.

Authenticate listed groups, reject others

Use the Windows Group Check so that any Users who are not in one of the listed groups are rejected by the IAS Plug-In.

Group List This lists the names of the Windows Groups to be checked according to the Windows Group Check radio button setting. There are some important limitations of this check:

Certain built-in Active Directory groups such as Domain Users and Everyone will not be checked. The check is intended to be used with a new group created specifically for this purpose.

Nested group membership will not be detected by the check.

There is no Domain qualifier for a group. The named group must be created in each Domain where User accounts exist that need to be added to the group.

Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy, if any. There are two methods, Auto-Assignment and Self-Assignment.

Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When DUR occurs, the next available Digipass is assigned to the new Digipass User account. A Grace Period is set for the Digipass according to the Grace Period setting in the Policy.

Self-Assignment is typically used with DUR also, but if the Digipass User accounts are created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP from the Digipass and their static password. There is no Grace Period associated with Self-Assignment, because the User has to use the Digipass to perform Self-Assignment.

In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy restrictions, they will not be able to self-assign another Digipass.

Options:

Default Use the setting of the parent Policy.

Auto-Assignment Use the Auto-Assignment method.

Self-Assignment Use the Self-Assignment method.

Neither Do not use either method of automated assignment.

Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and the date they must start using their Digipass to login. Before that time they can still use a static password (unless the Local Authentication setting is Digipass Only). However, the

Digipass Plug-In for IAS Administrator Reference Field Listings

Field Name in Administration

Interfaces

Description

Serial No. Separator The character (or short sequence of characters) that will be included at the end of the Digipass Serial Number during a Self-Assignment login. It allows the IAS Plug-In to easily recognise that a Self-Assignment attempt is being made and extract the Serial Number from the credentials.

Search Upwards in Org.

Unit hierarchy

This controls the search scope for an available Digipass for Auto-Assignment or for a specific Digipass for Self-Assignment.

This setting does not affect manual assignment by an administrator.

Options:

Default Use the setting of the parent Policy.

No The search scope is only the Organizational Unit in which the User account belongs.

Yes The search will start in the User account's Organizational Unit, but if necessary it will then move upwards through the Organizational Unit hierarchy until it reaches the top. At the top, the Digipass-Pool container will be searched. See the Location of Digipass Records topic in the Product Guide for more information.

Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they will indicate the Application Names that are permitted.

Application Type The Policy can restrict which Digipass Application Type (eg. Response Only, Challenge/Response) may be used when it is effective.

Options:

Default Use the setting of the parent Policy.

No Restriction Digipass Application Type is not restricted.

Response Only Only Digipass Applications of Type RO (Response Only) may be used.

Challenge/Response Only Digipass Applications of Type CR (Challenge/Response) may be used.

Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they will indicate the Digipass Types that are permitted.

Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during logins to which the current Policy applies. Normally this setting is enabled, but it can be used to prevent PIN changes if required.

1-Step

Challenge/Response – Permitted

Controls whether 1-step Challenge/Response logins will be enabled for the current Policy and, if so, where the challenge should originate.

Note that 1-step Challenge/Response is not applicable in a RADIUS environment.

Options:

Default

No 1-step Challenge/Response may not be used.

Yes – Server Challenge

1-step Challenge/Response may be used provided that the authentication server that verifies the response generated the challenge.

Yes – Any Challenge 1-step Challenge/Response may be used with any random challenge.

1-Step

Challenge/Response – Challenge Length

Specifies the length of the challenge (excluding a check digit) which should be generated for 1-step Challenge/Response logins.

1-Step

Challenge/Response – Add Check Digit

A check digit may be added to the geneated challenge. This allows the Digipass to more quickly identify invalid Challenges.

Digipass Plug-In for IAS Administrator Reference Field Listings

The method by which a User has to request a 2-step Challenge/Response login.

This is the only mode of Challenge/Response available in a RADIUS environment.

The 'request' is made in the password field during login. The request will be ignored if the User does not have a Challenge/Response-capable Digipass assigned.

Options:

Default Use the setting of the parent Policy.

None Do not use 2-step Challenge/Response.

Keyword Use the Request Keyword. For Challenge/Response, this is

permitted to be blank.

Password Use the static password.

KeywordPassword Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.

PasswordKeyword Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

2-Step

Challenge/Response – Request Keyword

Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, if a method using a Keyword is selected in the Request Method.

For Challenge/Response, this is permitted to be blank.

Primary Virtual Digipass – Request Method

The method by which a User has to request a Primary Virtual Digipass login.

The 'request' is made in the password field during login. The request will be ignored if the User does not have a Primary Virtual Digipass assigned.

Options:

Default Use the setting of the parent Policy.

None Do not use Primary Virtual Digipass.

Keyword Use the Request Keyword. For Primary Virtual Digipass, this is not permitted to be blank.

Password Use the static password.

KeywordPassword Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.

PasswordKeyword Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

Primary Virtual Digipass – Request Keyword

Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a method using a Keyword is selected in the Request Method. For Primary Virtual Digipass, this is not permitted to be blank.

Backup Virtual Digipass – Enable Backup VDP

Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy is effective. Note that in order for the Backup Virtual Digipass feature to function, it must also be activated in the DPX file for the Digipass.

Options:

Default Use the setting of the parent Policy.

No Backup Virtual Digipass is not permitted.

Yes - Permitted

Backup Virtual Digipass is permitted, but not mandatory.

The Time Limit is not applicable when using this option, but the Max.

Uses/User limit is.

Yes – Time Limited

Backup Virtual Digipass is permitted, but not mandatory.

Both the Time Limit and the Max. Uses/User limit will be in effect.

Yes - Required

Backup Virtual Digipass is mandatory.

The Time Limit is not applicable when using this option, but the Max.

Digipass Plug-In for IAS Administrator Reference Field Listings

When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting indicates the number of days for which the Backup Virtual Digipass feature may be used by a User, once they start using it.

The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, using the Time Limit defined in the Policy. Once this date has expired, it requires administrator intervention either to extend it or to reset it to blank for the next time that the User needs to use Backup Virtual Digipass.

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.

Backup Virtual Digipass – Max. Uses/User

The maximum number of uses of the Backup Virtual Digipass feature permitted for each User, if they do not have a specific limit set for them.

If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set automatically the first time that the User requests a Backup Virtual Digipass OTP.

Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used with this Digipass, unless the administrator increases it or resets it to blank.

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.

Backup Virtual Digipass – Request Method

The method by which a User has to request a Backup Virtual Digipass login.

The 'request' is made in the password field during login. The request will be ignored if the User does not have a Digipass assigned that is activated for the Backup Virtual Digipass feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use.

Options:

Default Use the setting of the parent Policy.

None Do not use Backup Virtual Digipass.

Keyword Use the Request Keyword. For Backup Virtual Digipass, this is not permitted to be blank.

Password Use the static password.

KeywordPassword Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.

PasswordKeyword Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

Backup Virtual Digipass – Request Keyword

Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a method using a Keyword is selected in the Request Method. For Backup Virtual Digipass, this is not permitted to be blank.

Identification Time Window

Controls the maximum number of time steps' variation allowable between a Digipass and the authentication server during login. This only applies to time-based Response Only and Challenge/Response Applications.

The Dynamic Time Window option may be used to allow more variation according to the length of time since the last successful login.

If this setting is not specified at all, there is an inbuilt default value of 20.

Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and the authentication server during Digital Signature verification. This only applies to time-based Signature Applications.

If this setting is not specified at all, there is an inbuilt default value of 24.

Signature Applications are not currently used in RADIUS environments.

Digipass Plug-In for IAS Administrator Reference Field Listings

Field Name in Administration

Interfaces

Description

Initial Time Window Controls the maximum allowed time variation allowable between a Digipass and the

authentication server, the first time that the Digipass is used. The time is specified in hours.

authentication server, the first time that the Digipass is used. The time is specified in hours.

In document A dm inistrator Reference (Page 37-44)

Related documents