1
DIGIPASS Authentication for Microsoft Forefront
UAGDisclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.
Copyright
Copyright © 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™™, DIGIPASS® and ® logo
are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
2
DIGIPASS Authentication for Microsoft Forefront
UAGReference guide ... 3
1 Introduction... 4
2 setup ... 4
3 Basic Identikey configuration ... 5
3.1 IDENTIKEY Server ... 6
3.1.1 Policies ... 6
3.1.2 Client ... 7
3.1.3 User ... 7
3.1.4 DIGIPASS ... 8
3.2 Test the Solution ... 10
4 Challenge/Response ... 11
4.1 Architecture ... 11
4.2 [Solution Partner] ... 12
4.3 IDENTIKEY Authentication Server ... 12
4.3.1 Policy ... 12
4.3.2 User ... 12
4.4 Test the Solution ... 13
5 FAQ ... 14
3
DIGIPASS Authentication for Microsoft Forefront
UAG4
DIGIPASS Authentication for Microsoft Forefront
UAGThis is a general document which will help to configure your device in combination with Identikey Authentication Server over RADIUS.
RADIUS is a standard authentication protocol used in most security appliances and products. The Identikey Authentication Server is installed with RADIUS protocol enabled on the standard ports:
Authentication: 1812
Accounting: 1813
This can be changed in the Identikey configuration if necessary.
2
setup
Topology
To configure the source device please consult the device documentation for RADIUS authentication
Server configuration info:
IP address of source device [IP address of source device]
Shared Secret [Shared Secret]
Authentication Port 1812
Accounting Port 1813
In order to test the Identikey Authentication Server a test user needs to be created. That user needs to be added in the Identikey Authentication Server and linked to a Digipass.
User configuration info:
5
DIGIPASS Authentication for Microsoft Forefront
UAGPublishing applications with Microsoft Forefront UAG
Step 1 Configuring the radius server in UAG
http://technet.microsoft.com/en-us/library/dd857368.aspx
Step 2 Configuring Kerberos Constraint Delegation
6
DIGIPASS Authentication for Microsoft Forefront
UAG4.1 IDENTIKEY Server
There are lots of possibilities when using IDENTIKEY Server. We can authenticate with:
Local users (Defined in IDENTIKEY Server)
Active Directory (Windows)
In this whitepaper we will use Local users to authenticate.
4.1.1
Policies
In the Policy the behavior of the authentication is defined. It gives all the answers on: I have got a user and a password, what now?
Create a new Policy
Policy ID : Test
Inherits From: Base Policy
Inherits means: The new policy will have the same behavior as the policy from which he inherits, except when otherwise specified in the new policy.
Example:
Base
Policy
New
Policy
Behaviour
1 a
New policy will do a
2 b
New policy will do b
3 c
f
New policy will do f
4 d
New policy will do d
5 e
g
New policy will do g
The new policy is created, now we are going to edit it.7
DIGIPASS Authentication for Microsoft Forefront
UAG Local Authentication : Digipass/Password
Click Save
4.1.2
Client
In the clients we specify the location from which IDENTIKEY Server will accept requests and which protocol they use.
We are going to add a new RADIUS client.
Client Type : select Radius Client from “select from list”
Location : [IP address of source device]
Policy ID : Select the Policy that was created in Policies Protocol ID: RADIUS
Shared Secret: [Shared Secret]
Confirm Shared Secret: [Shared Secret]
Click Save
4.1.3
User
8
DIGIPASS Authentication for Microsoft Forefront
UAG User ID: [Test username]
4.1.4
DIGIPASS
The purpose of using IDENTIKEY Server, is to be able to log in using One Time Passwords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. The Digipass is a device that generates the OTP’s.
Open the user by clicking on its name
Select Assigned Digipass
Click ASSIGN
9
DIGIPASS Authentication for Microsoft Forefront
UAG Grace period: 0 Days
Grace period is the period that a user can log in with his static password. The first time the user uses his DIGIPASS the grace period will expire.
Click ASSIGN
10
DIGIPASS Authentication for Microsoft Forefront
UAGThe configuration can be tested by tying to login with [Test username] and an OTP from the assigned Digipass.
11
DIGIPASS Authentication for Microsoft Forefront
UAG5 Challenge/Response
The easiest way to test challenge/response is to use (Back-Up) Virtual Digipass. Virtual Digipass is a solution where an OTP is sent to your E-mail account or mobile phone, after it was triggered in a user authentication. The trigger mechanism is configured in the policy (see later).
Virtual Digipass is a Digipass that can be ordered like a Hardware Digipass
Back-Up Virtual Digipass is a feature that must be enabled while ordering other Digipass (Hardware, Digipass for mobile, Digipass for web or Digipass for windows)
Availability of Back-Up virtual Digipass can be checked in the IDENTIKEY web administration.
Select a Digipass>Click on the first application and scroll down.
For test purposes a demo DPX file with Virtual Digipass is delivered with every IDENTIKEY Authentication Server
5.1 Architecture
1: User ID Trigger 2: Challenge 3: SMS with OTP 4: OTP received by SMS MDCThis solution makes use of an sms-gateway (for sms’s or text messages) or SMTP-server (for mail). The first step is to configure one of the servers. This is done in the Message Delivery Component (MDC) configuration. For more information see the IDENTIKEY Authentication Server manuals.
12
DIGIPASS Authentication for Microsoft Forefront
UAGhttp://www.cm.nl
http://www.callfactory.com
5.2 [Solution Partner]
[Different steps that need to be taken, to change the setup in order support challenge/Response. A combination of screenshots and short explanations]
5.3 IDENTIKEY Authentication Server
5.3.1
Policy
The configuration virtual Digipass can be used is done in the policy. Select the policy created in Policies. This should be Test.
Select Test
Go to Virtual Digipass Click Edit
Delivery Method: SMS
BVDP Mode: Yes – Permitted
Request Method: KeywordOnly
Request Keyword: IwantOTP Click Save
The request method is the trigger to send the message. The trigger can be:
Static password: in IDENTIKEY Authentication Server
Keyword: a text message
5.3.2
User
IDENTIKEY Authentication Server needs to know, where to send the mail or SMS. Therefor User should be add.
Select a user: [Test username] Click User Info
13
DIGIPASS Authentication for Microsoft Forefront
UAG Mobile: +32… (for the sms)
Email Address: [email protected] (for mail) Click save
5.4 Test the Solution
[Screenshots of the solution test] Steps 1: [ Login with username: Demo Password: IwantOTP ] Step 2:
[What is the feedback message]
Step 3:
[enter the OTP received by mail or text message]
Step 4: [logon]
