Post on 07-Mar-2018
1 DIGIPASS Authentication for Microsoft Forefront UAG
DIGIPASS Authentication for Microsoft Forefront UAG
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright © 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™, DIGIPASS® and ® logo
are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data
Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc.
and/or VASCO Data Security International GmbH own or are licensed under all title, rights and
interest in VASCO Products, updates and upgrades thereof, including copyrights, patent
rights, trade secret rights, mask work rights, database rights and all other intellectual and
industrial property rights in the U.S. and other countries. Microsoft and Windows are
trademarks or registered trademarks of Microsoft Corporation. Other names may be
trademarks of their respective owners.
Table of Contents
Reference guide  3
1 Introduction  4
2 Setup  4
3 Basic Identikey configuration  5
3.1 IDENTIKEY Server  6
3.1.1 Policies  6
3.1.2 Client  7
3.1.3 User  7
3.1.4 DIGIPASS  8
3.2 Test the Solution  10
4 Challenge/Response  11
4.1 Architecture  11
4.2 [Solution Partner]  12
4.3 IDENTIKEY Authentication Server  12
4.3.1 Policy  12
4.3.2 User  12
4.4 Test the Solution  13
5 FAQ  14
6 Appendix  14
Reference guide
ID Title Author Publisher Date ISBN
1 Introduction
This is a general document that will help you configure your device in combination with Identikey
Authentication Server over RADIUS.
RADIUS is a standard authentication protocol used in most security appliances and products. The
Identikey Authentication Server is installed with the RADIUS protocol enabled on the standard ports:
Authentication: 1812
Accounting: 1813
This can be changed in the Identikey configuration if necessary.
2 Setup
Topology
To configure the source device, please consult the device documentation for RADIUS
authentication.
Server configuration info:
IP address of source device [IP address of source device]
Shared Secret [Shared Secret]
Authentication Port 1812
Accounting Port 1813
In order to test the Identikey Authentication Server, a test user needs to be created. That user
needs to be added to the Identikey Authentication Server and linked to a Digipass.
User configuration info:
Username [Test username]
3 Partner configuration links
Publishing applications with Microsoft Forefront UAG
Step 1 Configuring the radius server in UAG
http://technet.microsoft.com/en-us/library/dd857368.aspx
Step 2 Configuring Kerberos Constraint Delegation
http://technet.microsoft.com/en-us/library/ee690462.aspx
4 Basic Identikey configuration
4.1 IDENTIKEY Server
There are several possibilities when using IDENTIKEY Server. We can authenticate with:
Local users (Defined in IDENTIKEY Server)
Active Directory (Windows)
In this whitepaper we will use Local users to authenticate.
4.1.1 Policies
The Policy defines the behavior of the authentication. It answers the question: I have got
a user and a password, what now?
Create a new Policy
Policy ID : Test
Inherits From: Base Policy
Inherits means: the new policy will have the same behavior as the policy from which it
inherits, except where the new policy specifies otherwise.
Example:
     Base Policy   New Policy   Behaviour
  1  a                          New policy will do a
  2  b                          New policy will do b
  3  c             f            New policy will do f
  4  d                          New policy will do d
  5  e             g            New policy will do g
The new policy is created, now we are going to edit it.
Click edit
Local Authentication : Digipass/Password
Click Save
4.1.2 Client
In the clients we specify the locations from which IDENTIKEY Server will accept requests and
which protocol they use. The shared secret entered here must match the one configured on the
source device, since RADIUS uses it to protect the password attribute and to authenticate replies.
We are going to add a new RADIUS client.
Client Type : select Radius Client from “select from list”
Location : [IP address of source device]
Policy ID : Select the Policy that was created in Policies
Protocol ID: RADIUS
Shared Secret: [Shared Secret]
Confirm Shared Secret: [Shared Secret]
Click Save
4.1.3 User
We are going to create a user.
User ID: [Test username]
4.1.4 DIGIPASS
The purpose of using IDENTIKEY Server is to be able to log in using One Time Passwords (OTP).
To make it possible to use OTP we need to assign a DIGIPASS to the user. The Digipass is a
device that generates the OTPs.
Open the user by clicking on its name
Select Assigned Digipass
Click ASSIGN
Click Next
Grace period: 0 Days
The grace period is the period during which a user can still log in with his static password. The first
time the user uses his DIGIPASS, the grace period expires. With 0 days there is no grace period, so
the static password alone is not accepted once the DIGIPASS has been assigned.
Click ASSIGN
Click Finish
4.2 Test the Solution
The configuration can be tested by trying to log in with [Test username] and an OTP from the
assigned Digipass.
5 Challenge/Response
The easiest way to test challenge/response is to use (Back-Up) Virtual Digipass. Virtual Digipass
is a solution where an OTP is sent to your e-mail account or mobile phone after it has been triggered
during a user authentication. The trigger mechanism is configured in the policy (see later).
Virtual Digipass is a Digipass that can be ordered like a Hardware Digipass.
Back-Up Virtual Digipass is a feature that must be enabled while ordering other
Digipass products (Hardware, Digipass for Mobile, Digipass for Web or Digipass for
Windows).
Availability of Back-Up Virtual Digipass can be checked in the IDENTIKEY web
administration.
Select a Digipass > Click on the first application and scroll down.
For test purposes, a demo DPX file with Virtual Digipass is delivered with every IDENTIKEY
Authentication Server.
5.1 Architecture
[Architecture diagram: 1: User ID + Trigger; 2: Challenge; 3: SMS with OTP; 4: OTP received by SMS; Message Delivery Component (MDC)]
This solution makes use of an SMS gateway (for SMS or text messages) or an SMTP server
(for mail). The first step is to configure one of these servers. This is done in the Message
Delivery Component (MDC) configuration. For more information see the IDENTIKEY
Authentication Server manuals.
Popular SMS-gateways:
http://www.clickatell.com
http://www.cm.nl
http://www.callfactory.com
5.2 [Solution Partner]
[Different steps that need to be taken, to change the setup in order support challenge/Response.
A combination of screenshots and short explanations]
5.3 IDENTIKEY Authentication Server
5.3.1 Policy
Whether Virtual Digipass can be used is configured in the policy.
Select the policy created in Policies. This should be Test.
Select Test
Go to Virtual Digipass
Click Edit
Delivery Method: SMS
BVDP Mode: Yes – Permitted
Request Method: KeywordOnly
Request Keyword: IwantOTP
Click Save
The request method is the trigger that causes the message to be sent. The trigger can be:
Static password: the user's static password as stored in IDENTIKEY Authentication Server
Keyword: a fixed text entered in the password field (here IwantOTP)
5.3.2 User
IDENTIKEY Authentication Server needs to know where to send the mail or SMS. Therefore the
user's contact details should be added.
Select a user: [Test username]
Click User Info
Click Edit
Mobile: +32… (for SMS)
Email Address: mail@server.com (for mail)
Click Save
5.4 Test the Solution
[Screenshots of the solution test]
Step 1:
[
Login with
username: Demo
Password: IwantOTP
]
Step 2:
[What is the feedback message]
Step 3:
[enter the OTP received by mail or text message]
Step 4:
[logon]
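As an added illustration (not VASCO's or Microsoft's code) of the keyword-triggered challenge/response exchange from sections 5.1, 5.3.1 and 5.4, the following Python simulates the RADIUS client (UAG) and an Identikey-like server over decoded attributes rather than wire packets: the User-Password is hidden with the shared secret as RFC 2865 specifies, the Request Keyword triggers an Access-Challenge, and the OTP sent by the MDC completes the logon. The shared secret, OTP values, State handling and the otp_lookup stub are constructed assumptions; the real OTP check is done by the DIGIPASS algorithm inside Identikey.

```python
import hashlib
import os
import secrets

# Constructed values: the guide leaves the shared secret and test user as placeholders.
SHARED_SECRET = b"example-shared-secret"       # placeholder, one per RADIUS client
REQUEST_KEYWORD = "IwantOTP"                   # Request Keyword from policy "Test"
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
PENDING = {}                                   # State value -> user that was challenged

def _xor_stream(data, secret, authenticator, hiding):
    # RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk), seeded with
    # the Request Authenticator; hiding chains on its output, unhiding on its input.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hiding else chunk)
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_stream(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)
def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_stream(hidden, secret, authenticator, False).rstrip(b"\x00")
def client_request(user, password, state=None):
    # What UAG sends: a fresh Request Authenticator and the hidden User-Password;
    # State is echoed back unchanged on the second request, as RFC 2865 requires.
    authenticator = os.urandom(16)
    return {"User-Name": user, "authenticator": authenticator, "State": state,
            "User-Password": hide_password(password.encode(), SHARED_SECRET, authenticator)}

def server_handle(req, otp_lookup):
    # Identikey-like side; otp_lookup(user) stubs the DIGIPASS OTP check (assumption).
    user = req["User-Name"]
    pw = unhide_password(req["User-Password"], SHARED_SECRET, req["authenticator"]).decode(errors="replace")
    if req["State"] is None:                    # step 1: User ID + trigger keyword
        if pw != REQUEST_KEYWORD:
            return {"code": ACCESS_REJECT}
        token = secrets.token_hex(8)
        PENDING[token] = user                   # steps 2/3: challenge; MDC delivers the OTP
        return {"code": ACCESS_CHALLENGE, "State": token, "Reply-Message": "Enter the OTP"}
    if PENDING.pop(req["State"], None) != user or pw != otp_lookup(user):
        return {"code": ACCESS_REJECT}          # State is single-use, so an OTP cannot be replayed
    return {"code": ACCESS_ACCEPT}              # step 4: logon

def run_flow(user, otp, otp_lookup, keyword=REQUEST_KEYWORD):
    # Full exchange from section 5.4; returns the final RADIUS code.
    first = server_handle(client_request(user, keyword), otp_lookup)
    if first["code"] != ACCESS_CHALLENGE:
        return first["code"]
    return server_handle(client_request(user, otp, first["State"]), otp_lookup)["code"]
```

A wrong shared secret on either side yields garbage after unhiding, which is why a mismatched secret shows up as rejected logons rather than a clear error.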