manualshive.com logo in svg

Vasco Personal aXsGUARD, Product Manual

Share
Download
Vasco Personal aXsGUARD Product Manual Download Page 100

aXsGUARD Identifier 3.0.2.0 Product Guide v1.5

 

DIGIPASS

17

DIGIPASS

17.1

Overview

All  DIGIPASS  instances need to be registered in the  aXsGUARD Identifier  with relevant data for the  aXsGUARD
Identifier to support authentication requests which use One Time Passwords generated from the DIGIPASS. 

Some DIGIPASS settings are pre-programmed into the DIGIPASS devices during manufacture, some are assigned 
to DIGIPASS through policies and others can be assigned specifically to a DIGIPASS using the DIGIPASS records. 
Both policies and DIGIPASS records are configurable in the Administration Web Interface. 

The Administration Web interface supports DIGIPASS management including:

Importation of DIGIPASS records
Assignment of DIGIPASS records to User Accounts
Searching for DIGIPASS records
Various DIGIPASS actions, and viewing of runtime information

In this section, we introduce some key DIGIPASS properties, explain the DIGIPASS management possibilities, the 
DIGIPASS assignment options and finally, Backup Virtual DIGIPASS options.

We strongly recommend that you read section 

3

 first, to better understand DIGIPASS management.

17.2

DIGIPASS Properties

17.2.1

DIGIPASS Client PIN

A DIGIPASS (client) PIN is a digit-based secret, known by the User, which needs to be entered into the DIGIPASS 
device for a One Time Password (OTP) to be generated. This implies 2-factor authentication: the person logging in 
must be in possession of the DIGIPASS device (something you have) and know the DIGIPASS PIN (something you 
know) to generate an OTP.

This option requires a DIGIPASS device with a keypad for the PIN to be entered, and is therefore not possible with 
one-button  DIGIPASS  models. An alternative solution for 2-factor authentication with a one-button   DIGIPASS 
model is explained in the next section.

PIN change can be offered to users through pre-programmed PIN modification settings (see specific  DIGIPASS 
model User Guides):

An 

Initial PIN

 can be set for a DIGIPASS device. The PIN must then be sent to the User of the DIGIPASS, 

typically separate from the DIGIPASS delivery.

First Use PIN Modification

 requires PIN change from the User on first use of the DIGIPASS device.

 

©

 2009 VASCO Data Security

 

100 

Summary of Contents for Personal aXsGUARD

Page 1: ...uct Guide aXsGUARD AXSGuard ConfigurationTool 0 2009 Product Guide aXsGUARD Identifier aXsGUARD Identifier aXsGUARD Identifier DIGIPASS ConfigurationTool v1 5 0 1 3 0 2 0 aXsGUARD Identifier Product G...

Page 2: ...CIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS Intellectual Property and Copyright VASCO Products contain proprietary and confidential information VASCO Data Security In...

Page 3: ...Overview 19 2 6 2 Communication Protocols 21 2 6 3 Scenarios 22 2 7 Licensing 22 2 7 1 Overview 22 2 7 2 Commercial Licensing 22 2 7 3 DEMO Licensing 22 2 7 4 Client Component Licensing 23 2 8 Suppor...

Page 4: ...red Password Proxy 44 3 6 3 2 Password Autolearn 45 3 6 3 3 Password Replacement IIS Modules 45 3 6 3 4 Stored Static Password and RADIUS Attributes 46 3 6 4 Back end Server Records 47 3 6 4 1 Fail ov...

Page 5: ...67 6 5 Upgrade from a DEMO to Commercial License 67 6 6 Replacement of aXsGUARD Identifier 68 6 7 Change of Customer Information 68 6 8 Restoring a backup from another aXsGUARD Identifier 68 7 Updati...

Page 6: ...P Synchronization Profiles 86 14 3 Synchronization Profile IDs 87 14 4 Creating and Updating User Accounts 88 14 5 Deleting User Accounts 90 14 6 Synchronization Frequency 90 14 7 Multiple Synchroniza...

Page 7: ...ount Settings 103 16 5 DIGIPASS User Account Static Password 103 16 6 Searching for User Accounts 104 16 7 Administration Privileges 104 17 DIGIPASS 105 17 1 Overview 105 17 2 DIGIPASS Properties 105...

Page 8: ...ification 122 18 3 1 RADIUS Client 122 18 3 2 IIS Module 123 18 4 Client Component Licensing 123 19 Server Components 124 19 1 Overview 124 19 2 Automatic Server Component Creation 124 19 2 1 Registra...

Page 9: ...2 3 Custom Reports 138 22 3 1 Overview 138 22 3 2 Report Type 139 22 3 3 Data Source 139 22 3 4 Grouping Level 139 22 3 5 Query 141 22 3 6 Permissions 141 22 3 7 Formatting Templates 142 22 4 Report G...

Page 10: ...ll e Directory 54 Image 17 Data Transmission from the Syslog Utility to the Live Log Viewer and Remote Syslog 72 Image 18 Example Screen Shot Showing the Live Log Viewer 73 Image 19 Log Filter Fields...

Page 11: ...GIPASS Record for a Specific User in the Administration Web Interface 116 Image 43 Policy Inheritance 127 Image 44 Domains and Organizational Units 129 Image 45 User ID and Domain Resolution 131 Image...

Page 12: ...50 Table 5 Novell e Directory User ID Formats for Back end Authentication 52 Table 6 User Attribute Settings 55 Table 7 Default Administrative User Credentials 58 Table 8 Log Levels 74 Table 9 Log Fil...

Page 13: ...aXsGUARD Identifier 3 0 2 0 Product Guide v1 5 Introduction Section Introduction 1 aXsGUARD Identifier 2 2009 VASCO Data Security 13...

Page 14: ...MDC remote support LDAP User Synchronization and replication Chapters 16 to 22 cover each of the main functionalities managed by the Administration Web Interface including user accounts DIGIPASS insta...

Page 15: ...tication technologies products and services are based on VASCO s one and unique core authentication platform VACMAN VASCO solutions comprise combinations of the VACMAN core authentication platform IDE...

Page 16: ...upport One Time Passwords to authenticate end users to the ASP to protect access to services and resources Host Codes to authenticate the ASP to end users Electronic Signatures to protect the integrit...

Page 17: ...GUARD Identifier The aXsGUARD Identifier secures internal and remote access to network applications and remote access to applications offered on line It is a stand alone authentication solution based...

Page 18: ...authorized to log on to their system using a One Time Password OTP The DIGIPASS holder obtains an OTP from the DIGIPASS to use instead of or in addition to a static password when logging on The DIGIP...

Page 19: ...o provides the user interface These products optimize investment in smart card technology by extending smartcard use to include One Time Passwords and Electronic Signatures For more information please...

Page 20: ...Authentication currently in development to be included in a future release RADIUS Authentication IIS Authentication SEAL DIGIPASS Software Provisioning SOAP currently in development to be included in...

Page 21: ...of loading License Keys for client components For more information on registration please see section 6 2 7 2 Commercial Licensing With the purchase of a commercial license the aXsGUARD Identifier ne...

Page 22: ...with a VASCO product please follow the steps below 1 Check if your problem has been resolved in the online Knowledge Base at http www vasco com support 2 If you are unable to solve your problem with...

Page 23: ...ur organization may prefer this port not to be permanently open for the automatic connection on boot up of the aXsGUARD Identifier to the VASCO Service Center see section 13 In this case the port need...

Page 24: ...ntication Process Overview 3 1 Identifying the Component Record 3 2 Identifying a Policy 3 3 DIGIPASS User Account Lookup and Checks 3 4 Local Authentication 3 5 Back end Authentication 3 6 Authorizat...

Page 25: ...on from its data store Back end Authentication asking a RADIUS server or LDAP back end system for verification of information The exact authentication process used by the aXsGUARD Identifier varies de...

Page 26: ...le server and client records see also sections 19 and 18 on Server and Client Components respectively For more information on Policies please see section 20 For a full listing of possible Policy setti...

Page 27: ...3 The aXsGUARD Identifier searches for a Domain record with the name given after the sign If the Domain record is found name resolution continues to step 4 Otherwise Default Domain Processing proceed...

Page 28: ...hentication is required More information on the different Local Authentication settings is available in section 3 5 3 4 4 Dynamic User Registration Dynamic User Registration DUR allows DIGIPASS User a...

Page 29: ...aXsGUARD Identifier 3 0 2 0 Product Guide v1 5 User Authentication Process Image 6 Dynamic User Registration Process 2009 VASCO Data Security 29...

Page 30: ...are shown in the table below Table 1 Values for Local Authentication Setting Setting Explanation Default Local Authentication is handled as configured in settings inherited from the parent policy More...

Page 31: ...Registration is enabled see section 3 4 When a DIGIPASS User Account is found the search for DIGIPASS records may be affected by policy restrictions linked user accounts and a DIGIPASS Grace Period as...

Page 32: ...DIGIPASS User account 1 When DIGIPASS User account 1 logs in the DIGIPASS search is for that account However when DIGIPASS User account 2 logs in the DIGIPASS search is also for DIGIPASS User account...

Page 33: ...s to access the client application 2 step login this is possible with applications which support two login screens e g Citrix Web Interface and RADIUS with support for Challenge Response The User firs...

Page 34: ...le for time based Challenge Response but is less secure for non time based Challenge Response If an attacker manages to capture some valid Responses they can repeatedly request new Challenges until on...

Page 35: ...ion on Virtual DIGIPASS see also section 17 5 Using a Virtual DIGIPASS requires two login steps requesting an OTP to be sent to the User s mobile phone entering the OTP 2 step login for OTP request an...

Page 36: ...ackup Virtual DIGIPASS see section 17 2 4 have additional restrictions on use to keep the cost of text messages down These restrictions are verified by the aXsGUARD Identifier before an OTP is generat...

Page 37: ...n the static password check during an authentication attempt see section 3 5 4 1 The methods of requesting these three login processes 2 step Challenge Response Primary and Backup Virtual OTP request...

Page 38: ...lability check in step 6 If local authentication is successful the request continues to the Policy check in step 4 4 If local authentication is successful and back end authentication is not mandatory...

Page 39: ...DIGIPASS device to their DIGIPASS User account using the Self Assignment mechanism if permitted by the Policy settings The Self Assignment process is possible during Dynamic User Registration It is a...

Page 40: ...the Windows password is required e g Outlook Web Access explained below First we introduce the back end server policy settings and then explain how a static password is used during back end authentic...

Page 41: ...ocess For more information on DIGIPASS User Accounts and static password handling please see section 16 5 3 6 3 1 Stored Password Proxy When the Stored Password Proxy setting is enabled in the Policy...

Page 42: ...hich is installed on the Microsoft IIS Server for example configured with Microsoft Outlook Web Access The IIS Module supports use of the DIGIPASS OTP for access to the Outlook Web service After insta...

Page 43: ...RD Identifier for the RADIUS server After these configurations the DIGIPASS OTP authentication requests from the RADIUS client are verified by the aXsGUARD Identifier After successful authentication o...

Page 44: ...aXsGUARD Identifier It is possible to create more than one back end server record for fail over purposes You can also allocate different back end servers for different user domains 3 6 4 1 Fail over...

Page 45: ...ack end server record contains connection information for the RADIUS server including location details and the RADIUS Shared Secret It also allows a Timeout and No of Retries to be configured User ID...

Page 46: ...AA RADIUS Authentication is supported by the aXsGUARD Identifier described above RADIUS Accounting is is supported by the aXsGUARD Identifier With a RADIUS back end server Accounting requests are forw...

Page 47: ...d in the following sections Tip For instructions on how to configure LDAP back end authentication please refer to the aXsGUARD Identifier Installation Guide 3 6 6 1 Microsoft Active Directory Back end...

Page 48: ...is not included or is included but does not exist and a default domain is specified in the policy for the client the back end server for the default domain is identified If the domain is not included...

Page 49: ...mple FqDN userid Fully Qualified Distinguished Name Geraard Administration Mechelen CORP RDN userid Relative Distinguished Name Geraard FqDN userid mydomain com Geraard Administration Mechelen CORP my...

Page 50: ...sion 8 7 or higher The base DN principal name and password need to be specified in the Configuration Tool see section 4 on the administration interfaces for binding see step 2 above to search for a RD...

Page 51: ...policies can be selected from the Policies tab of the aXsGUARD Identifier Administration Web interface see section 4 on the administration interfaces The LDAP back end authentication policies are IDEN...

Page 52: ...ndicates that the attribute is for use by the IIS Modules for Basic Authentication Value The Value set for an attribute is the required value of the named attribute 3 8 Host Code Generation 3 8 1 Conc...

Page 53: ...er verifies the One Time Password for end user authentication If valid the end user is authenticated to the server The server then computes the second part of the One Time Password i e the Host Code 4...

Page 54: ...tifier 3 0 2 0 Product Guide v1 5 Administrative Interfaces Section Overview 4 1 Default Administrative Users 4 2 Configuration Tool 4 3 Administration Web Interface 4 4 Rescue Tool 4 5 2009 VASCO Dat...

Page 55: ...nagement possibilities through these interfaces are also introduced Following this overview chapter the management possibilities through the interfaces are elaborated on in more detail in the subseque...

Page 56: ...procedure requires connection to the VSC Backup and Restore the purpose and procedures for backup and restore functionality are explained in section 8 Auditing and Logging information generated from...

Page 57: ...end authentication is the process of checking User credentials with another system With the aXsGUARD Identifier this could mean an LDAP Active Directory e Directory or RADIUS server It is used for var...

Page 58: ...w system administrator accounts in addition to the two default accounts User permissions are explained in section 16 7 4 5 Rescue Tool The Rescue Tool allows Administrators to access a limited number...

Page 59: ...uration Tool Section Installation Configurations 5 Registration 6 Updating 7 Backup and Restore 8 Logging 9 Auditing 10 Statistics 11 Message Delivery Component 12 Remote Support 13 LDAP User Synchron...

Page 60: ...is involves 1 Changing a client workstation IP address to within the specified IP address range for the aXsGUARD Identifier 2 Connecting the client workstation to the aXsGUARD Identifier with a cable...

Page 61: ...ing the Configuration Wizard but additional features also need to be configured including 1 Message Delivery Component to support Virtual DIGIPASS authentication see section 12 2 Replication for synch...

Page 62: ...ice Center server handles registration updating and remote support for the aXsGUARD Identifier The infrastructure and how to access the VASCO Service Center are explained in section 2 9 The registrati...

Page 63: ...IP address has changed and that the license is no longer valid A warning message is displayed in the Configuration Tool with a link to the re registration wizard In this case registration only require...

Page 64: ...estoring a backup from another aXsGUARD Identifier Restoring a backup created by the same appliance does not require re registration as the License is stored in the backup Restoring a backup created b...

Page 65: ...Update Wizard for an on or off line update the aXsGUARD Identifier automatically reboots During reboot services are temporarily unavailable After reboot the system administrator needs to log back int...

Page 66: ...mation The backup does not include audit and logging data Audit data can be backed up however using a replication setup in which case audit data is replicated to another aXsGUARD Identifier see sectio...

Page 67: ...ackup was created successfully We explain logging in this section Logging is based on the syslog utility which supports local and remote storage and processing of logs Settings can be configured in th...

Page 68: ...f storage space Image 18 Example Screen Shot Showing the Live Log Viewer 9 4 Remote Syslog Remote syslog must be activated in the aXsGUARD Identifier Configuration tool and requires configuration of t...

Page 69: ...action required Debug Information useful to debug the application Not useful during operations 9 6 Log Filter The log filter helps system administrators to search for relevant records Messages can be...

Page 70: ...of the facility types e g kern user or mail Only logs referencing this facilty are displayed Level at least Click on the drop down menu to select one of the levels e g error or warning Only logs refer...

Page 71: ...aged through the aXsGUARD Identifier Configuration Tool see section 4 on Administration Interfaces using the live audit viewer Auditing happens in real time allowing administrators to view a limited n...

Page 72: ...y include successful authentications or successful administration commands Failure Failure messages contain details about processing events that failed This may include rejected authentications or adm...

Page 73: ...Category contains Enter a category type e g Administration or Authentication Only records with a category matching the category entered in this field are displayed Code contains Enter an error code On...

Page 74: ...usage over time This information is available in the aXsGUARD Identifier Configuration Tool see section 4 11 2 System Information Available Statistics are available on the aXsGUARD Identifier the serv...

Page 75: ...e Statistics 11 3 Statistics Filtering Filtering specific information from some of the statistics data is also possible For example the following two images demonstrate the CPU usage for the Administr...

Page 76: ...aXsGUARD Identifier 3 0 2 0 Product Guide v1 5 Statistics Image 27 CPU Time for Administration Web Interface 2009 VASCO Data Security 76...

Page 77: ...s mobile phone The MDC acts as a service accepting messages from the aXsGUARD Identifier which are then forwarded to a text message gateway via the HTTP HTTPS protocol The diagram below illustrates th...

Page 78: ...ver the required query string the query method GET or POST required by the gateway the User name and password for the gateway account optionally your preference for more user friendly system messages...

Page 79: ...re https can be achieved in one of two ways The system administrator pro actively connects the aXsGUARD Identifier to the VASCO Service Center via the configuration tool This should only be done under...

Page 80: ...istrators or VASCO experts using the aXsGUARD Identifier Configuration Tool If a VASCO expert cannot use the remote support function the system administrator needs to activate the tracing option in th...

Page 81: ...see section 15 In the following sections we explain the concepts of Synchronization Profiles Synchronization Profile IDs Creating and updating User Accounts Deleting User Accounts Synchronization fre...

Page 82: ...ervers the LDAP User password attribute cannot be mapped to an aXsGUARD Identifier User Account password due to security settings on the LDAP Server Once the appropriate settings and mappings have bee...

Page 83: ...he same Synchronization Profile ID In this case the User Account is updated without the same Synchronization Profile ID In this case synchronization behavior depends on the Synchronization Profile Upd...

Page 84: ...aXsGUARD Identifier 3 0 2 0 Product Guide v1 5 LDAP User Synchronization 2009 VASCO Data Security 84 Image 30 LDAP Synchronization to create or update an aXsGUARD Identifier User Account...

Page 85: ...om the LDAP Server the User Account on the LDAP Server has been moved from the Search Base defined in the profile the User Account on the LDAP Server has been changed and no longer matches the profile...

Page 86: ...RD Identifier through separate definitions of Synchronization Profiles as shown in the example below Example Synchronization Profiles 1 and 2 in the image below are both configured to synchronize from...

Page 87: ...LDAP User Synchronization 2009 VASCO Data Security 87 Image 31 Possible source and destination hierarchy mapping with a single Synchronization Profile Image 32 Example source and destination hierarch...

Page 88: ...rganizational unit for a Synchronization Profile is changed to within the same domain User Accounts created or updated through earlier synchronizations i e with the same Synchronization Profile ID are...

Page 89: ...e section 9 Logs relevant to the synchronization process can be filtered using the name of the program which executes LDAP User Synchronization ldap2ikeyd For further help please refer to Auditing whi...

Page 90: ...up to date with the latest data changes In this chapter we provide examples of replication configurations introduce the Replication Wizard and describe the replication process and how it is monitored...

Page 91: ...th the target becoming a replication of the source aXsGUARD Identifier Following synchronization all services are identical on both aXsGUARD Identifiers with modified data replicated in both direction...

Page 92: ...Wizard These connections need to be permitted if replicating aXsGUARD Identifiers are separated by a company firewall For more information on the exact ports used please see the aXsGUARD Identifier A...

Page 93: ...started the aXsGUARD Identifier establishes a connection to each destination aXsGUARD Identifier configured for replication It keeps this connection open until the service is stopped or the connection...

Page 94: ...stration Web Interface see first image below shows the current status of replication for an aXsGUARD Identifier and the number of entries currently in the replication queue see second image below Imag...

Page 95: ...ier 3 0 2 0 Product Guide v1 5 Web Administration Interface Section DIGIPASS User Accounts 16 DIGIPASS 17 Client Components 18 Server Components 19 Policies 20 Organization 21 Reporting 22 2009 VASCO...

Page 96: ...2 Creating User Accounts A DIGIPASS User Account can be created using the Administration Web Interface in the following ways by creating User records manually using the Administration Web Interface b...

Page 97: ...User Account automatically for the User This process is called Dynamic User Registration DUR and can be enabled via the Administration Web Interface For more information on Dynamic User Registration s...

Page 98: ...specified whether the user has a linked User Account can be specified see section 16 3 DIGIPASS records can be assigned or unassigned to a user parameters such as a user s mobile phone number for usin...

Page 99: ...Administration Privileges Only DIGIPASS User Accounts with administrative permissions can use the Administration Web Interface to configure the aXsGUARD Identifier Administrative privileges are assig...

Page 100: ...lly Backup Virtual DIGIPASS options We strongly recommend that you read section 3 first to better understand DIGIPASS management 17 2 DIGIPASS Properties 17 2 1 DIGIPASS Client PIN A DIGIPASS client P...

Page 101: ...ly permits verification of the OTP if submitted with a valid Server PIN The additional Server PIN thus provides an extra layer of security a 2 factor security solution To authenticate the holder needs...

Page 102: ...o that the User is not able to delay too long before starting to use the DIGIPASS The Grace Period can be set during manual administrative assignment of DIGIPASS records as well as during Auto Assignm...

Page 103: ...he login pages is available in the appropriate IIS client module documentation Template login pages are included in the approppriate IIS module software packages 17 3 DIGIPASS Management 17 3 1 Import...

Page 104: ...SS Record Actions supported in the Administration Web Interface Name Explanation Reset Application A DIGIPASS Application may need to be reset if the time difference between it and the server needs to...

Page 105: ...s to assign or unassign a selected DIGIPASS record to or from a User Account Move Use this function to move a selected DIGIPASS records to another domain or organizational unit see section 21 4 Edit U...

Page 106: ...been playing with it the DIGIPASS device is being used to log in to two separate systems The purpose of this setting is much the same as the Last Time Shift setting it allows the aXsGUARD Identifier...

Page 107: ...r Account The User must log in and include the serial number static password and One Time Password This informs the aXsGUARD Identifier of the assignment and provided that the User enters the details...

Page 108: ...or not SERIALNUMBERpasswordOTP where a Server PIN is not required SERIALNUMBERpasswordPINOTP where a Server PIN is required SERIALNUMBERpasswordOTPnewpinnewpin where a Server PIN is required and no i...

Page 109: ...IPASS record when a DIGIPASS User Account is created using Dynamic User Registration DUR The correct DIGIPASS device must then be delivered to the User A Grace Period is typically set which allows a n...

Page 110: ...IGIPASS record is manually assigned to a specific DIGIPASS User Account The DIGIPASS device must then be sent out to the User A Grace Period is typically set during which the User may still log in usi...

Page 111: ...for manual assignment i e the reserved DIGIPASS record cannot be self or auto assigned see image below Image 42 Reserving a DIGIPASS Record for a Specific User in the Administration Web Interface Not...

Page 112: ...rs include a Virtual DIGIPASS in either a backup or primary mode Table 14 DIGIPASS Options Primary Backup DIGIPASS None User must log in using a DIGIPASS device DIGIPASS Backup Virtual DIGIPASS User u...

Page 113: ...SS enabled must be able to request an OTP to be sent to their mobile when required but to login using the hardware DIGIPASS at other times The simplest method for the User is to allow a 2 step login p...

Page 114: ...irst used by the User If Backup Virtual DIGIPASS is enabled for a DIGIPASS record and set to Time Limited and the Enabled Until field in the DIGIPASS property sheet is blank the time limit begins when...

Page 115: ...e possible guidelines Table 15 Backup Virtual DIGIPASS Example Guidelines Guideline Pro Con Backup Virtual DIGIPASS disabled for all enabled for individual Users as required Low text message costs Man...

Page 116: ...the administration program the RADIUS client and the IIS module We strongly recommend that you read section 3 first to better understand client component use 18 2 Standard Component Properties Four p...

Page 117: ...ction 3 6 5 RADIUS Accounting is is supported by the aXsGUARD Identifier With a RADIUS back end server Accounting requests are forwarded to the back end server and handled by proxy Without back end au...

Page 118: ...aXsGUARD Identifier The Component record is checked whenever the IIS Module sends an authentication request to the aXsGUARD Identifier For an IIS Module Component the following component checks are m...

Page 119: ...record including a valid license is automatically created Whenever the IP address is changed in the Configuration Tool a new registration is mandatory and a new server component is automatically creat...

Page 120: ...are accessible for configuration and management but no services such as authentication are available The following items need to be supported in the License Key for the authentication service to be av...

Page 121: ...through the Administration Web Interface General Policy settings such as whether local authentication requires an OTP generated from a DIGIPASS device or whether a password or both is required see sec...

Page 122: ...parent Policy except those explicitly set Image 43 Policy Inheritance As the various levels of settings in Policy inheritance can get confusing functionality is available which allows you to view the...

Page 123: ...Separator Search up Organizational Unit Hierarchy Yes DIGIPASS Settings Application Names Application Type No Restriction DIGIPASS Types PIN Changed Allowed Yes 1 Step Challenge Response Enabled No C...

Page 124: ...PASS User Accounts and location of DIGIPASS records Finally we illustrate some typical DIGIPASS location models 21 2 Domains and Organizational Units Image 44 Domains and Organizational Units Domains...

Page 125: ...tem administrators exist on the Master Domain one for system operation which should never be removed and one for the aXsGUARD Identifier system administrator see section 4 4 all DIGIPASS instances are...

Page 126: ...he system administrator has added a domain mycompany com and multiple users below this domain One of these users is the DIGIPASS User Account martin Imagine the following two user IDs being provided b...

Page 127: ...e information on policy inheritance Please see the aXsGUARD Identifier Installation Guide for a listing of the default settings required 21 4 Moving DIGIPASS User Accounts and DIGIPASS A domain must b...

Page 128: ...ganizational Unit The Search Upwards in Organizational Unit hierarchy option when enabled allows the aXsGUARD Identifier to search in parent Organizational Units and the DIGIPASS Pool container This o...

Page 129: ...hes upwards through the Organizational Unit structure for an available DIGIPASS record to assign to a DIGIPASS user in the Organizational Unit B1 Because no available DIGIPASS records are found in B1...

Page 130: ...GIPASS Record Location Parent Organizational Unit In the diagram above the aXsGUARD Identifier can search in the parent Organizational Unit for available DIGIPASS records The administrator account man...

Page 131: ...l Units in which they will be assigned Administrator accounts belonging to the Organizational Units A1 and A2 have administration privileges in their own Organizational Unit only Note The Search Upwar...

Page 132: ...ation Interfaces using the live audit viewer Auditing happens in real time allowing administrators to view a limited number of recent events Auditing is explained in section 10 Reporting provides stan...

Page 133: ...reports are provided in the aXsGUARD Identifier for the most common adminstration tasks For a list of the standard reports available please refer to the the aXsGUARD Identifier Administration Referenc...

Page 134: ...ata Source possibilities are as follows Users this generates a report based on the User information from the aXsGUARD Identifier Data Store Users Audit Data this generates a report based on the User i...

Page 135: ...Identifier 3 0 2 0 Product Guide v1 5 Reporting In the example below the Grouping Level has been set to User each User has an individual row on the report Image 51 Report Grouping 2009 VASCO Data Secu...

Page 136: ...eria for example Audit Message Authentication User Name User5 22 3 6 Permissions Each report definition has an owner The owner is usually the administrator who created the report but ownership can be...

Page 137: ...an one Formatting Template The template to be used can be selected when running the report 22 4 Report Generation Process Report generation relies on a number of components An SQL query must be define...

Page 138: ...aXsGUARD Identifier 3 0 2 0 Product Guide v1 5 Rescue Tool Section Overview 23 1 Access 23 2 Options 23 3 2009 VASCO Data Security 138...

Page 139: ...port on both devices This requires configuration specific to the operating system of the workstation or laptop computer For instructions on how to connect to the Rescue Tool please refer to the aXsGUA...

Page 140: ...aXsGUARD Identifier 3 0 2 0 Product Guide v1 5 Rescue Tool reboot or shut down the aXsGUARD Identifier Image 53 Start and Network Menus with the Rescue Tool 2009 VASCO Data Security 140...

Page 141: ...Restore 59 71 Backup Virtual DIGIPASS Guidelines for Use 120 Changing Customer Information 68 Citrix Web Interface 27 122 Client Component 27 60 Client Component License 123 Client Components 121 Com...

Page 142: ...site Internet Access 67 Server Components 125 Upgrade 67 Linked User Account 34 102 Local Authentication 29 32 Logging Live Log Viewer 73 Log Filter 74 Log Levels 73 Remote Syslog 73 Manual Configura...

Page 143: ...ord 59 61 144 Reset to Factory Default 61 Scenarios 22 SEAL 21 Server Components 60 124 Shut Down 59 145 Simple Name Resolution 28 SOAP 21 22 60 121 Software Provisioning 21 Static Password 40 43 44 6...

Reviews:

No comments

Brands by name

Popular brands

Load more brands