
aXsGUARD Identifier 3.0.2.0 Product Guide v1.5

 

DIGIPASS

| Name | Explanation |
|---|---|
| Unlock DIGIPASS | If a User incorrectly enters their DIGIPASS Client PIN into their DIGIPASS device a predetermined number of times, the DIGIPASS locks. Once locked, an administrator's help is required to unlock it. This function allows an administrator to provide the User with an Unlock Code to enter into their DIGIPASS device. |
| Reset Application Lock | If a User has attempted to log in with incorrect details too many times, the DIGIPASS Application used may be locked, depending on Policy settings. This function can be used to set the record for the DIGIPASS Application to the status of unlocked. This differs from User locking, as the User may still log in with a different DIGIPASS. |
| Test a DIGIPASS Application | Use this function to check that a DIGIPASS Application is working as expected. There is also a function to test the Backup Virtual DIGIPASS functionality. |
| Reset Activation | Use this function to reset the Event Counter, Activation time and Activation location on a DIGIPASS. This functionality will support Provisioning, which is currently under development and will be available in a future release of aXsGUARD Identifier. |
| Assign/Unassign | Use these functions to assign or unassign a selected DIGIPASS record to or from a User Account. |
| Move | Use this function to move selected DIGIPASS records to another domain or organizational unit (see section 21.4). |
| Edit | Use this function to edit settings (for example Backup Virtual DIGIPASS or Grace Period settings) for a single DIGIPASS record. |
| Delete | Use this function to delete the selected DIGIPASS record(s). |

17.3.5 Viewing DIGIPASS Runtime Information

Four types of (read only) runtime information are viewable in the Administration Web Interface:

PIN information
Virtual DIGIPASS information
Pre-programming, and
Usage information

Some examples are explained below.

PIN Supported (PIN information): indicates whether a DIGIPASS PIN is supported, Yes/No.

Virtual Token Supported (Virtual DIGIPASS information): indicates whether a Virtual DIGIPASS is supported, Yes/No.

Time Step Used (pre-programmed): this is the time step used by the DIGIPASS Application.

Last Time Shift (usage information): the Time Shift records any misalignments between the time recorded on the DIGIPASS device and the time recorded on the server, each time a User logs in. This ensures that if either clock drifts from the correct time, an allowance can be made by the aXsGUARD Identifier and the User can still log in. If the time drift exceeds the allowable time window between User logins, the DIGIPASS record needs to be reset (this allows for recalculation of the time drift).
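The Last Time Shift bookkeeping described above, as an added example that is not code from the product guide or from VASCO. It uses RFC 6238 TOTP as a stand-in for the proprietary DIGIPASS algorithm; the step size, window sizes, record fields and function names are assumptions, and the key and timestamps are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

TIME_STEP = 30      # seconds per OTP step (assumed value for "Time Step Used")
WINDOW = 2          # steps accepted either side of the expected step (assumed)
RESET_WINDOW = 20   # wider one-off window after an administrator reset (assumed)


def totp(key: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one step counter; stand-in algorithm."""
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def device_otp(key: bytes, device_time: int) -> str:
    """What the token displays, computed from its own (possibly drifted) clock."""
    return totp(key, device_time // TIME_STEP)


@dataclass
class TokenRecord:
    """Hypothetical server-side record for one token application."""
    key: bytes
    last_time_shift: int = 0    # steps, device clock minus server clock
    last_step_used: int = -1    # highest accepted step, blocks OTP replay
    needs_resync: bool = False  # set by reset(), cleared on the next success


def verify(record: TokenRecord, otp: str, server_time: int) -> bool:
    """Accept an OTP near (server step + last shift) and record the new shift."""
    server_step = server_time // TIME_STEP
    expected = server_step + record.last_time_shift
    window = RESET_WINDOW if record.needs_resync else WINDOW
    # Try the closest candidate steps first.
    for delta in sorted(range(-window, window + 1), key=abs):
        step = expected + delta
        if step <= record.last_step_used:
            continue  # already used or older: reject replays
        if hmac.compare_digest(totp(record.key, step), otp):
            record.last_time_shift = step - server_step
            record.last_step_used = step
            record.needs_resync = False
            return True
    return False


def reset(record: TokenRecord) -> None:
    """Administrator reset: forget the stored shift and allow a wide resync."""
    record.last_time_shift = 0
    record.needs_resync = True


def demo():
    """Constructed scenario: slow drift is tracked, a large jump needs a reset."""
    key = b"constructed-demo-key"
    rec = TokenRecord(key)
    t = 1_700_000_000
    results = []

    # Login 1: device clock 30 s fast (1 step), inside the window.
    results.append((verify(rec, device_otp(key, t + 30), t), rec.last_time_shift))
    # Login 2, an hour later: 90 s fast (3 steps), only 2 steps past the stored shift.
    t += 3600
    results.append((verify(rec, device_otp(key, t + 90), t), rec.last_time_shift))
    # Login 3: 300 s fast (10 steps), 7 steps past the stored shift: rejected.
    t += 3600
    otp = device_otp(key, t + 300)
    results.append((verify(rec, otp, t), rec.last_time_shift))
    # After an administrator reset the drift is recalculated and the login succeeds.
    reset(rec)
    results.append((verify(rec, otp, t), rec.last_time_shift))
    # Replaying the same OTP is refused.
    results.append((verify(rec, otp, t), rec.last_time_shift))
    return results


if __name__ == "__main__":
    for accepted, shift in demo():
        print(accepted, shift)
```
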

 

© 2009 VASCO Data Security
