OneSpan Authentication Server 3.21
Professional - Exercises
We protect the world from digital fraud
Table of Contents
1 Introduction (p. 4)
2 Terminology and Abbreviations (p. 4)
3 Preparation (p. 5)
3.1 INTERNAL IP ADDRESS (p. 5)
3.2 Domain details (p. 5)
3.3 VMWARE Environment (p. 5)
3.3.1 OASPe010: Prepare Your VMware Lab Setup (p. 5)
3.3.2 OASPe015: Deploy Your Lab Setup (p. 8)
3.4 AWS Environment (p. 11)
3.4.1 Discover your AWS domain topology (p. 11)
3.4.2 IP addresses (p. 11)
3.4.3 AWS related tips and tricks (p. 12)
3.4.4 AWS related tips and tricks when working with AWS and RDP (p. 12)
3.4.5 OASPe016: Finalize Your AWS Lab Setup (p. 26)
4 Exercises (p. 29)
4.1 Built-in errors (p. 29)
4.2 OAS server address (p. 29)
4.1 OASPe020: Create a Windows Active Directory user (p. 30)
4.2 OASPe050: Demo DIGIPASS (p. 32)
4.3 OASPe060: Request a Trial License (p. 34)
4.4 OASEe100: Basic installation OAS with the embedded MariaDB data base (p. 38)
4.5 OASEe105: Advanced Installation OAS with the ODBC data store (p. 44)
4.6 OASEe103: Set the session time out of the Web Admin (p. 51)
4.7 OASPe107: Install the OAS Radius Simulator (p. 54)
4.8 OASEe109: Configure the OAS Radius Simulator (p. 55)
4.9 OASEe120: Authentication Process: Client (p. 56)
4.10 OASEe140: Authentication Process: DIGIPASS User (p. 63)
4.11 OASEe160: Authentication Process: Backend (p. 67)
4.12 OASEe200: Authentication Elements: Client: RADIUS (p. 69)
4.13 OASEe210: Authentication Elements: Client: SOAP (p. 74)
OneSpan Authentication Server - Professional - Exercises -Document - 3.21
© 2021 OneSpan. All rights reserved. Page 2 of 212
4.14 OASEe280: Authentication Elements: User: Domains and organizations (p. 80)
4.15 OASEe290: Authentication Elements: User: Domains and SOAP Auth & Sig (p. 90)
4.16 OASEe300: Authentication Elements: User: Windows Name Resolution (p. 99)
4.17 OASEe260: Authentication Elements: User: Group Check (p. 106)
4.18 OASEe220: Authentication Elements: User: Dynamic User Registration (p. 112)
4.19 OASEe240: Authentication Elements: User: PASSWORD AUTO-LEARN, PASSWORD PROXY (p. 115)
4.20 OASEe276: Authentication Elements: User: Expire Part 1 (p. 119)
4.21 OASEe265: Authentication Elements: User: RADIUS attributes (p. 126)
4.22 OASEe330: Authentication Elements: DIGIPASS: Unlock / Reset (p. 129)
4.23 OASEe270: Authentication Elements: DIGIPASS: Link Users (p. 130)
4.24 OASEe320: Authentication Elements: DIGIPASS: Authentication local with SERVER PIN (p. 134)
4.25 OASEe360: Authentication Elements: BACK-END: RADIUS Server IAS / NAP / NPS (p. 141)
4.26 OASEe362: Authentication Elements: BACK-END: Server AD (p. 149)
4.27 OASEe364: Authentication Elements: BACK-END: Server AD with SSL (p. 156)
4.28 OASEe520: Authentication Elements: DIGIPASS: OAS User Self-management Website (p. 160)
4.29 OASEe267: Authentication Elements: Virtual DIGIPASS: Backup virtual DIGIPASS (p. 173)
4.30 OASEe420: System: Restore policies with OAS Configuration Wizard (p. 180)
4.31 OASEe390: System: Monitoring (p. 181)
4.32 OASEe380: System: Reporting (p. 190)
4.33 OASEe395: Authentication Elements: User: Expire Part 2 (p. 192)
4.34 OASEe400: System: Install OAS with the Active Directory as data store (p. 194)
4.35 OASEe540: System: Relicense the IDENTIKEY server (p. 206)
4.36 OASEe560: System: Reconfigure the IDENTIKEY Web Admin and define a new IK server (p. 207)
4.37 OASEe700: OAS Authentication Appliance Basic Install (p. 208)
5 Disclaimer (p. 212)
1 Introduction
This document lists the exercises for the OneSpan Authentication Server training. Each exercise in the training presentation material has a unique number, which refers to the exercise listed below under that number.
The exercises are listed in the sequence of the training presentation, referenced to it, and grouped as they appear in the training agenda.
2 Terminology and Abbreviations
The table below lists the commonly used abbreviations in the exercise descriptions.
Abbreviation Description
ADUC Windows Active Directory Users and Computers
OADUC OAS snap-in for the ADUC
AIIA AWS INTERNAL IP ADDRESS
OAS OneSpan Authentication Server
OKSC OAS Configuration tool
RST RADIUS Simulator Tool
WebAdmin OAS Server Web Administration
3 Preparation
3.1 INTERNAL IP ADDRESS
You can do the exercises in two environments:
1. Your own VMware setup.
You will use a VMware image. This image is set up with the internal IP address 10.10.200.75.
Or
2. An AWS instance.
Each instance has a unique private IP address. In the exercises, “AIIA” refers to the instance’s unique internal IP address. For AWS details, see section 3.4 AWS Environment.
3.2 Domain details
The domain name, DC name, etc. are identical for the VMware setup and the AWS environment. The details are:
Domain name onespan.local
Computer name onespan-dc1
USERDOMAIN ONESPAN-AC
3.3 VMWARE Environment
3.3.1 OASPe010: Prepare Your VMware Lab Setup
OneSpan Authentication Server for Engineers VMware Preparation
Reference Number OASPe010
Title Prepare Your VMware Lab Setup
Est. time to complete 15 min
Type Mandatory
Purpose Prepare the virtual environment
Fast Track
In this exercise, you will prepare the VMware environment.
Pre-requisites:
1. Make sure that your PC supports the VT virtualization extensions needed to run virtual machines. You can find these settings in the BIOS/UEFI.
2. Your computer must support a 64-bit operating system.
Download the latest VMware image of the Windows Server used for the exercises from our ftp, e.g., “Windows Server 2019 Essential VMWARE - onespan-dc1.7z”.
Unpack this file into a virtual machine folder with a name like “WS2019Ess”.
The machine still carries the Windows name “vasco-dc1.vasco.local” (the VASCO naming from before the OneSpan rebranding); the Windows Server 2019 Active Directory domain controller used in the exercises is “ONESPAN-DC1”.
Verify the Virtual Network NAT settings in VMware:
Subnet IP: 10.10.200.0 Mask: 255.255.255.0
Gateway IP: 10.10.200.254
Detailed Steps
1. Verify that your PC can run virtual machines: check that the VT extensions are enabled. You can find these settings in the BIOS/UEFI.
2. Your computer must support a 64-bit operating system.
3. Download, from our ftp, the VMware image of the Windows Server used for the exercises, e.g., “Windows Server 2019 Essential.7z”.
4. Unpack the downloaded image using 7-Zip (http://www.7-zip.org/).
5. Set up the network parameters for VMware Workstation/Player.
Option 1: start the “Virtual Network Editor” for VMware Player as an administrator.
• Open Windows Explorer and go to C:\Program Files (x86)\VMware\VMware Player.
• In Windows Explorer
o open the File menu and select “Open Command Prompt”
o then select “Open Command Prompt as administrator”
• In the command prompt, start the program vmnetcfg.exe.
Option 2: If you do not have vmnetcfg.exe, download the “Virtual Network Editor” from https://github.com/buaabyl/vmnetcfg
This is a third-party, unsigned build that you will run as administrator: check the repository and the file hash before you trust it.
• If the executables from GitHub are NOT in C:\Program Files (x86)\VMware\VMware Player, copy them to the VMware directory.
• Then do the steps of Option 1 above.
In the Virtual Network Editor
• Check that the type of VMnet0 is “NAT”
• Check that the External Connection of VMnet0 is “Auto-Bridging”
• If you changed VMnet0, save the changes and reboot your machine
6. Start the “Virtual Network Editor” (for Player, use the build from https://github.com/buaabyl/vmnetcfg)
Select the network of type “NAT”
Subnet IP: 10.10.200.0 Mask: 255.255.255.0
Click “NAT Settings …” and set Gateway IP: 10.10.200.254
Click “OK”
Click “OK”
3.3.2 OASPe015: Deploy Your Lab Setup
OneSpan Authentication Server for Engineers Server Preparation on VMWARE
Reference Number OASPe015
Title Deploy Your Lab Setup
Est. time to complete 15 min
Type Mandatory
Purpose Deploy the virtual environment
Fast Track
Download the ISO image “IDENTIKEY_Authentication_Server_3.21_WIN64.iso”.
Mount the training ISO “IDENTIKEY_Authentication_Server_3.21_WIN64.iso” on the “ONESPAN-DC1” machine.
Start the “ONESPAN-DC1” VMware image and verify that the network adapter is set to NAT and connected.
Username for “ONESPAN-DC1”: administrator
Password for “ONESPAN-DC1”: Test1234
Verify/disable the IE Enhanced Security Configuration, the Windows Firewall and the Windows virus scanner (a lab setting for this isolated NAT network only; see steps 14 and 15).
Other tools used are available on IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso.
Detailed Steps
1. Download the ISO image “IDENTIKEY_Authentication_Server_3.21_WIN64.iso”.
You can download this ISO, and other materials, from ftp://IK35LAB:[email protected]. Use Windows Explorer to access the root directory. The ISO is under the OAS directory. Note that FTP sends these credentials in clear text; they are shared training credentials and must not be reused anywhere else.
2. Start “VMware Player” or “VMware Workstation”.
3. Open, but do not start, the VMware image “ONESPAN-DC1” of the VASCO training domain controller.
4. Verify that the network adapter of the VM is connected through NAT.
Click “VM – Settings” or “Player – Manage – Virtual Machine Settings”
Select the device “Network Adapter”
Select NAT
Click OK
5. Mount the training “IDENTIKEY_Authentication_Server_3.21_WIN64.iso” image
Click “VM – Settings” or “Player – Manage – Virtual Machine Settings”, select the device “CD/DVD”, select Use ISO image file, and
find the ISO image.
Click OK
6. Verify if the physical memory is set to 4 GB (if your host configuration allows this)
Click “VM – Settings” or “Player – Manage – Virtual Machine Settings”
Select the device “Memory”
Select 4 GB
Click OK
7. Click “Play virtual machine” or “Power on this virtual machine” to start the VMware image of the Windows Server.
8. Log on to the VMware image of the Windows Server.
Username: “administrator”
Password: “Test1234”
9. Supply a valid license or rearm for temporary use (10 days).
Right-click the “rearm” icon and select “Run as administrator”.
Reboot the system.
Do not activate the Windows Server again!
The commands below allow you to supply a valid license when you use the image for more than 10 days:
To supply a new key: slmgr -ipk <key>
To set the proper KMS server: slmgr -skms <server name or IP address>[:<port>]
To verify the expiry date: slmgr -xpr
To verify the activation details: slmgr -dlv
To verify the activation summary: slmgr -dli
10. Windows shortcuts
Open the Charms bar: Windows + C
Search for apps, files, or settings: Windows + Q
Return to the Start screen: Windows key
Change settings: Windows + I
11. Optional tools that you can use (we provide no guidance on installing the tools in this handout). These tools are available on IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso.
As text editor, you can use Notepad++ (https://notepad-plus-plus.org/download)
As PDF reader, you can use Foxit Reader (https://www.foxitsoftware.com/downloads/, click the free download of Foxit Reader)
12. Tools needed during the labs (we provide no guidance on installing the tools in this handout). These tools are also available on IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso.
Optional: Tail for Windows (https://sourceforge.net/projects/tailforwin32/)
snmpb (https://sourceforge.net/projects/snmpb/)
NTRadPing (http://www.novell.com/coolsolutions/tools/downloads/ntradping.zip)
13. If needed, increase the Windows page file size
Open Windows Explorer
Right-click “This PC” and select Properties
In Control Panel > System and Security > System, select “Advanced system settings”
In System Properties, on the Advanced tab, in the Performance frame, click “Settings”
In Performance Options, select the Advanced tab
In the Virtual Memory frame, click “Change”
Set the page file to a custom size: initial size 6000 MB, maximum size 9000 MB
Click “Set”
Do NOT reboot the system
14. If needed, turn the Windows Firewall OFF on your VMware host AND guest, or, preferably, open only the ports OAS needs (RADIUS and the Web Admin/SOAP port you configure). Switching the firewall off is acceptable only because the lab sits behind VMware NAT.
15. If needed, exclude all disks/drives from scanning in Windows Defender (virus scanner). Excluding only the OAS installation and trace directories is enough for the exercises and exposes less.
3.4 AWS Environment
3.4.1 Discover your AWS domain topology
The topology consists of:
• A domain "onespan.local", which has
• one domain controller "onespan-dc1" in the domain "onespan.local".
3.4.2 IP addresses
When you work in AWS, you will work on an AWS instance.
This instance has a public IP address and an internal IP address.
You gain access to your AWS machine through a Remote Desktop Connection (RDP).
Each student has their own machine and their own RDP file. SEAL mails the RDP file to you before the training starts.
IMPORTANT NOTE: your machine has a public and an internal IP address. You must know both. This is an absolute requirement for setting up OAS with, e.g., Push Notification (PN) or for obtaining a license.
3.4.3 AWS related tips and tricks
You will work on a machine set up in AWS through a remote desktop.
We have collected some bits of information, aka gold nuggets, which will make your life easier during the exercises on the AWS machine.
3.4.4 AWS related tips and tricks when working with AWS and RDP
You will work on a machine set up in AWS through a remote desktop.
We have collected some bits of information, aka gold nuggets, which will make your life easier when working with a Remote Desktop Connection to AWS.
3.4.4.1 Do a remote desktop connection to your AWS instance by its public IP address
Get the public IP address of your AWS instance
o From an RDP file in an email
▪ You may receive an RDP file by email.
▪ Save the file.
▪ The file name includes the public IP address of your machine.
▪ Or you can find it in the file itself. Open the file with a text editor.
▪ Get the IPv4 address of your AWS instance. The host name follows "full address:s:" and has the form ec2-18-197-198-137.<region>.compute.amazonaws.com; the public IP address is the dash-separated number in that name. In the example it is 18.197.198.137.
▪ Write down the public IP address of your AWS instance …………………………………………………………………………………
o By IPv4 address in an email
▪ Occasionally, you receive a public IPv4 address instead of an RDP file. Use this IP address to connect to your AWS machine. In the example it is 18.197.198.137.
▪ Write down the public IP address of your AWS instance ……………
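The step above reads the public address off the "full address" line by eye. The PowerShell function below does the same from the .rdp file itself; it is an added example for this handout, not a OneSpan tool. It assumes the two forms AWS uses in that line: a bare IPv4 address, or the EC2 public DNS name ec2-A-B-C-D.<region>.compute.amazonaws.com, which encodes the address with dashes. The sample .rdp file is constructed here from the example address used in this section; eu-central-1 is the Frankfurt region named as the default in 3.4.4.

```powershell
# Added example, not part of the OneSpan handout: extract the public IPv4 address from
# the .rdp file that was mailed to you. An .rdp file is a list of "key:type:value" lines;
# the host is in "full address:s:<host>[:port]". Both AWS forms are handled; anything else
# is reported instead of guessed.
function Get-RdpPublicIPv4 {
    param([Parameter(Mandatory)][string]$Path)

    $line = Get-Content -LiteralPath $Path |
        Where-Object { $_ -match '^full address:s:' } |
        Select-Object -First 1
    if (-not $line) { throw "no 'full address' entry in $Path" }

    # Strip the key and an optional explicit RDP port (":3389").
    $rdpHost = ($line -replace '^full address:s:', '').Trim() -replace ':\d+$', ''

    $dotted = '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$'
    $dashed = '^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[a-z0-9-]+\.compute\.amazonaws\.com$'

    if ($rdpHost -match $dotted) {
        $candidate = $rdpHost
    } elseif ($rdpHost -match $dashed) {
        $candidate = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
    } else {
        throw "host '$rdpHost' is neither an IPv4 address nor an EC2 public DNS name; resolve it by hand"
    }

    # [ipaddress] rejects octets above 255, so a mistyped address fails here instead of
    # ending up in an RDP or OAS configuration.
    return ([ipaddress]$candidate).IPAddressToString
}

# Constructed sample .rdp file, not a real mailing from the training.
$sample = Join-Path $env:TEMP 'onespan-lab-sample.rdp'
@"
screen mode id:i:2
full address:s:ec2-18-197-198-137.eu-central-1.compute.amazonaws.com
prompt for credentials:i:1
"@ | Set-Content -LiteralPath $sample -Encoding ASCII

Get-RdpPublicIPv4 -Path $sample
```

For the constructed sample the function returns 18.197.198.137, the value the handout shows; point it at the .rdp file you actually received to get your own address, and write that down in the box above.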
Connect to the AWS instance by its IPv4 address, as administrator
• Through the "Windows" key, start the "Remote Desktop Connection" program.
• Select "Show Options".
• Select the "Advanced" tab.
• In the "Connect from anywhere" pane, select "Settings …" and mark "Automatically detect RD Gateway server settings".
• In the "General" tab
o In the "Computer" field, enter your IPv4 address, e.g., 18.197.198.137.
o In the "User name" field, enter "administrator"
o Initiate the connection by clicking "Connect"
• Trust the connection and click "Connect". Windows warns you because the RDP certificate of a fresh instance is self-signed and cannot be verified; check that the name in the warning is your instance before you accept.
• Enter your password "Pastarebelswithoutaspicysauceclue$01"
IMPORTANT NOTE
When you have the Digipass Authentication for Windows Logon client installed on your laptop/desktop, we recommend that you select "More choices".
• Select "Use a different account". This forces a login that does not use your laptop's own domain account.
• Enter administrator and the password "Pastarebelswithoutaspicysauceclue$01"
• Accept the remote desktop connection startup by clicking "Yes".
TIP 1:
The login is easier when you modify the .rdp file. You can add/suffix @onespan.local to the username.
TIP 2: It is common for trainees to lock the administrator account during the first RDP login attempts. The administrator account is locked after 3 failed login attempts.
No worries: there are 4 administrator accounts on the machine. The other 3 can be used to unlock the administrator account.
username password
[email protected] Pastarebelswithoutaspicysauceclue$01
admin2 Pastarebelswithoutaspicysauceclue$01
academyadmin Pastarebelswithoutaspicysauceclue$01
bckadm Pastarebelswithoutaspicysauceclue$01
IMPORTANT NOTE: Only the administrator account has a prepared desktop. This desktop holds, e.g., the OAS software distribution. In practice, you log in successfully with, e.g., admin2, and as admin2 you unlock the administrator account. Then you continue the exercises with the administrator account.
Use long passwords for the administrator accounts
You must protect the administrator accounts on your AWS machine.
The public AWS IP addresses are probed constantly by attackers, who try default account names and passwords over RDP. The passwords printed in this handout are, by definition, not secret.
Hence, you must change the Windows passwords of the accounts in the table below. We strongly recommend strong passphrases of at least 17 characters. This protects your work and also the work of the other trainees, whose AWS instances are in the same virtual data center.
You can change the password of these users with the "Active Directory Users and Computers" tool, which you can find in the Windows Start menu.
username current password new password
[email protected] Pastarebelswithoutaspicysauceclue$01 ……………
admin2 Pastarebelswithoutaspicysauceclue$01 ……………
academyadmin Pastarebelswithoutaspicysauceclue$01 ……………
bckadm Pastarebelswithoutaspicysauceclue$01 ……………
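TIP 2 and the password change above are two GUI procedures on the same four accounts. The script below is an added example for this handout, not OneSpan code, and does both from an elevated PowerShell on the domain controller: as admin2 it unlocks whichever of the four accounts is locked out, then sets a new passphrase of at least 17 characters on each of them. It assumes the ActiveDirectory module is present on onespan-dc1 (it is on every domain controller) and that the first account in the table, printed as an obfuscated UPN, has the SamAccountName "administrator".

```powershell
# Added example, not part of the OneSpan handout: unlock the locked-out administrator
# account (TIP 2) and replace the published lab passwords of all four administrator
# accounts with passphrases of at least 17 characters. Run as admin2 (or any of the other
# three) in an elevated PowerShell on onespan-dc1.
Import-Module ActiveDirectory

$Domain   = 'onespan.local'
$Accounts = 'administrator', 'admin2', 'academyadmin', 'bckadm'   # 'administrator' is an assumption, see lead-in
$MinLen   = 17

# 1. Unlock whatever is currently locked out among the four accounts.
Search-ADAccount -LockedOut -Server $Domain |
    Where-Object { $_.SamAccountName -in $Accounts } |
    ForEach-Object {
        Unlock-ADAccount -Identity $_ -Server $Domain
        Write-Host "unlocked $($_.SamAccountName)"
    }

# 2. Rotate each password. The new value is typed as a SecureString and never written to
#    a script, a history file or this handout.
foreach ($name in $Accounts) {
    do {
        $secure = Read-Host -Prompt "New passphrase for $name (at least $MinLen characters)" -AsSecureString
        if ($secure.Length -lt $MinLen) { Write-Warning "too short, $($secure.Length) characters" }
    } until ($secure.Length -ge $MinLen)

    # -Reset sets the password without knowing the old one, which is what an admin does
    # for another account; it is also why the account doing this must not be the one locked.
    Set-ADAccountPassword -Identity $name -Server $Domain -Reset -NewPassword $secure
}

# 3. Verify: nothing is locked any more and every password was set just now.
foreach ($name in $Accounts) {
    Get-ADUser -Identity $name -Server $Domain -Properties LockedOut, PasswordLastSet |
        Select-Object SamAccountName, LockedOut, PasswordLastSet
}
```

Running the rotation from admin2 while the administrator account is locked is exactly the sequence the IMPORTANT NOTE describes; after step 3 shows LockedOut = False for all four, switch back to the administrator account for the remaining exercises.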
Write down your public and your private IP address.
• Write down
o the public IP address of your AWS instance ……………
o the private IP address of your AWS instance ……………
o the private subnet of your machine ……………
• Log off with "shutdown /L"
o Start the command prompt
o Enter the command "shutdown /L"
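The three values you are asked to write down above can be read from inside the RDP session instead of copied from the e-mail. The script below is an added example for this handout, not OneSpan code; it queries the EC2 Instance Metadata Service (IMDSv2, the token-based variant) for the public and private IPv4 address and the subnet CIDR of the instance, and cross-checks the private address against what Windows itself reports. It assumes the instance has a public IPv4 address (it does, or you could not RDP to it) and that IMDS has not been disabled on the instance.

```powershell
# Added example, not part of the OneSpan handout: read the public IPv4 address, the private
# IPv4 address and the private subnet of this AWS instance from the EC2 Instance Metadata
# Service. 169.254.169.254 is the link-local IMDS endpoint; IMDSv2 requires a session token
# obtained with a PUT, which is then presented on every GET.
$imds = 'http://169.254.169.254/latest'

function Get-Ec2LabAddresses {
    $token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" -TimeoutSec 5 `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
    $hdr = @{ 'X-aws-ec2-metadata-token' = $token }

    # The subnet is published per network interface, keyed by MAC address.
    $mac = (Invoke-RestMethod -Uri "$imds/meta-data/mac" -Headers $hdr).Trim()

    [pscustomobject]@{
        PublicIPv4  = (Invoke-RestMethod -Uri "$imds/meta-data/public-ipv4" -Headers $hdr).Trim()
        PrivateIPv4 = (Invoke-RestMethod -Uri "$imds/meta-data/local-ipv4" -Headers $hdr).Trim()
        SubnetCidr  = (Invoke-RestMethod -Uri "$imds/meta-data/network/interfaces/macs/$mac/subnet-ipv4-cidr-block" -Headers $hdr).Trim()
        Region      = (Invoke-RestMethod -Uri "$imds/meta-data/placement/region" -Headers $hdr).Trim()
    }
}

$addr = Get-Ec2LabAddresses
$addr | Format-List

# Cross-check against the addresses Windows has on its interfaces. A mismatch means you
# are looking at the wrong interface (or an extra NIC) and should sort that out before the
# private address goes into an OAS configuration as the AIIA.
$local = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
if ($local.IPAddress -notcontains $addr.PrivateIPv4) {
    Write-Warning "IMDS reports $($addr.PrivateIPv4) but Windows has $($local.IPAddress -join ', ')"
}
```

PublicIPv4 is the address in your .rdp file and the one that changes on a stop/start; PrivateIPv4 is the AIIA used throughout the exercises; SubnetCidr answers the third question above. Region should read eu-central-1 for the default Frankfurt location.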
How to access your AWS machine despite RDP port firewalling?
Many organizations strictly control access to the RDP port (TCP 3389) from their internal network.
If you cannot reach the AWS instance, try from a guest or public network; outbound RDP is generally allowed there.
Otherwise, ask your IT Services for RDP access.
How to do a <ALT><CTRL><DEL> within an RDP session?
• Enter <ALT><CTRL><END>
RDP and file transfers to your machine in AWS
• Start the Remote Desktop Connection program
• At the bottom, select "Show Options"
• Select the "Local Resources" tab
• At the bottom, under "Local devices and resources", click "More"
• In the new window, mark the local drive that you want to share.
A redirected drive is readable and writable from the AWS instance for the whole session. Prefer a dedicated drive with the training material (e.g., a USB stick) over your system drive.
Shutdown or reboot your AWS machine?
• If you are doing an exercise that requires fixed IP addresses, only reboot during that exercise.
A typical exercise that requires a fixed public IP address is a Push Notification setup.
Never shut down the AWS machine unless told to do so.
A shutdown/start assigns a new public IP address to your machine (unless an Elastic IP is attached; the private address does not change).
Can you make two RDP connections to the SAME AWS machine?
• Yes. You can do this in two ways:
o From your laptop, start a second Remote Desktop Connection and log in with another username.
o Alternatively, on the AWS machine itself, make a Remote Desktop Connection to 127.0.0.1.
There is a side effect: disconnecting the outer remote desktop session disconnects both connections.
Verify the time zone and the clock
Your trainer will tell you the location/region where your AWS instance runs. If required, adjust the time zone settings to that region; in other words, verify the time against GMT and correct it when needed. An accurate clock matters for the exercises: time-based DIGIPASS one-time passwords are only accepted within a time window around the server's clock.
The default AWS region is Frankfurt (eu-central-1).
3.4.5 OASPe016: Finalize Your AWS Lab Setup
OneSpan Authentication Server for Engineers Server Preparation on AWS
Reference Number OASPe016
Title Finalize Your AWS Lab Setup
Est. time to complete 15 min
Type Mandatory
Purpose Deploy the virtual environment
Fast Track
• Connect to your AWS instance
• All ISO images and files can be found on the Administrator’s desktop, in the Academy directory.
• Check whether you need to download the ISO image “IDENTIKEY_Authentication_Server_3.21_WIN64.iso”
• Disable the Windows Firewall (lab only; or open only the OAS ports)
• Disable the IE Enhanced Security Configuration
• Disable Windows Defender scanning (lab only)
• Optionally, install other tools, like Notepad++. They are available on IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso.
Detailed Steps
1. Access the AWS instance, a Windows Server 2019 Essentials machine.
User Name: "[email protected]"
Password: "Pastarebelswithoutaspicysauceclue$01"
If not already done, execute the following steps.
2. Open File Explorer and search the desktop’s Academy folders for IDENTIKEY_Authentication_Server_3.21_WIN64.iso. Mount the .iso as a DVD.
3. If needed, download the ISO image “IDENTIKEY_Authentication_Server_3.21_WIN64.iso” from our training server Academy. The ftp link is in Academy.
4. FYI: Windows shortcuts
Open the Charms bar: Windows + C
Search for apps, files, or settings: Windows + Q
Return to the Start screen: Windows key
Change settings: Windows + I
5. Optional tools that you can use (we provide no guidance for installing these tools in this document). The installation kits are on your instance, in the file IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso on your desktop, under the seal directory.
As text editor, you can use Notepad++ (https://notepad-plus-plus.org/download)
As PDF reader, you can use Foxit Reader (https://www.foxitsoftware.com/downloads/, click the free download of Foxit Reader)
6. Tools needed during the labs (we provide no guidance for installing these tools in this document). The installation kits are in the same IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso file.
Tail for Windows (https://sourceforge.net/projects/tailforwin32/) or Notepad++
snmpb (https://sourceforge.net/projects/snmpb/)
NTRadPing (http://www.novell.com/coolsolutions/tools/downloads/ntradping.zip)
7. Disable the IE Enhanced Security Configuration
Open “Server Manager”
Select “Local Server” in the properties section
Set “IE Enhanced Security Configuration” to “Off”
8. Turn the Windows Firewall OFF (or, preferably, open only the necessary OAS ports)
Open “Server Manager”
Select “Local Server” in the properties section
Set “Windows Firewall” to “Off”
Keep in mind that this instance has a public IP address: with the host firewall off, the AWS security group is the only filter between the Internet and the services you install. Keep that group limited to RDP from your own address and to the OAS ports the exercises need.
9. Turn off Windows Defender scanning
Start Windows Defender
In the settings menu, exclude all disk drives, which effectively disables the virus scanning. Excluding only the OAS installation and trace directories achieves the same for the exercises with less exposure.
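Steps 8 and 9 above, like step 14 and 15 of OASPe015 for the VMware lab, take the shortcut of switching protection off. The script below is the alternative both exercises mention in passing ("open the necessary OAS ports"), written out as an added example for this handout; it is not OneSpan code. It keeps the Windows Firewall on, adds inbound rules only for the lab subnet and only for the OAS ports, and limits the Defender exclusion to the OAS folders. The RADIUS ports are the IANA-registered ones; the Web Admin/SOAP port and the two folder paths are assumptions based on the installer defaults and must be checked against your own installation.

```powershell
# Added example, not part of the OneSpan handout. Instead of switching the Windows Firewall
# off (OASPe015 step 14, OASPe016 step 8) and excluding every drive from Defender
# (OASPe016 step 9), allow only the lab traffic OAS needs and exclude only its folders.
# Run in an elevated PowerShell on the OAS machine.

# Where the RADIUS clients and your browser come from. The VMware lab subnet is given in
# section 3.3; on AWS, replace it with the private subnet you wrote down in 3.4.4.
$LabSubnet = '10.10.200.0/24'

# Ports to open. 1812/1813 are the IANA RADIUS ports. 8888 for the Web Administration /
# SOAP interface is an ASSUMPTION based on the installer default; read the real value from
# the OAS Configuration Wizard after the installation and adjust here.
$OasPorts = @(
    @{ Name = 'RADIUS authentication'; Protocol = 'UDP'; Port = 1812 },
    @{ Name = 'RADIUS accounting';     Protocol = 'UDP'; Port = 1813 },
    @{ Name = 'Web Admin and SOAP';    Protocol = 'TCP'; Port = 8888 }
)

# Keep the firewall on in all profiles and add idempotent, subnet-scoped inbound rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
foreach ($p in $OasPorts) {
    $ruleName = "OAS lab - $($p.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $LabSubnet -Profile Any | Out-Null
    }
}

# Defender: exclude the OAS program and trace/log folders only. The paths are ASSUMPTIONS
# (the installer's defaults at the time of writing); use the folders you chose during setup.
$OasFolders = @(
    'C:\Program Files\VASCO\IDENTIKEY Authentication Server',
    'C:\ProgramData\VASCO\IDENTIKEY Authentication Server'
)
foreach ($folder in $OasFolders) { Add-MpPreference -ExclusionPath $folder }

# Show the result so it can be checked before moving on to the installation exercises.
Get-NetFirewallRule -DisplayName 'OAS lab - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $port.Protocol; Port = $port.LocalPort; From = $addr.RemoteAddress }
} | Format-Table -AutoSize
(Get-MpPreference).ExclusionPath
```

If a RADIUS client (e.g., the RADIUS Simulator on another host) has to reach OAS from outside the subnet, add its address to -RemoteAddress rather than widening the rule to Any. On AWS the security group should mirror these rules, with TCP 3389 restricted to the address your laptop connects from.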
4 Exercises
4.1 Built-in errors
There are errors built into the execution steps of the exercises. This is done on purpose.
We mimic the configuration effort of the OAS in an advanced topology setup. In such an effort, one typically performs some ‘trial and
error’ before defining the final setup. The critical tools during the configuration phase are the Audit Viewer and, above all, the trace file.
Another reason is that the trace file lists the full details of the processing steps executed by the OAS server during the authentication
process. Verifying these steps in the trace file brings a better understanding of the basic principles embedded in the OAS server.
4.2 OAS server address
You can do the exercises either
• on your own VMware environment; in this case, you will use the IP address 10.10.200.75, or
• on an AWS machine; in this case, the machine has its own internal IP address, which we refer to as the AIIA (AWS INTERNAL IP
ADDRESS).
In the exercises, we refer to the OAS server address as
• 10.10.200.75 for the VMware environment
• AIIA (AWS INTERNAL IP ADDRESS) for the AWS instance
4.1 OASPe020: Create a Windows Active Directory user
OneSpan Authentication Server for Engineers Server Preparation
Reference Number OASPe020
Title Create a Windows Active Directory user
Est. time to complete 10 min
Type Optional – for reference
Purpose Create a user in the Window's active directory
Fast Track
If you know how to create a Windows user, then skip this exercise
• Open “Active Directory Users and Computers”
• Create a user in the Windows Active Directory
• Username “U_OASPe020” or any other username that is needed during the exercise
• Password “Test1234”
• Deselect “User must change password at next login”
• Select “User cannot change password” and “Password never expires”
Detailed Steps
If you know how to create a Windows user, then skip this exercise
1. Open “Active Directory Users and Computers”
a. Press Windows +Q
b. Search for programs and files for “Users” and start “Active Directory Users and Computers” or “dsa.msc”
2. Create a user in the Windows Active Directory
a. Expand the tree from the domain “onespan.local”
b. Right click the “Users” group
c. Select “New” / “User”
d. Complete the form and click Next
• First name: “U_OASPe020”
• User logon name: “U_OASPe020”
e. Complete the form and click Next
• Password: “Test1234”
• Deselect “User must change password at next login”
• Deselect “User cannot change password”
• Select “Password never expires”
f. Click Finish
4.2 OASPe050: Demo DIGIPASS
OAS for Engineers Server Preparation
Reference Number OASPe050
Title Demo DIGIPASS
Est. time to complete 10 min
Type Mandatory
Purpose Generate a one-time password with a Demo DIGIPASS
Fast Track
Generate a one-time password with a Demo DIGIPASS
• You can use a hardware DIGIPASS with the LABEL demo at the back
• You can use an emulated token at
▪ https://gs.onespan.cloud/te-demotokens/go3
▪ https://gs.onespan.cloud/te-demotokens/go6
Detailed Steps
A Demo DIGIPASS is a DIGIPASS that has a non-unique secret. In other words, all demo DIGIPASS share the same secret. Therefore, all
hardware DEMO DIGIPASS carry the label “demo”. They do not have a serial number. All DEMO DIGIPASS have the same
parameters. Hence, they should generate the same OTP, which makes them practical for testing.
A DEMO DIGIPASS always comes with DEMO DPX files. These DEMO DPX files do have serial numbers, which makes it possible to use the
DIGIPASS for multiple cases in the same environment. When used in a live environment, you must keep track of these DEMO DIGIPASS
serial numbers, as they cannot be used for production users.
1. Generate a one-time password with a Demo DIGIPASS
a. You can use a hardware DIGIPASS with the LABEL demo at the back
b. You can use an emulated token at
▪ https://gs.onespan.cloud/te-demotokens/go3 or
▪ https://gs.onespan.cloud/te-demotokens/go6
For generating OTPs:
c. A DEMO DIGIPASS Go3, Go6, Go7, or DP300 all hold the same parameters (for the RO codeword 00005200)
d. A DEMO DIGIPASS 270 has different parameters (for the RO codeword 0080C802)
DEMO DIGIPASS from the Go series have their server PIN set to “1234”
4.3 OASPe060: Request a Trial License
OAS for Engineers Server Preparation
Reference Number OASPe060
Title Request a Trial License
Est. time to complete 10 min
Type Mandatory
Purpose Request a trial license for the IDENTIKEY Authentication Server 3.21 and options
Fast Track
Generate a temporary license for the IDENTIKEY Authentication Server 3.21
• On the website https://cp.vasco.com, go to “Get an evaluation license”
• Fill in all the fields including a valid e-mail address
• Look for the e-mail and follow the guidelines
• Locate the correct version of temporary license and download the license.
• Proceed with the installation or configuration
Detailed Steps
You have two options for obtaining a trial license from the product maintenance and registration site
• Option 1: before the installation
OR
• Option 2: during the installation
OPTION 1 – Before
On the VASCO license registration website, browse to "https://cp.onespan.com/contracts/sign_in".
• Select "Get an evaluation license" at the bottom of the window
• Fill in all the fields, add a working, valid e-mail address, and click Register. You will receive a new e-mail at
the supplied address. This e-mail has a link to the download page of the evaluation license.
• OPTION 1:
• Click on the link (e.g., "clicking here") provided in the received e-mail.
• A new browser window opens the link (do not paste this here as such, it will not work!)
• OPTION 2:
• You can copy the hyperlink hidden under the word "here".
• Open a browser of your choice
• And browse to the hyperlink which you just copied
• The link looks like "https://cp.onespan.com/evaluation_license_contacts/confirmation?confirmation_token=[custom code]"
• Browse to this "here" link.
• Select to open IDENTIKEY Product Family by clicking on the " " key.
• Click "Continue" button.
• Select "IDENTIKEY Authentication Server" to open this up
• Click "Continue"
• Click on "IDENTIKEY Authentication Server"
• Click "Continue"
• For the "Evaluation license details"
• Fill in the "IP address" 10.10.200.75/AWS INTERNAL IP ADDRESS
• The description is optional and not needed.
• REMARK: the IP address you provide here is the address the license is bound to. It can be a different address!
• Select to "I Accept the End User License agreement"
• Click on the "Create" button
• Click to "Download the license file".
• Save this license file to your local system.
• Click "I’m done" to finish the license process.
• Do not remove the license file. You will reuse it during the two different OAS installations during the next labs.
When it is not available on the virtual machine, you can copy or drag this file from the host machine to the virtual machine.
OPTION 2 - When the "IDENTIKEY Server Configuration Wizard" requests a license, follow these guidelines.
The following guidelines depend on the "IDENTIKEY Server Configuration Wizard"
• When you see: Select "Request a license Key", click on the link/button
• When you receive the message to enable the "SmartScreen filter", enable the recommended settings.
• If the OneSpan Registration Website does not load, you can request the license file from the host machine using:
"Copy URL to clipboard" https://cp.vasco.com and pasting the link in the browser of the host machine.
• Follow the steps described in "OPTION 1- Before" above
Proceed with the labs.
4.4 OASEe100: Basic installation OAS with the embedded MariaDB data base
OneSpan Authentication server Basic Install
Reference Number OASEe100
Title Basic installation OAS with the embedded MariaDB data base
Est. time to complete 20 min
Type Optional
Purpose Perform a basic installation on a Windows Server
Fast Track
• Run the IDENTIKEY Authentication Server 3.21 media
• Install the IDENTIKEY Authentication Server 3.21 as “Basic Installation”
• Run the “OneSpan Authentication server Setup” (The first Administrator: “iasadmin”, “Test1234”)
Detailed Steps
1. Run the IDENTIKEY Authentication Server 3.21 media.
a. Login on your exercise machine "ONESPAN-DC1" (Use administrator or see lab OASPe010 for credentials).
b. Open the Windows "File Explorer" found on the "Task Bar"
c. Go to your desktop
d. Go to the academy folder
e. Go to kits
f. Unzip IDENTIKEY_Authentication_Server_3.21_WIN64.zip
g. Go to your unzip directory e.g., IDENTIKEY_Authentication_Server_3.21_WIN64
h. Next, start autorun.exe.
2. Install the IDENTIKEY Server
a. Select "Install IDENTIKEY IDENTIKEY Authentication Server 3.21"
b. At the "IDENTIKEY Authentication Server 3.21 Setup", click on "Next" button
i. At the "Installation type", select the "Basic Installation", click on "Next" button
j. Read and Agree to the "End-User License Agreement" and click "Next"
k. Read and Agree to the "Oracle BCL License Agreement" and click "Next"
l. Confirm the Installation path (default to C:\Program Files\VASCO), click "Next"
m. At "Installation Progress",
a. Visually inspect which optional modules can be installed automatically, e.g. can Net-SNMP be installed optionally?
b. Confirm, by clicking on the "Install" button
3. At "Do you want to enable encryption for the embedded database store and database connections (GDPR compliance)?"
a. select "NO".
Note: If you must be GDPR compliant in your production environment, then install the database with the encryption mode on.
Select "Yes" to do so.
4. Wait while the installer is installing the different components.
5. Continue with the "IDENTIKEY Authentication Server Configuration Wizard"
b. On the "Start" screen, click "Next"
c. Confirm the "IP address" as 10.10.200.75/AWS INTERNAL IP ADDRESS, click "Next"
d. At "License", either
• Select "Request a license Key" → see OASPe060 on page 34, to create evaluation license when not already done.
OR
• Immediately go to the License page. See OASPe060 on page 34
• To load the license key, click on "…", select the license file and click "Next"
e. The "Server Functionality" step
• Leave all the pre-selected IDENTIKEY functionality as is
but unmark the EMV-CAP functionality.
• Click "Next"
f. The "First Administrator" step
• User ID: "iasadmin"
• Password: "Test1234"
• Confirm Password: "Test1234"
• Click "Next"
g. The "SSL Certificate" step
• Private Key Password: "Test1234Test1234"
• Confirm Password: "Test1234Test1234"
• Click "Next"
h. The "RADIUS topology" step
• Select the option "IDENTIKEY Authentication Server as standalone RADIUS server"
• Click "Next"
i. The "Radius Client" step
• Location: "10.10.200.75/AWS INTERNAL IP ADDRESS"
• "Shared secret": "Test1234"
• "Confirm shared Secret": "Test1234"
• Click "Next"
j. The "Confirmation" step
• Confirm the chosen configuration by clicking on "Next".
• Read the summary list of your chosen configuration options and click "Yes".
• It will take some time for your system to complete your configuration settings.
k. The "Summary" step
• Click on the "Finish" Button
l. The IAS Web Administration installs automatically.
When finished, click "Next"
6. Continue with the "IDENTIKEY Authentication Server 3.21 Setup" at "Installation Progress"
a. Click "Next"
b. The "Import DPX" File’s step
• Load the file "Demo_DP300.dpx" from the installation directory "C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx"
• Enter the Transport key: "11111111111111111111111111111111"
Alternatively, just press "1" until the end of the field is reached
• For the "UserID" enter "iasadmin"
• For the "Password" enter "Test1234"
• Check the server IP
• Click on the button "IMPORT"
• Press "Enter" to terminate the import job if the import was successful
• Click on "Next"
c. At "Installation Completed", click "Finish"
7. Verify if the installation was successful. To do this just start the "OAS Audit Viewer"
d. Press Windows +Q
e. Search for programs and files for "Audit" and start "OAS Audit Viewer" or "dpauditviewer.exe"
f. Navigate in the tree to "ODBC Database"
g. Click on the + before the "ODBC Database"
h. Double click on the "IDENTIKEY Database..."
i. In the right-hand pane "IDENTIKEY Database… " mark the "Auto Scroll Down" option to view the last audit records automatically
4.5 OASEe105: Advanced Installation OAS with the ODBC data store
OneSpan Authentication server Advanced Install
Reference Number OASEe105
Title Advanced Installation OAS with the ODBC data store
Est. time to complete 30 min
Type Mandatory
Purpose Perform an advanced installation on a Windows Server
Fast Track
In this exercise, you will perform an advanced OAS server installation. During the installation, the OAS must
be configured to use MariaDB as its database. The policy is set to Local/DIGIPASS. Then we will try an
authentication with an OTP.
If you already have completed exercise “OASEe100: Basic installation OAS with the embedded MariaDB data
base”, then you must revert to a clean OS. To do so, shutdown the virtual machine, revert to snapshot
and execute the steps from exercise “OASPe015: Deploy Your Lab Setup”.
This also applies if you are working on an AWS machine. You must use a new machine to do this installation.
• Run the IDENTIKEY Authentication Server 3.21 media
• Install the IDENTIKEY Authentication Server 3.21 as “Advanced Installation” with ODBC
Database and GDPR enabled
• Generate a temporary license as described in OASPe060
• Add a new Database Role (Role name: “ias_dbadmin”, Password: “Test1234”) to change the
default Database Administrator
• Run the “OAS Configuration Wizard” (The first Administrator: “iasadmin”, “Test1234”)
Detailed Steps
1. If you have completed exercise “OASEe100: Basic installation OAS with the embedded MariaDB data base”, then
a. For a VMWARE image
• shutdown the machine,
• revert to snapshot and
• execute the steps from exercise “OASPe015: Deploy Your Lab Setup”
b. For an AWS instance,
• Ask your trainer or
[email protected] for your new AWS machine/instance.
• You will receive a new RDP file to connect to the new machine/instance
• execute the steps from exercise “OASPe016: Finalize Your AWS Lab Setup”
2. Run the IDENTIKEY Authentication Server 3.21 media
a. Login on the machine “ONESPAN-DC1” (See lab OASPe010 for credentials).
b. Open the Windows “File Explorer” located on the “Task Bar”
c. Click “Computer” in the navigation bar
d. Right click the DVD drive holding the OneSpan Authentication server Installation Disk
e. select “Install or run program from your media”
or
start autorun
3. Install the OAS
a. In the window “Welcome to the OneSpan Authentication server Installation”, select “Install IDENTIKEY Authentication Server
3.21”
b. At the “IDENTIKEY Authentication Server 3.21 Server Setup”, click on “Next”
c. At the “Installation type”, select the “Advanced Installation”, click next
d. At the “Data Storage”, select the “ODBC Database”, click next
e. Start the installation of the OAS itself.
• At “Select Components”, click the “IDENTIKEY Authentication Server 3.21” button
• A new window opens
4. This is the “OneSpan Authentication server v3.15.x” Setup Wizard
a. On the “Welcome to the …” screen click “Next”
b. At the “End-User License Agreement”,
• Read the terms
• Mark “I accept the terms in this license Agreement”, to agree
• click “Next”
c. On the “Custom Setup” screen click “Next”
d. At “Ready to Install OAS Authentication …”, start the installation by clicking on the “Install” button
e. When the setup wizard completes, click on “Finish”
5. You are still in the “Select Components” of the “OneSpan Authentication server Setup” and will install the next components
a. Click the “Net SNMP …” button (needed for system monitoring only)
b. Click the “Embedded MariaDB …” button
c. At “Do you want to enable encryption for the embedded database store and database connections (GDPR compliance)?”
Select “Yes”
Do NOT click the “Run Configuration Wizard” button yet.
You must first create a new database administrator account. The OAS uses this account to access MariaDB.
6. Create a new database administrator account “ias_dbadmin” with the required privileges and access rights.
a. Open a Windows command prompt and execute the following commands
REM open the database with the pre-defined root account
REM do this with mysql.exe from the directory C:\Program Files\VASCO\MariaDB\bin
REM
mysql.exe -u root -pdigipassword "identikey server" --ssl=TRUE
#
# Comments follow below
# These statements are provided as is, in YOYO mode and do NOT imply any support
#
# list all users in the database, searching for a template setup
SELECT user,host,password FROM mysql.user;
#
#
# List all the access rights and privileges of the default and pre-defined “digipass” user, searching for template
SHOW GRANTS FOR 'digipass'@'localhost' ;
SHOW GRANTS FOR 'digipass'@'::1' ;
SHOW GRANTS FOR 'digipass'@'127.0.0.1' ;
#
#
# create the new ias_dbadmin account for each network location
CREATE USER 'ias_dbadmin'@'localhost' IDENTIFIED BY 'Test1234' ;
CREATE USER 'ias_dbadmin'@'127.0.0.1' IDENTIFIED BY 'Test1234' ;
CREATE USER 'ias_dbadmin'@'::1' IDENTIFIED BY 'Test1234' ;
#
#
# list the users
SELECT user,host,password FROM mysql.user;
#
#
# grant the access rights AND the privileges to the ias_dbadmin accounts
GRANT USAGE ON *.* TO 'ias_dbadmin'@'localhost' IDENTIFIED BY 'Test1234' REQUIRE SSL ;
GRANT ALL PRIVILEGES ON `identikey server`.* TO 'ias_dbadmin'@'localhost' ;
#
GRANT USAGE ON *.* TO 'ias_dbadmin'@'127.0.0.1' IDENTIFIED BY 'Test1234' REQUIRE SSL ;
GRANT ALL PRIVILEGES ON `identikey server`.* TO 'ias_dbadmin'@'127.0.0.1' ;
#
GRANT USAGE ON *.* TO 'ias_dbadmin'@'::1' IDENTIFIED BY 'Test1234' REQUIRE SSL ;
GRANT ALL PRIVILEGES ON `identikey server`.* TO 'ias_dbadmin'@'::1' ;
#
# verify for a job well done
# show the 'grants' and implicitly the ias_dbadmin users
SHOW GRANTS FOR 'ias_dbadmin'@'localhost' ;
SHOW GRANTS FOR 'ias_dbadmin'@'127.0.0.1' ;
SHOW GRANTS FOR 'ias_dbadmin'@'::1' ;
#
# leave now
EXIT;
7. Test the new account
REM ==========
REM Verify if the ias_dbadmin account can connect to the database
REM ==========
mysql -u ias_dbadmin -pTest1234 "identikey server" --ssl=TRUE
USE `identikey server` ;
# Database changed
show tables;
# Empty set (0.00 sec)
# this is normal there is nothing in the DB yet.
If you cannot connect to the database with this ias_dbadmin account, then you have missed something in the setup
of the role.
You MUST get this role working BEFORE continuing the IDENTIKEY installation
8. Only inspect the ODBC connector settings. Do NOT change anything!
a. Press Windows +Q
b. Search for programs and files for “odbc” and start “ODBC Data Sources (64-bit)” or “odbcad32.exe”
c. Select the “System DSN” tab.
The “Identikey Server” DSN is only used for getting the settings to connect to the database.
It is not used for authenticating to the database. The DSN does not have a username or a password in its definition.
Changes are only needed when the database is on a different server.
9. Continue with the “OAS Configuration Wizard”
a. Click the “Run Configuration Wizard” button on the OneSpan Authentication server Setup screen
b. On the “welcome” / start screen click “Next”
c. Confirm the “IP address” by clicking “Next”
d. Load the license
• Select “Request a license Key” → see exercise OASPe060 on page 34, to create an evaluation license
• Load the license key and click “Next”
e. The “Server Functionality” step
• Select all OAS functionality, except the EMV-CAP functionality
• Click “Next”
f. The “Database” step
• DSN: “IDENTIKEY Server”
• User ID: “ias_dbadmin”
• Password: “Test1234”
• Click “Next”
g. The “User ID/Domain Conversion” step
• Case Conversion: “Convert to lower case”
• Click “Next”
h. The “Master Domain” step
• Master domain name: “master”
• Click “Next”
i. The “First Administrator” step
• User ID: “iasadmin”
• Password & Confirm Password: “Test1234”
• Click “Next”
j. The “Sensitive Data Encryption” step
• Select “Standard with embedded key”
• Click “Next”
k. The “Secure Auditing” step
• Select “Do Not Use Secure Auditing”
• Click “Next”
l. The “SOAP SSL Certificate” step
• Select “Generate and install a new test certificate (self-signed)”
• Select “Next”
• Private Key Password: “Test1234Test1234”
• Confirm Password: “Test1234Test1234”
• Click “Next”
m. The “SEAL SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• “Select Certificate”, choose “SOAP Communicator”
• Click “Next”
n. The “RADIUS SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• Select “SEAL Communicator”
• Click “Next”
o. The “MDC SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• Select “RADIUS Communicator”
• Click “Next”
p. The “Live Audit SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• Select “MDC Server”
• Click “Next”
q. The “SNMPv3 User” step
• Security Name: “ias_snmpadmin”
• Authentication Type: “MD5”
• Authentication Secret: “Test1234”
• Privacy Type: “AES”
• Privacy Secret: “Test1234”
• Click “Next”
r. The “Automatic Server Discovery support” step
• Select “No DNS Service Registration”
• Click “Next”
s. The “Create Web Administration Program …” step
• Select “Local”
• Click “Next”
t. The “Sample SDK Web Client” step
• Click “Next”
u. The “Confirmation” step
• Click “Next”. You may have to wait while the wizard executes the configuration steps.
• If a warning message about “Windows Firewall Settings” is displayed, click “Yes”.
v. The “Summary” step
• Click “Finish”
10. Continue with the “OneSpan Authentication server Setup”
a. Install the OAS WebAdmin
• Click on “OAS Web Administration 3.15”
• A new wizard is launched “Welcome to the InstallShield wizard for OAS Web .”
• Click “Next”
• Read and accept the license agreements
• Click “Next”
• Click “Install” and the installation starts
• Click “Finish” to close this wizard
11. Continue with the “OneSpan Authentication server Setup”
a. Click “Next”
b. Click “Finish”
4.6 OASEe103: Set the session time out of the Web Admin
OneSpan Authentication server Install
Reference Number OASEe103
Title Set the session time out of the Web Admin
Est. time to complete 5 min
Type Mandatory
Purpose Learn how the WebAdmin session lifetime can be increased
Fast Track
• Modify the OneSpan Authentication server Configuration Idle Timeout to 3600 seconds
• Modify the Apache configuration file session timeout to 60 minutes
• Restart the tomcat service
Detailed Steps
1. Modify the OneSpan Authentication server Configuration Idle Timeout to 3600 seconds
a. Press Windows +Q
b. Search for programs and files for “web” and
start “OAS Web Administration” or https://localhost:8443 or https://onespan-dc1.onespan.local:8443.
Note: when port 8443 is blocked, the installation program uses the port 9443 instead of 8443. Then you must use
https://localhost:9443
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Hover over the “SERVERS” tab and click the “Session Management” menu item
e. In the “Settings” tab, Click the “Edit” Button
f. Enter "3600" in the field “Idle Timeout (seconds)”
g. Click on the “Save” button
How many Administrators can connect at the same time?
2. Modify the Apache configuration file session timeout to 60 minutes
a. Open the Windows “File Explorer” located on the “Task Bar”
b. Navigate to “C:\Program Files\VASCO\OAS Web Administration\tomcat\webapps\ROOT\WEB-INF”
c. Right Click the file “web.xml” and select “Edit”
d. Change the session timeout from 20 to 60 minutes.
• Look for <session-timeout>
<session-config>
<session-timeout>20</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
• Change 20 to 60
<session-config>
<session-timeout>60</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
e. Save the file and
3. Restart the Tomcat Service
a. Press Windows +Q
b. Search for programs and files for “tomcat”
c. Start “Apache Tomcat for OAS Web Administration”
d. Click the “Stop” button
e. Click the “Start” button
f. Click “OK”
Remark: if you reload the ROOT.war file (the WebAdmin site definition), the changes to the web.xml file are lost.
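The web.xml edit from step 2 can also be checked and applied with a script, which is handy when you want to verify the value after a ROOT.war redeploy. The Python script below is an added example and is not part of the OneSpan exercises or product. The sample web.xml inside it is constructed from the snippet above, with the default javaee namespace that a real Tomcat web.xml carries; the file path in the comment is the one named in step 2.b.

```python
"""Inspect and update <session-timeout> in a Tomcat web.xml (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample modelled on the snippet in the exercise; the real file is
# C:\Program Files\VASCO\OAS Web Administration\tomcat\webapps\ROOT\WEB-INF\web.xml
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>20</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""


def _local_name(tag: str) -> str:
    """Strip a '{namespace}' prefix; Tomcat's web.xml uses a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag: str) -> str:
    """Return the namespace URI of an element tag, or '' when it has none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _find_timeout(root: ET.Element) -> Optional[ET.Element]:
    for element in root.iter():
        if _local_name(element.tag) == "session-timeout":
            return element
    return None


def get_session_timeout(xml_text: str) -> Optional[int]:
    """Return the configured timeout in minutes, or None when web.xml has none."""
    element = _find_timeout(ET.fromstring(xml_text))
    if element is None or element.text is None:
        return None
    return int(element.text.strip())


def set_session_timeout(xml_text: str, minutes: int) -> str:
    """Return web.xml text with <session-timeout> set to `minutes` (a positive integer)."""
    if not isinstance(minutes, int) or minutes <= 0:
        raise ValueError("session-timeout must be a positive number of minutes")
    root = ET.fromstring(xml_text)
    element = _find_timeout(root)
    if element is None:
        raise ValueError("no <session-timeout> element in web.xml")
    element.text = str(minutes)
    # Keep the default namespace unprefixed so the file is written back the way Tomcat expects it.
    namespace = _namespace(root.tag)
    if namespace:
        ET.register_namespace("", namespace)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    print("before:", get_session_timeout(SAMPLE_WEB_XML), "minutes")
    print("after: ", get_session_timeout(set_session_timeout(SAMPLE_WEB_XML, 60)), "minutes")
```

To apply it to the real file, read it with open(path, encoding="utf-8"), pass the text to set_session_timeout(text, 60) and write the result back, then restart Tomcat as in step 3. The 60 minutes match the 3600-second Idle Timeout set in step 1.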
4.7 OASPe107: Install the OAS Radius Simulator
OneSpan Authentication server Install
Reference Number OASPe107
Title Install the OAS Radius Simulator Tool
Est. time to complete 5 min
Type Mandatory
Purpose Install the radius simulator for client testing
Fast Track
• Open the DVD Drive holding the OneSpan Authentication server Installation Disk
• Open the folder “...:\Software\Windows\Utilities\RADIUS Client Simulator”
• Install the “radius-simulator_....msi”
Detailed Steps
1. Open the DVD Drive holding the OneSpan Authentication server Installation Disk
a. Open the Windows “File Explorer” located on the “Task Bar”
b. Click “Computer” in the navigation bar
c. Right click the DVD drive holding the OneSpan Authentication server Installation Disk and select “Open”
2. Open the folder “...:\Software\Windows\Utilities\RADIUS Client Simulator”
a. Double click “Software”
b. Double click “Windows”
c. Double click “Utilities”
d. Double click “Radius Simulator”
3. Install the “radius-simulator_....msi”
a. Double click “radius-simulator_....msi”
b. Click “Next”
c. Check “I accept the terms in the License Agreement”
d. Click “Next”
e. Click “Next”
f. Click “Install”
g. Click “Finish” to end the installation.
4.8 OASEe109: Configure the OAS Radius Simulator
OneSpan Authentication server Install
Reference Number OASEe109
Title Configure the OAS Radius Simulator
Est. time to complete 5 min
Type Mandatory
Purpose Configure the radius simulator for client testing
Fast Track
Open the VASCO Radius Simulator
• Server IP: “10.10.200.75” / AWS Internal IP Address
• Shared Secret: “Test1234”
• Enable “Return Framed IP Address”
Detailed Steps
1. Open the VASCO Radius Simulator
a. Press Windows +Q
b. Search for programs and files for "Radius" and start "RADIUS Client Simulator" or "vradsim.exe"
2. Or open the folder "...:C:\Program Files (x86)\Vasco\RADIUS Client Simulator\bin"
a. Complete the form and click next
• Server IP: "10.10.200.75 / AWS INTERNAL IP ADDRESS"
• Shared Secret: "Test1234"
• Enable "Return Framed IP Address"
• Disable "Enable RADIUS Accounting".
If you do not disable this, you will get errors in the OAS even when the authentication is
successful. This is the case when Windows back-end authentication is enabled.
b. Click "Save"
4.9 OASEe120: Authentication Process: Client
OneSpan Authentication server Components
Reference Number OASEe120
Title Authentication Process: Client
Est. time to complete 15 min
Type Mandatory
Purpose Prove that a client record is needed for a successful authentication
Fast Track
Enable full tracing and view the IAS trace log
Start the IDENTIKEY Audit Viewer to view the live audit
Delete all RADIUS client records
Create the user "OASEe120" with password "Test1234"
Authenticate with the user "OASEe120" using the RADIUS Simulator Tool (RST) (This should fail)
Set up a policy named "pOASEe120" that inherits from "IDENTIKEY Local Authentication with Auto-Unlock"
Register/Create a RADIUS client
Authenticate with the user "OASEe120" using the RADIUS Simulator Tool (This should work)
Detailed Steps
1. Verify and enable full tracing on the OAS
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or https://localhost:8443 or
https://vasco-dc1.vasco.local:8443. During the installation of the WebAdmin, port 9443 may have been set up instead of 8443.
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Hover over the “SYSTEM” tab and click the “Server Configuration” menu item
e. In the “General” tab, click the “Edit” Button
f. In the field “Level”, select “Full”
g. Click on the “Save” button
2. View the IDENTIKEY debug log "ias.trace" from "C:\Program Files\VASCO\IDENTIKEY Authentication Server\log"
a. Open the file with the tool "notepad++" (Or you can use "Tail") (see OASPe015 for installation)
• Right-click on the file and select "edit with Notepad++"
• Notepad++ opens the file
• When the file changes, Notepad++ asks you to reload the file, click "Yes".
• TIP: you can enable the automatic reloading of the trace file in Notepad++. To do so:
o In Settings, select Preferences
o In Preferences select MISC.
o In MISC., for File Status Auto-Detection, enable "Update Silently"
TIP: Enable the Document Map in Notepad++. Select "View" and click on "Document Map".
3. Start the IDENTIKEY Audit Viewer to view the live audit
a. Press Windows +Q
b. Search for programs and files for "Audit" and start "Audit Viewer"
c. Navigate in the tree to "ODBC Database" and open the list by clicking on the "+"
d. Double click the "IDENTIKEY Database..."
e. Select "Auto scroll down" to see the latest messages in the "IDENTIKEY Audit Viewer"
NOTE: There are errors built into the execution steps of the exercises. The purpose is to mimic the configuration effort of the OAS in an advanced topology set-up. In such an effort, one typically must perform some ‘trial and error’ before defining the final set-up. The critical tools during the configuration phase are the Audit Viewer and certainly the trace file. Another reason is that the trace file lists the full details of the processing steps executed by the OAS during the authentication process. Verifying these steps in the trace file will bring a better understanding of the basic principles embedded in the OAS.
Perform a FAILING login when there is no RADIUS client record defined.
We will first delete ALL the predefined RADIUS clients that could be used by the RST (RADIUS Simulator Tool).
When the OAS receives the RADIUS packet from the RST, it checks whether a client record exists for the IP address with the RADIUS protocol. As there will be no record, the authentication must fail, even if we use the correct user credentials for the login.
4. Delete all RADIUS client records (delete only the RADIUS clients)
a. In the WebAdmin, click the tab "CLIENTS"
b. Filter for the RADIUS clients
• In the filter header, select RADIUS as the protocol to filter on.
• Click on the FILTER button
• Mark all the clients in the tick box at the left.
c. Delete the default RADIUS Client. Note: This record is "added" as the result of the installation option. Look for
• Hit the DELETE button
• Next, click on the "CLEAR FILTER" button.
5. Authenticate with the user “OASEe120” using the RADIUS Simulator Tool (This will fail)
a. Create a user in the Web Admin
• Hover over the tab “USERS” and click on “Create”
• Create user: “OASEe120”
• Password: “Test1234”
b. Configure the RST (if needed see exercise OASEe109 )
• Set the "Server IP" to "10.10.200.75/AWS INTERNAL IP ADDRESS"
• Shared Secret: "Test1234"
• Enable RADIUS accounting: disable
• Return Framed IP Address: disable
• Set the "Timeout (sec)" to "4" seconds
• Click on the Save button to safeguard the configuration
c. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as
▪ User ID “OASEe120”
▪ with password “Test1234”
▪ click on the login button
d. Verify the related messages
• First check in the audit viewer for warnings or errors.
• You will find that there is a warning (Make sure you are viewing the last messages)
"A RADIUS request has been received by the IDENTIKEY Server for which there is no client component defined"
• Verify in the trace file the processing reason for the failing authentication.
• Check for the messages
Dropping packet from unknown source <10.10.200.75/AWS INTERNAL IP ADDRESS>
{A RADIUS request has been received by the IDENTIKEY Server for which there is no client component defined.}
Perform a successful login with a specific RADIUS client for the RST and a policy.
We will first make a specific policy for this exercise. Next, we will create a new RADIUS client that is linked to the new policy. When we log in again, a client record, a policy and a user are available to the OneSpan Authentication Server. This way the authentication will succeed for the existing user “OASEe120”.
6. Set up a policy named “pOASEe120”
a. Start or return to the Web Admin
b. Select “POLICIES” and click on “Create”
c. Enter the required information
• Policy ID: “pOASEe120”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
7. Register/Create a RADIUS client
a. Point to the tab “CLIENT”, and select “Register”
b. Enter the required information
• Client Type, click on the button “SELECT FROM LIST” and select “RADIUS Client”
• Location "10.10.200.75/AWS INTERNAL IP ADDRESS"
• Policy ID: “pOASEe120”
• Protocol ID: “RADIUS”
• Set the shared secret to “Test1234”
8. Authenticate the user with the RADIUS Simulator Tool.
a. Configure the RST see OASEe109
• Set the "Server IP" to "10.10.200.75/AWS INTERNAL IP ADDRESS"
• Shared Secret: “Test1234”
• Enable RADIUS accounting: disable
• Return Framed IP Address: disable
• Set the “Timeout (sec)” to “4” seconds
• Click on the Save button to safeguard the configuration
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe120” with password “Test1234”
4.10 OASEe140: Authentication Process: DIGIPASS User
OneSpan Authentication server Components
Reference Number: OASEe140
Title: Authentication Process: DIGIPASS User
Est. time to complete: 15 min
Type: Mandatory
Purpose: Learn about local authentication with a DIGIPASS
Fast Track
In exercise OASEe120, we did an authentication with an OAS static password. In this exercise, we will perform an authentication for a
user with an OTP. Therefore, we will have to assign a DIGIPASS to the user. We will assign this DIGIPASS to the user OASEe140. We will
modify the policy, so that
• only logins with a DIGIPASS are allowed and
• define that only Response Only OTPs can be used for logins (even if we are using a DIGIPASS that also can generate a Challenge
Response OTP).
Create a user “OASEe140” in the Web Admin
Verify if a DIGIPASS is uploaded in the OneSpan Authentication server
Create a policy named “pOASEe140” that inherits from “IDENTIKEY Local Authentication with Auto-Unlock” and set Local Authentication to “DIGIPASS Only”
Assign a DIGIPASS to the user “OASEe140”
Login with the radius simulator
Deassign the DIGIPASS from user
Detailed Steps
1. Create a user “OASEe140” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe140”
• Password: “Test1234”
2. Verify if a DIGIPASS is uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID, then you can continue to step 3
c. If the list shows a DIGIPASS with a UserID, then you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx”
• Enter the Transport key “11111111111111111111111111111111” (or just press ‘1’ until the end of the field is reached)
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the option “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
3. Set up a policy named “pOASEe140”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe140”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
c. List the policies
d. Click the newly created policy
e. Modify the local and Back-End authentication settings
• Click on the tab “Policy”
• Click on the button “EDIT”
• Set “Local Authentication” to “DIGIPASS Only”
• Set “Back-End Authentication” to “None”
• Save the settings
f. Set Application Type to Response Only
• Click on the tab “DIGIPASS”
• Click on the button “EDIT”
• For the field “Application Type”, select “Response Only” from the drop-down list
• Click “Save” to store the modifications
4. Link the policy “pOASEe140” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” / AIIA
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe140”
• Click on “SAVE”
5. Assign a DIGIPASS record to the user “OASEe140”
a. Open the Web Admin
b. Click on the tab “USERS”
c. Search for the user “OASEe140” using the criteria in the “Search Users” tab
• Enter “OASEe140” in the field “User ID”
• Click on the button “SEARCH”
d. Mark the user “OASEe140” and click on “Assign DIGIPASS”
e. Search for a DIGIPASS. In the “Search DIGIPASS” tab
• Mark the option “Search now to select DIGIPASS to assign”
• Click Next
f. Under “4. Select DIGIPASS”
• Mark a DP300
• Click on “Next”
g. Under the “5. Options” tab Click on “ASSIGN”
h. In the tab “6. Finish”
• Note if a DIGIPASS was assigned, e.g., “0097123456”
• Click on Finish
6. Perform a FAILING login when using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe140” with password “Test1234”
b. Verify the related messages
• Check first in the audit viewer for warnings or errors
• You will find that there is an error (Make sure you are viewing the last messages)
“User authentication failed”.
• Click the error message and locate the reason in the preview section
• Verify in the trace file, for the ‘processing’ reason for the failing authentication.
• Check for the messages
{Error Code: '(1033)' ; Error Message: 'A DIGIPASS must be used for this login'}}
7. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe140” with password the response from the DIGIPASS
8. If you only imported 1 DIGIPASS then deassign the DIGIPASS from user “OASEe140”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe140”
c. Click deassign DIGIPASS and “OK”
TIP: You can also import .dpx files from the DVD “IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso”. On the DVD, there is a directory SEAL-DPX. This directory holds dpx files with 10 to 20 DIGIPASS in them. The advantage of loading such a DIGIPASS is that, during the exercises, you can always assign another DIGIPASS, instead of assigning a DIGIPASS and deassigning the same DIGIPASS.
9. MUST DO:
Import .dpx from the DVD "IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso".
In the DVD, there is a directory SEAL-DPX.
This directory holds dpx files with 10 to 20 DIGIPASS in them.
The advantage of loading these added DIGIPASS is, that during the exercises, you always have a free DIGIPASS to assign, instead of
assigning a DIGIPASS and deassigning the same DIGIPASS repeatedly.
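The trace messages quoted in OASEe120 and OASEe140 lend themselves to a small triage script for the "verify the trace file" steps. As an added example (not part of the exercise document), the following Python code classifies constructed trace lines by those messages and summarises failures per source address; the timestamp prefix on the sample lines is an assumption, only the message texts come from the exercises.

```python
import re
from collections import Counter

# Message texts quoted in exercises OASEe120 and OASEe140.
# The surrounding line layout (timestamp prefix) is an assumption;
# the real ias.trace layout may differ.
UNKNOWN_SOURCE = re.compile(r"Dropping packet from unknown source <([^>]+)>")
ERROR_CODE = re.compile(r"Error Code: '\((\d+)\)' ; Error Message: '([^']+)'")
NO_CLIENT = "for which there is no client component defined"
AUTH_FAILED = "User authentication failed"
AUTH_OK = "User authentication was successful"


def classify_line(line):
    """Map one trace line to (category, detail); None when it is not of interest."""
    m = UNKNOWN_SOURCE.search(line)
    if m:
        # Packet dropped because no client record matches its source address
        return ("no_client_record", m.group(1))
    m = ERROR_CODE.search(line)
    if m:
        # Policy rejection, e.g. 1033 when the policy is "DIGIPASS Only"
        return ("policy_rejection", f"{m.group(1)}: {m.group(2)}")
    if NO_CLIENT in line:
        return ("no_client_record", None)
    if AUTH_FAILED in line:
        return ("auth_failed", None)
    if AUTH_OK in line:
        return ("auth_ok", None)
    return None


def summarize_trace(lines):
    """Count each category and collect its distinct details (source IPs, error codes)."""
    counts = Counter()
    details = {}
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        category, detail = hit
        counts[category] += 1
        if detail:
            details.setdefault(category, set()).add(detail)
    return counts, details


# Constructed sample trace lines (not captured from a real ias.trace file).
SAMPLE_TRACE = [
    "2021-06-01 10:00:01 RADIUS Access-Request received from 10.10.200.75",
    "2021-06-01 10:00:01 Dropping packet from unknown source <10.10.200.75>",
    "2021-06-01 10:00:01 {A RADIUS request has been received by the IDENTIKEY Server "
    "for which there is no client component defined.}",
    "2021-06-01 10:05:12 {Error Code: '(1033)' ; Error Message: "
    "'A DIGIPASS must be used for this login'}",
    "2021-06-01 10:05:12 User authentication failed",
    "2021-06-01 10:07:30 User authentication was successful",
]

if __name__ == "__main__":
    counts, details = summarize_trace(SAMPLE_TRACE)
    for category, n in counts.items():
        print(f"{category}: {n} {sorted(details.get(category, []))}")
```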
4.11 OASEe160: Authentication Process: Backend
OneSpan Authentication server Components
Reference Number: OASEe160
Title: Authentication Process: Backend
Est. time to complete: 10 min
Type: Mandatory
Purpose: Only authenticate against Windows for Authorization
Fast Track
We will do an authentication with a Back-End Authentication to Windows, ONLY. Therefore, we will use the OAS user “OASEe160” and the
policy “pOASEe160”.
Create the user “OASEe160” in the Windows Active Directory
Set up a policy named “pOASEe160” that inherits from: “IDENTIKEY Windows Password Replacement”
Link the policy “pOASEe160” to the Radius client
Perform a successful login with the RADIUS Simulator Tool as user “OASEe160” with the password “Test1234”
Detailed Steps
1. Create the user “OASEe160” in the Windows Active Directory (see OASPe020)
2. Set up a policy named “pOASEe160”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Set up a policy named “pOASEe160”
• Select “POLICIES” and click on “Create”
• Enter the required information
▪ Policy ID: “pOASEe160”
▪ Inherits from: “Identikey Windows Password Replacement”
▪ Enter a description if desired
e. Make these changes to the Policy “pOASEe160”
• Set Local Auth. to None
• Set Back-End Auth. to Always
• Set Back-End Protocol to Windows, by using the select from list button
3. Link the policy “pOASEe160” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENT”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe160”
• Click on “SAVE”
4. Perform a successful login with the RADIUS Simulator Tool
a. Login as user “OASEe160” with the password “Test1234”
(If your radius simulator was not yet setup see exercise OASEe107 & OASEe109 for installation details)
b. Verify the Audit and the trace file messages
We want to verify that a Windows login is effectively performed for the user ‘OASEe160’.
You can prove this by disabling the Windows account of the user. If the RADIUS authentication request then fails, this is caused by the failing/refused Windows login.
5. Perform a failing login with the RADIUS Simulator Tool
a. Set “Account is disabled” on the Windows account of the user “OASEe160”
b. With the RST, login as user “OASEe160” with the password “Test1234”
c. Verify the Audit and the trace file messages.
4.12 OASEe200: Authentication Elements: Client: RADIUS
OneSpan Authentication server Components
Reference Number: OASEe200
Title: Authentication Elements: Client: RADIUS
Est. time to complete: 20 min
Type: Mandatory
Purpose: Learn how to setup and use a second RADIUS client from a different NAS IP
Fast Track
In this exercise you will learn how to set up a second RADIUS client connecting from a different NAS IP
Create a user “OASEe200” in the Web Admin
Assign a DIGIPASS record supporting virtual DIGIPASS to the “OASEe200” user
If you only imported 1 DIGIPASS then deassign the DIGIPASS from user “OASEe200”
For the second part of this lab, NTRadping is used as NTRadping supports the use of the RADIUS attribute NAS-IP. This tool will set the
NAS-IP to 10.10.200.85. You must create a new policy with the location set to this NAS-IP attribute.
Detailed Steps
1. Create a user “OASEe200” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe200”
• Password: “Test1234”
2. Verify if a DIGIPASS was uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID you can continue to step 3
c. If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx”
• Enter the Transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the option “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
• Verify if the DIGIPASS has VIRTUAL Token Enabled
OR
You can also import .dpx files from the DVD “IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso”. On this DVD, there is a directory SEAL-DPX. This directory holds dpx files with 10 to 20 DIGIPASS in them. The advantage of loading such a DIGIPASS is that, during the exercises, you can always assign another DIGIPASS, instead of assigning a DIGIPASS and deassigning the same DIGIPASS.
3. Assign a DIGIPASS record to the user “OASEe200”
a. Open the Web Admin
b. Click on the tab “USERS”
c. Search for the user “OASEe200” using the criteria in the “Search Users” tab
• Enter “OASEe200” in the field “User ID”
• Click on the button “SEARCH”
d. Mark the user “OASEe200” and click on “Assign DIGIPASS”
e. Search for DIGIPASS using the criteria on the “3. Search DIGIPASS” tab
• Mark “Search now to select DIGIPASS to assign”
• Click Next
f. Under “4.Select DIGIPASS”
• Mark a DIGIPASS
• Click on “NEXT”
g. Under the “5. Options” tab Click on “ASSIGN”
h. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
• Click on Finish
4. Set up a policy named “pOASEe200”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe200”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
c. List the policies
d. Click the newly created policy
e. Modify the local and Back-End authentication settings
• Click on the tab “Policy”
• Click on the button “EDIT”
• Set “Local Authentication” to “DIGIPASS Only”
• Set “Back-End Authentication” to “None”
f. List and set the RADIUS authentication protocols which are allowed
• Click on the tab “RADIUS”
• Click on the “EDIT” button
• For Supported Protocols, in the drop-down box, select “Any”
• Click on the button “SAVE”
5. Link the policy “pOASEe200” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENT”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe200”
• Click on “SAVE”
6. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe200” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer, first. Then check for the related messages in the tracing file and note down
the RADIUS NAS IP, as listed in the Audit viewer: _____________________________________
The current client and policy do not allow the use of passwords.
We will set up a policy that allows passwords, but only for a specific client connecting from the NAS IP 10.10.200.85/AIIA+1.
To achieve this, we need to set up a second RADIUS client with a new location. Do not delete the original policy. This policy will override the old policy.
For this test, a new tool is used, NTRadPing (see OASPe015, optional section). This RADIUS client tool can set the NAS-ID field and/or the NAS-IP field.
In the remainder of this lab, we will create a new RADIUS client using this RADIUS NAS-IP. The full explanation of how the OneSpan Authentication Server handles this is described in a support KB, which you can find at
https://www.vasco.com/images/KB_120200_tcm42-47801.pdf
7. Deassign the DIGIPASS from user “OASEe200”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe200”
c. Click deassign DIGIPASS and “YES”
8. Set up a policy named “pOASEe200b”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe200b”
• Inherits from: “pOASEe200”
• Enter a description if desired
c. List the policies
d. Click the newly created policy
e. Modify the local and Back-End authentication settings
• Click on the tab “Policy”
• Click on the button “EDIT”
• Set “Local Authentication” to “DIGIPASS/PASSWORD during Grace Period”
• Set “Back-End Authentication” to “None”
9. Register/Create a RADIUS client
a. Point to the tab “CLIENT”, and select “Register”
b. Enter the required information
• Client Type, click on the button “SELECT FROM LIST” and select “RADIUS Client”
• Location “10.10.200.85”
• Policy ID: “pOASEe200b”
• Protocol ID: “RADIUS”
• Set the shared secret to “Test1234” (not required)
10. Complete the configuration of the tool NTRadPing
a. RADIUS Server: 10.10.200.75 / AWS INTERNAL IP ADDRESS
b. RADIUS Port: 1812
c. RADIUS Secret Key: Test1234
d. User-Name: OASEe200
e. Password: Test1234
f. Set Request type to: Authentication Request
g. Under “Additional RADIUS Attributes”, in the left field, enter NAS-IP-Address in the “list”
h. In the right field, Fill in: 10.10.200.85
i. Click on Add
j. Check all fields
See screenshot for the required result.
11. Perform a successful login with the Radius tool NTRadPing.
a. Click on “Send”, to send an authentication request from the RADIUS Client to the RADIUS Server.
• Login as user “OASEe200” with the password “Test1234”
b. Verify the Audit and the trace file messages
What is the RADIUS NAS IP listed in the Audit viewer for point 10:
Verify the trace file and, for point 10, find the component that is used to verify the license. What is the component?
Tip: In the Audit Viewer, look for “A RADIUS Access-Request has been received” and list the “Input Details” of the audit message. Next, look at all the details of the “User authentication was successful” event.
4.13 OASEe210: Authentication Elements: Client: SOAP
OneSpan Authentication server – Authentication Elements - Clients
Reference Number: OASEe210
Title: Authentication Elements: Client: SOAP
Est. time to complete: 15 min
Type: Optional
Purpose: Learn how to setup and use a SOAP client
Fast Track
We will do an authentication over the SOAP protocol with a tool that “shows” you the SOAP message and its contents.
The first attempt will fail because there is
• NO client record for the SOAP client in the OAS.
• NO SOAP “application name” specified in this authentication request.
Create the user “OASEe210” in the Windows Active Directory
Launch an authentication SOAP request with SoapUI (CREDFLD_USERID=“OASEe210”, CREDFLD_PASSWORD=“Test1234”)
Set up a policy named “pOASEe210” that inherits from: “IDENTIKEY Windows Password Replacement”
Create a client record for the SoapUI client
Launch an authentication SOAP request with SoapUI (CREDFLD_USERID=“OASEe210”, CREDFLD_PASSWORD=“Test1234”)
Detailed Steps
1. Create the user “OASEe210” in the Windows Active Directory (see OASPe020)
2. Set up a policy named “pOASEe210”
• inherits from: “IDENTIKEY Windows Password Replacement”
3. Launch an authentication SOAP request with SoapUI
a. Install SoapUI (http://www.soapui.org/)
OR
b. Get it from the DVD “IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso”.
• In the DVD, there is a directory SEAL-SOAPUI.
• This directory holds the SoapUI installation kit and the OAS-soapUI-auth.xml project
c. Start SOAPUI
• Press Windows +Q
• Search for programs and files for “soap” and start “soapUI-…” or “soapUI-….exe”
d. Import a project with File/Import Project “OAS-soapUI-auth” from the DVD
IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso, directory SEAL-SOAPUI
e. Browse the project
• Select \IDENTIKEY\Authentication\authUser\Request1
• Double click on Request1
f. Click on the IP address
g. Select “Edit Current”
h. Change the IP address to “10.10.200.75” /AWS INTERNAL IP ADDRESS and port 8888
SOAP requests for the OneSpan Authentication Server contain attributes; for an authentication, specifically the attributes with attributeID “CREDFLD_USERID” and “CREDFLD_PASSWORD”. The values of these attributes need to be updated with the credentials of the newly created user.
i. Change the user “student” to “OASEe210”
j. Change the password “952228” to “Test1234”
One SOAP client can access one SOAP port for n applications. The distinction between the different clients is made in the OneSpan Authentication Server with the field CREDFLD_COMPONENT_TYPE. This means that you can have one OAS client record per CREDFLD_COMPONENT_TYPE.
k. Change the Component Type “SoapUI” to “soapui”
l. Send the request by clicking on the play button. This will fail!
m. The SOAP Message is refused by the OAS because there is no Client Record defined for the SOAPUI tool
• You should get the error “<errorDesc>Client component does not exist</errorDesc>”
4. Set up a policy named “pOASEe210”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select “POLICIES” and click on “Create”
e. Enter the required information
• Policy ID: “pOASEe210”
• Inherits from: “Identikey Windows Password Replacement”
• Enter a description if desired
f. Make these changes to the Policy “pOASEe210”
• Set Local Auth. to None
• Set Back-End Auth. to Always
• Set Back-End Protocol to Windows
5. Create a client record for the SOAPUI client
a. Click on the tab “CLIENTS” and select “Register”
b. Fill in the fields.
• For the field “Client Type”, enter “soapui”
• Location: “10.10.200.75” /AWS INTERNAL IP ADDRESS
• Policy: “pOASEe210”
• Protocol Id: SOAP
c. Click on “CREATE”
6. Launch an authentication SOAP request with SoapUI
a. Send the request again
b. Check for a successful completion
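The client-record lookup explained in OASEe120 (no client record, so the authentication fails), OASEe200 (a second RADIUS client selected by the NAS-IP-Address attribute) and OASEe210 (one SOAP client record per CREDFLD_COMPONENT_TYPE) can be summarised in a small model. This is an added example, not OAS code; the precedence of the NAS-IP-Address attribute over the packet source address and the exact-match comparison of the component type are assumptions, and the client records are constructed to mirror the ones registered in the exercises.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientRecord:
    client_type: str   # "RADIUS Client", or the SOAP component type such as "soapui"
    location: str      # IP address registered as the client's location
    protocol: str      # "RADIUS" or "SOAP"
    policy_id: str     # policy applied to requests from this client


@dataclass
class AuthRequest:
    protocol: str
    source_ip: str                         # address the packet actually came from
    nas_ip_address: Optional[str] = None   # RADIUS attribute NAS-IP-Address, if sent
    component_type: Optional[str] = None   # SOAP attribute CREDFLD_COMPONENT_TYPE, if sent


# Error texts quoted in the exercises (audit message and SoapUI response).
NO_CLIENT_RADIUS = ("A RADIUS request has been received by the IDENTIKEY Server "
                    "for which there is no client component defined")
NO_CLIENT_SOAP = "Client component does not exist"


def request_location(req: AuthRequest) -> str:
    """Location used for the client lookup.

    Assumption (from the NTRadPing steps in OASEe200): a RADIUS NAS-IP-Address
    attribute takes precedence over the packet source; without it, the
    source address is the location.
    """
    if req.protocol == "RADIUS" and req.nas_ip_address:
        return req.nas_ip_address
    return req.source_ip


def resolve_client(records: List[ClientRecord], req: AuthRequest) -> Optional[ClientRecord]:
    """Return the client record matching protocol, location and (for SOAP) component type."""
    location = request_location(req)
    for rec in records:
        if rec.protocol != req.protocol or rec.location != location:
            continue
        # SOAP: one client record per CREDFLD_COMPONENT_TYPE, compared exactly
        # (OASEe210 changes "SoapUI" to "soapui" so that it matches the record).
        if req.protocol == "SOAP" and rec.client_type != req.component_type:
            continue
        return rec
    return None


def select_policy(records: List[ClientRecord], req: AuthRequest) -> Tuple[bool, str]:
    """(True, policy_id) when a client record exists, else (False, error text)."""
    rec = resolve_client(records, req)
    if rec is None:
        return False, (NO_CLIENT_SOAP if req.protocol == "SOAP" else NO_CLIENT_RADIUS)
    return True, rec.policy_id


# Constructed client records mirroring the ones registered in the exercises.
LAB_CLIENTS = [
    ClientRecord("RADIUS Client", "10.10.200.75", "RADIUS", "pOASEe200"),
    ClientRecord("RADIUS Client", "10.10.200.85", "RADIUS", "pOASEe200b"),
    ClientRecord("soapui", "10.10.200.75", "SOAP", "pOASEe210"),
]

if __name__ == "__main__":
    cases = [
        AuthRequest("RADIUS", "10.10.200.75"),                                 # RST, OASEe200 step 6
        AuthRequest("RADIUS", "10.10.200.75", nas_ip_address="10.10.200.85"),  # NTRadPing, step 11
        AuthRequest("SOAP", "10.10.200.75", component_type="SoapUI"),          # OASEe210 first attempt
        AuthRequest("SOAP", "10.10.200.75", component_type="soapui"),          # OASEe210 after the fix
    ]
    for req in cases:
        print(req, "->", select_policy(LAB_CLIENTS, req))
    # OASEe120 step 5: all RADIUS client records deleted
    print("no records ->", select_policy([], AuthRequest("RADIUS", "10.10.200.75")))
```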
4.14 OASEe280: Authentication Elements: User: Domains and organizations
OneSpan Authentication server – Authentication Elements - Users
Reference Number: OASEe280
Title: Authentication Elements: User: Domains and organizations
Est. time to complete: 20 min
Type: Mandatory
Purpose: In this exercise you will learn that you can create domains with OUs in the OAS ODBC databases
Fast Track
Create a domain "DIGIPASS" with organizational units "270" and "300"
Create a domain "GO" with organizational units (OU) "3", "6" and "7"
Import the DIGIPASS Authenticators (C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx)
Dpx file          Into domain   Organizational Unit
Demo_DP270.dpx    DIGIPASS      270
Demo_DP300.dpx    DIGIPASS      300
Demo_GO3.dpx      GO            Unit 3
Demo_GO6.dpx      GO            Unit 6
Demo_GO7.dpx      GO            Unit 7
Copy the file "C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport.csv" to "C:\Program Files\VASCO\IDENTIKEY
Authentication Server\dpx\userimport_.csv"
Edit with WORDPAD, the C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport_.csv
Change the username “testuser1” to “OASEe280_1”
Change the username “testuser2” to “OASEe280_2”
Change the domain for “OASEe280_1” to “DIGIPASS” organization unit “270”
Change the domain for “OASEe280_2” to “GO”
Import Users (C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport.csv)
Move the “OASEe280_2” to organizational unit “3”
Assign a DIGIPASS to “OASEe280_1”
Assign a DIGIPASS to “OASEe280_2”
Assign a second DIGIPASS to “OASEe280_1” with search upwards. Why does it fail?
Move the “DIGIPASS 300” to the domain “DIGIPASS”
Assign a second DIGIPASS to “OASEe280_1”, with search upwards
Perform a successful login with a specific policy for the RADIUS Simulator Tool using OASEe280_2
Create a user “OASEe280_3” in the Web Admin with admin rights
Perform a login with a specific policy for the RADIUS Simulator Tool using OASEe280_3
Detailed Steps
1. Create a domain “DIGIPASS” and “GO” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “ORGANIZATION”, select the option “Add domain”
• Domain Name: “DIGIPASS”
e. Create a second domain
• Domain Name: “GO”
2. Create the “270” and “300” organizations in the domain “DIGIPASS”
a. Select the tab “ORGANIZATION”, select the option “List”
b. Click “View details” for the “DIGIPASS” domain
c. Click the “Add Org. Unit” button
• Organizational Unit: “270”
d. Create a second organizational unit
• Organizational Unit: “300”
3. Create the “3”, “6” and “7” organizations in the domain “GO”
a. Select the tab “ORGANIZATION”, select the option “List”
b. Click “View details” for the “GO” domain
c. Click the “Add Org. Unit” button
• Organizational Unit: “3”
d. Create a second organizational unit
• Organizational Unit: “6”
e. Create a third organizational unit
• Organizational Unit: “7”
4. Upload a DIGIPASS 300 in the domain “DIGIPASS” and organizational unit “300” in the OneSpan Authentication server
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID in the correct domain and organization, then you can continue to the next step
• If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS
• If the list shows a DIGIPASS with an incorrect domain and/or organization, then you can move the DIGIPASS
c. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx”
• Enter the Transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Select the proper Domain and OrgUnit
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
d. Check in the directory “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx” whether a copy of the file is available, named like “Demo_DP300.dpx****000*.dpx”. If so, the dpx file has been imported.
5. Repeat step 4 for the following DIGIPASS Authenticators
a. Demo_DP270.dpx in domain “DIGIPASS” and organizational unit “270”
b. Demo_GO3.dpx in domain “GO” and organizational unit “3”
c. Demo_GO6.dpx in domain “GO” and organizational unit “6”
d. Demo_GO7.dpx in domain “GO” and organizational unit “7”
6. In the File Explorer copy the file “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport.csv” to “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport.csv”
7. Edit with WORDPAD the file C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport.csv
a. For the user "testuser1"
• Change the username to "OASEe280_1"
• Change the domain to "DIGIPASS"
• Change the OU to "270"
b. For the user "testuser2"
• Change the username to "OASEe280_2"
• Change the domain for "OASEe280_2" to "GO"
8. Import Users (C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport.csv)
a. Select the tab “USERS” and click on “Import”
b. Locate the file “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx\userimport.csv”
c. Enable the creation of the user during the import
9. Move the “OASEe280_2” to organizational unit “3”
a. Select “USERS”, “List”
b. Check the “OASEe280_2” user
c. Click the “Move” button
d. Select the organizational unit “3”
10. Assign a DIGIPASS to “OASEe280_1”
a. Click on the tab “USERS”
b. Search for the user “OASEe280_1” using the criteria in the “Search Users” tab
• Enter “OASEe280_1” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe280_1” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
• Click on Finish
Which DIGIPASS type was assigned? ____________________
11. Assign a DIGIPASS to “OASEe280_2”
a. Click on the tab “USERS”
b. Search for the user “OASEe280_2” using the criteria in the “Search Users” tab
• Enter “OASEe280_2” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe280_2” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
• Click on Finish
Which DIGIPASS type was assigned? _________________
12. Assign a DIGIPASS to “OASEe280_1”
a. Click on the tab “USERS”
b. Search for the user “OASEe280_1” using the criteria in the “Search Users” tab
• Enter “OASEe280_1” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe280_1” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Enable Search upwards in the organizational hierarchy
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that there was an error
• Click on Finish
Why was there no DIGIPASS assigned? ____________________
13. Move the “DIGIPASS 300” to the domain “DIGIPASS”
a. Select “DIGIPASS”, “List”
b. Check the “DIGIPASS 300”
c. Click the “Move” button
d. Select the domain “DIGIPASS”, no organizational unit
14. Assign a DIGIPASS to “OASEe280_1”
a. Click on the tab “USERS”
b. Search for the user “OASEe280_1” using the criteria in the “Search Users” tab
• Enter “OASEe280_1” in the field “User ID”
• Click on the button “SEARCH”
• Mark the user “OASEe280_1” and click on “Assign DIGIPASS”
c. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Enable Search upwards in the organizational hierarchy
• Click Next
d. Under the “5. Options” tab Click on “ASSIGN”
e. In the tab “6. Finish”
f. Note if a DIGIPASS was assigned for example: “0097123456”
g. Click on Finish
Which DIGIPASS type was assigned?
15. Set up a policy named “pOASEe280”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe280”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
16. Link the policy “pOASEe280” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe280”
• Click on “SAVE”
17. Perform a failing login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe280_1” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
18. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe280_1@DIGIPASS” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
19. Update the policy named “pOASEe280”
a. List the policies
b. Click the newly created policy “pOASEe280”
c. Click on the tab “User”
• Click on the button "EDIT"
• For "Default Domain", enter "DIGIPASS"
• "SAVE" your changes
20. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe280_1” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
21. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe280_2@GO” with password pin + the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
22. Update the policy named “pOASEe280”
a. List the policies
b. Click the policy “pOASEe280”
c. Click on the tab “User”
• Click on the button “EDIT”
• For “Accepted Domain”, enter “DIGIPASS”
23. Perform a failing login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe280_2@GO” with password pin + the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
24. Create a user “OASEe280_3” in the Web Admin
a. Select the tab “USERS” and
b. click on “create”
• Create user: “OASEe280_3”
• Password: “Test1234”
• Domain: DIGIPASS
25. Edit the privileges of the user “OASEe280_3”
a. Click on the tab "Admin Privileges" and click on "EDIT"
b. In the section "ADMINISTRATIVE SESSION", enable the Administrative Logon
c. Enable "View User"
d. Domain scope must be "DIGIPASS"
26. Perform a failing login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe280_3@DIGIPASS” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
27. Update the policy named “pOASEe280” so that users with OAS admin privileges may log in on the client.
a. List the policies
b. Click the policy “pOASEe280”
c. Click on the tab “User”
• Click on the button “EDIT”
• For “Local Admin Users”, enter “Accept”
28. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe280_3@DIGIPASS” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
29. Logout from the webadmin
a. Login using the administrator created during the previous steps
• User ID: “OASEe280_3@DIGIPASS”
• Password: “Test1234”
b. Verify the available items that you can see in the webadmin
30. Deassign the DIGIPASS authenticators
a. Logout from the webadmin
b. Login using the default administrator
• User ID: “iasadmin”
• Password: “Test1234”
c. Deassign the DIGIPASS from user “OASEe280_1”
d. Deassign the DIGIPASS from user “OASEe280_2”
e. Move the DIGIPASS 300 back to the master domain
f. Remove the DIGIPASS 270, GO 3, GO 6 and GO 7 from the OAS
4.15 OASEe290: Authentication Elements: User: Domains and SOAP Auth & Sig
OAS - Authentication Elements - User
Reference Number OASEe290
Title Authentication Elements: User: Domains and SOAP Auth & Sig
Est. time to complete 30 min
Type Optional
Purpose Learn how to setup and use a SOAP client with authentication and signature
Fast Track
We will do an authentication over the SOAP protocol with a tool that “shows” you the SOAP message and its contents.
The first attempt will fail because there is:
• NO client record for the SOAP client in the OAS.
• NO SOAP “application name” specified in this authentication request.
Create a user “OASEe290” in the domain “DIGIPASS” with organization unit “300” in the Web Admin
Assign a DIGIPASS with signature capability to user “OASEe290”
Set up a policy named “pOASEe290” inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
Create a client record for SOAPUI client
Launch an Authentication SOAP request with SoapUI (CREDFLD_USERID=“OASEe290”, CREDFLD_PASSWORD=OTP)
Launch a Signature SOAP request with SoapUI (CREDFLD_USERID=“OASEe290”, CREDFLD_PASSWORD=OTP)
Detailed Steps
1. Create a user “OASEe290” in the domain “DIGIPASS” with organization unit “300” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe290”
• Password: “Test1234”
• Domain: “DIGIPASS”
• Organizational unit: “300”
2. Upload a DIGIPASS 300 in the domain “DIGIPASS” and organizational unit “300” in the OneSpan Authentication server
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID in the correct domain and organization, then you can continue to the next step
• If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS
• If the list shows a DIGIPASS with an incorrect domain and/or organization, then you can move the DIGIPASS
c. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx”
• Enter the Transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Select the proper Domain and OrgUnit
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
3. Assign a DIGIPASS with signature capability to user “OASEe290”
a. Click on the tab “USERS”
b. Search for the user “OASEe290” using the criteria in the “Search Users” tab
• Enter “OASEe290” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe290” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
g. Click on Finish
Which DIGIPASS type was assigned? ____________________
What is the grace period? _________________________
4. In the web admin test the OTP validation for application 1
a. Select the tab “DIGIPASS”
b. Select the DIGIPASS DP300, serial number 0097123456
c. Select tab “APPL 1”
d. Click the button “test OTP” using your demo token.
5. In the web admin test the Signature validation for application 2
a. With your selected DIGIPASS, generate a MAC (Message Authentication Code) / SG (Signature)
b. Enter the DIGIPASS Pin “1234”
c. Select “Application 2”
• In field 1, enter the Senders Account 12345
• In field 2, enter the Receivers Account 54321
• In field 3, enter the Amount 10000
The MAC should be identical on all DIGIPASS: 311284 (check it via your DIGIPASS)
d. Fill in the same values in the application 2 test in OAS
7. Launch an Authentication Soap Request With soap UI
a. Install SoapUI (http://www.soapui.org/)
b. Start SOAPUI
• Press Windows +Q
• Search for programs and files for “soap” and start “soapUI-…” or “soapUI-….exe”
c. Import a project with File/Import Project “OAS-soapUI-auth”
d. Browse the project
• Select \OAS\Authentication\authUser\Request1
• Double click on Request1
e. Click on the IP address
f. Select “Edit Current”
g. Change the IP address to “10.10.200.75” /AWS INTERNAL IP ADDRESS and port 8888
SOAP requests for the OneSpan Authentication server contain attributes; for an authentication these are specifically the attributes with attributeID “CREDFLD_USERID” and “CREDFLD_PASSWORD”. The values of these attributes need to be updated with the credentials of the newly created user.
h. Change the user “student” to “OASEe290”
i. Change the password “952228” to “Test1234”
1 SOAP client can access 1 SOAP port for n applications. The distinction between the different clients is made in the OneSpan Authentication server, with the field CREDFLD_COMPONENT_TYPE. This means that you can have 1 OAS client record per CREDFLD_COMPONENT_TYPE.
n. Change the Component Type “SoapUI” to “soapui_2”
o. Send the request by clicking on the play button
p. The SOAP Message is refused by the OAS because there is no Client Record defined for the SOAPUI tool
• You should get the error “<errorDesc>Client component does not exist</errorDesc>”
8. Set up a policy named “pOASEe290”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe290”
• Inherits from: “Identikey Local Authentication”
• Enter a description if desired
c. Make these changes to the Policy “pOASEe290”
• Set Local Auth. to “DIGIPASS/Password during Grace Period”
• Set Back-End Auth. to “None”
9. Create a client record for the SOAPUI client
a. Click on the tab “CLIENTS” and select “Register”
b. Fill in the fields.
• For the field “Client Type” enter “soapui_2”
• Location: “10.10.200.75” /AWS INTERNAL IP ADDRESS
• Policy: “pOASEe290”
• Protocol Id: SOAP
c. Click on “CREATE”
10. Launch an Authentication Soap Request With soap UI
a. Send the request again
b. Check for a failed completion
• You should get the error “<errorDesc>Digipass user account not found ….</errorDesc>”
11. Change the user “OASEe290” to “OASEe290@DIGIPASS”
12. Launch an Authentication Soap Request With soap UI
a. Send the request again
b. Check for a successful completion
13. Change the password from “Test1234” to a value generated by a demo DIGIPASS 300 (More information on demo DIGIPASS can be found in OASPe050)
14. Verify the grace period in OAS
Validate a signature
15. Create a client record for the SOAPUI client
a. Click on the tab “CLIENTS” and select “Register”
b. Fill in the fields.
• For the field “Client Type” enter “soapui_3”
• Location: “10.10.200.75” / AWS INTERNAL IP ADDRESS
• Policy: “pOASEe290”
• Protocol Id: SOAP
c. Click on “CREATE”
16. In soap UI Browse the project
a. Select \IDENTIKEY\Signature\authSignature\Request1
b. Double click on Request1.
• Change the IP address to 10.10.200.75 /AWS INTERNAL IP ADDRESS port 8888
• Change the User student to “OASEe290@DIGIPASS”
• Change the string SoapUI to “soapui_3”
• In data field 1, enter the Senders Account 12345
• In data field 2, enter the Receivers Account 54321
• In data field 3, enter the Amount 10000
• The Signature should be 311284
Tip: you can also get to the signature by using https://gs.onespan.cloud/te-demotokens
17. Deassign the DIGIPASS from user “OASEe290”
a. Move the DIGIPASS 300 back to the master domain
4.16 OASEe300: Authentication Elements: User: Windows Name Resolution
- Authentication Elements - User
Reference Number OASEe300
Title Authentication Elements: User: Windows Name Resolution
Est. time to complete 15 min
Type Mandatory
Purpose Learn about the different name resolution possibilities
Fast Track
During the exercise, we will explore:
• How the “domain” of a user is processed by the OneSpan Authentication server
• How the option Windows Name Resolution can automatically reduce the synonyms of a Windows user account into the one UPN format
• The interaction between a user domain name and the Windows Name Resolution option.
With Windows Username Resolution disabled
• Create the user “OASEe300” in the Windows Active Directory member of the user group “Digipass Users”
• Set up a policy named “pOASEe300” that inherits from “IDENTIKEY Windows Password Replacement” with a group check
• Login with the Radius Simulator Tool, authenticating as User ID
• “OASEe300” with password “Test1234”
• “OASEe300@onespan.local” with password “Test1234”. Create the OAS domain onespan.local and login again.
• “ONESPAN-AC\OASEe300” with password “Test1234”
Enable windows name resolution with the OAS Configuration tool
• Login with the RST as User ID “OASEe300@onespan.local” with password “Test1234”
• Create the OAS domain onespan.local in the OAS database
• Login with the RST as User ID “onespan-ac\OASEe300” with password “Test1234”
Disable windows name resolution with the OAS Configuration tool
Detailed Steps
1. Create the user “OASEe300” in the Windows Active Directory (see OASPe020)
2. Create a windows user group “Digipass Users”
3. Make “OASEe300” a member of the user group “Digipass Users”. If needed, create this Windows user group "Digipass Users" first.
4. Set up a policy named “pOASEe300”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select “POLICIES” and click on “Create”
Enter the required information
• Policy ID: "pOASEe300"
• Inherits from: "IDENTIKEY Windows Password Replacement"
• Enter a description if desired
• Set the "Windows Group Check" to "No Check"
• Set DUR to "Yes"
5. Link the policy “pOASEe300” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe300”
• Click on “SAVE”
6. Perform a successful login as "OASEe300" with a specific policy for the RADIUS Simulator Tool (To configure the RST see exercise OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID "OASEe300" with password "Test1234"
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
This authentication will succeed.
d. List all the "300" users by using the "FIND" field and the SEARCH button.
How many 300 users did you find and in which domain?
The policy specifies a Windows Back-End Authentication. The user "OASEe300" exists in the ADUC. Hence the authentication succeeds, because the "Windows" back-end authentication is successful. This "Windows" authentication uses by default the Windows domain in which IDENTIKEY is installed. Hence the user "OASEe300" is authenticated to Windows as user OASEe300@onespan.local. However, you will see that the user OASEe300 is created in the OAS in the master domain.
7. Perform a successful login as "OASEe300@onespan.local" with a specific policy for the RADIUS Simulator Tool (To configure the RST see exercise OASEe109)
a. If the domain onespan.local does not exist in the OAS, then create it in the OAS.
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID "OASEe300@onespan.local" with password "Test1234"
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
e. List all the "300" users, by using the "FIND" field and the SEARCH button.
How many 300 users did you find and in which domain?
The authentication will work because the Windows back-end gives the authorization to create the user. The OAS server will create the user "OASEe300@onespan.local" after searching for the user OASEe300 in the domain "onespan.local": the user does not exist in this domain yet and is therefore created.
8. Perform a successful login as "onespan-ac\OASEe300" with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user "onespan-ac\OASEe300" with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID "onespan-ac\OASEe300" with password "Test1234"
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
This Windows authentication will work, and the IDENTIKEY server will create the user "onespan-ac\OASEe300" in the master domain. The Windows back-end server can translate "onespan-ac\OASEe300" into the Windows user "OASEe300@onespan.local". After verification of the Windows user, Windows will give the authorization to the OAS. The OAS will then create "onespan-ac\OASEe300" in the master domain.
9. List all users in OAS. For the same user *OASEe300* in Windows, you will find 3 OAS users:
• OASEe300 in domain master (Step 6)
• OASEe300@onespan.local in domain onespan.local (Step 7)
• onespan-ac\OASEe300 in domain master (Step 8)
10. Delete the OAS user "OASEe300" in the OAS "master" domain.
11. Delete the OAS user "OASEe300" in the OAS domain "onespan.local".
12. Delete the OAS user "onespan-ac\OASEe300" in the OAS "master" domain.
13. Enable windows name resolution with WebAdmin
a. Hover over the "BACK-END" tab and
b. click the "Settings" menu item
c. Enable the "Windows User Name Resolution"
d. Click on the "Save" button
IMPORTANT:
• If "Windows User Name Resolution" is enabled, then the user must exist in Windows. If the user does not exist in a domain, then Windows cannot "resolve" the name. The OAS then stops the authentication process.
• The OAS also expects that the username always includes a domain name.
e. Must Do: Restart the OAS. Have a look at the Windows Service to do so.
14. Perform a login as user "OASEe300".
The user will be created in the OAS master domain. Windows only receives the username from the OAS. Windows will then authenticate the user in the default Windows domain. As the Windows authentication succeeds, the OAS will create the user in the default OAS master domain.
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID OASEe300 with password "Test1234"
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
15. Perform a successful login as user "OASEe300@onespan.local".
As the Windows authentication succeeds, the OAS creates the user in the OAS "onespan.local" domain.
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID "OASEe300@onespan.local" with password "Test1234"
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
16. Perform a successful login as "onespan-ac\OASEe300" with a specific policy for the RADIUS Simulator Tool (To configure the RST see the exercise OASEe109).
Because of the Windows User Name Resolution, the OAS will ask to translate "onespan-ac\OASEe300" into "OASEe300@onespan.local".
a. Delete the OAS user "OASEe300" in the OAS domain "onespan.local"
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID "onespan-ac\OASEe300" with password "Test1234"
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
e. List all *300* users in OAS. For the same user *OASEe300*
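As an added illustrative model (not OneSpan code) of what steps 6-9 and 14-16 describe: which OAS user record Dynamic User Registration creates for each spelling of the same Windows account, with Windows User Name Resolution disabled and enabled. The Windows directory contents, the NetBIOS-to-DNS map and the rule that a UPN whose domain does not exist in OAS is rejected are constructed assumptions, not documented OAS behaviour.

```python
# Added illustrative model, not OneSpan code: which OAS user record
# Dynamic User Registration (DUR) creates for each spelling of one Windows
# account, with Windows User Name Resolution disabled (steps 6-9) and
# enabled (steps 14-16). Directory contents and NetBIOS map are constructed.

DEFAULT_WINDOWS_DOMAIN = "onespan.local"         # domain OAS is installed in
NETBIOS_NAMES = {"onespan-ac": "onespan.local"}  # constructed NetBIOS -> DNS map
MASTER = "master"                                # OAS default domain

# Constructed Windows directory: UPN (lower case) -> password
WINDOWS_ACCOUNTS = {"oasee300@onespan.local": "Test1234"}


def parse_user_id(user_id):
    """Split a RADIUS User-Name into (name, domain_hint, form).

    form is "upn" for name@dns.domain, "netbios" for NETBIOS\\name and
    "plain" for a bare name (domain_hint is None in that case).
    """
    if "@" in user_id:
        name, dns = user_id.split("@", 1)
        return name, dns.lower(), "upn"
    if "\\" in user_id:
        netbios, name = user_id.split("\\", 1)
        return name, netbios.lower(), "netbios"
    return user_id, None, "plain"


def windows_resolve(user_id):
    """Return the UPN Windows resolves user_id to, or None if it cannot."""
    name, hint, form = parse_user_id(user_id)
    if form == "plain":
        dns = DEFAULT_WINDOWS_DOMAIN      # bare name: default Windows domain
    elif form == "upn":
        dns = hint
    else:
        dns = NETBIOS_NAMES.get(hint)     # unknown NetBIOS name: unresolvable
        if dns is None:
            return None
    upn = f"{name}@{dns}".lower()
    return upn if upn in WINDOWS_ACCOUNTS else None


def windows_authenticate(user_id, password):
    """Windows back-end authentication against the constructed directory."""
    upn = windows_resolve(user_id)
    return upn is not None and WINDOWS_ACCOUNTS[upn] == password


def oas_login(user_id, password, oas_domains, oas_users, name_resolution):
    """Model of Back-End Authentication "Windows" with DUR set to "Yes".

    Returns (accepted, record); record is the (user_id, oas_domain) pair
    DUR stores in oas_users. Assumption (not stated on the page): a UPN
    whose domain does not exist in OAS is rejected.
    """
    name, hint, form = parse_user_id(user_id)
    if not windows_authenticate(user_id, password):
        return False, None                # Windows refuses or cannot resolve
    if name_resolution:
        upn = windows_resolve(user_id)
        if form == "plain":
            record = (name, MASTER)       # step 14: bare name still lands in master
        else:
            dns = upn.split("@", 1)[1]    # UPN and NetBIOS forms collapse to one record
            if dns not in oas_domains:
                return False, None
            record = (name, dns)
    else:
        if form == "upn":
            if hint not in oas_domains:
                return False, None
            record = (name, hint)         # step 7: OASEe300 in onespan.local
        else:
            record = (user_id, MASTER)    # steps 6 and 8: stored verbatim in master
    oas_users.add(record)
    return True, record


if __name__ == "__main__":
    domains = {MASTER, "onespan.local"}
    for enabled in (False, True):
        users = set()
        for uid in ("OASEe300", "OASEe300@onespan.local", "onespan-ac\\OASEe300"):
            print(enabled, uid, oas_login(uid, "Test1234", domains, users, enabled))
        print("distinct OAS records:", sorted(users))
```

With name resolution disabled the three logins leave three OAS records (the situation listed in step 9); with it enabled the UPN and NetBIOS forms collapse to one record in onespan.local.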
17. MUST DO: Disable windows name resolution in the webadmin
a. Hover over the "BACK-END" tab and
b. click the "Settings" menu item
c. Disable the "Windows User Name Resolution"
d. Click on the “Save” button
4.17 OASEe260: Authentication Elements: User: Group Check
OneSpan Authentication server – Authentication Elements - Policies
Reference Number OASEe260
Title Authentication Elements: User: Group Check
Est. time to complete 10 min
Type Mandatory
Purpose Learn how the Windows Group Check can be used
Fast Track
In this exercise, you will learn how the “Windows Group Check” policy option is processed by the OAS.
Create the user “OASEe260” in the Windows Active Directory
Create the group “OASEe260_group” in the Windows Active Directory
Set up a policy named “pOASEe260” that inherits from: “Base Policy”
• Firstly, enable “Windows Group Check” in the policy for the client.
• When enabled, the OAS will verify whether the user belongs to a Windows user group. This user group is specified, as a filter, in the policy.
• The policy must also define which action the OAS must take when the user is not in the group. We will choose the policy option “Reject Requests for users not listed groups”. This will force the OAS to reject / fail any authentication request if the user is not a member of the group.
We will do two authentications for a user.
• One where the user is not a member of the windows group as defined in the policy. This authentication must fail.
• Next, we will make the user member of the user group and verify if the authentication will succeed. As a bonus, you will see that
during this authentication, the user will be DUR-ed.
The combination of the policy options Windows Group Check and DUR is a powerful instrument to easily deploy the OAS when strong
authentication is needed only for a restricted group of Windows users.
Note: Some OAS built-in policies have the Windows Group Check predefined. One should always verify if this is the case.
Detailed Steps
1. Create the user “OASEe260” in the Windows Active Directory (see OASPe020)
2. Create the group “OASEe260_group” in the Windows Active Directory (see OASPe020)
3. Set up a policy named “pOASEe260”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “POLICIES”, to list all the policies
e. Select the policy “Base Policy”
• Under the tab “Policy”, click on the button “COPY”
Note: Here you learn that you can copy the settings of another policy. This has the benefit that you can easily create a new policy,
based on an existing and working one, without modifying the policy that is already in place.
f. For the policy to create, enter the Policy ID “pOASEe260”
g. Modify the policy “pOASEe260”
• In the tab Policy set
o Back-End Authentication to “Always”
o Back-End Protocol to “Windows”
• In the tab User
o Set “Dynamic User Registration” to “Yes”
o Set “Windows Group Check” to “Reject Requests for users not listed groups”
o At the "Windows Group List" filter for “OASEe260_group”
o Select the group by marking the tick box in front of the name.
o Save your changes
4. Link the policy “pOASEe260” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “CLIENTS”, click on the button “EDIT”
• Select for Policy ID: “pOASEe260”
• Click on “SAVE”
Perform a failing login with the RST and check for the user [email protected] in the OAS
5. Perform a login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “[email protected]” with password “Test1234”
b. Verify the related messages
• Check first in the audit viewer for warnings or errors
• You will find that there is an error (Make sure you are viewing the last messages)
“User authentication failed.”
• Click the error message and locate the reason in the preview section
• Verify in the trace file, for the “Status Message”
Perform a successful login with the RST and check for the user [email protected] in the OAS
6. In the Active Directory, make the user “OASEe260” member of the user group “OASEe260_group”, through the 'Member Of' tab
7. Perform a login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “[email protected]” with password “Test1234”
b. Verify the related messages
8. Check if the user was added in the OneSpan Authentication server
4.18 OASEe220: Authentication Elements: User: Dynamic User Registration
OneSpan Authentication server – Authentication Elements - Policies
Reference Number OASEe220
Title Authentication Elements: User: Dynamic User Registration
Est. time to complete 10 min
Type Mandatory
Purpose Learn how IDENTIKEY can automatically create users for you
Fast Track
In this exercise, we will learn how OAS can automatically create OAS users. This feature is named DUR or Dynamic User Registration. A
DUR of an OAS user is only done if in the policy:
• DUR is enabled.
• The Back-End Authentication is successful for the Back-End user.
During the exercise, we will use the “Windows” Back-End authentication. This means that the Windows user must exist.
NOTE: The policy may require an OAS “local authentication”; this is irrelevant, as the OAS user does not exist at the user’s first
authentication request.
Set up a policy named “pOASEe220”
• With DUR enabled
• With the Back-End Authentication set to “Windows”
• With the local authentication set to the “DIGIPASS/Password during Grace Period”
• Set the radius supported protocols to “any”
Verify that the user “OASEe220” does not exist
Perform a failing login with the RADIUS Simulator Tool as user “OASEe220” with the password “Test1234”
Create the user “OASEe220” in the Windows Active Directory
Perform a successful login with the RADIUS Simulator Tool as user “OASEe220” with the password “Test1234”
In exercise OASEe362, we will extend the lab “Authentication Elements: BACK-END: Server AD” with Dynamic User Registration and
User Info Synchronization.
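The two policy decisions described in OASEe260 (Windows Group Check) and in this exercise (DUR only after a successful Windows back-end authentication) can be modelled in a few lines. The following Python is an added illustration for this manual, not OneSpan code: the Active Directory snapshot, the OAS user table and the helper names are constructed for the example, and local authentication is deliberately left out because neither exercise exercises it.

```python
"""Model of the policy decisions exercised in OASEe260 and OASEe220:
Windows Group Check, Windows back-end authentication and Dynamic User
Registration (DUR). Added illustration, not OneSpan code; the directory
contents and the helper names are constructed for this example."""
from dataclasses import dataclass, field

REJECT_NOT_LISTED = "Reject Requests for users not listed groups"


@dataclass
class Policy:
    """Subset of the OAS policy options used by the two exercises."""
    dur: bool = False                  # "Dynamic User Registration"
    backend_protocol: str = "None"     # "Windows" or "None"
    group_check: str = "No Check"      # or REJECT_NOT_LISTED
    group_list: set = field(default_factory=set)   # "Windows Group List"


@dataclass
class Decision:
    accepted: bool
    reason: str
    dur_done: bool = False


def windows_backend_auth(ad, user, password):
    """Windows back-end authentication against a constructed AD snapshot:
    ad maps user -> {"password": ..., "groups": set(...)}."""
    entry = ad.get(user)
    return entry is not None and entry["password"] == password


def authenticate(policy, ad, oas_users, user, password):
    """One RADIUS password login, evaluated in the order the exercises show:
    1. Windows Group Check rejects users outside the listed groups.
    2. The Windows back-end authentication must succeed.
    3. Only then, if the OAS user is unknown and DUR is enabled, it is created."""
    if policy.group_check == REJECT_NOT_LISTED:
        member_of = ad.get(user, {"groups": set()})["groups"]
        if not (member_of & policy.group_list):
            return Decision(False, "user is not a member of a listed Windows group")
    if policy.backend_protocol != "Windows":
        return Decision(False, "local authentication is not modelled here")
    if not windows_backend_auth(ad, user, password):
        # Wording follows the trace message quoted in OASEe220.
        return Decision(False, "Windows Authentication failed: 1326 Logon failure")
    dur_done = False
    if user not in oas_users:
        if not policy.dur:
            return Decision(False, "OAS user does not exist and DUR is disabled")
        oas_users[user] = {"created_by": "DUR"}
        dur_done = True
    return Decision(True, "ok", dur_done)


def run_oasee260():
    """OASEe260: rejected while outside OASEe260_group, accepted (and DUR-ed)
    once the user has been added to the group."""
    policy = Policy(dur=True, backend_protocol="Windows",
                    group_check=REJECT_NOT_LISTED, group_list={"OASEe260_group"})
    ad = {"OASEe260": {"password": "Test1234", "groups": {"Domain Users"}}}
    oas_users = {}
    first = authenticate(policy, ad, oas_users, "OASEe260", "Test1234")
    ad["OASEe260"]["groups"].add("OASEe260_group")     # the 'Member Of' tab
    second = authenticate(policy, ad, oas_users, "OASEe260", "Test1234")
    return first, second


def run_oasee220():
    """OASEe220: no DUR while the Windows user is missing; DUR once it exists."""
    policy = Policy(dur=True, backend_protocol="Windows")
    ad = {}
    oas_users = {}
    first = authenticate(policy, ad, oas_users, "OASEe220", "Test1234")
    ad["OASEe220"] = {"password": "Test1234", "groups": {"Domain Users"}}
    second = authenticate(policy, ad, oas_users, "OASEe220", "Test1234")
    return first, second, "OASEe220" in oas_users


if __name__ == "__main__":
    for name, run in (("OASEe260", run_oasee260), ("OASEe220", run_oasee220)):
        print(name, *run())
```

The order of the checks is the point: the group filter runs before any back-end round trip, and the OAS user record is only ever created after the back-end has vouched for the credentials, which is why a failing Windows logon in step 4 leaves no trace in the OAS user list.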
Detailed Steps
1. Set up a policy named “pOASEe220”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select “POLICIES” and click on “Create”
e. Enter the required information
• Policy ID: “pOASEe220”
• Inherits from: “None”
• Enter a description if desired
f. Make these changes to the Policy “pOASEe220”
• Located in the tab “Policy”
o With the local authentication set to the “DIGIPASS/Password during Grace Period”
o with the back-end Authentication set to “Always”
o with the Authentication protocol set to “Windows”
• Located in the tab “user”
o with Dynamic User Registration set to “Yes”
• Find in the tab “Digipass”
o Set the grace period to 7 days
• In the “Radius” Tab
o Set the supported protocols to “any”
2. Verify that the user “OASEe220”
a. Does not exist in the OAS (Do a “Search”)
b. Does not exist in the Active Directory.
c. Do not create the user
3. Link the policy “pOASEe220” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe220”
• Click on “SAVE”
Perform a failing login with the RST
The authentication will fail as the Windows user “OASEe220” does not exist. Hence the ‘Windows’ Back-End Authentication will fail. As this
fails, the user “OASEe220” will not be created as an OAS user.
4. Perform a FAILING login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe220” with password “Test1234”
b. Verify the related messages
• Check first in the audit viewer for warnings or errors
• You will find that there is an error (Make sure you are viewing the last messages)
“User authentication failed”.
• Click the error message and locate the reason in the preview section
• Verify in the trace file, for the ‘processing’ reason for the failing authentication.
• Check for the messages
Error message: <Windows Authentication failed: 1326 Logon failure: unknown user name or bad password.>
Perform a successful login with the RST and check for the dpuser in the OAS
Create the Windows user “OASEe220”.
Authenticate to the OAS. As the Windows user exists, the Windows Back-End authentication will succeed, and the OneSpan
Authentication server will create the IDENTIKEY user “OASEe220”.
5. Create the user “OASEe220” in the Windows Active Directory (see OASPe020)
6. Perform a login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe220” with password “Test1234”
b. Verify the related messages
7. Check if the user was added in the OneSpan Authentication server
4.19 OASEe240: Authentication Elements: User: PASSWORD AUTO-LEARN, PASSWORD
PROXY
OAS 3.21 – Authentication Elements - Policies
Reference Number OASEe240
Title Authentication Elements: User: PASSWORD AUTO-LEARN, PASSWORD PROXY
Est. time to complete 10 min
Type Mandatory
Purpose Learn how the OAS can use the learned backend password of a user
Fast Track
In this exercise, we will learn how the OneSpan Authentication server can use the learned backend password of a user.
When a user logs in with only his OTP, the OAS can send a “learned” back-end password to the back-end server.
The advantage is that the user does not have to send both his OTP and this back-end password for every login.
Set up a policy named “pOASEe240” which inherits from: “Identikey RADIUS Password Replacement”
• With the Back-End Authentication set to “Windows”
• With the local authentication set to the “DIGIPASS/Password during Grace Period”
• With DUR enabled
• Set Stored Password Proxy to Yes
• Set Password Auto-learn to Yes
Create the user “OASEe240” in the Windows Active Directory
Perform a successful login with the RADIUS Simulator Tool as user “OASEe240” with the password “Test1234”
With the first login, we will DUR the user and auto-learn the user's Windows password. The Windows password is stored in
the OAS as the local static password. Next, we assign a DIGIPASS to the user and log in. During the login, the OAS will first verify the
OTP.
Next, the user authenticates against Windows with the learned password.
Assign a DIGIPASS to the user “OASEe240”.
Login with the radius simulator.
De-assign the DIGIPASS from user.
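The sequence of logins in this exercise (plain password while no DIGIPASS is assigned, OTP only, static password + OTP, OTP only again) is easiest to follow as code. The Python below is an added illustration, not OneSpan code. It assumes, for the sake of the model, that the Response Only OTP of the demo DP300 is six digits long so that a submitted password of the form "<static password><OTP>" can be split, and it checks OTPs against a constructed list instead of a real DIGIPASS algorithm; the function and class names are likewise constructed.

```python
"""Model of Password Auto-learn and Stored Password Proxy (OASEe240).
Added illustration, not OneSpan code. Assumptions (not from the lab text):
the Response Only OTP is 6 digits, so a submitted password of the form
"<static password><OTP>" is split on that length, and OTPs are verified
against a constructed list instead of a real DIGIPASS algorithm."""

OTP_LEN = 6                         # assumed length of the demo DP300 response
WINDOWS_PASSWORD = "Test1234"       # password of OASEe240 in the constructed AD


def windows_backend_auth(user_id, password):
    """Constructed stand-in for the Windows back-end: one known user."""
    return user_id == "OASEe240" and password == WINDOWS_PASSWORD


class OasUser:
    def __init__(self, user_id):
        self.user_id = user_id
        self.stored_password = None      # learned Windows password
        self.digipass_otps = None        # None = no DIGIPASS assigned


def login(user, submitted, proxy_enabled, auto_learn):
    """Evaluate one RADIUS login; returns (accepted, detail).
    proxy_enabled = policy 'Stored Password Proxy', auto_learn = 'Password Auto-learn'."""
    if user.digipass_otps is None:
        # No DIGIPASS assigned: a plain Windows password login (the DUR situation).
        if not windows_backend_auth(user.user_id, submitted):
            return False, "Windows back-end authentication failed"
        if auto_learn:
            user.stored_password = submitted
        return True, "password login"
    if len(submitted) < OTP_LEN:
        return False, "too short to contain an OTP"
    static_part, otp = submitted[:-OTP_LEN], submitted[-OTP_LEN:]
    if otp not in user.digipass_otps:
        return False, "OTP rejected"
    user.digipass_otps.remove(otp)      # an OTP is accepted only once
    if static_part:
        backend_password = static_part
    elif proxy_enabled and user.stored_password is not None:
        backend_password = user.stored_password   # Stored Password Proxy
    else:
        return False, "OTP OK, but no Windows password to send to the back-end"
    if not windows_backend_auth(user.user_id, backend_password):
        return False, "OTP OK, Windows back-end authentication failed"
    if auto_learn and static_part:
        user.stored_password = static_part        # Password Auto-learn
    return True, "OTP + " + ("supplied" if static_part else "proxied") + " password"


def run_oasee240():
    """The four logins of OASEe240 steps 4, 8, 9 and 10, in that order."""
    user = OasUser("OASEe240")
    results = []
    # Step 4: DUR with the Windows password, Password Auto-learn still "NO".
    results.append(login(user, "Test1234", proxy_enabled=True, auto_learn=False))
    user.digipass_otps = ["123456", "234567", "345678"]   # constructed demo OTPs
    # Step 8: OTP only, nothing learned yet -> fails at the back-end.
    results.append(login(user, "123456", proxy_enabled=True, auto_learn=False))
    # Step 9: Auto-learn set to "YES", password "Test1234" + OTP -> learned.
    results.append(login(user, "Test1234234567", proxy_enabled=True, auto_learn=True))
    # Step 10: OTP only, the stored password is proxied to Windows.
    results.append(login(user, "345678", proxy_enabled=True, auto_learn=True))
    return results, user.stored_password


if __name__ == "__main__":
    for accepted, detail in run_oasee240()[0]:
        print(accepted, detail)
```

Note that the learned password is only ever written after both the OTP and the back-end have accepted the login, so a wrong static password typed in front of a valid OTP is never stored.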
Detailed Steps
1. Set up a policy named “pOASEe240”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select “POLICIES” and click on “Create”
e. Enter the required information
• Policy ID: “pOASEe240”
• Inherits from: “Identikey RADIUS Password Replacement”
• Enter a description if desired
f. Make these changes to the Policy “pOASEe240”
• For the tab “policy”
o Set Local Auth. to DIGIPASS/Password during Grace Period
o Set Back-End Auth. to Always
o Set Back-End Protocol to Windows
• For the tab “User”
o Set the DUR to Yes
o Set Stored Password Proxy to Yes
o Set Password Auto-learn to NO
• For the tab “Digipass”
o Set Application Type to Response Only
o Set the Grace Period to 7 days
2. Link the policy “pOASEe240” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe240”
• Click on “SAVE”
3. Create the user “OASEe240” in the Windows Active Directory (see OASPe020)
Perform a successful login with the RST, DUR the user and check for the user OASEe240 in the OAS
4. Perform a login using a PASSWORD (To configure the RST see OASEe109)
When the Windows back-end authentication succeeds, the OAS will add the user to its database.
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe240” with password “Test1234”
b. Verify the related messages
5. Check if the user “OASEe240” was added in the OneSpan Authentication server. In other words, did the DUR happen?
As it is a pure “DUR” situation, the user can login with the Windows password and the OAS user is created.
6. Verify if a DIGIPASS is uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID, then you can first move the DIGIPASS to the master domain; and next continue at step 7
c. If the list shows a DIGIPASS with a UserID, then you can deassign the DIGIPASS and continue to step 7
d. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx”
• Enter the Transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
7. Assign a DIGIPASS record to the user “OASEe240”
a. Open the Web Admin
b. Click on the tab “USERS”
c. Search for the user “OASEe240” using the criteria in the “Search Users” tab
• Enter “OASEe240” in the field “User ID”
• Click on the button “SEARCH”
d. Mark the user “OASEe240” and click on “Assign DIGIPASS”
e. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
f. Under the “5. Options” tab Click on “ASSIGN”
g. In the tab “6. Finish”
• Note that a DIGIPASS was assigned, for example: “0097123456”
• Click on Finish
8. Perform a failing login with a specific policy for the RADIUS Simulator Tool (to configure the RST, please refer to the exercise OASEe109).
The Windows password has not been learned yet, so a login with only the OTP will fail: the OTP verifies OK, but the back-end Windows
authentication fails because the OAS has no learned password to send.
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe240” with password = the response from the DIGIPASS
9. Make the OAS learn the windows password through the policy setting
a. Make these changes to the Policy “pOASEe240”
• For the tab “User”
o Set Password Auto-learn to YES
b. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
• Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
• Authenticate the user with the RADIUS Simulator Tool (RST)
o Click on a NAS Port (Yellow Box)
o Authenticate as User ID “OASEe240” with password “Test1234” + the response from the DIGIPASS
10. Verify if the OAS has learned the Windows password.
As you only logged in with an OTP, the OAS must fetch the Windows password from its database and proxy it to Windows.
• Perform a successful login with only the OTP as a password
11. If you only imported 1 DIGIPASS then de-assign the DIGIPASS from user “OASEe240”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe240”
c. Click deassign DIGIPASS and “OK”
4.20 OASEe276: Authentication Elements: User: Expire Part 1
OneSpan Authentication server – Authentication Elements - Users
Reference Number OASEe276
Title Authentication Elements: User: Expire Part 1
Est. time to complete 10 min
Type Mandatory
Purpose Learn how to expire user accounts
Fast Track
Create a user “OASEe276_1” in the Web Admin and set the expiry date to the next day
Set up a policy named “pOASEe276_1” that inherits from “IDENTIKEY Local Authentication with Auto-Unlock”
Perform a successful login with “OASEe276_1” using a specific policy for the RADIUS Simulator Tool “OASEe276_1”
Set up a policy named “pOASEe276_2” that inherits “IDENTIKEY Local Authentication with Auto-Unlock”, with “Max Days Since User Login” = 1
Perform a successful login with “OASEe120” using a specific policy for the RADIUS Simulator Tool
Detailed Steps
1. Create a user “OASEe276_1” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe276_1”
• Password: “Test1234”
• Expires At: Next day at 6h00
2. Set up a policy named “pOASEe276_1”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe276_1”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
3. Link the policy “pOASEe276_1” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe276_1”
• Click on “SAVE”
4. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe276_1” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
5. Set up a policy named “pOASEe276_2”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe276_2”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
c. Edit the policy and set the “Max Days Between Authentications/ Max Days Since User Login” to “1” in the user Tab
6. Link the policy “pOASEe276_2” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe276_2”
• Click on “SAVE”
OASEe275: Authentication Elements: User: Unlock Users
OneSpan Authentication server – Authentication Elements - Users
Reference Number OASEe275
Title Authentication Elements: User: Unlock Users
Est. time to complete 15 min
Type Mandatory
Purpose Learn how to unlock user accounts
Fast Track
Create a user “OASEe275” in the Web Admin
Verify if a DIGIPASS is uploaded in OAS
Assign a DIGIPASS record to the user “OASEe275”
Set up a policy named “pOASEe275” that inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
Perform 4 failing logins with a specific policy for the RADIUS Simulator Tool
Unlock the user “OASEe275”
Perform 4 failing logins with a specific policy for the RADIUS Simulator Tool
Unlock the user “OASEe275” with the auto-unlock feature
Deassign the DIGIPASS from user “OASEe275”
Detailed Steps
1. Create a user “OASEe275” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe275”
• Password: “Test1234”
2. Verify if a DIGIPASS is uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID you can continue to step 3
c. If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx”
• Enter the Transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
3. Assign a DIGIPASS record to the user “OASEe275”
a. Click on the tab “USERS”
b. Search for the user “OASEe275” using the criteria in the “Search Users” tab
• Enter “OASEe275” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe275” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
• Click on Finish
4. Set up a policy named “pOASEe275”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe275”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
5. Link the policy “pOASEe275” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe275”
• Click on “SAVE”
6. Perform 4 failing logins with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe275” with password “888888”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
d. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe275” with password “888888”
e. Check for the related messages in the Audit Viewer
f. Check for the related messages in the tracing file
g. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe275” with password “888888”
h. Check for the related messages in the Audit Viewer
i. Check for the related messages in the tracing file
j. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe275” with password “888888”
k. Check for the related messages in the Audit Viewer
l. Check the events in the User dashboard
m. Check for the related messages in the tracing file
n. Verify the OAS Trace file for “<Digipass User account is locked>”
7. Unlock the user “OASEe275”
a. Open the Web Admin
b. Click on the tab “USERS”
c. Search for the user “OASEe275”
d. Click the user and in the manage user window click unlock
8. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe275” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check the events in the User dashboard
e. Check for the related messages in the tracing file
In the first part of this exercise, the user is unlocked by the administrator. Alternatively, the user can use the auto-unlock
feature, which allows the user to unlock without intervention of an administrator.
9. Set up a policy named “pOASEe275b”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe275b”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
c. Make these changes to the Policy “pOASEe275b”
• For the tab “User”
o Set the Minimum Lock Duration (minutes) to “1”
This change sets the minimum time that a user stays locked.
10. Link the policy “pOASEe275b” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe275b”
• Click on “SAVE”
11. Lock the account. Perform 3 failing logins with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
Perform step a below, exactly 3 times, so that the account becomes locked
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe275” with password “888888”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
d. Check the events in the User dashboard
e. Verify the OAS Trace file for “<Digipass User account is locked>”
12. Unlock the user “OASEe275” by performing a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109).
Note: this will only work if you have waited for at least one minute.
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe275” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check the events in the User dashboard
e. Check for the related messages in the tracing file
You will see, later, how we can unlock a user via the “OAS USER Websites”, see OASEe520.
13. Deassign the DIGIPASS from user “OASEe275”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe275”
c. Click deassign DIGIPASS and “OK”
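The lock, administrator unlock and auto-unlock behaviour of this exercise can be followed as a small state machine. The Python below is an added illustration for this manual, not OneSpan code: the number of failed logins that locks the account is a parameter (the exercise locks the user after the failing logins of step 11, but does not state the policy's own threshold, so 3 is used here as an assumption), the “Minimum Lock Duration” is the one minute set in step 9, and the class and function names are constructed.

```python
"""Model of the user lock / unlock behaviour exercised in OASEe275: a user is
locked after repeated failed logins, an administrator can unlock the user, or
auto-unlock lets a correct OTP unlock the account once the policy's Minimum
Lock Duration has passed. Added illustration, not OneSpan code; the failure
threshold is an assumed parameter, not a value stated in the lab."""
from datetime import datetime, timedelta


class LockPolicy:
    def __init__(self, max_failures, auto_unlock, min_lock_minutes):
        self.max_failures = max_failures        # assumed: failed logins before locking
        self.auto_unlock = auto_unlock          # "IDENTIKEY ... with Auto-Unlock"
        self.min_lock = timedelta(minutes=min_lock_minutes)   # Minimum Lock Duration


class UserLockState:
    def __init__(self):
        self.failed_logins = 0
        self.locked_since = None

    @property
    def locked(self):
        return self.locked_since is not None

    def unlock(self):
        """Clear the lock and the failure counter (step 7: the administrator
        clicks 'unlock' in the Web Admin; also used by auto-unlock)."""
        self.failed_logins = 0
        self.locked_since = None


def attempt_login(state, policy, otp_valid, now):
    """Return (accepted, audit message) for one login at time `now`."""
    if state.locked:
        too_early = now - state.locked_since < policy.min_lock
        if not policy.auto_unlock or too_early or not otp_valid:
            return False, "Digipass User account is locked"
        state.unlock()
        return True, "auto-unlocked by successful login"
    if otp_valid:
        state.failed_logins = 0
        return True, "authentication successful"
    state.failed_logins += 1
    if state.failed_logins >= policy.max_failures:
        state.locked_since = now
        return False, "User authentication failed; Digipass User account is locked"
    return False, "User authentication failed"


def run_auto_unlock():
    """Steps 11 and 12: wrong password three times, a correct OTP too early
    (still locked), then a correct OTP after the minute has passed."""
    t0 = datetime(2021, 1, 1, 9, 0, 0)                       # constructed clock
    policy = LockPolicy(max_failures=3, auto_unlock=True, min_lock_minutes=1)
    state = UserLockState()
    log = []
    for i in range(3):
        log.append(attempt_login(state, policy, False, t0 + timedelta(seconds=i)))
    log.append(attempt_login(state, policy, True, t0 + timedelta(seconds=30)))
    log.append(attempt_login(state, policy, True, t0 + timedelta(seconds=70)))
    return log, state.locked


def run_admin_unlock():
    """Steps 6 to 8 without auto-unlock: only the administrator can unlock."""
    t0 = datetime(2021, 1, 1, 9, 0, 0)
    policy = LockPolicy(max_failures=3, auto_unlock=False, min_lock_minutes=1)
    state = UserLockState()
    for i in range(3):
        attempt_login(state, policy, False, t0 + timedelta(seconds=i))
    still_locked = attempt_login(state, policy, True, t0 + timedelta(hours=1))[0]
    state.unlock()
    after_unlock = attempt_login(state, policy, True, t0 + timedelta(hours=1))[0]
    return still_locked, after_unlock


if __name__ == "__main__":
    for accepted, message in run_auto_unlock()[0]:
        print(accepted, message)
    print(run_admin_unlock())
```

The detail worth noticing is that during the minimum lock duration even a correct OTP is refused with the same “account is locked” message the trace file shows, so the OTP cannot be used to probe whether the lock has expired.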
4.21 OASEe265: Authentication Elements: User: RADIUS attributes
OneSpan Authentication server – Authentication Elements - Policies
Reference Number OASEe265
Title Authentication Elements: User: RADIUS attributes
Est. time to complete 10 min
Type Mandatory
Purpose Learn how RADIUS attributes can be sent to a RADIUS client
Fast Track
In this exercise, you will learn how the RADIUS attributes assigned to a user are filtered by the policy before they are sent to the
RADIUS client.
We will assign RADIUS attributes to the user. The RADIUS attributes will be grouped in 2 separate groups, being WIFI and RST.
Next, we will create a policy in which only the sending of the attributes belonging to the RADIUS attribute group RST is allowed. Then we
will create a client and link the client to the policy. During the authentication process, the OAS will filter all the assigned attributes for the
RADIUS attribute group name RST. The OAS will send only the RADIUS attributes that the policy allows.
Create a user “OASEe265” in the Web Admin with Password “Test1234”
In the Web Admin, add RADIUS attributes to the user “OASEe265”
Set up a policy named “pOASEe265”
Perform a login using a PASSWORD
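To make the filtering step concrete, the following Python applies the policy's “RADIUS Reply Attributes Group List” to the four attributes this exercise assigns to OASEe265 and then encodes the survivors as RADIUS attribute type/length/value fields, the form in which the RST receives them in the Access-Accept. It is an added illustration, not OneSpan code: the attribute values are the ones from step 2 of the exercise, the type codes are the standard RADIUS ones (RFC 2865), and the function and class names are constructed.

```python
"""Filtering of a user's RADIUS attributes by the policy's 'RADIUS Reply
Attributes Group List' (OASEe265), and encoding of the survivors as RADIUS
attribute TLVs. Added illustration, not OneSpan code; function and class
names are constructed, attribute values are those assigned in the exercise."""
import socket
import struct
from dataclasses import dataclass

# RADIUS attribute type codes from RFC 2865.
ATTR_TYPES = {"Framed-IP-Address": 8, "Reply-Message": 18, "Session-Timeout": 27}


@dataclass
class UserRadiusAttribute:
    name: str
    group: str
    value: str


# The attributes assigned to OASEe265 in step 2 of the exercise.
OASEE265_ATTRIBUTES = [
    UserRadiusAttribute("Reply-Message", "WIFI", "WIFI Blocked by the policy"),
    UserRadiusAttribute("Framed-IP-Address", "WIFI", "1.2.3.5"),
    UserRadiusAttribute("Reply-Message", "RST", "RST Allowed By The Policy"),
    UserRadiusAttribute("Session-Timeout", "RST", "200"),
]


def filter_reply_attributes(user_attrs, reply_attributes, group_list):
    """Apply the policy: only attributes whose group is listed are returned,
    and nothing at all when 'RADIUS Reply Attributes' is set to No."""
    if not reply_attributes:
        return []
    allowed = {g.strip() for g in group_list.split(",") if g.strip()}
    return [a for a in user_attrs if a.group in allowed]


def encode_attribute(attr):
    """Encode one attribute as RADIUS type / length / value; the length byte
    covers the two header bytes, so the value is limited to 253 bytes."""
    code = ATTR_TYPES[attr.name]
    if attr.name == "Framed-IP-Address":
        value = socket.inet_aton(attr.value)          # 4-byte address
    elif attr.name == "Session-Timeout":
        value = struct.pack("!I", int(attr.value))    # 32-bit big-endian integer
    else:
        value = attr.value.encode("utf-8")            # text attribute
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([code, len(value) + 2]) + value


def decode_attributes(payload):
    """Parse a sequence of RADIUS attribute TLVs back into (type, value) pairs,
    rejecting a malformed length so a truncated payload is not misread."""
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        code, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("invalid attribute length")
        out.append((code, payload[pos + 2:pos + length]))
        pos += length
    return out


def reply_attributes_for_client(group_list="RST"):
    """What the RST receives in the Access-Accept for OASEe265 under pOASEe265:
    the filtered attribute list and its wire encoding."""
    allowed = filter_reply_attributes(OASEE265_ATTRIBUTES, True, group_list)
    payload = b"".join(encode_attribute(a) for a in allowed)
    return allowed, payload


if __name__ == "__main__":
    allowed, payload = reply_attributes_for_client()
    for a in allowed:
        print(a.group, a.name, a.value)
    print(payload.hex())
```

Running it shows only the two RST attributes surviving, with the WIFI Reply-Message and Framed-IP-Address dropped before anything is put on the wire, which is what the “Returned Radius Attributes” panel of the RST should confirm in step 5.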
Detailed Steps
1. Create a user “OASEe265” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe265”
• Password: “Test1234”
• In the tab “Policy Overrides”, set the Local Authentication to “DIGIPASS/Password during Grace Period”
• Set the Back-End Authentication to “None”
2. In the Web Admin, add RADIUS attributes to the user “OASEe265”
a. In the Web Admin list the users and click on the user “OASEe265”
b. Click on the tab “User Attributes”
c. Click on the button “ADD RADIUS ATTRIBUTE”
d. Add attributes to the group WIFI
• The attribute “Reply-Message”
o For Attribute Name, in the drop-down list, select the attribute “Reply-Message”
o In the field “Attribute group”, enter “WIFI”
o In the field “Value”, enter “WIFI Blocked by the policy”
o Click on the “CREATE” button
• The attribute “Framed-IP-Address”
o For Attribute Name, in the drop-down list, select the attribute “Framed-IP-Address”
o In the field “Attribute group”, enter “WIFI”
o In the field “Value”, enter “1.2.3.5”
o Click on the “CREATE” button
e. Add attributes to the group RST
• The attribute “Reply-Message”
o For Attribute Name, in the drop-down list, select the attribute “Reply-Message”
o In the field “Attribute group”, enter “RST”
o In the field “Value”, enter “RST Allowed By The Policy”
o Click on the “CREATE” button
• The attribute “Session-Timeout”
o For Attribute Name, in the drop-down list, select the attribute “Session-Timeout”
o In the field “Attribute group”, enter “RST”
o In the field “Value”, enter “200”
o Click on the “CREATE” button
f. List the RADIUS attributes for this user
• In the Web Admin list the users and click on the user “OASEe265”
• Click on the tab “User Attributes”
• Sort the attributes on their group name
o Next to “Select All”, select and click on “Attribute Group”
3. Set up a policy named “pOASEe265”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe265”
• Inherits from: “IDENTIKEY RADIUS Password Replacement”
• Enter a description if desired
c. List the policies
d. Click the newly created policy
e. Click on the tab “Policy”
• Click on the button “EDIT”
• For “Back-End Authentication”, in the drop-down box, select “None”
f. Click on the tab “USER”
• Click on the button “EDIT”
• For “RADIUS Reply Attributes”, in the drop-down box, select “Yes”
• In the field RADIUS Reply Attributes Group List, enter “RST”
• Click On the button “SAVE”
g. Set the RADIUS authentication protocols that are allowed for this policy
• Click on the tab “RADIUS”
• Click on the “EDIT” button
• For Supported Protocols, in the drop-down box, select “Any”
• Click on the button “SAVE”
4. Link the policy “pOASEe265” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe265”
• Click on “SAVE”
5. Perform a login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe265” with password “Test1234”
b. Verify the Returned Radius Attributes
4.22 OASEe330: Authentication Elements: DIGIPASS: Unlock / Reset
OAS – Authentication Elements - DIGIPASS
Reference Number OASEe330
Title Authentication Elements: DIGIPASS: Unlock / Reset
Est. time to complete 10 min
Type Mandatory
Purpose Unlock a Pin Pad DIGIPASS
Fast Track
Application Reset
Find a DIGIPASS 300 in the OAS
Manage the DIGIPASS APPL 1
Test an OTP
Look at the ‘Sync Window Reset’, ‘Last Time Shift’ and ‘Last Time Used’
Reset the application
Look at the ‘Sync Window Reset’, ‘Last Time Shift’ and ‘Last Time Used’
DIGIPASS Unlock
Find a demo DIGIPASS 300/270 in the OAS
Manage the DIGIPASS APPL 1
Verify, in the WebAdmin, the APPL1/RO of the DIGIPASS, against the OTP generated by the DIGIPASS 300/270. Do this BEFORE
locking the hardware DIGIPASS.
Lock a physical demo DIGIPASS 300/270 by entering several times a wrong PIN until the DIGIPASS is locked
Find a demo DIGIPASS 300/270 in the OAS
Manage the DIGIPASS APPL 1
Click the unlock button
Generate an unlock code
Enter the unlock code in the locked DIGIPASS
TIPS: DIGIPASS 270 Usage
1. A DIGIPASS 270 can be unlocked by first pressing the “<|” (triangle) button. Keep this pressed. Next, press the button with the
unlock signal. The DIGIPASS PIN is 12541.
Next, to get an OTP press 1; for a Challenge/ Response press 2;
2. Pressing the “<|” button is like pressing the return button.
4.23 OASEe270: Authentication Elements: DIGIPASS: Link Users
OneSpan Authentication server – Authentication Elements - Users
Reference Number OASEe270
Title Authentication Elements: DIGIPASS: Link Users
Est. time to complete 10 min
Type Mandatory
Purpose Learn how to use one DIGIPASS with 2 user accounts
Fast Track
Create a user “OASEe270_ImFirst” in the Web Admin
Verify if a DIGIPASS is uploaded in the OAS
Assign a DIGIPASS record to the user “OASEe270_ImFirst”
Create a user “OASEe270_ImLinked” in the Web Admin
Link the user “OASEe270_ImLinked” to the user “OASEe270_ImFirst”
Set up a policy named “pOASEe270” that inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
Perform a successful login with a specific policy for the RADIUS Simulator Tool
Deassign the DIGIPASS from user “OASEe270_Imfirst”
Verify the account link from user “OASEe270_ImLinked”
Detailed Steps
Note
During the exercises, you could have failing authentications. Please do check, during the exercise, if the OAS account is locked. If
required, unlock before proceeding with the exercise.
1. Create a user “OASEe270_ImFirst” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe270_ImFirst”
• Password: “Test1234”
2. Verify if a DIGIPASS is uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID you can continue to step 3
c. If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx”
• Enter the transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
3. Assign a DIGIPASS record to the user “OASEe270_ImFirst”
a. Open the Web Admin
b. Click on the tab “USERS”
c. Search for the user “OASEe270_ImFirst” using the criteria in the “Search Users” tab
• Enter “OASEe270_ImFirst” in the field “User ID”
• Click on the button “SEARCH”
d. Mark the user “OASEe270_ImFirst” and click on “Assign DIGIPASS”
e. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
f. Under the “5. Options” tab Click on “ASSIGN”
g. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
• Click on Finish
4. Create a user “OASEe270_ImLinked” in the Web Admin
a. Select the tab “USERS” and click on “create”
• Create user: “OASEe270_ImLinked”
• Password: “Test1234”
5. Link the user “OASEe270_ImLinked” to the user “OASEe270_ImFirst”
a. “Manage” the user “OASEe270_ImLinked”
b. Under the tab “User Account”, click on the button “LINK”
c. Proceed through the “LINK” wizard.
d. Under the tab “1. Search User”, enter “OASEe270_Imfirst” in the field “User ID”
e. Under the tab “2. Search Result” and mark the user “OASEe270_imfirst” and click on the button “NEXT”
f. Proceed through the “LINK” wizard
g. List all users
h. Note that the Serial Number of the linked token is shown between []
6. Set up a policy named “pOASEe270”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe270”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
7. Link the policy “pOASEe270” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe270”
• Click on “SAVE”
8. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe270_ImLinked” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
9. Deassign the DIGIPASS from user “OASEe270_Imfirst”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe270_Imfirst”
c. Click deassign DIGIPASS and “OK”
10. Verify the account link from user “OASEe270_ImLinked”.
Is there still a Digipass linked?
4.24 OASEe320: Authentication Elements: DIGIPASS: Authentication local with SERVER PIN
OAS – Authentication Elements - DIGIPASS
Reference Number OASEe320
Title Authentication Elements: DIGIPASS: Authentication local with SERVER PIN
Est. time to complete 10 min
Type Mandatory
Purpose Learn how to use a server pin
Fast Track
Create a user “OASEe320” in the Web Admin
Verify if a Go series DIGIPASS is uploaded in the OAS
Assign a DIGIPASS record to the user “OASEe320”
Set the Server Pin to “1234”
Set up a policy named “pOASEe320” copy from: “IDENTIKEY Local Authentication with Auto-Unlock”
Link the policy “pOASEe320” to the Radius client
Perform a successful login with a specific policy for the RADIUS Simulator Tool
Detailed Steps
1. Create a user “OASEe320” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe320”
• Password: “Test1234”
2. Verify if a Go series DIGIPASS is uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID you can continue to step 3
c. If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• You can also import a .dpx file from the “IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso”.
In the directory SEAL-DPX, select the file 3_DemoGO1_PIN_10.DPX
OR
Load 1 DIGIPASS from the file “Demo_Go….dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx”
• Enter the transport key “11111111111111111111111111111111”
Alternatively, just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
3. Assign a DIGIPASS record to the user “OASEe320”
a. Click on the tab “USERS”
b. Search for the user “OASEe320” using the criteria in the “Search Users” tab
• Enter “OASEe320” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe320” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Set the DIGIPASS Type to e.g., DPGO1
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456” (Must be a Go Series)
• Click on Finish
4. Set the Server Pin to “1234”
a. Click the DIGIPASS serial number
b. Click “APPLI 1” or “GO1 SRV PIN”
c. Click “Set PIN”
d. Set the Server Pin “1234”
5. Set up a policy named “pOASEe320”
a. Select “POLICIES” and click on “List”
b. Open the “IDENTIKEY Local Authentication with Auto-Unlock”
c. Click the “copy” button
d. Enter the required information
• Policy ID: “pOASEe320”
• Enter a description if desired
6. Link the policy “pOASEe320” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe320”
• Click on “SAVE”
7. List the policy settings in the Command-Line Administration
a. Start the OAS's 'Command-Line Administration'
• Press Windows +Q
• Search for programs and files for “OAS” and start “OAS Command-line Administration” or “dpadmincmd.exe”
b. Enter the following commands:
Help
logon {userid iasadmin password Test1234}
### comment get the attributes of the policy
policy get {policy_id pOASEe320 }
### comment get the real-time attributes of the policy
policy get_effective {policy_id pOASEe320}
8. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe320” with password PIN and the response from the DIGIPASS
9. If you only imported 1 DIGIPASS then deassign the DIGIPASS from user “OASEe320”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe320”
c. Click deassign DIGIPASS and “OK”
OASEe340: Authentication Elements: DIGIPASS: Expire
OneSpan Authentication server – Authentication Elements - Users
Reference Number OASEe340
Title Authentication Elements: DIGIPASS: Expire
Est. time to complete 10 min
Type Mandatory
Purpose Learn how to expire a DIGIPASS
Fast Track
Create a user “OASEe340” in the Web Admin
Verify if a DIGIPASS is uploaded in the OAS
Assign a DIGIPASS record to the user “OASEe340”
Set up a policy named “pOASEe340” that inherits from “IDENTIKEY Local Authentication with Auto-Unlock”, with “DIGIPASS” “Expiration
Period” = 1
Perform a successful login with a specific policy for the RADIUS Simulator Tool
Deassign the DIGIPASS from user “OASEe340”
Detailed Steps
1. Create a user “OASEe340” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe340”
• Password: “Test1234”
2. Verify if a DIGIPASS is uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID you can continue to step 3
c. If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx”
• Enter the transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
3. Assign a DIGIPASS record to the user “OASEe340”
a. Click on the tab “USERS”
b. Search for the user “OASEe340” using the criteria in the “Search Users” tab
• Enter “OASEe340” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe340” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
• Click on Finish
g. Click the DIGIPASS serial number
h. Change the “Expires At” date of the DIGIPASS to today's date
i. Click on “Finish”
4. Set up a policy named “pOASEe340”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe340”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
5. Link the policy “pOASEe340” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Mark the button next to the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Click on the button “CHANGE POLICY”
d. Link the (new) policy to the client
• In the new window, next to “Policy ID”, select “pOASEe340” from the list
• Click on “Yes”
6. Perform a failing login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe340” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer. Something like “The temporary user account has expired”.
d. Check for the related messages in the tracing file
7. Deassign the DIGIPASS from user “OASEe340”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe340”
c. Click deassign DIGIPASS and “OK”
4.25 OASEe360: Authentication Elements: BACK-END: RADIUS Server IAS / NAP / NPS
OAS – Authentication Elements - Back-End
Reference Number OASEe360
Title Authentication Elements: BACK-END: RADIUS Server IAS / NAP / NPS
Est. time to complete 20 min
Type Mandatory
Purpose Authenticate against a back-end RADIUS server
Fast Track
In this exercise, you will set up a topology where the RST is a client of the OAS (IDENTIKEY server). The OAS, in its turn, is a client of
the NAP/NPS server. In this topology, you will verify how the OAS passes through the RADIUS attributes sent by the NAP/NPS RADIUS
server.
Authenticate against the OAS using an OTP, followed by back-end authentication on the Windows RADIUS server (IAS / NAP / NPS) with
the user's stored static password. If the authentication on the RADIUS server is successful, NPS sends a RADIUS attribute (a
Reply-Message "hello" message) back to the OAS. The OAS relays this message to the RST.
We will also learn how the user's realm/domain name is used by the OAS. The back-end record for the RADIUS back-end server will be
specific to the realm domain “onespan.local”. You will first do a successful login, as the username “OASEe360@onespan.local” contains the
realm name. Next, you will do a failing login with the user “radiusBA” because it lacks the realm/domain name.
Create the OAS domain “onespan.local” in the OAS database
Set up a policy named “pOASEe360” inherited from: “IDENTIKEY Radius Password Replacement”
Register a Radius Back-End with IP address: 10.10.200.75 /AWS INTERNAL IP ADDRESS and Port: 21812
Create the user “OASEe360” with the password “Test1234” in Windows
Create the user “OASEe360” with the password “Test1234” in OAS, in the domain “onespan.local”
Assign a DIGIPASS to the user “OASEe360”
Upload a DIGIPASS in the domain “onespan.local” in the OneSpan Authentication server
Configure the windows 2008 NAP/NPS server to send a RADIUS hello message attribute
Login to the OAS and the Windows NAP using the radius simulator
Detailed Steps
1. If you are working on an AWS machine, you must first set up the NPS
a. Enable the server role Network Policy and Access Services
• Start the server manager
• Add Roles and Features
• Continue
• Select “Role based or feature-based installation”
• Select the local machine
• Add “Network Policy and Access Services”
• Continue with the wizard
b. Setup the Network Policy and Access Services ports
• From the server manager, start the tool, “Network Policy Server”
• Select NPS (local), and start the Properties
• Select the ports
• Set Authentication to 21812,21645
• Set Accounting to 21813,21646
• Apply
• OK
c. Add the OAS as a client on the Network Policy and Access Services
• Select RADIUS Clients
• Add a new one
• Enable the RADIUS Client
• Specify the IP address 10.10.200.75 /AWS INTERNAL IP ADDRESS
• Specify the shared secret “Test1234”
2. Create the OAS domain “onespan.local” in the OAS database (If not yet present)
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “ORGANIZATION”, select the option “List”
• If the domain exists, then continue with step 3
e. Select the tab “ORGANIZATION”, select the option “Add domain”
• Domain Name: “onespan.local”
3. Set up a policy named “pOASEe360”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe360”
• Inherits from: “IDENTIKEY Radius Password Replacement”
• Enter a description if desired
c. Make these changes to the Policy “pOASEe360”
• Set Back-End Protocol to RADIUS, by selecting it from the drop-down list
• Set Back-End Authentication to “Always”
4. Link the policy “pOASEe360” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Mark the square [] before the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• Click on the button CHANGE POLICY
• In the new window, select for Policy ID: “pOASEe360”
• Click on “YES”
5. Register a Radius Back-End.
a. Select the tab “BACK-END” and click on “Register RADIUS Back-End”
• Back-End Server ID: NAP
• Select the domain name “onespan.local”
• Authentication
o IP address: 10.10.200.75 /AWS INTERNAL IP ADDRESS
o Port: 21812
• Accounting
o IP address: 10.10.200.75 /AWS INTERNAL IP ADDRESS
o Port: 21813
• Shared Secret/Confirm Shared Secret: Test1234
• Timeout: 10
• Retries: 3
• CREATE the record
6. Create the user “OASEe360” with the password “Test1234” in Windows in the Active Directory Users and Computers(See lab
OASPe020)
7. Create the user “OASEe360” with the password “Test1234” in OAS, in the domain “onespan.local”
a. Select the tab “USERS” and click on “create”
• Create user: “OASEe360”
• Domain “onespan.local”
• Password: “Test1234”
8. Upload a DIGIPASS in the domain “onespan.local” in the OneSpan Authentication server
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID in the correct domain and organization, then you can continue to the next step
• If the list shows a DIGIPASS with a UserID, you can deassign the DIGIPASS
• If the list shows a DIGIPASS with an incorrect domain and/or organization, you can move the DIGIPASS
c. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_DP300.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx”
• Enter the transport key “11111111111111111111111111111111”
Alternatively, just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Select the proper Domain and OrgUnit
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
9. Assign a DIGIPASS to the user “OASEe360”
a. Click on the tab “USERS”
b. Search for the user “OASEe360” using the criteria in the “Search Users” tab
• Enter “OASEe360” in the field “User ID”
• Click on the button “SEARCH”
c. Mark the user “OASEe360” and click on “Assign DIGIPASS”
d. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Click Next
e. Under the “5. Options” tab Click on “ASSIGN”
f. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “0097123456”
g. Click on Finish
10. Configure the windows NAP/NPS server to send a RADIUS hello message attribute
a. Press Windows +Q
b. Search for programs and files for “nps” and start “Network Policy Server” or “nps.msc”
c. In the policies, select the Connection request policies
d. Select and double click on “Use Windows Authentication for all User”
e. Select the tab “Settings”
f. Select the RADIUS attributes / Standard
g. Click “Add”
h. Select the attribute “Reply-Message”
i. Click on the Add button
j. In the Attribute Information window, click on the add button.
k. Enter the text “Hello from NAP through the OAS”
l. Confirm all windows
11. Perform a successful login with a specific policy for the RADIUS Simulator Tool
(To configure the RST, see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on
demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe360@onespan.local” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
12. For the policy “pOASEe360” in the tab User
a. Set the default domain to onespan.local
13. Perform a successful login with a specific policy for the RADIUS Simulator Tool
(To configure the RST, see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS
can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe360” with password the response from the DIGIPASS
c. Check for the related messages in the Audit Viewer
d. Check for the related messages in the tracing file
14. Deassign the DIGIPASS from user “OASEe360”
a. Select the tab “USERS” and click on “list”
b. Select the checkbox next to user “OASEe360”
c. Click deassign DIGIPASS and move the DIGIPASS back to the master domain
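To see what the RST shows in step 5b of OASEe265 (the Reply-Message, Framed-IP-Address and Session-Timeout attributes selected by the policy's attribute group) and what the OAS does in steps 10 to 13 above when it relays the NPS Reply-Message, here is an added example that is not code from the exercise, from OneSpan or from the RST: a standard-library Python encoder/decoder for RFC 2865 RADIUS packets. The shared secret “Test1234” and the attribute values are taken from the exercises; the back-end secret “NpsSecret”, the packet identifiers and the constructed Access-Accept packets are assumptions made for the illustration, and nothing is sent on the network.

```python
"""RFC 2865 RADIUS encoder/decoder (standard library only, nothing sent on the wire).
Added illustration for OASEe265 step 5b and OASEe360 steps 10-13; not OAS or RST code.
Secrets, identifiers and packets below are constructed for the example."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP, REPLY_MESSAGE, SESSION_TIMEOUT = 1, 2, 8, 18, 27
ATTR_NAMES = {USER_NAME: "User-Name", FRAMED_IP: "Framed-IP-Address",
              REPLY_MESSAGE: "Reply-Message", SESSION_TIMEOUT: "Session-Timeout"}


def pap_password(data, secret, req_auth, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        chunk = padded[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk if decrypt else block   # chaining always uses the ciphertext block
        out += block
    return out


def encode_attrs(attrs):
    """attrs: list of (type, raw value bytes) -> TLV bytes (length covers type+len+value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def packet(code, ident, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def access_request(user, password, secret, ident, req_auth=None):
    """Build the Access-Request a NAS such as the RST sends. Returns (packet, req_auth);
    the caller must keep req_auth to verify the reply."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_password(password.encode(), secret, req_auth))]
    return packet(ACCESS_REQUEST, ident, req_auth, encode_attrs(attrs)), req_auth


def response_authenticator(code, ident, attrs_bytes, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def access_accept(ident, req_auth, secret, attrs):
    """Build the Access-Accept a server returns, carrying the reply attributes."""
    ab = encode_attrs(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, ab, req_auth, secret)
    return packet(ACCESS_ACCEPT, ident, auth, ab)


def decode_reply(data, req_auth, secret):
    """Verify the Response Authenticator first, then parse the attributes into
    {name: [values]}. A reply that does not verify is rejected outright: without this
    check, anyone able to spoof the server's UDP source could inject an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    auth, attrs_bytes = data[4:20], data[20:length]
    if auth != response_authenticator(code, ident, attrs_bytes, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered packet")
    attrs, pos = {}, 0
    while pos < len(attrs_bytes):
        t, l = attrs_bytes[pos], attrs_bytes[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute length")
        v = attrs_bytes[pos + 2:pos + l]
        if t == FRAMED_IP:
            val = socket.inet_ntoa(v)
        elif t == SESSION_TIMEOUT:
            val = struct.unpack("!I", v)[0]
        else:
            val = v.decode("utf-8", "replace")
        attrs.setdefault(ATTR_NAMES.get(t, f"Attr-{t}"), []).append(val)
        pos += l
    return code, attrs


def relay_accept(backend_reply, backend_req_auth, backend_secret, nas_ident, nas_req_auth, nas_secret):
    """What a RADIUS proxy such as the OAS does in OASEe360: verify the back-end (NPS) reply
    with the back-end secret, then re-sign the same attribute bytes for the NAS (RST) with
    the NAS's own secret and Request Authenticator. The NAS never sees the back-end secret."""
    code, _ = decode_reply(backend_reply, backend_req_auth, backend_secret)
    attrs_bytes = backend_reply[20:]
    auth = response_authenticator(code, nas_ident, attrs_bytes, nas_req_auth, nas_secret)
    return packet(code, nas_ident, auth, attrs_bytes)


if __name__ == "__main__":
    secret = b"Test1234"
    req, ra = access_request("OASEe265", "Test1234", secret, ident=7)
    acc = access_accept(7, ra, secret, [(REPLY_MESSAGE, b"RST Allowed By The Policy"),
                                        (SESSION_TIMEOUT, struct.pack("!I", 200))])
    print(decode_reply(acc, ra, secret))
```

The point to take from `relay_accept` is that the RST only ever verifies the OAS's signature, made with the secret the RADIUS client record holds, while the OAS verifies NPS with the back-end record's secret; a Reply-Message that reaches the RST has therefore passed two independent integrity checks, and a mismatch at either hop is a hard failure rather than a degraded accept.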
4.26 OASEe362: Authentication Elements: BACK-END: Server AD
OAS – Authentication Elements - Back-End
Reference Number OASEe362
Title Authentication Elements: BACK-END: Server AD
Est. time to complete 25 min
Type Mandatory
Purpose First authenticate on OAS and then on a Back-End Active Directory server
Fast Track
In this exercise, you will use the LDAP AD as the back-end authentication server.
The first authentication will fail, as the user is tied to the domain master and there is no LDAP back-End information for the domain
master.
The second authentication will succeed, by using a back-end record, as
• The domain name is in the username
• The domain name will be resolved, as the Windows name resolution is enabled.
The Third authentication will succeed just by using the global catalog.
Create the OAS domain “onespan.local” in the OAS database
Set up a policy named “pOASEe362” that inherits from: “IDENTIKEY Microsoft AD Password Replacement”
Register an Active Directory Back-End
Create the user “OASEe362” with the password “Test1234”
Logon into OAS using the radius simulator with LDAP Microsoft AD backend as user “OASEe362”
Logon into OAS using the radius simulator with LDAP Microsoft AD backend as user “OASEe362@onespan.local”
Logon into OAS and over LDAP into the Microsoft AD as user “OASEe362@onespan.local”, through the global catalog
Create the user “OASEe362b” in the Windows Active Directory and add the mobile phone and the address
Change the policy “pOASEe362”
• Enable user Info Synchronization
• Change the OAS Password Policies
Perform a successful login with the RADIUS Simulator Tool as user “OASEe362b” with the password “Test1234” and check whether the user
is created together with the extra information
Detailed Steps
1. If not already done, create the IDENTIKEY domain “onespan.local” in the OAS database
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “ORGANIZATION”, select the option “List”
• If the domain exists, then continue with step 2
e. Select the tab “ORGANIZATION”, select the option “Add domain”
• Domain Name: “onespan.local”
2. Set up a policy named “pOASEe362”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe362”
• Inherits from: “IDENTIKEY Microsoft AD Password Replacement”
• Enter a description if desired
c. Make these changes to the Policy “pOASEe362”
• Set Back-End Authentication to “Always”
• Set Back-End Protocol to “Microsoft Active Directory”
3. Link the policy “pOASEe362” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe362”
• Click on “SAVE”
4. Create the windows user "ldap", as a copy of the administrator user, with the password "Test1234" in Windows (See lab
OASPe020)
5. Register an Active Directory Back-End
a. Select the tab “BACK-END” and click on “Register Active Directory Back-End”
• Back-End Server ID to “onespan-dc1”
• Domain Name: onespan.local (select from list)
• Priority: 100
• Enable SSL: DO NOT ENABLE SSL
• Location: 10.10.200.75 /AWS INTERNAL IP ADDRESS
• Timeout: 20
• Search Base DN: "dc=onespan,dc=local"
• Security Principal ID: ldap
• Security Principal Password: “Test1234”
• Confirm Principal Password: “Test1234”
6. Create the user “OASEe362” with the password “Test1234” in Windows (See lab OASPe020)
7. Logon (failing) into OAS and over LDAP into the Microsoft AD as user “OASEe362”
When we log in as “OASEe362”, the OneSpan Authentication Server searches for a back-end server record for the user's domain, which is
the default domain “master” because the User ID carries no realm. As there is no Active Directory back-end server record for a Windows
domain controller for the “master” domain, the OAS tries to locate a domain controller via the Global Catalog setting. As these settings are
not defined, the authentication fails.
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe362” with password “Test1234”
b. Check for the related messages in the Audit Viewer
{User ID : 362}
{Domain Name : master}
{Status Message : An unspecified error occurred}
{Auxiliary Message :
{Error Code: '(-400)' ; Error Message: 'There was no comms descriptor available;Could not find backend server component for domain
'master', using LDAP global catalog'}
{Error Code: '(-1)' ; Error Message: 'An unspecified error occurred;Failed to query DNS for LDAP global catalog'}}
c. Check for the related messages in the tracing file
] > === Error Stack =========================
] > Error code: <-1> Error message: <An unspecified error occurred;Failed to query DNS for LDAP global catalog>
] > Error code: <-400> Error message: <There was no comms descriptor available;Could not find backend server component for domain
'master', using LDAP global catalog>
] > === End of Error Stack ==================
18. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “[email protected]” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
19. Logon into OAS and over LDAP into the Microsoft AD as user “[email protected]”, through the global catalog
a. Delete the Back-end record “onespan-dc1”
b. Define the global catalog settings in the WebAdmin: from the tab “BACK-END”, select the option “Settings”
• In the tab “Settings”, click on the button “EDIT”
• In the field “Global Catalog location”, enter “10.10.200.75” / AWS INTERNAL IP ADDRESS
• In the field “Global Catalog Port”, enter nothing or enter “3268”.
This port, 3268, is defined as the port used for querying the Active Directory Global Catalog.
• In the field “Timeout”, enter “20”
• In the field “Security Principal ID”, enter “ldap”
• In the field “Security Principal Password”, enter “Test1234”
• In the field “Confirm Principal Password”, enter “Test1234”
• Click on the button “SAVE”
20. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “[email protected]” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
21. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe362” (do NOT add the domain name) with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
Search the OAS trace file for the text string “Performing DNS SRV query for _ldap._tcp.onespan.local” and find a trace like the following:
Could not find backend server component for domain 'master', using LDAP global catalog
Server <10.10.200.75/AIIA:3268> is available (no failures yet)
Attempting LDAP bind before LDAP search...
Realm:
Username: ldap
LDAP bind result: Success (0)
Attempting LDAP search...
Base distinguished name:
Filter: (sAMAccountName=362)
LDAP search result: Success (0)
Performing DNS SRV query for _ldap._tcp.onespan.local
DNS SRV query returned 1 entry
Attempting search on and bind to LDAP server(s)
Server <vasco-dc1.onespan.local:389> is available (no failures yet)
Attempting LDAP bind before LDAP search...
Realm:
Username: ldap
LDAP bind result: Success (0)
Attempting LDAP search...
Base distinguished name: DC=onespan,DC=local
Filter: (&(objectClass=user)(sAMAccountName=362))
LDAP search result: Success (0)
DN retrieve: [CN=362,CN=Users,DC=onespan,DC=local]
Server <onespan-dc1.vasco.local:389> is available (no failures yet)
Attempting LDAP bind...
Realm:
Username: 362
LDAP bind result: Success (0)
Successful LDAP server authentication
Setting m_backEndAuthState to [Success]
User checks state is [Possible DUR], local auth state is [Password not locally verified], backend auth state is [Success]
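To make such a trace quicker to read when troubleshooting a back-end lookup, here is an added shell example; it is not part of the OneSpan exercise and not OneSpan tooling. It writes a constructed sample trace made of the lines quoted above, then extracts the LDAP servers contacted in order, the domain of the DNS SRV query, the number of LDAP bind or search steps that did not succeed, and the final back-end state. The function names are my own.

```shell
#!/bin/sh
# Added example; not OneSpan code. Summarises the LDAP back-end chain an OAS
# trace records for one authentication: which servers were contacted, which
# domain the DNS SRV query was issued for, and how back-end auth ended.

# Write a constructed sample trace (lines quoted in the exercise) to $1.
write_sample_trace() {
    cat > "$1" <<'EOF'
Could not find backend server component for domain 'master', using LDAP global catalog
Server <10.10.200.75/AIIA:3268> is available (no failures yet)
Attempting LDAP bind before LDAP search...
Username: ldap
LDAP bind result: Success (0)
Attempting LDAP search...
Filter: (sAMAccountName=362)
LDAP search result: Success (0)
Performing DNS SRV query for _ldap._tcp.onespan.local
DNS SRV query returned 1 entry
Server <vasco-dc1.onespan.local:389> is available (no failures yet)
Attempting LDAP bind before LDAP search...
Username: ldap
LDAP bind result: Success (0)
Attempting LDAP search...
Filter: (&(objectClass=user)(sAMAccountName=362))
LDAP search result: Success (0)
DN retrieve: [CN=362,CN=Users,DC=onespan,DC=local]
Server <onespan-dc1.vasco.local:389> is available (no failures yet)
Attempting LDAP bind...
Username: 362
LDAP bind result: Success (0)
Setting m_backEndAuthState to [Success]
EOF
}

# Servers contacted, in order, one per line (global catalog first, then the
# domain controller found through DNS SRV, then the bind as the user itself).
ldap_servers() {
    sed -n 's/^Server <\([^>]*\)> is available.*/\1/p' "$1"
}

# Domain of the last DNS SRV query; empty if the trace never reached DNS.
srv_domain() {
    sed -n 's/^Performing DNS SRV query for _ldap\._tcp\.\(.*\)$/\1/p' "$1" | tail -n 1
}

# Final back-end authentication state: Success or Fail.
backend_state() {
    sed -n 's/^Setting m_backEndAuthState to \[\([^]]*\)\].*/\1/p' "$1" | tail -n 1
}

# Number of LDAP bind or search steps whose result was not Success.
failed_ldap_steps() {
    grep -E '^LDAP (bind|search) result:' "$1" | grep -vc 'Success' || true
}

# Human-readable summary of one trace file.
summarize_trace() {
    printf 'servers contacted: %s\n' "$(ldap_servers "$1" | tr '\n' ' ')"
    printf 'DNS SRV domain:    %s\n' "$(srv_domain "$1")"
    printf 'failed LDAP steps: %s\n' "$(failed_ldap_steps "$1")"
    printf 'back-end state:    %s\n' "$(backend_state "$1")"
}

# Usage: write_sample_trace /tmp/oas.trc && summarize_trace /tmp/oas.trc
```

On a real server point the functions at the OAS trace file instead of the sample; the server list shows directly whether the lookup went through the global catalog (port 3268) before the DNS SRV step, which is the behaviour the question below asks about.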
What is the reason that the user can login using the User ID “OASEe362” or the User ID “[email protected]”?
In the second part of this exercise, we will create a new user and synchronize the user information to the OAS.
22. Change the policy named “pOASEe362”
a. Select “POLICIES” and click on “List”
b. Look for the policy “pOASEe362” and open it
c. Make these changes to the Policy “pOASEe362”
• Located in the tab “User”
o User Info Synchronization: “Yes”
o Different from Last # Passwords “0”
23. Perform a successful login with the RST and check for the dpuser in the OAS
a. Create the Windows user “OASEe362b”.
b. Authenticate to the OAS.
As the Windows user exists, the Windows Back-End authentication will succeed, and the OneSpan Authentication Server will create the OAS user “OASEe362b” and synchronize the extra information.
24. Register an Active Directory Back-End
a. Select the tab "BACK-END" and click on "Register Active Directory Back-End"
• Back-End Server ID to "onespan-dc1"
• Domain Name: onespan.local (select from list)
• Location: 10.10.200.75 (onespan-dc1.onespan.local) / the AIIA address
• Timeout: 20
• Search Base DN: "dc=onespan,dc=local"
• Security Principal ID: ldap
• Security Principal Password: "Test1234"
• Confirm Principal Password: "Test1234"
• Save your settings
25. If needed, create the user “OASEe362b” in the Windows Active Directory (see OASPe020)
26. Edit this user in Active Directory
a. In the tab address, add an address
b. In the tab Telephones, add a Mobile Phone Number
c. In the tab General,
• add the E-mail address: "[email protected]" and
• add a phone number which is different from the mobile number
d. Click OK
27. Delete the user “[email protected]” in the WebAdmin.
This is needed because the AD attributes are auto-synchronized only at the moment the OAS user is created, and that creation is performed by Dynamic User Registration (DUR).
28. Perform a login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “[email protected]” with password “Test1234”
b. Verify the related messages.
Check if the auto-sync fields were extracted from the AD user.
c. Check if the user was added in the OneSpan Authentication server
d. Check in the tab “User Account” if the user Info is synchronized
e. Check which Back-End configuration is used for the successful login.
4.27 OASEe364: Authentication Elements: BACK-END: Server AD with SSL
OAS – Authentication Elements - Back-End
Reference Number OASEe364
Title Authentication Elements: BACK-END: Server AD with SSL
Est. time to complete 20 min
Type Optional
Purpose First authenticate on OAS and then on a Back-End Active Directory server with SSL
Fast Track
In this exercise, we will use the LDAP AD as the back-end authentication server. The communication between the OAS and the AD server is over SSL.
The configuration needed for this exercise is described in lab OASEe362. The only difference is the setup of SSL.
The first authentication will fail as the user is tied to the domain master and there is no LDAP back-end information for the domain master.
The second authentication will succeed, by using a back-end record, as
• The domain will be specified in the username
• The domain will be resolved, as the Windows name resolution is enabled.
The third authentication will succeed just by using the global catalog.
The fourth authentication will succeed:
• A default domain is added in the policy
• Windows name resolution is disabled
• The domain is not specified in the username
Guidelines to enable SSL communication between the OAS and Active Directory
1. Your DNS names must resolve. Moreover, vasco-dc1.vasco.local must resolve, as its certificate will be used.
You can test this, at the command prompt with the following command
“ping -a -4 vasco-dc1.vasco.local”
If it does not resolve, make the DNS changes needed to get this exercise working quickly, such as:
• Disable IPv6 on your network controller
• Add a reverse lookup zone for 10.200.75
• Add a DNS PTR record for vasco-dc1.vasco.local
• At the command prompt, run “ipconfig /registerdns”
2. If not already available, install Certificate Services on the LDAP back end, as a role.
This is a Windows component, and should be available on your Windows operating system installation media.
a. Add the Role “Active Directory Certificate Services”
b. Enable the role Service “Certification Authority”
3. Generate an Enterprise root CA Certificate.
You may need to wait several minutes to allow the domain controllers to enroll for domain controller certificates. You can test this (see TIP).
a. You will have to start “Configure Active Directory Certificate Services on destination server”
b. Do not change the credentials; Enable “Certification Authority”; Enterprise CA; Root CA; create a new private key
c. Select SHA256 as hash algorithm and leave the rest at the default values.
d. Set the common name for this CA to onespan-DC1-CA-1
e. leave the rest at the default values
f. reboot your machine
TIP: Active Directory Certificate Services adds the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer.
This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied.
To verify that the CA certificate is published correctly in Active Directory, run the following command:
certutil -viewstore "ldap:///CN=onespan-VASCO-DC1-CA,CN=Certification Authorities,CN=Public Key
Services,CN=Services,CN=Configuration,DC=onespan,DC=local?cACertificate?base?objectClass=certificationAuthority"
(you must include the quotation marks when you run this command).
If the root CA certificate is not present,
use the Certificates console on the root CA computer to export the certificate to a file, and
then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.
X509
4. Export the CA Certificate accordingly:
a. Launch the Windows Certification Authority application.
This is typically launched via Start > Administrative Tools > Certification Authority on most Windows servers.
b. Select a certification authority, right-click it, and select “Properties”.
c. In the Properties window, click the “View Certificate” button.
d. In the Certificate window, select the Details tab and click the “Copy to File” button. Doing so will launch the Certificate Export
Wizard.
e. In the Certificate Export Wizard, click “Next”.
f. Select DER encoded binary X.509 (.CER) option and click “Next”.
g. Specify the path and name of the CA Certificate file and click “Next”.
h. Click “Finish” to export the certificate. Restart the server.
5. After exporting the certificate, convert it for use with OneSpan Authentication server:
a. Convert the .cer file to .pem file using the command:
“openssl x509 -inform DER -outform PEM -in certname.cer -out certname.pem”
where certname is the name of the self-signed certificate just created.
Note
OneSpan Authentication server ships with a specific version of the OpenSSL utility. VASCO advises very strongly that you use this version for
any procedures in this book involving the openssl command. This specific version of OpenSSL is located in <install_dir>\bin\, where
<install_dir> is the installation directory of OneSpan Authentication server. This directory is C:\Program Files\VASCO\IDENTIKEY
Authentication Server\ for Windows or /opt/vasco/ias by default for Linux.
b. Obtain the hash of the .pem file using the following command:
“openssl x509 -noout -hash -in certname.pem”
c. Record the hash output of this command, and rename the .pem file to be hashvalue.0. For example, if the hash result is
54321, rename the .pem file to 54321.0.
d. Copy the renamed .pem file to the following location, according to the platform used:
• (Linux) --- /etc/ssl/certs
• (Windows) --- C:\Program Files\VASCO\IDENTIKEY Authentication Server\certs
• Warning: Make sure to manually restart the VASCO OneSpan Authentication server service. If the service is not restarted, the certificate files will not be read!
Tip: You can find the full details on the certificate in the KB 150093.
TIP: You can easily test the SSL connection to the Active directory with the tool “ldp.exe”
Create the OAS domain “onespan.local” in the OAS database
Set up a policy named “pOASEe364” that inherits from: “IDENTIKEY Microsoft AD Password Replacement”
In Active Directory, create the user “ldap” with the password “Test1234”.
In Active Directory, create the user “OASEe364” with the password “Test1234”.
Register an Active Directory Back-End over SSL
• In the field Back-End Server ID, enter vasco-dc1
• For Domain Name, select onespan.local
• For priority set 100
• Mark “Enable SSL” as enabled
• In the field “Location”, enter vasco-dc1.vasco.local
• In the field “Security Principal ID”, enter “CN=ldap,CN=Users,DC=onespan,DC=local”
• All the other settings remain the same
Link the policy to the RADIUS client.
Logon into OAS using the radius simulator with LDAP Microsoft AD backend as user “OASEe364”
You can find the following in the trace file
> Finished executing query, results are: <
=====================Query Results========================
<Result Codes: { Status Code: 'Call completed successfully (0)' ; Return Code: 'Success (0)' }>
<Results: 1 attributes
[ Attribute 0:
{Back-End Server ID : onespan-dc1}
{Protocol ID : Microsoft AD}
{Domain Name : onespan.local}
{Priority : 100}
{Authentication IP Address : onespan-dc1.vasco.local}
{Timeout : 10}
{Created Time : 2018/02/13 14:47:07}
{Modified Time : 2018/02/13 16:48:33}
{Base Search DN : DC=onespan,DC=local}
{Security Principal DN : CN=ldap,CN=users,DC=onespan,DC=local}
{Security Principal Password : ********}
{SSL Authentication Port : 636}
{Include Realm : No}]>
<Error stack: >
Logon into OAS using the radius simulator with LDAP Microsoft AD backend as user “[email protected]”
Logon into OAS and over LDAP into the Microsoft AD as user “[email protected]”, through the global catalog
Add a default domain onespan.local in the policy “pOASEe364” and logon into OAS using the radius simulator with LDAP Microsoft AD backend as user “OASEe364”
4.28 OASEe520: Authentication Elements: DIGIPASS: OAS User Self-management Website
OAS Tools: IDENTIKEY User Websites
Reference Number OASEe520
Title Authentication Elements: DIGIPASS: OAS User Self-management Website
Est. time to complete 20 min
Type Mandatory
Purpose Setup of the OAS User Websites and its uses
Fast Track
The first part of this exercise handles the automatic assignment of a DIGIPASS to a new user.
In the second part, it is the user himself who will assign a DIGIPASS to his user account.
Create users “OASEe520” and “OASEe520b” in Windows.
Set up a policy named “pOASEe520” that inherits from “Identikey Windows Auto-Assignment”.
Set up a policy named “pOASEe520b” that inherits from “Identikey Windows Self-Assignment”.
Setup the “OAS User Websites: Self-Management Website”.
Create an evaluation license for the “Vasco IDENTIKEY User Websites”.
Register the newly created Active Directory User “[email protected]” in the Self-Management Website and automatically assign a Digipass Go3.
Register the newly created Active Directory User “[email protected]” in the Self-Management Website and assign your Digipass Go3.
Change the Password of the Active Directory User “[email protected]” in the Self-Management Website.
Detailed Steps
1. Create the user “OASEe520” with the password “Test1234” in Windows (See lab OASPe020)
2. Create the user “OASEe520b” with the password “Test1234” in Windows (See lab OASPe020)
3. Create the OAS domain “onespan.local” in the OAS database (see lab OASEe362) (Optionally, enable SSL, see lab OASEe364)
4. Verify if a DIGIPASS is uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID you can continue to step 3
c. If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• Load 1 DIGIPASS from the file “Demo_GO3.dpx” from the directory “C:\Program Files\VASCO\IDENTIKEY Authentication
Server\dpx”
• Enter the Transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Set domain to “onespan.local”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
5. Set up a policy named “pOASEe520”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe520”
• Inherits from: “Identikey Windows Auto-Assignment”
• Enter a description if desired
6. Set up a policy named “pOASEe520b”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe520b”
• Inherits from: “Identikey Windows Self-Assignment”
• Enter a description if desired
7. Run the IDENTIKEY Authentication Server 3.21 media
a. Login on the machine “ONESPAN-DC1” (see lab OASPe010 for credentials).
b. Open the Windows “File Explorer” located on the “Task Bar”
c. Click “Computer” in the navigation bar
d. Right click the DVD drive containing the OneSpan Authentication server Installation Disk and select “Open”
8. Install the OAS User Websites
a. Browse to “D:\IDENTIKEY User Websites\Software\Windows”
b. Open the file “identikey-user-websites_3.15.0_x64.msi”
c. Click “Next” to begin.
d. Read the OAS User Websites license agreement, select I accept the terms in the license agreement, and click “Next”.
e. Read the Oracle Binary Code license agreement, select I accept the terms in the license agreement, and click “Next”.
f. Select all Features to install and click “Next”.
g. Click “Install” to start the installation of OAS User Websites.
h. Click “Finish” to close the OAS User Websites Setup.
9. Create a trial license for the Self-Management Website
a. Go to the website https://cp.vasco.com
b. Select “Get an evaluation license” at the bottom of the window
c. Fill in all the fields, add a working valid e-mail address, and click Register. You will receive a new e-mail at the supplied address. This e-mail contains a link to download the evaluation license.
d. Click on the link (“clicking here”) provided in the received e-mail. A new browser window opens the link (do not paste this link, it will not work!!) http://cp.vasco.com/evaluation_license_contacts/confirmation?confirmation_token=[customcode]. You can copy this link from the host machine to the virtual machine.
e. Select to open OAS Product Family by clicking on the “>” key.
f. Click “Continue”.
g. Select to open “IDENTIKEY Add-on Software”.
h. Click “Continue”.
i. Select to open “OAS User Websites”
j. Click “Continue”
k. Fill in the IP address 10.10.200.75/AIIA; the description is optional and not required.
• REMARK: the provided IP address is the IP address used to bind the license on. This can be different! Check your exercise!
l. Select to “Accept the license agreement”.
m. Click on “Create”
n. Click to “Download the license file”. Save this license file to your local system.
o. Click “I’m done” to finish the license process.
p. When the license file is not available on the virtual machine, copy this file from the host machine to the virtual machine.
10. Register the Self-Management Website as SOAP client and link the policy “pOASEe520”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Point to the tab “CLIENTS”, and select “Register”
e. Fill in the fields.
• For the field “Client Type” enter “OAS User Websites” (Select from list)
• Location: “10.10.200.75” /AWS INTERNAL IP ADDRESS
• Policy: “pOASEe520”
• Protocol Id: SOAP
• Click on “CREATE”
11. Load the license to register the Self-Management Website as SOAP client and link the policy “pOASEe520”
a. Select “CLIENTS” > “List”.
• Select the respective client component for OAS User Websites (previously created)
• Location: 10.10.200.75/AIIA
• Policy: “pOASEe520”
• Create the client
• Switch to the License tab.
• Click LOAD LICENSE KEY.
• Click Choose File and select the license file downloaded from the VASCO Customer Portal.
• Click UPLOAD.
• The license file is loaded and verified.
• Click FINISH.
PART 1 : Login with a user account and automatically assign a DIGIPASS.
12. Start the “OAS User Self-Management Website”
a. Press Windows +Q
b. Search for programs and files for “Self” and start “User Self-Management Website”, or browse to https://localhost:9443/selfmgmt. The OAS Self-Management Website opens.
13. The self-registration functionality in the “OAS User Self-User Management Website”
a. Click “home”
b. Click the “Self-Registration and Auto-Assignment”
• UserID: “[email protected]”
• Password “Test1234”
• Click “Register”
c. Verify the related messages
14. Test the user in the “OAS User Self-User Management Website”
a. Click “home”
b. Click the “Login Test”
• UserID: “[email protected]”
• Password “Test1234”
• Click “Log In”
c. Verify the related messages
PART 2: The user will assign his DIGIPASS that he has received from his administrator.
1. Link the policy “pOASEe520B” to the “VASCO User Websites”
(If you have not setup, the “VASCO User Websites” see OASEe520)
a. Point to the tab “CLIENT”, and select “List”
b. Click on the “OAS User Websites” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe520b”
• Click on “SAVE”
2. Assign a “DIGIPASS” in the “IDENTIKEY User Self-User Management Website”
a. Click “home”
b. Click the “DIGIPASS Self-Assignment”
• UserID: “OASEe520@onespan.local”
• Password “Test1234”
• DIGIPASS Serial number “0091234568”
• DIGIPASS response retrieved from the demo token (https://gs.onespan.cloud/te-demotokens/go3), start with the pin “1234”
• Click “Assign DIGIPASS”
c. Verify the related messages and check why it fails.
Set localAuthState to [Response OK, Password Wrong]
Set localAuthState to [Response OK, Password Wrong]
Fast authentication is <false>, will try to do backend auth
Password format is [Cleartext combined]
Length of static password for back-end authentication is [19]
Cached backend server list contains no servers for protocol ID <Windows> domain <onespan.local>
Authenticating user with backend authenticator. Auth params are:
{User ID : 520}
{Password : ********}
{Domain Name : onespan.local}
{Password Format : 0}
{Static Password : ********}
{Component Type : IDENTIKEY User Websites}
{Request Host Verification ID : 1} Server list is: 0 attributes
User ID : 520
Domain : onespan.local
Logon-Provider: Standard
Incorrect Windows user name or password.
Setting m_backEndAuthState to [Fail]
Back-End Authentication has failed with error [00007FFA3A28BF98].
User checks state is [User Exists], local auth state is [Response OK, Password Wrong], backend auth state is [Fail]
Tip: The "login permutation" cannot be interpreted correctly as the user already has a DIGIPASS assigned
3. Assign a new DIGIPASS in the “IDENTIKEY User Self-User Management Website”
a. Click “Home”
b. Click the “DIGIPASS Assignment”
• UserID: “[email protected]”
• Password “Test1234”
• DIGIPASS Serial number “0091234568”
• DIGIPASS response retrieved from the demo token (https://gs.onespan.cloud/te-demotokens/go3), start with the pin “1234”
• Click “Assign DIGIPASS”
c. Verify the related messages
4. Test the DIGIPASS in the “IDENTIKEY User Self-User Management Website”
a. Click “home”
b. Click the “Login Test”
• UserID: “[email protected]”
• Password “Pin + DIGIPASS response retrieved from the demo token Test1234”
• Click “Log In”
c. Verify the related messages
PART 3: Change the user’s AD password, through the Users Web Site
1. Check in AD that the user “OASEe520” the Account option “User cannot change password” is deselected
2. Change the password of an AD user in the “OAS User Self-User Management Website” and fail
a. Click “Home”
b. Click the “Password Change”
• UserID: “[email protected]”
• Current password “Test1234”
• New password “Test123T”
• Confirm New Password “Test123T”
• DIGIPASS PIN “1234”
• DIGIPASS response retrieved from the demo token
• Click “Change”
c. Verify the related messages and check why it fails
When the password change fails due to password lifetime restrictions, this is expected: the Windows domain policy described here requires that a password exist for one day before it can be changed.
Set Minimum Password age to “0” and apply
When you change the policy, force the changes via “gpupdate /force” (in a command prompt) on your system
To be 100% certain that the new domain policies will be set, do a reboot of the machine.
3. Remove any OAS password strength settings, in the policy.
Note: this is OK for this exercise, but it is bad practice on a production machine. There you must at least meet the password strength requirements demanded by your organization’s security policies.
a. Select the policy pOASEe520b
b. Select the User tab
c. Search for the section “Static Password”
d. Minimum Password Length: 8
e. Minimum # Lowercase Characters: 0
f. Minimum # UPPERCASE Characters: 0
g. Minimum # Numerical Digits: 0
h. Minimum # Special Characters: 0
i. Different from Last # Passwords: 0
j. Not Based on User ID: No
k. Maximum Age in Days: 28
l. Minimum Age in Days: 0
m. Days to Notify before Expiration: 0
n. SAVE the policy changes
4. Change the password of an AD user in the “OAS User Self-User Management Website” and fail
a. Click “Home”
b. Click the “Password Change”
• UserID: “[email protected]”
• Current password “Test1234”
• New password “Test123T”
• Confirm New Password “Test123T”
• DIGIPASS PIN “1234”
• DIGIPASS response retrieved from the demo token
• Click “Change”
4.29 OASEe267: Authentication Elements: Virtual DIGIPASS: Backup virtual DIGIPASS
OneSpan Authentication server – Authentication Elements - Policies
Reference Number OASEe267
Title Authentication Elements: Virtual DIGIPASS: Backup virtual DIGIPASS
Est. time to complete 30 min
Type Mandatory
Purpose Learn how to send a backup OTP by e-mail
Fast Track
In this exercise you will learn how to send an OTP to a user by e-mail.
Create a user “OASEe267” in the Web Admin
Assign a DIGIPASS record supporting virtual DIGIPASS to the “OASEe267” user
Setup the Virtual DIGIPASS OTP Request Web Site parameters
Set up a policy named “pOASEe267” for Virtual DIGIPASS use
Setup the receiving e-mail address in the OAS user “[email protected]”
Setup the SMTP email server
Setup the Message Delivery Component for email delivery
Use the Virtual DIGIPASS OTP Request Web Site
Detailed Steps
Notes
During the exercises, you could have failing authentications. Please do check, during the exercise, if the OAS account is locked. If
required, unlock before proceeding with the exercise (see lab OASEe275).
You MUST work with a Digipass that has the “Backup Virtual Digipass” enabled. This requires a specific dpx. Load
Demo_DP300_BUVDP_2.dpx from the DVD “IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso“. If you use a regular Digipass,
the exercise will never work.
1. Create a user “OASEe267” in the Web Admin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “USERS” and click on “create”
• Create user: “OASEe267”
• Password: “Test1234”
2. Verify if there is a DIGIPASS with Backup virtual DIGIPASS support, uploaded in OAS
a. Select the tab “DIGIPASS”
b. If the list shows a DIGIPASS with no UserID you can continue to step 3
c. If the list shows a DIGIPASS with a UserID you can deassign the DIGIPASS and continue to step 3
d. Select the tab “DIGIPASS” and click on “Import”
• Load Demo_DP300_BUVDP_2.dpx from the DVD “IDENTIKEY_Authentication_Server_3.15_Training_Tools.iso“
• Enter the Transport key “11111111111111111111111111111111”
• Or just press ‘1’ until the end of the field is reached
• Click on the button “UPLOAD”
• Click on the button “NEXT”
• Click on the button “IMPORT”
• Do not schedule the import as a task by leaving the options “Run immediately” enabled and click on the button “NEXT”
• If the import was successful, click on the button “FINISH”
• Verify if the DIGIPASS has VIRTUAL Token Enabled
• Keep note of the serial number of this DIGIPASS
3. Assign a DIGIPASS record supporting Virtual DIGIPASS to the user “OASEe267”
a. Open the Web Admin
b. Click on the tab “USERS”
c. Search for the user “OASEe267” using the criteria in the “Search Users” tab
• Enter “OASEe267” in the field “User ID”
• Click on the button “SEARCH”
d. Mark the user “OASEe267” and click on “Assign DIGIPASS”
e. Search for DIGIPASS using the criteria on the “Search DIGIPASS” tab
• Select the serial number of the Digipass imported in Step 2, above
• Click Next
f. Under the “5. Options” tab Click on “ASSIGN”
g. In the tab “6. Finish”
• Note that a DIGIPASS was assigned for example: “5000050055”
• Click on Finish
4. Set up a policy named “pOASEe267”
a. Select “POLICIES” and click on “Create”
b. Enter the required information
• Policy ID: “pOASEe267”
• Inherits from: “IDENTIKEY RADIUS Password Replacement”
• Enter a description if desired
c. List the policies
d. Click the newly created policy
e. Click on the tab “Policy”
• Click on the button “EDIT”
• For “Local Authentication”, in the drop-down box, select “DIGIPASS/Password during Grace Period”
• For “Back-End Authentication”, in the drop-down box, select “None”
f. Set the RADIUS authentication protocols that are allowed
• Click on the tab “RADIUS”
• Click on the “EDIT” button
• For Supported Protocols, in the drop-down box, select “Any”
• Click on the button “SAVE”
5. Link the policy “pOASEe267” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe267”
• Click on “SAVE”
6. Also link the policy “pOASEe267” to the OAS User Websites
7. Check if the policy and the user are OK.
Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe267” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
8. Use the Virtual DIGIPASS OTP Request Web Site
a. Press Windows +Q
b. Search programs and files for “OTP”
c. open “Virtual DIGIPASS OTP Request Website” or “https://localhost:9443/votp”
d. Authenticate as User ID “OASEe267” with password “Test1234”
e. Check for the related messages in the OAS tracing file
NOTE: This authentication will succeed but, at this moment, no OTP is sent via email. The “request” part is not yet defined in the policy.
9. Define the receiving e-mail address in the OAS user
a. Set the email address in the Web Admin
b. List and then select the user “OASEe267”
c. Click on the tab “User Account”
d. Click on the button “EDIT”
e. In the field Email Address, enter “[email protected]”
f. Click on the button “SAVE”
10. Request an OTP by email for the user on the Virtual DIGIPASS OTP Request Web Site, which will fail
a. Start the Virtual DIGIPASS OTP Request Web Site
• As username, enter “OASEe267”
• As the password, enter “OTPbyemail”
b. Why does this OTP request fail?
• Check for the related messages in the Audit Viewer
• Check for the related messages in the tracing file
You cannot use VIRTUAL DIGIPASS if there is no Email configuration and the policy has no request keyword defined.
11. Setup the SMTP email server
a. Press Windows +Q
b. Search for programs and files for “IIS” and start “Internet Information Services (IIS) 6.0 Manager” or “InetMgr6.exe”
• Expand the Tree
• Right click the SMTP server
• Select Start
• Right click the SMTP server
• Select properties
• Select the Access Tab
• Click the Relay button
• Select the radio button “All except the list below”
• Click OK
• Click OK
• Verify in the folder C:\inetpub\mailroot\queue
12. Setup the Message Delivery Component for email delivery in the MDC
a. Press Windows +Q
b. Search for programs and files for “MDC” and start “MDC Configuration Utility” or “mdcconfiggui.exe”
c. Set the correct IP address
• At the right-hand side click the “General” icon
• Set the IP address to 10.10.200.75/AIIA
d. Set the tracing to full
• At the right-hand side click the “General” icon
• Select and mark the option “Full Tracing”
• Click on Apply and accept the change
• Restart the service when requested
e. Set the email details
• At the left-hand side click “Email Delivery” icon
• Select and mark the option “Enable Email delivery”
• Click the “Add” button and set Display Name to: Local Test
• Set the Profile Name to: “LocalTest”
• Check and/or set the SMTP host to “10.10.200.75”/AIIA
• In the SMTP options, set the From Address to [email protected]
• Apply and restart the service when requested
f. Test the email connection from the MDC to the mail server
• Click on the button “Test e-mail” (to send an email)
• In the window “Test Email Gateway”, set the address to “[email protected]”
• Check for the success message 'Message was sent successfully to the SMTP sever. ....'
• Close the test window
• Check the folder “C:\inetpub\mailroot\Queue” and open the .eml Email file in this folder.
g. Click on Apply and accept the change
h. Restart the service when requested
i. Click on OK
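The test in step 12.f ends with opening the .eml file in the queue folder by hand. The following script is an added example (not OneSpan's code, not part of the exercise) that parses every .eml file in a folder and reports the headers and body, so the MDC-to-SMTP delivery chain can be checked without a text editor. The sample message embedded in it is constructed and its addresses (mdc@lab.example, oasee267@lab.example) are placeholders, not values from the exercise. Keep in mind that the relay setting chosen in step 11 (“All except the list below”) makes the lab SMTP service an open relay, which is acceptable only because it is reachable solely inside the lab.

```python
"""Inspect .eml files left in the IIS SMTP queue folder.

Added example (not OneSpan's code). After the MDC "Test e-mail" step the
message should land in C:\\inetpub\\mailroot\\Queue as an .eml file. This
script parses each .eml in a folder and returns the envelope headers and
body so the MDC -> SMTP chain can be verified programmatically.
"""
import os
import tempfile
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a captured one); addresses are placeholders.
SAMPLE_EML = (
    b"From: mdc@lab.example\r\n"
    b"To: oasee267@lab.example\r\n"
    b"Subject: Virtual DIGIPASS test\r\n"
    b"Date: Mon, 04 Jan 2021 09:00:00 +0000\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Message was sent successfully to the SMTP server.\r\n"
)


def summarize_eml(raw: bytes) -> dict:
    """Return the headers a delivery check cares about, plus the text body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "body": body.get_content().strip() if body is not None else "",
    }


def scan_queue(folder: str) -> list:
    """Summarize every .eml file in folder, newest file first."""
    paths = [
        os.path.join(folder, name)
        for name in os.listdir(folder)
        if name.lower().endswith(".eml")
    ]
    paths.sort(key=os.path.getmtime, reverse=True)
    results = []
    for path in paths:
        with open(path, "rb") as fh:
            summary = summarize_eml(fh.read())
        summary["file"] = os.path.basename(path)
        results.append(summary)
    return results


def demo() -> list:
    """Write the constructed sample into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "sample.eml"), "wb") as fh:
            fh.write(SAMPLE_EML)
        return scan_queue(folder)


if __name__ == "__main__":
    # On the lab machine point scan_queue() at the real folder instead:
    #   scan_queue(r"C:\inetpub\mailroot\Queue")
    for message in demo():
        print(message)
```

Run it on the lab machine with the real queue path to confirm that the From address matches the MDC profile and the To address matches the user record; a message with the wrong To address points at the user's Email Address field (step 9), a missing file points at the MDC profile or the SMTP relay settings.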
13. Setup the OAS to work with the Message Delivery Component with email delivery
a. In the OAS, hover over the “SYSTEM” tab and click the “Server Configuration” menu item
b. Select “Scenarios”
c. Click the “Edit” Button
d. Click the “+” Button next to the “Authentication Scenario”
• For the “MDC Server Address”, set the IP address to “10.10.200.75” /AWS INTERNAL IP ADDRESS
e. Click on the “Save” button
14. Adjust the policy named “pOASEe267” for Virtual DIGIPASS use
a. List and then select the policy “pOASEe267”
b. Click on the tab “Virtual DIGIPASS”
c. Click on the button “EDIT”
d. For the Virtual DIGIPASS/Delivery Method, select from the dropdown list “Email”
e. For the MDC Profile, set to “LocalTest”
f. For the Backup Virtual DIGIPASS fields, do the following
• For BVDP Mode, in the dropdown list, select “Yes – Permitted”
• For Time Limit (days), enter 15
• For Max. Uses/User, enter 100
• For Request Method, in the dropdown list, select “Keyword”
• For Request Keyword, enter “OTPbyemail”
• Click on the save button
15. Request an OTP by email for the user, which will fail
a. Start the Virtual DIGIPASS OTP Request Web Site
• As username, enter “OASEe267”
• As the password, enter “OTPbyemail”
b. Why does this OTP request fail?
• Check for the related messages in the Audit Viewer
• Check for the related messages in the tracing file
You cannot use a Virtual DIGIPASS while the user is still in the grace period.
Therefore we log in with an OTP to end the grace period. In other words, we activate the DIGIPASS of the user.
16. We are going to do a login with an OTP, to end the grace period.
a. Authenticate the user with the User Self-Management Site
• Select the “Login Test” page
• Authenticate as User ID “OASEe267” with, as the password, the response (OTP) from a demo DP300 DIGIPASS
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
17. Request an OTP by email for the user
a. Start the Virtual DIGIPASS OTP Request Web Site
• As username, enter “OASEe267”
• As the password, enter “OTPbyemail”
b. Verify in the folder C:\inetpub\mailroot\queue
• You can open the most recent file using notepad
If it fails, re-check that the DIGIPASS assigned to the user has, in its “APPL 1”/“RO” application, Virtual Token Enabled set to
YES (e.g., from Demo_VDP.DPX)
18. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe267” with password “Test1234” + the 'OTP' which you read from the email
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
4.30 OASEe420: System: Restore policies with OAS Configuration Wizard
OAS Tools
Reference Number OASEe420
Title System: Restore policies with OAS Configuration Wizard
Est. time to complete 10 min
Type Mandatory
Purpose Learn how to recover from unwanted changes of the default policies
Fast Track
In this exercise, you will learn how to recover from unwanted changes of the default policies
1. In the web admin, change the setting of the policy “Identikey Windows Password Replacement”
a. For Back-End Authentication to “None”
b. For the Back-End Protocol enter manually “jabberwocky”
c. Click on the “SAVE” button.
2. Start the OAS Maintenance Wizard using the windows search (Windows +Q)
a. Choose the option “Restore Default Policy & Report Definitions”
b. Only select “Standard Policy definitions”
c. Confirm and continue
3. Verify the restored values in the WebAdmin
a. In the web admin, verify the setting of the policy “Identikey Windows Password Replacement”
4.31 OASEe390: System: Monitoring
OAS – Monitoring
Reference Number OASEe390
Title System: Monitoring
Est. time to complete 20 min
Type Optional
Purpose Use SNMP to monitor the OAS
Fast Track
Enable Performance and system monitoring
Retrieve the “sysDescr” value from the MIB
Configure the SNMP trap target and filter
Receive the SNMP Trap
Detailed Steps
This exercise will only work with an OAS that was installed in “BASIC” mode
1. Enable Performance and system monitoring
a. Start the “OAS Configuration Utility” using the windows search (Windows +Q)
b. Select “Monitoring” in the left bar
• Check “Enable System Monitoring”
• And “Apply”
c. Select “Performance” in the left bar
• Check “Enable Performance Monitoring”
• Select the “Plugins” tab
• Select the “Counter Plugin” tab
• Check “Enable Counter Plugin”
d. Click on “Apply”
e. Click “OK” and restart
f. Restart the OAS Configuration Utility
g. Select “SNMP” in the left bar
• Check “Overwrite SNMP Configuration”
• IP Address: 10.10.200.75/AWS INTERNAL IP ADDRESS
• Port: 161
• Security Name: administrator
• Authentication Type: SHA1
• Secret: Test1234
• Privacy Type: AES
• Secret: Test1234
• Click Apply
• Click OK and restart
2. Check in the Webadmin GUI if System Monitoring is enabled
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select the tab “SYSTEM”, select the option “Server Configuration”, then the tab “SYSTEM Monitoring”
• Click on “EDIT”
• Check if “Enable System Monitoring” is enabled. If not enabled, then mark “Enable System Monitoring” to enable.
• Click “SAVE”
3. MUST DO: Start the Windows service “Net-SNMP Agent”
4. MUST DO: Restart the OAS (OneSpan Authentication Server)
5. Check whether the settings have been added to Net-SNMP
a. Snmpd.conf
• At the command prompt enter the command
type "C:\Program Files\VASCO\Net-SNMP\etc\snmp\snmpd.conf"
Your output could look like (# comments have been added for your understanding)
# This is the listening address
# The agent will listen on UDP, IP address 10.10.200.75/AIIA, port 161
agentaddress 10.10.200.75/AIIA:161
sysObjectID 1.3.6.1.4.1.3995.2.2.1
# There will be only 1 service running, named identikey
proc identikey 1 1
# The master agent speaks the AgentX protocol to the OAS subagent
master agentx
# And our master agent will listen to a loopback TCP port 705
agentXSocket tcp:localhost:705
# Grant user netadmin access to all the available mibs
rwuser netadmin
b. Snmp.conf (check WHICH mibs can be used)
• At the command prompt enter the command
type "C:\Program Files\VASCO\Net-SNMP\etc\snmp\snmp.conf"
mibdirs +C:\Program Files\VASCO\Net-SNMP\share\snmp\mibs
mibdirs +C:\Program Files\VASCO\OneSpan Authentication server\mibs
persistentDir C:\Program Files\VASCO\Net-SNMP\snmp\persist
mibs +VASCO-MIB
mibs +VASCO-IDENTIKEY-MIB
mibs +VASCO-IDENTIKEY-COMMUNICATOR-SEAL-MIB
mibs +VASCO-IDENTIKEY-COMMUNICATOR-SOAP-MIB
mibs +VASCO-IDENTIKEY-CRYPTO-MIB
mibs +VASCO-IDENTIKEY-DATAMODEL-MIB
mibs +VASCO-IDENTIKEY-SCENARIO-MIB
mibs +RADIUS-AUTH-SERVER-MIB
mibs +RADIUS-AUTH-CLIENT-MIB
c. Verify if the user netadmin has been added to the net-snmp configuration
• At the command prompt enter the commands
cd "C:\Program Files\VASCO\Net-SNMP"
findstr /c:netadmin /s /i *.*
# Look for
snmp\persist\snmpd.conf:usmUser 1 3 0x80001f8880c67f0000d7a1865a00000000 "netadmin" "netadmin" NULL
.1.3.6.1.6.3.10.1.1.3 0x856dcc64cc148eb43f4912c1fe726ffd265b7e4 .1.3.6.1.6.3.10.1.2.4
0x856dcc64cc148eb43f4912c1fea726ff 0x
d. The snmpwalk tool (snmpbulkwalk works the same way) can also be used to test the setup
• At the command prompt enter the commands
cd "C:\Program Files\VASCO\Net-SNMP\bin"
snmpwalk -v 3 -a SHA -A Test1234 -l authPriv -u netadmin -x AES -X Test1234 10.10.200.75/AIIA vdsIkData
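Step 5 checks the Net-SNMP files by eye. The script below is an added example (not OneSpan's code) that parses an snmpd.conf with the directives shown above, plus the persistent snmpd.conf in which Net-SNMP stores the USM user, and lists which monitoring prerequisites are missing: the agentaddress port, the `master agentx` line the OAS subagent needs, the `proc identikey` watch, the `rwuser` grant and the USM user itself. The two sample files are constructed from the directives listed in the exercise; where the exercise writes 10.10.200.75/AIIA the sample uses 10.10.200.75, and the usmUser key material is an obvious placeholder, not a value from the page.

```python
"""Validate the Net-SNMP configuration written by the OAS Configuration Utility.

Added example (not OneSpan's code). Parses snmpd.conf and the persistent
snmpd.conf (snmp\\persist\\snmpd.conf) and reports missing prerequisites.
"""
import re

# Constructed from the directives the exercise lists for snmpd.conf.
SAMPLE_SNMPD_CONF = """\
# This is the listening address
agentaddress 10.10.200.75:161
sysObjectID 1.3.6.1.4.1.3995.2.2.1
# There will be only 1 service running, named identikey
proc identikey 1 1
# The master agent speaks AgentX to the OAS subagent
master agentx
agentXSocket tcp:localhost:705
# Grant user netadmin access to all the available mibs
rwuser netadmin
"""

# Constructed stand-in for snmp\persist\snmpd.conf; engine ID and key
# material are placeholders, not values from a real installation.
SAMPLE_PERSIST_CONF = """\
usmUser 1 3 0xPLACEHOLDERENGINEID "netadmin" "netadmin" NULL .1.3.6.1.6.3.10.1.1.3 0xPLACEHOLDER .1.3.6.1.6.3.10.1.2.4 0xPLACEHOLDER 0x
"""


def parse_snmpd_conf(text: str) -> dict:
    """Map each directive name to the list of argument lists it occurs with."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def usm_users(persist_text: str) -> list:
    """Names of USM users declared by usmUser lines in the persistent config."""
    names = []
    for line in persist_text.splitlines():
        if line.lstrip().startswith("usmUser"):
            match = re.search(r'"([^"]+)"', line)   # first quoted token is the user name
            if match:
                names.append(match.group(1))
    return names


def check_monitoring_config(conf_text: str, persist_text: str,
                            expected_user: str = "netadmin",
                            expected_port: int = 161) -> list:
    """Return a list of findings; an empty list means all prerequisites are present."""
    conf = parse_snmpd_conf(conf_text)
    findings = []
    listen = [args[0] for args in conf.get("agentaddress", []) if args]
    if not any(addr.endswith(":%d" % expected_port) for addr in listen):
        findings.append("agentaddress does not listen on port %d: %r" % (expected_port, listen))
    if ["agentx"] not in conf.get("master", []):
        findings.append("'master agentx' missing: the OAS subagent cannot register")
    if not any(args and args[0] == "identikey" for args in conf.get("proc", [])):
        findings.append("'proc identikey' missing: process monitoring is off")
    readwrite = [args[0] for args in conf.get("rwuser", []) if args]
    if expected_user not in readwrite:
        findings.append("rwuser %s missing: SNMPv3 queries as that user will be refused" % expected_user)
    if expected_user not in usm_users(persist_text):
        findings.append("USM user %s not present in the persistent snmpd.conf" % expected_user)
    return findings


if __name__ == "__main__":
    # On the lab machine read the real files instead of the constructed samples:
    #   open(r"C:\Program Files\VASCO\Net-SNMP\etc\snmp\snmpd.conf").read()
    #   open(r"C:\Program Files\VASCO\Net-SNMP\snmp\persist\snmpd.conf").read()
    for finding in check_monitoring_config(SAMPLE_SNMPD_CONF, SAMPLE_PERSIST_CONF) or ["OK"]:
        print(finding)
```

One design point worth noticing while reading the output: `rwuser` grants SNMP write access to the whole MIB, which the monitoring in this exercise does not need; a read-only `rouser` would serve the same queries with less exposure, so if you tighten the grant, adjust the check accordingly.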
6. Install the SnmpB tool (http://sourceforge.net/projects/snmpb/)
7. Run the SnmpB Tool
8. Create the SNMPv3 USM Profile
a. Select the “Options”, “Manage SNMPv3 USM Profiles…”
b. Right Click in the white square and select “New USM profile”
• (Security) Name: ias_snmpadmin
• Authentication Protocol: SHA
• Authentication Password: Test1234
• Privacy Protocol: AES128
• Privacy Password: Test1234
• Click OK
9. Create the Agent Profile
a. Select the “Options”, “Manage Agent Profiles…”
b. Right Click in the white square and select “New Agent profile”
• Name: OAS
• Agent Address/Name: 10.10.200.75/AWS INTERNAL IP ADDRESS
• Only select SNMPV3
c. Open the OAS item in the tree at the left
d. Select in the tree SnmpV3
e. Context Name: netadmin
• Security Level: authPriv
f. Click OK
g. In the MIB Tree, drill down to:
iso.org.dod.internet.mgmt.mib-2.system
h. Right click “sysDescr” and select get
10. Convert the additional MIBs
a. Select the “Editor” tab
b. Load the VASCO MIBs, using the “File”, “Open MIB” menu
• Navigate to C:\Program Files\VASCO\IDENTIKEY Authentication Server\mibs
• Change to all files
• Select the “VASCO-MIB.txt”
c. Save the MIB, using the “File”, “Save MIB” menu
• Navigate to c:\program files (x86)\SnmpB\mibs
• File Name: “VASCO-MIB”
11. Repeat step 10 for the following MIBs:
a. “VASCO-IDENTIKEY-MIB”
b. “VASCO-IDENTIKEY-COMMUNICATOR-SOAP-MIB”
c. ……
12. Login in the IDENTIKEY WebAdmin
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
13. Run the SnmpB Tool
14. Select the modules tab
a. Move the “VASCO-MIB” from available to Loaded
b. Move the “VASCO-IDENTIKEY-MIB” from available to Loaded
c. Move the “VASCO-IDENTIKEY-COMMUNICATOR-SOAP-MIB” from available to Loaded
d. Move the “RADIUS-AUTH-CLIENT-MIB” from available to Loaded
e. Move the “RADIUS-AUTH-SERVER-MIB” from available to Loaded
15. Select the tree tab then in the MIB Tree Drill down to:
iso.org.dod.internet.private.enterprises.vascoDataSecurity.vdsRegistrations.vdsProducts.vdsIdentikey.vdsIkData.VDSIkCommunicatorData.vdsIkSOAP.vdsIkSOAPClientTable.vdsIkSOAPClientEntry
16. Right Click “vdsIkSOAPClientConnections” and select “get, select instance”
17. Double click the IP address “10.10.200.75/AIIA” and verify the query results
18. Perform a radius authentication with the radius simulator to the OAS
• Remark: The RADIUS-AUTH-SERVER-MIB client table is only populated after the first request; if there has been no RADIUS request, the client is not listed
19. Navigate in the tree and select
iso.org.dod.internet.mgmt.mib-2.radiusMIB.radiusAuthentication.radiusAuthServMIB.radiusAuthServMIBObjects.radiusAuthServ.radiusAuthClientTable.radiusAuthClientExtEntry
20. Right Click “radiusAuthClientExtID” and select “get, select instance”
21. Double click the entry “1” and verify the IP address in the query results
22. Configure the SNMP trap target and filter
a. Start the OAS Configuration Wizard using the windows search (Windows +Q)
b. Select “Monitoring” in the left bar
c. Select the “Targets” tab
d. Click the EDIT button
• Name: 10.10.200.75/AWS INTERNAL IP ADDRESS
• SNMP
• Host: 10.10.200.75/AWS INTERNAL IP ADDRESS
• TRAP
• Security Name: netadmin
• Authentication Type: SHA
• Secret: Test1234
• Privacy Type: AES
• Secret: Test1234
• Mark the new target and click on SAVE
e. Select the “Filters” tab
f. Click the CREATE button
• Check “Enable”
• Name RADIUS_fail
• Target: 10.10.200.75/AWS INTERNAL IP ADDRESS
• Look at all the audit message Types. Do not do anything
g. Click the new button
• Field: Code (This is a field from the audit file)
• Condition: equals
• Value: I-007003 (This is a value found in the audit file)
• Click OK
• Click OK
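Step 22.g defines the rule that decides which audit records become traps: field Code, condition equals, value I-007003. The script below is an added example (not OneSpan's code) that models a filter of that shape (name, target, enabled flag and one or more field/condition/value rules) and runs it over a handful of constructed audit records, so you can see which events the RADIUS_fail filter will forward to the target before you trigger them in step 23. The audit records are constructed, not taken from a real audit file; only the code I-007003 comes from the exercise, the other code is a labelled placeholder, and the conditions other than “equals” are assumed extras for illustration.

```python
"""Model an OAS SNMP trap filter and evaluate it over audit records.

Added example (not OneSpan's code). A filter forwards an audit record as a
trap to its target when every rule (field / condition / value) matches.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    field: str       # an audit record field, e.g. "Code"
    condition: str   # "equals" is what the exercise uses; the others are assumed extras
    value: str


@dataclass(frozen=True)
class TrapFilter:
    name: str
    target: str          # trap target address from the "Targets" tab
    enabled: bool
    rules: Tuple[Rule, ...]


def rule_matches(rule: Rule, record: Dict[str, str]) -> bool:
    """Exact, case-sensitive comparison, as an 'equals' condition implies."""
    actual = str(record.get(rule.field, ""))
    if rule.condition == "equals":
        return actual == rule.value
    if rule.condition == "not equals":
        return actual != rule.value
    if rule.condition == "contains":
        return rule.value in actual
    raise ValueError("unsupported condition: %s" % rule.condition)


def select_for_trap(flt: TrapFilter, records: List[Dict[str, str]]) -> list:
    """Records that would be sent as traps to flt.target (all rules must match)."""
    if not flt.enabled:
        return []
    return [r for r in records if all(rule_matches(rule, r) for rule in flt.rules)]


def describe_traps(flt: TrapFilter, records: List[Dict[str, str]]) -> list:
    """Human-readable line per trap, useful when reviewing a filter before enabling it."""
    return [
        "%s -> %s: Code=%s user=%s from %s"
        % (flt.name, flt.target, r.get("Code"), r.get("User ID"), r.get("Client Location"))
        for r in select_for_trap(flt, records)
    ]


# The filter as defined in step 22 (target address as used in the lab).
RADIUS_FAIL = TrapFilter(
    name="RADIUS_fail",
    target="10.10.200.75",
    enabled=True,
    rules=(Rule("Code", "equals", "I-007003"),),
)

# Constructed audit records (not from a real audit file). Only I-007003 is
# from the exercise; "CODE-PLACEHOLDER-SUCCESS" is a made-up stand-in.
SAMPLE_AUDIT = [
    {"Timestamp": "2021-01-04 09:00:01", "Code": "I-007003",
     "User ID": "OASEe120", "Client Location": "10.10.200.75"},
    {"Timestamp": "2021-01-04 09:00:07", "Code": "CODE-PLACEHOLDER-SUCCESS",
     "User ID": "OASEe120", "Client Location": "10.10.200.75"},
    {"Timestamp": "2021-01-04 09:00:12", "Code": "I-007003",
     "User ID": "OASEe267", "Client Location": "10.10.200.75"},
]


if __name__ == "__main__":
    for line in describe_traps(RADIUS_FAIL, SAMPLE_AUDIT):
        print(line)
```

Two things the run makes visible: a filter with “Enable” unchecked never forwards anything, whatever its rules say, and an `equals` rule is an exact match, so a typo in the value (or a different code for a different failure type) silently produces no traps; when step 23 shows nothing in SnmpB, check the filter value and the enable flag before the SNMPv3 credentials.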
23. Receive the SNMP Trap
a. Perform a failing radius user authentication with the radius simulator to the OAS
b. The trap should be listed in the traps tab of snmpb
c. Select the Tree Tab
d. Navigate in the tree and select
iso.org.dod.internet.private.enterprises.vascoDataSecurity.vdsRegistrations.vdsProducts.vdsIdentikey.vdsIkData.vdsIKSecurityAlertData.VdsIKSecAlerts.VdsIKSecAlertTable.VdsIKSecAlertEntry
e. Right Click “VdsIKSecAlertContent” and select “get, select instance”
f. Double click the entry “1” and verify the query results
4.32 OASEe380: System: Reporting
OAS – Reporting
Reference Number OASEe380
Title System: Reporting
Est. time to complete 20 min
Type Mandatory
Purpose Generate reports on the authentication activities
Fast Track
Run a detailed analysis report of the authentication Activities
Through the web admin GUI, run the report “Detailed Authentication” to verify the logins of the last 2 days. For “the template to use”, select PDF.
Run the report wizard. Click on the “Open” link to view the report.
Run a list analysis report of the authentication Activities
Through web admin GUI, run the report “User Authentication History” to verify the logins of the last 2 days. Run the report wizard. Click
on the “Open” link to view the report.
Run a trend analysis report of the authentication Activities
Through web admin GUI, run the report “Authentication Trend” to verify the logins of the last 2 days. Run the report wizard. Click on the
“Open” link to view the report.
Run a distribution analysis report of the authentication Activities
Through web admin GUI, run the report “Authentication Activity by User” to verify the logins of the last 2 days. Run the report wizard.
• In the tab “4. Schedule Task”, mark the option “Run in background”
• For “Scheduled”, select “Yes”
• Enter in the “Hour” field, 1 minute later than the current time
• For the “Date”, select the current date
• Click on next
• Read the report by pointing to the “SYSTEM” tab, and selecting “Reporting Retrieval”
• Click on the report name “auth_activity_user”
• Click on the button “DOWNLOAD”
Create a new report
Define a new report listing all radius authentications, with userid and location
• Describe report
• Report Name: rOASEe400
• Detailed analysis
• Options
• Grouping Level: Domain
• Data Source: Users + Audit
• Define Fields, Create
• “User:UserID” with display name User
• “Audit:Client Location” with display name Source
• In '4. Define Query'
• Query Name: qOASEe400
• Add a Definition that filters in the 'source field' on “Audit:client Type=RADIUS Client”
Run the report
4.33 OASEe395: Authentication Elements: User: Expire Part 2
OneSpan Authentication server – Authentication Elements - Users
Reference Number OASEe395
Title Authentication Elements: User: Expire Part 2
Est. time to complete 10 min
Type Mandatory
Purpose Learn how to enable expired user accounts
Fast Track
This exercise can only be executed after completing the exercise OASEe276, on the previous day
Perform a failing login with “OASEe276_1” using a specific policy: “pOASEe276_1” for the RADIUS Simulator Tool
Reset the “Expires at” of the user “OASEe276_1”
Perform a successful login with “OASEe276_1” using a specific policy: “pOASEe276_1” for the RADIUS Simulator Tool
Perform a failing login with “OASEe120” using a specific policy: “pOASEe276_2” for the RADIUS Simulator Tool
Reset the “Last Authentication Time” of the user “OASEe120”
Perform a successful login with “OASEe120” using a specific policy: “pOASEe276_2” for the RADIUS Simulator Tool
Detailed Steps
1. Link the policy “pOASEe276_1” to the Radius client (If you do not have a radius client see OASEe120)
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Point to the tab “CLIENTS”, and select “List”
d. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
e. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe276_1”
• Click on “SAVE”
2. Perform a failing login for the user with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe276_1” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
3. Reset the user “OASEe276_1”, “Expires At” date
4. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe276_1” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
5. Link the policy “pOASEe276_2” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe276_2”
• Click on “SAVE”
6. Perform a failing login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe276” with password “Test1234”
b. Check for the related messages in the Audit Viewer
c. Check for the related messages in the tracing file
7. Reset the user “OASEe276_1”, “Last authentication time” date
a. Can be found in the “Other Actions”
8. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe276” with password “Test1234”
4.34 OASEe400: System: Install OAS with the Active Directory as data store
OneSpan Authentication server Advanced Install
Reference Number OASEe400
Title System: Install OAS with the Active Directory as data store
Est. time to complete 30 min
Type Mandatory
Purpose Perform an advanced AD installation on a Windows Server
Fast Track
In this exercise, you will perform an advanced OAS installation. During the installation, the OAS must be configured to use the Microsoft
Active Directory as its database. We will verify the installation by doing a local authentication, which will fail because the OAS static password is not
set for the user. We will then set the OAS static password for the user and authenticate again.
Having done both logins, you can see that the same Windows object, the user OASEe400, has a set of values which are specific to
Windows and a set of values which are specific to OAS. The policy is then set to Local/DIGIPASS, so we will try to authenticate with
an OTP.
If you have completed previous exercises shutdown the virtual machine, revert to snapshot and execute the steps from exercise
“OASPe015: Deploy Your Lab Setup”
Run the IDENTIKEY Authentication Server 3.21 media
Install the IDENTIKEY Authentication Server 3.21 as “Advanced Installation” with Active Directory
Run the “OAS Configuration Wizard” (The first Administrator: “iasadmin”, “Test1234”)
Generate a temporary license as described in OASPe060
Installation Remarks
The installation of the OAS with AD, requires that the schema of the AD is extended
1. You can add the schema extension manually, prior to the OAS installation. This is advised in bigger organizations.
2. Extend the AD schema automatically.
The Installation Wizard can detect whether the Active Directory database already uses the required schema.
If this is the case, then the Installation Wizard will not prompt you to perform a schema extension.
IMPORTANT NOTE: If you allow the Installation Wizard to make the schema changes, you will have to wait while the schema
changes are applied and wait while replication of the changes occurs across all domains. You will only be able to continue with
the Installation Wizard after the schema changes have been applied and replicated.
How you choose to make the schema changes will depend on the security settings on your data store, and your company's data security
processes.
For this exercise, you have two options:
1. Big Organization
o (for this exercise only) If you have completed previous exercises shutdown the machine, revert to snapshot and execute
the steps from exercise “OASPe015: Deploy Your Lab Setup”
o Extending the AD schema manually and
o then run the OAS installation (do not revert to the snapshot)
2. Small organization
o Read the text of “Extending the AD schema manually” and
o then run the OAS installation
Extending the AD schema manually
1. Log into the Schema Master using an account that is a member of the following groups:
• Schema Admins group
• Domain Admins group
• Domain Administrator accounts are typically members of these groups.
• Copy dpadadmin.exe from the installation DVD, from “D:\Software\Windows\Utilities\dpadadmin”
• Open a command prompt in the location to which dpadadmin.exe is copied.
• From there, run the following command:
dpadadmin addschema -v
• If the dpadadmin utility detects that Schema extensions are not currently permitted, it will prompt you whether to enable them
or not.
• Enter y to enable them, or n to cancel.
• After performing an Active Directory data store extension, wait several minutes for the schema extensions to replicate
across the system.
• Use the dpadadmin checkschema command to periodically check if the schema updates have been completed:
dpadadmin checkschema -u <schema_admin> -p <sa_password>
where:
✓ <schema_admin> is the username of the Schema Administrator
✓ <sa_password> is the corresponding password of the Schema Administrator
Do not continue with the installation until a checkschema result, without errors, is obtained.
The schema extension requires time to propagate under Windows. Hence, you may see ‘cached’ errors from the checkschema command.
To speed up the replication of the schema extension you have 2 options:
• OPTION 1: restart the windows service 'Active Directory Domain Services'
NOTE: this is the fastest way to do this on a TEST machine. NEVER EVER do this on a production machine.
• OPTION 2: Reload the schema with the active Directory Schema Admin
o Register the Active Directory Schema admin tool (reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc794773(v=ws.10))
▪ Open Command Prompt, type: 'regsvr32 schmmgmt.dll'
This command will register Schmmgmt.dll on your computer
▪ Click Start, click Run, type mmc /a
▪ On the File menu, click Add/Remove Snap-in
▪ Select “Active Directory Schema
▪ Click 'Add >'
▪ Click OK
▪ Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK
o Reload the schema
▪ In the console tree, right-click Active Directory Schema, and then click Reload the Schema
Detailed Steps
Save your OAS license files (on the guest) to the host system. You will reuse the license files during this and other installations.
If you have completed previous exercises then shut down the machine, revert to snapshot and execute the steps from exercise
“OASPe015: Deploy Your Lab Setup”
1. Create the user “iasadmin” with the password “Test1234” in Windows (See lab OASPe020).
This new Active Directory User must be member of the
a. existing Group “Domain Admins (Security Group – Global)”
b. existing Group “Administrators”
[The easiest way is to copy the built-in administrator account]
2. Run the IDENTIKEY Authentication Server 3.21 media
a. Login on the machine “ONESPAN-DC1” (See lab OASPe010 for credentials).
b. Open the Windows “File Explorer” located on the “Task Bar”
c. Click “Computer” in the navigation bar
d. Right click the DVD drive containing the OneSpan Authentication server Installation Disk and select “Install or run program from your media”
3. Install the OAS
a. Select “Install IDENTIKEY Authentication Server 3.21”
b. At the “IDENTIKEY Authentication Server 3.21 Setup”, click on next
c. At the “Installation type”, select the “Advanced Installation”, and click next
d. At the “Data Storage”, select the “Active Directory”, and click next
e. Click the “IDENTIKEY Authentication Server 3.21” button
4. OneSpan Authentication server Setup
a. On the “Welcome” screen click “Next”
b. Agree to the “End-User License Agreement” and click “Next”
c. On the “Custom Setup” screen click “Next”
d. Install, by clicking on the 'Install' button
e. Click “Finish” when the setup wizard completes
5. OneSpan Authentication server Setup Components
a. Click the “Net SNMP …” button (only needed for system monitoring and auditing)
b. Click the “Embedded MariaDB …” button (needed for auditing)
6. Add a new Database Role
a. Press Windows +Q
b. Search for programs and files for “pg” and start “pgAdmin III” or “pgAdmin3.exe”
c. Right click the “MariaDB … (localhost:5432)”
• Select Connect (Password: digipassword)
d. Right Click Login Roles
e. Select “New Login Role …”
• Properties: Role name: “ias_dbadmin”
• Definition: Password: “Test1234”
• Definition: Password (again): “Test1234”
• Role privileges: Check all privileges
• Click on OK
7. Inspect the ODBC connector settings
a. Press Windows +Q
b. Search for programs and files for “odbc” and start “ODBC Data Sources (64-bit)” or “odbcad32.exe”
c. Select the System DSN tab.
d. The DSN settings are only used for connecting to the database.
e. These settings are NOT used for authenticating to the database.
During the installation of the embedded database, the database administrator account is created.
This account and its credentials are used when the OAS connects to the database.
Changes to the ODBC Data Sources connection settings are only required when the database is on a different server.
8. Continue with the “OAS Configuration Wizard”
a. Click the “Run Configuration Wizard” button on the OneSpan Authentication server Setup screen
b. On the “OneSpan Authentication server Configuration Wizard” start screen, click on “Next”
c. Confirm The IP address
d. Select “Request a license Key” → see exercise OASPe060 to create and load an evaluation license
e. The “Server Functionality” step
• Select all OAS functionality, except the EMV-CAP functionality.
• Click “Next”
f. AD Prerequisites step
• Check “This is the first OneSpan Authentication server installed”
• Click “Next”
g. DIGIPASS Domain step
• Check if Domain name is “onespan.local”
• Click “Next”
h. Add schema step
• Click “Next”
• A pop-up Window appears to Allow Schema Updates, Click “Yes”
i. Update schema step
• This step is required to update the Active Directory Schema
• Click “Check” – it must show fully replicated.
• Click “Next”
j. Active Directory Certificate Authority step
• Disable “Enable LDAP SSL”
• Click “Next”
k. The “First Administrator” step
• User ID: “iasadmin”
• Password: “Test1234”
• Click “Next”
If you get an error when you click on “Next”, then you very likely did not add iasadmin to the Domain Admins group.
l. Legacy Mode
• Do NOT enable “Use legacy sensitive data encryption mode”
• Click “Next”
m. The “Data Encryption” step
• Select “Standard with embedded key”
• Click “Next”
n. The “Secure Auditing” step
• Select “Do Not Use Secure Auditing”
• Click “Next”
o. The “SOAP SSL Certificate” step
• Select “Generate and install a new test certificate (self-signed)”
• Private Key Password: “Test1234Test1234”
• Confirm Password: “Test1234Test1234”
• Click “Next”
p. The “SEAL SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• Select “SOAP Communicator”
• Click “Next”
q. The “RADIUS SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• Select “SEAL Communicator”
• Click “Next”
r. The “MDC SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• Select “RADIUS Communicator”
• Click “Next”
s. The “Live Audit SSL Certificate” step
• Select “Use an existing certificate”
• Click “Next”
• Select “MDC Server”
• Click “Next”
t. The “SNMP User” step
• Security Name: “ias_snmpadmin”
• Authentication Type: “MD5”
• Authentication Secret: “Test1234”
• Privacy Type: “AES”
• Privacy Secret: “Test1234”
• Click “Next”
u. The “Automatic Server Discovery Support” step
• Select “No DNS Service Registration”
• Click “Next”
v. The “Create Web Administration Program Client” step
• Select “Local”
• Click “Next”
w. The “Sample SDK Web Client” step
• Click “Next”
x. The “Confirmation” step. All the configuration settings will now be put in place. This may take some time.
• Click “Next”
y. The “Summary” step
• Click “Finish”
9. Continue with the “OneSpan Authentication server Setup”
a. Click OAS Web Administration 3.14
• A new wizard is launched “Welcome to the InstallShield wizard for OAS Web ...”
• Click “Next”
• Read and accept the license agreements
• Click “Next”
• Click “Install” and the installation starts
• Click “Finish” to close this wizard
b. A new window will appear and ask you if you want to reboot your system, click “yes”.
10. Reboot the machine
11. Change the auditing DSN
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Hover over the “SYSTEM” tab and click the “Server Configuration” menu item
e. Select “Auditing”
f. Click the “Edit” Button
g. Click the “+” Button next to the “Database”
• Change the Username to “ias_dbadmin”
• Change the Password to “Test1234”
h. Click on the “Save” button
12. Change the Scenarios DSN
a. Hover over the “SYSTEM” tab and click the “Server Configuration” menu item
b. Select “Scenarios”
c. Click the “Edit” Button
d. Click the “+” Button next to the “Reporting Scenario”
• Change the Username to “ias_dbadmin”
• Change the Password to “Test1234”
e. Click on the “Save” button
13. Install the RADIUS simulator (See Exercise OASEe107 & OASEe109 for full details)
14. Set up a policy named “pOASEe400”
a. Press Windows +Q
b. Search for programs and files for “web” and start “OAS Web Administration” or “https://localhost:8443”
c. Login using the administrator created during installation
• User ID: “iasadmin”
• Password: “Test1234”
d. Select “POLICIES” and click on “Create”
e. Enter the required information
• Policy ID: “pOASEe400”
• Inherits from: “IDENTIKEY Local Authentication with Auto-Unlock”
• Enter a description if desired
15. Link the policy “pOASEe400” to the Radius client (If you do not have a radius client see OASEe120)
a. Point to the tab “CLIENTS”, and select “List”
b. Click on the “RADIUS Client” for location “10.10.200.75” /AWS INTERNAL IP ADDRESS
c. Link the (new) policy to the client
• In the tab “Client”, click on the button “EDIT”
• Select for Policy ID: “pOASEe400”
• Click on “SAVE”
Perform a failing login with the OAS static password with a specific radius client for the RST and policy
This login will fail, as the OAS user does not exist. Because the OAS user does not exist, there is also no OAS static password to be used during the local authentication.
16. Create the user “OASEe400” in the Windows Active Directory (see OASPe020)
17. Perform a FAILING login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe400” with password “Test1234”
b. Verify the related messages
• Check first in the audit viewer for warnings or errors
• Verify the ‘processing’ reason for the failing authentication in the trace file.
Perform a successful login with the OAS static password with a specific radius client for the RST and policy
We will set the OAS password for the OAS user manually. Therefore, the local authentication against the OAS static password will succeed.
18. Open “Active Directory Users and Computers”
a. Press Windows +Q
b. Search for programs and files for “Users” and start “Active Directory Users and Computers” or “dsa.msc”
19. Set the OAS static password for the user ‘OASEe400’
a. Double click on the user “OASEe400”
b. Click on the tab “Digipass User Account”
c. In the frame “Digipass Support”, mark “Enable Digipass”
d. Verify the OAS static password
e. In the frame “Stored Static Password” set the “New Password” and “Confirm Password” to “Test1234”
f. Click on OK
20. Perform a successful login using a PASSWORD (To configure the RST see OASEe109)
a. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe400” with password “Test1234”
b. Verify the related messages
• Check first in the audit viewer for warnings or errors
• Verify the ‘processing’ reason in the trace file
Perform a successful login with an OTP with a specific radius client for the RST and policy
The authentication will succeed as the policy allows DIGIPASS authentication.
21. In the ADUC, import a DIGIPASS
a. In the menu select “View / Advanced Features”
b. Select the “Users” container
c. Right click and select the option “Import Digipass...”
d. Import the “Demo_DP300.dpx” (C:\Program Files\VASCO\IDENTIKEY Authentication Server\dpx)
e. Assign the DIGIPASS to the user “OASEe400”
22. Perform a successful login with a specific policy for the RADIUS Simulator Tool (To configure the RST see OASEe109)
a. Generate a Response Only OTP with a (demo) DIGIPASS (More information on demo DIGIPASS can be found in OASPe050)
b. Authenticate the user with the RADIUS Simulator Tool (RST)
• Click on a NAS Port (Yellow Box)
• Authenticate as User ID “OASEe400” with the DIGIPASS response as password
23. Verify the related messages
a. Check first in the audit viewer for warnings or errors
b. Verify in the trace file
24. Deassign the DIGIPASS
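The RADIUS exchange behind the RST logins in steps 17, 20 and 22 (and the appliance test at the end of exercise OASEe700), as an added Python example that is not part of this exercise document or of the RST or OAS software: an RFC 2865 Access-Request with a PAP-hidden User-Password, a toy server decision covering the lab's reject and accept cases, and the Response Authenticator check a client must perform before trusting an Accept. User ID, password, shared secret and NAS port are the lab values; the in-memory static-password table and the server decision logic are constructed stand-ins, not the OAS implementation.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types used by the RST <-> OAS exchange in this lab.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password (RFC 2865 5.2): pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator. Its strength
    rests entirely on the shared secret, so a value like 'Test1234' is lab-only."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode; strips the NUL padding (so passwords must not end in NUL)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    # One Type-Length-Value attribute; Length counts the two header bytes.
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(user: str, password: str, secret: bytes, nas_port: int,
                         identifier: int = 1, authenticator=None) -> bytes:
    """What clicking a NAS Port in the RST sends: User-Name, hidden User-Password,
    NAS-Port and a fresh random 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def server_response(request: bytes, secret: bytes, static_passwords: dict) -> bytes:
    """Constructed stand-in for the OAS local-authentication decision in this lab: Accept only
    if the user exists and the recovered password equals its stored static password."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, pos = request[4:20], {}, 20
    while pos < length:                       # walk the TLV attribute list
        atype, alen = request[pos], request[pos + 1]
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = pap_decode(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if static_passwords.get(user) == pw else ACCESS_REJECT
    reply = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this toy server
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + ReplyAttrs + Secret)
    return reply + hashlib.md5(reply + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check every RADIUS client must do before trusting an Accept."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(user, password, client_secret, server_secret, static_passwords):
    """One RST-style login; returns (reply code, reply authenticator verified?)."""
    req = build_access_request(user, password, client_secret, nas_port=1)
    resp = server_response(req, server_secret, static_passwords)
    return resp[0], verify_response(resp, req, client_secret)
```

When the RST and the OAS hold different shared secrets, the server recovers a garbled password (Reject) and the client cannot verify the reply, which is why the Shared Secret entered in the RST must match the RADIUS client record in the OAS.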
4.35 OASEe540: System: Relicense the IDENTIKEY server
OAS Tools
Reference Number: OASEe540
Title: System: Relicense the IDENTIKEY server
Est. time to complete: 10 min
Type: Mandatory
Purpose: Update the license of the OneSpan Authentication server
Fast Track
Here you will learn how to replace an (expired) license with a new license.
1. In the web admin, obtain a trial license for the OAS
a. Click on the “HOME” tab
b. Click on the link “Server info”
c. Click on the tab “License”
d. Click on the button “GET LICENSE KEY”, to start the request for the trial license.
e. Load the license by clicking on the “LOAD LICENSE” button
2. Restart the OAS Windows service
Log on to the web admin and check the license expiration date.
4.36 OASEe560: System: Reconfigure the IDENTIKEY Web Admin and define a new IK server
OAS Tools
Reference Number: OASEe560
Title: System: Reconfigure the IDENTIKEY Web Admin and define a new IK server
Est. time to complete: 10 min
Type: Mandatory
Purpose: Change the name of the servers from ‘local_host’ to the actual machine name
Fast Track
The OneSpan Authentication server WebAdmin interface can connect to several remote OASs. In this exercise, you want to change the connection name to the actual machine name and IP address of the remote OAS.
1. Verify that the WebAdmin connects to “10.10.200.75” /AWS INTERNAL IP ADDRESS
a. Log on to the web admin by selecting “10.10.200.75” /AWS INTERNAL IP ADDRESS
b. Here you see the Web Admin’s view on the connection to the OAS
2. Verify the client connection setting for the WebAdmin in the OAS
a. List the clients
b. Select the “Administration Program” for “10.10.200.75” /AWS INTERNAL IP ADDRESS
3. Open a command prompt and go to C:\Program Files\VASCO\IAS Web Administration
4. List the current servers with “admintool server list”
The output will contain the name of the server and the URL of the OAS. Please note that the connections are done over SSL.
Configured servers:
Server: 10.10.200.75/AIIA = https://10.10.200.75/AIIA:8888
5. Delete the local_server “admintool server delete 10.10.200.75/AIIA”
6. Create a new server entry “admintool server add OASDC1 https://10.10.200.75:8888”
7. Restart the WebAdmin Tomcat service. To do so use the tool “Apache Tomcat for OAS Web Administration”
8. To validate the new settings, log into the web admin on the server IKDC1, named OASDC1.
4.37 OASEe700: OAS Authentication Appliance Basic Install
OneSpan Authentication server Appliance
Reference Number: OASEe700
Title: OAS Authentication Appliance Basic Install
Est. time to complete: 20 min
Type: Optional
Purpose: Deploy an IDENTIKEY Appliance
Fast Track
In this exercise, you will do a default set up of an IDENTIKEY Authentication Appliance.
Reset the OAS Appliance to Factory Defaults
Assign the IP address: 10.10.200.77/24 with Gateway: 10.10.200.254 using the rescue tool
Complete the “First Time Configuration Wizard” using the console tool from the “ONESPAN-DC1”
• New Password: Test1234
• Hostname: IDENTIKEY-
• IP address: 10.10.200.77/24
• DNS: 10.10.200.75/AWS INTERNAL IP ADDRESS
• DNS Suffix: onespan.local
• Gateway: 10.10.200.254
Complete the “License wizard” using the console tool from the “ONESPAN-DC1”
Complete the “OAS Setup Wizard” using the console tool from the “ONESPAN-DC1”
• Master Domain: master
• Name conversion: Convert to lower case
• Username: iasadmin
• Password: Test1234
Import a DIGIPASS Go Series
• The DPX files can be found on D:\VASCO\
• The transport key is “11111111111111111111111111111111” (32x1)
Test the OneSpan Authentication server with the use of the radius simulator
Detailed Steps
1. Select the VMware image test of the OAS Appliance.
2. Use the rescue tool to configure the network settings.
The rescue tool is the command line interface available in the VMware window.
To escape the rescue tool in VMware press [CTRL][ALT] to return to the host OS.
3. In the console login with user ‘rescue’
4. Press r for the “Reset Configuration” menu
5. Press f for “Reset to Factory Defaults”
6. Confirm with y
7. The System will reboot
8. Use the rescue tool to configure the network settings.
The rescue tool is the command line interface available in the VMware window.
9. In the console login with user “rescue”
10. Press n for the “Network menu”
11. Press i for “Set System IP address and Subnet”
Assign the IP address: 10.10.200.77/24
12. Press g for “Set Default Gateway”
Gateway: 10.10.200.254
13. Press p for “ping” to test the connection using ping
Use as destination the gateway: 10.10.200.254
14. Select the VMware image “ONESPAN-DC1” of the Windows 2016 Server.
15. We will use the Console Tool to finish the Installation
Navigate with Internet Explorer to “https://10.10.200.77” from your “ONESPAN-DC1” machine
Select “Continue to this website”
16. Select the Appliance Configuration option
17. Login with user “sysadmin”, password “sysadmin”
18. Complete the “First Time Configuration Wizard”
a. You already tested the Appliance network settings, thus click Next to continue
b. Accept the End User License Agreement
c. Accept the Oracle Binary Code License Agreement for Java SE
d. Enter the New Password: Test1234
e. Hostname: IDENTIKEY
f. Network Settings
• IP address: 10.10.200.77/24
• Gateway: 10.10.200.254
• DNS: 10.10.200.75/AWS INTERNAL IP ADDRESS
• DNS Suffix: onespan.local
g. Leave the default ntp server settings
h. (No proxy is needed)
19. Continue with the “License wizard”
a. Download the “systeminfo.txt” file (Download link)
b. Navigate to https://sc.vasco.com/registration
c. Click the evaluation license button
d. Select OneSpan Authentication Server Registration
e. Agree to the Terms and conditions of the EULA
f. Select OAS Physical or Virtual Appliance
g. Complete the fields and upload your “systeminfo.txt” file
h. Download the license.dat file
i. Upload the license
20. Continue with the “OAS Setup Wizard”
a. OAS Settings
• Master Domain: master
• Name conversion: Convert to lower case
b. OAS Administrator
• Username: administrator
• Password: Test1234
21. You can explore the Configtool interface using “https://10.10.200.77/configtool/”
22. Access the OneSpan Authentication server using the Web Administration interface “https://10.10.200.77/webadmin/”
a. Login with user iasadmin, password Test1234
23. Create a new Radius Client
a. Select “CLIENTS” \ “Register” to register a new radius client record
• Type: “Radius Client”
• Location: 10.10.200.75/AWS INTERNAL IP ADDRESS
• Policy ID: “IDENTIKEY Local Authentication with Auto-Unlock”
• Shared Secret: Test1234
24. Import a DIGIPASS Go Series
a. Select “DIGIPASS” \ “Import” (import the DPX file from the OAS installation directory)
b. Select “DIGIPASS” \ “List” to manage your DIGIPASS
c. Click the serial number of the imported DIGIPASS
d. Click the “APPLI 1” tab
e. Disable the server pin in the “Other Actions” drop down
25. Create a new OAS user
a. Select “Users” \ “Create”
• User ID: OASEe700
• Static Password: Test1234
26. Configure the Radius Simulator (If your radius simulator was not yet set up see exercise OASEe107 & OASEe109 for installation details)
a. Update the following values
• Server IP: 10.10.200.77
• Shared Secret: Test1234
• Uncheck “Enable Radius Accounting”
27. Test the authentication server
a. Click on a Yellow square
• User ID: OASEe700
• Password: Test1234
5 Disclaimer
Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions.
Copyright
© 2021 OneSpan. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.
Trademarks
OneSpan®, VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS® and the ® logo are registered or unregistered trademarks of
VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries