Challenge and Response How to Guide
From Swivel Knowledgebase Wiki
Challenge and Response Authentication
Introduction
In Challenge and Response authentication, a user enters a password (see Password How to Guide); if it is correct, the user is automatically sent a One Time Code for authentication by their transport (see On Demand Authentication). The benefit of Challenge and Response authentication is that Transport delivery is password protected against malicious requests. See also Challenge response.
Prerequisites
PINsafe 3.7
Access Device which supports RADIUS Challenge and Response
Dual Channel authentication
Baseline
PINsafe 3.7
Architecture
PINsafe is configured as a RADIUS server. When a password is successfully entered, the user is sent a One Time Code by their defined transport.
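The two-stage exchange described above, modelled in Python as an added example (not PINsafe code and not part of the original guide). It shows that a failed password produces an Access-Reject and no transport delivery. The class name, the sample user and password, and the random six-digit code are assumptions; the packet codes are from RFC 2865.

```python
import hmac
import secrets

# RADIUS packet codes from RFC 2865
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11

class TwoStageServer:
    """Toy model of a two-stage RADIUS server (hypothetical, not PINsafe code)."""

    def __init__(self, passwords):
        self.passwords = passwords   # constructed sample credentials
        self.pending = {}            # State value -> (username, one time code)
        self.sent = []               # stands in for the SMS/e-mail transport

    def handle(self, username, credential, state=None):
        if state is None:
            return self._stage_one(username, credential)
        return self._stage_two(username, credential, state)

    def _stage_one(self, username, password):
        expected = self.passwords.get(username)
        if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
            # Wrong password: reject and deliver nothing, so a request
            # without the password cannot trigger transport messages.
            return ACCESS_REJECT, None
        code = f"{secrets.randbelow(10**6):06d}"   # assumed code format
        state = secrets.token_hex(16)              # RADIUS State attribute value
        self.pending[state] = (username, code)
        self.sent.append((username, code))
        return ACCESS_CHALLENGE, state

    def _stage_two(self, username, code, state):
        entry = self.pending.pop(state, None)      # each challenge is single use
        if entry is None or entry[0] != username:
            return ACCESS_REJECT, None
        ok = hmac.compare_digest(code.encode(), entry[1].encode())
        return (ACCESS_ACCEPT if ok else ACCESS_REJECT), None

def demo():
    srv = TwoStageServer({"alice": "correct horse"})    # constructed sample user
    replies = [srv.handle("alice", "guess")[0]]         # bad password
    sent_after_bad = len(srv.sent)
    reply, state = srv.handle("alice", "correct horse") # stage one
    replies.append(reply)
    code = srv.sent[-1][1]                              # code as delivered to the user
    replies.append(srv.handle("alice", code, state)[0]) # stage two
    replies.append(srv.handle("alice", code, state)[0]) # replay of the same State
    return replies, sent_after_bad
```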
Installation
Configure the PINsafe server and Access Device for Dual Channel Authentication. Ensure either the user has a PINsafe password, or that Check password with repository is enabled.
Challenge and Response PINsafe 3.8 onwards
For PINsafe 3.8, Challenge and Response Authentication is used when Two Stage Authentication is enabled. On the PINsafe Administration Console, select RADIUS/NAS, then set Two Stage Auth to Yes.
Challenge and response PINsafe 3.7
On the PINsafe Administration Console server, select RADIUS/Server and ensure Use Challenge/Response is set to Yes, then click on Apply.
On the PINsafe Administration Console server, select RADIUS/NAS and the Access Device for which two stage authentication is required. Set Two Stage Auth to Yes and click on Apply.
SMS Configuration
On the PINsafe Administration Console server, select Server/Dual Channel. For delivery of a new security string upon entering a correct password, ensure On-Demand Authentication is set to Yes, then click on Apply.
Verifying the Installation
Check the PINsafe logs
Check the Access Device logs
Troubleshooting
View the user's security string to ensure the correct security string is being used.
Ensure authentication is working with standard authentication.
Error Messages
RADIUS: <0> Access-Request(1) LEN=64 x.x.x.x:1265 Access-Request by username Failed: AccessRejectException: Two Stage Password Fail
x.x.x.x Identifier:Failed to get LDAP context for username@domain
The check password with repository is failing for the first stage of two stage authentication. This could be due to an incorrect password being entered or not recognised. On the PINsafe Administration Console, when using AD, try setting the AD server settings username to the UPN name.
Known Issues and Limitations
Additional Information
For assistance with PINsafe installation and configuration, please first contact your reseller and then email Swivel Secure support at support@swivelsecure.com.


