Password How to Guide

From Swivel Knowledgebase Wiki


Overview

PINsafe can use a static password in addition to a One Time Code. The static password makes shoulder surfing less effective, since an observer cannot easily tell where the password ends and the OTC begins, nor how long each part is. When a PINsafe password is set for a user, it must be used.


Passwords

There are two types of password that PINsafe can use in addition to the One Time Code:

1. A PINsafe password, set on the PINsafe server.

2. A Repository password, defined on the repository such as AD or LDAP. This is used with the 'Check password with repository' option on the PINsafe server under Policy/Password.


Check password with repository

From PINsafe 3.8 onwards the option for Check Password with Repository is applied for an agent or RADIUS NAS entry.

For PINsafe versions prior to PINsafe 3.8, the Check Password with Repository is a global option located under Policy then Password.

When this option is selected the user must enter their password with their OTC. If the repository is an external one such as AD, they must enter their AD password. If there is a PINsafe password then this must be entered. If the PINsafe password is not set, the password part of the field should be left empty, see below.

The local XML repository does not have a password field, so a password cannot be set for the XML repository data source. It is possible to set a password for the user in the PINsafe data store instead. When Check password with repository is used with the XML repository, the Reset Password option is greyed out and not selectable, since there is no XML repository data source password to reset.

Note: For Active Directory, the username must be passed to AD as username@domain (the UPN) in order to authenticate via LDAP. This can be achieved by entering the administrator or service account username in the repository configuration as administrator@domain.name rather than just administrator (or the bare service account name): PINsafe will then automatically append that domain to the username when authenticating to AD, if the user has not specified one.

Image:PINsafe 38 NAS.jpg


PINsafe Password

A password defined on the PINsafe administration console.


External Repository Password

PINsafe does not know what this password is and cannot change it. However PINsafe can check if a password entered by the user is correct by making an LDAP bind against the AD or LDAP server. This is used with the 'Check password with repository' option on the PINsafe server under Policy/Password.

Note: When Check Password with Repository is used together with RADIUS, the RADIUS authentication method must be set to PAP. CHAP, MSCHAP and MSCHAP v2 will not work, because those methods require the authentication server to hold the user's password (or its hash) to verify the challenge response, whereas PINsafe can only test the password by attempting an LDAP bind with it. See the RADIUS How To Guide.

Note: the local XML Repository does not have a password; passwords that are set for its users are stored in the PINsafe Data Store.


Where do I use the Passwords

How a password is used is highly configurable and can be adapted to suit a given environment, so the password to enter varies with each deployment. The common use cases are listed below.

1. An access device may have only a single RADIUS password field for authentication, in which case the password is entered together with the One Time Code in the format:

 Password Field:  passwordOTC

2. Where PINsafe is defined as a secondary authentication server, it is usual to have the LDAP or AD server defined as the Primary password field, usually to enable sign on to AD/LDAP resources, and the PINsafe field used just for a One Time Code.

 Primary Password Field 1:  AD or LDAP Password
 Secondary Password Field 2:  OTC

3. Where the 'Check password with repository' option is used then the password is entered with the One Time Code in the format:

 Password Field: passwordOTC
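The following Python model, added here as an illustration and not Swivel's own code, ties together the two rules described above: the username is qualified to username@domain using the domain taken from the service account UPN (the Active Directory note under Check password with repository), and the single RADIUS field is split into password and OTC before each part is verified. The OTC length, the in-memory directory standing in for an AD/LDAP bind, and all user names and passwords are constructed assumptions; PINsafe's real internals are not documented on this page.

```python
"""Model of the passwordOTC field handling described on this page.

Added example, not Swivel/PINsafe code. OTC_LENGTH and FAKE_DIRECTORY
are assumptions constructed for the illustration.
"""
import hmac
from typing import Optional, Tuple

# Assumption: the One Time Code is a fixed-length suffix of the field.
OTC_LENGTH = 4

# Constructed stand-in for an AD/LDAP repository: UPN -> password.
# In a real deployment repository_bind() would perform an LDAP simple bind.
FAKE_DIRECTORY = {
    "alice@example.local": "Winter2024!",
}


def qualify_username(username: str, service_account: str) -> str:
    """Return username@domain, taking the domain from the service account UPN
    when the user did not supply one (the AD note on this page)."""
    if "@" in username:
        return username
    if "@" not in service_account:
        raise ValueError(
            "service account must be a UPN (administrator@domain) to derive the domain"
        )
    domain = service_account.split("@", 1)[1]
    return f"{username}@{domain}"


def repository_bind(upn: str, password: str) -> bool:
    """Stand-in for an LDAP bind: True only if the directory accepts the password."""
    expected = FAKE_DIRECTORY.get(upn)
    if expected is None:
        return False
    # Constant-time comparison so a wrong password does not leak by timing.
    return hmac.compare_digest(expected.encode(), password.encode())


def split_password_field(field: str) -> Tuple[str, str]:
    """Split 'passwordOTC' into (password, otc).

    An empty password part is legitimate: the page says the field is left
    empty (i.e. only the OTC is sent) when no PINsafe password is set.
    """
    if len(field) < OTC_LENGTH:
        raise ValueError("field is shorter than the OTC")
    return field[:-OTC_LENGTH], field[-OTC_LENGTH:]


def authenticate(
    username: str,
    field: str,
    expected_otc: str,
    *,
    service_account: str,
    external_repository: bool = True,
    pinsafe_password: Optional[str] = None,
) -> bool:
    """Verify a single-field login.

    external_repository=True models 'Check password with repository' against
    AD/LDAP; False models the XML repository, where the password (if any)
    lives in the PINsafe data store and must match exactly, or be empty.
    """
    password, otc = split_password_field(field)
    if not hmac.compare_digest(expected_otc.encode(), otc.encode()):
        return False
    if external_repository:
        upn = qualify_username(username, service_account)
        return repository_bind(upn, password)
    if pinsafe_password is not None:
        return hmac.compare_digest(pinsafe_password.encode(), password.encode())
    return password == ""


if __name__ == "__main__":
    ok = authenticate(
        "alice", "Winter2024!1234", "1234",
        service_account="administrator@example.local",
    )
    print("alice via AD bind:", ok)
```

Note that the split relies on the OTC having a known length; with a variable-length OTC the server would need another delimiter, which is exactly the boundary the page says a shoulder surfer cannot see.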


Troubleshooting

Error Messages

x.x.x.x Identifier:Failed to get LDAP context for username@domain

The password could not be verified against the LDAP data source when using Check Password with Repository. This can be caused by an incorrect password being entered, or by the username not being recognised by the directory. When using AD, try setting the username in the AD server settings on the PINsafe Administration console to the UPN form (administrator@domain.name).
