Latest revision as of 12:52, 11 May 2017

Overview

The Swivel Windows Phone 7 Mobile client allows the storage of 100 security strings on a Windows Phone 7 (and 7.5). The PIN is not stored on the phone. Requesting a top up from the Swivel server resets all the security strings on the mobile phone. You can use the device to get one-time codes for Swivel login and PIN change. The app is available for Windows 7 Phones as Swivel, for Windows 8 phones use the Swivel Mobile Client.

Prerequisites

This application is for phones running Windows Phone 7.x only

User must have Mobile Phone Client or Swivlet enabled to use this Application

The Swivel server must be reachable from the mobile phone to receive security strings

The index is required to be entered as nn on the end eaxample: 292401, Swivel versions earlier than 3.10 require ,nn example: 2924,01 otherwise it will see it as a dual channel authentication.

This application is compatible with versions of Swivel from 3.2 onwards. To download security strings from Swivel versions 3.8 onwards, the phone must be provisioned first. For versions 3.7 and earlier, provisioning is not required or supported.

Appliances using Swivel 3.8 may require an upgrade on their proxy to provision a mobile device, see Appliance Proxy Server Upgrade

RADIUS authentications made against Swivel must use PAP RADIUS authentication since with other RADIUS protocols such as CHAP and MSCHAP the access device requests the OTC from Swivel.

Mobile App Store versions

• "Swivel Mobile Client" which is compatible with Windows 8 phones but not Windows 7 phones.

• "Swivel" which is compatible with Windows 7 phones but not Windows 8 phones.

• "Swivel Mobile" which is compatible with both Windows 8 phone only and not a Windows 7 phone.

Swivel Configuration

Configuring Mobile Client user access on the Swivel appliance

To allow a user to authenticate using a One Time Code from the Mobile Phone Client, the user must have the Mobile Client authentication enabled. To do this on the Swivel Administration console ensure that the group they are part of has access to the Mobile Client under Repository Groups.

Configuring the Swivel Authentication

Swivel can authenticate users using the mobile client to authenticate by RADIUS or Agent-XML authentication

• For RADIUS authentication see RADIUS Configuration Note: The access device must be configured to use PAP for authentication.

• For Agent-XML authentication see XML Authentication Configuration

Mobile Provisioning

Swivel 3.8 and higher requires each mobile phone to be provisioned so it can be uniquely identified. Ensure that all Mobile Client users have suitable Transports configured to receive their Mobile Provision Code. To provision the mobile client select the user and click Re-provision. Earlier versions of Swivel do not need to use a Mobile Provision Code. See Mobile Provision Code.

Mobile Client Policies

For the Server based policies see Mobile Client Policies

Getting the Application

The application must be downloaded from Windows Marketplace. Search for "Swivel".

Using the Application

When you start the application, you will see the following screen:

Help is available from the application on all pages by pressing the ? button at the top right.

The first time this application is used, it must be configured with the details of the Swivel server. If a SSD server is being used, then select Get Server Settings and enter the Server ID, otherwise the settings can be manually entered with information from the Swivel System administrator by choosing the Configuration. Your administrator will provide you with these.

Once the Swivel server details are configured, for Swivel version 3.8 or later, you must provision your phone before you can request security strings. Press Provision to provision this phone with the Swivel server. You will need to request a Mobile Provision Code from your helpdesk, which must be used immediately. The code will be sent either to your phone as an SMS, or via email, depending on how your Swivel server is configured. Provisioning is not necessary for versions of Swivel earlier than 3.8.

Once the phone is provisioned, you can request new security strings. Press the Top Up button to do this. Your phone will be pre-loaded with 100 new security strings.

Once you have carried out the 3 steps above, you can use the Authentication button to request security strings one at a time for Swivel authentication. Your phone will not need to connect to the Swivel server again until you have used all your strings.

Configuration

Enter the Swivel server details on this page.

You will need to get the server details from your system administrator.

WARNING: the "Allow self-signed" option does not work. Unfortunately, there is no way on a Windows Phone 7.x to connect to a web server over HTTPS if the SSL certificate is not valid. There may also be a problem with some servers, even if the certificate is valid, due to an issue with TLS Server Name Indication (SNI). This has been observed and fixed on the Swivel Taskbar client for Windows 7 (desktop), but unfortunately the same fix cannot be used on Windows Phone. In this case, the only fix is on the server side: either disable HTTPS or ensure that the server (or firewall if Swivel is being proxied) either has SNI (or TLS) disabled, or has the correct server name(s) configured.

Provisioning

Before you can request security strings, you must provision your phone with the PINsafe server (PINsafe version 3.8 or later). Make sure that the phone is properly configured with the Swivel server details before doing this.

Ask your administrator or helpdesk to send you a provision code. You will receive this via SMS or email, depending on the configuration of your Swivel server. You must enter this code into this phone as soon as you receive it, as it has a limited lifespan.

Top Up

Use this page to request more security strings. Before you do this, make sure your phone is correctly provisioned with the PINsafe server (PINsafe version 3.8 or later).

Click Top Up to request more strings. If successful, you will be sent 100 new strings. Any previous strings you had been issued with will no longer be valid.

Authentication

To get the next available security string, click Get Next String. You will be shown the next string and its index.

To authenticate, calculate your one-time code from the security string, then append "," and the 2-digit index shown.

For example, if the security string is "2468013579", the index is "02" and your PIN is 1357, the authentication code will be "2603,02".

Change PIN

To change your PIN, you need to apply the same process to both the current and the new PIN. Use the same security string for both PIN's.

For example to use the string above to change your PIN, if your existing PIN is 1357 and your new PIN will be 2468, use "2603,02" as your old one-time code, and "4815,02" as your new one-time code.

Known Issues

Allow self-signed Certificate does not work with the Windows Phone, where HTTPS is used a valid certificate must be used.

Windows Phone does not support connecting to HTTPS servers with certificate errors. If you are publishing a Swivel server using HTTPS, make sure that the certificate is valid, and that you use the correct host name when configuring the client.

If you are using a proxy server that supports TLS for HTTPS connections, be aware that you must configure the correct host name for server name indication (SNI), or the phone will reject the connection. There is no way to disable this, or to force the connection to use SSL instead of TLS.

We have had reports that this application is not available in all markets. To the best of our knowledge, the application should be available in all countries supported by the Microsoft Market Place, but if you have difficulty finding the application in your country, please let us know through support@swivelsecure.com, so that we can investigate the problem.

Troubleshooting

The remote server returned an error: Notfound

The Swivel server cannot be contacted. This may be due to certificate errors described above.

Login fails and User receives a security string or One Time Code by SMS or email at each login attempt. The index is required to be entered as nn or ,nn example 2924,01 otherwise it will see it as a dual channel authentication.