Test scenario: Management features

These scenarios cover basic management features in OneSpan Authentication Server.

Managing users with auto-assignment

If maker–checker authorization is enabled, assigning an authenticator requires the approval of a checker administrator. In that case, auto-assignment is not available.

To test auto-assignment

  1. Log on to the Administration Web Interface.
  2. Select CLIENTS > List.
  3. Locate the client record for the RADIUS Client Simulator application and ensure that Test Policy is applied (Policy ID column).
  4. Make the following changes to the test policy (see Modifying the test policy):

    • Policy > Local Authentication: DIGIPASS/Password during Grace Period
    • Policy > Back-End Authentication: Always
    • Policy > Back-End Protocol: RADIUS
    • User > Password Auto-learn: Yes
    • User > Stored Password Proxy: Yes
    • User > Dynamic User Registration: No
    • DIGIPASS > Assignment Mode: Neither
    • DIGIPASS > Grace Period (days): 7
    • DIGIPASS > Search Upwards in Org. Unit Hierarchy: Yes
    • DIGIPASS > Application Type: No Restriction
  5. Create a user account in the RADIUS server, or use an existing one, that does not currently have a corresponding user account in the OneSpan Authentication Server instance.
  6. Verify that at least one unassigned authenticator is available.
  7. Test auto-assignment.

    In this test, both Dynamic User Registration (DUR) and auto-assignment should fail, meaning that no user account will be created and no authenticator will be assigned to the user. This shows that the OneSpan Authentication Server record has been configured successfully.

    Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator):

    1. Enter the user ID for the RADIUS server user account you created earlier in the User ID field.
    2. Enter the password of the RADIUS server user account.
    3. Click Login.

      The Status information field will indicate the success or failure of your logon.

  8. Verify the test results.

    To test whether a user account has been created, search for the user account record in the Administration Web Interface.

    If it does not exist, the test has been successful.

  9. Make the following changes to the test policy (see Modifying the test policy):

    • User > Dynamic User Registration: Yes
    • DIGIPASS > Assignment Mode: Auto-Assignment
  10. Test auto-assignment a second time.

    In this test, both Dynamic User Registration (DUR) and auto-assignment should succeed, meaning that a user account will be created, and an available authenticator will be assigned to the user.

    Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator):

    1. Enter the user ID for the RADIUS server user account you created earlier in the User ID field.
    2. Enter the password for the user account.
    3. Click Login.

      The Status information field will indicate the success or failure of your logon.

  11. Verify the test results:

    1. To test whether a user account has been created, search for the user account record in the Administration Web Interface.
    2. Verify whether an authenticator has been assigned to the user:

      1. Click Assigned DIGIPASS.

        If an authenticator is listed, the user has been assigned the listed authenticator.

      2. Verify the grace period end field to see that a grace period of the correct length (7 days) has been set.
  12. Verify the grace period:

    1. Password logon. Using RADIUS Client Simulator, attempt a logon using the RADIUS server user ID and password only. If the grace period is still effective, this should be successful.
    2. OTP logon. Using RADIUS Client Simulator, attempt a logon using the RADIUS Server user ID and OTP. This should be successful.
    3. Password logon. Using RADIUS Client Simulator, attempt a logon using the RADIUS Server user ID and password only. Since the logon using an OTP in the previous step should have ended the grace period for the authenticator, this logon should fail.
    4. Check the grace period end in the user record. It should contain the current date.

Managing users with self-assignment

To complete this test scenario, you need to have an authenticator physically available, and free to be assigned to a test user account.

To test self-assignment

  1. Log on to the Administration Web Interface.
  2. Make the following changes to the test policy (see Modifying the test policy):

    • User > Dynamic User Registration: No
    • DIGIPASS > Assignment Mode: Neither
    • DIGIPASS > Search Upwards in Org. Unit Hierarchy: Yes
    • DIGIPASS > Serial No. Separator: - (hyphen)
  3. Create a new user account in the RADIUS server, or use an existing one, that does not currently have a corresponding user account in the OneSpan Authentication Server database.
  4. Check that the desired authenticator is in the authenticator container and unassigned.
  5. Test self-assignment.

    In this test, both Dynamic User Registration (DUR) and self-assignment should fail, meaning that a user account will not be created, and the selected authenticator will not be assigned to the user.

    Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator):

    1. Select any port in the Simulated NAS Ports group.
    2. Enter the user ID for the RADIUS server user account you created earlier in the User ID field.
    3. Enter the serial number of the authenticator, the separator, the password of the RADIUS server user account, a server PIN (if required), and an OTP generated by the authenticator into the Password field, e.g. 98765432-password12340098787.

      For more information, refer to the OneSpan Authentication Server Administrator Reference, Section "Login Permutations".

    4. Click Login.

      The Status information field will indicate the success or failure of your logon.

  6. Verify the test results.

    A successful test should result in a failed logon and no new user account created in the OneSpan Authentication Server database. To test whether a user account has been created, search for the user account record in the Administration Web Interface.

  7. Make the following changes to the test policy (see Modifying the test policy):

    • User > Dynamic User Registration: Yes
    • DIGIPASS > Assignment Mode: Self-Assignment
  8. Test self-assignment a second time.

    In this test, both Dynamic User Registration (DUR) and self-assignment should succeed, meaning that a user account will be created in the OneSpan Authentication Server database, and the intended authenticator will be assigned to the user.

    Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator):

    1. Select any port in the Simulated NAS Ports group.
    2. Enter the user ID for the RADIUS server user account you created earlier in the User ID field.
    3. Enter the serial number of the authenticator, the separator, the password of the RADIUS server user account, a server PIN (if required), and an OTP generated by the authenticator into the Password field, e.g. 98765432-password12340098787.
    4. Click Login.

      The Status information field will indicate the success or failure of your logon.

  9. Verify the test results.

    1. To test whether a user account has been created, search for the user account record in the Administration Web Interface.
    2. Verify whether an authenticator has been assigned to the user:

      1. Click Assigned DIGIPASS.

        If an authenticator is listed, the user has been assigned the listed authenticator.

      2. Verify that no grace period has been set.
  10. Perform a test password logon.

    Using RADIUS Client Simulator, attempt a logon using the RADIUS server user account and password only. This should fail, as a grace period is not set for self-assignment.

  11. Perform a test OTP logon.

    Using RADIUS Client Simulator, attempt a logon using the RADIUS server user account and OTP. This should be successful.
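
The expected outcomes of both scenarios above, written as a small Python model that can be used as a checklist against the RADIUS Client Simulator results. This is an added example, not OneSpan code: the `Policy` and `Server` classes, the `scenario` function, the user ID `testuser` and the start date are constructed for illustration, and the model covers only the setting combinations these scenarios use.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Policy:
    dur: bool              # User > Dynamic User Registration
    mode: str              # DIGIPASS > Assignment Mode
    grace_days: int = 7    # DIGIPASS > Grace Period (days)

@dataclass
class Server:
    policy: Policy
    grace_end: dict = field(default_factory=dict)  # user ID -> grace period end, or None

    def logon(self, user, password_ok, otp_ok, today):
        """password_ok: back end accepted the password; otp_ok: a valid OTP was supplied."""
        if user not in self.grace_end:
            if not self.policy.dur or not password_ok:
                return False                       # DUR off: no account is created
            if self.policy.mode == "Auto-Assignment":
                self.grace_end[user] = today + timedelta(days=self.policy.grace_days)
            elif self.policy.mode == "Self-Assignment" and otp_ok:
                self.grace_end[user] = None        # self-assignment sets no grace period
            else:
                raise NotImplementedError("combination not covered by these scenarios")
            return True
        end = self.grace_end[user]
        if otp_ok:
            if end is not None and end > today:
                self.grace_end[user] = today       # first OTP logon ends the grace period
            return True
        return password_ok and end is not None and today < end

def scenario(mode, today=date(2024, 1, 10)):       # constructed start date
    """Replay the steps for "Auto-Assignment" or "Self-Assignment"."""
    otp_first = mode == "Self-Assignment"          # these logons carry serial number and OTP
    s = Server(Policy(dur=False, mode="Neither"))
    first = s.logon("testuser", True, otp_first, today)    # first test: must fail
    created = "testuser" in s.grace_end                    # must be False
    s.policy = Policy(dur=True, mode=mode)
    second = s.logon("testuser", True, otp_first, today)   # second test: must succeed
    grace = s.grace_end["testuser"]
    later = today + timedelta(days=1)
    follow_up = [s.logon("testuser", True, False, later),  # password only
                 s.logon("testuser", False, True, later),  # OTP
                 s.logon("testuser", True, False, later)]  # password only again
    return first, created, second, grace, follow_up, s.grace_end["testuser"]
```

For auto-assignment the follow-up logons come out as success, success, failure and the grace period end moves to the day of the OTP logon; for self-assignment the password-only logons fail from the start because no grace period exists.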