Test scenario: Windows back-end authentication
This scenario covers authentication handled by OneSpan Authentication Server using Microsoft Windows for both, only back-end authentication and combining local and back-end authentication. The following logon methods will be covered:
- Using static password. Does not require an authenticator.
- Using Response-Only. Requires an authenticator with a Response-Only application.
- Using Challenge/Response. Requires an authenticator with a Challenge/Response application.
Back-end authentication only
Static password
To test Windows back-end authentication only with static password
-
Make the following changes to the test policy (see Modifying the test policy):
- Policy > Local Authentication: None
- Policy > Back-End Authentication: Always
- Policy > Back-End Protocol: Windows
- Verify that the grace period of the authenticator used for testing is set to a time in the future. If it is not, the static password logon will fail.
- Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator), using the user ID and stored static password.
Local and back-end authentication
Static password
To test local and Windows back-end authentication with static password
-
Make the following changes to the test policy (see Modifying the test policy):
- Policy > Local Authentication: DIGIPASS/Password during Grace Period
- Policy > Back-End Authentication: Always
- Policy > Back-End Protocol: Windows
- Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator) using the user ID and stored static password.
Response-only
To test local and Windows back-end authentication with Response-Only
-
Make the following changes to the test policy (see Modifying the test policy):
- Policy > Local Authentication: DIGIPASS/Password during Grace Period
- Policy > Back-End Authentication: Always
- Policy > Back-End Protocol: Windows
- User > Stored Password Proxy: Yes
- DIGIPASS > Application Type: Response Only
- Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator), using the user ID and the OTP generated by your authenticator.
Challenge/response
To test local and Windows back-end authentication with Challenge/Response
-
Make the following changes to the test policy (see Modifying the test policy):
- Policy > Local Authentication: DIGIPASS/Password during Grace Period
- Policy > Back-End Authentication: Always
- Policy > Back-End Protocol: Windows
- User > Stored Password Proxy: Yes
- DIGIPASS > Application Type: Challenge/Response
- Challenge > 2-step Challenge/Response > Request Method: Keyword
- Challenge > 2-step Challenge/Response > Request Keyword: 2StepCR
-
Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator):
- Enter the user ID and the keyword (2StepCR) in RADIUS Client Simulator.
- Enter the challenge provided by RADIUS Client Simulator into your authenticator.
- Enter the same user ID and the response provided by your authenticator in RADIUS Client Simulator.