Configuring OneSpan Authentication Server

The Administration Web Interface is the main administration tool for OneSpan Authentication Server. It can be used to manage authenticator user accounts and authenticator records, and to configure various settings and connections.

For more information, refer to the OneSpan Authentication Server Product Guide.

Creating a test policy

The test scenarios assume that a test policy has been created.

To create a test policy

  1. Log on to the Administration Web Interface.
  2. Select POLICIES > Create.
  3. Configure the test policy settings:

    1. Policy ID: Test Policy
    2. Description: My test policy
    3. Inherits from: Identikey Local Authentication
  4. Click SUBMIT.

Setting up a client record

Configure the default RADIUS client record to use the test policy created in Creating a test policy. The RADIUS Client Simulator application will use this component record.

To assign the test policy to the RADIUS client component

  1. Log on to the Administration Web Interface.
  2. Select CLIENTS > List.
  3. Select the default RADIUS client component in the list and click CHANGE POLICY.
  4. Select the test policy in the Policy ID list and click YES.

The shared secrets for the default RADIUS client record and the RADIUS Client Simulator are both set to default.

Creating a RADIUS back-end server record

This task is only required if you want to test back-end authentication with a RADIUS server (see Test scenario: RADIUS back-end authentication).

OneSpan Authentication Server needs to be able to locate the RADIUS server. This requires a back-end server record in the data store.

To create a new RADIUS back-end server record

  1. Log on to the Administration Web Interface.
  2. Select BACK-END > Register RADIUS Back-End.
  3. Enter the following data:

    • Back-End Server ID: An identifier for the RADIUS server.
    • Domain Name: Use master if the RADIUS server should process authentication requests from all domains; otherwise, enter a specific domain.
    • Priority: Use this if you want to define multiple back-end servers for failover reasons – the one with the highest priority will be used first.
    • Authentication IP Address: The IP address that the RADIUS server is using for authentication requests.
    • Authentication Port: The port that the RADIUS server is using for authentication requests.
    • Accounting IP Address: The IP address that the RADIUS server is using for accounting requests.
    • Accounting Port: The port that the RADIUS server is using for accounting requests.
    • Shared Secret: The shared secret of the RADIUS server.
    • Timeout (seconds): Timeout value for the connection to the RADIUS server.
    • Retries: Number of retries before abandoning attempts to send an authentication request to the RADIUS server.
    • Character Encoding: Encoding/locale format required by the RADIUS server.
    • Include Realm: Determines whether to include the realm in the userName RADIUS attribute of an authentication request.
    • Custom Realm: The realm to be included in the userName RADIUS attribute of an authentication request.
  4. Click SUBMIT.

Importing user records

Demo users can be used for testing purposes. OneSpan Authentication Server provides a sample user import file (userimport.csv) for this purpose:

  • On Windows, this file is located in %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\DPX by default.
  • On Linux, this file is located in /opt/vasco/ias/templates/identikey by default.

To import a user import file

  1. Log on to the Administration Web Interface.
  2. Select USERS > Import.
  3. Click Browse and select the user import file. Click UPLOAD.
  4. Complete the remaining steps with the default settings.

When importing user records via a comma-separated values (CSV) file, the password must meet the password complexity requirements of the policy. If a user account is created without a password, the password field must be omitted.

Importing authenticator records

Before an authenticator can be assigned to a user, the corresponding authenticator record must be imported into the data store. This record includes all important information about the authenticator, including its serial number, authenticator applications, and programming information. This information is sent to you as a DIGIPASS export file (DPX).

Demo authenticators can be used for testing. OneSpan Authentication Server provides sample authenticator import files:

  • On Windows, those files are located in %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\DPX by default.
  • On Linux, those files are located in /opt/vasco/ias/dpx by default.

To import authenticator records (in bulk) from a DIGIPASS export file (DPX)

  1. Log on to the Administration Web Interface.
  2. Select DIGIPASS > Import DPX.
  3. Click Browse and select the DPX.
  4. Enter the transport key.

    For the installed demo DPX files, this is 11111111111111111111111111111111 (press the 1 key 32 times).

  5. Click UPLOAD.
  6. In the Applications tab verify that all applications are selected.
  7. Complete the remaining steps with the default settings.

Assigning authenticators to test users

Before users can use an authenticator to log in, the authenticators must be assigned to their user accounts.

To assign an authenticator record to the test user account

  1. Log on to the Administration Web Interface.
  2. Select USERS > Assign DIGIPASS.
  3. Keep the default settings and click SEARCH.
  4. Click the checkbox to select the respective user and click Next.
  5. In the Search DIGIPASS tab, keep the default settings and click SEARCH.
  6. If more than one authenticator is available, click the checkbox to select a particular authenticator and click Next.
  7. In the Options tab, click ASSIGN.
  8. Click FINISH.