CRYPTO-MAP
™
CRYPTO-MAP (Managed Authentication Portal)
Administration Guide
CRYPTO-MAP Administration Guide
1
Proprietary Notice
License and Warranty Information
CRYPTOCard Inc. and its affiliates retain all ownership rights to the computer program described in this manual, other computer
programs offered by the company (hereinafter called CRYPTOCard) and any documentation accompanying those programs. Use
of CRYPTOCard software is governed by the license agreement accompanying your original media. CRYPTOCard software source
code is a confidential trade secret of CRYPTOCard. You may not attempt to decipher, de-compile, develop, or otherwise reverse
engineer CRYPTOCard software, or allow others to do so. Information needed to achieve interoperability with products from
other manufacturers may be obtained from CRYPTOCard upon request.
This manual, as well as the software described in it, is furnished under license and may only be used or copied in accordance
with the terms of such license. The material in this manual is furnished for information use only, is subject to change without
notice, and should not be construed as a commitment by CRYPTOCard. CRYPTOCard assumes no liability for any errors or
inaccuracies that may appear in this document. Except as permitted by such license, no part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, recording or
otherwise, without the prior written consent of CRYPTOCard.
CRYPTOCard reserves the right to make changes in design or to make changes or improvements to these products without
incurring the obligation to apply such changes or improvements to products previously manufactured. The foregoing is in lieu of
all other warranties expressed or implied by any applicable laws. CRYPTOCard does not assume or authorize, nor has it
authorized any person to assume for it, any other obligation or liability in connection with the sale or service of these products.
In no event shall CRYPTOCard or any of its agents be responsible for special, incidental, or consequential damages arising from
the use of these products or arising from any breach of warranty, breach of contract, negligence, or any other legal theory.
Such damages include, but are not limited to, loss of profits or revenue, loss of use of these products or any associated
equipment, cost of capital, cost of any substitute equipment, facilities or services, downtime costs, or claims of customers of the
Purchaser for such damages. The Purchaser may have other rights under existing federal, state, or provincial laws in the USA,
Canada, or other countries or jurisdictions, and where such laws prohibit any terms of this warranty, they are deemed null and
void, but the remainder of the warranty shall remain in effect.
Customer Obligation
Shipping Damage: The purchaser must examine the goods upon receipt and any visible damage should immediately be
reported to the carrier so that a claim can be made. Purchasers should also notify CRYPTOCard of such damage. The customer
should verify that the goods operate correctly and report any deficiencies to CRYPTOCard within 30 days of delivery. In all
cases, the customer should notify CRYPTOCard prior to returning goods. Goods returned under the terms of this warranty must
be carefully packaged for shipment to avoid physical damage using materials and methods equal to or better than those with
which the goods were originally shipped to the purchaser. Charges for insurance and shipping to the repair facility are the
responsibility of the purchaser. CRYPTOCard will pay return charges for units repaired or replaced under the terms of this
warranty.
Copyright
Copyright © 2010, CRYPTOCard Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written
permission of CRYPTOCard Inc.
Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-Shield, CRYPTO-MAS, are
either registered trademarks or trademarks of CRYPTOCard Inc. Java is a registered trademarks of Sun Microsystems, Inc.;
Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. SecurID is a registered
trademark of RSA Security. All other trademarks, trade names, service marks, service names, product names, and images
mentioned and/or used herein belong to their respective owners.
CRYPTO-MAP Administration Guide
2
Additional Information, Assistance, or Comments
CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your
network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment
procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for
network users. We can also help you leverage your existing network equipment and systems to maximize your return on
investment. This support service is available from your first evaluation system download.
CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product
through a CRYPTOCard channel partner, please contact your reseller directly for support needs.
Contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
Email: support@cryptocard.com
For information about obtaining a support contract, see our Support Web page at:
http://www.cryptocard.com/support/cryptocardannualsupportandmaintenance/
Related Documentation
Refer to the Technical Documentation section of the CRYPTOCard website for additional documentation and interoperability
guides: http://www.cryptocard.com/support/technicaldocumentation/
CRYPTO-MAP Administration Guide
3
Solution Overview
Summary
Product Name
CRYPTO-MAS
Vendor Site
http://www.cryptocard.com
CRYPTOCard Product Requirements
Supported Token types
KT-1, KT-2, RB-1, ST-1, ST-A, BlackBerry, SMS (WT-3)
CRYPTO-MAP Administration Guide
4
Table of Contents
Solution Overview .......................................................................................................................................... 4
Introduction ................................................................................................................................................... 6
1. Accessing MAP ........................................................................................................................................... 7
2. Establishing a New Organization in MAS .................................................................................................... 8
3. Removing an Organization in MAS ........................................................................................................... 13
1. User Management .................................................................................................................................... 14
1.1.
1.2.
1.3.
1.4.
1.5.
1.6.
Add a User to an Organization ........................................................................................... 15
Importing users into an Organization ................................................................................. 16
Deleting Users ................................................................................................................. 16
Editing User Information ................................................................................................... 16
Designating a User as an Administrator .............................................................................. 17
Adding RADIUS Return Attributes ...................................................................................... 18
2. Token Management ................................................................................................................................. 19
2.1.
2.2.
2.3.
2.4.
2.5.
2.6.
2.7.
2.8.
2.9.
2.10.
Assigning a Token to a User .............................................................................................. 19
De-Assigning a Token from a User ..................................................................................... 24
Editing a Token................................................................................................................ 26
2.3.1. Editing a Software Token ..................................................................................... 27
2.3.2. Editing a Hardware Token/Reset Server-side PIN .................................................... 28
2.3.3. Editing an SMS Token .......................................................................................... 28
Testing if a Token is Synchronized with the Server .............................................................. 30
Re-Synchronizing Tokens .................................................................................................. 31
2.5.1. Re-Synchronizing ST Tokens ................................................................................. 32
2.5.2. Re-Synchronizing KT Tokens ................................................................................. 33
2.5.3. Re-Synchronizing RB Tokens ................................................................................ 34
2.5.4. User Re-synchronizing KT, RB or ST tokens ............................................................ 35
Unlocking Tokens ............................................................................................................. 36
Disabling Tokens.............................................................................................................. 37
Enabling Tokens .............................................................................................................. 37
Hardware Tokens Self Service ........................................................................................... 38
SMS Tokens Self Service................................................................................................... 39
3. Group Management ................................................................................................................................. 41
3.1.
3.2.
3.3.
3.4.
3.5.
3.6.
Adding Groups ................................................................................................................. 41
Deleting Groups ............................................................................................................... 42
Editing Group(s) .............................................................................................................. 42
Adding RADIUS Return Attributes ...................................................................................... 43
Moving Users between Groups ........................................................................................... 43
Importing Users into an Organization / Company ................................................................. 44
4. Company Management............................................................................................................................. 45
4.1.
4.2.
4.3.
4.4.
4.5.
For Service Providers ....................................................................................................... 45
Multi-Tier ........................................................................................................................ 46
Deleting a Company ......................................................................................................... 48
Editing a Company ........................................................................................................... 49
Uploading a Logo ............................................................................................................. 49
5. Report Generation ................................................................................................................................... 50
6. Service Request Form .............................................................................................................................. 54
7. Trademarks ............................................................................................................................................. 55
8. Publication History .................................................................................................................................. 55
CRYPTO-MAP Administration Guide
5
Introduction
The purpose of this document is to familiarize a CRYPTO-MAP Administrator with the use of the CRYPTOCard
Managed Authentication Portal (MAP).
CRYPTOCard Managed Authentication Service (CRYPTO-MAS) is a two factor authentication system that allows
Users within an organization to authenticate through a CRYPTOCard managed server without having to maintain
an in-house authentication system.
Although the CRYPTO-MAS network is managed by CRYPTOCard, MAP allows customers to manage their Tokens
and Users remotely using the CRYPTO-MAP tool. MAP is easily accessible via a web browser, and very user
friendly, thus enabling end user organizations to address changes and troubles locally.
Definitions
2FA
Two Factor Authentication. The requirement to use a User ID combined with a
One-Time Password from a CRYPTOCard token
Administrators
Users with a special designation in MAS/MAP who have additional functional capabilities
enabling them to manage users and tokens within their organizational structure.
Only Administrators have the ability to access CRYPTO-MAP, and to troubleshoot and
escalate trouble calls.
Administrators can only be created by other administrators.
Auth ID
Unique identifier associated with only one organization.
End-User Organization
Units (EOU)
An Organization that has subscribed to CRYPTO-MAS for End-User 2FA and is not a reseller.
Integrator / Service
Provider
An organization that provisions CRYPTO-MAS service to EOU’s and provides administrative
support via CRYPTO-MAP. This includes the capability to:
(manage/create/modify/troubleshoot) the EOU’s organization, users and tokens.
(ISP)
Also referred to as a customer or Tier 2 organization.
The ISP also provisions and provides customer support services to the EOU.
MAP
Managed Authentication Portal. The web based tool used by EOU and ISP Administrators to
manage CRYPTO-MAS Organizations, Users and Tokens.
Organization
Typically a ‘Company’ with any number of users that appears as either an ISP or EOU in
CRYPTO-MAP.
Group
A sub-section of users within an organization that have common characteristics.
Token Pool
Tokens in the MAS system that have been purchased by and allocated to a specific
Organization, and have not yet been assigned to a User.
User
A person within an organization registered in MAP for CRYPTO-MAS 2FA.
CRYPTO-MAP Administration Guide
6
1.
Accessing MAP
Only Users designated with “Administrator” status are able to access CRYPTO-MAP.
To access the CRYPTO-MAP Portal, browse to https://mas.cryptocard.com
Supported Browsers:
Internet Explorer Version 6 or higher
Mozilla Firefox Version 2.0 or higher
Please enter your User ID (User Name), OTP (One-Time Password) and AuthID (Company Identifier) into the
supplied fields. If the PIN is entered into your token (ST-1 or RB-1), then enter just your One-Time Password. If
you are using a KT-1 token, enter your PIN immediately followed by the One-Time Password generated by your
token.
Upon successful authentication you will automatically be logged into your Organization’s home page with general
statistics about your current use of CRYPTOCard services.
If you failed to authenticate, you will stay at the Login Page and an error message will appear below the login
panel indicating an authentication failure.
CRYPTO-MAP Administration Guide
7
2.
Establishing a New Organization in MAS
As a VAR Administrator, you will need to use CRYPTO-MAP to establish a new organization (customers
Companies). Although each of these steps is contained in various sections throughout the CRYPTO-MAP
Guide, this section pulls them together to provide step-by-step instructions to complete the entire process.
Steps:
1. Create an organization (Company Tab)
2. Add a user to the organization (User Tab)
3. Allocate tokens from the VAR Token Pool to the organizations Token Pool (Token Tab)
4. Assign a token to the organization user (Token Tab)
5. Designate that user as an administrator (User Tab)
Note 1: There is a significant variation to the first two steps of this process if you are using the
LDAP Agent. Please refer to the LDAP Agent Guide for a complete set of instructions to install and
configure a new organization using the LDAP synchronization agent.
Note 2: These separate events also need to occur to support this process:
1. Prior to the above, tokens must be obtained from CRYPTOCard and allocated to your “VAR token Pool”
before Step 2 can be executed.
2. Following the above, CRYPTOCard must configure the MAS network to allow communication from the
customer’s Authentication Node.
CRYPTO-MAP Administration Guide
8
Step 1: Create the Organization (Company Tab)
Click the “Company” tab located across the top of the CRYPTO-MAP web page.
To create an End-Customer Organization (EOU):
1. Click the “Add” button under the ‘Manage Company’ heading.
2.
*
Enter the company’s information into the fields and click the “Create” button.
If the new company requires the use of the LDAP Synchronization Agent, you must select the ‘Use LDAP’ check
box. Please refer to the LDAP Agent specific document for further detailed instructions on setup and usage.
CRYPTO-MAP Administration Guide
9
Step 2: Add a User to the Organization (User Tab)
Click on the “User” tab located across the top of the webpage.
1. Click on the newly created organization. The organization’s name will appear under ‘Selected Group’.
2. Click the “Add” button.
3. Fill in the User’s information in the ‘Add User Information’ panel.
Required information fields are marked with red asterisks “*”, and as such the user cannot be added until valid
information has been entered into these fields.
Click the “Save” button.
NOTE: If using the LDAP Agent, any users manually created through the MAP interface will be removed each time
the agent synchronizes users.
Also, if using the LDAP Agent, the synchronization process will only create the number of users up to the total
quantity of tokens existing in the organization’s token pool. If the LDAP group contains more users than tokens,
users will be created in numeric then alphabetic order.
CRYPTO-MAP Administration Guide
10
Step 3: Allocate Tokens to the Organization (Token Tab)
Click on the ‘Token’ tab located across the top of CRYPTO-MAS web page.
1. Select the Service Provider (Your Company) in the left pane.
2. Highlight the Tokens you wish to allocate to the new Organization.
3. Select the Organization from the ‘Companies’ list.
4. The “Force server-side PIN change” setting can be changed (optional).
5. Click “Allocate to Company”.
The tokens selected will now be available to “Company A” for assignment to the users of the company.
Step 4: Assign a Token to a User (Token Tab)
Click on the ‘Token’ tab located across the top of the webpage.
To assign a Token:
1. Click on the Organization name located under the Service Provider on the left-hand panel.
2. Select a Token from the token list appearing in the ‘Manage Tokens’ panel.
3. Then select a User from the ‘Users’ list.
4. The “Force server-side PIN change” setting can be changed (optional).
5. Click the “Assign To User” button in the ‘Users’ panel.
CRYPTO-MAP Administration Guide
11
Step 5: Designate the User as an Administrator (User Tab)
1. Click the ‘User’ tab located across the top of the webpage.
2. Click on the organization name located under the ‘Service Provider’ panel on the left-hand panel.
3. Select the user you wish to assign administrator privileges to.
4. Open the ‘User Edit’ page of the selected user.
(This is done by double-clicking on the user, or clicking on the “Edit” button.)
5. Check the box in the “Admin” column in the user’s ‘Assigned Token’ token table.
6. Click “OK” when the confirmation dialog appears to give administrative rights.
CRYPTO-MAP Administration Guide
12
7. This user now has admin rights for his company and may login to CRYPTO-MAP to setup their users.
3.
Removing an Organization in MAS
As a VAR Administrator, from time to time you will need to use MAP to remove an existing organization
(Company).
NOTE: Care must be taken with this, as it is not possible to recover a deleted organization.
Steps to remove an organization:
1. On the ‘User Tab’, remove any administrative privileges previously assigned to user(s) within the company.
2. On the ‘Token Tab’, de-assign all token(s) assigned to the company’s users.
3. On the ‘Token Tab’, de-allocate all token(s) assigned to the company.
4. On the ‘Company Tab’, select the company to delete and click the “Delete” button.
NOTE: It is not possible to recover a deleted organization.
5. All users belonging to the company and company information will be deleted.
CRYPTO-MAP Administration Guide
13
Detailed Instructions
1. User Management
To manage Users in an organization, click on the ‘User Tab’ from the tabs across the top of the page.
This will bring up a display of all the users in the selected organization. The group to view can now be selected in
the ‘Selected Group’ dropdown list for this organization.
On the right side of the User screen are filters for the ‘User’ tab. The filters in the ‘Search User List’ are:
a) User login,
b) First Name,
c)
Last Name.
These filters can be used to quickly search to find a desired user. As you type in text into the search filters, all
users that do not have the entered text will be removed from the list.
NOTE: To disable a filter, simply clear the filter box.
CRYPTO-MAP Administration Guide
14
1.1.
Add a User to an Organization
Click on the ‘User’ tab located across the top of CRYPTO-MAP.
To add a User:
1. Click on the organization. The name will appear under ‘Selected Group’.
2. Click the “Add” button.
3. Fill in the User’s information in the ‘Add User Information’ panel.
4. Select the group the user is being added to using the ‘Select Group’ dropdown list.
5. To submit the new user information, click the “Save” button. The user will now be displayed on the ‘User’ tab
located under the selected group within this organization.
NOTE: Completing the “User Verification Questions” is optional, but is available to companies who
require this as part of their security policies. It is recommended this section be completed for all
Administrators so their identity can be verified when they place calls into the Help Desk.
If no group is created, the user will be placed onto the same root level of the company. Alternatively,
if a group was created under a company name and that same group was chosen under the ‘Selected
Group’ drop down before saving a user’s information; that user would be placed under that group
heading.
To move a user to another group see Section 3.
CRYPTO-MAP Administration Guide
15
1.2.
Importing users into an Organization
Note: Refer to section 3 for details on this feature.
The “Import User” function is available in the ‘Group’ Tab to bring many users into a group simultaneously.
It is not available to bring users into the organization under the ‘User’ Tab.
1.3.
Deleting Users
Note:
Admin Users cannot be deleted without first un-assigning the Admin tokens from the user.
(Refer to Section 2.2 if there are currently tokens assigned to the user).
Once a User has been deleted from the system, all record of the User is permanently removed.
To delete a User:
1. Select a user from the ‘User List’.
2. Then click the “Delete” button.
3. A confirmation dialogue panel will appear. Click “OK” to delete the user.
NOTE: If users originate via the LDAP Synchronization agent, users which are deleted will reappear when the
agent runs the synchronization process.
1.4.
Editing User Information
All user information may be edited on the ‘Edit User’ screen. CRYPTO-MAP will not allow duplicate user logons
between two users within the same organization. If this occurs, an error message is displayed when an attempt is
made to save the changes.
Note: If a duplicate logon exists, simply change the entry to a unique logon and retry.
1. If the user belongs to a group, select the appropriate group in the dropdown ‘Selected Group’ list for the
organization to display the user on the tab.
2. Select the user from the list.
3. Click on the “Edit” button or double-click on the user you want to edit.
CRYPTO-MAP Administration Guide
16
This will open the ‘Manage – Edit User’ page displaying the user’s information and a list of tokens currently
assigned to the user.
4. To edit the user’s information, simply modify the entries in the fields on the ‘Edit User Information’ panel.
5. To save the changes, click the “Save” button.
1.5.
Designating a User as an Administrator
General Notes about Administrators:
1. Only Administrators are able to access the MAP
2. Only existing Administrators in the Customer Organization or in the Service Provider Organization are able to
designate Users as Administrators.
3. Administrators are contractually responsible for addressing User support calls and managing tokens on behalf
of their Organization.
Steps to assign Administrator privileges to a User:
1. Open the ‘User Edit’ page for a selected user selected by double clicking on the highlighted user or selecting
the user then clicking the “Edit” button.
CRYPTO-MAP Administration Guide
17
2. Confirm the user has a token assigned. If the user has no token assigned, assign a token following the steps in
Section 2 of this document, and then continue.
3. Check the “Admin” box in the ‘Assigned Tokens’ panel.
Note:
If the User has more than one token, only one can be designated (and used) for
Administration purposes.
4. Click “OK” to confirm the designation of administrative rights when the dialog box appears.
5. This user now has admin rights for his company and may login to MAP to setup his users.
1.6.
Adding RADIUS Return Attributes
Adding Vendor Specific Attributes:
1. Select the user that require Vendor Specific Attributes applied and click the “Edit” button.
2. Add the vendor specific attributes that are required for the group chosen.
3. Choose the attribute that is required, and click “Save” under “Required for authentication” to apply 1
attribute.
4. Repeat step three until all attributes required have been added.
5. Once the Vendor Specific Attribute(s) have been applied, click the “Cancel” button to return to the
previous screen.
If MSCHAPv2 is required for RADIUS authentication, then place a checkmark in “Enable MSCHAPv2” to turn on
MSCHAPv2.
CRYPTO-MAP Administration Guide
18
2. Token Management
This Section describes how to manage tokens in MAP.
From any page in CRYPTO-MAP, select an organization/company the token(s) are allocated to.
Note: Many of the functions described in this Section can be performed by accessing the same screens from either
the ‘User’ Tab or the ‘Token’ Tab across the top. In these instances, instructions for both access methods are
described.
If the ‘Token’ Tab is selected, a window containing a list of all tokens allocated to the selected organization will be
displayed.
To the right of the ‘Manage Tokens’ table are the ‘Search Token List’ filters which are search criteria to seek:
a)
b)
c)
d)
e)
Token’s Serial Number,
Token Type,
Token State,
User Login (Token Owner).
Server Side PIN setting.
These filters can be used to quickly search through the list of tokens to find a desired token and or user.
As you type in text into the search filters, all tokens that do not have the entered text at the beginning of the
corresponding field will be removed from the list. To disable a filter, simply clear the filter box.
2.1.
Assigning a Token to a User
Rules of Assigning Tokens:
a) Tokens purchased and allocated to an organization are distributed by the Service Provider into the
organization’s token pool and are available to be assigned to their users.
These tokens are referred to as “unassigned” tokens.
b) An unassigned token must be assigned to a user within that organization before it can be used for
authenticating. The Service Provider may assign tokens to any user in any organization.
An organization administrator can only see and assign tokens within his organization.
CRYPTO-MAP Administration Guide
19
c)
More than one token can be assigned to a single user (see exception below); however, this is discouraged
for security and ease of administration purposes. Notwithstanding, there are unique circumstances where
a user has multiple network devices (eg: laptop & Blackberry) and multiple tokens are beneficial
d) SMS tokens (WT-3) are exclusive in nature and cannot be assigned to a user already having another
token. Once assigned, no other token may be added to the user until the WT-3 is unassigned.
e) Assigning a Token can be done from the ‘User’ tab or the ‘Token’ tab.
Either method will produce the same result.
To Assign a Token from the ‘Token’ Tab:
1. Click on the ‘Token’ Tab at the top of the page.
2. Select the token to be assigned.
3. Select the user the token is being assigned to.
To Assign a Token from the ‘User’ Tab:
1. Open the ‘Manage – Edit User’ page for the user by going to the ‘User Tab’.
2. Double-click on the user being assigned the token or single-click on the user and click the “Edit” button.
CRYPTO-MAP Administration Guide
20
3. Click the “Assign” button.
This will display the ‘Manage User – Assign Token To User’ page. This page contains a list of all tokens allocated
to the selected company that have not been assigned to a user (ie: are Unassigned).
4. Search and select a token from the list, then click on the token to be assigned to the user.
The ‘Search Token List’ section on the right hand side allows the list to be filtered by serial number or token type.
5. Optionally, the Server Side PIN setting can be change.
6. Once the token to be assigned has been selected, click on the “Assign Token” button.
7. This will assign the token to the selected user, and the token state will change to ‘Assigned’.
8. If the user has been assigned a Software Token (ST), highlight their token and click on the “Email” button.
CRYPTO-MAP Administration Guide
21
9. If the user requires a BlackBerry token to perform their authentications via their BlackBerry then the
administrator simply needs to click the “BlackBerry” button. This will automatically E-Mail the token in a
default configuration to the User’s configured E-mail.
To Assign an SMS Token:
CRYPTO-MAS/MAP administrator assigns an SMS WT token using steps identical those for hardware tokens
through MAP.
1. From the User Tab select the user that requires a WT-3 token assigned and click Edit;
2. Select Assign from the Edit User page and select the WT-3 token to be assigned to this user. The SMS
token must be the only token assigned to this user and the user must have a Cell phone number
associated with him. If either of these conditions is not met the token cannot be assigned.
3. From the Token Tab select the token and the User to assign it to. Click Assign to User;
CRYPTO-MAP Administration Guide
22
4. Optionally, the Server Side PIN setting can be change.
5. The WT-3 token has been assigned to this user. The token must be the only token assigned to the user
and the user must have a Cell phone number associated with him. If either of these conditions is not met
the Assign to User button will not activate to allow the assignment.
SMS Assignment:
On assignment of an SMS token to a user, an SMS message containing the Auth ID, User ID, Initial PIN and
TokenCode is sent to the user.
The following is an example of a token assignment message.
New TokenCode:
CRYPTO-MAP Administration Guide
23
Upon any successfully authentication of an SMS token user, a new TokenCode is automatically sent to user.
The following is an example of the new TokenCode message.
Reset PIN (by administrator):
A CRYPTO-MAS/MAP administrator may reset a user’s PIN at any time. In this case, the new pin will be
automatically sent via SMS to the token owner. The following is an example of the reset PIN message
2.2.
De-Assigning a Token from a User
CRYPTO-MAP Administration Guide
24
General Notes:
Note: A token that has been assigned Administrative rights can not be de-assigned without removing
the Administrative rights first.
Reasons to de-assign tokens from users are:
a) The user no longer requires use of the token,
b) The token has been lost/stolen/broken and must be disabled,
c) The user is being deleted from the system
1. Once the token has been de-assigned from the user, it is returned to the organization’s Token Pool. At that
point it can be re-assigned to another user, or can be de-allocated from the token pool.
To de-assign a token from the ‘Token’ Tab:
1. Highlight the token that you wish to de-assign from the user.
2. Click the De-assign button.
CRYPTO-MAP Administration Guide
25
To de-assign a token from the ‘User’ Tab:
1. From the ‘User’ tab, double-click on a user or select a user and click “Edit” to open the ‘Manage - Edit User’
panel. This panel displays the all the tokens currently assigned to the selected user in the
‘Assigned Tokens’ panel.
2. Click on the desired token to be de-assigned from the user.
3. Click on the “De-Assign” button above.
The token will be de-assigned from the user and returned to the organization’s Token Pool as an unassigned
token.
Note for organizations using the LDAP Agent:
If a user with an assigned token in MAP is removed from the AD group for CRYPTO-MAS, at the next
synchronization the user will not appear in the Organization and the token belonging to that user will
automatically be de-assigned and returned to the unused token pool.
2.3.
Editing a Token
The information associated with a token can be changed using the editing instructions contained in this section:
a) Initial PIN, including resetting the PIN and having it emailed to the user.
b) The Start Date for the token.
This is the date the token will begin to be recognized (useable) by the CRYPTO-MAS server.
c)
The End Date for the token.
This is the date the token will stop being recognized (useable) by the CRYPTO-MAS server.
d) The ability to force a PIN change the next time a User authenticates. This is useful if a new token is being
issued or because of internal policy procedures.
Note: Start and End Dates are useful to grant access to a person for a pre-determined period (eg:
contractor), or to temporarily suspend the use of a token without de-assigning.
CRYPTO-MAP Administration Guide
26
2.3.1. Editing a Software Token
To access the ‘Edit Software Token’ panel from the Token Tab:
1. From the ‘Token’ tab, highlight the token you wish to edit and either click the “Edit” button or double-click on
the token you want to edit. This will open the ‘Edit Software Token’ panel.
2. Once all necessary changes have been made in the ‘Edit Software Token’ panel, click the “Save” button.
To access the ‘Edit Software Token’ panel from the User Tab:
1. To edit the software token, highlight the user with the token you wish to edit. Click the “Edit” button or
double-click on the token to edit its properties.
2. Edit the desired Token properties.
3. Click the “Save” button located at the top of the panel under the ‘Edit Software Token’ title.
CRYPTO-MAP Administration Guide
27
2.3.2. Editing a Hardware Token/Reset Server-side PIN
To access the ‘Edit Hardware Token’ panel from the ‘Token’ Tab:
1. To edit the software token, highlight the user with the token you wish to edit.
Click the “Edit” button or double-click on the token to edit its properties.
2. If you are resetting the Server-Side PIN, enter the desired new PIN and click the “Reset PIN” button.
3. Once all necessary changes have been made in the ‘Edit Hardware Token’ panel, click the “Save” button.
To access the ‘Edit Hardware Token’ panel from the User Tab:
1. To edit the hardware token, highlight the user with the token you wish to edit. Click the “Edit” button
2. To edit the hardware token, simply double-click on token to be edited.
3. Edit the desired Token properties. If you are resetting the Server-Side PIN, enter the desired new PIN and
click the “Reset PIN” button.
4. Click the “Save” button under the ‘Edit Token’ title.
2.3.3. Editing an SMS Token
CRYPTO-MAP Administration Guide
28
To access the “Edit Token” page from the Token Tab:
1. Highlight the token you wish to edit. Then click the “Edit” button.
Alternatively, you can double click on the WT token you wish to edit and that will also bring you to the
“Edit Token” page.
2. Edit the desired Token properties and click ‘Save’. If you are resetting the Server-side PIN, enter the desired
new PIN and select “Reset PIN” button.
To access the “Edit Token” page from the User Tab:
1. To edit the WT token, highlight the user with the token you wish to edit. Click the “Edit” button
2. To edit the WT token, simply double click on the token that will be edited.
CRYPTO-MAP Administration Guide
29
3. Edit the desired Token properties and click ‘Save’. If you are resetting the Server-side PIN, enter the desired
new PIN and select “Reset PIN” button.
2.4.
Testing if a Token is Synchronized with the Server
General Notes about the synchronization of tokens:
A common reason why users cannot authenticate, and call for Administrator support is when too many OTP’s have
been generated by a token since the last time the server received a token OTP.
The server will not recognize the OTP and the token and server will be “out of sync”.
The steps below will determine if a token is synchronized with the CRYPTOCard – Managed Authentication Server.
Note: This requires coordination between the Administrator using MAP, and the user using their token.
To Test Token Synchronization from the ‘Token’ Tab:
1. Select the token associated with the user that you wish to test.
2. Click the “Test/Resync” button to test the token.
CRYPTO-MAP Administration Guide
30
3. Ask the user to generate a One-Time Password from the token, enter it into the field and click “OK”.
If the test succeeds, a pop-up window will appear that says ‘Response Succeeded’, meaning the system has
confirmed the token is in sync.
If the test fails a pop-up window will appear that says ‘Response Failed’. In this situation, proceed to the next
section that describes how to resynchronize the token with the server.
To Test Token Synchronization from the User Tab:
1. In the ‘User’ Tab, highlight the user then click on “Edit” or double-click on the user.
2. In the ‘Manage – Edit User’ page, select the token in the ‘Assigned Tokens’ panel to be tested and click on the
“Test” button.
3. Enter the response from the token into the field in the panel and click “OK”.
If the test succeeds, a pop-up window will appear that says ‘Response Succeeded’, meaning the system has
confirmed the token is in sync.
If the test fails a pop-up window will appear that says ‘Response Failed’. In this situation, proceed to the next
section that describes how to resynchronize the token with the server.
2.5.
Re-Synchronizing Tokens
CRYPTO-MAP Administration Guide
31
General Notes about the synchronization of tokens:
If too many OTP’s have been generated by a token since the last time the server received an OTP from the token,
the server will not recognize the OTP and the token and server are said to be “out of sync”.
The steps below will re-synchronize a token with CRYPTO-MAS. This process requires coordination between the
Administrator using MAP, and the user using their token.
2.5.1. Re-Synchronizing ST Tokens
To re-synchronize a software token from the Token Tab:
1. Select the token associated with the user that you wish to test to see if the token is in sync.
2. Click the “Test/Resync” button.
3. A panel will be displayed that provides a ‘challenge’ number for the token. (eg: 14817554 in the illustration).
Note: This number must be retained and provided to the user when proceeding through the steps
below.
Note: Do not close this window while helping the user through the steps below. The user will be
providing a Secure Password that must be entered into the displayed field.
4. The end user must then be directed on their own terminal to:
a)
b)
c)
d)
Go to “Start” in their Windows environment
Click “All Programs”
Click “CRYPTOCard”
Click “CRYPTOCard Authenticator”
Note: If the user is using a BlackBerry token, the BlackBerry will provide the option to Resync the
token. The steps will be much the same as described here for Software or Smartcard tokens.
5. A “CRYPTOCard Token Authenticator” window will appear on the User’s terminal.
6. In the new window, click on “Tools” > “Re-sync”.
An ‘Enter Challenge’ window will then appear on the user’s terminal.
CRYPTO-MAP Administration Guide
32
7. The user must then enter their PIN in the ‘Enter PIN’ field, and the challenge number that was displayed in
Step 3 above must be typed into the ‘Challenge from server’ field.
8. The user must then click “OK”, and a new Secure Password (‘response’) is generated on the user’s terminal.
9. The Administrator must then enter the Secure Password provided by the user in Step 6 (above) into the
response field on the Administrator’s terminal in Step 3 (above).
A success message will be generated by the server to inform the administrator that the Resync was successful.
To Re-Synchronize a Software Token from the User Tab:
1. In the ‘User’ Tab, highlight the user then click on “Edit” or double-click on the user.
2. Click on the “Test” button for the selected token in the ‘Assigned Tokens’ panel.
3. The process will be identical to the process described above.
2.5.2. Re-Synchronizing KT Tokens
To Re-Synchronize a KT Token from the Token Tab:
1. Select the token that is associated with the user that has their token out of sync.
2. Then click the “Test/Resync” button.
3. A panel will be displayed that provides an eight (8) digit ‘challenge’ number for the token
(ie: 33580856 in the illustration).
This challenge number must then be provided to the user while proceeding through the steps below.
CRYPTO-MAP Administration Guide
33
Note: Do not leave this screen while helping the user through the steps below, as the user will
eventually return a “Secure Password” number that will need to be entered in to the ‘Response’ field
displayed on this panel.
The user must then enter the ‘challenge’ number into their KT token by following these steps:
a) Hold down the button on the KT Token until "Init" appears in the display then let go of the button.
b) The token will automatically start scrolling through a menu, and when "Resync" appears, immediately click
the button to stop the menu from scrolling.
c)
“Resync?” plus a scrolling digit 0-9 will appear in the display. Press the button to stop the scrolling when
the digit displayed is the first digit (from the left) in the “challenge” (step 3 above).
d) The “Resync?” will be replaced by the first digit selected, and scrolling for the next digit in the “challenge”
will begin. Follow the same steps to stop the scolling at the correct digits until the complete 8-digit
“challenge” appears.
e) When the challenge number is correctly entered/displayed, click the button again and a new One-Time
Password (or ‘response’) will be automatically generated by the token.
4. This token generated ‘response’ must then be entered by the Administrator into the ‘response’ field displayed
in MAP panel in Step 3 above. If there is a PIN associated with the token, then enter the PIN + ‘response’ into
the field.
To Re-Synchronize a KT Token from the User Tab:
1. On the ‘User’ Tab, highlight the user and click on “Edit” or double-click on the user.
2. Click on the “Test” button for the desired token in the ‘Assigned Tokens’ panel.
Note: The process that will continue from this point is identical to the process described above.
2.5.3. Re-Synchronizing RB Tokens
To Re-Synchronize a RB Token from the Token Tab:
1. Select the token that is associated with the user that has their token out of sync.
2. Then click the “Test/Resync” button.
3. A panel will be displayed that provides a “challenge” number for the token. (ie: 99024258 in the illustration).
This ‘challenge’ number must then be provided to the user to enter into their RB token while proceeding
through the steps below.
CRYPTO-MAP Administration Guide
34
Note: Do not leave this screen while helping the User through the steps below, as the User will
eventually return a “response” number that will need to be entered in to the field displayed on this
panel.
4. The user must then enter the “challenge” number into their RB token by following these steps:
5. Click on the “Menu” button (Enter PIN if there is a RB PIN Pad lock) until you see ‘ReSync’ appear in the
display. Then click the “ENT” button.
6. Use the keypad to enter the challenge number into the RB Token that is displayed in CRYPTO-MAP Token test
panel in Step 3 above.
7. When the challenge number has been correctly entered, click the “ENT” button and a new One-Time Password
(or ‘response’) will be automatically generated by the token.
8. This token generated ‘response’ must be entered by the Administrator into the ‘response’ field displayed in MAP
panel in Step 3 above. If there is a PIN associated with the token, then pre-pend the PIN in-front of the
‘response’ number.
To Re-Synchronize a RB Token from the User Tab:
1. Double-click on a user or select a user and click the “Edit” button to open the ‘User Edit’ panel.
2. Click on the “Test” button in the ‘Assigned Tokens’ panel for the token you wish to test.
3. The process that will continue from this point is identical to the process described above.
2.5.4. User Re-synchronizing KT, RB or ST tokens
To re-synchronize a KT, RB or ST Token from the Self Service web site:
1. The user can access the Resync web site at http://auth.cryptocard.com and will be prompted to enter his
user ID and Authentication ID.
2. The user is presented with a challenge to be entered into the token and is prompted to enter the response
into the OTP field.
CRYPTO-MAP Administration Guide
35
3. The user then receives a success message and the token may be used for authentication.
2.6.
Unlocking Tokens
A token becomes locked on the server after too many unsuccessful attempts to authenticate. Unlocking a token
will restore the token back to a fully functional state for authenticating. This does not apply to RB tokens locked at
the token level.
Note: Prior to unlocking the token, the Administrator must confirm the identity of the user and verify
the unsuccessful attempts were legitimate.
To Unlock a Locked Token:
1. All Locked tokens will show ‘Locked’ in the ‘State’ column in the list. Select the Locked Token from the Token
list.
2. Click the “Unlock” button at the top of the ‘Manage Tokens’ panel.
3. The token will return to an Active state. It is a good idea to Test/Resync the token at this time to determine the
cause of the problem.
Once the token is unlocked the token may be used for authenticating by the user.
The Unlock button will no longer be available.
CRYPTO-MAP Administration Guide
36
2.7.
Disabling Tokens
For an Administrator to Disable an Enabled Token:
1. Select the ‘Token’ tab.
2. Select an enabled token from the Token list.
3. Click the “Disable” button in the ‘Managed Tokens’ menu.
The token will now show a ‘Disabled’ state and may not be used for authentication until re-enabled.
Note: A disabled token may only be De-assigned or Enabled. It can not be tested, edited, emailed or
sent to a BlackBerry.
2.8.
Enabling Tokens
To Enable a Disabled Token:
1. Select the disabled token from the Token list.
2. Click the “Enable” button in the ‘Managed Tokens’ panel.
The token will now show an ‘Active’ state and may once again be used for authentication.
CRYPTO-MAP Administration Guide
37
2.9.
Hardware Tokens Self Service
KT and RB Token Self Service PIN Change:
An RB or KT Token user can change their Server Side, User Changeable PIN at any time. To change the PIN, the
user browses to the User Self-service web page at http://auth.cryptocard.com/hardware. The user must first
authenticate before being presented with the PIN Change page.
After successful authentication the user is redirected to the PIN Change page. In this page the user is required to
enter their current PIN and the new PIN to complete PIN change process. The PIN length and complexity reflects
the minimum requirements for this specific token.
If the correct Current PIN is entered and the New PIN meets the complexity requirements of the token a PIN
Change Success message is displayed and the New PIN is now in effect and must be used to Authenticate.
CRYPTO-MAP Administration Guide
38
2.10. SMS Tokens Self Service
SMS Self Service PIN Change:
An SMS WT user can change their PIN at any time. To change the PIN, the user browses to the User Self-service
web page at http://auth.cryptocard.com/sms . The user must first authenticate before being presented with the
PIN Change page.
After successful authentication the user is redirected to the PIN Change page. On this page the user is required to
enter their current PIN and the new PIN to complete PIN change process. The PIN length and complexity reflects
the minimum requirements for this specific token.
A new TokenCode is automatically sent to the user.
CRYPTO-MAP Administration Guide
39
SMS Self Service Request a TokenCode:
The SMS owner can request a TokenCode at any time by visiting the self-service page. This facility is provided to
handle occasions where an SMS/TokenCode message was not received after a successful authentication. This
TokenCode can be sent as an SMS Message or sent as an E-mail, as long as a valid email address has been
entered for the user through CRYPTO-MAP.
In the SMS TokenCode Request page, the user is required to enter their User ID, Auth ID and PIN. An OTP will be
sent to user on successful validation of the provided information. Note that the TokenCode sent to the user
remains unchanged until the user successfully authenticates, however it will be resent each time this form is
completed.
Note as well that if the PIN state at the server is set to Change on first use, the User will be required to
change their PIN before a TokenCode is sent.
CRYPTO-MAP Administration Guide
40
3. Group Management
Groups can be used to organize users with a common characteristic into sub-sections within an organization and
or company. Also, if a specific group requires certain RADIUS return attributes to be returned to authenticate
successfully then the Admin to the company has the ability to add those attributes.
For example: departments within a company or network access methods, terminal types, etc.
General Rules for Working with Groups:
a) Users can only be moved between groups within the same organization/company.
b) Should the need arise to move a user from one organization to another, the user must be deleted from
the system and then completely re-entered into the new organization / company.
c)
The default group (root) is identified as your Authentication Identifier. If no group(s) are defined and a
user is added to the organization / company then they will be placed into the root (default group) of your
Authentication Identifier.
d) Once a group has been selected from the ‘Selected Group’ dropdown, all users in that group will be
displayed.
3.1.
Adding Groups
To Add a Group:
1. Click on the ‘Group’ Tab to access the Group page.
2. Click the “Add” Button at the top of the page below the word ‘Manage Groups’.
3. Enter the new group name and description.
4. Click the “Create” button at the top left of the page.
Once the group has been created users may be added or transferred into the newly created group.
CRYPTO-MAP Administration Guide
41
3.2.
Deleting Groups
To Delete a Group:
1. Select the group to delete on the right side of the page.
2. Click the “Delete” button at the top right of the page.
Note: The Root Group may not be deleted.
A group cannot be deleted if it contains a user with Administrative rights. The Administrative user must be
transferred out of the group or Administrative rights removed from the token first. All users assigned to the group
will be deleted with the group and tokens assigned to these users will be de-assigned to the groups root
organization / company.
Note: There is no way to recover these users so care should be used when deleting groups.
3.3.
Editing Group(s)
To Edit a Group:
1. Select the group to edit on the right side of the page.
2. Click the “Edit” button.
3. Update the group description information
4. Click the “Save” button to save changes and return to the group screen.
CRYPTO-MAP Administration Guide
42
3.4.
Adding RADIUS Return Attributes
Adding Vendor Specific Attributes:


Select the group to edit on the right side of the page.
Click the “Edit” button.
1. Add the vendor specific attributes that are required for the group chosen.
2. Choose the attribute that is required, and click “Save” under “Required for authentication” to apply 1
attribute.
3. Repeat step three until all attributes required have been added.
4. Click the “Save” button to save changes and return to the group screen.
If MSCHAPv2 is required for RADIUS authentication, then place a checkmark in “Enable MSCHAPv2” to turn on
MSCHAPv2.
Note: The Root Group cannot be edited.
3.5.
Moving Users between Groups
To move a user from one group to another within an organization:
1. Select the company from the left-side ‘Company List’.
2. Select the ‘Group’ Tab along the top of the site.
3. Select the group the user currently belongs to in the ‘Selected Group’ drop down list.
4. Select the user to move user under the ‘Users In Selected Group’ panel.
5. Select the group into which you wish to move the user.
6. Click the “Transfer User” button under the ‘Manage Group’ menu.
CRYPTO-MAP Administration Guide
43
To confirm the user has been moved, click the dropdown box on the top left under ‘Selected Group’ menu and
select the group the user was moved to. This will display all users in the group.
3.6.
Importing Users into an Organization / Company
The ‘Import Multiple Users’ function is available in the ‘Group’ Tab to bring users in to a group. It is not available
to bring users into the organization under the ‘User’ Tab. If this is required, users may be imported into a group
and then transferred to an organization from the group.
The import function works with any comma-delimited (.csv) files. It does not expect a header row and all fields
must be populated; it will import six column fields as follows:
1.
2.
3.
4.
5.
6.
Field1:
Field2:
Field3:
Field4:
Field5:
Field6:
First name of the user
Surname of the user
User Id or Logon id
User’s e-mail address
User’s phone number
User’s cell phone number
Please ensure that all fields are complete and contain the proper information. The first four fields are mandatory
data and missing information may have a detrimental effect on the ability of the user, once imported, to acquire
and use tokens. A missing Cell phone number will preclude the user’s ability to be assigned a WT-3 token.
To Import Users into a Group:
1. Prepare or obtain the file for import. The file should look similar to the following:
2. Select the ‘Destination Group’ on the right side of the page.
3. Click on the “Browse” button in the ‘Import Multiple Users Into Group (optional)’ section to browse to the
local file for import.
4. Locate and click the “Import” button to import the users.
The application will import all users from the file into
the group selected on this tab. Refresh the tab and
reselect the group to see the results of the import.
CRYPTO-MAP Administration Guide
44
4. Company Management
To manage the “Company / Organization” within your Value-Added Reseller (VAR) organization or to view your
own organization’s status, click on the “Company” tab across the top of the page.
Note: The ‘Company’ tab displays a summary of all the information associated with your organization.
Customer organizations are not allowed to edit this information. If this information is inaccurate and
needs to be updated, they must contact their Service Provider to change this information.
4.1.
For Service Providers
The ‘Company’ tab displays summary fields for the complete list of customer organizations you are managing as
well as information for your own organization.
Selecting an organization from the list will show the summary information in the ‘General Information’ section.
CRYPTO-MAP Administration Guide
45
4.2.
Multi-Tier
Multi-tier provides the ability for top level resellers to create other Resellers or end user organizations (EOU).
Resellers have the ability to create subsequent Resellers or EOU’s within CRYPTO-MAS.
There are a few limitations as follows:

It will not be possible to “convert” an EOU to Reseller or a Reseller to an EOU.

The only limitation to how deep the tiers can go is the maximum number of characters that can be
used to describe the Reseller or EOU organization path is limited to 254. Therefore it is
recommended to use short AuthID’s.
To Add a Reseller:
Note: Ensure that the name provided in the Auth Identifier has no spaces.
1.
2.
3.
4.
*
Click the “Add” button under the ‘Manage Company’ heading.
There will be two options to choose from: Reseller or End User Organization.
Select “Reseller”, and enter in the Auth ID, and the Company Name.
Enter the Reseller’s Information into the fields and click the “Create” button.
If the new company requires the use of the LDAP Synchronization Agent, you must select the ‘Use LDAP’ check
box. Please refer to the LDAP Agent specific document for further detailed instructions on setup and usage.
5. The Reseller may now have users added and tokens assigned to it.
CRYPTO-MAP Administration Guide
46
To Add an End User Organization:
1.
2.
3.
4.
*
Click the “Add” button under the ‘Manage Company’ heading.
There will be two options to choose from: Reseller or End User Organization.
Select “End User Organization”, and enter in the Auth ID, and the Company Name.
Enter the End User Organization’s Information into the fields and click the “Create” button.
If the new company requires the use of the LDAP Synchronization Agent, you must select the ‘Use LDAP’ check
box. Please refer to the LDAP Agent specific document for further detailed instructions on setup and usage.
5. The End User Organization may now have users added and tokens assigned to it.
After adding a new Reseller and End User Organization, here is what the tree would look like.
CRYPTO-MAP Administration Guide
47
4.3.
Deleting a Company
General Rules for Deleting a Company:
Before a company can be deleted all tokens assigned to the company must be de-allocated. Any administrative
rights given to the users must be removed first and all tokens must be de-assigned before they can be deallocated.
Users without administrative rights do not need to be deleted.
1. Select the company from the ‘Company List’ table.
2. Click the “Delete” Button.
Note: You cannot delete your own company. For assistance contact your CRYPTOCard MAS office.
CRYPTO-MAP Administration Guide
48
4.4.
Editing a Company
1. Select the company from the ‘Company List’ panel.
2. Click the “Edit” button or double-click on the company name to edit the properties of a company..
3. Update the desired Information.
3. Click “Save” button.
Note: You cannot edit your own company information. If you need this information updated, please
contact your CRYPTOCard MAS office.
4.5.
Uploading a Logo
1. Select the company from the ‘Company List’ panel.
2. Click on the “Edit” button.
3. Click on the “Browse” button and select a ‘GIF’ image to be used as the company’s logo.
4. Click on the “Accept” button to upload the image.
Note: This feature is available from the home page for each organization and images should be in
162x50 GIF format. All images will be scaled to fit.
CRYPTO-MAP Administration Guide
49
5. Report Generation
1. To generate reports, click on the ‘Report’ tab across the top of site pages.
Note: Please be aware that these reports do not include any records of CRYPTO-MAP
Administrator logins to the MAS system.
When any report is selected, it will appear on screen for viewing. plus the screen will have a “Save”
and “Close” button. That way, every report can be saved in .csv (hence Excel) format for local
manipulation as desired.
Most reports contain data for the Organization the Administrator is logged into (eg: ”Whitehat” in the
screen shot below). However, report Type 7 & 8 includes data for all Organizations under the Organization
the Administrator is logged into (eg: Whitehat + Big Red Inc + Test Inc in the screen shot below).
2. To select a report from the reports tab click on:
o
o
o
o
o
o
o
o
o
o
Type
Type
Type
Type
Type
Type
Type
Type
Type
Type
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
Token Usage
Token Reconciliation
Token State Detail
Token Count
Token In-Service
System Summary
Managed Account
Managed Account Summary
Authentication Activity
Authentication Node
Examples of each Report Type are shown
below.
Token Usage
This report contains pertinent information about every authentication attempt for all tokens in an Organization
within the prescribed date range. The records are listed in ascending serial numbers.
Serial
Action
Protocol
Source IP
TimeStamp
User Name
Company
Company ID
860001064
CHAL PASS
HTTPS
213.142.217.40
2009.04.08-15:58:41
sheri.c
xyz.com
492
860001091
FAIL
HTTPS
213.142.217.41
2009.04.08-15:59:27
sam.b
xyz.com
492
860001127
CHAL PASS
HTTPS
213.142.217.42
2009.04.08-16:06:16
john.m
xyz.com
492
860000914
FAIL
HTTPS
213.142.217.42
2009.04.08-16:16:40
john.m
xyz.com
492
Token Reconciliation
This report lists the authentication history for each token within the prescribed date range.
The records are listed in ascending serial numbers.
Serial
User Name
Total Auth
Pass
Fail
Last Auth Date
670022568
john.m
2
2
0
2009.04.15-12:44:41
670051406
john.m
0
0
0
2009.04.15-12:14:23
670055378
brumwell.r
0
0
0
2009.04.15-12:44:43
670055379
renn.i
1
1
0
2009.03.25-17:08:04
670056725
sheri.c
3
3
0
2009.03.14-19:42:09
670056726
sam.b
7
6
1
2009.03.30-09:54:39
670056727
robert.g
6
4
2
2009.03.21-10:22:51
670056728
thomas.h
5
5
0
2009.03.08-07:55:32
670056729
james.n
3
3
0
2009.03.21-16:38:19
CRYPTO-MAP Administration Guide
50
Token State Detail
This report shows the current number of tokens in each ‘token state’ by token type.
Token State / Type
RB-X
KT-X
KT-2
ST-X
WT-X
SC-X
UB-X
6
14
2
36
5
3
1
67
29
58
26
137
42
28
21
341
Active
2
1
1
3
0
0
0
7
Locked
0
2
0
1
0
0
0
3
Disabled
0
5
1
1
0
0
0
7
Others
0
0
0
0
0
0
0
0
37
80
30
178
47
31
22
425
Unassigned
Assigned
Total
Total
Token Count
This report shows the total number of tokens in an Organization by token type at the time of the request.
Token State / Type
RB-X
KT-X
KT-2
ST-X
WT-X
SC-X
UB-X
Total
Count
175
55
140
139
32
46
42
629
Token In-Service
This report provides the “In-Service Date” for all tokens in an Organization sorted by ascending serial numbers.
The “In-Service Date” is the date the token was first created in the MAS system.
In-Service Date
(YYYY.MM.DD)
Token
Type
Serial
Number
2009.01.15
KT-X
312275448
2009.01.15
KT-X
312275465
2009.01.13
KT-X
312275466
2009.01.13
KT-X
312275467
2009.03.19
KT-X
312296274
2009.03.19
KT-X
312296278
2009.01.06
ST-X
670054991
2009.01.06
ST-X
670055025
2009.01.06
ST-X
670055026
2008.05.23
ST-X
670051054
2008.05.23
ST-X
670051136
2009.03.31
ST-X
670056339
2009.03.31
ST-X
670056349
System Summary
This report provides a summary of all pertinent user and token data for an Organization at the time of the
request. It is similar to the information provided in the MAP “Home Tab”.
User Count
3
Group Count
0
Total Token Count
194
Unassigned Tokens
191
RB-X Count
0
KT-X Count
55
KT-2 Count
0
ST-X Count
139
WT-X Count
0
SC-X Count
0
UB-X Count
0
Total Successful Responses
3
Total Failed Responses
0
Total Bad PIN
0
Total Auth Attempts
3
CRYPTO-MAP Administration Guide
51
Managed Account
This report provides a current summary of all pertinent user and token data for Organizations in MAP managed by
a Service Provider, excluding the Service Provider Organization.
Organization
Activation
Date
Tokens
Allocated
Tokens
Unassigned
Comecka.net
2008.11.05
30
25
Netdesignsa.co.uk
2009.04.08
79
66
casewares.nl
2008.10.14
153
145
Modelsolutions.net
2008.10.14
0
0
Mediantwks.com
2008.10.28
5
Harrisonsca.com
2008.11.14
17
kinetic.uk.com
2008.11.21
cadnet-systems.com
2008.12.02
denisanworks.net
2008.12.09
User
Count
Total Successful
Responses
Total Failed
Responses
Total Bad
PIN
Total Auth
Attempts
3
26
7
1
15
35
209
5
0
269
9
145
3
0
157
0
0
0
0
0
4
1
3
0
0
3
14
8
110
8
0
118
10
8
2
19
4
0
30
16
14
2
10
7
0
17
104
100
4
24
2
0
26
Managed Account Summary
This report provides an overall total of pertinent user and token data for Organizations in MAP managed by a
Service Provider, including the Service Provider Organization.
User Count
599
Group Count
2
Company Count
30
Total Token Count
1562
Unassigned Tokens
972
RB-X Count
0
KT-X Count
282
KT-2 Count
639
ST-X Count
517
WT-X Count
124
SC-X Count
0
UB-X Count
0
Total Successful Responses
7878
Total Failed Responses
2825
Total Bad PIN
99
Total Auth Attempts
10802
Authentication Activity
Provides detail of all authentication activity by selected organization, one row per authentication. This report
supports date range criteria. This report is similar to Type 1: Token Usage except you can also filter by specific
protocols (eg: HTTPS, Radius, etc), or by Action (eg: chal pass, fail, etc.)
Timestamp
User Name
Serial Number
Action
Source IP
Protocol
2009.04.08-15:59:27
petersmith
861001467
FAIL
256.135.218.11
HTTPS
2009.04.08-16:06:40
frankjamieson
861001613
FAIL
256.141.238.18
HTTPS
Authentication Node
This report summarized authentication activity by Authnode. Each row represents an Authnode (IP address) and
the total number of passed and failed authentication attempts through the node within the date range specified.
Authnode (IP)
Authentication Pass
Authentication Fail
213.134.250.44
956
85
213.134.256.23
658
24
CRYPTO-MAP Administration Guide
52
There are also four charts / graphs available which are illustrated below:
Type 3:
Token State Detail
Type 4:
Token Count
Type 6:
System Summary
Type 10: Authentication Node
CRYPTO-MAP Administration Guide
53
6. Service Request Form
The CRYPTO-MAP “Options” tab provides CRYPTO-MAP Administrators with access to the Service Request Form
which is used to add, change or delete AuthNode access, or to control authentication access by specific user
groups.
1. The left pane shows the CRYPTO-MAP Administrator’s own Company and all managed Companies.
2. The CRYPTO-MAS Service Request Change indicates the time and date of the request, the Company to
which the request will be applied and the name/company of the CRYPTO-MAP Administrator.
3. The Access Point Configuration allows an Authnode for the Company to be added, modified and deleted.
Complete the fields in the “Access Point Configuration” section and press “Submit”. This will generate an
email to CRYPTOCard Support who will enable Authnode access for your VPN device. Tech Support will
send you an email to confirm when this is complete and you are able to authenticate.
4. The Access Control List Configuration allows an ACL for the Company to added, modified or deleted.
Simply complete the fields in the “Access Control List Configuration” section and press “Submit”.
Access Point Configuration (Authnode)

Dropdown: add, modify, delete options

Make: used to specify the manufacturer or type of NAS device. For example, Juniper Networks SSL VPN

Model: used to specify the model of NAS device. For example: SA 700

Host Name: specifies the fully qualified domain name of the NAS device

LAN IP Address: the internal IP of the NAS device

WAN IP: the external IP of the NAS device

Shared Secret: data only known to the Authnode and MAS
Access Control List Configuration
An ACL is an authorization method that is applied within CRYPTO-MAS to a Group(s) during the authentication
process. The purpose of the ACL is to allow or deny access to users based on two conditions:
1. A specific combination of Source IP and Group membership
2. Specific inclusion or exclusion of a User membership.
The most common use of ACL is to restrict access through specified NAS devices based on Group membership.
An example would be to protect an area of the network that should only be accessible to members of the “HR”
group. With all authentication requests, the server checks the source IP and any associated conditions such as an
ACL. If the associated ACL specifies “HR”, all non‐HR members will be rejected by the authentication server and
an “access‐reject” message is sent to the NAS.
CRYPTO-MAP Administration Guide
54
7. Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS are either
registered trademarks or trademarks of CRYPTOCard Corp.
Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other
trademarks, trade names, service marks, service names, product names, and images mentioned and/or used
herein belong to their respective owners.
8. Publication History
Date
Changes
October 12, 2006
April 26, 2007
October 19, 2007
December 12, 2007
February 28, 2008
September 17, 2008
Initial Draft
Additional sections and screen shots
Additional sections and screen shots
Upgraded version and information to match 6.4.72 upgrade
Updated for minor corrections and the SMS Token
Additional sections for Reporting, Multi-Tier and RADIUS Return
Attributes
LDAP Synchronization Agent information notes added to appropriate
sections.
Added RADIUS Return Attributes User Level, MSCHAPv2 checkbox, and
enhanced the Reports section
Added information for modifying force pin change on next use.
June 12, 2009
September 24, 2009
January 6, 2010
CRYPTO-MAP Administration Guide
55