Thursday 29 December 2011

CryptoCard - Outer Window Authentication

Not really deployment related but something I have been scratching my head over today. For a 2nd factor of authentication we run CryptoCard.

CryptoCard is wonderful. The way it works is that the server knows the next X codes the shiny dongle of fun will generate (my guess is 3,600 of them).
In the "Policy Admin" screen there are some options under "Synchronization"; the important ones are the top two.


From the CryptoCard handbook, reworded to make sense:
INNER EVENT BASED OTP WINDOW SIZE
This is the number of codes the server will "look ahead" from the last successful logon by the user.
For example, if the user presses the button and does not use that code, the server is still expecting token code 1, but when the user authenticates they enter token code 2. The server looks through token codes 1 to 10 (the default) and, if a match is found, the user is authenticated and the server moves its position forward to the matched code.

OUTER EVENT BASED OTP WINDOW SIZE
When the entered token code is not found in the inner window, the server checks the next set of codes, up to the limit in the Outer Event Based setting (default 100). If a match is found there the user is not logged in; they must resync their token by entering the NEXT code. In the admin web interface this shows up as the "Result": "Outer Window Authentication".
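To make the two windows concrete, here is an added model of the server-side look-ahead (my own example, not CryptoCard's code; the post does not describe the token's algorithm, so RFC 4226 HOTP stands in for it, the seed is a constructed value, and the outer window is taken to be the 100 codes after the inner one). It also walks through the "enter the NEXT OTP" resync step that the operator-login workaround further down relies on.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. Assumption: stands in for the CryptoCard token's own
    event-based algorithm, which the post does not describe."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class Token:
    """A one-button event-based token: every press advances the counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class EventOtpServer:
    """Server-side look-ahead with the two windows from the Policy Admin screen."""

    def __init__(self, secret: bytes, inner: int = 10, outer: int = 100) -> None:
        self.secret = secret
        self.inner = inner            # INNER EVENT BASED OTP WINDOW SIZE
        self.outer = outer            # OUTER EVENT BASED OTP WINDOW SIZE
        self.last_counter = -1        # counter of the last successful logon
        self.pending_resync = None    # outer-window hit waiting for the NEXT OTP

    def _lookup(self, code: str):
        """Return the counter whose code matches, searching inner then outer."""
        first = self.last_counter + 1
        # Assumption: the outer window is the `outer` codes beyond the inner one.
        for counter in range(first, first + self.inner + self.outer):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                return counter
        return None

    def authenticate(self, code: str) -> str:
        counter = self._lookup(code)
        if counter is None:
            self.pending_resync = None
            return "Bad Passcode"
        if counter <= self.last_counter + self.inner:
            # Inner window: logon succeeds and the server moves past this code.
            self.last_counter = counter
            self.pending_resync = None
            return "Authenticated"
        # Outer window: no logon; the user must prove possession with the next code.
        self.pending_resync = counter
        return "Outer Window Authentication"

    def resync(self, next_code: str) -> str:
        """Second step of a resync: the NEXT OTP after the outer-window hit."""
        if self.pending_resync is None:
            return "Bad Passcode"
        expected = self.pending_resync + 1
        self.pending_resync = None
        if hmac.compare_digest(hotp(self.secret, expected), next_code):
            self.last_counter = expected
            return "Resynced"
        return "Bad Passcode"


def run_scenario(inner: int = 10, outer: int = 100) -> list:
    """Walk a token through drift inside, beyond, and outside both windows."""
    secret = b"constructed-demo-seed"    # constructed sample seed, not a real token
    token, server = Token(secret), EventOtpServer(secret, inner, outer)
    results = []
    for _ in range(3):                     # three presses never submitted
        token.press()
    results.append(server.authenticate(token.press()))      # drift 3: inner window
    for _ in range(50):                    # a weekend of retries against a dead box
        token.press()
    results.append(server.authenticate(token.press()))      # drift 50: outer window
    results.append(server.resync(token.press()))            # NEXT OTP completes resync
    results.append(server.authenticate(token.press()))      # back in step
    for _ in range(outer + inner):         # drift past both windows
        token.press()
    results.append(server.authenticate(token.press()))      # unrecoverable here
    return results


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(inner=100))
```

With the defaults the scenario yields Authenticated, Outer Window Authentication, Resynced, Authenticated, Bad Passcode; with the inner window raised to 100 the 50-code drift authenticates outright and the resync step is never needed. The trade-off to keep in mind when widening either window is that a guessed six-digit code now succeeds with probability roughly (inner + outer) / 10^6 per attempt, so lockout or rate limiting on the server matters more as the windows grow.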



Junos Pulse doesn't handle the "Enter Next Token" bit properly and just comes up saying "BAD Passcode" and asks for a response. I tried everything I could think of: same code with and without PIN, next code with and without PIN, and the same for the next two screens that come up. No luck.

This leaves us with no real way to resync a token that is in this state. The options are to increase the OTP Window Sizes, or find some way to resync.

I have gone with both... 10 is a bit too few, especially if the Crypto box has a problem and users keep trying to log in over a weekend.

The second part was to have a way to actually do a resync when it is needed, since the proposed method on a CryptoCard requires the user to enter challenge codes on a token with one button... not ideal. The alternative isn't pretty but will do the job and get them logged in.

On the Crypto Server add the user as an Operator with the lowest privileges (Reporting). They give you their PIN and the token code, which you use to log in. The login page will prompt again for the login details, telling you to enter the NEXT OTP (One Time Passcode).
Enter the username and PIN + the next token code. You should see the reporting page. Log out, remove the Operator role from the user, and they can log in as themselves from home.

Not ideal to add them to the server as an Operator, but they never attempt the logins (an admin does) and the role should be removed straight away. It's got us out of a jam in a week that should have been quiet.
