Additional securing of the VPN IPSec tunnel with a one-time password (optional) |
To further secure the VPN IPSec tunnel, there is the option of enabling a one-time password request. This example describes the KOBIL SecOVID™ one-time password solution. The one-time password is generated with a token. At setup of the VPN IPSec tunnel, this one-time password is authenticated on the KOBIL SecOVID™ Radius Server.
The installation program of the
KOBIL SecOVID™ server is launched on the CD by opening the
win32\server\SECOVID Server.exe
file. Please read the setup outputs for your information
and follow the instructions and recommendations of the installation routine. At conclusion of the installation routine,
the logfile of the
KOBIL SecOVID™ server should be checked to insure that the server started
up.
Installation of the KOBIL SecOVID ™
For installation of the KOBIL SecOVID™ administration tool under Win32 systems, proceed as follows:
Launch the setup program for the drivers of your KOBIL chip card terminal via
/Driver Setup/KOBILDriverSetup.exe
Follow setup program instructions and close the chip card terminal when prompted. The chip card terminal is required to administer the KOBIL SecOVID™ server per remote console. The KOBIL chip card terminal is not required for local administration of the KOBIL SecOVID™ server.
For installation of the
KOBIL SecOVID™ administration tool, the setup program
/win32/admin/Setup_admintools.exe
on the installation CD must be launched. At
installation, please follow additional instructions of the setup program.
The
KOBIL SecOVID™ administration tool is launched over the
Start ->Programs-> SecOVID Admintools-> WxOvid menu. After initial startup of
KOBIL SecOVID™ Admintools, the secret token data can be imported and added to the
SecOVID data bank. At a second SecOVID testing, token data are displayed in clear text. If you've bought the
SecOVID tokens, the token data are generally provided in encrypted form. Import of token data (e.g.
tokendata_firm.db
) occurs via menu
Other Tokens -> Import Tokens.
Launching KOBIL SecOVID ™ admintools
For assignment of tokens to a user, token sets must be blocked. After temporary blocking of a token data set, user information can be saved by editing the entry. The information in the User Name field is used after configuration of the bintec secure IPSec client™ for advanced IPSec authentication.
User information
The data set must subsequently be unblocked.
Unblock
An initial function test can be performed with the command line tool
radping.exe
. With the one-time password,
Radping
initiates an authentication request on the SecOVID RADIUS server. During
installation, the tool was saved in the
\etc\SecOVID\
directory.
With the
-u
option, the user name and the one-time password are transmitted to the SecOVID server.
The one-time password must be generated with the user token. The SecOVID server is addressed with the
-S
option. For the first function test,
radping
must be executed directly on the server. The RADIUS password is sent with the
-k
option. The default value is
secret
. The SecOVID logfile (\etc\SecOVID\ovid.proto) displays
the following message in case of successful authentication:
Function test
All RADIUS clients (e.g. the bintec VPN gateway, or the test application
radping
) must be saved on the SecOVID server as RADIUS client. For this, configuration
file
\etc\SecOVID\clients
is edited. In our example, the bintec VPN gateway with the IP address
192.168.0.30 and the RADIUS password radius_PWD is
added. This password is subsequently also saved on the VPN gateway in the RADIUS settings. The SecOVID server service
must be restarted for these changes to become effective.
Clients-Editor
Copyright© Version 01/2020 bintec elmeg GmbH |