Creating a WiKID Authentication Domain
The WiKID Authentication System employs the concept of authentication domains. They are not related to your Windows domains! An authentication domain is a segmentation of authentication authority. Any given device using the system can participate in any number of authentication domains. These domains may exist on an individual WiKID Strong Authentication Server or they may exist on separate and discrete servers (or any combination). Conversely, a WiKID Strong Authentication Server may provide authentication services for any number of discrete domains. These domains may be exclusive or inclusive of any set of devices.
An authentication domain is initially defined by the 12-digit code used in device provisioning. This code allows any unconfigured, unrelated device to locate and register with a particular WiKID Strong Authentication Server and domain. In practice, the 12-digit code signifies a zero-padded IP address that is Internet accessible. Optionally, it may designate a prefix in the wikidsystems.net domain. For example, a WiKID Strong Authentication Server with the public IP address of 126.96.36.199 would be directly accessible via the 12-digit code 027232007014. Using the wikidsystems.net service, codes signifying non-routable IP addresses may be used, such as 999888777666. You can also alter the DNS settings by deploying a custom jw.properties file with your software token.
Note that the tokens need to be able to connect to the WiKID server on port 80 (no need for SSL, as the token protocol uses asymmetric encryption). Your server can be behind NAT, but use the external IP for the domain identifier.
Selecting the [Domains] header option will display the current domains served by this WiKID Strong Authentication Server. See Figure 12 below.
Selecting [Create New Domain] on this screen will allow the administrator to establish a new authentication domain for this server.
Click Create. The required domain configuration options are:
Domain Name – This is a descriptive label for this domain visible only in the administration system.
Device Domain Name – This is the domain label that will appear in the menu option on the user's token client. This label should be relatively short to facilitate viewing on a mobile device.
Minimum PIN Length – This is the minimum allowable PIN length for this domain. Any attempt to set a PIN shorter than this value will generate an error on the client device.
Passcode Lifetime – This parameter specifies the maximum lifetime of the one-time passcode generated in this domain. After N elapsed seconds, the one-time passcode will automatically be invalidated.
Server Code/Domain Identifier – This is the zero-padded, Internet-routable IP address of the server (e.g. 188.8.131.52 becomes 064120060154) or the pre-registered prefix in the wikidsystems.net domain. This value must be exactly 12 digits in length. This field cannot be edited after the domain is created; to change it, delete the domain and create a new one.
Max Bad PIN Attempts – The maximum number of bad PINs attempted by a device in this domain before the device is disabled.
Max Bad Passcode Attempts – The maximum number of bad passcodes entered for a userid registered in this domain before the userid is disabled.
Max Sequential Offlines – The maximum number of times a device may use the offline challenge/response authentication before being required to authenticate online. This feature is used in the Enterprise version for the wireless clients when they are out-of-network coverage.
Use TACACS+ – Select this to use TACACS+ for this domain. Do not select this unless you know what you are doing.
Token Types – You can limit the types of token your users can have. For now, leave it as Allow All Token Types.
Mutual HTTPS Auth Registered URL – LEAVE THIS EMPTY unless you are implementing mutual HTTPS authentication. Enter an HTTPS URL here if you want this domain to support mutual authentication. In brief, the WiKID server will fetch the URL's certificate and store a hash of it. When a user requests a one-time password from a PC software token, the token client also receives this hash and URL. Before presenting the one-time password, it fetches the URL's certificate, hashes it and compares the two hashes. If they match, the OTP is presented and the default browser (if supported) is launched to the URL. This prevents network-based man-in-the-middle attacks against the protected site.
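As an added example (not part of the WiKID documentation or product code), the following Python encodes an IPv4 address into the 12-digit Server Code described in the provisioning section above and in the Domain Identifier field, and classifies a given code as either a direct address or a wikidsystems.net prefix. The sample address 8.8.8.8 and the treatment of private addresses as prefixes are constructed for illustration; the exact hostname the token resolves for a prefix is not specified on this page.

```python
import ipaddress

# Added example (not WiKID's own code): encode a server address as the
# 12-digit Server Code / Domain Identifier and decode a code back, the way
# the page describes it: each IPv4 octet zero-padded to three digits.

def encode_domain_code(ip: str) -> str:
    """Return the 12-digit code for an Internet-routable IPv4 address."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    # Tokens reach the server from the Internet, so a private (RFC 1918) or
    # otherwise non-global address cannot be used directly; for a NAT'd
    # server pass the external address instead.
    if not addr.is_global:
        raise ValueError(f"{ip} is not Internet-routable; use the external IP "
                         "or a pre-registered wikidsystems.net prefix")
    return "".join(f"{octet:03d}" for octet in addr.packed)

def is_valid_domain_code(code: str) -> bool:
    """The field must be exactly 12 decimal digits."""
    return len(code) == 12 and code.isdigit()

def decode_domain_code(code: str) -> tuple[str, str]:
    """Classify a code as ('ip', dotted-quad) or ('prefix', code).

    A code whose four 3-digit groups are all <= 255 and form a global
    address is taken as a direct IP. Anything else (e.g. 999888777666, or a
    code spelling out a private address such as 010000000001) is treated as
    a pre-registered prefix to be resolved via the wikidsystems.net service
    (assumption: the hostname form is not given on the page, so only the
    prefix itself is returned).
    """
    if not is_valid_domain_code(code):
        raise ValueError("server code must be exactly 12 decimal digits")
    octets = [int(code[i:i + 3]) for i in range(0, 12, 3)]
    if all(o <= 255 for o in octets):
        addr = ipaddress.IPv4Address(".".join(str(o) for o in octets))
        if addr.is_global:
            return ("ip", str(addr))
    return ("prefix", code)

if __name__ == "__main__":
    # Constructed sample values; 8.8.8.8 stands in for a public server address.
    print(encode_domain_code("8.8.8.8"))            # 008008008008
    print(decode_domain_code("008008008008"))       # ('ip', '8.8.8.8')
    print(decode_domain_code("999888777666"))       # ('prefix', '999888777666')
```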
After specifying these parameters, select Create to add the domain. Figure 18 indicates the successful creation of the domain.
After adding the domain, select the [Domains] option from the header bar. You should see the new domain listed under Current Domains.
Your two-factor authentication users will be associated with WiKID domains, which in turn are associated with network clients - those services which require two-factor authentication for access. Now that one domain has been configured, we will focus on configuring protocols such as RADIUS and LDAP and setting up network clients.