Test Scenario: Windows Back-End Authentication

This scenario covers authentication handled by OneSpan Authentication Server using Microsoft Windows for both, only back-end authentication and combining local and back-end authentication. The following logon methods will be covered:

• Using static password. Does not require an authenticator.
• Using Response-Only. Requires an authenticator with a Response-Only application.
• Using Challenge/Response. Requires an authenticator with a Challenge/Response application.

Back-end authentication only

Static password

To test Windows back-end authentication only with static password

1. Make the following changes to the test policy (see Modifying the test policy):

   • Policy > Local Authentication: None
   • Policy > Back-End Authentication: Always
   • Policy > Back-End Protocol: Windows
2. Verify that the grace period of the authenticator used for testing is set to a time in the future. If it is not, the static password logon will fail.
3. Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator), using the user ID and stored static password.

Local and back-end authentication

Static password

To test local and Windows back-end authentication with static password

1. Make the following changes to the test policy (see Modifying the test policy):

   • Policy > Local Authentication: DIGIPASS/Password during Grace Period
   • Policy > Back-End Authentication: Always
   • Policy > Back-End Protocol: Windows
2. Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator) using the user ID and stored static password.

Response-only

To test local and Windows back-end authentication with Response-Only

1. Make the following changes to the test policy (see Modifying the test policy):

   • Policy > Local Authentication: DIGIPASS/Password during Grace Period
   • Policy > Back-End Authentication: Always
   • Policy > Back-End Protocol: Windows
   • User > Stored Password Proxy: Yes
   • DIGIPASS > Application Type: Response Only
2. Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator), using the user ID and the OTP generated by your authenticator.

Challenge/response

To test local and Windows back-end authentication with Challenge/Response

1. Make the following changes to the test policy (see Modifying the test policy):

   • Policy > Local Authentication: DIGIPASS/Password during Grace Period
   • Policy > Back-End Authentication: Always
   • Policy > Back-End Protocol: Windows
   • User > Stored Password Proxy: Yes
   • DIGIPASS > Application Type: Challenge/Response
   • Challenge > 2-step Challenge/Response > Request Method: Keyword
   • Challenge > 2-step Challenge/Response > Request Keyword: 2StepCR

2. Run a test logon using RADIUS Client Simulator (see Testing a logon with RADIUS Client Simulator):

   1. Enter the user ID and the keyword (2StepCR) in RADIUS Client Simulator.
   2. Enter the challenge provided by RADIUS Client Simulator into your authenticator.
   3. Enter the same user ID and the response provided by your authenticator in RADIUS Client Simulator.