Page 1: two factor authentication (TFA) - connect.sas.com · Web view2018/02/05  · This configuration file will allow you to configure your personal Mac to remotely access SAS. Configuration

Two Factor Authentication (TFA) For Remote Access Documentation

Last Updated: 2/5/2018 – Supported by SAS IT

TWO FACTOR AUTHENTICATION (TFA) ..... 1

What is Two Factor Authentication ..... 1

Obtaining a Two Factor token ..... 1

Registering your TFA Token (Enrollment) ..... 2

Frequently Asked Questions ..... 3

Trouble Logging In ..... 3

Problems with the Windows or Mac Soft-Token ..... 3

Problems with the iOS or Android Soft-Token ..... 4

USING CISCO ANYCONNECT VPN WITH TFA ..... 5

SAS provided Windows and Mac based computers ..... 5

Non-SAS provided (Personally-owned) computers ..... 5

If you have a Push-Enabled Smartphone Device ..... 5

If you do NOT have a Push-enabled Smartphone device ..... 6

USING JUNIPER SSL VPN (WBI) WITH TFA ..... 7

Connecting to Juniper SSL VPN VIA a Browser ..... 7

USING MAC NATIVE VPN WITH TFA ..... 10

Supported versions ..... 10

Configuration ..... 10

Authenticating to VPN Via Smartphone with TFA push ..... 12

Authenticating to VPN Via TFA Without push ..... 13


TWO FACTOR AUTHENTICATION (TFA)

WHAT IS TWO FACTOR AUTHENTICATION

Two factor authentication consists of something you know (your password) and something you have (a two factor token). The combination of these two items allows you to securely authenticate your user session. The benefit of two factor to SAS is that your password alone cannot be re-used by an attacker to remotely access SAS. Our initial deployment at SAS will be used to secure remote access services. SAS currently uses the Symantec VIP authentication service to provide the second authentication factor.

OBTAINING A TWO FACTOR TOKEN

In order to utilize the VIP TFA system, you will need to obtain a token. The preferred option is for you to use an iOS or Android device and utilize the smartphone token option. The next best option would be to utilize the Windows or Mac-based soft token. If you do not have a smartphone or mobile device and need to access VIP-protected resources from outside SAS, then you would also be eligible for a physical token. You may associate multiple tokens with your account in case you wish to use both a smartphone token and a computer-based soft token. You may also associate a single token with multiple accounts (e.g. if you have a primary and a secondary Active Directory account; the only requirement is that your secondary account has an email address and/or phone number associated with it so that token recovery may take place).

The preferred option is for you to install a smartphone token on your mobile phone. If you have an iOS, Android, or other device, please navigate to https://m.vip.symantec.com/, verify that your phone is supported, then follow the instructions to download the mobile token. The smartphone token on iOS and Android supports push functionality that will allow you to authenticate to supported services by pressing Accept on your phone instead of manually entering your token code. This is why this method is recommended as the primary authentication method.


The alternative or additional option is to install a computer-based soft token. If you do not have a supported mobile phone, this is the next preferred option. The Windows and Mac soft tokens are available here: https://m.vip.symantec.com/ .

An alternative option, which should only be used if you do not have a smartphone but you DO have a personal, SMS-capable device, is to register your phone number as your two factor device.

The final option, which is only available if you do not have a SAS-issued smartphone AND require access to VIP-protected resources from outside SAS, is the physical token. This may be requested here: VIP Physical Token Request Form.

REGISTERING YOUR TFA TOKEN (ENROLLMENT)

Once you have obtained a token via the above process, you may then register your token in order to associate it to your SAS Active Directory account. You must follow these steps to associate your token with your SAS User ID!

1. Log in to https://vip.sas.com using your SAS Active Directory userid. By default, CARYNT is the domain that is used and no domain needs to be entered. If you do not have a CARYNT account or have accounts in multiple domains, DOMAIN\userid may be required. For more information on logging in, please see the FAQ entry for Logging In.

2. During the registration process, you will be asked to verify your account by e-mail or phone (using information obtained from Active Directory). If you do not have an e-mail address or phone number associated with your Active Directory account, then you’ll need to contact the Employee Service Desk to have this information properly provisioned before you can register your token.

3. Next, you will need to associate your token or tokens to your account by clicking Register and selecting VIP Credential or SMS (if you are registering a personal, non-smartphone). Please make sure the country code and area code are included if you select SMS.


You will also use this same site should you lose your token or should you need to re-register a phone or soft token.

FREQUENTLY ASKED QUESTIONS

Trouble Logging In

Question: I'm unable to log in to the VIP portal at https://vip.sas.com. It is not taking my userid or password; what could be wrong?

Answer: VIP is set up to search through multiple domains to allow global authentication. By default, CARYNT (NA) is the first domain in the search list, thus this is the credential you should use to authenticate if you have a CARYNT account. If you do not have an account in CARYNT, then it will continue searching all the other configured domains: VSP, EUROPE (EMEA), and ROW (APAC), in that order. If you have accounts in multiple domains and wish to use a different account to authenticate, then you will need to preface your login with DOMAIN\userid (where DOMAIN is either CARYNT, VSP, EUROPE, or ROW). You may also log in with [email protected] if your email address is properly configured in Active Directory. If you do not have a domain account, or no e-mail address or phone number is associated with your domain account, then you'll need to contact the Employee Service Desk or your SAS Sponsor to have an account properly provisioned before you can register your token.

Question: How can I access VIP-protected resources if my token/credential ID is not working, missing or lost?

Answer: You may obtain a temporary token, register a new token, or unlock your existing token by logging into https://vip.sas.com using your userid and password. Once you are prompted for your token/credential, click the link that says "Trouble logging in" instead of entering a credential.

Problems with the Windows or Mac Soft-Token

Question: I'm getting an error activating my client-based token OR I can no longer use my token on Mac or Windows.

Answer: Please make sure your system can get to the Internet and access this link: https://vipservices.verisign.com. Initial registration of the Mac or Windows client requires an Internet connection to the above site. If you have verified network connectivity and can access the URL above, we recommend uninstalling and re-installing the client from https://m.vip.symantec.com/ and re-registering it at https://vip.sas.com. If you continue to have issues after re-installing, please email [email protected].

Question: If I re-install my machine or get a new machine, how can I preserve my existing VIP soft token?

Answer: You cannot preserve settings from an old machine on a new machine. You will need to re-install the client and register a new token. Please follow the registration documentation above and register a new token. Once you are prompted for your token/credential, click the link that says "Trouble logging in" instead of entering a credential.

Problems with the iOS or Android Soft-Token

Question: If I re-install my phone or get a new phone, how can I preserve my existing VIP token?

Answer: If you have an iPhone and plan on restoring from backup, then you need to make sure you enable the "encrypt" option for backups prior to backing up. If you have done this, then the restored VIP token will exist on your phone. If you are not restoring from backup or have an Android device, you should visit the section above and register a new token. Once you are prompted for your token/credential, click the link that says "Trouble logging in" instead of entering a credential.


USING CISCO ANYCONNECT VPN WITH TFA

SAS PROVIDED WINDOWS AND MAC BASED COMPUTERS

A Two Factor Authentication (TFA) token is not needed when using AnyConnect to connect to SAS. Employees using AnyConnect on SAS-issued laptops will not require a token, as these devices have been provisioned with unique tokens that represent the second factor.

NON-SAS PROVIDED (PERSONALLY-OWNED) COMPUTERS

A Two Factor Authentication (TFA) Token will be required each time you connect to SAS remotely via VPN. Make sure you have obtained and registered a TFA token as listed in the document above. At connect time there is no obvious indication that a Two Factor Token is needed as you will still enter your username and password when prompted.

If you have a Push-Enabled Smartphone Device

If you have the push-enabled smartphone token described above, enter your username and password in the AnyConnect dialog, then use your smartphone to Approve or Deny the request. Approve to continue the connection.


If you do NOT have a Push-enabled Smartphone device

Once you hit connect within AnyConnect, you’ll need to retrieve your TFA token (from smartphone, soft token or physical) or have your SMS-enabled and registered phone nearby. Next, login with your SAS userid and password.

Once your credentials are validated, you should be prompted for your security code. Once you’ve submitted this, your AnyConnect connection should begin. If you use a physical/soft/virtual token, you may also append your 6 digit code to your password and the “Security code” prompt will be bypassed.


USING JUNIPER SSL VPN (WBI) WITH TFA

The Juniper Pulse Secure SSL VPN (aka WBI) is a web-based VPN that allows you to use a web browser to connect to resources inside SAS. If you have a SAS domain account, then as of February 24, 2017, you will be required to utilize two factor authentication when connecting to a web VPN resource. This section will cover usage and expectations when connecting to Juniper SSL VPN with Two Factor Authentication.

CONNECTING TO JUNIPER SSL VPN VIA A BROWSER

When connecting to Juniper SSL VPN through common web browsers (IE, Firefox, Chrome, Safari and both Android and iOS browsers), you will be able to take advantage of Symantec’s Integrated Authentication.

1. To log in, go to the standard URL you use for Juniper SSL VPN (this will depend on whether you use WBI, Contractor Portal, etc.). The most common URL is https://wbi.sas.com; other sites exist, such as https://neo.eur.sas.com for European contractors. Enter your domain user account and password.

2.a. If you have a smartphone device that supports push, your device should receive a request to authenticate, where you will click Approve. Alternatively, you can click "Use a security code" and use a secondary token or SMS device.


b. If you don’t have any devices that support push, you will see the following.

1. If you have a registered soft token or physical token, you can enter the numbers directly in the security code box.

2. If you have registered an SMS device or don’t have another registered token, you should select “Don’t have a security code” and select the preferred validation method. Once you’ve received your code, enter it in the new screen.


3. If you run into issues connecting via Juniper SSL VPN, please see the FAQ before contacting the Employee Service Desk.


USING MAC NATIVE VPN WITH TFA

SUPPORTED VERSIONS

Mac machines running OS 10.10 or later support configuration of IPSec profiles via a mobile configuration file. This configuration file will allow you to configure your personal Mac to remotely access SAS.

CONFIGURATION

1. Make sure you’ve obtained and registered a TFA token for use with the Mac native VPN configuration.

2. To configure IPSec on your Mac, you will first need to download the mobile configuration file (External Link / Internal Link) to your Mac machine. NOTE: If you attempt this installation while connected to the SAS internal network, you will be unable to test your configuration until you are outside of the SAS network.

3. Double click on the mobile configuration file:

4. Hit the continue button to accept installation of the SAS IPSec configuration.


5. You will have to click continue again.

6. Enter your SAS userid. You don’t have to enter your password (it won’t be saved if you enter it anyway). Then click Install.

7. Enter your Mac username and Password (required to make system changes) then click OK.

8. You have now installed the SAS IPSec VPN profile on your Mac.


AUTHENTICATING TO VPN VIA SMARTPHONE WITH TFA PUSH

1. To start your VPN connection, you can go to the Apple Menu -> System Preferences -> Network -> SAS IPS…ith TFA. Then enter your userid and password and press Connect. You may also want to check "Show VPN Status in menu bar", which will allow you to launch VPN directly from the menu bar.

2. Once you hit connect, you’ll need to be prepared to accept the push request on your smartphone device.

3. Enter your userid and password:

4. Accept the Push request from VIP Access:


5. You should now be authenticated and your VPN connection should connect.

AUTHENTICATING TO VPN VIA TFA WITHOUT PUSH

1. To start your VPN connection, you can go to the Apple Menu -> System Preferences -> Network -> SAS IPS…ith TFA. Then enter your userid and press Connect (leave your password blank). You may also want to check "Show VPN Status in menu bar", which will allow you to launch VPN directly from the menu bar.


2. Once you hit connect, you’ll need to retrieve your TFA token (from smartphone, soft token or physical) or your SMS-enabled and registered smartphone.

3. Click Connect and enter your userid and password.

4. Next you will be prompted for your security code:

5. If you have an SMS-enabled and registered device (and no push devices registered), you should receive a text message with your code. Otherwise, you’ll have to enter the security code from your physical/soft/virtual token.

6. You should now be connected. If you use a physical/soft/virtual token, you may also append your 6 digit code to your password and the "Security code" prompt will be bypassed.
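Both the AnyConnect and Mac native VPN sections say a 6 digit token code can be appended to the password to skip the separate "Security code" prompt. The following is an added illustration of how a gateway can process that combined entry safely; it is not SAS's or Symantec's code, and it assumes the token is an RFC 6238 TOTP (the VIP algorithm is not described on this page). The user store, seed and `CombinedVerifier` class are constructed for the demo.

```python
import hmac
import hashlib
import struct
import time

CODE_LEN = 6   # the document: a 6 digit code appended to the password
STEP = 30      # time step in seconds (assumed RFC 6238 default)
WINDOW = 1     # accept one step of clock drift on either side

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits); an assumed stand-in for the VIP token."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_LEN).zfill(CODE_LEN)

def split_combined(entry: str):
    """Return (password, code) if the entry ends in 6 ASCII digits, else None."""
    tail = entry[-CODE_LEN:]
    if len(entry) <= CODE_LEN or not (tail.isascii() and tail.isdigit()):
        return None
    return entry[:-CODE_LEN], tail

def same(a: str, b: str) -> bool:
    """Constant-time comparison so password/code checks do not leak timing."""
    return hmac.compare_digest(a.encode(), b.encode())

class CombinedVerifier:
    def __init__(self, passwords: dict, secrets: dict):
        self.passwords = passwords  # constructed user -> password (demo store only)
        self.secrets = secrets      # constructed user -> token seed
        self.used = set()           # (user, step) pairs already accepted: blocks replay

    def verify(self, user: str, entry: str, now: int = None) -> str:
        now = int(time.time()) if now is None else now
        password = self.passwords.get(user, "")
        # Entry is exactly the password (even one ending in digits): first factor
        # passes, so the gateway must still show the "Security code" prompt.
        if same(entry, password):
            return "need_code"
        parts = split_combined(entry)
        if parts is None or not same(parts[0], password):
            return "bad_password"
        secret = self.secrets.get(user)
        if secret is None:
            return "no_token"
        for step in range(now // STEP - WINDOW, now // STEP + WINDOW + 1):
            if same(parts[1], totp(secret, step * STEP)):
                if (user, step) in self.used:
                    return "replayed_code"   # a captured code is useless a second time
                self.used.add((user, step))
                return "ok"
        return "bad_code"

# Constructed demo store; the seed is the RFC 6238 reference seed, not a real credential.
DEMO_STORE = CombinedVerifier({"alice": "hunter2", "bob": "pass123456"},
                              {"alice": b"12345678901234567890"})
```

With the RFC seed the code for T=59 is 287082, so `DEMO_STORE.verify("alice", "hunter2287082", now=59)` returns "ok" once and "replayed_code" afterwards, while bob's digit-ending password alone still returns "need_code".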
