[Last updated 10 June 2015]
This document is intended to provide quick answers to some of the common questions surrounding the use of CryptoCard security tokens with Telstra Networking Tasmania’s Internet VPN and Dialup products. It is not intended to replace the full user instructions available here, or the instructions that may have been provided to you by your own agency.
- I’ve read this FAQ but my question still isn’t answered!
- Why would I choose to have a KT-1 keychain hardware token?
- What are the differences between a KT-1 and KT-2 keychain hardware token?
- Why would I choose to have a Software token?
- Why would I choose to have an SMS token?
- Why would I choose to have a Smart Phone token?
- Which devices support Smart Phone tokens?
- What software do I need and where do I get it from?
- Will the CRYPTOCard software install and run under Windows 7?
- Will the CRYPTOCard software install and run under Windows 8?
- I enter the numbers from the keychain device into the Internet VPN client but it won’t connect
- I’ve forgotten my PIN, what do I do?
- I press the button on my keychain device but nothing happens
- What happens if people keep pressing the button on my keychain device?
- Do I have to include the dash “-” when I enter the numbers from my keychain device in the password field?
- Why does my keychain device say “Init” when I turn it on?
- How do I adjust the contrast on my keychain device?
- How do I know if my keychain device is out of sync and how do I get it back in sync?
- What do I do if I want to change my token type? e.g. I have a KT-1 and would like to change it to an ST-1?
- What do I do if I’ve lost my KT-1 or it is damaged and inoperable?
- What happens if my PC or laptop is lost or stolen and it has a software token installed?
- I keep pressing the button, but my keychain device won’t turn off and the numbers don’t change
- How many times can I enter an incorrect PIN or response before my token locks?
- What is the CRYPTOCard web tool and how do I access it?
- I’ve read this FAQ but my question still isn’t answered!
If your question relates to installing or operating the Cisco VPN software or any of the CRYPTOCard software, or using the software or hardware tokens, then there is a good chance that it is answered somewhere in the Internet VPN full guide available here. If that doesn’t help and your IT helpdesk isn’t able to help you, then please ask them to raise a job with Telstra Networking Tasmania and we will endeavor to solve your problem.
- Why would I choose to have a KT-1 keychain hardware token?
The keychain device does not restrict you to using only the one PC. It is portable. You don’t need to install any CRYPTOCard software. You can use it at any Internet connected PC that has the Cisco Internet VPN client installed and configured.
- What are the differences between a KT-1 and KT-2 keychain hardware token?
Operationally there are no differences. The KT-1 has a metal body and replaceable batteries. The KT-2 has a plastic body and the batteries are not replaceable. Some users have reported that the word “Locked” has appeared on the display of their KT-1 token. Our vendor has reported that in rare cases the metal body of the KT-1 has allowed a static electricity charge to corrupt the token and lock it. If this happens to you then a plastic body KT-2 may be appropriate. The only way to recover from a token that displays “Locked” is to return it to Networking Tasmania.
- Why would I choose to have a Software token?
The Software token can only be installed and operated on the one PC. This is good if you should only be accessing your network from the one place. No hardware to lose.
- Why would I choose to have an SMS token?
The SMS token does not restrict you to using only the one PC. Because it uses your mobile phone to receive the response via SMS it is portable and can never become out of sync. You don’t need to install any CRYPTOCard software. You can use it at any Internet connected PC that has the Cisco Internet VPN client installed and configured (Internet VPN product). It will work with any device that is capable of receiving and displaying a text message. The next response is sent when you authenticate so you can still connect (once) if you are out of a mobile reception area.
- Why would I choose to have a Smart Phone token?
This is similar to a KT-1/KT-2 keychain token in operation, only it uses an application installed on your phone to generate the response.
- Which devices support Smart Phone tokens?
Applications are available for Android and iPhone style devices. The Smart Phone token type is selected by the end user during the token enrollment process. The Android application has been tested on phones and tablets. The iPhone application has been tested on iPhone and iPad devices and is said to work on iPod and iTouch devices. There is an app for Blackberry but due to difficulties experienced with the installation process it is not made available. If you have a pressing need to try a Blackberry token then please request this via your IT helpdesk. Windows and Nokia (Symbian) phones are not supported at this stage.
- What software do I need and where do I get it from?
This depends on the type of CRYPTOCard token and the type of Telstra NTP product that you have. All Internet VPN users need to have the Cisco Internet VPN client installed and configured. If you have a hardware keychain token or an SMS token then this is all you will need to connect via the Internet VPN product. If you have a Software token then you will need the CRYPTOCard authenticator software installed. The CRYPTOCard software token client is downloaded by the end user during the token enrolment process.
- I enter the numbers from the keychain device into the Internet VPN client but it won’t connect
This could be caused by a number of things. Did you see the username/password box when you tried to connect with the Cisco Internet VPN client? If you did, then your Internet connection is probably OK; if you didn’t, then check that your Internet connection is working (try to browse to a public website) and make sure that your Cisco Internet VPN client is configured correctly. Note that you can only connect to Telstra Networking Tasmania’s VPN service from an Internet connection. You cannot connect from within the Networking Tasmania network (i.e. from your office LAN).
Assuming you did see the Cisco Internet VPN client username/password box, did you enter the correct username? Did you make sure that you entered your PIN correctly in the password field, immediately followed (no space) by the numbers in the display of your keychain device? Make sure that you are using the correct PIN. If the token has been used before then don’t use the initial PIN, as you would have changed it to something else the first time it was used.
If all these things are correct then either the username has been locked due to too many incorrect attempts or it is out of sync with the server. There is no easy way for an end user to tell the difference. If the token is out of sync with the server then you will be prompted to enter the next response. Allow the token to power off, then press the button to generate a new response and re-authenticate with your PIN and this new response. If this works then you will be back in sync again. If you think your account has been locked due to too many incorrect PINs or responses then wait 10 minutes and try again; accounts automatically unlock after 10 minutes of inactivity.
Still won’t connect? Is it possible someone else is already connected from somewhere else with the same username? If all else fails contact your IT helpdesk for assistance. They may have to raise a job with Telstra Networking Tasmania to check if the username or token has been locked.
- I’ve forgotten my PIN, what do I do?
There isn’t a lot that you can do other than contact your IT helpdesk. They will request a new PIN from Telstra Networking Tasmania. If you have a software token then a new token will be issued via email. You will have to reinstall the token. Click here for instructions. If you have a keychain device or SMS token then your IT helpdesk will be given a new PIN to use over the phone. In both cases you will have to change this PIN the first time that you try to use it. Never write your PIN or username on a hardware token. Ensure that you follow your own agency’s security policies on the safe handling of secure information.
- I press the button on my keychain device but nothing happens
To ensure that you don’t bump the button by mistake, CRYPTOCard have recessed the keychain button slightly. It also requires a firm press to activate. Make sure you are pressing the button fully. If you still see nothing in the display then the battery could be flat. CRYPTOCard tell us that the batteries are good for about five to six years. If the battery is starting to fail the display will become dim and should show the text “BATTERY!”.
The batteries in a plastic body KT-2 token are not replaceable. You should contact your own IT helpdesk who will request a replacement token from Telstra NTP.
The batteries in a metal body KT-1 token are replaceable by the end user or your IT helpdesk. It is important that this process is followed exactly as written to avoid having your token lock. Using a small Phillips head screwdriver, remove the battery compartment cover. Never remove both batteries at the same time as this will lock the token. Remove one battery using a non-metallic implement (a plastic BIC pen cap works well!). It is important that you do not use anything metallic as it is very easy to short the battery to the token case whilst removing it. Insert a replacement CR2016 battery, ensuring that the two battery contacts inside the token are not shorted together by the new battery. You should insert one edge of the new battery into the edge contacts first and then carefully place the rest of the battery into place. Remove the other battery and replace it using the same process. Install the battery cover.
If the device says “Locked” when the button is pressed then you must have shorted the battery or the terminals and it will need to be returned to Telstra Networking Tasmania via your IT helpdesk for reprogramming. If the device still has no display then it must be faulty. Contact your IT helpdesk who will request a replacement from Telstra Networking Tasmania. There is a charge for a replacement device.
- What happens if people keep pressing the button on my keychain device?
If your workmates, your kids or anyone else (including yourself!) keeps pressing the button without actually connecting to the Telstra Networking Tasmania Internet VPN service then the device will eventually become “out of sync” with the server. The server will look ahead up to the tenth valid response after the one that it is currently expecting. If you press the button ten times without authenticating then you will be too far ahead of the server and “out of sync”.
The Blackshield update in November 2012 introduced a new feature to rectify this situation. If you supply a response that is out of sync but still within the next 100 expected responses you will be prompted to enter the next response. Allow your Keychain token to turn off and then press the button to generate a new response. As long as this is the next response the server is expecting you will be authenticated and will be back in sync. You can still perform the manual resync process by following the resync instructions here to get your token back in sync with the server. If the button has been pressed a few times then it will line back up with the server the next time you connect and the window of ten look ahead responses will be reset back to zero.
To help prevent this from occurring your device has been programmed to stay on for 30 seconds. If the button is pressed again within 30 seconds of the first press then the power down timer will be extended by another 30 seconds. This can be useful if you want to keep the response on the display a bit longer. Even if you wanted to intentionally put your token out of sync with the server it would take you at least five minutes of button pushing.
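The look-ahead and "enter the next response" behaviour described above can be sketched as server-side logic. This is an added example, not CRYPTOCard or Telstra code: RFC 4226 HOTP stands in for the token's own algorithm, and `TokenServer`, the 8-digit response length and the exact window edges are assumptions.

```python
import hashlib
import hmac
import struct

LOOK_AHEAD = 10      # FAQ: responses the server accepts ahead of the expected one
RESYNC_WINDOW = 100  # FAQ: further ahead than that, ask for the next response

def otp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP, a stand-in for the token's own algorithm (assumption)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenServer:
    """Hypothetical server-side state for one event-based token."""

    def __init__(self, secret: bytes, pin: str):
        self.secret, self.pin = secret, pin
        self.counter = 0     # index of the response the server expects next
        self.pending = None  # index that must follow an out-of-sync response

    def _find(self, response: str, start: int, stop: int):
        """Return the counter in [start, stop) that yields response, else None."""
        for c in range(start, stop):
            if hmac.compare_digest(otp(self.secret, c).encode(), response.encode()):
                return c
        return None

    def authenticate(self, password: str) -> str:
        # The password field is the PIN immediately followed by the response.
        pin, response = password[:len(self.pin)], password[len(self.pin):]
        pending, self.pending = self.pending, None
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return "reject"
        if pending is not None:
            # Resync in progress: only the very next response is acceptable.
            if self._find(response, pending, pending + 1) is None:
                return "reject"
            self.counter = pending + 1
            return "accept"
        near_end = self.counter + LOOK_AHEAD  # window edges are an assumption
        hit = self._find(response, self.counter, near_end)
        if hit is not None:
            self.counter = hit + 1  # used and skipped responses are now dead
            return "accept"
        hit = self._find(response, near_end, self.counter + RESYNC_WINDOW)
        if hit is not None:
            self.pending = hit + 1
            return "next-response"
        return "reject"
```

Because the counter only moves forward, a response that was displayed but skipped, or one already used, is rejected once a later response has been accepted.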
- Do I have to include the dash “-” when I enter the numbers from my keychain device in the password field?
This requirement has changed over time as the server infrastructure has been upgraded. If a “-” is displayed as part of your response then it must be provided. All tokens initialised after October 2012 do not have a “-” to avoid confusion.
- Why does my keychain device say “Init” when I turn it on?
You have held the button in for too long. It’s OK, nothing’s broken, just leave it for 30 seconds and it will turn off. Next time don’t hold the button down for so long (less than three seconds). If you do hold the button down for about three seconds or more you will enter a mode that allows you to test the LCD display (boring), adjust the contrast (useful, but KT-1 only) or resync the device (useful if you are out of sync).
- How do I adjust the contrast on my keychain device?
This cannot be done on a plastic body KT-2 device. If you have a metal body KT-1 device then press and hold the button for three or four seconds until “Init” appears and then release the button. The display will cycle through Init, LCD Test, Contrast and ReSync. Press the button again when the display says Contrast. The display will cycle through a series of prompts in the form of -XX##XX where ## are numbers from 00 to 15 that represent the lowest to highest contrast settings. The display contrast will also change as the numbers change. When the desired contrast is reached press the button twice to set it.
- How do I know if my keychain device is out of sync and how do I get it back in sync?
This is explained in “I enter the numbers from the keychain device into the VPN client but it won’t connect” elsewhere in this document.
- What do I do if I want to change my token type? e.g. I have a KT-1/KT-2/Software token and would like to change it to an SMS token?
Contact your IT helpdesk and ask them to lodge a request (SLR) with Telstra Networking Tasmania asking for the change.
If you are changing from a hardware token to an SMS or software token then you will need to return your existing hardware device to Telstra Networking Tasmania 70 Collins Street Hobart Tasmania 7000. Please do not place any type of hardware token in an envelope and place in the general post as they will be damaged. When your hardware token is received an SMS or software token with the same username will be sent out to the mobile number or email address that you nominate on the SLR.
If you are changing from an SMS or Software token to a hardware token then a new hardware device will be dispatched via courier from Telstra Networking Tasmania to the delivery address that you nominate on the SLR. At this time the SMS/software token will be disabled on the Telstra Networking Tasmania server.
If it is important to you to retain the ability to authenticate at all times throughout this process you may be better off requesting an entirely new service with a new username and, once that has been received and confirmed to authenticate, then lodging another SLR to cancel the original service. There may be a cost applicable to a change of token type. Please contact the Telstra Networking Tasmania Customer Care Centre on 1800 813 302 or by email to firstname.lastname@example.org if you have any questions.
- What do I do if I’ve lost my KT-1 or it is damaged and inoperable?
The most important thing is to notify your IT helpdesk so that they can ask Telstra Networking Tasmania to disable the token. They should then lodge a request (SLR) with Telstra Networking Tasmania requesting a replacement device. You should be able to keep the same username. There is a charge for a replacement hardware device. If the device is damaged or inoperable then consult the “I press the button on my keychain device but nothing happens” section of this FAQ.
- What happens if my PC or laptop is lost or stolen and it has a software token installed?
The most important thing is to notify your IT helpdesk so that they can ask Telstra Networking Tasmania to disable the token. They should then lodge a request (SLR) with Telstra Networking Tasmania requesting a replacement token. You should be able to keep the same username. There may be a charge for a replacement token.
- I keep pressing the button, but my keychain device won’t turn off and the numbers don’t change
This is normal. Pressing the button a second time will not generate a new response and will not turn the device off. The device turns itself off thirty seconds after the last button press. If you need to generate a new response then just wait until the device turns itself off and then press the button again.
- How many times can I enter an incorrect PIN or response before my token locks?
If you enter a correct PIN with an incorrect response it is an incorrect response. If you enter an incorrect PIN, then it doesn’t matter if your response is correct or not, it is an incorrect PIN. Your token will lock after seven consecutive incorrect PIN entries. Your token will lock after ten consecutive incorrect responses. If your KT-1/KT-2 keychain token has been locked and Telstra NTP re-enable it and reset the PIN for you, then you only have one attempt to connect. If you fail to enter the reset initial PIN correctly then your token will lock again. This is a security feature and normal behaviour. Note that since November 2012 a token that has been locked due to incorrect responses will automatically unlock after five minutes. If you suspect your token may be locked please wait five minutes and try again before seeking assistance. Since November 2014 tokens can be up to 99 responses ahead of the server before they are out of sync; previously this was only 10.
- What is the CRYPTOCard web tool and how do I access it?
Telstra NTP have made available to IT helpdesks a web tool that allows them to do a test authentication of any CRYPTOCard token type. The web tool does not give you access to anything, it merely tells you if the response that you have entered is correct or not. If your token is locked due to too many incorrect responses it may indicate this to you. It will allow you to change the initial PIN on a KT-1, KT-2 or SMS token. It will allow you to obtain a resync challenge for either a software or hardware token. The web tool is only available to IT helpdesk staff who already have a login to the Telstra NTP website restricted area. Do not try to use your Internet VPN or dialup username to log into the Telstra NTP website restricted area as it will not work. The CRYPTOCard web tool can be accessed via https://www.nettas.com/ctoken/.