BlackShield with Internet VPN – Full Guide (OLD)

Instructions for installing, configuring and running the Cisco Internet VPN client software and the CRYPTOCard end user software and devices for use with the Telstra NTP Internet VPN service.
Ver 5.0 04/11/2014

Introduction
There are four types of CRYPTOCard devices available for use with the Internet VPN product.

Keychain Token

Smart Phone Token

SMS Token

Software Token

If you have been allocated a new Keychain device then you need to:

  1. Install the Cisco Internet VPN client software
  2. Change the CRYPTOCard PIN
  3. Connect to Internet VPN with Keychain token

If you have been allocated a new Smart Phone token then you need to:

  1. Install the Cisco Internet VPN client software
  2. Install Android application and token
  3. Install iPhone application and token
  4. Connect to Internet VPN with a Smart Phone token

If you have been allocated a new SMS token then you need to:

  1. Install the Cisco Internet VPN client software
  2. Connect to Internet VPN with an SMS token

If you have been allocated a new Software token then you need to:

  1. Install the Cisco Internet VPN client software
  2. Enroll a new Software token
  3. Connect to Internet VPN with Software token


Install the Cisco Internet VPN client software
Follow the instructions in the Cisco AnyConnect SSL Internet VPN guide.


Enroll a new Software token
This section only applies to users with a Software token. The end user Software token client software (now badged as SafeNet) is obtained via a link provided during the enrollment process. There is no need to download this software from any other site prior to installing a new Software token on a PC. Locate the email that Telstra Networking Tasmania will have sent to the email address provided by your IT helpdesk.

enrol-software-token-1

Click on the link provided to start the Enrolment process;

enrol-software-token-2

Check to ensure you have the username you were expecting then click Next;

enrol-software-token-3

NOTE: This step may not appear if you already have the current version of the software installed; it is also dependent upon the browser you are using and its security settings. The Enrollment process will try to determine which steps are necessary and skip any not required. This screen provides links to download the 32-bit and 64-bit versions of the end user client software. If you need to install the software (the older style CRYPTOCard software issued prior to Nov 2012 will NOT work!) then follow the instructions on this page and allow the software to install. The default settings may be OK for you, but if in doubt please consult your IT Helpdesk. When the software has installed click Next;

enrol-software-token-4

NOTE: There may be additional steps involved here dependent upon the browser you are using and its security settings. The Enrollment process will try to determine which steps are necessary and skip any not required. Most users will arrive at this screen. The Enrollment process will have downloaded the software token, opened the SafeNet software client, entered your initial PIN, entered a response to ensure you have the correct token, and is now ready to accept your new PIN. If you see additional screens then follow the instructions until you reach this point. Enter a new PIN with a minimum of four digits and a maximum of eight. The new PIN must not be trivial (e.g. 1111, 1234 etc). You have now activated your new Software token, changed its initial PIN and are ready to use it for authentications. Click Next;

enrol-software-token-5

Click Close. Note that if you do not click Close at this point your browser may grab hold of the Software token client and not allow it to be displayed. If this occurs ensure you click Close. The Self Enrollment email can be deleted once the new Software token has been successfully activated. The link in the email can only be used to activate the token once; it cannot be saved and used again at a later stage. The token file that you downloaded will be deleted as part of the Enrollment process. If you need to reinstall the Software token for any reason then you should contact your IT Helpdesk, who will in turn contact Telstra Networking Tasmania to have a new Self Enrollment email sent.

Enroll a new Android token
This section only applies to users who want to use their Android smart phone as a token. This is not applicable for SMS token users.

From your Android smart phone open the email that Telstra Networking Tasmania will have sent to the email address provided by your IT helpdesk. Click on the link provided to start the Enrolment process. You will be taken to a website where you can select the type of token to install. Select Android and click Next. Confirm that the email address presented is correct and click Email to initiate a new email message which will contain a link to download the software application as well as your new token file. Close your browser and return to your email client to view the new email message. Note that you may have to select “show quoted text” to view the full content of the new email.

If you do not already have the token software application installed on your Android smart phone click on the MP-1 image (you may have to click to show pictures if you see a broken image). Ensure you click to complete the action with Play Store and NOT Internet. This will take you to the Google Play Store. If this is the first time you have visited the Google Play Store on your phone you may have to accept the terms and conditions and you may be dropped to the default Play Store home page. If this occurs go back to the email and click on the MP-1 image again to ensure that you are taken to the MP-1 application install page. NOTE: DO NOT CLICK OPEN when the application has installed. If you do, the token will fail to load. Click to download and INSTALL the application. Click Accept if necessary. Ensure you close your browser and return to the email. DO NOT open the newly installed application.

Click the link in the email to download the token file. Ensure you click to complete the action with MP-1 and NOT Internet. The token file will download and the MP-1 application will open. Enter a new PIN. This is not an initial PIN; this is your new PIN that only you will know. There is no initial PIN with this process. Re-enter the new PIN, click Done and the application will display a response. From now on you can open the application and use it to generate new responses for use with authentications.

Enroll a new iPhone token
This section only applies to users who want to use their iPhone/iPad/iPod/iTouch as a token.

From your iPhone open the email that Telstra Networking Tasmania will have sent to the email address provided by your IT helpdesk. Click on the link provided to start the Enrolment process. You will be taken to a website where you can select the type of token to install. Select iPhone and click Next. Confirm that the email address presented is correct and click Email to initiate a new email message which will contain a link to download the software application as well as your new token file. Close your browser and return to your email client to view the new email message.

If you do not already have the token software application installed on your iPhone click on the MP-1 image. This will take you to the iTunes App Store. Click to download and INSTALL the application. Enter your iTunes username and password if necessary. You should be returned to your email client.

Click the link in the email to download the token file. Ensure you click to Open in MP-1 and NOT Open in …. The token file will download and the MP-1 application will open. Enter a new PIN. This is not an initial PIN; this is your new PIN that only you will know. There is no initial PIN with this process. Re-enter the new PIN, click Done and the application will display a response. From now on you can open the application and use it to generate new responses for use with authentications.

Change the PIN
Changing an initial PIN is only applicable to Keychain tokens. Software token initial PINs are changed during the Enrollment process. The very first time that you attempt to generate a CRYPTO response you will be asked to change the initial PIN to one of your own choosing. The new PIN must contain only digits, be a minimum of four digits and not be trivial (e.g. 11111 or 12345).

You must remember this PIN whilst ensuring that you follow your own agency's procedures for the secure handling of authentication information. Telstra NTP and your IT helpdesk are unable to view an unknown PIN. If you enter an incorrect PIN too many times (currently set at seven times) then the token will lock and you will be unable to use it. In this case please follow the Recover from a locked PIN instruction elsewhere in this document.

You may change your PIN at any time on a Software token.

You cannot change your PIN on a Keychain token as the PIN is stored on the server and not on the device itself, however you can ask your IT helpdesk to raise a request with Telstra NTP to have this done. Telstra NTP will set an initial deployment PIN that must be changed by the user on next use. Telstra NTP are also able to force regular PIN changes for Keychain users. If this option has been chosen by your agency then at regular intervals (e.g. three monthly) you will be prompted to change your PIN when you connect via the Cisco VPN client. Please see the relevant instruction below for your token type.
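As an added illustration (not part of the original guide, and not the CRYPTOCard, SafeNet or BlackShield software's own logic), the following Python models the PIN rules described above: digits only, four to eight digits, not trivial, and a lock after seven incorrect entries. The definition of "trivial" used here (a single repeated digit or a straight ascending/descending run) and the assumption that a correct entry clears the failure count are mine; the guide only gives the examples 1111, 1234, 11111 and 12345.

```python
import hmac

MIN_PIN_LEN = 4
MAX_PIN_LEN = 8
MAX_PIN_ATTEMPTS = 7   # the guide: the token locks after seven incorrect PIN entries


def is_trivial_pin(pin: str) -> bool:
    """A PIN is treated as trivial if every digit is the same (1111) or the digits
    form a straight ascending or descending run (1234, 4321).  This definition is an
    assumption; the guide only lists examples such as 1111, 1234, 11111 and 12345."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def validate_new_pin(pin: str) -> list:
    """Return the list of rule violations for a candidate PIN (empty list = acceptable)."""
    problems = []
    if not (pin.isascii() and pin.isdigit()):
        problems.append("PIN must contain only digits 0-9")
    if len(pin) < MIN_PIN_LEN:
        problems.append(f"PIN must be at least {MIN_PIN_LEN} digits")
    if len(pin) > MAX_PIN_LEN:
        problems.append(f"PIN must be at most {MAX_PIN_LEN} digits")
    if not problems and is_trivial_pin(pin):
        problems.append("PIN must not be trivial (e.g. 1111 or 1234)")
    return problems


class PinLockout:
    """Models the token-side PIN counter: after MAX_PIN_ATTEMPTS wrong entries the
    token locks, and only a re-issued token or initial PIN from the helpdesk restores
    it.  A real token never holds the PIN in the clear; this is a simulation only."""

    def __init__(self, pin: str):
        self._pin = pin
        self.failed_attempts = 0
        self.locked = False

    def check(self, attempt: str) -> str:
        if self.locked:
            return "locked"
        if hmac.compare_digest(attempt, self._pin):
            self.failed_attempts = 0     # assumption: a correct entry clears the count
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_PIN_ATTEMPTS:
            self.locked = True
            return "locked"
        return "invalid"


if __name__ == "__main__":
    for candidate in ("2948", "1111", "12345", "987", "123456789", "12a4"):
        print(candidate, validate_new_pin(candidate) or "acceptable")
    guard = PinLockout("2948")
    for i in range(MAX_PIN_ATTEMPTS):
        print(f"attempt {i + 1}:", guard.check("0000"))
    print("correct PIN after lock:", guard.check("2948"))
```

The lockout model shows why the guide tells Keychain users to stop and contact the helpdesk once they suspect seven wrong entries: after the seventh failure even the correct PIN is refused.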

Keychain token

Start the Cisco VPN client and attempt a connection in the normal manner.

keychain-token-1

Enter your Internet VPN username into the username field of the Cisco VPN client. Enter your initial deployment PIN immediately followed by the response (including the "-") from your KT-1 keychain device (press the KT-1 button to generate a response) into the password field of the Cisco VPN client and then click "OK". For example, if your initial deployment PIN was 2948 and the response in the display of your KT-1 Keychain device was 123-456 then you would enter 2948123-456 into the password field of the Cisco Internet VPN client.

keychain-token-2

You will now be prompted to change your PIN. Enter a new PIN into the Password field ensuring that you follow the PIN format rules as outlined above, and then click OK.

keychain-token-3

As long as you complied with the PIN format rules it will now be changed on the server. You will be presented with the VPN username/password authentication box again. Enter your username, and then enter your new PIN immediately followed by the response from your KT-1 Keychain token (press the button to generate a new response if necessary) and click OK. Note that the KT-1 keychain token will power off after 30 seconds. The power off period is reset every time you press the button, so the response can be left in the display for a longer period as long as the button is pressed at least once every 30 seconds. If you need to generate a new response you need to wait for the device to power off (up to 30 seconds) and press the button again.

Note that you are using a Cisco VPN client connection attempt to change your PIN with the Keychain device. Like any other VPN connection attempt, if you take too long it may time out. If this occurs then close the Cisco VPN client, reopen it and start again.

Software token

For the MP Software token the initial PIN is changed during the initial Enrollment process. To change a user selected PIN start the SafeNet token client (Start | All Programs | SafeNet | Tokens | Token) and then select Tools | Change PIN;

software-token-1

Enter your current PIN and then enter your new PIN twice ensuring that you follow the rules mentioned above.

Connect to Internet VPN with a Keychain device
Note that this assumes the Cisco VPN client is installed and operational on your PC before reaching this point. All screen shots are from Ver 4.x of the Cisco VPN client. Anyone still using Ver 3.x may see something different. Start the Cisco VPN client and attempt a connection in the normal manner.

connect-keychain-1

Your Internet VPN username is entered into the Cisco VPN client as per normal. Press the button on your Keychain device. It will power on and display your response. Note that if a "-" appears in the display it is part of the response. Tokens issued after Oct 2012 will not contain a "-". You should then enter your PIN immediately followed (no space) by the response generated by the Keychain device into the password field. For example, if your PIN is 2948 and the response in the display of your Keychain device is 123-456 then you would enter 2948123-456 into the password field of the Cisco Internet VPN client.

Click OK and as long as the PIN and response provided were correct the connection will progress as per normal.

The device will automatically power off approximately 30 seconds after the last button press. If you need to retain the response on the display for longer than 30 seconds then just press the button again to extend the power off timer by another 30 seconds.

If the connection is not successful due to an incorrect PIN or response, the Cisco VPN client has no way of passing this information back to you, so it will just present the username/password box again. Just make another connection attempt ensuring that the details provided are correct. You can re-enter the same response, or if the device has powered off you can press the button to generate a new response. You are able to repeat this process up to 10 times without a successful connection before the Keychain device becomes out of sync with the server, requiring a manual resync to restore service. If you suspect this may be the case then see the Recover from an out of sync token process elsewhere in this document. If you suspect that you may have entered your PIN incorrectly more than 7 times then see the Recover from a locked PIN process elsewhere in this document. If all else fails then contact your IT helpdesk.

All token types will lock at the server after 10 or more incorrect authentication attempts. Tokens automatically unlock on the server (new feature post Oct 2012) after five minutes; however, if you have reached this point and are using a software/hardware token then you are most likely out of sync or have forgotten your PIN anyway.

Connect to Internet VPN with a Smart Phone token
Note that this assumes the Cisco VPN client is installed and operational on your PC and the Smart Phone token application (MP-1) is installed with a working token on your Smart Phone device. Open the MP-1 Cryptocard application on your device (Android or iPhone/iPad/iPod/iTouch). You will be prompted to enter your PIN. Do this now and click Done. If you enter an incorrect PIN you will be warned and have to retry. If you enter an incorrect PIN too many times (currently set to 7) then the token will lock and you will have to contact your IT helpdesk for assistance. If your PIN is accepted then the CRYPTO response will be displayed.

connect-smartphone-1

You should now start the Cisco VPN client and attempt a connection in the normal manner.

connect-smartphone-2

Your Internet VPN username is entered into the Cisco VPN client as per normal, and the response generated earlier is entered into the password field.

Click OK and as long as the response provided was the correct one the connection will progress as per normal.

Connect to Internet VPN with an SMS token
Note that this assumes the Cisco VPN client is installed and operational on your PC and you have received an initial OTP (One Time Password) SMS on your phone before reaching this point. Start the Cisco VPN client and attempt a connection in the normal manner.

connect-sms-1

Your Internet VPN username is entered into the Cisco VPN client as per normal. Go to your mobile device and note the OTP (One Time Password) from the most recent text message received from NetTasAuth. You should then enter your PIN immediately followed (no space) by the OTP from the most recent text message into the password field. For example, if your PIN is 2948 and the OTP from your most recent text message is 123456 then you would enter 2948123456 into the password field of the Cisco Internet VPN client.

Click OK and as long as the PIN and response provided were correct the connection will progress as per normal.

If the details you provided were correct and the Internet VPN connection attempt is successful you will receive a new text message from NetTasAuth with the OTP (One Time Password) to be used in your next connection attempt. Keep this text message for next time. Used OTPs from previous text messages will not work; only the OTP in the most recent text message will allow you to authenticate. If you lose this text message (deleted, replacement phone etc) then you can obtain a new OTP text message by making an Internet VPN connection attempt with a blank password.

If you know you will be going to a location that is not in a mobile coverage area then ensure you have an unused OTP text message before leaving. If you suspect you may need more than one OTP whilst you are in an area without mobile coverage then you should consider asking your IT helpdesk to have your mobile number changed to one that will be in a mobile coverage area at the time, and then make your own arrangements to obtain the OTPs from that mobile phone (by land line, non VPN email etc). If you regularly make Internet VPN connections from areas without mobile coverage then a Keychain token may be a better option for you.
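The SMS token rules above (only the most recent OTP is valid, a used OTP never works again, a successful logon triggers the next message, and a blank password requests a fresh one) can be seen in a small simulation. This Python is an added example and not BlackShield's or Telstra's code; the OTP length of six digits follows the guide's example 123456, the PIN-then-OTP split of the password field follows the guide's 2948123456 example, and holding the PIN in the clear and leaving the current OTP valid after a wrong-PIN attempt are my simplifying assumptions.

```python
import hmac
import secrets

OTP_DIGITS = 6   # the guide's example OTP is 123456


class SmsOtpServer:
    """Models the server side of the SMS token for one user: a single current OTP,
    replaced on every successful logon or on a blank-password request.  Constructed
    simulation only; a production server would not hold the PIN in the clear."""

    def __init__(self, pin: str):
        self._pin = pin
        self.current_otp = None
        self.sent_messages = []      # stand-in for the NetTasAuth text messages
        self._send_new_otp()         # the guide: an initial OTP is sent before first use

    def _send_new_otp(self) -> None:
        self.current_otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.sent_messages.append(self.current_otp)

    def authenticate(self, password: str) -> str:
        """password is the VPN password field: PIN immediately followed by the OTP."""
        if password == "":                      # blank password: send a fresh OTP
            self._send_new_otp()                # the old one is superseded
            return "otp-sent"
        if self.current_otp is None or len(password) <= OTP_DIGITS:
            return "fail"
        pin, otp = password[:-OTP_DIGITS], password[-OTP_DIGITS:]
        if hmac.compare_digest(pin, self._pin) and hmac.compare_digest(otp, self.current_otp):
            self.current_otp = None             # a used OTP never works again
            self._send_new_otp()                # next message for the next logon
            return "ok"
        return "fail"                           # assumption: OTP stays valid after a wrong PIN


if __name__ == "__main__":
    server = SmsOtpServer("2948")
    first = server.sent_messages[-1]
    print("first logon:", server.authenticate("2948" + first))         # ok, next OTP sent
    print("replay of first OTP:", server.authenticate("2948" + first))  # fail
    print("blank password:", server.authenticate(""))                   # otp-sent
    print("superseded OTP:", server.authenticate("2948" + server.sent_messages[-2]))  # fail
    print("latest OTP:", server.authenticate("2948" + server.sent_messages[-1]))      # ok
```

The blank-password path is why the guide suggests keeping an unused message before entering an area without coverage: requesting a new OTP invalidates the one you already have.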

Connect to Internet VPN with a Software token
Note that this assumes the Cisco VPN client is installed and operational on your PC before reaching this point. All screen shots are from Ver 4.x of the Cisco VPN client. Anyone still using Ver 3.x may see something different. Start the SafeNet token client (Start | All Programs | SafeNet | Tokens | Token).

connect-software-1

Ensure that your username (in this case testpg1) is displayed and then click on the Generate Token Code button. You will be prompted to enter your PIN. Do this now and click OK. If you enter an incorrect PIN you will be warned and have to retry. If you enter an incorrect PIN too many times (currently set to 7) then the token will lock and you will have to contact your IT helpdesk for assistance. If your PIN is accepted then the CRYPTO response will be displayed. Note that if a "-" is displayed then it is part of the response and must be entered when you authenticate. You can click on the clipboard icon adjacent to the response to copy the response to the clipboard. This will allow you to paste it into the Cisco VPN client.

You should now start the Cisco VPN client and attempt a connection in the normal manner.

connect-software-2

Your Internet VPN username is entered into the Cisco VPN client as per normal and then the response generated earlier is either manually typed in or pasted in from the clipboard.

Click OK and as long as the response provided was the correct one the connection will progress as per normal.

Recover from an out of sync Software or Keychain token
This section is not applicable to SMS tokens. Because you enter an OTP (One Time Password) provided to you via SMS from the authentication server, you cannot be out of sync. The only issue that may occur is if you use an old OTP. As long as you use the OTP from the most recent NetTasAuth SMS you cannot be out of sync. If you do not have the most recent SMS message then connect with a blank password and one will be sent to you.

All tokens used with the Internet VPN product are working in Quicklog mode. This means that the end user does not have to manually provide a server generated challenge in order to produce a response. The server and the device are in sync, so the device is able to produce the next response without user intervention. As a result it is possible for a device to become out of sync with the server if a number of responses are generated by the device without using those responses in a successful authentication attempt. Currently a device can produce up to ten responses without providing them in a successful authentication request before it becomes out of sync with the server.

Prior to November 2012 an out of sync token would fail to authenticate requiring manual intervention to return the token to an in sync state. The November 2012 server upgrade introduces a new feature that allows a user to return their token to an in sync state without having to follow the old resync process. Note that under normal circumstances this shouldn’t occur. Only repeated generating of unused responses or a server problem can produce an out of sync situation.

If your token (any type) becomes out of sync with the server and you attempt to authenticate you will be prompted to enter the next response. If you have a Keychain token allow it to power off (wait up to 30 seconds) then generate a new response. If you are using a Software token click to generate a new response. Enter the new response. You will then be prompted to repeat this one more time. If the two new responses you provided are as expected by the server (two consecutive new responses within the next 100 responses expected) then your authentication attempt will succeed and your token will be back in sync with the server.
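The Quicklog behaviour described in this section (a counter that advances on every button press, a server that tolerates up to ten unused responses, and recovery by two consecutive new responses within the next 100) can be seen in the following simulation. It is an added example, not CRYPTOCard or BlackShield code: HOTP (RFC 4226) stands in for the token's own event-based algorithm, the seed is a constructed demo value, the window sizes come from the figures in this guide, and the exact server-side handling of the two prompted responses (and the fencepost of "up to ten" meaning ten skipped responses are still accepted) is my assumption.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by token and server (not a real token secret).
DEMO_SEED = b"constructed-demo-seed-for-example-only"

MAX_SKIPPED = 10       # guide: up to ten unused responses before the token is out of sync
RESYNC_WINDOW = 100    # guide: two consecutive responses within the next 100 resync it


def response_for(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time response for a counter value.  HOTP (RFC 4226) is used
    here only as a stand-in for the token's own Quicklog algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Token:
    """Keychain/Software token: every button press (or Generate Token Code) advances
    the counter, whether or not the response is ever used."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        resp = response_for(self.seed, self.counter)
        self.counter += 1
        return resp


class AuthServer:
    """Server side: remembers the next counter it expects for the token, accepts
    anything within the in-sync window, and otherwise runs the two-consecutive-
    response recovery described in the guide."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.expected = 0
        self.resync_stage = 0   # 0 = normal, 1 = awaiting first new response, 2 = awaiting second
        self.first_new = None   # counter matched by the first new response

    def _match(self, resp: str, width: int):
        """Counter in [expected, expected + width) that produces resp, or None.
        Counters before `expected` are never searched, so a used response is rejected."""
        for c in range(self.expected, self.expected + width):
            if hmac.compare_digest(response_for(self.seed, c), resp):
                return c
        return None

    def authenticate(self, resp: str) -> str:
        c = self._match(resp, MAX_SKIPPED + 1)      # expected response or up to ten skipped
        if c is not None:
            self.expected, self.resync_stage = c + 1, 0
            return "ok"
        c = self._match(resp, RESYNC_WINDOW)
        if c is None:                               # beyond the resync window: manual resync
            self.resync_stage = 0
            return "fail"
        if self.resync_stage == 0:                  # out of sync: prompt for the next response
            self.resync_stage = 1
            return "out-of-sync: enter next response"
        if self.resync_stage == 1:                  # first new response recorded
            self.first_new, self.resync_stage = c, 2
            return "enter next response again"
        self.resync_stage = 0                       # second new response must be consecutive
        if c == self.first_new + 1:
            self.expected = c + 1
            return "ok"
        return "fail"


if __name__ == "__main__":
    token, server = Token(DEMO_SEED), AuthServer(DEMO_SEED)
    print(server.authenticate(token.press()))        # ok
    for _ in range(MAX_SKIPPED):                     # ten presses nobody uses
        token.press()
    print(server.authenticate(token.press()))        # ok: still within the window
    for _ in range(MAX_SKIPPED + 1):                 # eleven more unused presses
        token.press()
    print(server.authenticate(token.press()))        # out-of-sync: enter next response
    print(server.authenticate(token.press()))        # enter next response again
    print(server.authenticate(token.press()))        # ok: back in sync
    print(server.authenticate(response_for(DEMO_SEED, 0)))   # fail: replayed old response
```

Two points worth noticing: the server only ever searches forward from the counter it expects, which is what makes a previously used response worthless to anyone who captured it, and the in-sync window is what lets ten idle button presses go unpunished while the eleventh forces the recovery dialogue.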

If the “two consecutive new responses” process fails then you can still follow the old process to return a token to an in sync state. This process is documented here for those that may wish to use it. This is achieved by having the server generate a challenge that is entered into either the software client or, in the case of a Keychain token, into the device itself. This forces the token to generate the correct response, and as long as that response is provided back to the server the two will be back in sync again.

You should first attempt a Cisco VPN client connection by manually starting the Cisco Internet VPN client;

rsync-token-1

Enter your Internet VPN username into the username field, but leave the Password field blank. Click OK;

rsync-token-2

The Cisco Internet VPN client will now display a challenge from the server (48000794 in this case). For a Software token start the SafeNet token client (Start | All Programs | SafeNet | Tokens | Token);

rsync-token-3

Ensure that your username is shown in the Token Name field and then select Tools | Re-Sync. Enter the challenge exactly as provided by the Cisco VPN client earlier and then enter your PIN. Click OK. The client will now produce a response that will be in sync with the server.

If you have a Keychain device then a very similar procedure is followed.

Press and hold the button (approximately 3-4 seconds) on the device until the Init prompt appears, then release the button.

The device will cycle through a series of prompts: Init, LCD Test, Contrast, and ReSync. Press and release the button while ReSync is displayed.

The digits 0 through 9 will be displayed sequentially to the right of the ReSync prompt. For every digit of the resynchronization challenge provided by the Cisco Internet VPN client, press the button to accept the displayed digit. For example, if the resynchronization challenge is 16278371;

Device Displays    Action
ReSync 1           Press Button
16                 Press Button
162                Press Button
1627               Press Button
16278              Press Button
162783             Press Button
1627837            Press Button
16278371           Press Button
16278371           Press Button (confirm)

Note that for a short time after each button press a < will appear. If the button is pressed whilst the < is in the display the last digit will be erased.

When the last digit has been selected the display will remain the same (i.e. the digits will cease to cycle). If the digits displayed are the same as the challenge provided then press the button one last time to confirm. The Keychain device will then produce a response. Provide your PIN and that response in the Password field of the Cisco Internet VPN client;

rsync-token-4

Your Internet VPN connection will now proceed as per normal and your token will be back in sync with the server. If the time taken to produce the response was too long then the Internet VPN connection may have timed out. In this case just attempt the connection again. It is a good idea in this case to actually close down the Cisco VPN client and reopen it to ensure that you are starting a new connection. Note that only the response generated at this time will allow the resync to take place. If the Keychain device is allowed to power down and a new response is generated then the resync will be unsuccessful. To avoid this you can press the button whilst the original resync response is still on the display to reset the 30 second idle power off timer, or alternatively you can write the response down as it is only valid for this connection attempt.

If for any reason you are unable to perform the above procedure with the Cisco Internet VPN client then you may ask your IT helpdesk to raise a job with Telstra NTP. The Telstra NTP Customer Care staff are able to provide the challenge to you over the phone. You will still need access to your Keychain device or the client software, and you will still need to know your PIN.

Recover from a locked PIN
The very first time that you attempt to generate a response you will be asked to change the initial PIN to one of your own choosing. The new PIN must contain only digits, be a minimum of four digits and not be trivial (e.g. 11111 or 12345). You must remember this PIN whilst ensuring that you follow your own agency's procedures for the secure handling of authentication information. Telstra NTP and your IT helpdesk are unable to view an unknown PIN. If you enter an incorrect PIN too many times (currently set at seven times) then the token will lock and you will be unable to use it.

If you are using a Keychain device then the Cisco Internet VPN client will not report that you have entered an incorrect PIN; the only indication of a problem will be that the connection attempt fails. This is because the Cisco Internet VPN client does not have any mechanism to pass this information on from the server. If you suspect that you may have entered your PIN incorrectly seven or more times then you will need to contact your IT helpdesk. They will raise a request with the Telstra NTP Customer Care Centre (CCC). The Telstra NTP CCC will create a new initial PIN for your Keychain token and pass this back to your IT helpdesk. You should then follow the process described in the Change the CRYPTOCard PIN section.

A Software token will display an Invalid PIN error if an incorrect PIN is entered. You should retry ensuring that you enter the correct PIN. If you continue to enter incorrect PINs the token will lock. In this case you must contact your IT helpdesk, who will ask Telstra NTP to reissue a new token file and initial PIN. Please see the Enroll a new Software token section for details on how to load the replacement token file.

Version History
Ver 5.0 04/11/2014 – Pretty big overhaul, still a bit to do as VPN client images are still for the old version
Ver 4.2 16/11/2012 – Added Android, iPhone and SMS token instructions
Ver 4.1 30/10/2012 – Update for BlackShield server migration
Ver 4.0 17/01/2012 – Minor unpublished changes
Ver 3.0 02/05/2008 – Migrated to new website
Ver 2.2 10/12/2007 – Amended KT-1 Resync section
Ver 2.1 18/12/2006 – Amended KT-1 Resync section
Ver 2.0 07/11/2006 – Added instructions on how to delete software token
Ver 1.9 06/11/2006 – Changed location and added PDF download
Ver 1.8 09/10/2006 – Added link to FAQ
Ver 1.7 02/10/2006 – Added notes re plugin not connecting if VPN banner enabled
Ver 1.6 11/09/2006 – Update for version 6.4 CRYPTOCard software
Ver 1.5 14/08/2006 – Minor grammar/spelling corrections
Ver 1.3 11/08/2006 – Removed all reference to UB-1 and RB-1 devices
Ver 1.0 – 1.3 – Initial build