SAS INTERNET VPN – FULL GUIDE (NEW)

Instructions for installing, configuring and running the Cisco Internet VPN client software and the SAS end user software (MobilePASS+) and devices for use with the Telstra NTP Internet VPN service (VPNaaS).
Ver 6.0 01/03/2018

Introduction
There are four types of SAS tokens available for use with the Internet VPN product.

  • MobilePASS+ Software Token (iOS/Android)
  • KT4 Hardware Token
  • SMS Token
  • MobilePASS 8 (Windows, MacOS)

If you have been allocated a new MobilePASS+ (iOS/Android) software token then you need to:

  1. Install the Cisco AnyConnect VPN Client
  2. MobilePASS+ (iOS) Install
  3. MobilePASS+ (Android) Install
  4. Connect to MobilePASS+ (iOS/Android) Software token

If you have been allocated a new MobilePASS 8 (Windows, MacOS) software token then you need to:

  1. Install the Cisco AnyConnect VPN Client
  2. MobilePASS 8 install process (Windows/MacOS)
  3. Connect to MobilePASS 8 (Windows/MacOS) Software token

If you have been allocated a new KT4 hardware token then you need to:

  1. Install the Cisco AnyConnect VPN Client
  2. Change the KT4 hardware token PIN (SAS self service portal)
  3. Connect to the VPN with a KT4 hardware token

If you have been allocated a new SMS token then you need to:

  1. Install the Cisco AnyConnect VPN Client
  2. Connect to the VPN with an SMS based token

 

Install the Cisco AnyConnect VPN Client
Follow the instructions in the Cisco AnyConnect SSL Internet VPN guide

 

Enroll a new MobilePASS+ / MobilePASS 8 Software token
This section only applies to users with a software token.

The end user software token client software is obtained via a link provided during the enrollment process. Depending on whether you are installing the software token on a mobile device or a PC workstation, open the activation e-mail on that specific device. This determines which type of software client you will install (Windows/iOS/Android/OSX etc). There is no need to download this software from any other site prior to installing a new software token on a .

Locate the email that Telstra Networking Tasmania will have sent to the email address provided by your IT helpdesk. This will be sent only from sasalert@nettas.com.

 

MobilePASS 8 install process (Windows/MacOS):

MobilePASS 8 supported operating systems: Windows 7, 8.1, 10; Mac OSX 10.10, 10.11, 10.12, 10.13

  • Click on the URL link provided to start the enrollment process.
  • Click on the “Download MobilePASS Installer” link and run the .msi file.
  • Follow the steps below to install the software onto your PC (in this case Windows).
  • Now register your unique token in the client software.

1. Use the key provided earlier to auto-enroll the token.

2. Once enrollment is complete, enter your new PIN. Your token is now ready to use.

MobilePASS+ (iOS) Install:

  • MobilePASS+ can be distinguished from MobilePASS 8 by its purple icon.

 

1. Open up enrollment e-mail on your iPhone

2. Download and install MobilePASS+ client

3. Open MobilePASS+ client once installed

4. Go back to the enrollment e-mail and select “Enroll your MobilePASS+ token”

5. Your token should now be automatically enrolled

6. Enter a new PIN for this token.

7. The token is now active and listed along with all MobilePASS+ tokens on this device.

If you have any problems with the token software and/or the token installation itself, then you should contact your IT Helpdesk, who will in turn contact Telstra Networking Tasmania to have a new self-enrollment email sent.

MobilePASS+ (Android) Install:

1. Open up enrollment e-mail on your Android device and select “Download and install it”.

2. This will start the SafeNet MobilePASS+ client install process in whichever app store you use on your version of Android.

3. Open up the MobilePASS+ client that is now installed on your Android phone

4. Go back to your enrollment e-mail and select “Enroll your MobilePASS+ token”

5. Enter your new PIN and confirm.

6. Token enrolment is now complete

Enroll a new KT4 hardware token:

  • Telstra Networking Tasmania currently deploys the KT4 keychain token as its hardware token solution.
  • With the higher uptake of software tokens on smartphones, the popularity of the hardware token has decreased, but it is still offered as an option to customers.
  • KT4 tokens have replaceable batteries, so if the token is faulty or the screen does not show any digits – please log a call with your local IT Helpdesk, who will in turn contact the Telstra Networking Tasmania Customer Care Center for a replacement.

 

1. Open up the token enrollment e-mail and click on the self-enrollment link

2. Enter the serial number from the KT4 token you have received from Telstra Networking Tasmania (Nettas).

3. Enter a new unique PIN between 3 and 8 digits long

 

4. Enter the current One Time Password (OTP) from your hardware token into the dialogue box. The OTP will be 8 digits long.

Change Initial PIN/Reset PIN/Token Maintenance
Changing an initial PIN is only applicable to KT4 hardware tokens. Initial PINs for software and SMS tokens are changed during the enrollment process. The very first time that you attempt to generate a challenge-response (OTP) you will be asked to change the initial PIN to one of your own choosing. The new PIN must contain only digits, be a minimum of 3 digits and not be trivial (e.g. 11111, or 12345 etc).

You must remember this PIN whilst ensuring that you follow your own agency's procedures for the secure handling of authentication information. Telstra NTP and your IT helpdesk are unable to view an unknown PIN. If you enter an incorrect PIN too many times (currently set at seven times) then the token will lock and you will be unable to use it. In this case you can use the self-service portal below to change your PIN, or you can contact the Nettas service desk to help you.

 

There are a number of ways to reset pin numbers on a variety of platforms, including:

  • Software Token client (MobilePASS 8 / MobilePASS +)
  • SAS self service portal (All token types)

 

Software Token Client (MobilePASS 8):

For the MobilePASS 8 software token the initial PIN is changed during the initial enrollment process. To change a user-selected PIN, start the SafeNet token client (Start | All Programs | SafeNet | Tokens | Token) and then select Tools | Change PIN.

1. Open the MobilePASS 8 client and select the token whose PIN you would like to change.

2. Click the “PIN” icon on the right hand side to reset this token's PIN.

3. Enter the new PIN and select continue

Software Token Client (MobilePASS+):

For MobilePASS+, open up the application on your iOS or Android phone.

In this instance screenshots from iOS are provided:

1. Select which token you want to change the PIN for

2. Enter in current PIN to access token.

3. Select the cog icon to view the settings of the token

4. Select the Change PIN icon to change the pin for this token only

SAS self service portal:

You may change your PIN at any time on a software/SMS or KT4 hardware token by going to the SAS self service portal:

https://sasauth.nettas.com/blackshieldss/

Follow this process to reset your PIN on either a hardware or SMS-based token:

1. Sign into the portal using your token credentials.

2. Log in using your SAS username and the OTP from whichever token you are using.

3. Once logged in, select reset PIN.

4. Enter the new PIN for the token you have selected.

5. The PIN has been reset for the selected token.

Connect to the VPN:

  • As of 2018, Cisco AnyConnect is the officially supported VPN client software for the Nettas VPN service (VPNaaS)
  • The Cisco VPN Client and 3rd party VPN clients will work, but are not supported by the Nettas service desk.

 

MobilePASS 8 (Windows/MacOS) Software token:

Note that this assumes the Cisco AnyConnect client is installed and operational on your machine before reaching this point. All screen shots are from Ver 4.x of the Cisco AnyConnect client.

 

 

1. Start the SafeNet token client (Start | All Programs | SafeNet | Tokens | MobilePASS).

2. Enter your token PIN

3. Copy the current passcode or memorise it

4. Open up Cisco AnyConnect (Start Button | Cisco | Cisco AnyConnect Secure Mobility Client).

5. Enter the VPN connection URL: vpn.nettas.com/vpngroupname. Contact your local helpdesk if you do not know your vpngroupname.

6. Enter your username and password. Your password will be the 6 digit number shown in the MobilePASS 8 client you copied earlier.

7. If the password / username and VPN group name are correct, you should be presented with the following window.

8. If password negotiation finishes correctly, you will now be presented with the following window. You are now connected to the Telstra Networking Tasmania VPN.

MobilePASS+ (iOS/Android) Software token:

1. Open up the MobilePASS+ client on your mobile device

2. Enter the PIN for the selected token

3. Copy the passcode or memorise it

4. Open up Cisco AnyConnect (Start Button | Cisco | Cisco AnyConnect Secure Mobility Client).

5. Enter the VPN connection URL: vpn.nettas.com/vpngroupname. Contact your local helpdesk if you do not know your vpngroupname.

6. Enter your username and password. Your password will be the 6 digit number shown in the MobilePASS+ client you copied earlier.

7. If the password / username and VPN group name are correct, you should be presented with the following window.

8. If password negotiation finishes correctly, you will now be presented with the following window. You are now connected to the Telstra Networking Tasmania VPN.

SMS based token:

1. Open up Cisco AnyConnect (Start Button | Cisco | Cisco AnyConnect Secure Mobility Client). Enter the VPN URL vpn.nettas.com/vpngroupname

2. Enter your username and the current OTP code you have received via SMS from your mobile phone. OTP code = PIN + 6 digit token code in the SMS message

3. Example of Tokencode being sent as a SMS to a mobile phone

 

4. If the password / username and VPN group name are correct, you should be presented with the following window.

5. If password negotiation finishes correctly, you will now be presented with the following window. You are now connected to the Telstra Networking Tasmania VPN.

 

KT4 hardware token:

Definition:

Token Code = Challenge response code you get when you press the button on the KT4 hardware token

OTP (One Time Password) = Your unique PIN + challenge response code (e.g. 1234+70880899)

1. Open up Cisco AnyConnect (Start Button | Cisco | Cisco AnyConnect Secure Mobility Client). Enter the VPN URL vpn.nettas.com/vpngroupname

2. Press the button on the KT4 hardware token to get the latest token code

3. Enter your username and the current token code on your KT4 hardware token

4. If the password / username and VPN group name are correct, you should be presented with the following window.

5. If password negotiation finishes correctly, you will now be presented with the following window. You are now connected to the Telstra Networking Tasmania VPN.

Out of sync tokens:

Sometimes your token may become out of sync. To resolve this issue, refer to the method below, to get it back in sync.

SMS tokens:

SMS tokens don’t get out of sync, as they can be easily re-synced by putting in your username in the AnyConnect dialogue box and leaving the password field blank.

1. Enter in your username, but leave password field blank

2. The VPN service will now prompt you for a new authorisation token that has been sent as an SMS to your mobile phone. Enter in the new token and click continue.

3. If you entered in the authorisation token (OTP) correctly, you should now be connected.

Software tokens (MobilePASS 8/MobilePASS+):

All tokens used with the Telstra Networking Tasmania VPN product are working in Quicklog mode. This means that the end user does not have to manually provide a server generated challenge in order to produce a response. The server and the device are in sync so the device is able to produce the next response without user intervention. As a result of this it is possible for a device to become out of sync with the server if a number of responses are generated by the device without using those responses in a successful authentication attempt. Currently a device can produce up to ten responses without providing them in a successful authentication request before it becomes out of sync with the server.

 

If you are using a software token, you will need to log into the self service portal to re-sync:

1. Go to http://sasauth.nettas.com/blackshieldss

2. Enter your unique userid

3. Enter the next two OTPs (token codes) from your software token into the fields displayed. The next passcode can be generated by pressing “next passcode” or “generate passcode”, depending upon which MobilePASS version you are using.

4. Provided that you entered the responses correctly, your software token will now be re-synchronised.
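
The look-ahead window and the two-passcode re-sync described above can be sketched from the server's side as follows. This is an added example, not SAS or Telstra code: the guide does not name the token algorithm, so RFC 4226 HOTP stands in for it, and TokenRecord, LOOKAHEAD, RESYNC_SEARCH and the sample secret are assumptions; PIN checking is left out.

```python
import hashlib
import hmac
import struct

LOOKAHEAD = 10        # guide: up to ten unused responses before the token is out of sync
RESYNC_SEARCH = 1000  # assumed: wider search range, used only by the re-sync step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, standing in for the vendor's token algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one enrolled token (hypothetical structure)."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter value the server expects

    def verify(self, otp: str) -> bool:
        """Accept a passcode only if it falls inside the look-ahead window."""
        for c in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # this passcode and all earlier ones are now dead
                return True
        return False

    def resync(self, otp1: str, otp2: str) -> bool:
        """Re-align the counter using two consecutive passcodes, as the portal asks."""
        for c in range(self.counter, self.counter + RESYNC_SEARCH):
            if (hmac.compare_digest(hotp(self.secret, c), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), otp2)):
                self.counter = c + 2
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # constructed sample secret, not a real seed
    server = TokenRecord(secret)
    n = 12  # device counter after 12 passcodes were generated but never used
    out = {"drifted_accepted": server.verify(hotp(secret, n))}
    a, b = hotp(secret, n + 1), hotp(secret, n + 2)  # the next two passcodes
    out["resynced"] = server.resync(a, b)
    out["after_resync"] = server.verify(hotp(secret, n + 3))
    out["replay_rejected"] = not server.verify(a)
    return out
```

Requiring two consecutive passcodes is what lets the re-sync search far beyond the normal window without making a single guessed passcode more likely to match.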


KT-4 Hardware tokens:

Allow your KT-4 token to power off (wait up to 30 seconds) before generating a new response.

1. Log into the self service portal (as above) and select resync token and enter your VPN username.

2. Enter in the serial number on the back of your KT-4 hardware token.

3. You will now be presented with a challenge response code.

Press and hold the button (approximately 3-4 seconds) on the device until the Init prompt appears, then release the button.

The device will cycle through a series of prompts: Init, LCD Test, Contrast, and ReSync. Press and release the button while ReSync is displayed.

The digits 0 through 9 will be displayed sequentially to the right of the ReSync prompt. For every digit of the resynchronisation challenge provided by the self service portal, press the button to accept the displayed digit. For example, if the resynchronisation challenge is 16278371:

Device Displays     Action
Resync 1            Press Button
16                  Press Button
162                 Press Button
1627                Press Button
16278               Press Button
162783              Press Button
1627837             Press Button
16278371            Press Button
16278371            Press Button

Note that for a short time after each button press a < will appear. If the button is pressed whilst the < is in the display the last digit will be erased.

When the last digit has been selected the display will remain the same (i.e. the digits will cease to cycle). If the digits displayed are the same as the challenge provided then press the button one last time to confirm. The Keychain device will then produce a response.

 

Provide your PIN and that response in the Password field of the self service portal.

 

Your Internet VPN connection will now proceed as per normal and your token will be back in sync with the server. If the time taken to produce the response was too long then the Internet VPN connection may have timed out. In this case just attempt the connection again. Note that only the response generated at this time will allow the resync to take place. If the KT-4 hardware token is allowed to power down and a new response is generated then the resync will be unsuccessful. To avoid this you can press the button whilst the original resync response is still on the display to reset the 30 second idle power off timer, or alternatively you can write the response down as it is only valid for this connection attempt.

If for any reason you are unable to perform the above procedure with the self service portal then you may ask your IT helpdesk to raise a job with Telstra Networking Tasmania Customer Care Center. The Customer Care staff are able to provide the challenge to you over the phone. You will still need access to your KT-4 hardware token or the MobilePASS client software and you will still need to know your PIN.

 

Locked PIN:

A software token will display an Invalid PIN error if an incorrect PIN is entered. You should retry, ensuring that you enter the correct PIN. If you continue to enter incorrect PINs the token will lock. In this case you must contact your IT helpdesk, who will ask the Customer Care Center to provide you with a new PIN.

 

 

Version History

Ver 6.0 28/02/2018 – Rewrote document from scratch. New branding, new product. SAS V3.5.5.
Ver 5.0 04/11/2014 – Pretty big overhaul, still a bit to do as VPN client images are still for the old version
Ver 4.2 16/11/2012 – Added Android, iPhone and SMS token instructions
Ver 4.1 30/10/2012 – Update for BlackShield server migration
Ver 4.0 17/01/2012 – Minor unpublished changes
Ver 3.0 02/05/2008 – Migrated to new website
Ver 2.2 10/12/2007 – Amended KT-1 Resync section
Ver 2.1 18/12/2006 – Amended KT-1 Resync section
Ver 2.0 07/11/2006 – Added instructions on how to delete software token
Ver 1.9 06/11/2006 – Changed location and added PDF download
Ver 1.8 09/10/2006 – Added link to FAQ
Ver 1.7 02/10/2006 – Added notes re plugin not connecting if VPN banner enabled
Ver 1.6 11/09/2006 – Update for version 6.4 CRYPTOCard software
Ver 1.5 14/08/2006 – Minor grammar/spelling corrections
Ver 1.3 11/08/2006 – Removed all reference to UB-1 and RB-1 devices
Ver 1.0 – 1.3 – Initial build