SAS INTERNET VPN – FULL GUIDE (NEW)
Instructions for installing, configuring and running the Cisco Internet VPN client software and the SAS end user software (MobilePASS+) and devices for use with the Telstra NTP Internet VPN service (VPNaaS).
Ver 6.0 01/03/2018
Table of Contents
- Install the Cisco AnyConnect VPN Client
- Enroll a new MobilePASS+ / MobilePASS 8 Software token
- Enroll a new KT4 hardware token
- Change Initial PIN/Reset PIN/Token Maintenance
- Connect to the VPN
- Out of sync tokens
- Locked PIN
If you have been allocated a new MobilePASS+ (iOS/Android) software token then you need to:
If you have been allocated a new MobilePASS 8 (Windows , MacOS) software token then you need to:
- Install the Cisco AnyConnect VPN Client
- Mobile Pass 8 install process (Windows/MacOS)
- Connect to MobilePASS 8 (Windows/MacOS) Software token
If you have been allocated a new KT4 hardware token then you need to:
- Install the Cisco AnyConnect VPN Client
- Change the KT4 hardware token PIN (SAS self service portal)
- Connect to the VPN with a KT4 hardware token
If you have been allocated a new SMS token then you need to:
Install the Cisco AnyConnect VPN Client
Follow the instructions in the Cisco AnyConnect SSL Internet VPN guide
The end user software token client software is obtained via a link provided during the enrollment process. Depending upon whether you are installing the software token on a mobile device or PC workstation, you should open up the activation e-mail on that specific device. This will determine which type of software client you will install (Windows/iOS/Android/OSX etc). There is no need to download this software from any other site prior to installing a new software token on a .
Locate the email that Telstra Networking Tasmania will have sent to the email address provided by your IT helpdesk. This will be sent only from firstname.lastname@example.org.
Mobile Pass 8 supported operating systems: (Windows 7, 8.1, 10, Mac OSX 10.10,10.11,10.12,10.13)
- Click on the URL link provided to start the Enrollment process.
- Click on the “Download MobilePASS Installer” link and run the .msi file.
- Follow the below steps to install the software onto your PC (in this case Windows)
- Now register your unique token in the client software.
MobilePASS+ (iOS) Install:
If you have any problems with the token software and/or the token installation itself, then you should contact your IT Helpdesk who will in turn contact Telstra Networking Tasmania to have a new self enrollment email sent.
- Telstra Networking Tasmania currently deploy the KT4 keychain token as its hardware token solution.
- With the higher uptake of software tokens on smartphones, the popularity of the hardware token has decreased, but is still offered as an option to customers.
- KT4 tokens have replaceable batteries, so if the token is faulty or the screen does not show any digits – please log a call with your local IT Helpdesk who will in turn contact the Telstra Networking Tasmania Customer Care Center for a replacement.
Change Initial PIN/Reset PIN/Token Maintenance
Changing an initial PIN is only applicable to KT4 hardware tokens. Software and SMS token initial PIN’s are changed during the enrollment process. The very first time that you attempt to generate a challenge-response (OTP) you will be asked to change the initial PIN to one of your own choosing. The new PIN must contain only digits, be a minimum of 3 digits and not be trivial (eg 11111, or 12345 etc).
You must remember this PIN whilst ensuring that you follow your own agencies procedures for the secure handling of authentication information. Telstra NTP and your IT helpdesk are unable to view an unknown PIN. If you enter an incorrect PIN too many times (currently set at seven times) then the token will lock and you will be unable to use it. In this case you can use the self-service portal below to change your PIN number, or you can contact the Nettas service desk to help you.
There are a number of ways to reset pin numbers on a variety of platforms, including:
- Software Token client (MobilePASS 8 / MobilePASS +)
- SAS self service portal (All token types)
For the MobilePASS 8 Software token the initial PIN is changed during the initial Eerollment process. To change a user selected PIN start the SafeNet token client (Start| All Programs | SafeNet | Tokens | Token) and then select Tools | Change PIN.
For MobilePASS+ , open up the application in your iOS or Android phone.
In this instance screenshots from iOS are provided:
You may change your PIN at any time on a software/SMS or KT4 hardware token by going to the SAS self service portal:
Follow the process to reset your pin on either a hardware or SMS based token:
- As of 2018, Cisco AnyConnect is the officially supported VPN client software for the Nettas VPN service (VPNaaS)
- Cisco VPN Client and 3rd party VPN client will work, but are not supported by the Nettas service desk.
Note that this assumes the Cisco AnyConnect client is installed and operational on your machine before reaching this point. All screen shots are from Ver 4.x of the Cisco AnyConnect client.
5. If password negotiation finishes correctly, you will now be presented with the following window. You are now connected to the Telstra Networking Tasmania VPN.
Token Code = Challenge response code you get when you press button on KT4 hardware token
OTP (One Time Password) = Your unique PIN + challenge response code (i.e. 1234+70880899)
Sometimes your token may become out of sync. To resolve this issue, refer to the method below, to get it back in sync.
SMS tokens don’t get out of sync, as they can be easily re-synced by putting in your username in the AnyConnect dialogue box and leaving the password field blank.
All tokens used with the Telstra Networking Tasmania VPN product are working in Quicklog mode. This means that the end user does not have to manually provide a server generated challenge in order to produce a response. The server and the device are in sync so the device is able to produce the next response without user intervention. As a result of this it is possible for a device to become out of sync with the server if a number of responses are generated by the device without using those responses in a successful authentication attempt. Currently a device can produce up to ten responses without providing them in a successful authentication request before it becomes out of sync with the server.
If you are using a Software token click you will now need to log into the self service portal to re-sync:
Allow your KT-4 token to power off (wait up to 30 seconds) before generating a new response.
Press and hold the button (approximately 3-4 seconds) on the device until the Init prompt appears, then release the button.
The device will cycle through a series of prompts: Init, LCD Test, Contrast, and ReSync. Press and release the button while ReSync is displayed.
The digits 0 through 9 will be displayed sequentially to the right of the ReSync prompt. For every digit of the resynchronization challenge provided by the self service , press the button to accept the displayed digit. For example, if the resynchronisation challenge is 16278371;
|Resync 1||Press Button|
Note that for a short time after each button press a < will appear. If the button is pressed whilst the < is in the display the last digit will be erased.
When the last digit has been selected the display will remain the same (i.e. the digits will cease to cycle). If the digits displayed are the same as the challenge provided then press the button one last time to confirm. The Keychain device will then produce a response.
Provide your PIN and that response in the Password field of the self service portal
Your Internet VPN connection will now proceed as per normal and your token will be back in sync with the server. If the time taken to produce the response was too long then the Internet VPN connection may have timed out. In this case just attempt the connection again. Note that only the response generated at this time will allow the resync to take place. If the KT-4 hardware token is allowed to power down and a new response is generated then the resync will be unsuccessful. To avoid this you can press the button whilst the original resync response is still on the display to reset the 30 second idle power off timer, or alternatively you can write the response down as it is only valid for this connection attempt.
If for any reason you are unable to perform the above procedure with the self service portal then you may ask your IT helpdesk to raise a job with Telstra Networking Tasmania Customer Care Center. The Customer Care staff are able to provide the challenge to you over the phone. You will still need access to your KT-4 hardware token or the MobilePASS client software and you will still need to know your PIN.
A Software token will display a Invalid PIN error if an incorrect PIN is entered. You should retry ensuring that you enter the correct PIN. If you continue to enter incorrect PIN’s the token will lock. In this case you must contact your IT helpdesk who will ask the Customer Care Center to provide you with a new PIN.
Ver 6.0 28/02/2018 – Rewrote document from scratch. New branding , new product. SAS V3.5.5 .
Ver 5.0 04/11/2014 – Pretty big overhaul, still a bit to do as VPN client images are still for the old version
Ver 4.2 16/11/2012 – Added Android, iPhone and SMS token instructions
Ver 4.1 30/10/2012 – Update for BlackShield server migration
Ver 4.0 17/01/2012 – Minor unpublished changes
Ver 3.0 02/05/2008 – Migrated to new website
Ver 2.2 10/12/2007 – Ammended KT-1 Resync section
Ver 2.1 18/12/2006 – Ammended KT-1 Resync section
Ver 2.0 07/11/2006 – Added instructions on how to delete software token
Ver 1.9 06/11/2006 – Changed location and added PDF download
Ver 1.8 09/10/2006 – Added link to FAQ
Ver 1.7 02/10/2006 – Added notes re plugin not connecting if VPN banner enabled
Ver 1.6 11/09/2006 – Update for version 6.4 CRYPTOCard software
Ver 1.5 14/08/2006 – Minor grammer/spelling corrections
Ver 1.3 11/08/2006 – Removed all reference to UB-1 and RB-1 devices
Ver 1.0 – 1.3 – Initial build