Using Hardware Tokens

Some important token procedures:

Important things to know:

Setting the initial user PIN number

After pressing the "PASS WORD" button to power it on, the token will display the PIN? prompt:

Enter the initial 4 digit PIN number that was distributed with the token, followed by the "ENT" button. The token will then ask for the user's chosen PIN number:

Choose and enter a 4 digit PIN number, followed by the "ENT" button. The token will ask for verification of the chosen PIN number:

Enter the chosen PIN number again, followed by the "ENT" button. The token should display acceptance of the PIN number like this:

Press either the "PASS WORD" (power) button to turn the unit off, ...

... or press the "ENT" button to proceed to your first authentication!

Resetting a forgotten PIN number

If you forget your PIN number, your token needs to be reset. The PIN number is stored inside the token; the token issuers and the central OTP server have no idea what your PIN number is. Contact the NCSA help desk at help@ncsa.uiuc.edu for this.

Resetting a locked token

If you enter more than seven wrong PIN numbers in a row, your token will lock up. If that happens, there is no way for a user to unlock it; your token needs to be re-programmed. Contact the NCSA help desk at help@ncsa.uiuc.edu for this.

Using the token to authenticate

When a One Time Password is needed, turn on the token by pressing the "PASS WORD" (power) button.

Enter your PIN number at the prompt, followed by the "ENT" button. The token will then display an 8 character One Time Password, something like this:

Enter the displayed One Time Password as your password in your login session. If the password prompt is something like "OTP password for user" you do not have to capitalize the password letters. In that case, the above could be entered as "333df93f". In other cases you may have to enter in "333DF93F".

If multiple one time passwords are needed within a short time, the token can provide them by simply pressing the "ENT" button to get each new one time password. Remember that if more than seven passwords are cycled through in the token, without any of them being successfully authenticated by the NCSA OTP RADIUS server, the token will have to be re-synchronized with the database. Do not let your child play with the token after you have entered your PIN number!

If the password fails, some host implementations will display a "Challenge: NNNNNNNN" line and then an "Enter Response:" prompt. Ignore this and press RETURN. In either event, you will be prompted for another one time password. Press the "ENT" button on the token to display the next one time password, and use that password. If that one also fails, and you are fairly certain that you keyed in the correct passwords, the token may be too far out of sequence with the authentication database and need to be re-synchronized with it.

Re-synchronizing a token

Each token generates a unique series of passwords using a mathematical progression. The authentication server knows which passwords will be generated in each token's series. The server only allows each user to "jump ahead" up to ten passwords from the last successfully used password. In other words, if you turn on your token and put in the PIN successfully ten times without using any of the new passwords, the server will no longer allow you to authenticate until you re-synchronize your token. You will know this has happened when you try to log in to an OTP-enabled system and see a "Challenge: NNNNNNNN" response after putting in your password, like this:

$ ssh systemwithotp.ncsa.uiuc.edu
OTP password for user: 12345678
Challenge: 48375946
Enter Response:

Now you need to put the challenge number (in this example 48375946) into your token. Press the "PASSWORD" button to turn off your token. Wait until it turns off, then press the "MENU" button. The token will display a PIN request like this:

Enter your normal PIN number, followed by the "ENT" button. The token should display a "Contrast" prompt like this:

Ignore the Contrast prompt, and press the "MENU" button again. The token should then display the "ReSync" prompt like this:

Press the "ENT" button; the token will then display a blank screen waiting for you to enter the challenge number. Enter the challenge number from your screen (in this example 48375946) followed by the "ENT" button. If you mistype, press the "CLR" button and re-enter the challenge. The "CLR" button clears one character at a time, or it will clear the whole field if held down for more than one second. The token will then display a response code such as this (yes, it's the same picture as before):

Enter the displayed response code into your login screen after the "Enter Response:" prompt. Make sure that any letters are entered as UPPER CASE letters. Your login screen might look like this:

$ ssh systemwithotp.ncsa.uiuc.edu
OTP password for user: 12345678
Challenge: 48375946
Enter Response: 333DF93F

You can press the "PASSWORD" button to turn off your token. If everything worked, your token has been re-synchronized with the server. Some systems will continue with the login normally at that point; others will log you off. If you see another "Challenge:" and "Enter Response:", the re-synchronization failed and you should do the whole sequence over, starting with another login attempt.
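
The look-ahead window described at the start of this section, as an added example that is not NCSA's or the token vendor's code. The HMAC-based password function, the seed and the class names are assumptions standing in for the token's actual algorithm, which this page does not describe; the challenge/response step itself is not modelled.

```python
import hashlib
import hmac
import struct

LOOK_AHEAD = 10  # from the page: the server lets a user jump ahead up to ten passwords

def otp(seed: bytes, counter: int) -> str:
    """8-hex-character password for one counter value (assumed HMAC construction)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return mac[:4].hex().upper()

class Token:
    """Token side: each "ENT" press shows the next password in the series."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press_ent(self) -> str:
        code = otp(self.seed, self.counter)
        self.counter += 1
        return code

class Server:
    """Server side: accepts only passwords inside the look-ahead window."""
    def __init__(self, seed: bytes):
        self.seed, self.next_counter = seed, 0

    def verify(self, candidate: str) -> bool:
        candidate = candidate.upper()  # case-insensitive, like the "OTP password" prompt
        for c in range(self.next_counter, self.next_counter + LOOK_AHEAD):
            if hmac.compare_digest(otp(self.seed, c), candidate):
                self.next_counter = c + 1  # used and skipped passwords are now dead
                return True
        return False  # outside the window: the token must be re-synchronized

def demo() -> dict:
    seed = b"constructed-demo-seed"  # constructed sample value, not a real token seed
    token, server = Token(seed), Server(seed)
    first = token.press_ent()
    out = {"first_login": server.verify(first)}
    for _ in range(5):
        token.press_ent()  # five passwords displayed but never used
    out["after_5_unused"] = server.verify(token.press_ent().lower())
    out["replay_of_first"] = server.verify(first)
    for _ in range(LOOK_AHEAD):
        token.press_ent()  # ten more passwords displayed but never used
    out["after_10_unused"] = server.verify(token.press_ent())
    return out

if __name__ == "__main__":
    print(demo())
```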


If you have any questions, please contact the NCSA help desk at help@ncsa.uiuc.edu.


This page was last modified 10:16:48, September 09, 2005.