[Top] [Table Of Contents] [Prev] [Next] [Index]
9 out of 18 total pages

Installing and Configuring ActivCard 6

ActivCard, Inc. provides an additional level of security in user identification and authentication by using ActivCard tokens to generate codes and ActivEngine software to process the codes. This system of software and hardware authentication is often referred to as ActivCard .

This chapter is an overview of the installation and basic configuration of ActivEngine and ActivAdmin software when used with RADIUS. This chapter includes the following topics:

This information is intended to serve as a quick reference guide for the ActivEngine and ActivAdmin software. Refer to the ActivCard manual set for detailed features of ActivCard and future ActivCard software releases.

Note ¯ Lucent InterNetworking Systems Technical Support does not provide support for ActivEngine and ActivAdmin installation and configuration. See Appendix E, "Contact Information for Third-Party Products," for information on how to contact ActivCard, Inc. Lucent InterNetworking Systems Technical Support provides support for RADIUS when used with ActivCard products only after you have verified that all ActivCard components are working properly.

The ActivCard software version 2.2 has the following requirements:

Solaris 2.4 or Solaris 2.5 platform
Standard UNIX TCP/IP network protocol
5MB free disk space for the ActivEngine software

Recommended disk space is 10MB for the ActivEngine database--necessary size depends on the number of registered tokens and users

Note ¯ ActivEngine software is also supported on Windows NT platforms. RADIUS server 2.1 is currently available only on UNIX platforms.

Overview of ActivCard Components

The ActivCard authentication system (generally referred to simply as ActivCard) consists of the following components:

ActivEngine server
Processes the username (referred to as login ID in ActivCard documentation) and a token-generated dynamic password entered by the user. ActivEngine then authenticates the user and either provides or rejects access to the secured application.
ActivAdmin
Software that initializes, assigns, unlocks, and resynchronizes tokens; manages the ActivEngine database of users and tokens; and applies and revokes access privileges. ActivAdmin includes standard token profiles for Master tokens and for ActivCard server solutions. ActivAdmin functionality includes:
Token
A small, handheld device that generates dynamic (one-time-use) passwords for user authentication. ActivCard tokens can generate dynamic passwords in two modes:

¯ Asynchronous or challenge/response mode. The token generates a dynamic password based on the challenge--issued by the ActivEngine server when the user logs in--entered on the token by the user. The user then enters the password on the UNIX system to complete authentication.

¯ Synchronous mode. The token generates a dynamic password based on its authentication counter. When the user enters this password on the system, the ActivEngine server compares it with the password the server generates based on the authentication counter stored in its database for that token.

ActivCard tokens have an optical interface that enables automated authentication. ActivCard supports several token models with different features, such as secret value extraction, server authentication, and data certification.
ActivCoupler
A device--also known as the Initialization Cradle--that exchanges data between the host UNIX system and an ActivCard token via the machine's serial port. You must use the ActivCoupler to initialize tokens. The ActivCoupler can make it easier for users to access multiple services on a frequent, recurring basis.
ActivEngine API
Client software that submits user's authentication requests to the ActivEngine server. All ActivCard products are integrated with the ActivEngine client API.

How ActivCard Works with RADIUS

Note ¯

To use RADIUS for UNIX version 2.1 with ActivCard, you must run the sradiusd daemon rather than radiusd . If you are using both ActivCard and iPass, contact support@livingston.com .

Determine which token profile to apply to each user needing access to the system or application secured by ActivCard. Use ActivAdmin to do the following:

Initialize user tokens with the token profile
Assign the initialized tokens to users
Store the token data and assignment information in the ActivEngine database

You can install the ActivAdmin and ActivEngine components on the same host or on different hosts as long as the ActivEngine is accessible via TCP/IP.

When ActivCard is used with RADIUS, a connection proceeds as described below. This example assumes you have established a challenge-response keyword, enabling the user to choose between asynchronous and synchronous authentication.

1. A remote user initiates a connection by dialing in to the PortMaster.

2. The PortMaster prompts the user for a username and password.

3. The user enters the username and password.

¯ If the user chooses asynchronous authentication, the password is the challenge-response keyword.

¯ If the user chooses synchronous authentication, the password is a one-time password generated by the token. The user first enters a memorized personal identification number (PIN) on the token and presses the SECRET key on the token keypad. The token, which is synchronized with the ActivEngine, displays the one-time password.

4. The PortMaster forwards the username and password to the RADIUS server for authentication.

5. The RADIUS server examines the users file, scanning for the appropriate username. When the profile is located, it is examined to determine the user's authentication type.

6. When the RADIUS server discovers that the authentication type is ActivCard, it forwards the username and password to the ActivEngine.

7. ActivEngine examines its database for the username and verifies the user's identity based on the password expected for the token.

If the user entered the challenge-response keyword, ActivCard responds with a challenge string. The user enters a memorized personal identification number (PIN) on the token, presses the AUTH key on the token keypad, and enters the challenge. The token generates and displays a one-time password that the user enters to respond to the challenge. ActivEngine evaluates this response to verify the user.

8. ActivEngine sends the result of the database lookup (identity verified or not verified) to the RADIUS server.

9. If the user's identity has been verified by ActivEngine, the RADIUS server sends an access-accept message to the PortMaster with the session configuration information from the RADIUS user profile. If ActivEngine has rejected the user, the RADIUS server sends an access-reject message to the PortMaster.

Installing the ActivEngine Components on a UNIX Host

This section summarizes the steps you perform to install the ActivEngine components. See the ActivEngine for UNIX Systems Installation and Administration Guide for detailed instructions.

1. Determine the following information before beginning installation:

¯ Directory where you want to install ActivEngine. The default directory is /usr/aeg .

¯ ActivEngine identifier--a unique name of up to 20 characters. Valid characters are the lowercase and uppercase alphabets, numerals 0-9, and the underscore (_ ) character.

¯ IP address or Domain Name System (DNS) hostname of the system where you want to install the ActivEngine server. If you do not enter the IP address during installation, the DNS hostname of the current system is used by default.

¯ Port number for authentication client connections. The default port number is 8866.

¯ Port number for administration client connections. The default port number is 8867.

¯ Whether you want the ActivEngine server to start automatically during a system reboot. If you choose automatic start, configure the ActivEngine server for automatic startup mode. Otherwise, the system asks you to extract the secret value each time the system is rebooted. Automatic startup mode is less secure than starting the server after each system reboot.

If you choose not to configure the automatic startup mode during the installation process, you can choose to configure this mode later at any time. Refer to the ActivEngine for UNIX Systems Installation and Administration Guide for more information.

¯ Name of the serial port on the host system to which the ActivCoupler is connected. The default port is /dev/ttya .

2. Connect an ActivCoupler to the system hosting the ActivEngine server.

You initialize the Master token with the ActivCoupler.

3. Install ActivEngine.

See the ActivEngine for UNIX Systems Installation and Administration Guide for instructions.

4. Initialize the ActivEngine database with a Master token and initialize at least one Master token backup.

See the ActivEngine for UNIX Systems Installation and Administration Guide for instructions.

5. Backup the ActivEngine database.

See the ActivEngine for UNIX Systems Installation and Administration Guide for instructions.

6. Use ActivAdmin to initialize end-user tokens with the appropriate token profile.

See the ActivAdmin for UNIX Systems User Guide for instructions. A slot on each token must be assigned to RADIUS.

7. Back up the ActivEngine database.

See the ActivEngine for UNIX Systems Installation and Administration Guide for instructions.

8. Use ActivAdmin to create a user record for each user that is assigned a token.

See the ActivAdmin for UNIX Systems User Guide for instructions.

Note ¯ ActivEngine usernames are case-sensitive.

9. Assign the initialized tokens to users.

See the ActivAdmin for UNIX Systems User Guide for instructions.

10. Distribute the initialized tokens to the authorized users.

Using the ActivEngine Test Utility

You can use the ActivEngine test utility aegtest to do the following:

Verify that the RADIUS for UNIX client application is correctly configured in the ActivEngine database and can connect to the ActivEngine server.
Test asynchronous and synchronous authentication for a token with a specific application.

Refer to the ActivCard, Inc. application note, ActivEngine 2.x for UNIX Systems Test Utility for instructions on using the utility.

RADIUS Configuration for ActivCard

The RADIUS server requires minimal configuration after you have installed the ActivCard software.

1. From the ActivCard software distribution, copy the file config.aeg.example to the /etc/raddb directory on the RADIUS server host.

2. Rename the file config.aeg.

RADIUS uses the parameters described in /etc/raddb/config.aeg to connect to the ActivCard server.

3. Specify the ActivEngine configuration parameters in the config.aeg file.

4. Specify Auth-Type = ActivCard as a check item for all users to be authenticated with ActivCard.

5. Run sradiusd.

If you are using ActivCard authentication, you cannot run radiusd .

Example config.aeg File

The text of an example config.aeg file is presented below. The comments explain the parameters that you specify in the file. Substitute values relevant to your installation for the values appearing in the parameters.

# Rename this file to config.aeg after installing new ActivCard server

# -----------------------------------------------------------------

# This file contains the configuration information necessary for the

# RADIUS server to connect to the ActivEngine, which is the

# ActivCard Authentication Server.

# -----------------------------------------------------------------

# ACTIVCARD_APPLICATION: APPLICATION_ID

# ActivCards contain up to four slots. Each slot contains a set

# of independent DES keys and parameters, so that in practice an

# ActivCard is equivalent to four «Tokens». Each of those «Tokens»

# is called a slot and can be used to authenticate through an application

# to a distinct ActivEngine. The concept that the ActivEngine uses to

# decide which slot is to be used to verify a dynamic password (ultimately

# which key among the set of keys stored for this token) is

# the «Application»: Application (Server) -> Slot (Token)

# The following specifies the application to be used to determine the

# token slot associated with RADIUS authentication requests from

# the RADIUS server.

# -----------------------------------------------------------------

ACTIVCARD_APPLICATION: RADIUS

# -----------------------------------------------------------------

# ACTIVCARD_CHALLENGE: challenge_request_keyword

# The ActivCards support simultaneously two authentication codes

# for each given slot. One is a patented time/event synchronous mode

# in which the user just types the one-time password displayed by his token

# instead of the static vulnerable password he was used to. The other is

# the standard X9.9, challenge/response mode.

# ActivCard's users can choose which mode they want to use by

# typing a keyword at the RADIUS password prompt:

# login: sam

# password: challenge_request_keyword

# Upon reception of this keyword the ActivCard component embedded in the

# RADIUS server will switch to challenge/response mode and issue a

# challenge (a very good quality random number), and the user will be

# prompted for a dynamic password:

# login: sam

# password: challenge_request_keyword

# Challenge/Response Authentication requested...

# Challenge: 12345678

# Response:

# The user has to type the challenge into his token and type at the prompt

# the dynamic password produced by the token for that challenge.

# -----------------------------------------------------------------

ACTIVCARD_CHALLENGE: challenge

# -----------------------------------------------------------------

# ACTIVCARD_HOST: 192.168.15.60

# The following parameter indicates the ip address of the machine where the

# ActivEngine is located.

# -----------------------------------------------------------------

ACTIVCARD_HOST: 192.168.15.60

# -----------------------------------------------------------------

# ACTIVCARD_AUTHPORT: 8866

# The following parameter specifies the port to which the ActivEngine

# will be listening for authentication requests.

# -----------------------------------------------------------------

ACTIVCARD_AUTHPORT: 8866

# -----------------------------------------------------------------

# ACTIVCARD_SESSTIMEOUT: 25

# This parameter specifies the timeout value to use when the RADIUS

# server connects to the ActivEngine.

# -----------------------------------------------------------------

ACTIVCARD_SESSTIMEOUT: 25

# -----------------------------------------------------------------

# ACTIVCARD_SECPOLICY: 0

# This parameter specifies which type of connection will be established

# with the ActivEngine: 0(NEGOTIATE), 1(ENCRYPTED), 2(NON-ENCRYPTED).

# The ActivEngine client component and its server counterpart can establish

# a secure channel based on a Diffie-Hellman key exchange.

# -----------------------------------------------------------------

ACTIVCARD_SECPOLICY: 0

# -----------------------------------------------------------------

# ACTIVCARD_PUBKEY:

# The ActivEngine Diffie-Hellman public key used to establish a secure

# channel between the RADIUS server and the ActivEngine.

# At the time of installation of the ActivEngine, a distribution file called

# «aeg.dis» is generated. It contains the information necessary to

# establish the connection to the ActivEngine as well as the value of the

# public key of the ActivEngine

# -----------------------------------------------------------------

ACTIVCARD_PUBKEY: 4807E...get this from the ActivEngine distribution file.

Troubleshooting ActivCard

Refer to your ActivCard manuals for information on troubleshooting ActivCard. If you still have problems after trying these solutions, see Appendix E, "Contact Information for Third-Party Products," for information on how to contact ActivCard, Inc.

[Top] [Table Of Contents] [Prev] [Next] [Index]
9 out of 18 total pages

spider@livingston.com