7 Installing and Configuring SecurID


  Security Dynamics Technologies, Inc. provides an additional level of security in user identification and authentication by using SecurID tokens to generate codes and ACE/Server software to process the codes. This software and hardware authentication system is often referred to as SecurID.
  This chapter is an overview of the installation and basic configuration of ACE/Server and ACE/Client software when used with RADIUS. This chapter includes the following topics:

  - Overview of SecurID Components
  - How SecurID Works with RADIUS
  - ACE/Server Installation on a UNIX Host
  - Administering ACE/Server with sdadmin
  - Authenticating with sdshell
  - RADIUS Configuration for SecurID
  - PIN Assignment
  - Entering an Invalid Token Code
  - Troubleshooting SecurID

  This information is intended to serve as a quick reference guide for the ACE/Server and ACE/Client software. Certain terms used in this chapter--such as tokencode, PASSCODE, master server, and slave server--are taken from the Security Dynamics documentation. Refer to the Security Dynamics manual set for detailed features of SecurID and future ACE/Server software releases.

  Note: Lucent InterNetworking Systems Technical Support does not provide support for the ACE/Server and ACE/Client installation and configuration. See Appendix E, "Contact Information for Third-Party Products," for information on how to contact Security Dynamics, Inc. Lucent InterNetworking Systems Technical Support provides support for RADIUS when used with ACE/Server and SecurID only after you have verified that the ACE/Server is working properly.

  The ACE/Server and ACE/Client software version 2.3 is supported on the following platforms:
  Additionally, the ACE/Server software is supported on Windows NT platforms. RADIUS server 2.1 is currently available only on UNIX platforms.
 

       Overview of SecurID Components

  The Security Dynamics authentication system (generally referred to as SecurID) consists of the following components:
 

       How SecurID Works with RADIUS

  Note: To use RADIUS for UNIX version 2.1 with SecurID, you must run the sradiusd daemon rather than radiusd. If you are using both SecurID and iPass, contact support@livingston.com.

  When SecurID is used with RADIUS, a connection proceeds as follows:

  1. A remote user initiates a connection by dialing in to the PortMaster.

  2. The PortMaster prompts for the user's username and password.

  3. The user enters a username. At the password prompt, the user enters a PASSCODE (PIN followed by the currently displayed number on the token).

  4. The PortMaster forwards this information to the RADIUS server for authentication.

  5. The RADIUS server examines the users file, scanning for the appropriate username. When the profile is located, it is examined to determine the user's authentication method.

  6. When the RADIUS server discovers that the authentication method is SecurID, it forwards the username and PASSCODE to the ACE/Server for authentication.

  7. The ACE/Server examines its database for the username and serial number of the user's token. It uses the serial number to verify the PASSCODE entered by the user. It also verifies that the time on the token is synchronized with the ACE/Server.

  8. The ACE/Server sends the result of the database lookup (identity verified or not verified) to the RADIUS server.

  9. If the user's identity was verified by the ACE/Server, the RADIUS server sends an access-accept message to the PortMaster along with the additional information from the RADIUS user profile. If the ACE/Server rejected the user's PASSCODE, the RADIUS server sends an access-reject message to the PortMaster.

 

       ACE/Server Installation on a UNIX Host

  The SecurID software package consists of a number of applications and utilities. This section provides guidelines for the installation and use of version 2.3 of ACE/Server and ACE/Client, and the sdadmin utility. This is not a complete explanation of all SecurID requirements or procedures. Refer to the appropriate Security Dynamics documentation for information on other versions of ACE software.
  The master ACE/Server handles the authentication requests passed on to it by the RADIUS server configured as an ACE/Client. The master and client software can be installed on the same host.
  You can increase the reliability of the authentication process if you configure the ACE/Client and an ACE/Server slave on a separate host or hosts from the ACE/Server master. In the event the host for the ACE/Server master goes down, the ACE/Server slave handles the authentication requests from the ACE/Client.
  These instructions cover the following:
  This is not a complete explanation of all SecurID requirements or procedures. If you are upgrading an older ACE/Server installation previous to version 2.3, you must read the ACE/Server v 2.3 for UNIX Administration Manual from Security Dynamics for instructions.

  Note: Read the ACE/Server v 2.3 Installation Guide before beginning installation.

  SecurID software is not shipped with the PortMaster. To order this software, see Appendix E, "Contact Information for Third-Party Products."
 

       Getting Started

  The server on which SecurID is installed has the following requisites. See the ACE/Server v 2.3 Installation Guide for more information. These requirements are for SecurID alone, and do not reflect the requirements for RADIUS.
  Security Dynamics recommends 32MB of physical memory. The minimum memory feasible for SecurID is 16MB.
  Security Dynamics recommends 1GB of disk space. The minimum feasible disk space for SecurID is 400MB. At least 20 percent of the free disk space must be reserved for ACE/Server database growth.
  The ACE/Server's primary hostname--bootname--must be the first name in any list of aliases for that machine if you are using a name service such as NIS or DNS.
  Your system's kernel configuration values must be set at or above the minimums specified by Security Dynamics. Table 7-1 shows the values in /etc/system  for systems running Solaris. If you are running HP-UX, AIX, or SunOS 4.1.4, refer to the ACE/Server v 2.3 Installation Guide. Refer to your operating system's manuals for instructions on setting these values.

  Table 7-1 Solaris Minimum Kernel Configuration Values

  Parameter                  Minimum Value
  shmsys:shminfo_shmmni      100
  shmsys:shminfo_shmseg      16
  shmsys:shminfo_shmmax      4194304
  semsys:seminfo_semmni      64
  semsys:seminfo_semmsl      50
  semsys:seminfo_semmns      100
  semsys:seminfo_semmnu      100
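  As an added pre-installation check (example code written for this page, not part of the ACE/Server or RADIUS software), the following parses a Solaris /etc/system file and reports any Table 7-1 parameter that is missing or below the Security Dynamics minimum. The sample file contents are constructed.

```python
# Added example, not part of the ACE/Server software: pre-installation check
# of a Solaris /etc/system against the Table 7-1 minimums.

# Table 7-1 Solaris minimum kernel configuration values for ACE/Server 2.3
MINIMUMS = {
    "shmsys:shminfo_shmmni": 100,
    "shmsys:shminfo_shmseg": 16,
    "shmsys:shminfo_shmmax": 4194304,
    "semsys:seminfo_semmni": 64,
    "semsys:seminfo_semmsl": 50,
    "semsys:seminfo_semmns": 100,
    "semsys:seminfo_semmnu": 100,
}

def parse_etc_system(text):
    """Return {parameter: int} from 'set name=value' lines.

    Lines starting with '*' are /etc/system comments. Values may be decimal
    or 0x-prefixed hex. A later 'set' for the same name overrides an earlier one.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set ") or "=" not in line:
            continue
        name, value = line[4:].split("=", 1)
        name, value = name.strip(), value.strip()
        try:
            values[name] = int(value, 16) if value.lower().startswith("0x") else int(value)
        except ValueError:
            continue       # non-numeric setting, not one of the Table 7-1 values
    return values

def check_minimums(text, minimums=MINIMUMS):
    """Parameters that are absent or below the minimum, with the reason."""
    values = parse_etc_system(text)
    problems = {}
    for name, minimum in minimums.items():
        actual = values.get(name)
        if actual is None:
            problems[name] = "not set (Solaris default applies; verify it)"
        elif actual < minimum:
            problems[name] = f"{actual} is below the minimum {minimum}"
    return problems

# Constructed sample: shmmax given in hex, semmsl too low, semmnu missing.
SAMPLE_ETC_SYSTEM = """\
* constructed sample /etc/system
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=16
set shmsys:shminfo_shmmax=0x400000
set semsys:seminfo_semmni=64
set semsys:seminfo_semmsl=25
set semsys:seminfo_semmns=100
"""
```

  A parameter that is not set takes the Solaris default, which may or may not meet the minimum, so the check reports it for manual verification rather than assuming a value.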
  The SecurID authentication service has a default name of securid and default port number of 5500. The SecurID master/slave communication service has a default name of securidprop and default port number of 5510. The sdsetup utility adds the SecurID UDP and TCP service names and port numbers to the /etc/services file.

  securid 5500/udp #ACE/Server

  securidprop 5510/tcp #ACE/Server Slave

  If you are using NIS or NIS+, you must also add these entries to the services NIS map on your NIS master and push the maps.

  securid 5500/udp #ACE/Server

  securidprop 5510/tcp #ACE/Server Slave

  Pushing the maps updates the database to include recently entered information. Use the make services  command on the NIS master. For details, consult your UNIX system documentation.
 

       Installing ACE/Server and Client Software on a UNIX Host

  The RADIUS 2.x server is compatible with ACE/Server versions 2.3 and higher. To install ACE/Server and ACE/Server client, complete the following steps:

  1. Log in as root.

  2. Read the ACE/Server tape into the ace_install directory of the ACE/Server machine.

  ACE/Server installs its software using the sdsetup  utility.

  3. Run sdsetup to install ACE/Server.

  Note: The sdsetup utility cannot be run while the sdconnect process or the aceserver daemon is running. Stop these processes before attempting to run sdsetup.

  ace_install/sdsetup

  Several options can be used with sdsetup . See the ACE/Server v 2.3 Installation Guide for more information.

  The ACE/Server software is typically installed on the same machine as the RADIUS server. To run ACE/Server on a different machine, you must configure the RADIUS server as an ACE/Server slave. See the ACE/Server v 2.3 Installation Guide for instructions on configuring the ACE/Server slave.

  4. Continue to install the ACE/Server client software using sdsetup.

  Complete instructions are given in the ACE/Server v 2.3 Installation Guide.

 

       Administering ACE/Server with sdadmin

  ACE/Server includes the sdadmin administration utility. Using sdadmin, you can add and delete users, assign PINs and tokens, and monitor network activity. You can run sdadmin in GUI (the default) or character mode.
  To use sdadmin, complete the following steps:

  1. Ensure that you are in the directory that contains the ACE/Server files.

  By default, ACE/Server software is installed in the /usr/ace  directory.

  2. Start the database broker (sdconnect) as root:

  /usr/ace/sdconnect start

  To stop the database broker, use the sdconnect stop command.

  3. Start the ACE/Server daemon using the following command:

  /usr/ace/aceserver start

  To stop ACE/Server, use the aceserver stop command.

  4. Add the following lines to /etc/rc.local or equivalent boot file of your UNIX system.

  if [ -x /usr/ace/aceserver ]; then
      /usr/ace/aceserver stop
      /usr/ace/sdconnect stop
      /usr/ace/sdconnect start
      /usr/ace/aceserver start
  else
      echo "Cannot start aceserver"
  fi

  These lines automatically start the ACE/Server processes sdconnect and aceserver after the host is rebooted.

  5. Run sdadmin in GUI or character mode.

  Character mode requires the -c option:

  /usr/ace/sdadmin &

  or

  /usr/ace/sdadmin -c &

  To run sdadmin in GUI mode, the host's window environment must be an implementation of X11R5 or later. If you are running SunOS, Sun OpenWindows is an X11R4 implementation, and you must therefore install the X11R5 kit shipped with the ACE/Server software. See the ACE/Server v 2.3 Installation Guide for instructions.

  6. Using the instructions in the ACE/Server v 2.3 for UNIX Administration Manual, create the client, add users to the database, activate users on the client, and assign tokens to the users.

  7. Choose a method of PIN assignment using the instructions for PIN administration in the ACE/Server v 2.3 for UNIX Administration Manual.

  Note that you can assign PINs using RADIUS.

 

       Authenticating with sdshell

  You specify which users are required to authenticate with SecurID by modifying their entries in the /etc/passwd file. Change the shell specification--typically /bin/sh or /bin/csh--to /usr/ace/prog/sdshell. This modification is applicable to all UNIX clients except for AIX clients that do not use a name service such as DNS or NIS. For AIX clients that do not use a name service, substitute sdshell_auth for the sdshell authentication shell.
  You can configure PIN assignments so that users must create their own PINs, must use PINs generated by the system, or can choose whether to create a PIN or use one provided to them. The default mode is to enable the user to select either a user-created or system-generated PIN. See the PIN administration information in the ACE/Server v 2.3 for UNIX Administration Manual for configuration instructions.
  If a user has forgotten her PIN, or you believe the PIN to be compromised, you must change the PIN for that token by setting the token into New PIN mode and clearing the old PIN.
  If the authentication shell has been specified, the following prompts appear on the user's screen after the user logs in to the system:

  Enter PASSCODE:

  Press <Return> to generate a new PIN and display it on the screen,
  or
  Ctrl d to leave your token in New PIN mode:
  ARE YOU PREPARED TO HAVE THE SYSTEM GENERATE A PIN? (y or n) [n]: y

  Your screen will automatically clear in 10 seconds.
  Your new PIN: XXXX

  Wait for the code on your token to change, then log in with the new PIN
  Enter PASSCODE:
  PASSCODE Accepted

  The authentication shell instructs the user to enter a new PIN or press Return to have a PIN automatically generated. In this example, the user has a PIN generated for her.
  If the user's new PASSCODE is accepted, communication between the ACE/Server client and server is successful.


 

       RADIUS Configuration for SecurID

  Each SecurID user must have a profile in the RADIUS users file or must use a DEFAULT profile. In the profile, the Auth-Type check item must be SecurID, as shown in the following example:

  DEFAULT Auth-Type = SecurID
          Service-Type = Framed-User,
          Framed-Protocol = PPP,
          Framed-Address = 255.255.255.254,
          Framed-Routing = None,
          Framed-MTU = 1500

  To activate and assign tokens to users authenticated with this DEFAULT profile, use the sdadmin utility, as discussed under "Administering ACE/Server with sdadmin" on page 7-7.
  When user bob dials in to the PortMaster, the following prompts are displayed:

  login: <enter username>

  Password: <enter PIN number followed by a token code>
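  An added example, not code from the RADIUS distribution: a parser for the users file format shown above, with the profile lookup and Auth-Type check that steps 5 and 6 of "How SecurID Works with RADIUS" describe. The sample users file and the user alice are constructed.

```python
# Added example (not from the RADIUS distribution): parse the users file
# format shown above and perform the lookup from steps 5 and 6.

def _parse_items(s):
    """Split 'Attr = Value, Attr = Value' into a dict (quoted commas not handled)."""
    items = {}
    for part in s.split(","):
        if "=" in part:
            attr, value = part.split("=", 1)
            items[attr.strip()] = value.strip()
    return items

def parse_users_file(text):
    """Return a list of (name, check_items, reply_items) in file order.

    An entry starts with an unindented line: the name followed by its check
    items. Indented continuation lines carry the reply items, each ending in
    a comma except the last. Blank lines and '#' comments are ignored.
    """
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":                   # start of a new entry
            parts = raw.strip().split(None, 1)
            name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            current = (name, _parse_items(rest), {})
            entries.append(current)
        elif current is not None:                 # reply items for the entry
            current[2].update(_parse_items(raw))
    return entries

def lookup_profile(entries, username):
    """First entry named for the user, else DEFAULT (step 5); None if neither."""
    for entry in entries:
        if entry[0] in (username, "DEFAULT"):
            return entry
    return None

def auth_method(entries, username):
    """Auth-Type the RADIUS server will use (step 6); SecurID means forward to ACE/Server."""
    entry = lookup_profile(entries, username)
    return entry[1].get("Auth-Type") if entry else None

# Constructed sample: one System-authenticated user plus the DEFAULT profile.
USERS_FILE = """\
# constructed sample users file
alice   Auth-Type = System
        Service-Type = Login-User

DEFAULT Auth-Type = SecurID
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-MTU = 1500
"""
```

  Entries are matched in file order, so a DEFAULT entry placed before a named entry would shadow it; keep DEFAULT last.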

 

       PIN Assignment

  When a new user is added to the ACE/Server database, a token is assigned to the user. How the authentication is completed depends on how you have specified PIN generation. You can require the ACE/Server to generate PINs for all users, you can force all users to provide their own PINs, or you can enable specified users to choose the generation method.
  Newly added users provide their PINs in New PIN mode. You can also force other users into New PIN mode if they have forgotten their PINs or if an attacker has learned their PINs.
  A user in New PIN mode can create the PIN using RADIUS when dialing in to the network. Refer to information on PIN administration in the ACE/Server v 2.3 for UNIX Administration Manual for more information on New PIN mode.
  When a user in New PIN mode is forced to create a PIN via RADIUS, the user is prompted to enter a new PIN:

  login: bob
  Password: xxxxx
  Enter PASSCODE: <token code>
  Enter your new PIN, containing 4 to 8 digits,
  or
  <Ctrl d> to cancel the new PIN procedure:

  In this example, when user bob dials in to the network, he logs in with his username and UNIX password. When prompted for the PASSCODE--a PIN followed by the token code--bob enters the token code displayed on his SecurID device. The PortMaster sends an access-request to the RADIUS server. The ACE/Server searches its database and recognizes user bob as a New PIN mode user. It sends an access-challenge to the PortMaster, and bob is prompted to enter a new PIN.
  After bob enters his new PIN, the RADIUS server responds with the following message:

  Please re-enter new PIN:
  Wait for the code on your token to change, then log in with the new PIN
  Enter PASSCODE:
  PASSCODE accepted

  User bob re-enters the new PIN. After a few seconds, the token code on his SecurID device changes. User bob enters the PIN and the token code, and is authenticated. For subsequent logins, bob enters his PIN followed by the currently displayed token code when prompted for the PASSCODE.
  When you specify that the PIN is generated by the system, the user is prompted to initiate PIN generation. The new PIN is displayed on the screen for the user to memorize.

  Note: The system-generated PIN appears for only 10 seconds. After the PIN disappears, it cannot be viewed again.

  In the following example, keiko logs in with her username and UNIX password for the first time. When prompted for the PASSCODE--a PIN followed by the token code--keiko enters the token code displayed on her SecurID device.

  login: keiko
  Password:
  Enter PASSCODE: <token code>
  Press <Return> to generate a new PIN and display it on the screen,
  or
  <Ctrl d> to leave your token in New PIN mode:
  ARE YOU PREPARED TO HAVE THE SYSTEM GENERATE A PIN? (y or n) (n): y

  When prompted, keiko indicated that she wants the system to generate her PIN. As shown in the following example, the PIN is displayed, and keiko is prompted to enter the new PASSCODE.

  Your screen will automatically clear in 10 seconds.
  Your new PIN: NNNNN
  Wait for the code on your token to change, then log in with the new PIN
  Enter PASSCODE:
  PASSCODE Accepted.

  For subsequent logins, keiko enters her system-generated PIN followed by the currently displayed token code when prompted for the PASSCODE.
 

       Entering an Invalid Token Code

  If a user enters a valid PIN and an invalid token code, the token goes into Next Tokencode mode. The user is prompted to enter the next code from the token. This prompt also appears if the user's token is not synchronized with the ACE/Server.
  The user must wait until the token code changes and then enter the new token code number at the prompt. After the system verifies the second token code, the user is authenticated.
  If an unauthorized user enters a stolen PIN followed by a guessed token code, the person is given three opportunities to enter the correct token code. If three invalid token codes are entered, the unauthorized user is disconnected.
  In the following example, paolo has entered a valid PIN followed by an invalid token code. The prompt appears, indicating that paolo's token is not synchronized with the ACE/Server, or that paolo has entered an invalid token code. User paolo must wait for 60 seconds for a new token code and then must enter this code at the prompt. In this example, paolo has entered the next code and it has been accepted.

  login: paolo
  Password: <PIN number followed by invalid token code>
  Please Enter the Next Code from Your Token: <PIN number followed by next valid token code>
  PASSCODE Accepted
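  An added example, not Security Dynamics code: a simplified model of the ACE/Server decisions this chapter describes (New PIN mode, Next Tokencode mode, and disconnection after three invalid token codes), covering the flows in "How SecurID Works with RADIUS", "PIN Assignment" and this section. The Token class is a constructed stand-in that steps through a fixed list of codes, not the SecurID algorithm.

```python
from dataclasses import dataclass

@dataclass
class Token:
    # Constructed stand-in for a SecurID token: a fixed list of codes; advance()
    # plays the role of the 60-second code change. Not the SecurID algorithm.
    codes: list
    pos: int = 0
    def current(self):
        return self.codes[self.pos]
    def advance(self):
        self.pos += 1

@dataclass
class UserRecord:
    token: Token
    pin: str = ""           # empty PIN means the token is in New PIN mode
    bad_codes: int = 0      # consecutive invalid token codes with a valid PIN

class AceServer:
    """Simplified model of the ACE/Server decisions described in this chapter.
    Results map to RADIUS replies: accept -> access-accept, reject ->
    access-reject, new-pin / next-tokencode -> access-challenge."""
    MAX_BAD_CODES = 3

    def __init__(self, users):
        self.users = users

    def verify(self, user, passcode):
        rec = self.users.get(user)
        if rec is None:
            return "reject"
        if not rec.pin:     # New PIN mode: the user entered only the token code
            return "new-pin" if passcode == rec.token.current() else "reject"
        pin, code = passcode[:len(rec.pin)], passcode[len(rec.pin):]
        if pin != rec.pin:
            return "reject"
        if code == rec.token.current():
            rec.bad_codes = 0
            return "accept"
        rec.bad_codes += 1
        if rec.bad_codes >= self.MAX_BAD_CODES:   # third bad code: disconnected
            rec.bad_codes = 0
            return "reject"
        return "next-tokencode"   # "Please Enter the Next Code from Your Token"

    def set_new_pin(self, user, pin):
        # New PIN procedure: the PIN must contain 4 to 8 digits.
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            return "reject"
        self.users[user].pin = pin
        return "accept"
```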

 

       Troubleshooting SecurID

  Refer to your SecurID manuals for information on troubleshooting SecurID. If you still have problems after trying these solutions, see Appendix E, "Contact Information for Third-Party Products," for information on how to contact Security Dynamics, Inc.

Copyright © 1999, Lucent Technologies. All rights reserved.