This chapter is an overview of the installation and configuration of SecurID when used with RADIUS 2.0. It serves as a quick reference guide for the ACE/Server and ACE/Client software. Refer to the Security Dynamics manual set for future ACE/Server software releases and detailed features of SecurID.
Note - Livingston Technical Support does not provide support for the ACE/Server and ACE/Client installation and configuration. Please contact Security Dynamics Technical Support at (617) 547-7820. Livingston Technical Support provides support for RADIUS when used in conjunction with SecurID after the sdshell utility has verified that the ACE/Server is working properly.
The ACE/Server and ACE/Client software version 2.1.1 is supported on the following platforms:
The Security Dynamics authentication system (generally referred to as SecurID) consists of the following components:
Note - In order to use RADIUS with SecurID, the ACE/Server software must be running on the same UNIX host as the RADIUS server. If the ACE/Server software is installed on a different machine, then the RADIUS server must be an ACE/Server slave.
When SecurID is used with RADIUS, a connection proceeds as follows:
The SecurID software package consists of a number of applications and utilities. This section covers the installation and use of two components, Progress and ACE/Server, and two utilities, sdshell and sdadmin.
SecurID software is not shipped with the PortMaster. This software must be ordered directly from Security Dynamics at (617) 547-7820.
Progress is an application development environment; this software must be installed before any additional SecurID software may be installed. In order to run Progress software with ACE/Server version 2.1.1, the Progress software version must be V7.3C01 or later.
Progress requires serial and control numbers for installation. Have these numbers available before beginning the installation.
To install Progress, follow the instructions in the Progress Installation Notes shipped with the Progress software. Note that Progress installs its software using the proinst utility, which must be run in an xterm window. To display an xterm on SunOS or Solaris, use the following command:
/usr/openwin/bin/xterm &
The RADIUS 2.0 server is compatible with ACE/Server version 1.3 or higher. To install ACE/Server and the ACE/Server client software, complete the following steps:
Change the check_os_version subroutine of sdsetup to contain the following lines (each case statement must be closed with esac, and the patterns are single-quoted):

case "$SUN_OS" in
    '4.1.3' | '4.1.4' ) VALID_OS=TRUE;;
    * ) VALID_OS=FALSE;;
esac

case "$SOL_OS" in
    '5.3' | '5.4' | '5.5' ) VALID_OS=TRUE;;
    * ) VALID_OS=FALSE;;
esac
sdsetup cannot be run while the sdconnect process or aceserver daemon are running. Stop these processes before attempting to run sdsetup.
ace_install/sdsetup
The ACE/Server software is typically installed on the same machine as the RADIUS server. To run ACE/Server on a different machine, the RADIUS server must be configured as an ACE/Server slave. See the ACE/Server Installation and Configuration Guide from Security Dynamics for instructions on configuring the ACE/Server Slave.
securid     5500/udp    # ACE/Server
securidprop 5100/udp    # ACE/Server Slave
To configure a slave server in addition to a master server, add the securidprop entry. If you are using NIS or NIS+, add these entries to the services NIS map on your NIS master and push the maps.
Note - Pushing the maps updates the NIS database to include recently entered information. Use the make services command on the NIS master. For more details, consult your UNIX system documentation.
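The following check is an added example, not part of the Livingston RADIUS or Security Dynamics software. It parses /etc/services-style text (the same format that ypcat services prints for an NIS map) and reports whether the securid and securidprop entries above are present on 5500/udp and 5100/udp, and whether any other service line claims the same port and protocol, which is the kind of silent conflict that keeps the ACE/Server from receiving requests. The sample inputs are constructed.

```python
"""Added check, not part of the Livingston or Security Dynamics software: parse
/etc/services-style text and confirm the ACE/Server entries are present on the
expected port/protocol and that no other service claims the same port."""
from typing import List, Tuple

# Entries the page requires: securid for the server, securidprop for a slave.
REQUIRED = {"securid": ("5500", "udp"), "securidprop": ("5100", "udp")}


def parse_services(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, port, proto) triples; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments such as "# ACE/Server"
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                           # not "name port/proto [aliases]"
        port, proto = fields[1].split("/", 1)
        entries.append((fields[0], port, proto))
    return entries


def check_ace_services(text: str, need_slave: bool = False) -> List[str]:
    """Return a list of problems found (an empty list means the entries look right)."""
    by_name, by_port = {}, {}
    for name, port, proto in parse_services(text):
        by_name.setdefault(name, []).append((port, proto))
        by_port.setdefault((port, proto), []).append(name)
    wanted = ["securid"] + (["securidprop"] if need_slave else [])
    problems = []
    for name in wanted:
        port, proto = REQUIRED[name]
        bound = by_name.get(name)
        if bound is None:
            problems.append(f"missing entry: {name} {port}/{proto}")
        elif (port, proto) not in bound:
            problems.append(f"{name} is bound to {bound} instead of {port}/{proto}")
        others = [n for n in by_port.get((port, proto), []) if n != name]
        if others:
            problems.append(f"{port}/{proto} is also claimed by {others}")
    return problems


# Constructed sample input (what `cat /etc/services` or `ypcat services` might show).
SAMPLE_OK = """\
# Network services, Internet style
ntp          123/udp
securid      5500/udp   # ACE/Server
securidprop  5100/udp   # ACE/Server Slave
"""

SAMPLE_BAD = """\
securid      5500/udp   # ACE/Server
othersvc     5500/udp   # constructed conflict on the ACE/Server port
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_ace_services(sample, need_slave=True) or "OK")
```

Run it against the real file with check_ace_services(open("/etc/services").read(), need_slave=True) on the RADIUS host, and against the NIS copy by feeding it the output of ypcat services after pushing the maps; the two results should agree.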
sdadmin is an ACE/Server administration utility. Using sdadmin, a system administrator can add and delete users, assign PINs and tokens, and monitor network activity. sdadmin may be run in GUI (the default) or character mode.
To use sdadmin, complete the following steps:
/usr/ace/sdconnect start
To stop the database broker, use the sdconnect stop command.
/usr/ace/aceserver start
To stop ACE/Server, use the aceserver stop command.
if [ -x /usr/ace/aceserver ]; then
    /usr/ace/aceserver stop
    /usr/ace/sdconnect stop
    /usr/ace/sdconnect start
    /usr/ace/aceserver start
else
    echo "Cannot start aceserver"
fi
/usr/ace/sdadmin &

or, for character mode:

/usr/ace/sdadmin -c &
To run sdadmin in GUI mode, the host's window environment must be an implementation of X11R5 or later. If you are running SunOS on a SPARCstation, note that Sun OpenWindows is an X11R4 implementation, so the GUI sdadmin utility cannot be displayed on it. To use the GUI sdadmin there, the X11R5 kit (shipped with the ACE/Server software) must be installed. See Part 1 of the ACE/Server Installation and Configuration Guide for instructions.
sdshell is an ACE/Server client utility used to assign new PINs to users. It can also be used as a troubleshooting method to verify ACE/Server client/server communication before configuring RADIUS.
To execute sdshell, the sdconnect and aceserver daemons must be running.
To use sdshell, assign tokens to each user (see the previous section) and instruct a user to log into his or her account and run sdshell. sdshell runs through a PIN assignment sequence, as displayed in the next example.
Instruct the user to enter a new PIN or press Return to have a PIN automatically generated. The user-generated PIN or system-generated PIN must be configured for the user when adding the user to the ACE/Server database.
% sdshell
Enter PASSCODE:
Enter your new PIN, containing 4 to 8 digits,
or Return to generate a new PIN and display it on the screen,
or Ctrl d to cancel the new PIN procedure:
Please re-enter new PIN:
Wait for the code on your token to change, then log in with the new PIN
Enter PASSCODE:
PASSCODE Accepted
The PIN options in sdshell (user-selected or system-generated) may vary, depending on how the PIN mode is configured. See the "Pin Administration" chapter of the ACE/Server Administration Manual for configuration instructions.
If the user's new PASSCODE is accepted, communication between the ACE/Server client and server is successful. Proceed to the next section, "RADIUS Configuration."
Note - Livingston Technical Support does not provide support for ACE/Server and ACE/Client installation and configuration problems. Please contact Security Dynamics Technical Support at (617) 547-7820. Livingston Technical Support provides support for RADIUS when used in conjunction with SecurID after the sdshell utility has verified that the ACE/Server is working properly.
Each SecurID user must have an entry in the RADIUS users file or must use a DEFAULT entry. In the entry, the Auth-Type check item must be SecurID, as shown in the following example:
DEFAULT Auth-Type = SecurID
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-MTU = 1500
Users authenticated using this DEFAULT entry must be activated and assigned a token card using the ACE/Server sdadmin utility, as discussed in the previous section.
When user bob dials into the PortMaster, the following prompts are displayed:
login: <enter username>
Password: <enter PIN number followed by a token code>
When a new user is added to the ACE/Server database, a token card is assigned to the user. If the token card does not have a PIN number, the user is put in a New PIN mode by the ACE/Server during the first connection attempt. To be authenticated in this mode, the user must select a PIN number.
Users may be forced into New PIN mode by the ACE administrator if the user has forgotten the PIN number or an attacker has learned the PIN number.
A New PIN mode user can assign the PIN number using RADIUS when he is dialing into the network. Refer to the "Pin Administration" chapter of the ACE/Server Administration Manual for more information on New PIN mode.
When a user in New PIN mode is forced to create a PIN number via RADIUS, the "New PIN required" prompt appears to instruct the user to enter a PIN number.
login: bob
Password: <token code>
New PIN required: 1234
In the above example, when user bob dials into the network, he enters his login name at the login prompt. At the Password prompt, he enters the token code alone, and the PortMaster sends an access-request to the RADIUS server. The ACE/Server looks in its database and recognizes that user bob is a New PIN mode user. It sends an access-challenge to the PortMaster, and the New PIN required prompt is displayed asking bob to enter a PIN number.
After bob enters his PIN number, the RADIUS server responds with the following message:
New PIN Accepted: Wait for the next card code to login
Password:
In the subsequent login, at the Password prompt, bob's password would be a PIN number followed by a token code.
The ACE/Server provides a system-generated PIN using the sdshell utility described above. sdshell displays the number on the screen for the user to memorize.
Note - sdshell displays the system-generated PIN for only 10 seconds. After the PIN number disappears, it cannot be viewed again.
When dialing into the network, the user enters his system-generated PIN at the "New PIN required:" prompt.
If a user enters a valid PIN and an invalid token code, the Next Cardcode prompt is displayed. This prompt also appears if the user's token card is not synchronized with the ACE/Server.
If an authorized user's token card is not synchronized with the ACE/Server, the user must wait until the token code changes, then enter the new token code number at the Next Cardcode prompt. After the system verifies the second token code, the user is authenticated.
If an unauthorized user enters a stolen PIN followed by a guessed token code, he is given three opportunities to enter the correct token code. If three invalid token codes are entered, the unauthorized user is disconnected.
login: bob
Password: <PIN number followed by invalid token code>
Next Cardcode:
In the above example, bob has entered a valid PIN number followed by an invalid token code. The Next Cardcode prompt appears, indicating that bob's token card is not synchronized with the ACE/Server. Bob must wait for 60 seconds for a new token code, then enter this code at the Next Cardcode prompt.
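The three dialogs above (first login in New PIN mode, an out-of-sync card answered at the Next Cardcode prompt, and a known PIN followed by guessed token codes) are easier to reason about as one state machine. The simulation below is an added example, not Livingston's RADIUS or the ACE/Server code: the user database, PINs and token codes are constructed, Token.tick() stands in for the card code changing (every 60 seconds on a real card), and the handling of a wrong PIN, a wrong code in New PIN mode and a malformed new PIN is an assumption made for the simulation, since the text does not describe those cases. It applies the page's own rules: a PIN of 4 to 8 digits, a code entered before the card changes does not count at the Next Cardcode prompt, and the third invalid token code disconnects the session.

```python
"""Constructed simulation of the SecurID login flow described above: New PIN mode,
Next Cardcode mode and the three-attempt disconnect. Added illustration, not the
Livingston RADIUS or ACE/Server code; users, PINs and token codes are made up, and
Token.tick() stands in for the card code changing (every 60 seconds on a real card)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_TOKEN_ATTEMPTS = 3             # page: three invalid token codes, then disconnect
PIN_RE = re.compile(r"^\d{4,8}$")  # sdshell prompt: a PIN contains 4 to 8 digits
WAIT = "<wait for the next card code>"   # dialog step meaning "let the card change"

@dataclass
class Token:
    codes: List[str]   # constructed sequence of card codes; codes[pos] is the current one
    pos: int = 0

    def current(self) -> str:
        return self.codes[self.pos]

    def tick(self) -> None:        # the card changes (the user "waits 60 seconds")
        self.pos += 1

@dataclass
class UserRecord:
    token: Token
    pin: Optional[str] = None      # None: no PIN assigned yet, so the user is in New PIN mode

@dataclass
class Session:
    user: str
    state: str = "LOGIN"           # LOGIN, NEW_PIN, NEXT_CARDCODE, ACCEPTED, DISCONNECTED
    bad_codes: int = 0
    challenged_at: int = -1        # token position when the Next Cardcode prompt went out

class AceSim:
    """Server side. handle() returns (RADIUS reply type, prompt shown to the user)."""
    def __init__(self, db: Dict[str, UserRecord]):
        self.db = db

    def handle(self, s: Session, answer: str) -> Tuple[str, str]:
        rec = self.db.get(s.user)
        if rec is None or s.state in ("ACCEPTED", "DISCONNECTED"):
            return self._fail(s)
        if s.state == "NEW_PIN":
            if not PIN_RE.match(answer):         # assumption: a malformed PIN is re-prompted
                return ("Access-Challenge", "New PIN required:")
            rec.pin, s.state = answer, "LOGIN"
            return ("Access-Challenge",
                    "New PIN Accepted: Wait for the next card code to login\nPassword:")
        if s.state == "NEXT_CARDCODE":
            return self._check_code(s, rec, answer)
        # LOGIN: a New PIN mode user sends the token code alone, everyone else PIN + code.
        if rec.pin is None:
            if answer == rec.token.current():
                s.state = "NEW_PIN"
                return ("Access-Challenge", "New PIN required:")
            return self._fail(s)                 # assumption: a wrong code here is rejected
        if not answer.startswith(rec.pin):
            return self._fail(s)                 # assumption: a wrong PIN is rejected outright
        return self._check_code(s, rec, answer[len(rec.pin):])

    def _check_code(self, s: Session, rec: UserRecord, code: str) -> Tuple[str, str]:
        # After a Next Cardcode prompt the card must have changed before a code counts.
        waited = s.state != "NEXT_CARDCODE" or rec.token.pos > s.challenged_at
        if waited and code == rec.token.current():
            s.state = "ACCEPTED"
            return ("Access-Accept", "PASSCODE Accepted")
        s.bad_codes += 1
        if s.bad_codes >= MAX_TOKEN_ATTEMPTS:    # third bad code: disconnected
            return self._fail(s)
        s.state, s.challenged_at = "NEXT_CARDCODE", rec.token.pos
        return ("Access-Challenge", "Next Cardcode:")

    @staticmethod
    def _fail(s: Session) -> Tuple[str, str]:
        s.state = "DISCONNECTED"
        return ("Access-Reject", "")

def make_db(pin: Optional[str] = None) -> Dict[str, UserRecord]:
    """Constructed database: bob has a token card; pin=None leaves him in New PIN mode."""
    return {"bob": UserRecord(Token(["123456", "234567", "345678", "456789"]), pin)}

def run_dialog(db: Dict[str, UserRecord], user: str, steps: List[str]) -> List[str]:
    """Drive one session: each step is an answer typed at the prompt, or WAIT."""
    ace, s, replies = AceSim(db), Session(user), []
    for step in steps:
        if step == WAIT:
            db[user].token.tick()
        else:
            replies.append(ace.handle(s, step)[0])
    return replies

if __name__ == "__main__":
    # bob's first login (New PIN mode), an out-of-sync card, and three guessed codes
    print(run_dialog(make_db(), "bob", ["123456", "1234", WAIT, "1234234567"]))
    print(run_dialog(make_db("1234"), "bob", ["1234999999", WAIT, "234567"]))
    print(run_dialog(make_db("1234"), "bob", ["1234000000", WAIT, "000001", WAIT, "000002"]))
```

The three printed lists are Challenge, Challenge, Accept for the New PIN dialog; Challenge, Accept for the out-of-sync card; and Challenge, Challenge, Reject for the guessing case, which is the bound the page describes: with the PIN known, an attacker still gets at most three token-code attempts per connection before being disconnected.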
Progress version V7.3C01 has some known bugs that may cause problems during SecurID installation. This section covers the three bugs that you are most likely to encounter and suggests solutions for them. If you still have problems after trying these solutions, contact Security Dynamics Technical Support at (617) 547-7820.
When sdadmin is launched for the first time, the error message "cannot find first token, database may be empty" may appear. To correct this problem, complete the following steps:
/usr/ace/sdnewdb
/usr/ace/sdimport filename.asc
/usr/ace/sdadmin &

or, for character mode:

/usr/ace/sdadmin -c &
The sdserv.bi and sdlog.bi files (located in the /usr/ace directory) occasionally need to be truncated. If they are not truncated, they may consume too much disk space and cause problems for the ACE/Server database. To truncate these files, use the following commands:
/usr/dlc/bin/_proutil -c truncate sdserv.bi
/usr/dlc/bin/_proutil -c truncate sdlog.bi
When sdadmin is executed on Solaris 2.4 or HP/UX 9.03 hosts, an "out of memory" message is displayed. To correct this problem, complete the following steps:
set semsys:seminfo_semmni=64
set semsys:seminfo_semmns=200
set semsys:seminfo_semmnu=100
set semsys:seminfo_semmsl=50
set shmsys:shminfo_shmmax=16777216
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=16
reboot -rv