RSA Security Home Security System 3.6.0 User's Manual
Contents
1. Defined 4 8 Alphanumeric User Defined 5 7 Numeric User Selectable Deny 4 and 8 Digit PIN Deny Alphanumeric PIN PASSCODE 16 Digit PASSCODE 4 Digit Password Next Tokencode Mode Next Tokencode Mode Load Balancing Reliability Testing Failover 3 10 Replicas Name Locking Enabled No RSA Authentication Manager RADIUS Protocol Force Authentication After New PIN System Generated PIN User Defined 4 8 Alphanumeric User Defined 5 7 Numeric User Selectable Deny 4 and 8 Digit PIN Deny Alphanumeric PIN 16 Digit PASSCODE 4 Digit Password Next Tokencode Mode Failover Name Locking Enabled No RSA Authentication Manager Additional Functionality RSA Software Token API Functionality System Generated PIN User Defined 8 Digit Numeric User Selectable Next Tokencode Mode Domain Credential Functionality Determine Cached Credential State Set Domain Credential Retrieve Domain Credential PAR SWA System Generated PIN User Defined 8 Digit Numeric User Selectable Next Tokencode Mode Determine Cached Credential State Set Domain Credential Retrieve Domain Credential w Pass Fail N A Non Available Function SecurID 142. Runtime Environment 1 4 2 plugin or later 2 Download f Applet comconsoleAspApplet started O E E D nemne 2 Login to the LX unit Username InReach Password La cancer 3 Click the Admin button on the upper tool bar 2 Superuser Login X Please enter password E ok Cancel SecurID 12 4 Select TACACS under the Authentication Folder from the navigation tool bar on the left Enter the desired ie cu Locs upoate information for your site Configuration Console 140 179 169 191 CurrentUser Database UserSession E r OO IDAP Notification eroe esene ooo o IA KI D Address f http auto search msn zj nbox E mv_ac accounting Address 0 0 0 0 Accounting Port Accounting Timeout sec 5 pod Accounting Retry INot configured d Secondary Wg Port 49 Timeout sec Retry 3 Secret Accounting Port ago Accounting Timeout sec 5 Accounting Retry Bod Accounting Secret Not configured om conem amy sias EF SecurlD 13 rt r 4 Certification Checklist Date Tested March 8 2006 Certification Environment Product Name Version Information Operating System RSA Authentication Manager 6 1 Windows 20000 6 1 3 6 0 LX Series 36 00 XL X 4000 LX 8000 Mandatory Functionalit RSA Native Protocol New PIN Mode Force Authentication After New PIN System Generated PIN User
3. authentication server secret STRING AAA 0 gt gt tacacs secondary authentication server retransmit 3 AAA 0 gt gt tacacs secondary authentication server timeout 7 TACACS Secondary Accounting Server Commands AAA 0 gt gt tacacs Secondary accounting server address AAA 0 gt gt tacacs secondary accounting server port 164 AAA 0 gt gt tacacs secondary accounting server port 181 AAA 0 gt gt tacacs secondary accounting server secret S AAA 0 gt gt tacacs secondary accounting server retransm AAA 0 gt gt tacacs secondary accounting server timeout 7 U2 247 tole bo gt l 6 3 7 gt RI NG t3 gt gt Port Commands Config 0 gt gt port async Async 0 gt gt authentication outbound tacacs enable Async 0 gt gt authentication inbound tacacs t enable Async 0 gt gt tacacst accounting enable Interface Commands Config 0 gt gt interface Intf 0 gt gt authentication tacacs enable Intf 0 gt gt tacacs accounting enable SecurID 11 Setting Up TACACS Web Interface 1 Point your browser to the LX IP address s T LX Series Console Access Page Microsoft Internet Explorer File Edit View Favorites Tools Help T X 7 A a d Eo S By Address http 140 179 169 191 Go Links Back Fonverd Stop Refresh Home Search Favorites Media History Mail BZMRV In Reach Welcome to the LX Series Console Ge The console requires Java
4. command to specify the RSA Authentication Manager authentication version for the LX unit You can specify the authentication version as Version 5 or pre Version 5 legacy for example Login InReach Password access InReach 0 gt enable Password system InReach 0 gt gt configuration AAA 0 gt gt securid authentication version version_5 AAA 0 gt gt securid authentication version legacy 4 Use the securid authentication port command to specify the socket your RSA Authentication Manager server is listening to for example AAA 0 gt gt securid authentication port 1687 EP Note The LX listens to port 5500 by default 5 Use the securid primary authentication server address command to specify the IP address of the RSA Authentication Manager Primary for example AAA 0 gt gt securid primary authentication server address 10 242 131 11 6 Use the securid authentication encryption command to specify the RSA SecurlD encryption method for the LX unit You can specify DES or SDI as the encryption method for example AAA 0 gt gt securid authentication encryption des AAA 0 gt gt securid authentication encryption sdi 7 To verify the LX configuration execute the show securid characteristics command at the superuser command prompt for example AAA 0 gt gt show securid characteristics Ep Note To clear the node secret from the LX unit use the zero securid secret command SecurID 4 RSA SecurlD A
5. fd Bod Secret Configured Accomting Mkea Accounting Port a3 Ae T po Accounting Secret Not configured Port 19812 Secret Not configured Accounting Address 0 0 0 0 Acenta Port fag o i d Not configured SecurlID 10 Setting Up TACACS You can implement TACACS authentication and TACACS accounting at the server level and for specific interfaces and asynchronous ports on the LX unit Access the AAA Configuration mode on the LX TACACS Primary Authentication Server Commands AAA 0 gt gt tacacs primary authentication server address 10 242 131 15 AAA 0 gt gt tacacs primary authentication server port 49 AAA 0 gt gt tacacs primary authentication server secret STRING AAA 0 gt gt tacacs primary authentication server retransmit 3 AAA 0 gt gt tacacs primary authentication server timeout 7 TACACS Primary Accounting Server Commands AAA 0 gt gt tacacs primary accounting server address 10 242 131 15 AAA 0 gt gt tacacs primary accounting server port 49 AAA 0 gt gt tacacs primary accounting server secret STRING AAA 0 gt gt tacacsS primary accounting server retransmit 3 AAA 0 gt gt tacacs primary accounting server timeout 7 TACACS Secondary Authentication Server Commands AAA 0 gt gt tacacs secondary authentication server address 10 242 131 15 AAA 0 gt gt tacacs secondary authentication server port 49 AAA 0 gt gt tacacs secondary
6. gt radius secondary accounting server timeout 7 022492 1314 13 S55 D gt Port Commands Config 0 gt gt port async Async 0 gt gt authentication outbound radius enable Async 0 gt gt authentication inbound radius enable Async 0 gt gt radius accounting enable Interface Commands Config 0 gt gt interface Intf 0 gt gt authentication radius enable Intf 0 gt gt radius accounting enable SecurID 8 Setting Up RADIUS Web Interface 1 Point your browser to the LX IP address E LX Series Console Access Page Microsoft Internet Explorer File Edit View Favorites Tools Help ee f A Q E7 Eo 3S B A Address hep 7140 173 168 131 z Go tinker Back Forverd Stop Refresh Home Search Favorites Media History Mail Print EZMRV In Reach Welcome to the LX Series Console 2 The console requires Java Runtime Environment 1 4 2 plugin or later 3 Download j Applet com console Asp pplet stated l E E D nene 2 Login to the LX unit Username InReach Password tan cance 3 Click the Admin button on the upper tool bar 2 Superuser Login x Please enter password pee ok Cancel SecurID 4 Select RADIUS under the Authentication Folder from the navigation tool bar on the left Enter the desired information for your site CurrentUser Usersession SecurlD C Notification 10 242 131 13 a82
7. Manager account with the attributes of the default InReach account Use the securid local subscriber enable command to configure the RSA Authentication Manager Local Subscriber Feature for the LX unit for example AAA 0 gt gt securid local subscriber enable When the RSA Authentication Manager Local Subscriber Feature is set to only the subscriber can only be logged in if the subscriber account is configured on both the LX unit and the RSA Authentication Manager server and the subscriber account on the LX server has the same name as the subscriber account on the RSA Authentication Manager server Use the securid local subscriber only command to set the RSA Authentication Manager Local Subscriber Feature to only for example AAA 0 gt gt securid local subscriber only RSA SecurlD sdconf rec The LX software now supports the import of sdconf rec files To use the sdconf rec file download it into the LX config directory If this file is present on the LX the RSA Authentication Manager system characteristics included within the sdconf rec file will be used and configuration of the RSA Authentication Manager attributes will be blocked at the CLI command level To download the sdconf rec file 1 Go to the shell 2 Change to the directory cd config directory 3 From config perform an FTP and retrieve the sdconf rec file SecurID 5 Setting Up RSA SecurlD Authentication Web Interface 1 Point your browser to the L
8. Out Of Band Network applications LX Series Console and Terminal Servers in conjunction with RSA SecurlID two factor authentication coupled with the power of RADIUS accounting capabilities provide administrators not only with a strong sense of security but also a high level of accountability and logging capabilities Native RSA SecurID Authentication RADIUS Ful Replica Suppor Designated Users All Users Ne Use of Cached Domain Credentials No Product Requirements Partner Product Requirements LX OS 3 6 0 CPU Memory 128MB DRAM Storage No hard drive 16MB Flash Firmware Version 3 6 0 or higher es Operating System LX OS 3 6 0 or later 3 6 0 or later Additional Software Requirements Java JRE SecurID 2 Agent Host Configuration To facilitate communication between the LX Product line and the RSA Authentication Manager RSA SecurlD Appliance an Agent Host record must be added to the RSA Authentication Manager Database and RADIUS Server Database when using RADIUS The Agent Host record identifies the LX Product line within its database and contains information about communication and encryption To create the Agent Host record you will need the following information e Hostname e P Addresses for all network interfaces e RADIUS Secret When using RADIUS Authentication Protocol When adding the Agent Host Record you should configure the LX Series as a Communication Server This setting is used by t
9. RTE RSA SecurlD Ready Implementation Guide Last Modified March 8 2006 Partner Information Product Information Partner Name MRV Communication Inc Product Name LX Series LX OS 3 6 0 or later Product Description MRV Communications is a leading provider of network access solutions for the enterprise edge the seam where corporate networks meet the wide area public network and the service provider edge The LX Series advance security protects access to your network The LX Series authenticates local and remote users while providing a secure network dialup access for remote offices and home users Product Category Remote Access SecurID 1 Solution Summary The MRV LX Series Secure Console Terminal Servers have been specifically designed with a focus on security The LX Series multi processor platforms have the processing horsepower to handle the FIPS approved encryption and cipher algorithms required to meet demands of today s high security environments LX Series platforms provide the highest and most comprehensive set security and encryption support of any Console or Terminal Server on the market today The RSA SecurlD Authentication support is one of many authentication mechanisms available in the LX Series products RSA SecurlID in conjunction with RADIUS Authentication and Accounting provides a very powerful means by which to manage all aspects of security for traditional Terminal Server Console Server and
10. X IP address Browser must have Java 1 4 2 or higher installed E LX Series Console Access Page Microsoft Internet Explorer File Edit View Favorites Tools Help e Q A Que gs B amp Address http 7140 179 169 191 v Go Links Back Fonverd Stop Refresh Home Search Favorites Media History Mail Print EZMRV In Reach Welcome to the LX Series Console Gi The console requires Java Runtime Environment 1 4 2 plugin or later 2 Download j Applet com console Asp pplet stated l E E D nene 2 Login to the LX unit Username InReach Password team cancer 3 Click the Admin button on the upper tool bar 2 Superuser Login x Please enter password 1 ok Cancel SecurID 6 4 Configuration Console 140 179 169 191 peace _jPorts ad gt CurrentUser Database UserSession ame a SecurID Select SecurlD under the Authentication Folder from the navigation tool bar on the left Enter the desired information for your site n K Setting Up RADIUS Command Line Interface RADIUS Primary Authentication Server Commands Login InReach Password access I nReach 0 gt enable Password I nReach 0 gt gt configuration Config 0 gt gt aaa AAA 0 gt gt radius primary authentication server address 10 242 131 13 AAA 0 gt gt radius primary authentication server port 1645 AAA 0 gt gt radius p
11. he RSA Authentication Manager to determine how communication with the LX Series will occur EP Note Hostnames within the RSA Authentication Manager RSA SecurlD Appliance must resolve to valid IP addresses on the local network Please refer to the appropriate RSA Security documentation for additional information about Creating Modifying and Managing Agent Host records SecurID 3 Partner Authentication Agent Configuration Setting Up RSA SecurlD Authentication Command Line Interface You can implement SecurlD authentication at the server level and for specific interfaces and asynchronous ports on the LX unit You must implement RSA SecurlD Authentication at the server level before you can implement it on specific interfaces and asynchronous ports on the LX unit The basic steps for configuring SecurlD authentication on the LX unit are 1 Specifying the RSA Authentication Manager Server settings on the LX 2 Installing and configuring the SecurlD server on a Network based Host 3 Configuring a RSA Authentication Manager Local Subscriber optional Specifying the RSA Authentication Manager Server Settings on the LX Perform the following operations to specify the RSA Authentication Manager settings on the LX unit 1 Check the primary RSA Authentication Manager Server host to ensure that the RSA Authentication Manager application is running 2 Access the AAA Command Mode on the LX 3 Use the securid authentication version
12. rimary authentication server port 1812 AAA 0 gt gt radius primary authentication server secret STRING ae gt gt radius primary authentication server retransmit 3 AAA 0 gt gt radius primary authentication server timeout 7 RADIUS Primary Accounting Server Commands AAA 0 gt gt radius secondary accounting server address 1 AAA 0 gt gt radius secondary accounting server port 1646 AAA 0 gt gt radius secondary accounting server port 1813 AAA 0 gt gt radius secondary accounting server secret STRING gt gt radius secondary accounting server retransmt 3 gt gt radius secondary accounting server timeout 7 0 242 131 be 0 0 RADIUS Secondary Authentication Server Commands AAA 0 gt gt radius secondary authentication server address 1 0 gt gt radius secondary authentication server port 1645 AAA 0 gt gt radius secondary authentication server port 1812 0 gt gt radius secondary authentication server secret STRING AAA 0 gt gt radius secondary authentication server retransmit 3 0 gt gt radius secondary authentication server timeout 7 0 242 131 13 RADIUS Secondary Accounting Server Commands AAA 0 gt gt radius secondary accounting server address 1 AAA 0 gt gt radius secondary accounting server port 1646 AAA 0 gt gt radius secondary accounting server port 1813 AAA 0 gt gt radius secondary accounting server secret STRING AAA 0 gt gt radius secondary accounting server retransmit 3 AAA 0 gt
13. uthentication Command Examples This section provides examples of all of the commands that are used to specify settings for the RSA Authentication Manager servers AAA 0 gt gt securid primary authentication server address 10 242 131 11 AAA 0 gt gt securid authentication port 4500 AAA 0 gt gt securid primary authentication server name bigskyl com AAA 0 gt gt securid authentication encryption des AAA 0 gt gt securid authentication retransmit 7 Ae gt gt securid authentication timeout 3 AAA 0 gt gt securid authentication version version 5 Ep Note If you do not specify a UDP port retransmit value timeout version encryption or name for the RSA Authentication Manager server the LX unit will use the default values for these settings RSA SecurlD Local Subscriber Feature Under the RSA Authentication Manager Local Subscriber Feature a subscriber can be logged on in one of two ways e As an LX subscriber with the attributes of that subscriber if the LX subscriber account exists e Or if the LX subscriber account does not exist as the default InReach subscriber Under either scenario the subscriber must have an account on the RSA Authentication Manager server If the subscriber account also exists on the LX unit the subscriber is logged on under that account and given the attributes of that account If the subscriber account does not exist on the LX unit the subscriber is logged on under his RSA Authentication
Download Pdf Manuals
Related Search