CONFIGURING SECURITY LEVEL

User Level Security

The following sections describe authentication using SecurID token cards, the system requirements for user level security, and the authentication process that user level security follows.

AUTHENTICATION USING A SECURITY TOKEN CARD

The CyberSWITCH supports interactive, user level security through a TACACS or ACE server that has been programmed for use with security token cards. Token cards are credit card-sized devices widely used throughout the computer industry for authentication, and the CyberSWITCH extends this form of authentication to ISDN connections. The CyberSWITCH implementation of user level security supports the SecurID token card from Security Dynamics.

The SecurID card works on a “passcode” concept, which consists of two factors:

a known, memorized value (the password, or PIN, associated with the card)

a dynamically generated value (the code currently displayed by the SecurID card)

Note: For more information specific to the SecurID card, refer to the documentation provided by Security Dynamics Technologies Inc.

The user is prompted for the passcode value at login. The following description illustrates how the user level authentication process works:

The CyberSWITCH provides user level security by having the remote user establish a Telnet connection to the system. While the remote user is being authenticated, a data filter is placed on the connection. This filter allows only the Telnet session traffic to flow over the connection between the user and the CyberSWITCH; all other data is discarded. During the Telnet session, the system collects the user information (user ID, password and, if the server requires it, the dynamic password) and requests authentication from the configured server. Once the user is authenticated, the data filter is removed from that connection and all remote user data is forwarded on the connection.

If the user fails to be authenticated, the connection is released. The user must establish a new connection and perform validation again.

If the ISDN connection is released by either the ISDN network or by the remote device, the system treats this as a new authentication session and starts the validation sequence over.

Note that when a user establishes the Telnet connection to the CyberSWITCH, the user needs to Telnet into a special TCP port configured for the type of authentication the user wishes to use. For example, to get validated through the TACACS authentication server, the user needs to Telnet into port 7000 (the default value for the TACACS port). Different port numbers are used for other types of authentication servers such as RADIUS or ACE.
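The login sequence above (filtered connection, Telnet to the server-specific port, two-factor passcode check, filter removed on success, connection released on failure or on an ISDN drop) is modeled below as an added example. This is not Enterasys code and not the proprietary SecurID algorithm: the switch address, the ACE port number, the user record and the token seed are constructed, and the tokencode is an HMAC-SHA1 time counter standing in for the card's dynamic value.

```python
"""Constructed model of the CyberSWITCH user-level authentication gate.

Added example, not Enterasys code. Addresses, the ACE port and the user
record are assumptions; the tokencode is a TOTP-style stand-in, not the
proprietary Security Dynamics SecurID algorithm.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

SWITCH_IP = "192.0.2.1"   # constructed address for the CyberSWITCH
TACACS_PORT = 7000        # manual's default Telnet port for TACACS validation
ACE_PORT = 7001           # assumption: the manual does not list the ACE port here


def tokencode(secret: bytes, now: int, interval: int = 60) -> str:
    """Dynamic value that changes every `interval` seconds (stand-in for the card)."""
    counter = struct.pack(">Q", now // interval)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class AceServer:
    """Constructed security server: knows each user's PIN (known value) and
    token seed, and expects passcode = PIN + tokencode (dynamic value)."""
    def __init__(self, users: dict, clock):
        self.users = users      # user_id -> (pin, token_secret)
        self.clock = clock      # callable returning the server's time

    def authenticate(self, user_id: str, passcode: str) -> bool:
        record = self.users.get(user_id)
        if record is None:
            return False
        pin, secret = record
        expected = pin + tokencode(secret, self.clock())
        return hmac.compare_digest(passcode, expected)   # constant-time compare


@dataclass
class Connection:
    """One ISDN connection from a remote user, as the switch tracks it."""
    auth_port: int
    authenticated: bool = False
    released: bool = False
    forwarded: list = field(default_factory=list)

    def filter_allows(self, pkt: dict) -> bool:
        """Data filter in force until authentication: only Telnet to the
        switch's authentication port passes; everything else is dropped."""
        if self.authenticated:
            return True
        return (pkt["proto"] == "tcp" and pkt["dst"] == SWITCH_IP
                and pkt["dst_port"] == self.auth_port)

    def deliver(self, pkt: dict) -> str:
        if self.released:
            return "released"
        if self.filter_allows(pkt):
            self.forwarded.append(pkt)
            return "forwarded"
        return "dropped"


class CyberSwitchGate:
    """Maps each authentication port to its server and runs the login sequence."""
    def __init__(self, servers: dict):
        self.servers = servers  # auth port -> server with authenticate()

    def telnet_login(self, conn: Connection, user_id: str, credential: str) -> str:
        server = self.servers.get(conn.auth_port)
        if conn.released or server is None:
            return "released"
        if server.authenticate(user_id, credential):
            conn.authenticated = True    # filter removed; all data now forwarded
            return "authenticated"
        conn.released = True             # failed validation releases the connection
        return "released"

    @staticmethod
    def reconnect(conn: Connection) -> Connection:
        """An ISDN release by the network or remote device starts the
        validation sequence over on a fresh, filtered connection."""
        conn.released = True
        return Connection(auth_port=conn.auth_port)


def demo(now: int = 1_700_000_000) -> list:
    """Walk one constructed user through success, an ISDN drop, and a failure."""
    secret = b"constructed-token-seed"
    gate = CyberSwitchGate({ACE_PORT: AceServer({"alice": ("1234", secret)}, lambda: now)})
    telnet = {"proto": "tcp", "dst": SWITCH_IP, "dst_port": ACE_PORT}
    http = {"proto": "tcp", "dst": "198.51.100.7", "dst_port": 80}
    conn = Connection(auth_port=ACE_PORT)
    events = [conn.deliver(telnet), conn.deliver(http)]                  # forwarded, dropped
    events.append(gate.telnet_login(conn, "alice", "1234" + tokencode(secret, now)))
    events.append(conn.deliver(http))                                     # forwarded
    conn = gate.reconnect(conn)                                           # ISDN drop
    events.append(conn.deliver(http))                                     # dropped again
    events.append(gate.telnet_login(conn, "alice", "9999" + tokencode(secret, now)))
    events.append(conn.deliver(telnet))                                   # released
    return events


if __name__ == "__main__":
    print(demo())
```

The filter is the security-relevant piece: until the server answers, the only thing a caller can reach is the authentication listener on the switch itself, so an unauthenticated ISDN caller cannot use the link to reach anything behind the CyberSWITCH. The wrong-PIN case in `demo` shows why the two factors are combined into one passcode: a stolen card without the PIN, or a PIN without the card, fails the same way.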

The figure at this point in the manual shows the relationship between the security server, an end user, and the computer that prompts for the input. The security clients and the security server communicate with each other using a dedicated protocol such as TACACS.

Central Site Remote Access Switch 169

Enterasys Networks CSX6000, CSX5500, CSX7000 manual, User Level Security