HP NetRider Managing SecurID

Managing SecurID

Managing SecurID

Introduction

The Security Dynamics ACE/Server software performs dynamic two-factor SecurID authentication. Dynamic two-factor authentication combines something the user knows—a memorized personal identification number (PIN)—with something the user possesses—a randomly generated access code that changes every 60 seconds. The second factor is the tokencode generated by the SecurID token. This combination of PIN and tokencode represents a one-time passcode and is transmitted to the ACE/ Server software for verification.

The ACE/Server security environment is composed of four components. These are:

1ACE/Server software running on a UNIX platform

2(Optional) slave ACE/Server software running on a UNIX platform

3Access server running DNAS V2.0 or greater

4SecurID tokens utilized by users when they attempt to access the ACE/Server protected ACE/Clients

SecurID utilizes two types of hosts: master and slave. When setting up a SecurID realm, specify the master host by using the command SET PRIMARY host-name.You can specify the slave host using the command SET HOST host-name. Although the access server does allow you to configure multiple slave hosts, you should not do this.

Using the SECRET Keyword

The SECRET in the SecurID REALM is not specified by the user, but rather is filled in the first time the realm is used to authenticate a user. After that, you can clear it by using the NOSECRET qualifier in the CHANGE SECURID REALM command. If you clear it or if you delete the realm and then re-create it, you must reset the client on the authentication server side using the SecurID server administrator program.

SecurID Prompts

The default prompt for SecurID is ENTER PASSCODE>. This default is set when you create a new realm. This is the standard SecurID prompt.

SecurID Ports

Normally, you do not need to change the SecurID master and slave SERVICE PORT. If the default values do not match with those assigned on your hosts, then change the values in the access server to match those on the hosts.

Managing Access Server Security 22-23

Contents

Page Page Preface 1 DNAS Management 2 Management Tools 3 User Interface 4 Managing Load Hosts 5 Initializing the Access Server 6 Configuring LAT Characteristics Page 7 TCP/IP Network Characteristics 8 Managing AppleTalk 9 Configuring Basic Device Characteristics 10 Configuring Modem Signals 11 Configuring and Managing Interactive Devices Page 12 Configuring and Managing LAT Services 13 Configuring and Managing Telnet Servers 14 Configuring LPD Printers 15 Configuring and Managing SLIP Ports 16 Configuring for SNMP Access 17 Managing the Access Server 18Configuring and Managing 3270 Terminal Emulation (TN3270) 19Configuring and Managing Point-to-PointProtocol (PPP) Ports 20 Managing IPX 21 Managing Dial Services 22 Managing Access Server Security Page 23 Accounting A Cable and Adapter Recommendations Glossary Index Page Overview Purpose TSM Users Using This Manual Conventions Associated Documents How to Order Additional Documentation Correspondence Documentation Comments Online Services Page Introduction In This Chapter Configuration Tasks for System Administrators Configuration Tasks Management Tasks for System Administrators System Management Tasks User Tasks Accessing Online Help Storage of Configuration Settings and Changes in Memory Memory Types Power Loss Commands to Display and Change Configuration Settings Types of Commands That Operate on Configuration Settings Page Access Server Commands Levels of Access Server Commands User Groups Command Definitions Privileged Commands Help HELP TUTORIAL Command HELP Command Console Port Displaying Port Parameters Example: SHOW SERVER Command Remote Console Port Features of the Remote Console Port Communications Utilities for Remote Console Sessions Network Control Program (NCP) Use of SET HOST/MOP from a DECnet/OSI OpenVMS Node Use of CCR from an ULTRIX DECnet Node Telnet Remote Console Characteristics of the Telnet Remote Console Port Access Server Manager Functions Related Information Page Page Command Groups and Menus Using Command Groups Creating a Command Group Executing a Command Group Displaying a Command Group Purging a Command Group Using Menus Displaying a List of Enabled Menus Entering Menu Mode Assigning a Default Menu to a Port Menu Windows Page Defining Menus Main Menu Main Menu Display Defining Menu Choices Displaying a Selected Menu Exiting from a Menu Using Menus to Set Up a Captive Port Displaying a Menu Definition Purging Menu Lines and Entire Menus Page Load Host Procedures DSV$CONFIGURE Backward Compatibility of DSV$CONFIGURE Executing DSV$CONFIGURE ADD Command MODIFY and SET Commands DELETE Command LIST and SHOW Commands CONNECT and USE Commands Page Page DSVCONFIG DECserver Configuration Procedure DSVCONFIG Menu Using a BOOTP/TFTP Server IP Address Configuration Via BOOTP Remote Connection Password Upline Dumping Upline Dumps with MOP Hosts Upline Dumps with BOOTP/TFTP Hosts Terminal Server Manager (TSM) Page Page Preparing LAT Services for Initialization Do This Preparing Telnet Listeners for Initialization Initializing the Access Server Using the INITIALIZE Command Default Mode for the INITIALIZE Command Specifying Initialization from a Load Host Specifying an Image Name When Initializing Updating Flash RAM Specifying a Delay Value with INITIALIZE Using the DIAGNOSE Option with INITIALIZE INITIALIZE DIAGNOSE Option Tests Specifying the DISABLE OPTION with INITIALIZE Using NCP to Initialize the Access Server NCP Initialization Commands NCP Reference Booting from the Network Loading the Software Image Determining Boot Protocols Booting Using Console Commands Procedure Boot Command Options Page Page Page LAT Characteristics Preparing to Change LAT Characteristics LAT Characteristic Summary Page Displaying LAT Characteristics Command To Use LAT Characteristics Display Example ANNOUNCEMENTS Characteristic Configure Announcements Example CIRCUIT TIMER Characteristic Changing the CIRCUIT TIMER IDENTIFICATION Characteristic Changing the Server Identification String Removing an Identification String Identification String in a Login Procedure Display KEEPALIVE TIMER Characteristic Keepalive Timer Default Values Keepalive Timer Example MULTICAST TIMER Characteristic Multicast Timer Default Values Changing Multicast Timer Values Example ACCESS SERVER NAME Characteristic Default Access Server Name Changing the ACCESS SERVER NAME NODE LIMIT Characteristic Changing the Access Server NODE LIMIT Access SERVER NUMBER Characteristic Access SERVER NUMBER Values Changing the Access SERVER NUMBER PASSCHECK Characteristic Changing the PASSCHECK Characteristics PASSCHECK Characteristic Example QUEUE LIMIT Characteristic Special QUEUE LIMIT Values Changing the QUEUE LIMIT RETRANSMIT LIMIT Characteristic RETRANSMIT LIMIT Values Changing the RETRANSMIT LIMIT Characteristic RESPONDER Characteristic Access Server Mapping Datagram Types Changing the RESPONDER Characteristic Service Groups Viewing Service Groups Changing Access Server Service Groups Changing Service Groups Examples Page Page Configuring the Internet Address and Subnet Mask Tasks Alternative: Learning IP Information Setting the Internet Address Setting an Internet Subnet Mask Page Displaying the Internet Address and Subnet Mask Configuring Domain Name System (DNS) Characteristics Displaying DNS Characteristics Page Displaying the DNS Counters Configuring the Default Name Resolution Domain Page Changing the Time Limit Changing the Retry Limit Changing the Name Resolution Mode Configuring a List of Commonly Used Internet Hosts Configuring a List of Internet Name Servers Page Assigning DNS Server Addresses Automatically Configuring a List of Internet Gateway Addresses Displaying a List of Gateway Addresses Configuring a Default Gateway Defining Networks Available Through a Specific Gateway Defining Subnets Available Through a Specific Gateway Defining Hosts Available Through a Specific Gateway Configuring a List of Internet ARP Entries Displaying the List of Internet ARP Entries Defining an ARP Entry Setting the TCP Keepalive Timer What the Timer Does Setting the Timer Disabling the Timer Setting Timer Retries Displaying Timer Characteristics Displaying the Internet Counters Using the SHOW Command Internet Counters Display Example Internet Counter Display Fields Page Page Learning IP Information From a BOOTP Server BOOTP Server Configuration Learning Operation Setting Up IP Configuration Learning Learning IP Information From a DHCP Server BOOTP and DHCP Differences DHCP Client Operation DHCP Proxy Operation Enabling and Disabling DHCP Displaying the DHCP Setting Configuring Default Values Overriding DHCP-LearnedValues Assigning WINS Server Addresses What Does WINS Do What Is WINS Autoconfigure Operation Assigning WINS Addresses Displaying WINS Characteristics Page Page Page Configuring AppleTalk on an Access Server AppleTalk Address Format Enabling AppleTalk Disabling AppleTalk Setting AppleTalk Address Cache Size Page Displaying AppleTalk Characteristics Commands Displaying AppleTalk Characteristics Example Fields in the AppleTalk Characteristics Display Displaying AppleTalk Counters Displaying AppleTalk Counters Example Fields in the AppleTalk Counters Display Page Page AARP Values Displaying AppleTalk Status Displaying AppleTalk Status Example Fields in the AppleTalk Status Display Page Displaying AppleTalk Routes Displaying AppleTalk Routes Example Fields in the AppleTalk Routes Display Page Displaying AppleTalk ARP Entries Displaying AppleTalk ARP Entries Example Fields in the AppleTalk ARP Display Page Page Page Configuring Basic Device Characteristics Basic Device Characteristic Summary Page Displaying Basic Device Characteristics Displaying Port Characteristics Example Configuring the ACCESS Characteristic Defining the ACCESS Characteristic Example Matching the Port and Device Characteristics AUTOBAUD CHARACTER SIZE PARITY SPEED STOP BITS TYPE Configuring the FLOW CONTROL Characteristic Flow Control Types XON/XOFF DSR CTS FLOW CONTROL Direction Specifying the Automatic Logout Characteristics Specifying DSRLOGOUT Specifying LONGBREAK LOGOUT Specifying INACTIVITY LOGOUT Specifying the INACTIVITY TIMER Page DTE/DCE Device Configuration Port Configuration Determining the Supported Modem Signals Access Servers and MODEM CONTROL Access Server Types and Supported Modem Signals Page Modem Signals Description Types of Modem Signal Page Specifying MODEM CONTROL and SIGNAL CONTROL Logging Out the Port with DSRLOGOUT or LONGBREAK LOGOUT Computer Interface Page Specifying SIGNAL SELECT Determining When to Use a Signal Set Specifying SIGNAL CHECK Specifying DTRWAIT Enabling DTRWAIT Example Specifying RING Specifying ALTERNATE SPEED Specifying DIALUP Sample Modem Configurations Configuring a Dial-InModem on a Full MODEM CONTROL Server Configuring a Dial-InModem on a MODEM CONTROL Server Configuring a Dial-OutModem on a Full MODEM CONTROL Server Configuring a Dial-Inand Dial-OutModem on a Full MODEM CONTROL Server Configuring a Dial-OutModem on a MODEM CONTROL Server Configuring a Dial-Inand Dial-OutModem on a MODEM CONTROL Server MODEM CONTROL Sequences Establishing a Connection Response to Momentary Loss of CTS Disconnecting Configuring DTR and DSR Signals Port Characteristic Effects on the DTR and DSR Signals Page Page Page Page Configuring an Interactive Device for LAT Sessions Configuring an Interactive Device for LAT Sessions Sample Network Configuration Configuring LAT Group Codes for Interactive Devices Specifying AUTOCONNECT Specifying AUTOPROMPT Specifying the Default Protocol Specifying Failover Configuring Port Queuing Displaying Access Server Queue Entries SHOW QUEUE ALL Display Example Removing Entries from the Access Server Queue Configuring Port Characteristics Configuring an Interactive Device for Telnet Sessions Configuring a Device on Port 6 for Internet Hosts Example Page Configuring a Session Management (TD/SMP) Terminal How to Configure Benefits and Restrictions Summary Local Mode Command Restrictions During Session Management Logging In with Multisessions Configuring On-DemandLoading for Asian Terminals On-DemandLoading Configuration Example Disable Switch Character Configuring for Block-ModeTerminals Buffer Size Specifying the Telnet Client Session Profile Profiles Types Profile Characteristics Telnet Client Session Characteristics Predefined for Each Profile Page Configuring Individual Telnet Client Session Characteristics Modifying Telnet Session Characteristics Specifying ECHO Characteristics Specifying the BINARY Characteristic Specifying CHARACTER SIZE Mapping Keyboard Characters to Telnet Functions Telnet Keymapping Functions Specifying AUTOFLUSH Specifying AUTOSYNCH Specifying Telnet Client Newline Specifying FLOW CONTROL Specifying MESSAGE VERIFICATION Specifying the SWITCH CHARACTER Specifying a Preferred Terminal Type Managing Access Server User Accounts Minimal Setup for Local User Accounts Optional Setup for Local User Accounts SHOW/LIST/MONITOR USERACCOUNT Display Service Types and Access Levels Service Permissions Access User Account Command Parameters Access Command Variables Managing Users Providing a Contact Name and Access Server Location Specifying Preferred Service for LAT or Telnet Resources Specifying the Port USERNAME Specifying Keys to Switch Between Sessions Defining the Break Key Specifying a Key to Switch to Local Mode Specifying BROADCAST Specifying LOSS NOTIFICATION Specifying Message Codes Specifying VERIFICATION Specifying Lock Displaying Information About the Users Specifying User Groups Page Managing Sessions Initiating a Session to a LAT Service Initiating a Session to an Internet Host Sending Telnet Functions to a Remote Telnet Server Controlling the Number of Sessions Displaying Session Information Page Displaying Session Characteristics Displaying Session Status Page Page Terminating Sessions Page Page Configuring a Port to Offer a LAT Service Configuration Parameters Configuring Access to a LAT Service Assigning a Service Name Enabling Announcements Assigning an Identification String Assigning a Port Name Specifying the Service Password Configuration of Specific Types of Devices As LAT Services Configuring a Personal Computer As a Terminal and LAT Service Configuring a Computer As a LAT Service Configuring a Modem As a LAT Service Configuring a Printer As a LAT Service Setting Up a LAT Remote Print Queue on an OpenVMS Host Page Setting Up a LAT Remote Print Queue on an ULTRIX System Page Configuring a Printer with Unannounced Availability Configuring a Printer with Unannounced Availability Page Verifying the LAT Service Problem Solving Managing Your Access Server As a LAT Node Offering a Service Displaying Information About a Service Displaying Services Characteristics Page Displaying Services Status Page Displaying Services Summary Page Page Page Sample Device Configurations Configuring a Printer for Access Through a Telnet Listener Configuring a Computer for Access Through a Telnet Listener Configuring a Modem for Access Through a Telnet Listener Page Sample Configuration Configuring Personal Computer Access to a Printer Setting User Priority for Devices Using Dynamic Access Configuring a File Transfer Partner Configuring a Remote Print Queue Configuring a TCP/IP Remote Print Queue on an ULTRIX System Printer Port Telnet Server Characteristics Page Configuring a TCP/IP Remote Print Queue on a UNIX System Configuring a Telnet Listener Configuring Telnet Server Session Characteristics Mapping Event Indications to Keyboard Characters Specifying Newline Characteristics Specifying Character Size Page Managing Your Access Server As a Telnet Listener Node Displaying Telnet Listeners Displaying Telnet Server Characteristics Removing a Telnet Listener Removing One of Many Devices Assigned to a Telnet Listener Reassigning a Port Supplying User Location Data to Telnet Servers Configuring a Raw TCP Listener When To Use Raw TCP Configuring Raw TCP Displaying Raw TCP Characteristics Page LPD Operation Supported File Types Control and Data Files Page Page Configuring LPD Configuring Remote Hosts Associating a Printer With a Port Setting Port Characteristics Printer Configuration Example Displaying Printer Characteristics Page Page Page Packet Forwarding to and from SLIP Hosts Network Configuration Containing SLIP Hosts Displaying SLIP Characteristics Displaying SLIP Characteristics Example Managing Internet Addresses for SLIP Hosts How an Access Server Port Obtains the SLIP Host Internet Address Page Managing the Maximum Transmission Unit Changing the MTU Relationship of the TCP Maximum Segment Size and the MTU Fragmentation Configuring a Port So That a PC Can Function as a Terminal or SLIP Host Configuring a Dedicated SLIP Port Configuring a Device As a Dedicated SLIP Host Configuring a Dial-InModem for Use with a SLIP Host Configuring a Dial-InModem on Port 6 for Use with a SLIP Host Establishing Terminal Sessions with a PC Prerequisites Establishing a SLIP Session Enabling a SLIP Session from the PC After Making a Connection Compressed SLIP Enabling CSLIP Disabling CSLIP Automatic CSLIP Compression States Displaying SLIP Counters SHOW PORT SLIP COUNTERS Display SLIP COUNTERS Display Fields Disabling SLIP Disable SLIP Example Page Page Supported SNMP Features Supported Specifications SNMP Community Names Supported SNMP Operations Supported MIBs Supported MIB Variables Page Configuring the Access Server for SNMP Access Enabling and Disabling SNMP Displaying Information About SNMP Default Community Name PUBLIC Configuring a Community Name for Access by Any NMS Configuring a Community Name with an Address Configuring Community Names to Send TRAP Messages Sample SNMP Configuration Disabling TRAP Messages for a Community Name Removing Community Names Removing an Address from a Community Name Configuring the NMS Page Managing Your Access Server As Part of the LAT Network Distributing Devices on Access Servers Controlling the Number of Known Service Nodes Checking LAT Service Accessibility Reducing Memory Usage Viewing LAT Node Status Information Page Viewing LAT Node Counters Information Page Page Viewing LAT Node Summary Information Page Displaying Information About the Access Server Specifying the Prompt Displaying Access Server Counters Page Page Page Page Page Displaying Access Server Status Page Page Page Page Page Displaying Access Server Summary Information Page Checking Port Status and Counters Displaying Port Characteristics Displaying Port Counters Page Displaying Port Status Page Displaying Port Summary SHOW/LIST/MONITOR PORT SUMMARY Display Fields Page Supported ASCII Terminals Definition Definition and Description of a Keyboard Map 3278 Keyboards Server-SpecificKeyboard Maps Configuring Basic 3270 Terminal Emulation Setting Up an ASCII Terminal Terminal Setup Parameters Indicating the 3270 Model Number Specifying the Type of ASCII Terminal Used for Emulation IBM Host Communications Connecting to an IBM Host Entering and Editing Data Status Line Indicator Page Status Line Indicator Display Displaying and Customizing Keyboard Maps Server-WideKeyboard Maps Customization Default Server-WideTerminal Types and Keyboard Maps Defining New Server-WideTerminal Types and Keyboard Maps Customizing Server-WideKeyboard Maps Page Selecting and Customizing Keyboard Maps for a Port Keyboard Map and Terminal Type Customizing a Default Keyboard Map for a Port Page ASCII-to-EBCDICand EBCDIC-to-ASCIITranslation Tables Guidelines for Managing the Use of NVRAM for TN3270 Storage Requirements for TN3270 Definitions in NVRAM TN3270 Commands That Free NVRAM Space Limiting NVRAM Usage Commands to Manage TN3270 Terminal Emulation TN3270 Access Server Characteristics TN3270 Port Characteristics SHOW Commands Page Page Enabling PPP on an Access Server Port Enabling PPP for Mixed Traffic Enabling Dedicated PPP Traffic Enabling Ports with Modems for PPP Establishing and Ending a PPP Session Using the CONNECT PPP Command Displaying PPP Characteristics Displaying LCP Characteristics Page Displaying IPCP Characteristics Page Page ATCP Characteristics Page Displaying PPP Status Displaying LCP Status Page Displaying IPCP Status Page Displaying ATCP Status Page Displaying PPP Counters Displaying LCP Counters Page Displaying IPCP Counters Page Displaying ATCP Counters Page Page Page IPX Description Access Server Configuration Page Getting Started Checklist Hardware and Software Requirements Software Requirements Hardware Requirements Setting Up Your PC PC Remote Access Software Novell Workstation Software Novell Utilities for Local Execution Setting Up the Network Access Server Enabling IPX Configuring the Port for an Attached Device Configuring the Port for the Login Method Configuring the Port for Login to the Local Prompt Configuring the Port Dedicated to PPP Configuring the Port for PPP/IPXCP Data Link Page Summary of DECserver IPX Management Commands Port PPP IPX Commands for LCP Port PPP IPX Commands for IPXCP Port PPP Commands for PPP Negotiation Status Server IPX Commands Page Modem Considerations Dial-InModems Dial-OutPC Modems Page Novell Client/Server Operation Establishing Remote Node Access Connection to Novell Network Novell Operation Page Operational Checkout and Diagnosis Verifying Configuration Disabling IPX Using the DEFINE Command Frame Types Standard Ethernet RAW802 SAP802 SNAP802 Displaying IPX Characteristics Using the SHOW command IPX Characteristics Display IPX Characteristics Display Fields Page Displaying IPX Status Using the SHOW IPX Command IPX Status Display Fields in the IPX Status Display Displaying IPX Counters Use the SHOW IPX COUNTERS command IPX Counters Display IPX Counters Display Fields Page Page Displaying IPX Routes Using the SHOW IPX ROUTES Command IPX Routes Display IPX Routes Display Fields Resetting Counters Using the ZERO Command ZERO Command Options Page Page Dial Services Command Groups Command Groups Entering the SET PRIVILEGED command Checking the Current Server Settings Server Configuration Display Defining a Dialer Script Defining Dialer Script Strings Page Assigning the Dialer Script to a Port Steps Determining the Current Dialer Script Assigning a Dialer Script to a Port Verifying Dialer Script Configuration Defining the Dialer Service Showing the Current Dialer Service Characteristics Showing Dialer Service Status Page Displaying Dialer Counters Modifying the Dialer Service Page Page Configuring Interactive Dial Requests Configuring for Interactive Dial-Back Interactive Dial-Back(Dial Service) Example Framed Dial Requests Changing PPP Characteristics Examples Guidelines Page Page Page Security Type Descriptions Kerberos RADIUS SecurID User Accounts Common Terminology Across Security Realms Accounting Host Authentication Host Default Realm Login Retries and Timeouts Security Server UDP Ports Managing Kerberos Configuration Prerequisites Configuration of User Authentication Page Page User Authentication Procedure Changing a User Name and Password User Authentication Counters Page Managing RADIUS Minimal Setup for RADIUS Optional Setup for RADIUS RADIUS User Authorizations User Access to the Access Server Setting User Permissions Additional RADIUS Attributes Page Page Page Page Optional RADIUS User Attributes Managing SecurID Minimal Setup for SecurID Optional Setup for SecurID SecurID User Authorizations Page Managing Local Access Server Security Defining the Realm Determining Security Configuration Displaying RADIUS, SECURID, and KERBEROS Characteristics Page Displaying Security Summary Showing the Authentication Counters Showing the User Port Authorization Profile Showing Security Counters Managing Dial-UpAccess Security with AUTOLINK and AUTOLINK Authentication Activating AUTOLINK Enabling AUTOLINK Authentication Specifying an Authentication Method Setting AUTOLINK Timers Timeouts Using a Login Script Specifying Other Security Features Specifying Dedicated Service for LAT or Telnet Resources Specifying Passwords Specifying PASSWORD LIMIT Page Page Page Accounting Description Accounting Log File What Events Are Logged Contents of Log Entry Types Event Field Descriptions Page Page Page Page When Events Are Logged Login Events Logout Events Session Connect Attempt Events Session Disconnect Events Password Modified Events User Privilege Level Modified Events SNMP Community Modified Events Managing Accounting Defining the Accounting Log Size Changing the Accounting Threshold Changing the Accounting Console Displaying Accounting Characteristics Displaying the Accounting Log Using the Accounting Console Logging Feature LAT Remote View of the Accounting Log Page Cable and Adapter Hardware Cable and Adapter Table Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Symbols Numbers