Enterasys Networks CSX6000 User Guide
Central Site Remote Access Switch 169
C
ONFIGURING
S
ECURITY
L
EVEL
User Level Security
The following sections provide information regarding authentication via SecurId cards, system
requirements for user level security, and the authentication process with user level security.
requirements for user level security, and the authentication process with user level security.
A
UTHENTICATION
U
SING
A
S
ECURITY
T
OKEN
C
ARD
The CyberSWITCH supports interactive, user level security through the TACACS or ACE server
programmed for use with security token cards. Token cards are credit card-sized devices. These
cards are widely used throughout the computer industry for authentication. This concept of
authentication is now available to ISDN connections via the CyberSWITCH. The CyberSWITCH
version of user level security supports a security token card called SecurID, provided by Security
Dynamics.
programmed for use with security token cards. Token cards are credit card-sized devices. These
cards are widely used throughout the computer industry for authentication. This concept of
authentication is now available to ISDN connections via the CyberSWITCH. The CyberSWITCH
version of user level security supports a security token card called SecurID, provided by Security
Dynamics.
The SecurID card works on a “passcode” concept, which consists of two factors:
•
•
a known value (the device’s password)
•
a dynamically-generated value (from the SecurID card)
Note:
For more information specific to the SecurID card, refer to the documentation provided by
Security Dynamics Technologies Inc.
Security Dynamics Technologies Inc.
The user is prompted for the passcode value at login. The following description illustrates how the
user level authentication process works:
user level authentication process works:
The CyberSWITCH provides user level security by having the remote user establish a Telnet
connection to the system. While the remote user is being authenticated, a data filter is placed on the
connection. This filter only allows the Telnet session traffic to flow over the connection between the
user and the CyberSWITCH. During the Telnet session, the system collects user information (user
Id, password and maybe dynamic password) and requests authentication from the configured
server. Once the user is authenticated, the data filter is removed from that connection. All remote
user data is now forwarded on the connection.
connection to the system. While the remote user is being authenticated, a data filter is placed on the
connection. This filter only allows the Telnet session traffic to flow over the connection between the
user and the CyberSWITCH. During the Telnet session, the system collects user information (user
Id, password and maybe dynamic password) and requests authentication from the configured
server. Once the user is authenticated, the data filter is removed from that connection. All remote
user data is now forwarded on the connection.
If the user fails to be authenticated, the connection is released. The user must establish a new
connection and perform validation again.
connection and perform validation again.
If the ISDN connection is released by either the ISDN network or by the remote device, the system
treats this as a new authentication session and starts the validation sequence over.
treats this as a new authentication session and starts the validation sequence over.
Note that when a user establishes the Telnet connection to the CyberSWITCH, the user needs to
Telnet into a special TCP port configured for the type of authentication the user wishes to use. For
example, to get validated through the TACACS authentication server, the user needs to Telnet into
port 7000 (the default value for the TACACS port). Different port numbers are used for other types
of authentication servers such as RADIUS or ACE.
Telnet into a special TCP port configured for the type of authentication the user wishes to use. For
example, to get validated through the TACACS authentication server, the user needs to Telnet into
port 7000 (the default value for the TACACS port). Different port numbers are used for other types
of authentication servers such as RADIUS or ACE.
The following picture shows the relationship between the security server, an end user, and the
computer that prompts for the input. The security clients and the security server communicate with
each other using some special protocol, such as TACACS.
computer that prompts for the input. The security clients and the security server communicate with
each other using some special protocol, such as TACACS.