SecurID Installation

Introduction

This chapter is an overview of the installation and configuration of SecurID when used with RADIUS 2.0. It serves as a quick reference guide for the ACE/Server and ACE/Client software. Refer to the Security Dynamics manual set for future ACE/Server software releases and detailed features of SecurID.

Note - Livingston Technical Support does not provide support for the ACE/Server and ACE/Client installation and configuration. Please contact Security Dynamics Technical Support at (617) 547-7820. Livingston Technical Support provides support for RADIUS when used in conjunction with SecurID after the sdshell utility has verified that the ACE/Server is working properly.

The ACE/Server and ACE/Client software version 2.1.1 is supported on the following platforms:

The Security Dynamics authentication system (generally referred to as SecurID) consists of the following components:

ACE/Server authentication server
Stores usernames and serial numbers of tokens and performs calculations to verify the identity of users.
ACE/Server client
Machine generating the SecurID authentication attempt.
Token
A small, handheld device that generates a random number. A new number is generated and displayed every 60 seconds. There are three types of tokens supported in SecurID: the standard SecurID card, the SecurID Key Fob, and the SecurID PINPAD.
PASSCODE
A two-part password, consisting of a memorized personal identification number (PIN) followed by the current number displayed on the token.

Note - In order to use RADIUS with SecurID, the ACE/Server software must be running on the same UNIX host as the RADIUS server. If the ACE/Server software is installed on a different machine, then the RADIUS server must be an ACE/Server slave.

When SecurID is used with RADIUS, a connection proceeds as follows:

  1. A remote user initiates a connection by dialing into the PortMaster.
  2. The PortMaster prompts for the user's username and password.
  3. The user enters a username. At the password prompt, the user enters a PASSCODE (PIN followed by the currently displayed number on the token).
  4. The PortMaster forwards this information to the RADIUS server for authentication.
  5. The RADIUS server examines the user file, scanning for the appropriate username. When the entry is located, it is examined to determine the user's authentication method.
  6. When the RADIUS server discovers that the authentication method is SecurID, it forwards the username and PASSCODE to the ACE/Server for authentication.
  7. The ACE/Server examines its database for the username and serial number of the user's token. It uses the serial number to verify the PASSCODE entered by the user. It also verifies that the time on the token is synchronized with the ACE/Server.
  8. The ACE/Server sends the result of the database lookup (identity verified or not verified) to the RADIUS server.
  9. If the user's identity was verified by the ACE/Server, the RADIUS server sends an access-accept message to the PortMaster along with the additional information from the RADIUS user entry. If the ACE/Server rejects the user's PASSCODE, the RADIUS server sends an access-reject message to the PortMaster.

SecurID Installation

The SecurID software package consists of a number of applications and utilities. This section covers the installation and use of two components, Progress and ACE/Server, and two utilities, sdshell and sdadmin.

SecurID software is not shipped with the PortMaster. This software must be ordered directly from Security Dynamics at (617) 547-7820.

Progress

Progress is an application development environment; this software must be installed before any additional SecurID software may be installed. In order to run Progress software with ACE/Server version 2.1.1, the Progress software version must be V7.3C01 or later.

Progress requires serial and control numbers for installation. Have these numbers available before beginning the installation.

To install Progress, follow the instructions in the Progress Installation Notes shipped with the Progress software. Note that Progress installs its software using the proinst utility, which must be run in an xterm window. To display an xterm on SunOS or Solaris, use the following command:

/usr/openwin/bin/xterm &

ACE/Server

The RADIUS 2.0 server is compatible with ACE/Server version 1.3 or higher. To install ACE/Server and the ACE/Server client software, complete the following steps:

  1. Log in as root.
  2. Read the ACE/Server tape into the ace_install directory of the ACE/Server machine.
  3. ACE/Server installs its software using the sdsetup utility. If you are installing ACE/Server 2.0.1 on SunOS 4.1.4 or Solaris 2.5, the check_os_version subroutine of sdsetup must be modified to add the 4.1.4 or 2.5 string. If the appropriate string is not added, sdsetup aborts and displays an "unsupported OS" message.

    Change the check_os_version subroutine of sdsetup to contain the following lines:

    case "$SUN_OS" in
    '4.1.3' | '4.1.4' ) VALID_OS=TRUE;;
           *          ) VALID_OS=FALSE;;
    esac

    case "$SOL_OS" in
    '5.3' | '5.4' | '5.5' ) VALID_OS=TRUE;;
           *              ) VALID_OS=FALSE;;
    esac
    
  4. Run sdsetup to install ACE/Server.

    sdsetup cannot be run while the sdconnect process or aceserver daemon are running. Stop these processes before attempting to run sdsetup.

    ace_install/sdsetup

    The ACE/Server software is typically installed on the same machine as the RADIUS server. To run ACE/Server on a different machine, the RADIUS server must be configured as an ACE/Server slave. See the ACE/Server Installation and Configuration Guide from Security Dynamics for instructions on configuring the ACE/Server Slave.

  5. The sdsetup utility stops during the installation; at this point, add the SecurID UDP port number to the /etc/services file as follows:
    securid		5500/udp		#ACE/Server
    securidprop	5100/udp		#ACE/Server Slave
    

    To configure a slave server in addition to a master server, add the securidprop entry. If you are using NIS or NIS+, add these entries to the services NIS map on your NIS master and push the maps.

    Note - Pushing the maps updates the database to include recently-entered information. Use the make services command on the NIS Master. For more details, consult your UNIX system documentation.

  6. Continue sdsetup to install the ACE/Server client software. Complete instructions are given in Part 2 of the ACE/Server Installation and Configuration Guide.

sdadmin

sdadmin is an ACE/Server administration utility. Using sdadmin, a system administrator can add and delete users, assign PINs and tokens, and monitor network activity. sdadmin may be run in GUI (the default) or character mode.

To use sdadmin, complete the following steps:

  1. Ensure that you are in the directory that contains the ACE/Server files. By default, ACE/Server software is installed in the /usr/ace directory.
  2. Start the database broker (sdconnect) as root.
    /usr/ace/sdconnect start

    To stop the database broker, use the sdconnect stop command.

  3. Start the ACE/Server daemon using the following command:
    /usr/ace/aceserver start

    To stop ACE/Server, use the aceserver stop command.

  4. To automatically start the ACE/Server processes (sdconnect and aceserver) after the host is rebooted, add the following lines to /etc/rc.local or equivalent boot file of your UNIX system:
    if [ -x /usr/ace/aceserver ]; then
    	/usr/ace/aceserver stop
    	/usr/ace/sdconnect stop
    	/usr/ace/sdconnect start
    	/usr/ace/aceserver start
    else
    	echo "Cannot start aceserver"
    fi
    
  5. Launch sdadmin in GUI or character mode. Character mode requires the use of the -c switch, shown below.
    /usr/ace/sdadmin &
    or
    /usr/ace/sdadmin -c &
    

    To run sdadmin in GUI mode, the host's window environment must be an implementation of X11R5 or later. If you are running SunOS on a SPARCstation, Sun OpenWindows is an X11R4 implementation; therefore, the GUI sdadmin utility cannot be displayed. To use the GUI sdadmin, the X11R5 kit (shipped with the ACE/Server software) must be installed. See Part 1 of the ACE/Server Installation and Configuration Guide for instructions.

  6. Using the instructions in the ACE/Server Administration Manual, add users to the database, activate users on the client, and assign tokens to the users.
  7. Choose a method of PIN assignment using the instructions in the "Pin Administration" chapter of the ACE/Server Administration Manual. Note that PINs may be assigned using RADIUS.

sdshell

sdshell is an ACE/Server client utility used to assign new PINs to users. It can also be used as a troubleshooting method to verify ACE/Server client/server communication before configuring RADIUS.

To execute sdshell, the sdconnect and aceserver daemons must be running.

To use sdshell, assign tokens to each user (see the previous section) and instruct a user to log into his or her account and run sdshell. sdshell runs through a PIN assignment sequence, as displayed in the next example.

Instruct the user to enter a new PIN or press Return to have a PIN automatically generated. Whether a user's PIN is user-generated or system-generated is configured for that user when the user is added to the ACE/Server database.

% sdshell
Enter PASSCODE:

Enter your new PIN, containing 4 to 8 digits,
	or
Return to generate a new PIN and display it on the screen,
	or
Ctrl d to cancel the new PIN procedure:

Please re-enter new PIN:

Wait for the code on your token to change, then log in with the new PIN

Enter PASSCODE:
PASSCODE Accepted

The PIN options in sdshell (user-selected or system-generated) may vary, depending on how the PIN mode is configured. See the "Pin Administration" chapter of the ACE/Server Administration Manual for configuration instructions.

If the user's new PASSCODE is accepted, communication between the ACE/Server client and server is successful. Proceed to the next section, "RADIUS Configuration."

Note - Livingston Technical Support does not provide support for ACE/Server and ACE/Client installation and configuration problems. Please contact Security Dynamics Technical Support at (617) 547-7820. Livingston Technical Support provides support for RADIUS when used in conjunction with SecurID after the sdshell utility has verified that the ACE/Server is working properly.

RADIUS Configuration

Each SecurID user must have an entry in the RADIUS users file or must use a DEFAULT entry. In the entry, the Auth-Type check item must be SecurID, as shown in the following example:

DEFAULT		Auth-Type = SecurID
		Service-Type = Framed-User,
		Framed-Protocol = PPP,
		Framed-Address = 255.255.255.254,
		Framed-Routing = None,
		Framed-MTU = 1500

Users authenticated using this DEFAULT entry must be activated and assigned a token card using the ACE/Server sdadmin utility, as discussed in the previous section.
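The lookup in step 5 of the connection flow (the user's own entry first, otherwise DEFAULT, then the Auth-Type check item decides the authentication method) as an added example written for this page; it is not code from Livingston RADIUS. The sample users file is constructed: the DEFAULT entry is the one shown above, while the `alice` and `carol` entries, their addresses and `Auth-Type = System` are made-up values used only to show a per-user entry and a non-SecurID entry being told apart.

```python
import re

# Constructed sample users file: the DEFAULT entry is the one quoted in this
# chapter; alice and carol are made-up entries added to exercise the lookup.
SAMPLE_USERS_FILE = """\
alice\t\tAuth-Type = SecurID
\t\tService-Type = Framed-User,
\t\tFramed-Protocol = PPP,
\t\tFramed-Address = 192.168.1.20

carol\t\tAuth-Type = System
\t\tService-Type = Login-User

DEFAULT\t\tAuth-Type = SecurID
\t\tService-Type = Framed-User,
\t\tFramed-Protocol = PPP,
\t\tFramed-Address = 255.255.255.254,
\t\tFramed-Routing = None,
\t\tFramed-MTU = 1500
"""

# One "Attribute = value" pair; a value is either quoted or runs up to the next comma.
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')


def parse_items(text):
    """Turn 'Attr = value, Attr = "quoted value"' into a dict."""
    return {name: value.strip().strip('"') for name, value in ITEM_RE.findall(text)}


def parse_users(text):
    """Parse a users file into {name: (check_items, reply_items)}.

    A line starting in column one names a user and carries its check items;
    the indented lines that follow it carry the reply items for that user.
    """
    entries, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            current = None                  # a blank line ends the entry
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("line %d: reply items with no user line" % lineno)
            current[1].update(parse_items(raw))
        else:
            name, rest = (raw.split(None, 1) + [""])[:2]
            current = entries[name] = (parse_items(rest), {})
    return entries


def lookup(entries, username):
    """Step 5 of the connection flow: the user's own entry, else DEFAULT."""
    return entries.get(username) or entries.get("DEFAULT")


def auth_type(entries, username):
    """The Auth-Type check item that decides how the user is authenticated."""
    entry = lookup(entries, username)
    return entry[0].get("Auth-Type") if entry else None
```

With the sample file, `auth_type(entries, "bob")` resolves through DEFAULT to `SecurID`, which is the point at which the RADIUS server hands the username and PASSCODE to the ACE/Server (step 6).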

When user bob dials into the PortMaster, the following prompts are displayed:

login: <enter username>
Password: <enter PIN number followed by a token code>

New PIN Assignment Using RADIUS

When a new user is added to the ACE/Server database, a token card is assigned to the user. If the token card does not have a PIN number, the user is put in a New PIN mode by the ACE/Server during the first connection attempt. To be authenticated in this mode, the user must select a PIN number.

Users may be forced into New PIN mode by the ACE administrator if the user has forgotten the PIN number or an attacker has learned the PIN number.

A user in New PIN mode can assign the PIN through RADIUS while dialing into the network. Refer to the "Pin Administration" chapter of the ACE/Server Administration Manual for more information on New PIN mode.

User-Generated PIN

When a user in New PIN mode is forced to create a PIN number via RADIUS, the "New PIN required" prompt appears to instruct the user to enter a PIN number.

login: bob
Password: <token code>
New PIN required: 1234

In the above example, when user bob dials into the network, he enters his login name at the login prompt. At the Password prompt, he enters the token code, and the PortMaster sends an access-request to the RADIUS server. The ACE/Server looks in its database and recognizes that bob is a New PIN mode user, so the RADIUS server sends an access-challenge to the PortMaster, which displays the New PIN required prompt asking bob to enter a PIN.

After bob enters his PIN number, the RADIUS server responds with the following message:

New PIN Accepted:  Wait for the next card code to login
Password:

In the subsequent login, at the Password prompt, bob's password would be a PIN number followed by a token code.

System-Generated PIN

The ACE/Server provides a system-generated PIN using the sdshell utility described above. sdshell displays the number on the screen for the user to memorize.

Note - sdshell displays the system-generated PIN for only 10 seconds. After the PIN number disappears, it cannot be viewed again.

When dialing into the network, the user enters his system-generated PIN at the "New PIN required:" prompt.

Next Cardcode

If a user enters a valid PIN and an invalid token code, the Next Cardcode prompt is displayed. This prompt also appears if the user's token card is not synchronized with the ACE/Server.

If an authorized user's token card is not synchronized with the ACE/Server, the user must wait until the token code changes, then enter the new token code number at the Next Cardcode prompt. After the system verifies the second token code, the user is authenticated.

If an unauthorized user enters a stolen PIN followed by a guessed token code, he is given three opportunities to enter the correct token code. If three invalid token codes are entered, the unauthorized user is disconnected.

login: bob
Password: <PIN number followed by invalid token code>
Next Cardcode:

In the above example, bob has entered a valid PIN number followed by an invalid token code. The Next Cardcode prompt appears, indicating that bob's token card is not synchronized with the ACE/Server. Bob must wait for 60 seconds for a new token code, then enter this code at the Next Cardcode prompt.

Troubleshooting

Progress version V7.3C01 has some known bugs that may cause problems during SecurID installation. This section covers the three bugs that you are most likely to encounter and suggests solutions for them. If you still have problems after trying these solutions, contact Security Dynamics Technical Support at (617) 547-7820.

sdadmin Cannot Find First Token

When sdadmin is launched for the first time, the error message "cannot find first token, database may be empty" may appear. To correct this problem, complete the following steps:

  1. Log in as root.
  2. Execute sdnewdb, located in the /usr/ace directory:
    /usr/ace/sdnewdb
  3. Choose the Select All option to create a new server and log databases.
  4. Each batch of token cards from Security Dynamics is accompanied by a file. The file name consists of a 6-digit number and the .asc suffix. Run the sdimport utility to read the serial numbers of the token cards into the database.
    /usr/ace/sdimport filename.asc
  5. Re-launch sdadmin using either of the following commands:
    /usr/ace/sdadmin &
    or
    /usr/ace/sdadmin -c &
    

sdserv.bi and sdlog.bi Consume Too Much Disk Space

The sdserv.bi and sdlog.bi files (located in the /usr/ace directory) occasionally need to be truncated. If they are not truncated, they may consume too much disk space and cause problems for the ACE/Server database. To truncate these files, use the following commands:

/usr/dlc/bin/_proutil -c truncate sdserv.bi
/usr/dlc/bin/_proutil -c truncate sdlog.bi

sdadmin Runs out of Memory

When sdadmin is executed on Solaris 2.4 or HP/UX 9.03 hosts, an "out of memory" message is displayed. To correct this problem, complete the following steps:

  1. Add the kernel parameters shown in the following example to the /etc/system file on the ACE/Server host.
    set semsys:seminfo_semmni=64
    set semsys:seminfo_semmns=200
    set semsys:seminfo_semmnu=100
    set semsys:seminfo_semmsl=50
    
    set shmsys:shminfo_shmmax=16777216
    set shmsys:shminfo_shmmni=100
    set shmsys:shminfo_shmseg=16
    
  2. Reboot the host using the following command:
    reboot -rv

© Copyright 1996, Livingston Enterprises, Inc. Revised Wednesday January 28, 1998 18:12 EST