Managing Access Server Security
Managing SecurID
Introduction
The Security Dynamics ACE/Server software performs dynamic two-factor
SecurID authentication. Dynamic two-factor authentication combines something
the user knows—a memorized personal identification number (PIN)—with
something the user possesses—a randomly generated access code that changes
every 60 seconds. The second factor is the tokencode generated by the SecurID
token. This combination of PIN and tokencode represents a one-time passcode
and is transmitted to the ACE/Server software for verification.
The ACE/Server security environment is composed of four components. These
are:
1. ACE/Server software running on a UNIX platform
2. (Optional) slave ACE/Server software running on a UNIX platform
3. Access server running CNAS V2.0 or greater
4. SecurID tokens used by users when they attempt to access the
ACE/Server-protected ACE/Clients
SecurID utilizes two types of hosts: master and slave. When setting up a SecurID
realm, specify the master host by using the command SET PRIMARY host-name.
You can specify the slave host using the command SET HOST host-name.
Although the access server does allow you to configure multiple slave hosts, you
should not do this.
Using the SECRET Keyword
The SECRET in the SecurID REALM is not specified by the user, but rather is
filled in the first time the realm is used to authenticate a user. After that, you can
clear it by using the NOSECRET qualifier in the CHANGE SECURID REALM
command. If you clear it or if you delete the realm and then re-create it, you must
reset the client on the authentication server side using the SecurID server
administrator program.
SecurID Prompts
The default prompt for SecurID is ENTER PASSCODE>. This default is set when
you create a new realm. This is the standard SecurID prompt.










