HP-UX AAA Server A.07.01 Administrator's Guide

23 Using SecurID
IMPORTANT: SecurID authentication is deprecated in this release and will be
obsolete in the next release of the HP-UX AAA Server. SecurID authentication can
be replaced by Open AuTHentication (OATH) standards-based One-Time Password
(OTP) authentication. OATH is an industry-wide collaboration to develop an
open reference architecture for strong authentication. The OATH standards-based OTP
authentication solution supports hardware and software tokens from multiple vendors.
For more information on the OATH standards-based OTP authentication solution, see
Chapter 16 (page 162).

The AAA Server supports RSA SecurID® authentication for users configured
with the SecurID authentication type. The AAA server forwards SecurID
authentication requests to an ACE/Server.

Authentication Of Users

To gain access to a SecurID protected system, a user must enter a valid SecurID
PASSCODE. A SecurID PASSCODE consists of the following parts:
• A Personal Identification Number (PIN)
• The current code generated by a token assigned to the user

The RSA ACE/Server works with SecurID tokens to authenticate the identity of users.
Most SecurID tokens are small, handheld devices containing microprocessors that
calculate and display unpredictable codes. These codes change at specified intervals,
typically 60 seconds. User tokens are time synchronized with the ACE/Server so that
the pseudorandom code displayed by a user's token is the same code the ACE/Server
software has generated for that time interval. To determine if an access attempt is valid,
the ACE/Server compares the code it has generated with the code a user enters as the
user's current SecurID code. If the codes do not match or if the wrong PIN is entered,
the user is denied access. For further information on SecurID tokens, refer to your
ACE/Server documentation.
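
The server-side check described above, as an added example that is not code from HP or RSA: this guide does not describe the SecurID token algorithm, so the sketch substitutes OATH TOTP (RFC 6238), the standard the note at the top of this chapter names as the replacement. The 6-digit code length, the PIN-then-code layout, and the seed, PIN and clock values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # code lifetime; the guide gives 60 seconds as typical
DIGITS = 6         # assumed tokencode length


def tokencode(seed: bytes, unix_time: int) -> str:
    """OATH TOTP (RFC 6238, HMAC-SHA1) for the interval containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_passcode(passcode: str, pin: str, seed: bytes, server_time: int) -> bool:
    """Server side: accept only if the PIN and the current interval's code both match."""
    expected = pin + tokencode(seed, server_time)  # assumed layout: PIN, then code
    # One constant-time comparison over the whole PASSCODE, so a rejection
    # does not reveal whether the PIN or the code was the wrong part.
    return hmac.compare_digest(passcode.encode(), expected.encode())


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed seed (the RFC 4226 test secret)
    pin = "4321"                    # constructed PIN
    now = 75                        # constructed server clock, second interval
    current = pin + tokencode(seed, now)
    stale = pin + tokencode(seed, now - STEP_SECONDS)
    print("current interval:", verify_passcode(current, pin, seed, now))
    print("previous interval:", verify_passcode(stale, pin, seed, now))
    print("wrong PIN:", verify_passcode("0000" + current[4:], pin, seed, now))
```
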
When a user configured for SecurID authentication is being authenticated by a NAS,
the NAS will send an Access-Request message to the AAA Server. The SecurID AATV
provides ACE/Agent functionality for the AAA server. The SecurID AATV translates
RADIUS protocol messages from the AAA server into SecurID requests and forwards
these requests on to the ACE/Server. The SecurID AATV translates SecurID responses
from the ACE/Server to RADIUS protocol messages and forwards these messages back
to the AAA server.