Using and Configuring Features Version 3.4

Using Local or Remote Authentication

Authentication is the process of determining who a user (or entity) is. Authenticating user access for the PPP protocol on the 2216 extends the flexibility of user profile management as it relates to PPP authentication protocols PAP, MSCHAP, CHAP, and SPAP. See 'PPP Authentication Protocols' in Nways Multiprotocol Access Services Software User's Guide for additional information about configuring PAP, MSCHAP, CHAP, and SPAP.

Authentication can be configured locally or can be configured to consolidate user configuration using authentication servers that are available on the network to service authentication requests for the entire network. The IBM 2216 implements locally maintained authentication as well as the following authentication server protocols:

Radius
TACACS
TACACS+

Using Authentication, Authorization, and Accounting (AAA) Security

Authentication, Authorization, and Accounting (AAA) Security are configurable protocols that allow you to control access to your services. You can configure AAA to perform for local or remote authentication.

You can configure a security protocol for the following types of functions:

PPP links
Login users (Telnet/Console Login)
Tunnels

The configuring is done by setting a primary and secondary server. The server information is configured and stored separately from the AAA configuration. You use a server profile by a name that is provided at configuration time.

Under all circumstances accounting cannot be done locally and must be either Radius or TACACS+.

Authorization can only be done locally, or through remote authentication that uses Radius or TACACS+.

What is AAA Security?

AAA Security is the name of the security system for this device. It includes:

Authentication

The process of identifying a user. Authentication utilizes a name and a password for access.

Authorization

The process of determining the services to which a user is allowed access.

Accounting

The process of recording when a user has started or stopped a session. There are two types of accounting records supported.

Start records: Indicates that a service is about to begin.
Stop records: Indicates that a service has ended.

Using PPP

For the Point-to-Point Protocol (PPP) you can configure the following:

Authentication
Authorization
Accounting

Each function can have its own security protocol that you configure independently.

Setting the authentication protocol will have no effect on authorization or accounting.
Setting the authorization protocol will have no effect on authentication or accounting.
Setting the accounting protocol will have no effect on authentication or authorization.
Setting AAA to remote will set authentication to remote, authorization to remote and set accounting to remote.
Setting AAA to local will set authentication to local and authorization to local. You cannot disable authentication or authorization.

See Point-to-Point Configuration Commands in Nways Multiprotocol Access Services Software User's Guide for details about the PPP configuration commands that you use in this environment.

Valid PPP Security Protocols

The following are valid PPP security protocols:

Authentication Methods: Local, RADIUS, TACACS+, TACACS
Authorization Methods: Local, RADIUS, TACACS+
Accounting Methods: RADIUS, TACACS+

Table 27. Set PPP Security Protocols

Action	Authent	Author	Acct
set AAA local	local	local	ignore
set AAA remote	remote	remote	remote
set AUTHENT local	local	ignore	ignore
set AUTHOR local	ignore	local	ignore
set AUTHENT remote	remote	ignore	ignore
set AUTHOR remote	ignore	remote	ignore
set ACCOUNTING remote	ignore	ignore	remote
disable ACCOUNTING	ignore	ignore	disabled

Using Login

For AAA login configuration, either remote or local can be selected. If local authentication is desired, then Local authorization must also be used. If remote authentication is selected, then, remote authorization must be used. Accounting is not supported locally, so when authenticating and authorizing locally you must disable accounting.

Attention:

If a remote authentication server does not respond, it is possible to use a local login userid and password when login-of-last-resort is enabled. This allows a single local login attempt if the remote authentication times out. Also, if tech-support-bypass is enabled, the tech support id and password can be used to login and will not transmit the request to the authentication server.

It is important to specify a privilege level when using remote authentication. Login users can enter a correct userid and password, but without a privilege specified the user cannot access the console. Three privilege levels can be set: administrator, operator, and monitor. For RADIUS, either use the SERVICE-TYPE attribute number 6 or add a vendor attribute number 216. See Appendix A, Remote AAA Attributes for details about specific RADIUS attributes.

When configuring remote authentication, you can set authorization to another remote authorization protocol Radius or TACACS+, and set accounting to use Radius or TACACS+.

Setting AAA to local sets authentication to local, authorization to local, and accounting to disabled.
Setting AAA to remote sets authentication to remote, authorization to remote, and accounting to remote.
Setting the authentication protocol to local automatically sets the authorization protocol to the same and disables accounting.
Setting the authentication protocol to remote automatically sets the authorization protocol to the same only if the authorization protocol is set to local and ignores the accounting protocol.
Setting the authorization protocol to remote automatically sets the authentication protocol to the same only if the authentication protocol is set to local and ignores the accounting protocol.
Setting the accounting protocol to remote automatically sets authentication protocol to same only if the authentication protocol is set to local, and sets the authorization protocol to the same only if authorization is set to local.
Setting the accounting protocol to disable has no effect on the authentication or authorization protocol.
Disabling authentication or authorization is not allowed.

Valid Login/Admin Security Protocols

The following are valid Login/Admin security protocols.

Authentication/Authorization Methods: Local, RADIUS, TACACS Plus
Accounting Methods: RADIUS, TACACS Plus

Table 28. Set Login Security Protocols

Action	Authent	Author	Acct
set AAA local	local	local	disabled
set AAA remote	remote	remote	remote
set AUTHENT local	local	local	disabled
set AUTHOR local	local	local	disabled
set AUTHENT remote	remote	remote, if local else ignore	ignore
set AUTHOR remote	remote, if local else ignore	remote	ignore
set ACCOUNTING remote	remote, if local else ignore	remote, if local else ignore	remote
disable ACCOUNTING	ignore	ignore	disabled

Using Tunnels

Set tunnel authentication the same as tunnel authorization. When you set tunnel authentication to either local or remote, you can then enable accounting. The tunnel authorization and authentication server must be the same.

The tunnel configuration for accounting also applies to IPSec tunnels. The tunnel authentication and authorization does not apply to IPSec tunnels. You cannot do authentication or authorization for IPSec tunnels using AAA.

Valid Tunnel Security Protocols

The following are valid Tunnel security protocols:

Authentication/Authorization Methods: Local, RADIUS
Accounting Methods: RADIUS, TACACS Plus

Table 29. Set Tunnel Security Protocols

Action	Authent	Author	Acct
set AAA local	local	local	ignore
set AAA remote	remote	remote	remote
set AUTHENT local	local	local	ignore
set Author local	local	local	ignore
set AUTHENT remote	remote	remote	ignore
set AUTHOR remote	remote	remote	ignore
set ACCOUNTING remote	ignore	ignore	remote
disable ACCOUNTING	ignore	ignore	disabled

Password Rules

Local authentication allows you to use a password to control login access. The password can be checked against any or all of the following rules.

Note:

The following rules only apply for PPP user login and not console login.

Be a minimum number of characters in length. You set the number of characters required.
Contain at least one alphabetic character.
Contain at least one non-alphabetic character.
Contain a non-numeric character in the first position.
Contain a non-numeric character in the last position.
Contain no more than three identical consecutive characters that were used in the previous password.
Contain no more than two consecutive characters.
Not contain the userid as a part of the password.
Not the same as any of the previous three passwords.
Be changed after a certain number of days. You set the number of days between password changes.
Locked out after a specific number of login failures. You set the number of failures.

Understanding Authentication Servers

An authentication server is a server in the network that validates userids and passwords for the network. If a device is configured for authentication through an authentication server and the device receives a packet from an authentication protocol, the device passes a userid and password to the server for authentication. If the userid and password are correct, the server responds positively. The device can then communicate with the originator of the request. If the server does not find the userid and password that it receives from the device, it responds negatively to the device. The device then rejects the session from which it got the authentication request.

SecurID Support

The 2216 can authenticate dial-in clients that use SecurID with a Security Dynamics ACE/Server. This support uses TACACS, TACACS+, or RADIUS on the ACE/Server for authentication of the client. Configure the dial-in client the same as other dial-in clients on the 2216.

The dial-in client logs on as usual, but uses the SecurID passcode for the password. The SecurID passcode consists of a 4 to n-digit PIN number that is followed by the number from the SecurID token card. (The maximum number of digits in the PIN depends on the server.) The userid and password could appear as:

Figure 25. SecurID Username and Passcode

               .--------------------------.
     Username: | John Customer            |
               '--------------------------'
               .--------------------------.
     Password: | 1234098765               |
               '--------------------------'

When the ACE/Server authenticates the logon, it may request the next token from the client. The next token is the next token on the token card. The maximum number of digits in the next token depends on the SecurID token card the client is using. The client can enter the passcode and the next token when prompted for the password by using the format passcode*token as in the following:

Figure 26. SecurID Passcode with Next Token

               .----------------------.
     Username: | John Customer        |
               '----------------------'
 
               .----------------------.
     Password: | 1234098765*111111    |
               '----------------------'

Note:

When the server requests the client to enter the next token, the client must:

Enter the PIN
Wait for a new token from the card and enter that token
Enter * followed by the next token from the card

The ACE/Server administrator configures the conditions that cause the server to request the next token or new PIN.

The dial-in clients should use SPAP so they can receive alerts from the authentication system when they need to enter the next token. If the client is not using SPAP and they are not successful logging on, they should try entering a new passcode using the passcode*token format. If the client is still not successful, there could be other problems between the client and the ACE/Server.

SecurID Limitations

The following limitations exist:

Security Dynamics Inc. (SDI) and DES encryption are not supported.
The SecurID "New PIN" function is not supported.
TACACS does not support the "New PIN" or "Next-Token" functions. The client can specify a next-token when logging in, but the server will not use it.
Clients configured for callback are not supported.
When using CHAP with TACACS or TACACS+, set the CHAP rechallenge interval to 0.
Do not use CHAP when using RADIUS authentication and SecurID.
Your clients can obtain the best results by using TACACS+ and SPAP.
Windows 3.1 DIALs client with SecurID authentication using multilink is not supported.
When using SecurID authentication, it is highly recommended to use the latest client software (for example, Windows 95 or OS/2).

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]