RSA Security MRV User Manual

RSA SecurID Ready Implementation Guide
Last Modified: March 8, 2006

Partner Information

Product Information
Partner Name: MRV Communication, Inc.
Web Site: www.mrv.com
Product Name: LX Series
Version & Platform: LX OS 3.6.0 or later
Product Description: MRV Communications is a leading provider of network access solutions for the enterprise edge, the seam where corporate networks meet the wide-area public network and the service provider edge. The LX-Series advanced security protects access to your network. The LX-Series authenticates local and remote users while providing secure network dialup access for remote offices and home users.
Product Category: Remote Access

Solution Summary

The MRV LX-Series Secure Console/Terminal Servers have been specifically designed with a focus on security. The LX Series multi-processor platforms have the processing horsepower to handle the FIPS-approved encryption and cipher algorithms required to meet the demands of today's high-security environments. LX-Series platforms provide the highest and most comprehensive set of security and encryption support of any Console or Terminal Server on the market today.
The RSA SecurID Authentication support is one of many authentication mechanisms available in the LX-Series products. RSA SecurID (in conjunction with RADIUS Authentication and Accounting) provides a very powerful means by which to manage all aspects of security for traditional Terminal Server, Console Server, and Out Of Band Network applications.
LX-Series Console and Terminal Servers (in conjunction with RSA SecurID two factor authentication), coupled with the power of RADIUS accounting capabilities provide administrators not only with a strong sense of security, but also a high level of accountability and logging capabilities.
Partner Integration Overview
Authentication Methods Supported: Native RSA SecurID Authentication, RADIUS
List Library Version Used: 5.0.3.2
RSA Authentication Manager Name Locking: Yes
RSA Authentication Manager Replica Support: Full Replica Support
Secondary RADIUS Server Support: Yes, up to 2
Location of Node Secret on Agent: Stored in Flash
RSA Authentication Agent Host Type: Communication Server
RSA SecurID User Specification: Designated Users, All Users
RSA SecurID Protection of Administrative Users: Yes
RSA Software Token API Integration: No
Use of Cached Domain Credentials: No

Product Requirements

Partner Product Requirements: LX OS 3.6.0
CPU: Motorola PQ 133MHz
Memory: 128MB DRAM
Storage: No hard drive; 16MB Flash
Firmware Version: 3.6.0 or higher
Operating System
LX OS: 3.6.0 or later
LX Firmware: 3.6.0 or later
Additional Software Requirements
Java JRE: 1.4.2 or later

Agent Host Configuration

To facilitate communication between the LX Product line and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager Database, and to the RADIUS Server Database when using RADIUS. The Agent Host record identifies the LX Product line within its database and contains information about communication and encryption.
To create the Agent Host record, you will need the following information.
Hostname
IP Addresses for all network interfaces
RADIUS Secret (When using RADIUS Authentication Protocol)
When adding the Agent Host Record, you should configure the LX Series as a Communication Server. This setting is used by the RSA Authentication Manager to determine how communication with the LX Series will occur.
Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.

Partner Authentication Agent Configuration

Setting Up RSA SecurID Authentication (Command Line Interface)

You can implement SecurID authentication at the server level and for specific interfaces and asynchronous ports on the LX unit. You must implement RSA SecurID Authentication at the server level before you can implement it on specific interfaces and asynchronous ports on the LX unit.
The basic steps for configuring SecurID authentication on the LX unit are:
1. Specifying the RSA Authentication Manager Server settings on the LX.
2. Installing and configuring the SecurID server on a Network-based Host.
3. Configuring an RSA Authentication Manager Local Subscriber (optional).

Specifying the RSA Authentication Manager Server Settings on the LX

Perform the following operations to specify the RSA Authentication Manager settings on the LX unit:
1. Check the primary RSA Authentication Manager Server host to ensure that the RSA Authentication Manager application is running.
2. Access the AAA Command Mode on the LX
3. Use the securid authentication version command to specify the RSA Authentication Manager authentication version for the LX unit. You can specify the authentication version as Version 5 or pre-Version 5 (legacy); for example:
Login: InReach
Password: access
InReach:0> enable
Password: system
InReach:0>> configuration
AAA:0 >>securid authentication version version_5
AAA:0 >>securid authentication version legacy
4. Use the securid authentication port command to specify the socket your RSA Authentication Manager server is listening to; for example:
AAA:0 >>securid authentication port 1687
Note: The LX listens to port 5500 by default.
5. Use the securid primary authentication server address command to specify the IP address of the RSA Authentication Manager Primary; for example:
AAA:0 >>securid primary authentication server address 10.242.131.11
6. Use the securid authentication encryption command to specify the RSA SecurID encryption method for the LX unit. You can specify DES or SDI as the encryption method; for example:
AAA:0 >>securid authentication encryption des
AAA:0 >>securid authentication encryption sdi
7. To verify the LX configuration, execute the show securid characteristics command at the superuser command prompt; for example:
AAA:0 >>show securid characteristics
Note: To clear the node secret from the LX unit, use the 'zero securid secret' command.

RSA SecurID Authentication Command Examples

This section provides examples of all of the commands that are used to specify settings for the RSA Authentication Manager servers.
AAA:0 >>securid primary authentication server address 10.242.131.11
AAA:0 >>securid authentication port 4500
AAA:0 >>securid primary authentication server name bigsky1.com
AAA:0 >>securid authentication encryption des
AAA:0 >>securid authentication retransmit 7
AAA:0 >>securid authentication timeout 3
AAA:0 >>securid authentication version version_5
Note: If you do not specify a UDP port, retransmit value, timeout, version, encryption, or name for the RSA Authentication Manager server, the LX unit will use the default values for these settings.

RSA SecurID Local Subscriber Feature

Under the RSA Authentication Manager Local Subscriber Feature, a subscriber can be logged on in one of two ways:
As an LX subscriber with the attributes of that subscriber (if the LX subscriber account exists)
Or, if the LX subscriber account does not exist, as the default (InReach) subscriber.
Under either scenario, the subscriber must have an account on the RSA Authentication Manager server. If the subscriber account also exists on the LX unit, the subscriber is logged on under that account and given the attributes of that account. If the subscriber account does not exist on the LX unit, the subscriber is logged on under his RSA Authentication Manager account with the attributes of the default (InReach) account.
Use the securid local subscriber enable command to configure the RSA Authentication Manager Local Subscriber Feature for the LX unit; for example:
AAA:0 >>securid local subscriber enable
When the RSA Authentication Manager Local Subscriber Feature is set to only, the subscriber can only be logged in if the subscriber account is configured on both the LX unit and the RSA Authentication Manager server, and the subscriber account on the LX server has the same name as the subscriber account on the RSA Authentication Manager server. Use the securid local subscriber only command to set the RSA Authentication Manager Local Subscriber Feature to only; for example:
AAA:0 >>securid local subscriber only
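The login decision described in this section, modelled as an added example (not MRV or RSA code) so an administrator can see which LX account, and therefore which attributes, a SecurID-authenticated subscriber ends up with under the enable and only settings; the account names and attributes are constructed for illustration.

```python
# Added example (not MRV or RSA code): models the LX "securid local subscriber"
# decision described above, so the effect of the enable vs. only setting can be
# checked before the default (InReach) account hands out unintended attributes.
# Subscriber names, attributes and the account table are constructed here.
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass(frozen=True)
class LxAccount:
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)

DEFAULT_SUBSCRIBER = "InReach"   # the LX default account named on the page

def resolve_subscriber(mode: str, user: str, am_authenticated: bool,
                       lx_accounts: Dict[str, LxAccount]) -> Optional[LxAccount]:
    """Return the LX account the session runs under, or None if login is refused.

    mode: "enable" or "only", mirroring 'securid local subscriber enable|only'.
    am_authenticated: outcome of the RSA Authentication Manager check; the
    subscriber must pass it in either mode.
    """
    if mode not in ("enable", "only"):
        raise ValueError(f"unknown local subscriber mode: {mode}")
    if not am_authenticated:
        return None                       # no RSA account / bad passcode: refused
    local = lx_accounts.get(user)         # LX account with the same name, if any
    if local is not None:
        return local                      # logged on with that account's attributes
    if mode == "only":
        return None                       # 'only' requires the account on both sides
    # 'enable': logged on with the default account's attributes (None only if
    # the default account itself is missing from the constructed table)
    return lx_accounts.get(DEFAULT_SUBSCRIBER)

# Constructed sample LX account table (names and attributes are illustrative).
SAMPLE_LX_ACCOUNTS = {
    "InReach": LxAccount("InReach", {"privilege": "user", "ports": "none"}),
    "alice":   LxAccount("alice",   {"privilege": "superuser", "ports": "all"}),
}

if __name__ == "__main__":
    for mode in ("enable", "only"):
        for user in ("alice", "bob"):
            acct = resolve_subscriber(mode, user, True, SAMPLE_LX_ACCOUNTS)
            print(mode, user, "->", acct.name if acct else "refused")
```

Running it shows that bob, who exists only on the RSA Authentication Manager, lands on the InReach attributes under enable and is refused under only.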

RSA SecurID sdconf.rec

The LX software now supports the import of sdconf.rec files. To use the sdconf.rec file, download it into the LX /config directory. If this file is present on the LX, the RSA Authentication Manager system characteristics included within the sdconf.rec file will be used, and configuration of the RSA Authentication Manager attributes will be blocked at the CLI command level.
To download the sdconf.rec file:
1. Go to the shell.
2. Change to the /config directory (cd /config).
3. From /config, perform an FTP and retrieve the sdconf.rec file.