Rsa-security 6.1 User Manual


Summary of Contents

Page 1 - Administrator’s Guide

RSA RADIUS Server 6.1 Administrator’s Guide Powered by Steel-Belted Radius®

Page 2 - Copyright

x About This Guide September 2005 • Chapter 4, “Administering RADIUS Clients,” describes how to set up remote access server (RAS) devices as RSA RADIUS

Page 3 - Trademarks

88 Using the LDAP Configuration Interface September 2005 Figure 29 LDAP Schema (Slide 4 of 4) While the LDAP virtual schema diagram shows as much of the

Page 4 - RSA notice

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 89 • Substrings – There are several places where a list of strings i

Page 5 - Contents

90 Using the LDAP Configuration Interface September 2005 LDAP Command Examples This section explains how to use the LDAP commands ldapdelete, ldapmodify

Page 6

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 91 Modifying Records You can use the ldapmodify command to modify the

Page 7 - Chapter 8 Logging

92 Using the LDAP Configuration Interface September 2005 NOTE: You can also use the -h option with ldapmodify to specify the name of a remote host on w

Page 8

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 93 The following syntax is valid if the same keyword applies through

Page 9 - About This Guide

94 Using the LDAP Configuration Interface September 2005 changetype: add. Once your editing is complete, run an ldapmodify -f command that references t

Page 10 - Syntax Conventions

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 95 This file can be passed to the ldapmodify command as follows: ldap

Page 11 - Related Documentation

96 Using the LDAP Configuration Interface September 2005 high-auth-threads: 2 high-acct-threads: 0 high-total-threads: 2 stattype: authentication dn: statt

Page 12 - Getting Support and Service

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 97 Rate Statistics Rate statistics are derived from other statistics

Page 13 - About RSA RADIUS Server

RSA RADIUS Server 6.1 Administrator’s Guide About This Guide xi • Angle brackets < > enclose a list from which you must choose an item in format

Page 14 - RSA RADIUS Server Overview

98 Using the LDAP Configuration Interface September 2005

Page 15

RSA RADIUS Server 6.1 Administrator’s Guide Glossary 99 Glossary 802.1X The IEEE 802.1X standard defines a mechanism that allows a supplicant (client) t

Page 16 - RADIUS Packets

100 Glossary September 2005 CA Certificate authority. A trusted entity that registers the digital identity of a site or individual and issues a digital

Page 17 - RADIUS Configuration

RSA RADIUS Server 6.1 Administrator’s Guide Glossary 101 IETF Internet Engineering Task Force. Technical subdivision of the Internet Architecture Board

Page 18 - Shared Secrets

102 Glossary September 2005 information about users and administering multiple security systems across complex networks. RAS Remote Access Server. Netwo

Page 19 - Node Secret

RSA RADIUS Server 6.1 Administrator’s Guide Glossary 103 tokencode The pseudorandom number that is displayed on the LCD of a hardware token or generate

Page 20 - Authentication

104 Glossary September 2005

Page 21 - Accounting

RSA RADIUS Server 6.1 Administrator’s Guide Index 105 Index Numerics 802.1X 1 A access client 3 accounting 2 Acct-Authentic 79 Acct-Delay-Time 79 Acct-Status-T

Page 22 - Accounting Sequence

106 Index September 2005 Protected Extensible Authentication Protocol (PEAP) 1 Protected One-Time Password (POTP) 1 Protected One-Time Password, see POTP R

Page 23 - Tunneled Accounting

xii About This Guide September 2005 • Internet-Draft, “The Protected One-Time Password Protocol (EAP-POTP)”, M. Nystrom, June 2005. ftp://ftp.rsasecuri

Page 24 - Attributes

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 1 Chapter 1 About RSA RADIUS Server RSA RADIUS Server is a complete implementation of

Page 25 - Attribute Lists

2 About RSA RADIUS Server September 2005 • Centralized configuration management (CCM) provides simplified configuration management and automatic data d

Page 26 - Attribute Values

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 3 Figure 1 RSA RADIUS Authentication 1 A RADIUS access client, who could be a dial-in

Page 27 - Default Values

4 About RSA RADIUS Server September 2005 If the user ID is not found or if the passcode is not appropriate for the specified user, the RSA Authenticati

Page 28

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 5 Each RADIUS packet supports a specific purpose: authentication or accounting. A p

Page 29

6 About RSA RADIUS Server September 2005 • The RADIUS shared secret to be used by the RSA RADIUS Server and the client device. For information on RADIU

Page 30

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 7 RADIUS Secret A RADIUS shared secret is a case-sensitive password used to validate

Page 31 - Chapter 2

Contact Information See our web site for regional Customer Support telephone and fax numbers. RSA Security Inc. RSA Security Ireland Limited www.rsasecur

Page 32 - Installing on Windows

8 About RSA RADIUS Server September 2005 The RSA Authentication Manager software views the RSA RADIUS Server service as a host agent. Communication bet

Page 33

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 9 Accounting To understand the RSA RADIUS Server accounting sequence, you need an ov

Page 34

10 About RSA RADIUS Server September 2005 Accounting Sequence A RAS can issue an Accounting-Request whenever it chooses, for example upon establishing a

Page 35 - Installing on Solaris

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 11 Tunneled Accounting During authentication, a user is typically identified by attr

Page 36 - , and sdconf.rec files

12 About RSA RADIUS Server September 2005 6 The server processes the accounting request locally. To implement tunneled accounting, you must configure th

Page 37

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 13 nonstandard attributes that it encounters in the packet. Standard RADIUS attribu

Page 38

14 About RSA RADIUS Server September 2005 During authentication, RSA RADIUS Server filters the checklist based on the dictionary for the RADIUS client

Page 39

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 15 Framed-Compression attribute to appear twice in the return list: once with the v

Page 40 - Migration Log File

16 About RSA RADIUS Server September 2005 If an attribute appears once in the checklist marked as default, and the same attribute appears in the return

Page 41 - Installing on Linux

RSA RADIUS Server 6.1 Administrator’s Guide About RSA RADIUS Server 17 The Primary RADIUS Server maintains a list of the Replica RADIUS Servers that ha

Page 42

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation

Page 43

18 About RSA RADIUS Server September 2005 Recovering a Replica After a Failed Download If a Replica RADIUS Server fails during the download of a configu

Page 44

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 19 Chapter 2 Installing the RSA RADIUS Server The RSA RADIUS Server software

Page 45

20 Installing the RSA RADIUS Server September 2005 attributes, and return list attributes; and RSA SecurID prompts used to format messages to users. Dat

Page 46

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 21 Installing the RSA RADIUS Server To install the RSA RADIUS Server softwa

Page 47 - Chapter 3

22 Installing the RSA RADIUS Server September 2005 click the Browse button to locate the directory containing the sdconf.rec, radius.cer, server.cer, a

Page 48 - Content Frame

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 23 Installing on Solaris This section describes how to install and uninstal

Page 49 - Panel Menu

24 Installing the RSA RADIUS Server September 2005 -identity Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PR

Page 50 - Help Menu

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 25 Installing the RSA RADIUS Server Software The following procedure descri

Page 51 - Adding an Entry

26 Installing the RSA RADIUS Server September 2005 5 Specify the directory where you want to install the RSA RADIUS Server files. By default, the instal

Page 52 - Editing an Entry

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 27 Enter primary host secret: 13 If you are installing a Primary RADIUS Ser

Page 53 - Figure 7 Sample Edit Window

Sun Microsystems, Solaris, and all Sun-based trademarks and logos, Java, HotJava, JavaScript, the Java Coffee Cup Logo, and all Java-based trademarks

Page 54 - Using Context Menus

28 Installing the RSA RADIUS Server September 2005 5 Type y when you are asked to confirm that you want to uninstall the RSA RADIUS Server software. Con

Page 55 - Adding a License Key

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 29 Installing on Linux This section describes how to install and uninstall

Page 56 - File > Exit

30 Installing the RSA RADIUS Server September 2005 -identity Specifies whether you are installing a Primary or Replica RADIUS Server. Valid values are PR

Page 57 - Administering RADIUS Clients

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 31 Installing the RSA RADIUS Server Software The following procedure descri

Page 58 - Adding a RADIUS Client

32 Installing the RSA RADIUS Server September 2005 5 Specify the directory where you want to install the RSA RADIUS Server files. By default, the instal

Page 59 - button

RSA RADIUS Server 6.1 Administrator’s Guide Installing the RSA RADIUS Server 33 12 Specify the host secret used to authenticate communication between t

Page 60 - Deleting a RADIUS Client

34 Installing the RSA RADIUS Server September 2005 Uninstalling the RSA RADIUS Server Software To uninstall the RSA RADIUS Server software: 1 Stop the RA

Page 61 - 3 Click the

RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 35 Chapter 3 Using RSA RADIUS Administrator The RSA RADIUS Administrator is a

Page 62

36 Using RSA RADIUS Administrator September 2005 Navigating in RSA RADIUS Administrator Figure 4 illustrates the RSA RADIUS Administrator user interface

Page 63 - Administering Profiles

RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 37 Panel Menu Table 9 describes the functions of each entry in the Panel menu

Page 64 - Default Profile

RSA RADIUS Server 6.1 Administrator’s Guide Contents v Contents About This Guide Audience ...

Page 65 - Setting Up Profiles

38 Using RSA RADIUS Administrator September 2005 Web Menu Table 10 describes the functions of each entry in the Web menu in the RSA RADIUS Administrator

Page 66

RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 39 Figure 5 RSA RADIUS Administrator Toolbar RSA RADIUS Administrator Windows

Page 67 - Removing a Profile

40 Using RSA RADIUS Administrator September 2005 RSA RADIUS Administrator displays an Add window. A sample Add window appears in Figure 6. Figure 6 Samp

Page 68

RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 41 Figure 7 Sample Edit Window Cutting/Copying/Pasting Records Panels displayi

Page 69 - Displaying Statistics

42 Using RSA RADIUS Administrator September 2005 Figure 8 Sample Paste Window Resizing Columns You can resize columns in an RSA RADIUS Administrator tabl

Page 70

RSA RADIUS Server 6.1 Administrator’s Guide Using RSA RADIUS Administrator 43 If you right-click a blank area in an RSA RADIUS Administrator window, th

Page 71

44 Using RSA RADIUS Administrator September 2005 3 When the Add a License for Server window (Figure 10) opens, enter the license key and click OK. When

Page 72 - System tab

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Clients 45 Chapter 4 Administering RADIUS Clients A RADIUS client is a network device or

Page 73

46 Administering RADIUS Clients September 2005 Adding a RADIUS Client To add a RADIUS client: 1 Open the RADIUS Clients panel. 2 Click the Add button. The

Page 74 - Resetting Server Statistics

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Clients 47 4 Enter the IP address or DNS name of the RADIUS client in the IP Address f

Page 75 - Refresh button in the

vi Contents September 2005 Chapter 2 Installing the RSA RADIUS Server Before You Begin...

Page 76

48 Administering RADIUS Clients September 2005 d Click OK. You must enter the same accounting shared secret when you configure the RADIUS client. 8 Opti

Page 77 - Administering RADIUS Servers

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Clients 49 2 Select the RADIUS client entry you want to delete. 3 Click the Delete butt

Page 78 - Replication Panel

50 Administering RADIUS Clients September 2005

Page 79 - Figure 22 Add Server Window

RSA RADIUS Server 6.1 Administrator’s Guide Administering Profiles 51 Chapter 5 Administering Profiles This chapter describes how to set up and administe

Page 80 - Deleting a RADIUS Server

52 Administering Profiles September 2005 Resolving Profile and User Attributes If user-specific attributes are stored in the RSA Authentication Manager

Page 81 - Notify button on the toolbar

RSA RADIUS Server 6.1 Administrator’s Guide Administering Profiles 53 Setting Up Profiles The Profiles panel (Figure 15) lets you define standard sets o

Page 82

54 Administering Profiles September 2005 4 Optionally, enter a description for the profile in the Description field. 5 Add checklist and return list att

Page 83

RSA RADIUS Server 6.1 Administrator’s Guide Administering Profiles 55 f When you are finished adding attribute/value pairs, click Close to return to th

Page 84 - Regenerating a Node Secret

56 Administering Profiles September 2005

Page 85 - Resetting the RADIUS Database

RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 57 Chapter 6 Displaying Statistics The Statistics panel lets you display statistics for

Page 86

RSA RADIUS Server 6.1 Administrator’s Guide Contents vii Chapter 5 Administering Profiles About Profiles ...

Page 87 - Chapter 8

58 Displaying Statistics September 2005 Figure 18 Statistics Panel: System Authentication Statistics Table 13 explains the fields on the Authentication

Page 88 - Controlling Log File Size

RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 59 Silent Discards The number of requests in which the client could not be identified

Page 89 - Using the Accounting Log

60 Displaying Statistics September 2005 Displaying Server Accounting Statistics Accounting statistics provide information such as the number of transact

Page 90 - Comma Placeholders

RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 61 Table 14 describes the accounting statistics and suggested actions in italics (if

Page 91

62 Displaying Statistics September 2005 Resetting Server Statistics To reset authentication and accounting statistics for an RSA RADIUS server to zero: 1

Page 92

RSA RADIUS Server 6.1 Administrator’s Guide Displaying Statistics 63 5 Optionally, sort the messages by clicking a column header. NOTE: The RADIUS clien

Page 93 - Using the LDAP Configuration

64 Displaying Statistics September 2005

Page 94

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Servers 65 Chapter 7 Administering RADIUS Servers RSA RADIUS Server supports the replica

Page 95 - LDAP Requests

66 Administering RADIUS Servers September 2005 Replication Panel The Replication panel (Figure 21) lists your Primary and Replica RADIUS Servers and ind

Page 96 - Configuring the LDAP TCP Port

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Servers 67 Figure 22 Add Server Window 3 Enter the name of the RADIUS server in the Nam

Page 97 - LDAP Virtual Schema

viii Contents September 2005 Appendix A Using the LDAP Configuration Interface LDAP Configuration Interface File ...

Page 98

68 Administering RADIUS Servers September 2005 Enabling a RADIUS Server To enable a RADIUS server: 1 Open the Replication panel. 2 Select the RADIUS serve

Page 99

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Servers 69 Publishing Server Configuration Information If you change the configuration

Page 100

70 Administering RADIUS Servers September 2005 Designating a New Primary RADIUS Server You can change which server within a realm is designated as the P

Page 101

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Servers 71 2 Log into the Replica RADIUS Server as root (Solaris/Linux) or administrat

Page 102 - LDAP Command Examples

72 Administering RADIUS Servers September 2005 4 Run the rsainstalltool (Windows) or rsaconfiguretool (Solaris/Linux) utility with the identity option.

Page 103 - Modifying Records

RSA RADIUS Server 6.1 Administrator’s Guide Administering RADIUS Servers 73 To regenerate the node secret for a Replica RADIUS Server, enter the foll

Page 104

74 Administering RADIUS Servers September 2005

Page 105 - Adding Records

RSA RADIUS Server 6.1 Administrator’s Guide Logging 75 Chapter 8 Logging This chapter describes how to set up and use logging functions in RSA RADIUS Ser

Page 106 - Deleting Records

76 Logging September 2005 Level of Logging Detail You can control the level of detail recorded in the system log files with LogLevel, LogAccept, and Log

Page 107 - Statistics Variables

RSA RADIUS Server 6.1 Administrator’s Guide Logging 77 By default, RADIUS system log files are located in the RADIUS database directory. You can specif

Page 108

RSA RADIUS Server 6.1 Administrator’s Guide About This Guide ix About This Guide The RSA RADIUS Server 6.1 Administrator’s Guide describes how to instal

Page 109 - Rate Statistics

78 Logging September 2005 You can edit the account.ini initialization file to add, remove or reorder the standard RADIUS or vendor-specific attributes

Page 110

RSA RADIUS Server 6.1 Administrator’s Guide Logging 79 aligned with their headings. For example, based on the “first line” of headings described above,

Page 111 - Glossary

80 Logging September 2005 Acct-Input-Packets Number of packets received by the port over the connection; present only in STOP records. Acct-Output-Packet

Page 112 - 100 Glossary September 2005

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 81 Appendix A Using the LDAP Configuration Interface The LDAP Configura

Page 113

82 Using the LDAP Configuration Interface September 2005 About the LDAP Configuration Interface The LDAP Configuration Interface (LCI) consists of an LD

Page 114 - 102 Glossary September 2005

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 83 in a specified file. Because ldapmodify uses LDIF update statemen

Page 115

84 Using the LDAP Configuration Interface September 2005 • nsldapssl32v30.dll (if you are on a Windows host) • libldap30.so (if you are on a Solaris hos

Page 116 - 104 Glossary September 2005

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 85 199.198.197.196 196.197.198.199 If the [LDAPAddresses] section is o

Page 117

86 Using the LDAP Configuration Interface September 2005 Figure 27 LDAP Schema (Slide 2 of 4) cn=admin radiusstatus=sessions_by_calling_station calling-st

Page 118 - 106 Index September 2005

RSA RADIUS Server 6.1 Administrator’s Guide Using the LDAP Configuration Interface 87 Figure 28 LDAP Schema (Slide 3 of 4) Available Attributes: accept &
