Avocent Corporation ACS6000 Series Advanced Console Server

Author: April Hood

RSA SecurID Ready Implementation Guide
Last Modified: June 1, 2009

Partner Information

Partner Name:         Avocent Corporation
Web Site:             http://www.avocent.com/
Product Name:         ACS 6000 Series Advanced Console Server Series
Version & Platform:   F.W. 2.0.0.5 (Apr 15 2009 - 11:52:12), Linux 2.6.24.2
Product Description:  The ACS 6000 series of advanced console servers integrates cutting edge technologies, adaptive services and secure enterprise communications. They offer IT professionals and network operations center (NOC) personnel the ability to perform secure, remote data center management and out-of-band management of IT assets from anywhere in the world.
Product Category:     Remote Access


Solution Summary

The ACS6000 Console Server supports RSA SecurID authentication via RADIUS. Remote (SSH and telnet) and local access to the appliance and to its serial ports can be secured using a combination of a hardware token and a user- or system-supplied PIN.

Partner Integration Overview

Authentication Methods Supported:                    RADIUS
List Library Version Used:                           NA
RSA Authentication Manager Replica Support:          Full Replica Support
Secondary RADIUS Server Support:                     Yes, no limit (requires manual edit of server list)
RSA Authentication Agent Host Type:                  Linux
RSA SecurID User Specification:                      Designated Users
RSA SecurID Protection of Administrative Users:      Yes
RSA Software Token and RSA SecurID 800 Automation:   No


Product Requirements

Partner Product Requirements: ACS6000 Console Server
Version:                       Firmware version 1.0.0 and above
Operating System Platform:     All major operating systems with networking support
Required Patches:              none listed

Additional Software Requirements
Application:                   Internet Explorer 6.0 and higher or Firefox 2.0 and higher; JRE 1.50 or higher; SSH/telnet client
Additional Patches:            none listed


Agent Host Configuration

To facilitate communication between the ACS6000 Console Server and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the ACS6000 Console Server within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information:

• Hostname
• IP addresses for all network interfaces
• RADIUS secret (when using the RADIUS authentication protocol)

When adding the Agent Host record, configure the ACS6000 Console Server as a UNIX agent. This setting is used by the RSA Authentication Manager to determine how communication with the ACS6000 Console Server will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about creating, modifying and managing Agent Host records.

RSA SecurID Authentication Files

File          Location
sdconf.rec    None stored
Node Secret   /etc/raddb/servers
sdstatus.12   Not implemented
sdopts.rec    Not implemented

Because /etc/raddb/servers holds the RADIUS shared secret for each listed server, keep it readable by root only.

Partner Product Configuration

Before You Begin

This section provides instructions for integrating the ACS6000 Console Server with RSA SecurID authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products and components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.


Overview

You will use the ACS6000 WebUI and edit some configuration files manually to enable RSA SecurID two-factor RADIUS authentication. The following section describes the settings required to accomplish the task.

Avocent ACS6000 Configuration

1. Using a supported web browser, log into the ACS6000 Console Server.

2. Select the "Authentication" directory in the left column.

3. Select the "Authentication Servers" subdirectory in the left column.

4. Select "RADIUS" and enter the details of the RSA SecurID server:
   First Authentication Server: the hostname or IP address of the RSA server (required).
   First Accounting Server: the hostname or IP address of the RSA server (required).
   Second Authentication Server: the hostname or IP address of the RSA server.
   Second Accounting Server: the hostname or IP address of the RSA server.
   Secret: the shared secret stored on the RSA server for this appliance.
   Confirm Secret: re-enter the "Secret" from above.
   Timeout: the default setting can be used in most cases.
   Retry: the default setting can be used in most cases.


5. To add more failover servers (the WebUI only handles one), edit the file "/etc/raddb/servers" from the shell. Add additional lines to the end of the file, one server per line. In this example, "216.162.248.26" was added to the list of RSA servers.

6. To disable RADIUS accounting requests (in the event that accounting isn't implemented), edit the "/etc/pam.d/radius" file and replace the default entries for account and session with the following:
   account required pam_permit.so
   session required pam_permit.so


7. To enable RSA SecurID two-factor authentication for the appliance, select "Appliance Authentication" in the left column and "RADIUS" from the dropdown list on the right. (See note 1.)

8. The web interface does not currently support RSA SecurID authentication and must be configured to bypass it. Open the "/etc/init.d/set_pam.sh" file from the shell and locate the line that begins with "ln -s" and contains the $PAM_WEB variable. Change this line to: "ln -s local $PAM_WEB". (See note 2.) After this change, web logins use local authentication only and are not protected by SecurID, so restrict WebUI access accordingly.

Note 1: The pull-down labeled "PCMCIA-PPP Authentication" defines the authentication type used for dial-in PPP access to the appliance. This connection supports RSA SecurID two-factor authentication.

Note 2: For example, the line "ln -s $UNIT_AUTH $PAM_WEB" is changed to "ln -s local $PAM_WEB".


9. After saving the change in step 8, execute the updated file: from the shell, type "/etc/init.d/set_pam.sh". To confirm the change, type "ls -l /etc/pam.d/web"; the file "web" should now be a symbolic link to the file "local".

10. To enable RSA SecurID two-factor authentication for the serial ports, select "Ports" and "Serial Ports" in the left-hand frame. Click the number(s) in the "Port" column of the "Serial Ports" table for each port you wish to modify. Each time you do, the GUI displays the "CAS" configuration screen used in step 11.


11. Select “RADIUS” from the “Authentication Type” dropdown list.
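Steps 5, 6, 8 and 9 above are edits made by hand in the appliance shell. The script below is an added example, not taken from the Avocent or RSA documentation, that performs the same edits as shell functions so they can be rehearsed against a staging copy of the three files and re-run without duplicating entries. The ROOT prefix, the ACS_APPLY switch, the script name acs_securid.sh, the pam_radius_auth server-line layout of host, secret and timeout, and the root-only permission check are this example's assumptions, not features described by the guide.

```sh
#!/bin/sh
# Added example (not from the Avocent/RSA guide): scripted form of steps 5, 6, 8 and 9.
# Assumptions of this example: ROOT prefixes every path so the functions can be run
# against a staging copy (ROOT=/tmp/stage) before the appliance itself (ROOT=""), and
# /etc/raddb/servers uses the pam_radius_auth layout "host secret [timeout]".
ROOT="${ROOT:-}"

# Step 5: append a failover RSA/RADIUS server to /etc/raddb/servers. Hosts already
# present are skipped so the script is safe to re-run.
add_radius_server() {
    host="$1"; secret="$2"; timeout="${3:-3}"
    f="$ROOT/etc/raddb/servers"
    if [ -f "$f" ] && awk -v h="$host" '$1 == h { found = 1 } END { exit !found }' "$f"; then
        return 0
    fi
    printf '%s\t%s\t%s\n' "$host" "$secret" "$timeout" >> "$f"
    chmod 600 "$f"   # the file carries the shared secret in clear text
}

# Sanity check for the server list: every entry needs a host and a secret, and the
# file must not be readable by group or others. Returns non-zero on the first problem.
check_radius_servers() {
    f="$ROOT/etc/raddb/servers"
    [ -f "$f" ] || return 1
    awk 'NF == 0 || $1 ~ /^#/ { next } NF < 2 { bad = 1 } END { exit bad + 0 }' "$f" || return 1
    case "$(ls -l "$f" | cut -c5-10)" in
        ------) return 0 ;;   # group/other permission bits all clear
        *)      return 1 ;;
    esac
}

# Step 6: accounting is not used, so the account and session stacks go to pam_permit.so.
# The first account/session line is replaced, any further ones are dropped, auth and
# password lines are left untouched.
disable_radius_accounting() {
    f="$ROOT/etc/pam.d/radius"
    tmp="$f.tmp.$$"
    awk '
        $1 == "account" && !acct { print "account\trequired\tpam_permit.so"; acct = 1; next }
        $1 == "session" && !sess { print "session\trequired\tpam_permit.so"; sess = 1; next }
        $1 == "account" || $1 == "session" { next }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Step 8: rewrite only the "ln -s <something> $PAM_WEB" line of set_pam.sh so the web
# PAM service points at "local" instead of the appliance-wide authentication type.
set_web_pam_local() {
    f="$ROOT/etc/init.d/set_pam.sh"
    tmp="$f.tmp.$$"
    sed 's/^\([[:space:]]*ln[[:space:]][[:space:]]*-s[[:space:]][[:space:]]*\)[^[:space:]][^[:space:]]*\([[:space:]][[:space:]]*\$[{]*PAM_WEB[}]*\)/\1local\2/' \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# Step 9, verification half: /etc/pam.d/web must be a symlink whose target is "local",
# which is what "ls -l /etc/pam.d/web" should show after set_pam.sh has been re-run.
verify_web_link() {
    target=$(readlink "$ROOT/etc/pam.d/web") || return 1
    [ "$target" = "local" ]
}

# Live run on the appliance: ACS_APPLY=1 sh acs_securid.sh <failover-host> <secret>
# applies all edits and re-runs set_pam.sh as step 9 requires. Left off by default so
# sourcing the file for a rehearsal has no side effects.
if [ "${ACS_APPLY:-0}" = 1 ]; then
    add_radius_server "$1" "$2"
    check_radius_servers || { echo "servers file failed checks" >&2; exit 1; }
    disable_radius_accounting
    set_web_pam_local
    sh "$ROOT/etc/init.d/set_pam.sh"
    verify_web_link && echo "web -> local ok" || { echo "web link wrong" >&2; exit 1; }
fi
```

Rehearse first with ROOT pointing at a directory holding copies of /etc/raddb/servers, /etc/pam.d/radius and /etc/init.d/set_pam.sh; only then run with ACS_APPLY=1 on the appliance. Steps 7, 10 and 11 remain WebUI selections and are not covered by the script.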


Certification Checklist For RSA Authentication Manager v6.x

Date Tested: June 1, 2009

Certification Environment
  Product Name                 Version Information   Operating System
  RSA Authentication Manager   6.1                   Windows 2003
  ACS6000 Console Server       F.W. 2.0.0.5          Linux 2.6.24.2

Each test was recorded against two columns, RSA Native Protocol and RADIUS Protocol. The RSA Native Protocol column is N/A for every row, since the appliance authenticates via RADIUS only. The pass/fail marks in the RADIUS Protocol column were images in the original and are not preserved here; the rows below list what was tested.

Mandatory Functionality (RADIUS Protocol)
  New PIN Mode
    Force Authentication After New PIN
    System Generated PIN
    User Defined (4-8 Alphanumeric)
    User Defined (5-7 Numeric)
    User Selectable
    Deny 4 and 8 Digit PIN
    Deny Alphanumeric PIN
  Passcode
    16 Digit Passcode
    4 Digit Password
  Next Tokencode Mode
    Next Tokencode Mode
  Load Balancing / Reliability Testing
    Failover (3-10 Replicas)
    Name Locking Enabled
    No RSA Authentication Manager

Additional Functionality
  RSA Software Token Automation (N/A for both protocols)
    System Generated PIN
    User Defined (8 Digit Numeric)
    User Selectable
    Next Tokencode Mode
  RSA SecurID 800 Token Automation (N/A for both protocols)
    System Generated PIN
    User Defined (8 Digit Numeric)
    User Selectable
    Next Tokencode Mode
  Credential Functionality (RSA Native Protocol N/A; RADIUS mark not preserved)
    Determine Cached Credential State
    Set Credential
    Retrieve Credential

Tested by: JGS / PAR
Legend: one mark per test for Pass or Fail; N/A = Non-Available Function

Certification Checklist For RSA Authentication Manager 7.x

Date Tested: June 1, 2009

Certification Environment
  Product Name                 Version Information   Operating System
  RSA Authentication Manager   7.1                   Windows 2003 Server
  ACS6000 Console Server       F.W. 2.0.0.5          Linux 2.6.24.2

As for the v6.x checklist, the RSA Native Protocol column is N/A for every row and the RADIUS Protocol pass/fail marks did not survive extraction; the rows below list what was tested.

Mandatory Functionality (RADIUS Protocol)
  New PIN Mode
    Force Authentication After New PIN
    System Generated PIN
    User Defined (4-8 Alphanumeric)
    User Defined (5-7 Numeric)
    Deny 4 and 8 Digit PIN
    Deny Alphanumeric PIN
    Deny Numeric PIN
    PIN Reuse
  Passcode
    16 Digit Passcode
    4 Digit Fixed Passcode
  Next Tokencode Mode
    Next Tokencode Mode
  Load Balancing / Reliability Testing
    Failover (3-10 Replicas)
    No RSA Authentication Manager

Additional Functionality
  RSA Software Token Automation (N/A for both protocols)
    System Generated PIN
    User Defined (8 Digit Numeric)
    Next Tokencode Mode
  RSA SecurID 800 Token Automation (N/A for both protocols)
    System Generated PIN
    User Defined (8 Digit Numeric)
    Next Tokencode Mode

Tested by: JGS / PAR
Legend: one mark per test for Pass or Fail; N/A = Non-Available Function

Known Issues

The current web configuration allows only one failover server to be assigned and provides no option to disable RADIUS accounting; both must be done by editing files from the shell (steps 5 and 6). Future versions should have these options available. The web browser login page for the ACS6000 Console Server does not support RSA SecurID two-factor RADIUS authentication at this time.
