Avocent Corporation ACS6000 Series Advanced Console Server
RSA SecurID Ready Implementation Guide Last Modified: June 1, 2009
Partner Information
Partner Name:        Avocent Corporation
Web Site:            http://www.avocent.com/

Product Information
Product Name:        ACS 6000 Series Advanced Console Server Series
Version & Platform:  F.W. 2.0.0.5 (Apr 15 2009 - 11:52:12), Linux 2.6.24.2
Product Description: The ACS 6000 series of advanced console servers integrates cutting edge technologies, adaptive services and secure enterprise communications. They offer IT professionals and network operations center (NOC) personnel the ability to perform secure, remote data center management and out-of-band management of IT assets from anywhere in the world.
Product Category:    Remote Access
Solution Summary
The ACS6000 Console Server supports RSA SecurID authentication via RADIUS. Remote (SSH and Telnet) and local access to the appliance and to its serial ports can be secured using a combination of a hardware token and a user- or system-supplied PIN.
Partner Integration Overview
Authentication Methods Supported:                  RADIUS
List Library Version Used:                         N/A
RSA Authentication Manager Replica Support:        Full Replica Support
Secondary RADIUS Server Support:                   Yes, no limit (requires manual edit of server list)
RSA Authentication Agent Host Type:                Linux
RSA SecurID User Specification:                    Designated Users
RSA SecurID Protection of Administrative Users:    Yes
RSA Software Token and RSA SecurID 800 Automation: No
Product Requirements
Partner Product Requirements: ACS6000 Console Server
Version:                      Firmware version 1.0.0 and above
Operating System Platform:    All major operating systems with networking support
Required Patches:             (none listed)

Additional Software Requirements
Application:                  Internet Explorer 6.0 and higher or Firefox 2.0 and higher; JRE 1.50 or higher; SSH/Telnet client
Additional Patches:           (none listed)
Agent Host Configuration
To facilitate communication between the ACS6000 Console Server and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the ACS6000 Console Server within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information:
• Hostname
• IP addresses for all network interfaces
• RADIUS secret (when using the RADIUS authentication protocol)

When adding the Agent Host record, you should configure the ACS6000 Console Server as a UNIX agent. This setting is used by the RSA Authentication Manager to determine how communication with the ACS6000 Console Server will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about creating, modifying and managing Agent Host records.
RSA SecurID Files
RSA SecurID Authentication Files
File          Location
sdconf.rec    None stored
Node Secret   /etc/raddb/servers (holds the RADIUS shared secret; the appliance is Linux, so the path uses forward slashes)
sdstatus.12   Not implemented
sdopts.rec    Not implemented
Partner Product Configuration

Before You Begin
This section provides instructions for integrating the ACS6000 Console Server with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved as well as the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.
Overview
You will use the ACS6000 WebUI and edit some configuration files manually to enable RSA SecurID two-factor RADIUS authentication. The following section describes and illustrates the settings required to accomplish the task.

Avocent ACS6000 Configuration
1. Using a supported web browser, log into the ACS6000 Console Server.
2. Select the "Authentication" directory in the left column.
3. Select the "Authentication Servers" subdirectory in the left column.
4. Select "RADIUS" and enter the details of the RSA SecurID server:
   First Authentication Server - the hostname or IP address of the RSA server (required).
   First Accounting Server - the hostname or IP address of the RSA server (required).
   Second Authentication Server - the hostname or IP address of the RSA server.
   Second Accounting Server - the hostname or IP address of the RSA server.
   Secret - the shared secret stored on the RSA server (in the Agent Host record) for this appliance.
   Confirm Secret - re-enter the "Secret" from above.
   Timeout - the default setting can be used in most cases.
   Retry - the default setting can be used in most cases.
5. To add more failover servers (the WebUI only handles one failover server), edit the file "/etc/raddb/servers" from the shell and append one line per additional server at the end of the file. In this example, "216.162.248.26" was added to the list of RSA servers. Each line carries the server's shared secret, so keep the file readable by root only.
6. To disable RADIUS accounting requests (in the event that accounting isn't implemented on the RSA side), edit the "/etc/pam.d/radius" file. Replace the default entries for account and session with the following:
   account required pam_permit.so
   session required pam_permit.so
   Leave the auth entry as it is; that is the line that performs the SecurID check.
7. To enable RSA SecurID two-factor authentication for the appliance, select "Appliance Authentication" in the left column and "RADIUS" from the dropdown list on the right (see note 1).
8. The web appliance login doesn't currently support RSA SecurID authentication and must be configured not to use it. Open the "/etc/init.d/set_pam.sh" file from the shell and locate the line that begins with "ln -s" and contains the ${PAM_WEB} variable. Change this line to: "ln -s local ${PAM_WEB}" (see note 2). After this change, web logins are checked against local passwords only, not against SecurID.

Note 1: The pull-down labeled "PCMCIA-PPP Authentication" defines the authentication type used for dial-in PPP access to the appliance. This connection supports RSA SecurID two-factor authentication.
Note 2: For example, in the screenshot, "ln -s $UNIT_AUTH $PAM_WEB" was changed to "ln -s local $PAM_WEB".
9. After saving the change in step 8, you will need to execute the updated script. From the shell type "/etc/init.d/set_pam.sh". To confirm the change was performed correctly, type "ls -l /etc/pam.d/web" in the shell. You should see that the file "web" is a symbolic link to the file "local".
10. To enable RSA SecurID two-factor authentication for the serial ports, select "Ports" and "Serial Ports" in the left-hand frame. Click on the number(s) in the "Port" column of the "Serial Ports" table for each port you wish to modify. Each time you do, the GUI will display the "CAS" configuration screen described in step 11.
11. Select “RADIUS” from the “Authentication Type” dropdown list.
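The shell-side steps above (5, 6, 8 and 9) can be scripted so they are repeatable and checkable. The following is an added example, not Avocent's or RSA's code. It assumes the pam_radius_auth line format "server[:port] shared-secret [timeout]" for /etc/raddb/servers, a /etc/pam.d/radius containing one "auth ... pam_radius_auth.so" line plus account and session lines, and a web login stack selected by the symlink /etc/pam.d/web. Every path is a parameter so the functions can be tried against a scratch directory first. The last function creates the symlink that running set_pam.sh produces after the step 8 edit; on the appliance you should still make that edit so the link survives the script being re-run.

```shell
#!/bin/sh
# Added example (not Avocent's or RSA's code) for the shell-side RADIUS steps
# on a pam_radius_auth-based appliance such as the ACS6000. Assumptions:
#   /etc/raddb/servers lines:  server[:port]  shared-secret  [timeout]
#   /etc/pam.d/radius has one "auth ... pam_radius_auth.so" line plus
#   account/session lines; /etc/pam.d/web is a symlink selecting the stack.

# Step 5: add a failover RSA RADIUS server. Idempotent on the server field.
# The file holds shared secrets, so it is kept readable by root only.
add_radius_server() {
    srv_file=$1 srv_host=$2 srv_secret=$3 srv_timeout=${4:-3}
    [ -f "$srv_file" ] || : > "$srv_file"
    if awk -v h="$srv_host" '$1 == h { found = 1 } END { exit !found }' "$srv_file"; then
        return 0                      # already listed; nothing to do
    fi
    printf '%s %s %s\n' "$srv_host" "$srv_secret" "$srv_timeout" >> "$srv_file"
    chmod 600 "$srv_file"
}

# Step 6: stop RADIUS accounting by satisfying account/session locally.
# Only those two stack types change; the auth line is copied through as is.
# Duplicate account/session lines collapse to one pam_permit.so entry each.
disable_radius_accounting() {
    pam_file=$1
    awk '$1 == "account" || $1 == "session" {
             if (!seen[$1]++) print $1, "required", "pam_permit.so"
             next
         }
         { print }' "$pam_file" > "$pam_file.tmp" && mv "$pam_file.tmp" "$pam_file"
}

# Guard for step 6: the edit must not have removed the SecurID check itself.
# Returns 0 only while an auth line still delegates to pam_radius_auth.so.
check_radius_auth_line() {
    grep -q '^auth[[:space:]].*pam_radius_auth\.so' "$1"
}

# Steps 8-9: point the web login at the local stack (the WebUI cannot do
# SecurID) and verify the link the way the guide does with "ls -l".
link_web_to_local() {
    pam_dir=$1
    ln -sf local "$pam_dir/web" || return 1
    [ "$(readlink "$pam_dir/web")" = "local" ]
}

# Usage on the appliance (from the shell, as root):
#   add_radius_server /etc/raddb/servers 216.162.248.26 'shared-secret'
#   disable_radius_accounting /etc/pam.d/radius
#   check_radius_auth_line /etc/pam.d/radius || echo "auth line missing" >&2
#   link_web_to_local /etc/pam.d
```

The shared secret written to /etc/raddb/servers must be the same value entered in the WebUI "Secret" field and stored in the RSA Agent Host record; a mismatch shows up as a silent Access-Reject from that server rather than a configuration error.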
Certification Checklist for RSA Authentication Manager v6.x
Date Tested: June 1, 2009

Certification Environment
Product Name                 Version Information   Operating System
RSA Authentication Manager   6.1                   Windows 2003
ACS6000 Console Server       F.W. 2.0.0.5          Linux 2.6.24.2

Mandatory Functionality                  RSA Native Protocol   RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN     N/A                   tested*
  System Generated PIN                   N/A                   tested*
  User Defined (4-8 Alphanumeric)        N/A                   tested*
  User Defined (5-7 Numeric)             N/A                   tested*
  User Selectable                        N/A                   tested*
  Deny 4 and 8 Digit PIN                 N/A                   tested*
  Deny Alphanumeric PIN                  N/A                   tested*
Passcode
  16 Digit Passcode                      N/A                   tested*
  4 Digit Password                       N/A                   tested*
Next Tokencode Mode
  Next Tokencode Mode                    N/A                   tested*
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)               N/A                   tested*
  Name Locking Enabled                   N/A                   tested*
  No RSA Authentication Manager          N/A                   tested*

Additional Functionality                 RSA Native Protocol   RADIUS Protocol
RSA Software Token Automation
  System Generated PIN                   N/A                   N/A
  User Defined (8 Digit Numeric)         N/A                   N/A
  User Selectable                        N/A                   N/A
  Next Tokencode Mode                    N/A                   N/A
RSA SecurID 800 Token Automation
  System Generated PIN                   N/A                   N/A
  User Defined (8 Digit Numeric)         N/A                   N/A
  User Selectable                        N/A                   N/A
  Next Tokencode Mode                    N/A                   N/A
Credential Functionality
  Determine Cached Credential State      N/A                   tested*
  Set Credential                         N/A                   tested*
  Retrieve Credential                    N/A                   tested*

Tested by: JGS / PAR
Legend: * = a Pass/Fail result symbol was printed in the original checklist but is not reproduced in this text copy. N/A = Non-Available Function.
Certification Checklist for RSA Authentication Manager 7.x
Date Tested: June 1, 2009

Certification Environment
Product Name                 Version Information   Operating System
RSA Authentication Manager   7.1                   Windows 2003 Server
ACS6000 Console Server       F.W. 2.0.0.5          Linux 2.6.24.2

Mandatory Functionality                  RSA Native Protocol   RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN     N/A                   tested*
  System Generated PIN                   N/A                   tested*
  User Defined (4-8 Alphanumeric)        N/A                   tested*
  User Defined (5-7 Numeric)             N/A                   tested*
  Deny 4 and 8 Digit PIN                 N/A                   tested*
  Deny Alphanumeric PIN                  N/A                   tested*
  Deny Numeric PIN                       N/A                   tested*
  PIN Reuse                              N/A                   tested*
Passcode
  16 Digit Passcode                      N/A                   tested*
  4 Digit Fixed Passcode                 N/A                   tested*
Next Tokencode Mode
  Next Tokencode Mode                    N/A                   tested*
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)               N/A                   tested*
  No RSA Authentication Manager          N/A                   tested*

Additional Functionality                 RSA Native Protocol   RADIUS Protocol
RSA Software Token Automation
  System Generated PIN                   N/A                   N/A
  User Defined (8 Digit Numeric)         N/A                   N/A
  Next Tokencode Mode                    N/A                   N/A
RSA SecurID 800 Token Automation
  System Generated PIN                   N/A                   N/A
  User Defined (8 Digit Numeric)         N/A                   N/A
  Next Tokencode Mode                    N/A                   N/A

Tested by: JGS / PAR
Legend: * = a Pass/Fail result symbol was printed in the original checklist but is not reproduced in this text copy. N/A = Non-Available Function.
Known Issues
The current web configuration does not allow more than one assigned failover server and does not provide an option to disable RADIUS accounting; both changes must be made from the shell (steps 5 and 6). Future versions should have these options available. The web browser login page for the ACS6000 Console Server does not support RSA SecurID two-factor RADIUS authentication at this time, so after step 8 web logins are protected by local passwords only; consider restricting network access to the web interface until this is addressed.