Central Site Remote Access Switch 169

CONFIGURING SECURITY LEVEL

User Level Security

The following sections provide information regarding authentication via SecurID cards, system requirements for user level security, and the authentication process with user level security.

AUTHENTICATION USING A SECURITY TOKEN CARD

The CyberSWITCH supports interactive, user level security through the TACACS or ACE server programmed for use with security token cards. Token cards are credit card-sized devices. These cards are widely used throughout the computer industry for authentication. This concept of authentication is now available to ISDN connections via the CyberSWITCH. The CyberSWITCH version of user level security supports a security token card called SecurID, provided by Security Dynamics.

The SecurID card works on a "passcode" concept, which consists of two factors:
• a known value (the device's password)
• a dynamically-generated value (from the SecurID card)

Note: For more information specific to the SecurID card, refer to the documentation provided by Security Dynamics Technologies Inc.

The user is prompted for the passcode value at login. The following description illustrates how the user level authentication process works:

The CyberSWITCH provides user level security by having the remote user establish a Telnet connection to the system. While the remote user is being authenticated, a data filter is placed on the connection. This filter only allows the Telnet session traffic to flow over the connection between the user and the CyberSWITCH. During the Telnet session, the system collects user information (user Id, password and possibly a dynamic password) and requests authentication from the configured server. Once the user is authenticated, the data filter is removed from that connection. All remote user data is now forwarded on the connection.

If the user fails to be authenticated, the connection is released. The user must establish a new connection and perform validation again.

If the ISDN connection is released by either the ISDN network or by the remote device, the system treats this as a new authentication session and starts the validation sequence over.

Note that when a user establishes the Telnet connection to the CyberSWITCH, the user needs to Telnet into a special TCP port configured for the type of authentication the user wishes to use. For example, to get validated through the TACACS authentication server, the user needs to Telnet into port 7000 (the default value for the TACACS port). Different port numbers are used for other types of authentication servers such as RADIUS or ACE.

The following picture shows the relationship between the security server, an end user, and the computer that prompts for the input. The security clients and the security server communicate with each other using some special protocol, such as TACACS.
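The authentication gate described above, modelled as an added example that is not CyberSWITCH code: the pre-authentication data filter admits only the user's Telnet session to port 7000, a failed passcode releases the connection, and a dropped ISDN call forces a fresh validation. The SecurityServer stand-in, its passcode rule (password followed by the current SecurID value), and the address and user values are assumptions.

```python
from dataclasses import dataclass

TACACS_PORT = 7000  # default Telnet port for TACACS validation, per the manual

@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"

class SecurityServer:
    """Stand-in for the TACACS/ACE server (assumption, not a protocol client).
    A valid passcode is the known password followed by the value currently
    shown on the user's SecurID card."""

    def __init__(self, users):
        self.users = users  # user_id -> (password, current token value)

    def validate(self, user_id, passcode):
        entry = self.users.get(user_id)
        return entry is not None and passcode == entry[0] + entry[1]

class Connection:
    """One ISDN connection between a remote user and the switch."""

    def __init__(self, user_addr, switch_addr):
        self.user_addr, self.switch_addr = user_addr, switch_addr
        self.authenticated = self.released = False

    def allows(self, pkt):
        """Data filter: until authentication succeeds only the Telnet session
        to the authentication port may flow; afterwards all data is forwarded."""
        if self.released:
            return False
        return self.authenticated or (
            pkt.proto == "tcp" and pkt.src == self.user_addr
            and pkt.dst == self.switch_addr and pkt.dst_port == TACACS_PORT)

    def authenticate(self, user_id, passcode, server):
        """Submit the information collected over Telnet to the configured
        server. Success removes the filter; failure releases the call."""
        self.authenticated = server.validate(user_id, passcode)
        self.released = not self.authenticated
        return self.authenticated

    def release(self):
        """Call dropped by the network or remote device: validation starts over."""
        self.authenticated, self.released = False, True
```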