Authentication Of User's

To gain access to a SecurID protected system, a user must enter a valid SecurID PASSCODE. A SecurID PASSCODE consists of the two following parts.

The RSA ACE/Server works with SecurID tokens to authenticate the identity of users. Most SecurID tokens are small, handheld devices containing microprocessors that calculate and display unpredictable codes. These codes change at specified intervals, typically 60 seconds. User tokens are time synchronized with the ACE/Server so that the pseudo random code displayed by a user's token is the same code the ACE/Server software has generated for that time interval. To determine if an access attempt is valid, the ACE/Server compares the code it has generated with the code a user enters as the user's current SecurID code. If the codes do not match or if the wrong PIN is entered, the user is denied access. For further information on SecurID tokens, refer to your ACE/Server documentation.

When a user configured for SecurID authentication is being authenticated by a NAS, the NAS will send an Access-Request message to the AAA Server. The SecurID AATV provides ACE/Agent functionality for the AAA server. The SecurID AATV translates RADIUS protocol messages from the AAA server into SecurID requests and forwards these requests on to the ACE/Server. The SecurID AATV translates SecurID responses from the ACE/Server to RADIUS protocol messages and forwards these messages back to the AAA server.

	NOTE: When SecurID users are prompted to enter their password, the user must enter a SecurID PASSCODE. To support the SecurID authentication, a NAS must support RADIUS Access-Challenge messages.