To configure the AAA server to work with the RSA ACE/Server,
the following steps must be performed. If you are not familiar with
the ACE/Server, contact your ACE administrator for assistance.

Configuring the AAA Server for RSA Authentication

Identifying SecurID Users by User Name with Server Manager

For each individual user that will be authenticated through the ACE/Server, you will need to add a user profile to the RADIUS server.

Select the Users link from the Navigation Tree.
Select the New User link from the Define Users screen. The Users Attributes screen appears.
In the User Name field, identify the user profile by user name and the user's realm.
From the Authentication Type drop-down list, select SecurID.
Complete any of the remaining optional fields as necessary for your configuration.
Select the Create button.
Repeat steps 2 to 6 for as many users as needed.
Select the Save Configuration link from the Navigation Tree. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.

CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Identifying SecurID Users by Realm with Server Manager

For each realm using SecurID, you must associate the realm name with the ACE/Server that will perform the authentication.

Select the Local Realms link from the Navigation Tree.
Select the New Realm link from the Local Realms screen. The Realm Attributes screen appears.
In the Name field, enter the name of the realm to map to the defined SecurID location. This name does not have to be a DNS host name, although it is highly recommended that the realm name match a domain name so the user recognizes the user@realm syntax that resembles their e-mail address.
From the Authentication Type drop-down list, select SecurID.
From the Protocol drop-down list, select PAP.

IMPORTANT: Only PAP authentication is supported with the SecurID authentication type.

Complete any of the remaining optional fields as necessary for your configuration.
Select the Create button.
Repeat steps 2 to 8 as necessary for your configuration.
Select Save Configuration from the Navigation Frame. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.

CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Configuring the ACE/Server

Start the ACE/Server Administration program and verify that the AAA server has an entry on the list of clients.
If there is no corresponding entry, from the Client menu, select Add Client.
Complete the Client dialog box, giving the AAA server a Client type of Net OS Client as shown in the following figure:
Use SecurID documentation to add user profiles to the SecurID server.

Synchronizing the AAA Server with the ACE/Server

After the first successful SecurID Authentication, the AAA server will save a file called securid in the AAA server configuration directory (/etc/opt/aaa by default). The securid file contains secret information required for further ACE/Server authentication requests. If the AAA server has been reinstalled, or if this file is not present in the AAA server configuration directory, perform the following steps to synchronize the AAA server with the ACE/Server.

From the Client menu, select Edit Client.
Select the client that you need to edit.
From the Edit Client screen, make sure that the check box for Sent Node Secret is deselected as shown in the following figure. When this check box is deselected, the ACE/Server sends the securid file to the AAA server during the next SecurID authentication attempt initiated by the AAA server.
Select the OK button.
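
A check that follows from the synchronization section, as an added example that is not part of the original documentation or the product: it reports whether the securid file is present in the configuration directory and whether anyone other than its owner can access it. The function name, return codes, the owner-only permission policy and the treatment of an empty file as missing are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the securid file the AAA server saves after the
# first successful SecurID authentication.
# Return codes (chosen for this example, not defined by the product):
#   0 = file present and accessible by its owner only
#   1 = file missing or empty, so the synchronization steps are needed
#   2 = file is a symbolic link or grants access to group/others

check_securid_file() {
    conf_dir="${1:-/etc/opt/aaa}"      # default directory named on this page
    secret="$conf_dir/securid"

    # A symbolic link could point the server at a file kept elsewhere.
    if [ -L "$secret" ]; then
        echo "EXPOSED: $secret is a symbolic link" >&2
        return 2
    fi

    # Assumption: an empty file is treated like a missing one.
    if [ ! -f "$secret" ] || [ ! -s "$secret" ]; then
        echo "MISSING: $secret not found or empty;" \
             "deselect Sent Node Secret for this client on the ACE/Server" \
             "and authenticate again" >&2
        return 1
    fi

    # ls -ld prints a permission string such as -rw-------;
    # characters 5-10 are the group and other permission bits.
    perms=$(ls -ld "$secret" | cut -c1-10)
    group_other=$(printf '%s' "$perms" | cut -c5-10)

    if [ "$group_other" != "------" ]; then
        echo "EXPOSED: $secret has mode $perms;" \
             "restrict it to the account that runs the AAA server" >&2
        return 2
    fi

    echo "OK: $secret present with mode $perms"
    return 0
}

# Usage: check_securid_file              (audits /etc/opt/aaa/securid)
#        check_securid_file /some/dir    (audits /some/dir/securid)
```
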