Chapter 6 - Basic Configuration Guide 27
Setting up SecurID Authentication
If you are using Security Dynamics' ACE/Server software for user authentication, you must set
up the IntraPort Enterprise-8 to communicate with the ACE/Server.
The Security Dynamics ACE/Server software performs dynamic two-factor SecurID
authentication. Dynamic two-factor authentication combines something the user knows – a memorized
personal identification number (PIN) – with something the user possesses – a SecurID token
which generates an unpredictable code every 60 seconds. This combination of PIN and
SecurID tokencode represents a one-time PASSCODE and is transmitted to the ACE/Server
software for verification. See Appendix C for information on how to obtain ACE/Server
software and SecurID tokens.
To use ACE/Server software with the IntraPort Enterprise-8, you will need the following:
• ACE/Server software running on a supported platform (see the ACE/Server
Installation Guide or README document for a current list of ACE/Server-supported
platforms and other server requirements)
• The VPN Client software, which functions as an ACE/Agent, running on a supported
platform
• SecurID tokens, distributed to appropriate personnel who will use them to access the
ACE/Server-protected ACE Agents, including the VPN Client
Setting the IntraPort Enterprise-8 for an ACE/Server
Just a few basic settings are required for the IntraPort Enterprise-8 to communicate with an
ACE/Server:
• SecurID on
• Encryption method
• ACE/Server IP address
• Enable SecurID for a group of IntraPort users
CV: Use the SecurID Configuration Dialog Box (under Global/SecurID) to enable SecurID
and set the encryption method and server address.
Use the SecurID tab in the VPN Group Configuration Dialog Box to enable SecurID
for a group of users.
TB: Use the configure command and set the Enabled, EncryptMeth and PrimaryServer
keywords in the SecurID section, then set the SecurIDRequired keyword in a VPN
Group Name section.
ACE/Server Settings
To configure the ACE/Server for communication with the IntraPort Enterprise-8, consult the
ACE/Server Installation Guide. You should consult the ACE/Server Administration Manual on
the ACE/Server CD-ROM for instructions on adding and removing users in the ACE/Server
database.
Note: The IntraPort Enterprise-8 should be configured as a communication server in the
Client Type pull-down menu in the ACE/Server’s Add Client dialog box (under Client/Add
Client).
Note: The first time the IntraPort Enterprise-8 contacts the ACE/Server, they exchange a
secret based in part on the IntraPort’s IP address. After the first exchange, the Sent Node
Secret checkbox in the ACE/Server’s Add Client dialog box (which can be accessed using the
Add Client option under the Client menu) will be checked. The checkbox will be grayed out
until this initial exchange has taken place. Any major changes to the IntraPort Enterprise-8’s
configuration (such as changing its IP address) will mean that the IntraPort and the
ACE/Server will no longer be able to communicate. To get around this, simply uncheck the
Sent Node Secret checkbox on the ACE/Server and issue the reset securid secret command in
the IntraPort. Remember to save the changes to both devices. The two devices will do a new
secret exchange and will be able to communicate again.