Xerox 3550 All in One Printer User Manual


 
XEROX WorkCentre 3550
Information Assurance Disclosure Paper
Ver. 1.3, March 2011 Page 21 of 32
3. System Access
3.1. Authentication Model
The authentication model allows for the following:
Local Authentication: Provides access to the scan to network and scan to email services. User account
information is kept in a local accounts database and the authentication process will take place
locally.
Network Authentication: Provides access to the scan to network and scan to email services. User
network credentials are used to authenticate the user at the network domain controller.
Authorization: Provides three levels of access to the CentreWare Internet Services and to the Local User
Interface: system administrator, key user and all users.
3.2. Login and Authentication Methods
There are a number of methods for different types of users to be authenticated. In addition, the
connected versions of the product also log into remote servers. A description of these behaviors follows.
3.2.1. System Administrator Login [All product configurations]
Users must authenticate themselves to the device. To access the User Tools via the Local UI, a PIN is
required. The customer can set the PIN to anywhere from 4 to 32 alphanumeric characters in length.
This PIN is stored in the controller NVM and is inaccessible to the user. Xerox strongly recommends that
this PIN be changed from its default value immediately upon product installation. The PIN should be set
to a minimum of 8 characters in length and changed at least once per month. Longer PINs can be
changed less frequently; a 9-character PIN would be good for a year. The same PIN is used to access the
Administration screens in the Web UI.
3.2.2. User Authentication
Users may authenticate to the device using Kerberos, LDAP or SMB Domain authentication protocols.
Once the user is authenticated to the device, the user may proceed to use the scan to network and scan
to email features.
The Web UI allows a system administrator (SA) to set up a default authentication domain and as many as
6 additional alternate authentication domains. The device will attempt to authenticate the user at each
domain server in turn until authentication is successful or the list is exhausted.
3.2.2.1. Kerberos Authentication (Solaris or Windows 2000/Windows 2003)
This is an option that must be enabled on the device, and is used in conjunction with scan to network and
scan to email features. The authentication steps are:
1) A user enters a user name and password at the device in the Local UI. The device sends an
authentication request to the Kerberos Server.
2) The Kerberos Server responds with the encrypted credentials of the user attempting to sign on.
3) The device attempts to decrypt the credentials using the entered password. The user is
authenticated if the credentials can be decrypted.
4) The device then logs on to the LDAP server and queries it, trying to match an email address against the
user’s Login Name.
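
The following added example (not taken from the Xerox paper or the device firmware) models steps 1 to 3 together with the domain fallback described in section 3.2.2. The cipher is a toy stand-in for a real Kerberos encryption type, and ToyKDC, device_login, the realm names and the accounts are hypothetical.

```python
import hashlib, hmac, os

# Toy stand-in for a Kerberos encryption type (NOT real Kerberos crypto):
# PBKDF2 key from the password, HMAC-SHA256 keystream, encrypt-then-MAC.
def string_to_key(password, realm, user):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 10_000)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key: "credentials cannot be decrypted"
    return _xor_stream(_subkey(key, b"enc"), body[:16], body[16:])

class ToyKDC:
    """Hypothetical KDC for one realm; it stores derived keys, never passwords."""
    def __init__(self, realm, accounts):
        self.realm = realm
        self.keys = {u: string_to_key(p, realm, u) for u, p in accounts.items()}

    def as_request(self, user):  # steps 1-2: request in, sealed credentials out
        key = self.keys.get(user)
        return seal(key, os.urandom(32)) if key else None  # payload = session key

def device_login(user, password, kdcs):
    """Step 3 plus the domain fallback: try each realm in configured order."""
    for attempt, kdc in enumerate(kdcs, start=1):
        reply = kdc.as_request(user)  # the password itself is never sent
        if reply and unseal(string_to_key(password, kdc.realm, user), reply) is not None:
            return kdc.realm, attempt
    return None, len(kdcs)

# Constructed sample data: a default domain and one alternate domain.
KDCS = [ToyKDC("CORP.EXAMPLE", {"alice": "correct horse"}),
        ToyKDC("LAB.EXAMPLE", {"bob": "battery staple"})]
```

device_login returns the realm that accepted the user and how many domains were tried, which makes the sequential fallback visible when reviewing how many servers a single sign-on attempt touches.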