Technical data

RSA SecurID Authentication
© 2012 Meru Networks, Inc. Configuring Security 139
RSA SecurID Server (Authentication Manager)
RSA Authentication Agent
RSA SecurID Authenticator Token and Code
Each RSA SecurID token includes a factory-encoded, unique ‘seed.’ The token uses
this unique seed to generate an authentication code at fixed intervals (for example,
60 seconds). Because the code is derived from the built-in clock time and the unique
seed, it keeps changing at fixed intervals. Since the token's clock and the server's
clock are synchronized, the server generates authentication codes at the same fixed
intervals as the token. Possession of the resulting code is then combined with
knowledge of a PIN number to produce secure authentication.
RSA SecurID Server
Users are authenticated against the RSA SecurID Server with the username and the
passcode, which is the combination of the authentication code generated/displayed
by the token and the PIN (see above).
The first time a user uses the token, they are asked to choose a new PIN. The server
also requests a new time-synchronous PIN regularly or whenever the timing between
a token and a server ‘drifts.’ If the drift is more than 3 minutes, then the Server
requests the user to enter the next authentication code generated by the token in
the next interval to verify the possession of the token. If the next authentication
code has the same clock drift, then the token is assumed valid by the Server.
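The drift handling described above, sketched as an added example that is not Meru or RSA code. The code generator is an HMAC-SHA256 stand-in for RSA's proprietary algorithm; the passcode layout (PIN followed by a six-digit code), the 10-minute search window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

INTERVAL = 60        # seconds per code (the text's example interval)
DRIFT_LIMIT = 180    # 3 minutes: beyond this the server asks for the next code
SEARCH_WINDOW = 600  # assumption: how far either side of its clock the server searches
CODE_LEN = 6         # assumption: six-digit token code

def token_code(seed: bytes, t: int) -> str:
    """Stand-in generator (HMAC-SHA256 over the interval number), not RSA's algorithm."""
    digest = hmac.new(seed, (t // INTERVAL).to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**CODE_LEN:0{CODE_LEN}d}"

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

def find_drift(seed: bytes, code: str, server_time: int):
    """Return the token clock offset (seconds) that produces `code`, nearest first."""
    steps = SEARCH_WINDOW // INTERVAL
    for n in sorted(range(-steps, steps + 1), key=abs):
        if same(token_code(seed, server_time + n * INTERVAL), code):
            return n * INTERVAL
    return None

def authenticate(seed: bytes, pin: str, passcode: str, server_time: int):
    """Check PIN + token code; return (status, drift_seconds)."""
    user_pin, code = passcode[:-CODE_LEN], passcode[-CODE_LEN:]
    drift = find_drift(seed, code, server_time)
    if not same(user_pin, pin) or drift is None:
        return ("reject", None)
    if abs(drift) > DRIFT_LIMIT:
        return ("next_code_required", drift)  # possession still has to be proven
    return ("accept", drift)

def confirm_next_code(seed: bytes, code: str, server_time: int, drift: int) -> bool:
    """Accept only if the following interval's code shows the same clock drift."""
    return same(token_code(seed, server_time + drift), code)
```

Resubmitting the code that triggered the challenge fails `confirm_next_code`, because the server expects the code for the following interval at the same offset.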
RSA SecurID Agent
This authentication is similar to the standard username-passcode authentication, but
the passcode is not a single word. It is a numeric combination of the authentication
code in the token and the PIN known to the user.
RSA SecurID authentication can be achieved in two ways:
EAP-RSA based authentication - implemented currently
Native SecurID Authentication - not in use at this time
Configure RSA SecurID
Communication between an RSA server and a controller is the same as communication
between a controller and any other RADIUS server (IAS or FreeRADIUS). The only
difference is in the way the client authenticates to the RSA Server, by means of
two-factor authentication in which Meru does not interfere. Configure an RSA server
on a controller using the CLI command radius-profile. For example:
default# configure terminal
default(config)# radius-profile <RSA>