3.33. <AuthBy ACE>

The <AuthBy ACE> module performs authentication directly to an RSA Security Authentication manager (formerly SecurID ACE/Server). For more information, see RSA website Opens in new window. RSA Security Authentication Manager provides a token-based one-time password system. <AuthBy ACE> requires the Authen::ACE4 Perl module from CPAN. Compile it for your chosen Perl distribution. For more information, see Section 2.1.2. CPAN. You can also contact Radiator Software in case you need help with your Authen::ACE4 setup.
<AuthBy ACE> works with RSA Authentication Manager 7.1 and later. If you have AM 7.1 or later you might consider using <AuthBy RSAAM>, since it is more capable and more portable.
Before using this AuthBy method ensure that you have the following things:
<AuthBy ACE> works also with EAP-Generic-Token-Card and EAP-PEAP-Generic-Token-Card authentication, as well as RADIUS PAP and TTLS-PAP.
There are more detailed installation and testing instructions in the goodies/ace.txt file in your distribution.
An alternative to using <AuthBy ACE> is to proxy requests to the optional RADIUS server that comes with Authentication Manager (although that RADIUS server has many fewer features and supported platforms than Radiator).
There is an example Radiator configuration file for <AuthBy ACE> in goodies/ace.cfg in your Radiator distribution.
<AuthBy ACE> uses the State reply item to get the RADIUS client to carry the context from one step of authentication to the next. If you wish to test <AuthBy ACE> with radpwtst, use the -interactive flag.
radpwtst -interactive -user fred -password 1234574424

3.33.1. Using RSA Security token cards to log in with AuthBy ACE

RSA Security produce 2 main types of hardware tokens. ’Standard cards’ and ’key fobs’ tokens have an LCD display that changes every 60 seconds, but no other buttons or switches. ’Pinpad’ cards have an LCD display, and also 0-9 keys, a diamond button and a ‘P’ button. The way you generate your password depends on the type of token you have.
In RSA terminology, the number displayed by a token is called the ’tokencode’ The number is typically 6 or 8 digits long and changes every 60 seconds. The ’PIN’ is a secret 4 digit or longer number that you will be assigned (or may have selected) and which you must remember. The ’passcode’ is what you use as your password to log in, and consists of the PIN followed by the tokencode.
For standard tokens, the passcode is formed from the PIN followed by the tokencode displayed on the token at that time. So, for example, if the PIN you have remembered that was assigned to you is ‘1234’, and the token is currently displaying the tokencode ‘627351’, then the passcode that you will use as your password is ‘1234627351’ (that is 10 digits). See Figure 1. Making a password from an RSA Security Token Code (not for Pinpads).

Figure 1. Making a password from an RSA Security Token Code (not for Pinpads)

When a standard token is set to New PIN Mode by the ACE administrator, you must first login in with your PIN and the current tokencode, and you will then be prompted by Radiator for your new PIN. If the token is set to New PIN mode and also has a Cleared PIN, you must omit your PIN.
For Pinpad tokens, you have to enter the PIN into the token to generate the passcode. If for example, your remembered PIN is 1234, enter the PIN into the Pinpad one digit at a time (press 1 - 2 - 3 - 4), then press the diamond button. The token will then display a new tokencode, say ‘736284’. You would then use 736284 (that’s only 6 digits) as your password. When a Pinpad token is set to New Pin Mode by the ACE administrator, you must create your passcode in the usual way and then the system will prompt them for their new PIN., When a Pinpad is in New Pin Mode and also has a cleared PIN, the user must enter the tokencode showing on the token (without using a PIN) first, and then the system will prompt them for their new PIN.
Note that some types of tokens display an 8 digit tokencode, rather than a 6 digit tokencode. AuthBy ACE understands the following parameters as well as those described in Section 3.32. <AuthBy xxxxxx>.

3.33.2. ConfigDirectory

This optional parameter specifies the location of the ACE Agent sdconf.rec file, which the ACE Agent client libraries use to find the location of the ACE server(s). It is also the directory where the node secret files will be saved. The user ID that runs Radiator must have read and write access to this directory. The file sdconf.rec must be present on the machine where AuthBy ACE is running. Defaults to the value of the VAR_ACE environment variable, if set, else /var/ace/. This parameter has no effect on Windows.
ConfigDirectory /opt/ace/data

3.33.3. Timeout

This optional parameter specifies the maximum time that a single ACE authentication is allowed to take. A typical ACE authentication will require several RADIUS transactions, involving multiple requests and challenges until the final Access-Accept is sent, and there is no guarantee that the user will complete the authentication process. If the total time for the authentication exceeds this number of seconds, the authentication will be abandoned. Defaults to 300 seconds (5 minutes).

3.33.4. EnableFastPINChange

Some NASs, notably some Juniper devices, have non-standard behaviour in New Pin Mode: when the user is asked whether they want to set their PIN, the NAS automatically gets the new PIN from the user and returns it to the Radiator server, which is expected to use it to set the PIN immediately. This flag enables compatibility with this behaviour if the user/device enters a PIN instead of ‘y’ or ‘n’. If EnableFastPINChange is enabled and the token is in New PIN mode and the users response does not look like ‘y’ or ‘n’, then the response will be used to set the new PIN, bypassing the PIN confirmation dialogues. Defaults to disabled.