For a more restrictive security policy, a one-time password would be used.
One-time passwords are a unique combination of something a person knows (like a PIN or password) and something a person possesses (like a token card).
A one-time password is more secure than a simple password since it changes every time the user logs in and can only be used once; therefore, it is safe against spoofing and replay attacks.
There are three commonly used ways to create one-time passwords:
– Token cards are the most common way. The two most common token cards are the SecurID card by Security Dynamics and the DES Gold card by Enigma Logic. In one, the user enters a PIN into the card and the card displays the one-time password, which the user types in at their terminal. In the other, the user appends a PIN to the random number displayed on the token card and enters this new password at their terminal.
– Soft tokens are the same as token cards except that the user doesn't have to carry around a physical card. Software running on the user's PC performs the same function as the token card, and the user need only enter a PIN.
– S/Key is a PC application that presents a dialog box to the user upon login, into which the user must enter the correct combination of six key words.
The process used to send the one-time password to the NAS is virtually the same as that used for the password example described in the previous slide. When the NAS receives the one-time password, it forwards it to the AAA server using either TACACS+ or RADIUS protocol. When the AAA server receives the one-time password, it forwards it to a token server for authentication. The accept or reject message flows back to the NAS through the AAA server.
Authentication, Authorization, and Accounting (AAA)
We've mentioned AAA servers. What does this mean? AAA stands for authentication, authorization, and accounting.
Authentication provides exact end-user verification. I need to know exactly who this person is, and how they prove it to me.
Authorization is the second step. Now that I know who you are, what can you do? I need to assign IP addresses, provide routes, and block access to certain resources. Everything I can do to a local user, I should be able to control for a remote user.
Accounting is the last step. I need to create an accurate record of this user's transactions. How long were they connected? How much data did they FTP? What was the cause of their disconnection? This allows me not only to bill my customers accurately, but to understand my user base.
A AAA server provides a centralized security database that offers per-user access control. It supports services such as TACACS+ and RADIUS, which we'll discuss in a minute, as well as services such as:
– Per-user access lists – load per-user ACLs after authentication
– Per-user static routes
– Lock & Key
– AutoCommand – links the user to a user profile so that preferences take effect; adds efficiency and provides limits on their access and use.