Lantronix SCS Reference Manual page 189

Security
If someone eavesdrops on a connection attempt and obtains a passcode, the passcode will not be
useful; a new passcode will be required in a few minutes. This enhances the security of Telnet
connections.
Disadvantages include:
- If the caller attempts to use CHAP for authentication, SecurID cannot be used.
- Users are required to carry the token card.
- SecurID cannot be used for LAN to LAN connections, as the SCS has no way to generate passcodes.
- The SecurID server must be configured.
- SecurID authentication is case-sensitive.
Note:
The Security Dynamics SecurID system requires communication between the ACE/Server and the end-user.
For example, the user must enter a new PIN when a SecurID card is first used, and a second passcode when
locked out.
PAP does not allow for these types of messages or additional user input. Therefore, it is strongly
recommended that SecurID be run from character mode only. It is possible to use SecurID with PAP,
provided that situations like those mentioned above are either prevented or handled in text mode on the next
call.
11.4.4.1 Configuring SecurID
To log into the SCS, the user must enter a username at the username prompt, and the passcode at the
password prompt.
To specify the SecurID ACE/Server for authentication of username/passcodes, use the Set/Define
Authentication SecurID command:
Local>> DEFINE AUTHENTICATION SECURID PRECEDENCE 4
Local>> DEFINE AUTHENTICATION SECURID PRIMARY 192.0.1.50
Local>> DEFINE AUTHENTICATION SECURID SECONDARY 192.0.1.51
After SecurID is configured on the SCS, the SCS will receive further configuration information from the
ACE/Server. However, this only happens the first time that the SCS and ACE/Server communicate. If you
purge the authentication information on the SCS or change the precedence of SecurID, this learned
information will be lost. You will need to have your ACE/Server administrator reinitialize the SCS with
ACE/Server for SecurID to function properly again.
If SecurID receives repeated authentication requests for an invalid username/password pair, it assumes that
a login attack is taking place. SecurID will react by continually slowing its responses to the SCS. This
problem can be avoided by ensuring that SecurID has the highest precedence number. For example, if
you're using SecurID, Kerberos, and a UNIX password file, set SecurID's precedence to 3.
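The effect of the precedence setting described above can be seen in a small model. This is an added example, not code from the Lantronix manual; it assumes the SCS tries each database in ascending precedence order and stops at the first one that accepts the pair, and all account names and secrets are constructed.

```python
# Added illustration of the precedence-ordered lookup described above.
# Assumption: databases are tried in ascending precedence order and the
# first one that accepts the username/password pair ends the search.

def make_db(accounts):
    """Return a checker for a constructed account table {user: secret}."""
    return lambda user, secret: accounts.get(user) == secret

# Constructed sample databases (not real accounts).
KERBEROS = make_db({"alice": "krb-pass"})
UNIX_FILE = make_db({"bob": "unix-pass"})
SECURID = make_db({"carol": "123456"})  # stands in for a valid passcode

def simulate(precedence, logins):
    """Run logins through the chain and count rejects seen by each database.

    precedence: {name: (number, checker)}; lower numbers are tried first.
    Returns (accepted_count, {name: rejected_requests}).
    """
    chain = sorted(precedence.items(), key=lambda kv: kv[1][0])
    rejects = {name: 0 for name in precedence}
    accepted = 0
    for user, secret in logins:
        for name, (_, check) in chain:
            if check(user, secret):
                accepted += 1
                break
            rejects[name] += 1  # this database saw an invalid pair
    return accepted, rejects

# Constructed login attempts: every one is legitimate for some database.
LOGINS = [("alice", "krb-pass"), ("bob", "unix-pass"), ("carol", "123456")] * 5

securid_first = {"securid": (1, SECURID), "kerberos": (2, KERBEROS),
                 "unix": (3, UNIX_FILE)}
securid_last = {"kerberos": (1, KERBEROS), "unix": (2, UNIX_FILE),
                "securid": (3, SECURID)}

if __name__ == "__main__":
    for label, cfg in (("SecurID first", securid_first),
                       ("SecurID last", securid_last)):
        ok, rejects = simulate(cfg, LOGINS)
        print(f"{label}: accepted={ok}, "
              f"invalid pairs sent to SecurID={rejects['securid']}")
```

With SecurID at precedence 1, every Kerberos and UNIX user's valid login reaches the ACE/Server first as an invalid pair; at precedence 3, only requests the other databases did not accept reach it.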
For additional SecurID configuration instructions, see Set/Define Authentication SecurID on page 12-159.
Figure 11-33: Configuring the SCS to Use SecurID