Installing and Configuring GTSecure(TM) Login

GTSecure Login protects routers by requiring a challenge handshake before a user can access the router operating system. The challenge handshake uses a secret based on the RSA Data Security, Inc. MD5 Message-Digest Algorithm. The secret is never sent over the LAN or WAN.

GTSecure Login includes a utility for either Microsoft® Windows(TM) NT, Windows 95, or UNIX® platforms. The GTSecure Login utility calculates responses to GTSecure challenges.

This document provides instructions for installing and configuring GTSecure Login. It includes the following sections:

Installing and Compiling the GTSecure Login Utility

Configuring and Using GTSecure Login

User Account Configuration Commands

Installing and Compiling the GTSecure Login Utility

There are two versions of the GTSecure Login utility available, one for UNIX platforms and one for Intel-based 386, or above, PCs.

UNIX Platforms

The UNIX version of the GTSecure Login utility comes compiled for SunOS(TM) version 4.1.x or greater. If you are using a different UNIX operating system, you must compile the GTSecure Login utility files.

Installing the GTSecure Login Utility on a UNIX Platform

The UNIX version of the GTSecure Login utility comes on a 3.5-inch disk in .tar format. To install the GTSecure Login utility on a UNIX platform, follow these steps:

1. Create a directory for the GTSecure Login utility and go to that directory.

2. Insert the 3.5-inch disk in the appropriate drive.

3. To copy the files to your directory, enter:

tar xvf /dev/device-name

4. To extract the files, enter:

tar xvf secure_login.tar

This generates two directories, src and obj, and places them in the directory you created. These directories contain the files necessary to compile and run the GTSecure Login utility.

Compiling the GTSecure Login Utility in UNIX

If you are using a UNIX operating system other than SunOS version 4.1.x or greater, you must compile the GTSecure Login utility files. To do so, you may be able to use any ANSI C compiler. Nx Networks has tested the GNU compiler (version 2.5.6 or greater) and the SunOS compiler (cc).

To compile the GTSecure Login utility, change to the obj directory and enter the following command:

make seclogin

This creates a new executable file called seclogin and places the file in the obj directory.

PC Platforms

The PC version of the GTSecure Login utility is a DOS utility that runs on Intel-based 386, or above, PCs. You can run GTSecure Login from the DOS command prompt in Microsoft Windows NT or from the MS-DOS prompt in Windows 95.

Installing the GTSecure Login Utility on a PC

The PC version of the GTSecure Login utility comes in a self-extracting ZIP file. To install it, follow these steps:

1. Create a directory for the GTSecure Login utility and go to that directory.

2. Insert the disk in the appropriate drive and copy the secstart.exe file to your hard drive.

3. To extract the files, enter:

secstart.exe

Configuring and Using GTSecure Login

After you have installed the GTSecure Login utility, follow these steps to configure and use GTSecure Login.

1. On your router, set up user accounts to control who can configure and monitor the router. The first account you set up should be for yourself as an administrative user.

Use the add user command.

Assign a user name, set the type of authentication to Challenge, enter an MD5 secret text string, and assign a permission level.

Config> add user
Enter user name: ? NewAdmin
Enter authentication type: (N)one, (P)assword, (C)hallenge, or (Q)uit [P]? c
Enter MD5 secret:
Enter MD5 secret again:
Enter permission: (A)dmin, (O)perations, (M)onitor, or (Q)uit [A]? a
User `NewAdmin' has been added

The console login is automatically enabled once you add an administrative user.

2. Create a technical support access account. This is optional.

After you add the first user, the router prompts you for adding technical support access.

Do you want to add Technical Support access? (Y)es, (N)o, or (Q)uit [Y]? yes

When you enter yes, the router prompts for adding a new account, as in step 1. Nx Networks personnel know the technical support password. Assign the Administrator permission level.

3. Restart the router for the console login to take effect.

Config>Ctrl P
*restart

4. Run Telnet to the GTSecure router.

5. Enter a user name. GTSecure displays a challenge in brackets along with the password prompt.

login: Admin
Password [kPn7SrFs]:

6. In the directory where the GTSecure Login utility resides, enter seclogin followed by the user name and secret that are configured on the GTSecure router and the challenge that GTSecure displayed.

seclogin user-name secret router-challenge

For example:

seclogin Admin adminsecret kPn7SrFs

The GTSecure Login utility calculates and displays a response to the challenge.

cm1/0C02

7. Enter the response into the GTSecure Telnet session.

Password [kPn7SrFs]:cm1/0C02

If the response is correct, GTSecure displays the * prompt.

User Account Configuration Commands

This section describes the user account configuration commands. Enter these commands at the Config> prompt.

Note: You must have Administrator permission level to create a new user account, to change or display user accounts, or to enable the console login.

Table 1 User Account Configuration Commands
Command	Function
Add User	Creates a new user account, including type of authentication and permission level.
Change Password	Changes a user's password or MD5 secret.
Change User	Changes a user's authentication type, password, MD5 secret, or permission level.
Delete User	Removes a user account from the router database.
Disable Console-login	Disables the console login.
Enable Console-login	Enables the console login.
List Users	Displays a list of current user accounts and the assigned permission levels and authentication types. Also, shows whether the console login is currently enabled or disabled.

Add User

Adds a new user account to the router. You can create up to 50 user accounts and one technical support access account. User names, passwords, and secrets can be up to 250 characters and are case sensitive.

Table 2 describes the permission levels. You must assign one of these permission levels to each user account:

Table 2 Access Permission Levels

Permission Access Level

Administrator (A)

Sets up, changes, and views user accounts. The administrator can perform all operations, including router configuration.

Operator (O)

Modifies operations of the router from the Monitor> monitoring prompt but cannot configure the router. Views router configuration and statistics, runs potentially disruptive tests, dynamically changes router operation, and restarts the router. All operator actions are undone with a system restart. Operators cannot view user accounts. Operators can change their own current password.

Monitor (M)

Views router configuration and statistics but cannot modify or disrupt the operation of the router. Monitors cannot view user accounts. Monitors can change their own current password.

Tech Support

Allows a Technical Support engineer to gain access to the router if a user forgets a password. You cannot assign this permission level to users.

Table 2 Access Permission Levels
Permission	Access Level
Administrator (A)	Sets up, changes, and views user accounts. The administrator can perform all operations, including router configuration.
Operator (O)	Modifies operations of the router from the `Monitor>` monitoring prompt but cannot configure the router. Views router configuration and statistics, runs potentially disruptive tests, dynamically changes router operation, and restarts the router. All operator actions are undone with a system restart. Operators cannot view user accounts. Operators can change their own current password.
Monitor (M)	Views router configuration and statistics but cannot modify or disrupt the operation of the router. Monitors cannot view user accounts. Monitors can change their own current password.
Tech Support	Allows a Technical Support engineer to gain access to the router if a user forgets a password. You cannot assign this permission level to users.

Syntax: add user

Example: add user

Enter user name: ? NewAdmin
Enter authentication type: (N)one, (P)assword, (C)hallenge, or (Q)uit  [C]? c
Enter MD5 secret:
Enter MD5 secret again:
Enter permission: (A)dmin, (O)perations, (M)onitor, or (Q)uit  [A]? a
User `NewAdmin' has been added


Enter user name	The name that identifies the user.
Enter authentication type	The type of authentication for the user: N (None), P (Password), or C (Challenge).
Enter MD5 secret	If the authentication type is Challenge, prompts for the MD5 secret for the user.
Enter MD5 secret again	If the authentication type is Challenge, confirms the MD5 secret.
Enter password	If the authentication type is Password, prompts for the user's password. The password is case sensitive.
Enter password again	If the authentication type is Password, confirms the password.
Enter permission	The category of access privilege for the user: A (Administrator), O (Operator), or M (Monitor). (See Table 2 above.)

Change Password

Changes the current user's password or MD5 secret. Any currently logged in user, with any permission level, can change the password or MD5 secret for their own account.

Syntax: change password

Example: change password

Enter current MD5 secret:
Enter new MD5 secret: 
Enter new MD5 secret again: 
Current user's MD5 secret has been changed

Change User

Changes a user account that you previously added.

Syntax: change user

Example: change user

Enter user name: ? NewAdmin
Change authentication type? (Y)es, (N)o, or (Q)uit [N]? y
Enter authentication type: (N)one, (P)assword, (C)hallenge, or (Q)uit [P]? c
Enter MD5 secret: 
Enter MD5 secret again: 
Change permission? (Y)es, (N)o, or (Q)uit [N]? n
User `NewAdmin' has been changed

Delete User

Removes a user account from the router database.

Syntax: delete user

Example: delete user

Enter user name: ? NewAdmin
Delete user `NewAdmin'? (Y)es, (N)o, or (Q)uit [N]? y
User `NewAdmin' has been deleted

Disable Console-login

Turns off prompts for logging in of user name and password. Creating an administrative user account automatically enables console login.

Syntax: disable console-login

Example: disable console-login

Enable Console-login

Enables prompts for logging in of user name and password. You must have defined at least one administrator for this command to take effect. Until you add an administrator, at each startup the system displays a message that console login is not activated. Creating an administrator account automatically enables console login. You need to use the enable console-login command only if you previously disabled it.

Syntax: enable console-login

Example: enable console-login

List Users

Displays a list of all user accounts, showing the permission level, authentication type, and user name of each account. Also shows whether console-login is enabled or disabled.

Syntax: list users

Example: list users

PERMISSION    AUTHENTICATION      USER
Admin         None                nadmin
Tech Support  Challenge/Response  Proteon
Monitor       None                xx
Monitor       Challenge/Response  cmon
Monitor       Password            pmon
Admin         Challenge/Response  NewAdmin

Console login is enabled

Installing and Configuring GTSecure(TM) Login

Configuring and Using GTSecure Login

User Account Configuration Commands

Installing and Compiling the GTSecure Login Utility

Configuring and Using GTSecure Login

User Account Configuration Commands

Table 1 User Account Configuration Commands

Table 2 Access Permission Levels

Change User

Delete User

Disable Console-login