To configure tokens for a particular vendor, you must perform a series of procedures. Use the following list to ensure you perform all the required procedures:
Create an Authentication Container object.
You must create at least one Authentication Container object for each vendor you support.
Initialize the tokens.
You must initialize or program each token with the profile parameters.
The initialization information must also be stored in NDS or eDirectory in an Authentication Device object. There are three methods to initialize tokens, create the Authentication Device object, and store the data in eDirectory:
Import factory initialization data (device images) on preinitialized tokens from a disk into NDS or eDirectory.
Locally initialize the token by selecting the parameters in NetWare Administrator and downloading the data to the token using special initialization hardware.
Manually initialize the token by selecting the parameters in NetWare Administrator and manually keying in the initialization codes from the keypad.
Assign the tokens.
You can assign tokens to users from the Authentication Device object page or from the User object page.
Configure token authentication in the Dial Access System object.
You must configure the Dial Access System object policy to allow token authentication as a method.
Grant rights to access token objects.
You must grant the appropriate rights to the Dial Access System object to access the token objects.
Authentication Container Object
The Authentication Container object contains the Authentication Device objects (tokens or smart cards) from a single vendor and manages the common configuration tasks for these objects. All Authentication Device objects must be contained within an Authentication Container object. Therefore, you must create at least one Authentication Container object for each vendor you support. You may create multiple Authentication Container objects if you would like to store the Authentication Device objects from a vendor in more than one location in eDirectory. This object consists of the following pages:
Identification---Identifies the name of the Authentication Container object and the type of tokens (from what vendor) that are contained in the object.
Import Device Images---Lets you import the device images containing the initialization information of a series of factory-preinitialized tokens. For each device image you import, a device object in eDirectory is automatically created.
Manual Initialization---Lets you initialize a token by generating and displaying the necessary initialization codes for you to enter manually into the token keypad. When you manually initialize a token, if the device object does not already exist in eDirectory, one is automatically created.
Local Initialization---Lets you initialize a token that you have placed in the token initializer hardware attached locally to your administration workstation. When you locally initialize a token, if the device object does not already exist in eDirectory, one is automatically created.
Token Assignment---Lets you assign devices to users. You can use this page to assign a single token to a user, or quickly assign a series of serialized tokens to a series of users.
Authentication Device Object
The Authentication Device object contains information about a single token or other device. When you import or initialize a token, an Authentication Device object is created. This object contains the following pages:
Identification---Identifies the token name, assigned user, type, and status.
Assignment---Lets you assign the token to a user and enable or disable the token.
Synchronize---Lets you synchronize the token. You have the option of synchronizing the token manually or automatically the next time the token is used. For manual synchronization, you must specify the event, clock value, or both.
Password Tests---Lets you test the token to verify that it can correctly generate a password. You can test both the synchronous and asynchronous methods of password generation.
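The Synchronize and Password Tests pages above describe what the server keeps for each token: an event count, a clock value, and the ability to verify synchronous (counter/clock) and asynchronous (challenge/response) codes. The following is an added illustration, not Novell's code, of how such a server-side record behaves; the code derivation, the window sizes and the constructed seed are assumptions, since vendor algorithms are proprietary.

```python
import hmac
import hashlib


def token_code(secret: bytes, event: int, clock: int, challenge: bytes = b"") -> str:
    # Hypothetical 6-digit derivation standing in for a vendor's proprietary one.
    msg = event.to_bytes(8, "big") + clock.to_bytes(8, "big") + challenge
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class DeviceRecord:
    """Server-side state of one Authentication Device object (constructed model)."""

    def __init__(self, secret, event=0, clock=0, event_window=3, clock_window=2):
        self.secret = secret
        self.event = event            # last event count accepted from this token
        self.clock = clock            # learned offset of the token clock vs. server clock
        self.event_window = event_window
        self.clock_window = clock_window
        self.enabled = True           # the Assignment page's enable/disable flag

    def synchronize(self, event=None, clock=None):
        """Manual synchronization: the operator supplies the event, clock value, or both."""
        if event is not None:
            self.event = event
        if clock is not None:
            self.clock = clock

    def verify_synchronous(self, code, clock_now):
        """Synchronous test: accept a code inside the event and clock drift windows,
        then re-synchronize the stored values (the 'automatic' option)."""
        if not self.enabled:
            return False
        base = clock_now + self.clock
        for ev in range(self.event + 1, self.event + 1 + self.event_window):
            for ck in range(base - self.clock_window, base + self.clock_window + 1):
                if hmac.compare_digest(token_code(self.secret, ev, ck), code):
                    self.event = ev               # counter only moves forward: no replay
                    self.clock = ck - clock_now   # relearn drift
                    return True
        return False

    def verify_asynchronous(self, code, challenge):
        """Asynchronous test: challenge/response, independent of the event count."""
        expected = token_code(self.secret, 0, 0, challenge)
        return self.enabled and hmac.compare_digest(expected, code)
```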
Protecting Device Data in NDS or eDirectory
The authentication device data stored in NDS or eDirectory is critical to system security. This data should be carefully protected and access to it should be restricted to authentication servers and administrators who require access.
Sensitive information stored on authentication device objects is encrypted automatically; however, additional measures should be taken to protect this data. We recommend the following:
Create a partition at the authentication device container
Restrict replication of authentication device partitions to a few servers that are well controlled
Ensure that backup copies of authentication device objects are protected
Create access controls to allow administrators and Dial Access System objects to read and write these objects
Block inherited rights and ensure access control lists (ACLs) are only for objects that should have access