
Service-Specific Remote Access Security

Each remote access service has its own security-related options. You must configure the service-specific security options to provide a secure system on your network.


Configuring PPP Remote Node Service Security

To configure PPPRNS security, complete the following steps:

  1. Select Configure Services from the Remote Access Options window.

    The Remote Access Services window is displayed.

  2. Select PPPRNS.

    The PPPRNS Configuration Options window is displayed.

  3. Select Configure Security.

    The PPPRNS Configuration window is displayed.

  4. Select Enable Security and specify Yes or No to enable or disable PPPRNS security.

    NOTE:  When security is disabled, callers can establish a connection successfully by entering a valid username without a password. However, callers still must log in to the network.

  5. Specify Yes or No to enable or disable the NetWare Connect Authentication Protocol (NWCAP).

    This method is supported by the Dialer remote access dialer. NWCAP allows the NetWare password to be used as the Remote Client password (the default).

  6. Specify Yes or No to enable or disable the Password Authentication Protocol.

    The default is No. If you enable this protocol, callers configured for PAP must specify the Remote Client password to successfully establish a connection. This method is supported by the remote access dialer. Enable this option if you have UNIX clients that support PAP.

  7. Specify Yes or No to enable or disable the Challenge Handshake Authentication Protocol.

    This method is not supported by the remote access dialer shipped with Novell Internet Access Server 4.1. This method requires callers to specify a Remote Client password to establish a connection. To set Remote Client passwords, refer to Setting Remote Client Passwords.

    NOTE:  Enable this option if you have the native Windows 95 or Windows NT dialers. To let PAP or CHAP users authenticate even if they do not have a Remote Client password, enter Set PPPRNS AdmitNoConfig=ON at the server console. The default is OFF. Setting this option to ON is not recommended.
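
The difference between the PAP and CHAP options in steps 6 and 7 is what crosses the dial-up link. The following is an added example, not part of the original Novell documentation: it builds the standard PAP Authenticate-Request (RFC 1334) and the CHAP Challenge/Response pair (RFC 1994) and checks whether the Remote Client password appears in each packet. The username, password and server name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (code 1): peer ID and password travel as-is."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def chap_challenge(ident: int, server_name: bytes) -> tuple[bytes, bytes]:
    """CHAP Challenge (code 1) carrying a fresh random 16-byte value."""
    value = os.urandom(16)
    body = bytes([len(value)]) + value + server_name
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body, value


def chap_response(ident: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response (code 2): MD5(identifier || secret || challenge)."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    body = bytes([len(digest)]) + digest + name
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def chap_verify(packet: bytes, secret: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from its own copy of the secret."""
    if len(packet) < 5 or packet[0] != 2:
        return False
    ident, length = struct.unpack("!BH", packet[1:4])
    received = packet[5:5 + packet[4]]
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return length == len(packet) and hmac.compare_digest(received, expected)


def demo() -> dict:
    user, password = b"jsmith", b"Example-Pass-1"  # constructed sample values
    pap = pap_authenticate_request(1, user, password)
    _, value = chap_challenge(2, b"NIAS-SERVER")   # constructed server name
    resp = chap_response(2, password, value, user)
    return {"pap_exposes_password": password in pap,
            "chap_exposes_password": password in resp,
            "chap_accepts_right_secret": chap_verify(resp, password, value),
            "chap_rejects_wrong_secret": not chap_verify(resp, b"wrong", value)}


if __name__ == "__main__":
    print(demo())
```

With PAP the Remote Client password is readable in the packet itself; with CHAP only a digest bound to a one-time challenge is sent.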


Configuring NASI Connection Service Security

With NASI Connection Service (NCS), security requires users to specify passwords for network workstations or specify usernames and passwords for remote workstations.

To configure NCS security, complete the following steps:

  1. Select Configure Services from the Remote Access Options window.

    The Remote Access Services window is displayed.

  2. Select NCS.

    The NCS Configuration Options window is displayed.

  3. Select Enable NCS Dial-In Security, then specify Yes or No to enable or disable this option.

    This security option applies to the remote workstation dialing in through the Service Selector (using the shared DIALIN port) to access host sessions on the network. The default (Yes) requires users to specify the Remote Client password. If this field is disabled, users are prompted only for a username.

    If the user is accessing a private session on the network, the dial-in username must be the same one used when NASI, Win2NCS, or Mac2NCS is loaded on the network workstation. If the user is accessing a public session on the network, the dial-in username can be different from the username used on the network workstation.

  4. Select Enable NASI Security, then specify Yes or No to enable or disable the option.

    This security option applies only to the NASI workstation on the network dialing out. The default (Yes) forces users to specify the NetWare password. If the user is not logged in to the network, NCS will also prompt for a username. If the field is disabled, users are not prompted for a username or password.


Configuring AppleTalk Remote Access Service Security

To enhance network security, you can prevent callers from accessing specific AppleTalk zones on the network in the following ways:


Setting Global Access for AppleTalk Zones

To set default zone restrictions, complete the following steps:

  1. Select Configure Services from the Remote Access Options window.

    The Services Options window is displayed.

  2. Select ARAS.

    The ARAS Configuration Options window is displayed.

  3. Select Set Default Zone Restriction.

    A restricted zone list is displayed. Initially, the Any Zone option is displayed and users have access to all zones.

  4. Press Ins to add zones to the list, or press Del to delete zones from the list.

    A list of other known zones is displayed.

  5. Select the zone to which you want to restrict access.

    Press F5 to select multiple zones.

  6. If the zone to which you want to restrict access does not appear in the Other Zone List window, press Ins, then enter the zone name.

    A valid zone name can contain up to 32 characters, including all printable characters.

  7. Press Esc to save your changes.

All users are now limited to accessing the AppleTalk zone or zones in the restricted zone list.


Setting User Access for AppleTalk Zones

To restrict individual users to specific AppleTalk zones, complete the following steps:

  1. Select Configure Services from the Remote Access Options window.

    The Services Options window is displayed.

  2. Select ARAS.

    The ARAS Configuration Options window is displayed.

  3. Select Set User Zone Restriction.

    A list of ARAS users is displayed.

    If users are distributed over multiple contexts, select the double period (..) to move up the Directory tree to a common branch. Select any other container object to move down the tree.

    If the CONNECT object does not have Browse rights to move up the Directory tree, press Ins and enter the new Directory context. This allows you to jump to another branch of the tree where the CONNECT object does have rights.

  4. Select a username.

    A restricted zone list for that user is displayed. Initially, the Any Zone option is displayed and the user has access to all zones. You can use F4 and F6 to copy access settings to or from another user.

    NOTE:  The Any Zone option is also displayed when default zones are defined. Select this option to select the default zone specification.

    The remote access server administrator can set zone restrictions for the user if the CONNECT object, in addition to having Browse and Read attribute rights, has Write attribute rights to the container in which the username resides.

  5. Press Ins to add zones to the list, or press Del to delete zones from the list.

    A list of other known zones is displayed.

  6. Select the zone to which you want to restrict access.

    Press F5 to select multiple zones from the list.

  7. If the zone to which you want to restrict access does not appear in the Other Zone list, press Ins, then enter the zone name.

  8. Press Esc to save your changes.

The users now are limited to accessing only the zones in the restricted zone list.


Automating the Connection

You can let AppleTalk Remote Access Client 2.0 callers automate the connection process by sending a stored password instead of manually entering the password every time.

To automate the connection, complete the following steps:

  1. Select Configure Services from the Remote Access Options window.

    The Services Options window is displayed.

  2. Select ARAS.

    The ARAS Configuration Options window is displayed.

  3. Select Setup Options.

    The Setup Options window is displayed.

  4. Select Prompt User for Remote Client Password, then specify Yes to have the user enter the password manually or No to have the client use the stored password.

  5. Press Esc to save the changes.


