When you configure services on the firewall that require strong user authentication (such as S/Key or digital signatures), you need to provide the users in question with authentication agent programs to handle the authentication requests that are generated by the firewall.
When the firewall receives a request for a service (such as a TCP connection attempt) that requires such authentication, it attempts to make a connection back to the client host. The authentication agents are responsible for listening for and handling such connections. If an authentication agent is running on the client machine, the connection is accepted. The firewall then provides the authentication agent with the address and port details of the service request. The authentication agent in turn provides the firewall with a user name and authentication method. The firewall then issues a challenge to the agent, in the form of an S/Key seed and sequence number (for S/Key) or a random challenge string (for digital signatures). The agent then sends back an S/Key password or the challenge signature. To do this, the agent may need to request a password from the user, for example by popping up a dialog box (in a GUI environment) or issuing a text-mode prompt (for UNIX systems in a non-GUI environment).
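The S/Key branch of the exchange described above can be sketched as follows. This is an added example, not code from the firewall or its agents. It assumes a simplified hash chain with SHA-256 truncated to 64 bits standing in for the MD4-based function of real S/Key (RFC 1760); the class and function names and the seed and passphrase values are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Stand-in one-way function (assumption): SHA-256 truncated to 64 bits.
    # Real S/Key (RFC 1760) uses MD4 folded to 64 bits.
    return hashlib.sha256(data).digest()[:8]

def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Agent side: hash seed+passphrase once, then apply h() seq more times."""
    value = h((seed + passphrase).encode())
    for _ in range(seq):
        value = h(value)
    return value

class FirewallRecord:
    """Firewall side (hypothetical): per-user state, never the passphrase."""
    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed, self.seq, self.last_otp = seed, seq, last_otp

    def challenge(self):
        # Ask for the password one step before the stored one in the chain.
        return self.seed, self.seq - 1

    def verify(self, response: bytes) -> bool:
        if self.seq <= 0:
            return False  # chain exhausted: the user must be re-initialised
        # One more hash of a valid response reproduces the stored value.
        if not hmac.compare_digest(h(response), self.last_otp):
            return False
        self.last_otp = response  # each password is accepted only once
        self.seq -= 1
        return True

def demo():
    passphrase, seed = "constructed passphrase", "ce12345"  # constructed values
    record = FirewallRecord(seed, 99, otp(passphrase, seed, 99))
    c_seed, c_seq = record.challenge()
    first = otp(passphrase, c_seed, c_seq)
    results = [record.verify(first)]       # fresh response is accepted
    results.append(record.verify(first))   # replayed response is rejected
    c_seed, c_seq = record.challenge()
    results.append(c_seq)                  # sequence number has moved down
    results.append(record.verify(otp(passphrase, c_seed, c_seq)))
    results.append(record.verify(otp("wrong guess", c_seed, c_seq - 1)))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the firewall stores only the last accepted one-time password, a captured response cannot be replayed and a copy of the firewall's record does not reveal the passphrase.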
By default, authentication callbacks are made on port 1507. The agents can be configured to use a different port. To change the port used by the firewall, edit the /etc/cequrux.cfg file directly and change the value in the line:
authport 1507
Authentication agents are available for both MS-Windows and UNIX platforms. We now describe each of these briefly. The tools can be found on your CD-ROM, together with additional information on requirements, installation and usage.