ACE server client install notes

unix clients (normal)

CLIENT SIDE:

See the RSA ACE/Server 4.1 for UNIX Install Guide for details (p. 88).

1. scp sol8_aceClientInstall to /tmp. *Do not* use the regular Solaris client software from the CD-ROM, since it has not been patched to work on Solaris 8.
2. Also scp the sdconf.rec from ace1 to /tmp.
3. Untar the client file and copy /tmp/sdconf.rec to the sol8_aceClientInstall/sol directory.
4. Make sure the client hostname can be resolved from the ACE servers; also insert ace1 and ace2 into the local hosts file.
5. Copy the following into /etc/services:

    securid      5500/udp
    securidprop  5510/tcp
    sdlog        5520/tcp
    sdserv       5530/tcp
    sdadmind     5550/tcp
    sdreport     5540/tcp
    sdxauthd     5540/udp
    tacacs       49/tcp      #TACACS+
    radius       1645/udp
    radacct      1646/udp

6. cd to /tmp/sol8_aceClientInstall/sol and run ./sdsetup -client, answering all questions with the default except for the install directory, which should be /usr/local. The install should proceed without error.
7. The usable shell will be located at /usr/local/ace/prog/sdshell. It can be inserted into the password file as the shell field.

Note: the hostname entry in /etc/hosts must resolve to the same IP address the ACE server sees for the client. If it does not, there will be a non-obvious error.

SERVER SIDE:

1. Make sure the client IP can be resolved by the ACE server.
2. Open the admin tool and go to Client | Add Client. Enter the client name (hostname), IP address, and the site designator (fgWest).
3. Don't use individual user activations; use group activations instead, since the users are already placed in groups based on function and access level.

This should be all you need for the client activation.

If you change the sdconf.rec file, you may need to re-issue the shared secret on the client. To do this, uncheck the "Sent Node Secret" box on the client window.

unix clients (multihomed)

For multihomed clients, follow the same directions as above, except that you need to add the possible secondary interfaces. To do this, use the "Secondary Nodes" button and provide a name/IP address for the alternate interface. If you do not do this, and the primary interface/pathway fails, client authentication will also fail.

cisco clients (optional multihomed)

Cisco clients should be handled in exactly the same way as unix clients, except that we use a shared secret to encrypt data communications between the client and server. This is because we use TACACS+ as the authentication protocol, which requires a shared secret for this functionality. To set this secret, use the "Assign/Change Encryption Key" button and fill in the provided blank.
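As an added pre-flight check for the client-side steps above (not part of the original notes and not RSA's own code), the script below reports which of the required /etc/services entries are missing from a services file and verifies that the hosts file maps the client hostname to the address the ACE server is expected to see. The hostnames, addresses and file contents in the demo are constructed.

```shell
#!/bin/sh
# Pre-flight checks for an ACE client box, written against the steps above.
# Hostnames, addresses and file contents used in the demo are constructed.

# The /etc/services entries the install notes require ("name port/proto").
ACE_SERVICES="securid 5500/udp
securidprop 5510/tcp
sdlog 5520/tcp
sdserv 5530/tcp
sdadmind 5550/tcp
sdreport 5540/tcp
sdxauthd 5540/udp
tacacs 49/tcp
radius 1645/udp
radacct 1646/udp"

# Print every required entry that is absent from a services file
# (default /etc/services). Comment lines and extra whitespace are tolerated.
missing_services() {
    file="${1:-/etc/services}"
    printf '%s\n' "$ACE_SERVICES" | while read -r name portproto; do
        if ! grep -Eq "^[[:space:]]*${name}[[:space:]]+${portproto}([[:space:]]|$)" "$file"; then
            echo "$name $portproto"
        fi
    done
}

# Confirm the hosts file maps the client hostname to the address the ACE
# server will see; a mismatch here is the "non-obvious error" from the notes.
# Prints "ok", "missing" or "mismatch: <address in hosts file>".
check_host_mapping() {
    hostsfile="$1"; host="$2"; expected="$3"
    resolved=$(awk -v h="$host" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$hostsfile")
    [ -n "$resolved" ] || { echo "missing"; return 1; }
    [ "$resolved" = "$expected" ] || { echo "mismatch: $resolved"; return 1; }
    echo "ok"
}

# Demo on constructed files: a partial services file and a hosts file.
demo_services=$(mktemp); demo_hosts=$(mktemp)
printf 'securid\t5500/udp\n# comment\nsdlog 5520/tcp\n' > "$demo_services"
printf '10.0.0.5 client1.example.com client1\n192.0.2.10 ace1\n' > "$demo_hosts"
echo "missing from services file:"; missing_services "$demo_services"
check_host_mapping "$demo_hosts" client1 10.0.0.5 || true
rm -f "$demo_services" "$demo_hosts"
```

Run it on the real box with `missing_services /etc/services` and `check_host_mapping /etc/hosts "$(hostname)" <address the ACE server has for this client>` before starting sdsetup.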