Manual Chapter : RSA SecurID Authentication

Applies To:

BIG-IP APM

  • 11.5.1

About RSA SecurID authentication

RSA SecurID is a two-factor authentication mechanism based on a user PIN or password and a code that an authenticator generates and provides to the user.

A token is an authentication code generated every 60 seconds by an authenticator (hardware or software) assigned to the user.

Figure: How RSA SecurID works

How Access Policy Manager works with RSA SecurID
  1. The client submits the user name and PIN code to Access Policy Manager.
  2. Access Policy Manager sends the user-specified inputs to the RSA authentication server.
  3. Based on the authentication results, Access Policy Manager grants or denies access to the client.

About RSA SecurID configuration requirements for APM AAA

Before you can use a SecurID AAA server in Access Policy Manager (APM), you need to meet specific requirements for configuration elements and settings on RSA SecurID, as described here.

Authentication agent

To provide RSA SecurID authentication for APM, the RSA Authentication Manager requires an authentication agent for APM in its database.

To create an authentication agent from the RSA Security Console, you need:

  • Hostname
  • IP addresses for all network interfaces
  • Agent Type (set to Standard Agent)

RADIUS client

To provide RSA SecurID authentication for APM, RSA Authentication Manager requires a RADIUS client that corresponds to the authentication agent for APM.

To create a RADIUS client from the RSA Security Console, you need:

  • Hostname
  • IP addresses for all network interfaces
  • RADIUS secret (this RADIUS secret must match the corresponding RADIUS secret on the APM system).

Character requirements setting in a SecurID token policy

To avoid a problem in the RSA SDK with alphabetic-only PIN policies, do not use them. When you set up a SecurID token policy, set the character requirements to one of these values:

  • Require numeric PINs
  • Allow alpha-numeric PINs

Task summary for configuring for RSA SecurID authentication

This task list includes all steps required to set up this configuration and provides an example access policy that uses both RSA SecurID and Active Directory authentication. It is only an example. If you are adding RSA SecurID authentication to an existing access policy, you do not need to create another access profile.

Task list

Configuring a SecurID AAA server in APM

Configure a SecurID AAA server for Access Policy Manager (APM) to request RSA SecurID authentication from an RSA Authentication Manager server.
  1. On the Main tab, click Access Policy > AAA Servers. The AAA Servers list screen opens.
  2. On the menu bar, click AAA Servers By Type, and select SecurID. The SecurID screen opens and displays the servers list.
  3. Click Create. The New Server properties screen opens.
  4. In the Name field, type a unique name for the authentication server.
  5. In the Configuration area, for the Agent Host IP Address (must match the IP address in SecurID Configuration File) setting, select an option as appropriate:
    • Select from Self IP List: Choose this when there is no NAT device between APM and the RSA Authentication Manager. Select an IP from the list of those configured on the BIG-IP system (in the Network area of the Configuration utility).
    • Other: Choose this when there is a NAT device in the network path between Access Policy Manager and the RSA Authentication Manager server. If selected, type the address as translated by the NAT device.
  6. For the SecurID Configuration File setting, browse to upload the sdconf.rec file. Consult your RSA Authentication Manager administrator to generate this file for you.
  7. Click Finished. The new server displays on the list.
This adds a new RSA SecurID server to the AAA Servers list.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile.
  4. From the Profile Type list, select one:
    • APM-LTM - Select for a web access management configuration.
    • SSO - Select only when you do not need to configure an access policy.
    • SWG - Explicit - Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent - Select to configure access using Secure Web Gateway transparent forward proxy.
    • SSL-VPN - Select for other types of access, such as network access, portal access, application access. (Most access policy items are available for this type.)
    • ALL - Select for any type of access.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
This creates an access profile with a default access policy.

Configuring RSA SecurID authentication in an access policy

Before you add RSA SecurID authentication to an access policy, you must have at least one AAA SecurID server configured in Access Policy Manager (APM). You might need an AAA server configured for another type of authentication, depending on the number of authentication actions that you plan to add to this access policy. This access policy uses Active Directory authentication in addition to SecurID; in this case, an Active Directory AAA server is required.
You add RSA SecurID authentication to an access policy so that APM can request RSA SecurID authentication using the AAA SecurID server that you specify.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
  5. To customize the Logon Page to prompt for a token code in addition to a password, perform these substeps to add a second password field to the logon page and supply the appropriate prompts for both password fields:
    1. From the Type list in row 3, select password.
    2. In the Post Variable Name field in row 3, type password1. The name password1 is an example.
    3. In the Session Variable Name field in row 3, type password1. The name password1 is an example. If you type password1, the name password1 becomes part of the session variable name, session.logon.last.password1. APM stores user input for the field in this session variable. You now have two fields that accept passwords on this Logon Page. Next you must set the prompts that display for each password field. This access policy runs RSA SecurID authentication first and another type of authentication afterward.
    4. In the Customization area, in Logon Page Input Field #2, in place of the text Password, type RSA Token or the wording of your choice.
    5. In Logon Page Input Field #3, type a prompt for the other type of authentication, for example Password.
    6. Click Save. The properties screen closes and the visual policy editor is displayed.
  6. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  7. On the Authentication tab, select RSA SecurID and click Add Item. A properties popup screen opens.
  8. From the AAA Server list in the properties popup screen, select the SecurID AAA server that you want to associate to the agent.
  9. Set Max Logon Attempts to a value from 1 to 5.
    Note: To use this access policy for Citrix Receiver client access, you must set Max Logon Attempts to 1.
  10. Click Save. The properties screen closes and the visual policy editor displays.
  11. Add a Variable Assign action after the RSA SecurID action. Authentication actions use the password in the session.logon.last.password session variable. When the access policy runs and reaches this point, the RSA token code is still stored in that session variable. After you add the Variable Assign action, a Properties popup screen displays.
  12. On the Properties screen, add an entry to replace the contents of the session.logon.last.password session variable with the password stored in the session.logon.last.password1 session variable:
    1. Click Add new entry. An empty entry appears in the Assignment table.
    2. Click the change link in the new entry. A popup screen opens.
    3. From the left-side list, select Custom Variable (the default), and type session.logon.last.password.
    4. From the right-side list, select Custom Expression (the default), and type expr { "[mcget -secure session.logon.last.password1]" }. (The quotes must be balanced; mcget -secure reads the value without exposing it in logs.)
    5. Click Finished. The popup screen closes.
    6. Click Save. The properties screen closes and the visual policy editor is displayed.
    This example adds an AD Auth access policy item as a second type of authentication. You can add an authentication access policy item other than AD Auth. The session.logon.last.password session variable now contains the user-entered password.
  13. On the fallback branch after the previous action, click the (+) icon to add an item to the access policy. A popup screen opens.
  14. On the Authentication tab, select AD Auth. A properties screen displays.
  15. From the Server list, select a server.
  16. To support Citrix Receiver clients, you must set Max Logon Attempts to 1.
  17. Click Save. The properties screen closes and the visual policy editor displays.
  18. Add another authentication action and any other actions you require.
  19. Click Apply Access Policy to save your configuration.
This adds RSA SecurID AAA authentication to the access policy and a second type of authentication.

Creating a virtual server

When creating a virtual server for an access policy, specify that the virtual server is a host virtual server, and not a network virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. From the HTTP Profile list, select http.
  7. If you use server SSL for this connection, from the SSL Profile (Server) list, select a server SSL profile.
  8. If you use client SSL for this profile, from the SSL Profile (Client) list, select a client SSL profile.
  9. In the Access Policy area, from the Access Profile list, select the access profile.
  10. From the Connectivity Profile list, select a connectivity profile. You can select the default connectivity profile, connectivity, if you have not defined a specific profile for the traffic that is directed to this virtual server.
  11. Click Finished.
You have configured a host virtual server and associated an access profile with it.

Access policy example for RSA and AD authentication

Typically, when you configure an authentication action, you precede it with a Logon Page action to collect credentials. This example describes how to include more than one authentication item (RSA and AD authentication) in an access policy and present a Logon Page only once.

Figure: Access policy with RSA SecurID and AD Auth actions

Access policy with: Logon Page, RSA SecurID, Variable Assign, AD Auth, and Full Resource Assign actions

In this example, if the Logon Page action is not customized, the access policy passes the same credentials to both the RSA SecurID and AD Auth authentication agents. But RSA SecurID accepts a user name and a token at logon, while Active Directory accepts a user name and password. To accommodate these differences, customize the Logon Page item.

Logon Page customization: how to collect a token and a password

Figure: Logon Page access policy item properties screen

The first highlighted entry defines a second password field. The second password is stored in the session.logon.last.password1 variable.

Note: Although the second password is stored in a session variable, it is not the session variable, session.logon.last.password, from which an authentication agent accepts the password.

The highlighted entries in the Customization area change the labels that the Logon Page displays, from Password to RSA Token Code for the first password and to AD Password for the second password.

Variable Assign action: How to pass the AD Password to the AD Auth action

Use the Variable Assign action to provide the appropriate password before the AD Auth action occurs.

Figure: Variable Assign access policy item popup screen for adding a new entry

The Variable Assign action moves the AD Auth password, stored in session.logon.last.password1, to the session.logon.last.password variable.
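The following is an added Python simulation of the access policy built in "Configuring RSA SecurID authentication in an access policy" and described in this example section; it is not APM code and not F5's, and the user tables, the passcode values and the action return values are constructed assumptions. It shows why the Variable Assign step is needed: both authentication agents read session.logon.last.password, so without the copy from session.logon.last.password1 the AD Auth action receives the RSA token code and fails.

```python
import hmac

# Session variable names used by the access policy on this page.
USERNAME = "session.logon.last.username"
PASSWORD = "session.logon.last.password"    # the variable authentication agents read
PASSWORD1 = "session.logon.last.password1"  # second Logon Page field (AD password)
SECURID_RESULT = "session.securid.last.result"


def logon_page(session, form):
    """Customized Logon Page: field 2 (password) collects the RSA token code,
    field 3 (password1) collects the AD password. Both land in session variables."""
    session[USERNAME] = form["username"]
    session[PASSWORD] = form["password"]
    session[PASSWORD1] = form["password1"]
    return "fallback"


def rsa_securid(session, rsa_passcodes):
    """Stand-in for the RSA SecurID action (assumed behaviour): checks the PIN+tokencode
    held in session.logon.last.password and populates session.securid.last.result."""
    expected = rsa_passcodes.get(session[USERNAME], "")
    ok = hmac.compare_digest(expected, session[PASSWORD])
    session[SECURID_RESULT] = 1 if ok else 0
    return "successful" if ok else "fallback"


def variable_assign(session):
    """Equivalent of the Variable Assign entry
    session.logon.last.password = expr { "[mcget -secure session.logon.last.password1]" }"""
    session[PASSWORD] = session[PASSWORD1]
    return "fallback"


def ad_auth(session, ad_passwords):
    """Stand-in for AD Auth (assumed behaviour): reads the same session.logon.last.password."""
    expected = ad_passwords.get(session[USERNAME], "")
    ok = hmac.compare_digest(expected, session[PASSWORD])
    return "successful" if ok else "fallback"


def run_policy(form, rsa_passcodes, ad_passwords, with_variable_assign=True):
    """Walks Logon Page -> RSA SecurID -> [Variable Assign] -> AD Auth.
    Returns the ending ('allow' or 'deny') and the final session variables."""
    session = {}
    logon_page(session, form)
    if rsa_securid(session, rsa_passcodes) != "successful":
        return "deny", session
    if with_variable_assign:
        variable_assign(session)
    if ad_auth(session, ad_passwords) != "successful":
        return "deny", session
    return "allow", session


# Constructed sample credentials (not real users or tokens).
RSA_PASSCODES = {"alice": "1234" + "567890"}  # PIN followed by the 60-second tokencode
AD_PASSWORDS = {"alice": "Correct-Horse-9"}
FORM = {"username": "alice", "password": "1234567890", "password1": "Correct-Horse-9"}

if __name__ == "__main__":
    for flag in (True, False):
        ending, s = run_policy(FORM, RSA_PASSCODES, AD_PASSWORDS, with_variable_assign=flag)
        print(f"variable assign={flag}: {ending}, securid result={s[SECURID_RESULT]}")
```

Running the script with the Variable Assign step omitted ends in deny even though session.securid.last.result is 1, which is the symptom to look for when a policy of this shape passes RSA SecurID but never reaches the resource assignment.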

RSA SecurID session variables for access policy rules

When the RSA SecurID access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the RSA SecurID access policy item and a logon access policy item.

Session variables for RSA SecurID

Session Variable: session.securid.last.result
Description: Provides the result of the RSA SecurID authentication. The available values are:
  • 0: Failed
  • 1: Passed

Common session variables

Session Variable: session.logon.last.username
Description: Provides user credentials. The username string is stored after encrypting, using the system's client key.

Session Variable: session.logon.last.password
Description: Provides user credentials. The password string is stored after encrypting, using the system's client key.

RSA SecurID on Windows using RADIUS configuration troubleshooting tips

You might run into problems with RSA SecurID on Windows using RADIUS configuration. Follow these tips to try to resolve any issues that you encounter.

RSA SecurID on Windows using RADIUS configuration troubleshooting

Possible error message: The RADIUS server is inactive
Possible explanation and corrective action: Even if the RADIUS server was started from the SecurID options window on the Windows SecurID server, the server might not be active. In Windows Services Manager, make sure that the server is set to start each time the server boots, and is currently running. RSA SecurID authentication using RADIUS takes place on a different port than native SecurID authentication.

Possible error message: The SecurID is configured incorrectly for RADIUS authentication
Possible explanation and corrective action: While using RSA SecurID over RADIUS, the SecurID server is a client of itself. The RADIUS service functions as a standalone process, and if the SecurID server is not set up as a client of itself, it rejects the Access Policy Manager authentication request and does not store anything in the logs.

Possible error message: No response from the RSA SecurID server
Possible explanation and corrective action: Check that RSA Authentication Manager is configured properly. To facilitate communication between Access Policy Manager and the RSA Authentication Manager, you must add an Authentication Agent record to the RSA Authentication Manager database. The Authentication Agent record identifies the Access Policy Manager within its database, and contains information about communication and encryption. To create the Authentication Agent record, you need this information:
  • Host name
  • IP addresses for all network interfaces
When adding the Authentication Agent record, you should configure the Access Policy Manager as a Standard Agent. The RSA Authentication Manager uses this setting to determine how to communicate with Access Policy Manager. You must also add a RADIUS client that corresponds to the Authentication Agent. To create the RADIUS client, you need this information:
  • Host name
  • IP addresses for all network interfaces
  • RADIUS secret (This RADIUS secret must match the corresponding RADIUS secret on the Access Policy Manager.)
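Two of the troubleshooting entries above (a client that is not registered with the server, and a RADIUS secret that does not match) produce silence rather than an error, because that is how RADIUS behaves. The following is an added Python model of the RADIUS exchange from RFC 2865, written for this page and not taken from F5 or RSA code; the agent address, the shared secrets and the user table are constructed. It shows that a server silently discards a request from an unregistered client, and that with a mismatched secret the client cannot validate the Response Authenticator and must also discard the reply, so neither side logs a clean failure.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _pap_xor(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded or b"\x00" * 16, secret, request_auth, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _pap_xor(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, username, passcode, secret, request_auth=None):
    """What the RADIUS client (the APM side) sends: Code, ID, Length, Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(passcode, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet):
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Client-side check before trusting any reply; fails if the secrets differ."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_server(request, client_ip, clients, users):
    """Toy RADIUS server: a request from an unregistered client is silently
    discarded (RFC 2865 s5), which is why nothing appears in the logs."""
    if client_ip not in clients:
        return None
    secret = clients[client_ip]
    attrs = parse_attrs(request)
    user = attrs.get(ATTR_USER_NAME, b"")
    passcode = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(users.get(user, b""), passcode)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def run_scenarios():
    """Constructed sample data: one agent address, one secret, one PIN+tokencode user."""
    apm_ip = "192.0.2.10"
    good_secret = b"constructed-shared-secret"
    users = {b"alice": b"1234" + b"567890"}
    results = {}

    def attempt(client_secret, registered):
        clients = {apm_ip: good_secret} if registered else {}
        req = build_access_request(7, b"alice", users[b"alice"], client_secret)
        resp = radius_server(req, apm_ip, clients, users)
        if resp is None:
            return "no response"
        if not verify_response(resp, req, client_secret):
            return "response authenticator mismatch"
        return "accept" if resp[0] == ACCESS_ACCEPT else "reject"

    results["matching secret"] = attempt(good_secret, True)
    results["client not registered"] = attempt(good_secret, False)
    results["secret mismatch"] = attempt(b"wrong-secret", True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The "no response" and "response authenticator mismatch" outcomes correspond to the "No response from the RSA SecurID server" and "configured incorrectly for RADIUS authentication" entries above: the fix is on the RSA Authentication Manager side (register the agent and RADIUS client, and make the secret match), not in the access policy.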