RSA SecurID is a two-factor authentication mechanism based on a user PIN or password and a code that an authenticator generates and provides to the user.
A token is an authentication code generated every 60 seconds by an authenticator (hardware or software) assigned to the user.
Before you can use a SecurID AAA server in Access Policy Manager (APM), you need to meet specific requirements for configuration elements and settings on RSA SecurID, as described here.
To provide RSA SecurID authentication for APM, the RSA Authentication Manager requires an authentication agent for APM in its database.
To create an authentication agent from the RSA Security Console, you need:
To provide RSA SecurID authentication for APM, RSA Authentication Manager requires a RADIUS client that corresponds to the authentication agent for APM.
To create a RADIUS client from the RSA Security Console, you need:
To avoid a problem in the RSA SDK with alphabetic-only PIN policies, do not use them. When you set up a SecurID token policy, set the character requirements to one of these values:
This task list includes all steps required to set up this configuration and provides an example access policy that uses both RSA SecurID and Active Directory authentication. It is only an example. If you are adding RSA SecurID authentication to an existing access policy, you do not need to create another access profile.
Typically, when you configure an authentication action, you precede it with a Logon Page action to collect credentials. This example describes how to include more than one authentication item (RSA and AD authentication) in an access policy and present a Logon Page only once.
In this example, if the Logon Page action is not customized, the access policy passes the same credentials to both the RSA SecurID and AD Auth authentication agents. But RSA SecurID accepts a user name and a token at logon, while Active Directory accepts a user name and password. To accommodate these differences, customize the Logon Page item.
The first highlighted entry defines a second password field. The second password is stored in the session.variable.last.password1 variable.
The highlighted entries in the Customization area change the labels that the Logon Page displays, from Password to RSA Token Code for the first password and to AD Password for the second password.
Use the Variable Assign action to provide the appropriate password before the AD Auth action occurs.
The Variable Assign action moves the AD Auth password, stored in session.variable.last.password1, to the session.variable.last.password variable.
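The Variable Assign step described above, written out as the custom expression an APM Variable Assign agent would carry. This is an added illustration, not configuration from the original page; the `mcget -secure` syntax and the Secure variable type are assumptions about the APM custom-expression language, and the variable names are the ones the page gives.

```tcl
# Added example: APM Variable Assign agent placed between the RSA SecurID
# action and the AD Auth action in the access policy.
#
# Assignment target (left-hand side of the Variable Assign entry):
#   session.variable.last.password      type: Secure
#
# Custom expression (right-hand side), assumed syntax:
expr { [mcget -secure {session.variable.last.password1}] }

# Effect: the value the user typed into the second password field
# (labelled "AD Password" on the customized Logon Page, stored in
# session.variable.last.password1) overwrites the RSA token code that
# the first password field left in session.variable.last.password.
# The AD Auth action that follows therefore reads the AD password,
# while the RSA SecurID action that ran earlier already consumed the
# token code. Because both values are secrets, keep the assignment
# typed as Secure so they stay encrypted in the session store.
```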
When the RSA SecurID access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the RSA SecurID access policy item and a logon access policy item.
| Session variable | Description |
|---|---|
| session.securid.last.result | Provides the result of the RSA SecurID authentication. The available values are: |

| Session variable | Description |
|---|---|
| session.logon.last.username | Provides user credentials. The username string is stored after encrypting, using the system's client key. |
| session.logon.last.password | Provides user credentials. The password string is stored after encrypting, using the system's client key. |
You might run into problems with RSA SecurID on Windows when using a RADIUS configuration. Follow these tips to try to resolve any issues that you encounter.
| Possible error messages | Possible explanations and corrective actions |
|---|---|
| The RADIUS server is inactive | Even if the RADIUS server was started from the SecurID options window on the Windows SecurID server, the server might not be active. In Windows Services Manager, make sure that the server is set to start each time the server boots, and is currently running. RSA SecurID authentication using RADIUS takes place on a different port than native SecurID authentication. |
| The SecurID server is configured incorrectly for RADIUS authentication | While using RSA SecurID over RADIUS, the SecurID server is a client of itself. The RADIUS service functions as a standalone process, and if the SecurID server is not set up as a client of itself, it rejects the Access Policy Manager authentication request and does not store anything in the logs. |
| No response from the RSA SecurID server | Check that RSA Authentication Manager is configured properly. To facilitate communication between Access Policy Manager and the RSA Authentication Manager, you must add an Authentication Agent record to the RSA Authentication Manager database. The Authentication Agent record identifies the Access Policy Manager within its database, and contains information about communication and encryption. To create the Authentication Agent record, you need this information. |