Secured by RSA Implementation Guide for SecurID Authenticators
Last Modified: December 4, 2013

Partner Information
Partner Name: McAfee
Web Site: www.mcafee.com

Product Information
Product Name: McAfee Endpoint Encryption for PC (EEPC)
Version & Platform: 7.0.2
Product Description: McAfee delivers encryption integrated with centralized management that helps prevent unauthorized access and loss or theft of sensitive data.
Product Category: Disk/File Encryption
Solution Summary
McAfee EEPC and the RSA SID800 smart card combine seamlessly to provide end users with a single form factor for enterprise two-factor authentication. Users can store the keys necessary to unlock the encrypted data on their hard drive on the same device used to provide RSA SecurID authentication throughout the enterprise.

Partner Integration Overview
Interoperable through RSA Authentication Client: No
Pre-Boot Authentication: Yes
If Pre-Boot, which tokens are supported? SID800 Rev D4
Product Configuration for Interoperability
Interoperability between the RSA Authenticators and McAfee EEPC requires the installation of McAfee EEPC.

Before You Begin
This section provides instructions for integrating RSA Authenticators with McAfee EEPC. The document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configuration
There are two methods of RSA SID800 integration available for use with McAfee EEPC.

RSA PKI Smart Card
PKI smart card authentication requires a Certificate Authority integrated with a Microsoft Windows Domain. The Certificate Authority issues the PKI certificate to a Windows Domain user. The private key is stored on the RSA SID800 smart card and associated with the Windows Domain user. Authentication with a PKI smart card requires the following actions:
- Enable LDAP Synchronization for the Domain (required).
- Associate a User to a Computer (required).
- Create policy and policy assignment rule for PKI Authentication.
- Enable UBP Enforcement (required).

RSA Stored Value Token
A stored value is written to the RSA SID800 smart card by the McAfee pre-boot environment. Authentication with a Stored Value Token requires the following actions:
- Enable LDAP Synchronization for the Domain (not required for users not managed by a Windows Domain).
- Associate a User to a Computer (required).
- Create policy and policy assignment rule for Stored Value Authentication.
- Enable UBP Enforcement (required).

Note: If you require both PKI and Stored Value authentication types within your environment, you must create separate policies.
Enable LDAP Synchronization for the Domain
1. Select Menu > Automation > Server Tasks to create an LDAP synchronization task.
2. Select New Task.
3. Name the task and select Next.
4. Select EE LDAP Server User/Group Synchronization from the Actions drop-down list, set your LDAP Server, then select Next.
5. Set the frequency of the LDAP synchronization server task as needed, then select Next.
6. Complete the creation of the task by selecting Save.
7. Click the Run link under the Actions column to verify LDAP synchronization.
8. The task must complete successfully before you continue.
Associate a User to a Computer
1. Associate a user with a computer by selecting Menu > Data Protection > Encryption Users.
2. Select the system to associate the user with and click Actions > Add User(s).
3. Select the button to associate the user with the computer.
4. Search for the user to associate, select the checkbox next to the user's name, and click OK.
5. Click OK once you have selected the user.
Create policy and policy assignment rule for PKI Authentication
1. Create a PKI policy in the Policy Catalog by selecting Menu > Policy > Policy Catalog.
2. Select the Duplicate action for the McAfee Default policy in the User Based Policies category.
3. Set the Policy Name of the User Based policy, then click OK.
4. Open the new policy by clicking RSA SID800 PKI Policy.
5. Select RSA PKI Smart Card from the Token Type list.
6. Select Save.
7. Create a PKI policy assignment to enable PKI authentication with the SID800 smart card. Select Menu > Policy > Policy Assignment Rules.
8. Create a new Policy Assignment Rule by selecting New Assignment Rule.
9. Enter the name for the assignment rule, set the Rule Type to User Based, then select Next.
10. Select Add Policy.
11. Select 7.0.2 from the Product list, User Based Policies from the Category list and RSA SID800 PKI Policy from the Policy list, then select Next.
12. Select User from the User Criteria to associate a user with the PKI smart card rule.
13. Search for the domain user by selecting Search, entering the name of the user in the Search Users field, then selecting Search.
14. Select the user and then select OK.
15. Select Next.
16. Select Save.
Create policy and policy assignment rule for Stored Value Authentication
1. Create a Stored Value policy in the Policy Catalog by selecting Menu > Policy > Policy Catalog.
2. Select the Duplicate action for the McAfee Default policy in the User Based Policies category.
3. Set the Policy Name of the User Based policy.
4. Open the new policy by clicking RSA SID800 Stored Value Policy.
5. Select RSA Stored Value Smart Card from the Token Type list.
6. Select Save.
7. Create a Stored Value smart card policy assignment to enable Stored Value authentication with the SID800 smart card. Select Menu > Policy > Policy Assignment Rules.
8. Create a new Policy Assignment Rule by selecting New Assignment Rule.
9. Enter the name for the assignment rule, set the Rule Type to User Based, then select Next.
10. Select Add Policy.
11. Select 7.0.2 from the Product list, User Based Policies from the Category list and RSA SID800 Stored Value Policy from the Policy list, then select Next.
12. Select User from the User Criteria to associate a user with the Stored Value smart card rule.
13. Search for the domain user by selecting Search, entering the name of the user in the Search Users field, then selecting Search.
14. Select the user and then select OK.
15. Select Next.
16. Select Save.
Enable UBP Enforcement
1. Set UBP enforcement for users by selecting Menu > Reporting > Queries and Reports.
2. Perform a Quick Find to locate and run the EE: Users report.
3. Select the AD users for whom UBP enforcement is to be enabled and, from the Actions menu, select Configure UBP enforcement.
4. Select Enable from the Configure UBP enforcement options, then select OK.
5. Select Close to complete setting UBP enforcement.

Client Synchronization
1. To complete setup of smart card authentication with the SID800, the client computer needs to be updated by synchronizing with the ePO server. A synchronization pushes the recently created policies associated with that user, and the user's token data, to the client computer.
2. A synchronization can be forced from ePO using an Agent Wake-Up call, forced from the client using the McAfee Agent user interface, or left to occur at the next ASCI + Policy Enforcement interval.

Note: During the synchronization the log will show an entry Enforcing User (<name>) Policies for EE_Admin1000, where <name> is the username.

Restart the System and Authenticate
1. When the system is restarted, the EEPC pre-boot screen is displayed and the user is prompted to authenticate. Ensure that the token is inserted either before booting the system or before attempting to authenticate.
2. Enter the username and click Next.
3. The user is prompted for the PIN; enter the smart card PIN and click OK.
4. If the user is configured as a PKI smart card user, the client is authenticated.
5. If the user is configured as a Stored Value token user, the user is prompted to enter the McAfee ePO default password and then the smart card PIN. The smart card is then initialized with the stored value and the client computer boots Windows.

Note: The RSA SID800 smart card is now ready for use and is successfully assigned to the user.
Certification Checklist for 3rd Party Applications
Date Tested: December 5, 2013

Product                       Operating System Tested   Version
McAfee ePolicy Orchestrator   Windows 2003 R2 SP2       4.6
RSA Authentication Client     Windows 8                 3.6
McAfee EEPC                   Windows 8                 7.0.2
RSA SecurID 800               Windows 8                 Rev D4

Test Cases                            RSA SecurID 800
                                      Symmetric Keys   Asymmetric Keys
Preboot Authentication
Disk/File Encryption                  N/A              N/A
1024 Certificate                      N/A
2048 Certificate                      N/A
Write Key/Certificate
Delete Key/Certificate
Token Management / RAC API
  Modify Token PIN
  Verify Token PIN                    N/A              N/A
  Initialize Token                    N/A              N/A
DRP

Legend: = Pass, = Fail, N/A = Non-Available Function