RSA Two Factor Authentication

Similar documents
NTLM NTLM. Feature Description

Packet Trace Guide. Packet Trace Guide. Technical Note

VMware vcenter Log Insight Manager. Deployment Guide

Migration Tool. Migration Tool (Beta) Technical Note

Moodle. Moodle. Deployment Guide

LoadMaster VMware Horizon (with View) 6. Deployment Guide

Splunk. Splunk. Deployment Guide

Adobe Connect. Adobe Connect. Deployment Guide

Epic. Epic Systems. Deployment Guide

Hyper-V - Windows 2012 and 8. Virtual LoadMaster for Microsoft Hyper-V on Windows Server 2012, 2012 R2 and Windows 8. Installation Guide

KEMP Driver for Red Hat OpenStack. KEMP LBaaS Red Hat OpenStack Driver. Installation Guide

LoadMaster Clustering

RSA Two Factor Authentication. Feature Description

Edge Security Pack (ESP)

LoadMaster for Azure (Marketplace Classic Interface)

SDN Adaptive Load Balancing. Feature Description

Configuring Real Servers for DSR

LoadMaster Clustering (Beta)

LoadMaster VMware Horizon Access Point Gateway

Kerberos Constrained Delegation. Kerberos Constrained Delegation. Feature Description

Web Application Firewall (WAF) Feature Description

MS Lync MS Lync Deployment Guide

MS Skype for Business. Microsoft Skype for Business Deployment Guide

VMware Horizon Workspace. VMware Horizon Workspace 1.5. Deployment Guide

GEO. Feature Description GEO VERSION: 1.4 UPDATED: MARCH Feature Description

Health Checking. Health Checking. Feature Description

SSL Accelerated Services. SSL Accelerated Services for the LM FIPS. Feature Description

Condor for Cisco UCS B-Series Blade Servers

Content Switching with Exchange and Lync-related Workloads

Virtual LoadMaster for Xen (Para Virtualized)

Virtual LoadMaster for KVM (Para Virtualized)

DirectAccess. Windows Server 2012 R2 DirectAccess. Deployment Guide

Web User Interface (WUI) LM5305 FIPS

Bar Code Discovery. Administrator's Guide

RADIUS Authentication and Authorization Technical Note

iwrite technical manual iwrite authors and contributors Revision: 0.00 (Draft/WIP)

Open Source Used In Cisco Configuration Professional for Catalyst 1.0

Exchange 2016 Deployment Guide. Exchange Deployment Guide

Web User Interface (WUI) LM FIPS

IETF TRUST. Legal Provisions Relating to IETF Documents. Approved November 6, Effective Date: November 10, 2008

Tenable Hardware Appliance Upgrade Guide

Enterprise Payment Solutions. Scanner Installation April EPS Scanner Installation: Quick Start for Remote Deposit Complete TM

Web User Interface (WUI)

IETF TRUST. Legal Provisions Relating to IETF Documents. February 12, Effective Date: February 15, 2009

Simba Cassandra ODBC Driver with SQL Connector

Ecma International Policy on Submission, Inclusion and Licensing of Software

Ecma International Policy on Submission, Inclusion and Licensing of Software

Open Source Used In TSP

MyCreditChain Terms of Use

Cover Page. Video Manager User Guide 10g Release 3 ( )

Juniper Networks Steel-Belted Radius Carrier

Mile Terms of Use. Effective Date: February, Version 1.1 Feb 2018 [ Mile ] Mileico.com

Command Line Interface (CLI)

Installing the Shrew Soft VPN Client

DoD Common Access Card Authentication. Feature Description

US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Trimble. ecognition. Release Notes

ColdFusion Builder 3.2 Third Party Software Notices and/or Additional Terms and Conditions

Control4/HomeKit Appliance User Manual. User Manual. June Version Varietas Software, LLC.

User Guide. Calibrated Software, Inc.

Conettix Universal Dual Path Communicator B465

SDLC INTELLECTUAL PROPERTY POLICY

Documentation Roadmap for Cisco Prime LAN Management Solution 4.2

Panasonic Audio Player 2 User Guide

PageScope Box Operator Ver. 3.2 User s Guide

LoadMaster Deployment Guide

Copyright PFU LIMITED

Azure Multi-Factor Authentication. Technical Note

Technics Audio Player User Guide

Management Software Web Browser User s Guide

Cover Page. Site Studio Tutorial Setup Guide 10g Release 3 ( )

User Manual. Date Aug 30, Enertrax DAS Download Client

Sophos Endpoint Security and Control standalone startup guide

Additional License Authorizations for HPE OneView for Microsoft Azure Log Analytics

Table of Contents Overview...2 Selecting Post-Processing: ColorMap...3 Overview of Options Copyright, license, warranty/disclaimer...

PRODUCT SPECIFIC LICENSE TERMS Sybase Enterprise Portal Version 5 Application Edition ( Program )

Intel Stress Bitstreams and Encoder (Intel SBE) 2017 AVS2 Release Notes (Version 2.3)

ANZ TRANSACTIVE MOBILE for ipad

This file includes important notes on this product and also the additional information not included in the manuals.

HALCoGen TMS570LS31x Help: example_sci_uart_9600.c

Quick Start Guide. BlackBerry Workspaces app for Android. Version 5.0

Bar Code Discovery. Administrator's Guide

PRODUCT SPECIFIC LICENSE TERMS Sybase Enterprise Portal Version 5 Enterprise Edition ( Program )

CA File Master Plus. Release Notes. Version

Fujitsu ScandAll PRO V2.1.5 README

KEMP LoadMaster. KEMP LoadMaster. Product Overview

End User License Agreement

MERIDIANSOUNDINGBOARD.COM TERMS AND CONDITIONS

Terms of Use. Changes. General Use.

MarkLogic Server. Common Criteria Evaluated Configuration Guide. MarkLogic 6 September, 2012

Open Source Used In c1101 and c1109 Cisco IOS XE Fuji

NetApp Cloud Volumes Service for AWS

Release Notes. BlackBerry Enterprise Identity

Open Source and Standards: A Proposal for Collaboration

MSDE Copyright (c) 2001, Microsoft Corporation. All rights reserved.

This file includes important notes on this product and also the additional information not included in the manuals.

Data Deduplication Metadata Extension

HIS document 2 Loading Observations Data with the ODDataLoader (version 1.0)

About This Guide. and with the Cisco Nexus 1010 Virtual Services Appliance: N1K-C1010

Preface. Audience. Cisco IOS Software Documentation. Organization

Transcription:

RSA Two Factor Authentication Feature Description VERSION: 6.0 UPDATED: JULY 2016

Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies logo are registered trademarks of KEMP Technologies, Inc.. KEMP Technologies, Inc. reserves all ownership rights for the LoadMaster product line including software and documentation. The use of the LoadMaster Exchange appliance is subject to the license agreement. Information in this guide may be modified at any time without prior notice. Microsoft Windows is a registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks and service marks are the property of their respective owners. Limitations: This document and all of its contents are provided as-is. KEMP Technologies has made efforts to ensure that the information presented herein are correct, but makes no warranty, express or implied, about the accuracy of this information. If any material errors or inaccuracies should occur in this document, KEMP Technologies will, if feasible, furnish appropriate correctional notices which Users will accept as the sole and exclusive remedy at law or in equity. Users of the information in this document acknowledge that KEMP Technologies cannot be held liable for any loss, injury or damage of any kind, present or prospective, including without limitation any direct, special, incidental or consequential damages (including without limitation lost profits and loss of damage to goodwill) whether suffered by recipient or third party or from any action or inaction whether or not negligent, in the compiling or in delivering or communicating or publishing this document. Any Internet Protocol (IP) addresses, phone numbers or other data that may resemble actual contact information used in this document are not intended to be actual addresses, phone numbers or contact information. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual addressing or contact information in illustrative content is unintentional and coincidental. Portions of this software are; copyright (c) 2004-2006 Frank Denis. All rights reserved; copyright (c) 2002 Michael Shalayeff. All rights reserved; copyright (c) 2003 Ryan McBride. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE ABOVE COPYRIGHT HOLDERS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the above copyright holders.. Portions of the LoadMaster software are copyright (C) 1989, 1991 Free Software Foundation, Inc. -51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA- and KEMP Technologies Inc. is in full compliance of the GNU license requirements, Version 2, June 1991. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 2

Portions of this software are Copyright (C) 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Portions of this software are Copyright (C) 1998, Massachusetts Institute of Technology Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Portions of this software are Copyright (C) 1995-2004, Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Portions of this software are Copyright (C) 2003, Internet Systems Consortium Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912, 7,346,695, 7,287,084 and 6,970,933. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 3

Table of Contents 1 Introduction... 5 1.1.1 Next Token Mode... 6 1.1.2 New PIN Mode... 6 1.2 Document Purpose... 6 1.3 Intended Audience... 6 1.4 Prerequisites... 6 2... 7 2.1 Generate an Authentication Agent Entry... 7 2.2 Export the Authentication Manager Configuration... 9 2.3 Generate a Node Secret File... 11 2.4 Configure the LoadMaster... 13 2.4.1 Upload a Node Secret File for the LoadMaster... 15 2.4.2 Set the L7 Client Token Timeout Value... 15 References... 17 Document History... 18 Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 4

Introduction 1 Introduction As part of the KEMP Edge Security Pack (ESP), the LoadMaster supports the RSA SecurID authentication scheme. This scheme authenticates the user on an RSA SecurID Server. When RSA is enabled as the authentication method, during the login process the user is prompted to enter a password that is a combination of two numbers a Personal Identification Number (PIN) and a token code which is the number displayed on the RSA SecurID authenticator (dongle). There are two additional challenge-response modes: next token and new PIN. These are described in the sections below. Figure 1-1: Authentication flow The above diagram shows both next token and new pin modes which are only applicable under the conditions described below. This flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed to have is configurable. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 5

Introduction 1.1.1 Next Token Mode Next token mode is applied in cases where the authentication process requires additional verification of the token code. The user is asked to enter the next token code, i.e. wait for the number that is currently displayed on the authenticator to change, and enter the new number (without the PIN). When using RSA and Kerberos Constrained Delegation (KCD), the user password will not be authenticated which may result in unsecured access particularly if RSA operates in token code only mode. While many RSA implementations use token code and PIN, others just use token code. 1.1.2 New PIN Mode New PIN mode is applied in cases where the authentication process requires additional verification of the PIN. In this case, the user must use a new PIN. Depending on the configuration of the RSA ACE/Server, the user is prompted to select and enter a new PIN, or the server supplies the user with a new PIN. The user then re-authenticates with the new PIN. The use of new PIN mode is optional and can be enabled or disabled in the authentication server. 1.2 Document Purpose This document describes how to configure the LoadMaster to use the RSA two factor authentication method. The RSA Security Console screenshots and steps in this document are examples. KEMP will not be notified of any changes made in the RSA Security Console so please refer to the RSA documentation for the latest information, if needed. 1.3 Intended Audience This document is intended to be read by anyone who is interested in finding out how to use RSA authentication with the KEMP LoadMaster. 1.4 Prerequisites The following are required in order to use RSA as an authentication method: A configured RSA SecurID Server The LoadMaster can only use one RSA server at a time. RSA Authentication Manager 8.1 SecurID dongles Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 6

2 You need to complete three steps in order to configure RSA multi-factor authentication on the LoadMaster. These are outlined in the sections below. If multiple domains are configured, sign-on can then be authenticated all at once. More information on this option can be found in ESP, Feature Description. 2.1 Generate an Authentication Agent Entry An Authentication Agent Entry needs to be generated for the LoadMaster in the RSA Authentication Manager. To do this, in the RSA Security Console, follow the steps below: Figure 2-1: Add New 1. Select Access > Authentication Agents and click Add New. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 7

Figure 2-2: Add New Authentication Agent 2. Enter the LoadMaster IP address in the IP Address text box. For a HA cluster, the primary LoadMaster IP address should be entered here. The IP address of the second unit should be added as an alternate IP address. If the source IP address of traffic from the LoadMaster to the RSA server changes as a result of interface IP changes or routing changes, please note that a new RSA-Config file will need to be generated. 3. Click the Resolve Hostname button. The Hostname field will auto-populate. 4. Fill out the remaining fields as required on the form. 5. Click Save. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 8

Figure 2-3: Agent added A message will appear confirming that the agent was added. 2.2 Export the Authentication Manager Configuration Before uploading the Authentication Manager configuration it needs to be exported from the RSA Security Console. To do this, follow the steps below: Figure 2-4: Generate Configuration File 1. Select Access > Authentication Agents and click Generate Configuration File. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 9

2. Click Generate Config File. Figure 2-5: Generate Configuration File Figure 2-6: Generate Configuration File 3. Click Download Now to download the configuration file. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 10

2.3 Generate a Node Secret File First, generate a Node Secret in the RSA Security Console and by following the steps below: Figure 2-7: Manage Existing 1. Select Access > Authentication Agents > Manage Existing. Figure 2-8: Manage Node Secret 2. Right click the LoadMaster entry and click Manage Node Secret. Figure 2-9: Enter Encryption Password Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 11

3. Select the Create a new random node secret, and export the node secret to a file check box. 4. Enter an Encryption Password for the node secret file. 5. Confirm the encryption password. 6. Click Save. 7. Click Download Now. Figure 2-10: Manage Node Secret Download 8. Save the file. Figure 2-11: Save file Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 12

2.4 Configure the LoadMaster The LoadMaster can only use one RSA server at a time. In the LoadMaster Web User Interface (WUI), follow the steps below: 1. In the main menu, select Virtual Services and Manage SSO. Figure 2-12: Single Sign On Domains For steps on how to configure an SSO domain and ESP, refer to the ESP, Feature Description document. 2. Click Modify on the relevant SSO domain. 3. Select RSA-SecurID as the Authentication protocol. It is also possible to select RSA-SecurID and LDAP as the Authentication Protocol. If this is selected, the RSA-SecurID and LDAP Configuration Type will also need to be selected. 4. In the RSA-SecurID Server(s) text box, enter the address(es) of the RSA-SecurID server(s) that are used to validate this domain. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 13

5. Click Set RSA-SecurID Server(s). 6. In the RSA Authentication Manager Config File field, click Choose File. 7. Browse to and select the file exported in Section 2.2. 8. Click Set RSA AM Config. 9. Enter the login domain to be used in the Domain/Realm text box. This is also used with the logon format to construct the normalized username, for example; Principalname: <username>@<domain> Username: <domain>\<username> If the Domain/Realm field is not set, the Domain name set when initially adding an SSO domain will be used as the Domain/Realm name. 10. Select the relevant option for Logon Format (Phase 1 RSA-SecurID). 11. Select the relevant option for Logon Format (Phase 2). The different logon formats are described below: Not Specified: The username will have no normalization applied to it - it will be taken as it is typed. Principalname: Selecting this as the Logon format means that the client does not need to enter the domain when logging in, for example name@domain.com. The SSO domain added in the corresponding text box will be used as the domain in this case. Username: Selecting this as the Logon format means that the client needs to enter the domain and username, for example domain\name@domain.com. Username Only: Selecting this as the Logon Format means that the text entered will be normalized to the username only (the domain will be removed). 12. Enter the Test User and click Set Test User. 13. Enter the Test User Password and click Set Test User Password. The LoadMaster will use this test information in a health check of the SecurID Server. These details are static and should be set in the RSA management WUI. This health check is performed every 20 seconds. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 14

2.4.1 Upload a Node Secret File for the LoadMaster Upload the node secret in the LoadMaster. In the Manage SSO screen on the LoadMaster WUI, follow the steps below: Figure 2-13: Manage domain 1. In the RSA Node Secret File field, click Choose File. 2. Browse to and select the Node Secret file generated in Section 2.3. It is not possible to upload the RSA node secret file until the RSA Authentication Manager configuration file is uploaded. The node secret file is dependent on the configuration file. 3. Enter the Decryption Password. 4. Click Set RSA Node Secret. 2.4.2 Set the L7 Client Token Timeout Value The L7 Client Token Timeout is the duration of time (in seconds) to wait for the client token while the process of authentication is ongoing. The default L7 client token timeout is set to 120 seconds. This can be modified as needed in the LoadMaster WUI. The range of valid values is 60 to 300. To configure the timeout value, follow the steps below: 1. In the main menu, go to System Configuration > Miscellaneous Options > L7 Configuration. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 15

Figure 2-14: L7 Configuration 2. Enter the new value in the L7 Client Token Timeout text box and click Set Timeout. Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 16

References References Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation. ESP, Feature Description Web User Interface, Configuration Guide Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 17

Document History Document History Date Change Reason for Change Version Resp. Mar 2014 Initial draft First draft of document 1.0 LB May 2014 Improvements made General improvements 1.1 LB Sep 2014 Release updates Updates for 7.1-20 release 1.2 LB Oct 2014 Release updates Updates for 7.1-22 release 1.3 LB Feb 2015 Minor updates Enhancements made 1.4 LB June 2015 Release updates Updates for 7.1-28 release 1.5 LB Sep 2015 Screenshot updates WUI Reskin 3.0 KG Jan 2016 Minor updates Updated Copyright Notices 4.0 LB Mar 2016 Release updates Updates for 7.1-34 release 5.0 LB July 2016 Release updates Updates for 7.1.35 release 6.0 LB Copyright 2002-2015 KEMP Technologies, Inc. All Rights Reserved. 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback