RSA SecurID Ready Implementation Guide
Last Modified: March 3, 2014

Partner Information
Partner Name: HOB
Web Site: www.hobsoft.com

Product Information
Product Name: HOB RD VPN
Version & Platform: 2.1
Product Description: HOB RD VPN is a software solution specially designed for secure remote access over IP-based networks (Internet, WiFi / WLAN or UMTS) to diverse resources in enterprise networks. It is a universal software-based solution for secure remote access from the corporate network all the way through to the front end.
Solution Summary
HOB RD VPN is a software solution that is specially designed to give you secure remote access. It allows you to connect from a client machine over the web to your desired target systems and servers. HOB RD VPN serves as the access gateway into your system, analyzing and authenticating the connection. HOB RD VPN supports RSA SecurID two-factor authentication via the RADIUS protocol.

RSA Authentication Manager supported features (HOB RD VPN 2.1)
  RSA SecurID Authentication via Native RSA SecurID Protocol
  RSA SecurID Authentication via RADIUS Protocol
  On-Demand Authentication via Native SecurID Protocol
  On-Demand Authentication via RADIUS Protocol
  Risk-Based Authentication
  Risk-Based Authentication with Single Sign-On
  RSA Authentication Manager Replica Support
  Secondary RADIUS Server Support
  RSA SecurID Software Token Automation
  RSA SecurID SD800 Token Automation
  RSA SecurID Protection of Administrative Interface
Support marks in the table (column alignment was lost when the table was flattened): Yes Yes Yes -
Authentication Agent Configuration
Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console.

The following information is required to create an Authentication Agent:
  Hostname
  IP Addresses for network interfaces

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with HOB RD VPN will occur.

A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication Manager in order for HOB RD VPN to communicate with RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client:
  Hostname
  IP Addresses for network interfaces
  RADIUS Secret

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients.
Partner Product Configuration

Before You Begin
This section provides instructions for configuring HOB RD VPN with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Verify the Install
1. Verify that the install was successful by launching a secure browser session to the HOB RD VPN address.
2. Log in with any user account.
3. The user's home page will display options based on the user's role.
Configure for RADIUS
HOB RD VPN can support multiple domains. A Domain consists of two components, an Authentication Service and a Configuration Storage. In this example we will use the integrated directory service for both the authentication service and the configuration storage. For details on using an external LDAP server, please refer to the HOB RD VPN documentation.
1. Launch a browser to https://<ip address>:10000.
2. Log in with an administrator account and select EA admin from the left menu.
3. After installation, dc=hobsoft,dc=root is the default domain used as authentication service and configuration storage.
4. Expand dc=internal and select ou=servers, then click the directory content item cn=websecureproxy.
5. Click the button and select 2.1 > WebSecureProxy blue, then click Configure.
6. Expand Domains and select Radius.
7. Click Add and enter a name for the domain.
8. Click Add and enter the Radius Server values for the Host IP address, Port and Shared Secret.
9. Click Add again to add a secondary Radius server.
10. Select Domains from the left menu.
11. Click Add in the Domains window.
12. In the Type field, select Radius from the pull-down list.
13. In the Name field, select the Radius server you created in step 9.
14. In the Administrative Account fields, enter the credentials for the Global Administrative account.
15. Select the check box for Create user automatically.
16. Click Add & Close.
17. Click File > Save in the top main menu.
18. Launch a browser to the HOB RD VPN address.
19. Select the Radius domain from the pull-down and enter the user's credentials.
20. The first attempt will create the user account but will fail because the user has not been assigned a role.
21. Log back in to the EA-Admin WebSecureProxy configuration.
22. Navigate to Roles > User and select the Members tab.
23. Click Add and assign the Radius user to the User role's member list.
24. Click Select.
25. Click File > Save in the top main menu.
RSA SecurID Login Screens
Login screen:
User-defined New PIN:
System-generated New PIN:
Next Tokencode:
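The RADIUS exchange behind steps 8 and 9 of "Configure for RADIUS" (host, port and shared secret) and the Next Tokencode prompt shown above, worked through as an added Python example; this is not HOB or RSA code. It builds an RFC 2865 Access-Request the way a RADIUS gateway does, hides the passcode under the shared secret, verifies the Response Authenticator on every reply, and follows the Access-Challenge/State round trip that Next Tokencode mode produces. The server class is a constructed stand-in for the RSA Authentication Manager RADIUS server, and the shared secret, user records, NAS address and passcodes are all assumptions.

```python
"""RFC 2865 RADIUS round trip as a gateway such as HOB RD VPN performs it against the
RSA Authentication Manager RADIUS server. Added example, not HOB or RSA code: the
server stand-in, shared secret, user records, NAS address and passcodes are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24
SECRET = b"constructed-shared-secret"  # must match on gateway and RADIUS client record
USERS = {  # constructed: jsmith's token is in Next Tokencode mode, adoe's is not
    "jsmith": {"pin": b"1234", "tokencode": b"567890", "next": b"112233", "challenge": True},
    "adoe": {"pin": b"9876", "tokencode": b"543210", "next": b"", "challenge": False},
}

def _attrs(attrs):
    # Attribute TLVs: type, length (value length + 2 header bytes), value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def pack(code, ident, authenticator, attrs):
    body = _attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def unpack(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        t, ln = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return code, ident, data[4:20], attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def build_access_request(ident, secret, username, passcode, nas_ip, state=None):
    request_auth = os.urandom(16)  # fresh per request; it keys the password hiding
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(passcode.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    if state is not None:
        attrs.append((STATE, state))  # echo the server's State when answering a challenge
    return pack(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

class FakeSecurIDRadius:
    """Constructed stand-in for the RSA Authentication Manager RADIUS server. A user
    in Next Tokencode mode gets an Access-Challenge after a correct PIN + tokencode."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, data):
        _, ident, req_auth, attrs = unpack(data)
        a = dict(attrs)
        rec = self.users.get(a.get(USER_NAME, b"").decode(errors="replace"))
        passcode, state = reveal_password(a[USER_PASSWORD], self.secret, req_auth), a.get(STATE)
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"Access denied")]
        if rec and state and self.pending.pop(state, None) is rec and passcode == rec["next"]:
            code, reply = ACCESS_ACCEPT, []
        elif rec and state is None and passcode == rec["pin"] + rec["tokencode"]:
            if rec["challenge"]:
                state = os.urandom(8)
                self.pending[state] = rec
                code, reply = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter the next tokencode"), (STATE, state)]
            else:
                code, reply = ACCESS_ACCEPT, []
        return pack(code, ident, response_authenticator(code, ident, reply, req_auth, self.secret), reply)

def authenticate(server, secret, nas_ip, username, passcode, next_tokencode=None):
    """Gateway side. Returns 'accept', 'reject', 'challenge' (next tokencode still needed) or
    'authenticator-mismatch' (reply not computed with our secret: never treat it as an accept)."""
    state, ident, code = None, 1, ACCESS_CHALLENGE  # the first request is always sent
    for answer in (passcode, next_tokencode):
        if answer is None or code != ACCESS_CHALLENGE:
            break
        req, req_auth = build_access_request(ident, secret, username, answer, nas_ip, state)
        code, rid, resp_auth, attrs = unpack(server.handle(req))
        if rid != ident or resp_auth != response_authenticator(code, rid, attrs, req_auth, secret):
            return "authenticator-mismatch"
        state, ident = dict(attrs).get(STATE), ident + 1
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "challenge")
```

Two points for anyone configuring the Radius domain: a shared secret that differs between the HOB domain entry and the RADIUS client record in the RSA Security Console does not produce a clean error on the wire, it surfaces as an Access-Reject whose Response Authenticator fails to verify (the "authenticator-mismatch" result here), so check the secret before troubleshooting a user's PIN or token; and the Next Tokencode and New PIN prompts are ordinary Access-Challenge packets whose State attribute the gateway must echo unchanged in its follow-up request.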
Certification Checklist for RSA Authentication Manager
Date Tested: March 3, 2014

Certification Environment
Product Name                  Version Information   Operating System
RSA Authentication Manager    8.1                   Virtual Appliance
HOB RD VPN blue edition       2.1                   Windows 7 Enterprise 64bit
HOB EA Server                 10.5329               Windows 2012 64bit

Mandatory Functionality                      RSA Native Protocol   RADIUS Protocol
New PIN Mode
  Force Authentication After New PIN         N/A                   Force Authentication After New PIN
  System Generated PIN                       N/A                   System Generated PIN
  User Defined (4-8 Alphanumeric)            N/A                   User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)                 N/A                   User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN                     N/A                   Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN                      N/A                   Deny Alphanumeric PIN
  Deny PIN Reuse                             N/A                   Deny PIN Reuse
Passcode
  16-Digit Passcode                          N/A                   16-Digit Passcode
  4-Digit Fixed Passcode                     N/A                   4-Digit Fixed Passcode
Next Tokencode Mode
  Next Tokencode Mode                        N/A                   Next Tokencode Mode
On-Demand Authentication
  On-Demand Authentication                   N/A                   On-Demand Authentication
  On-Demand New PIN                          N/A                   On-Demand New PIN
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)                   N/A                   Failover
  RSA Authentication Manager                 N/A                   RSA Authentication Manager

GLS
Legend: = Pass   = Fail   N/A = Not Applicable to Integration