<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Cisco Adaptive Security Appliance 9.5(2)


RSA SECURID ACCESS Implementation Guide
Cisco Adaptive Security Appliance 9.5(2)
Peter Waranowski, RSA Partner Engineering
Last Modified: January 9th, 2018

Solution Summary

Cisco Adaptive Security Appliance can be integrated with RSA SecurID Access using native SecurID integration (SDI), RADIUS and/or SAML to provide strong authentication.
Cisco AnyConnect/VPN client profiles can be integrated using SDI or RADIUS.
ASDM can be integrated using SDI or RADIUS.
AAA Firewall rules can be integrated using SDI or RADIUS.
Clientless SSL VPN Portal can be integrated using SDI, RADIUS or SAML.
Administrative access can be integrated using SDI or RADIUS.

[Diagram: RSA SecurID Access features. On Premise Methods: RSA SecurID, On Demand Authentication, Risk-Based Authentication (AM). Cloud Authentication Service Methods: Authenticate App, FIDO Token, SSO (SAML SSO, HFED SSO), Identity Assurance (Collect Device Assurance and User Behavior).]

Supported Authentication Methods by Integration Point

This section indicates which authentication methods are supported by integration point. The next section (Configuration Summary) contains links to the appropriate configuration sections for each integration point.

Cisco ASA integration with RSA Cloud Authentication Service
Authentication Methods (columns: REST, IDR SAML, Cloud SAML, HFED, RADIUS)
RSA SecurID: - n/t -
LDAP Password: - n/t -
Authenticate Approve: - n/t -
Authenticate Eyeprint ID: - n/t -
Authenticate Fingerprint: - n/t -
Authenticate Tokencode: - n/t -
SMS Tokencode: - n/t -
Voice Tokencode: - n/t -
FIDO Token: n/t -

Cisco ASA integration with RSA Authentication Manager
Authentication Methods (columns: REST, RADIUS, UDP Agent, TCP Agent)
RSA SecurID: - -
AM RBA:

Legend: check mark = Supported; - = Not supported; n/t = Not yet tested or documented, but may be possible

Configuration Summary

All of the supported use cases of RSA SecurID Access with Cisco ASA require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.

RSA Cloud Authentication Service
Cisco ASA can be integrated with RSA Cloud Authentication Service in the following ways:
SAML via RSA Identity Router (IdP): Cloud Authentication Service Identity Router IdP Configuration; Cisco ASA SAML Configuration
RADIUS Client: Cloud Authentication Service RADIUS Configuration; Cisco ASA RADIUS Configuration

RSA Authentication Manager
Cisco ASA can be integrated with RSA Authentication Manager in the following ways:
RADIUS Client: Authentication Manager RADIUS Configuration; Cisco ASA RADIUS Configuration
UDP Agent: Authentication Manager UDP Agent Configuration; Cisco ASA UDP Agent Configuration
Risk-Based Authentication: Authentication Manager Risk-Based Configuration; Cisco ASA Risk-Based Authentication Configuration

RSA SecurID Access Server Side Configuration

RSA Cloud Authentication Service Configuration

SAML via RSA Identity Router (IdP)
To configure a SAML Service Provider in RSA Identity Router, you must deploy the connector for Cisco ASA in the RSA SecurID Access Console. During configuration of the IdP you will need some information from the SP. This information includes (but may not be limited to) the Assertion Consumer Service URL and the Service Provider Entity ID.

1. Log on to the RSA SecurID Access console and browse to Applications > Application Catalog, search for Cisco ASA SSL VPN Portal and click +Add to add the connector.

2. On the Basic Information page, specify the Name of the connector as it should be displayed in the application portal and click Next Step.
3. On the Connection Profile page choose IDP-initiated and scroll down to the SAML Identity Provider (Issuer) section.

4. Configure the SAML Identity Provider settings and then scroll down to the Service Provider section. Copy the URL in the Identity Provider URL field; it will be needed later for the Service Provider configuration. Take note of the Issuer Entity ID. Select Choose File to locate and import a private key to sign the SAML assertion. The private key must correspond to the public signing certificate loaded in the SP application. If a private/public key pair is not readily available, you can click Generate Certificate Bundle.

5. Enter the Assertion Consumer Service URL and Audience and then scroll down to the User Identity section.
6. From the Property drop-down menu, select the attribute from your user store which contains your users' account names and then click Next Step.
7. Select the desired Access Policy and click Next Step.

8. Mark the Display in Portal checkbox and click Save and Finish.
9. Click Save and Finish.
10. Click Publish Changes.

Your application is now enabled for SSO. Refer to the Cisco ASA SAML SP Configuration section for instructions on how to configure the service provider for SAML SSO.

RADIUS
To configure RADIUS for Cloud Authentication Service for use with a RADIUS client, you must first configure a RADIUS client in the RSA SecurID Access Console. Log on to the RSA SecurID Access console and browse to Authentication Clients > RADIUS > Add RADIUS Client and enter the Name, IP Address and Shared Secret of your Cisco ASA. Click Publish to push your configuration change to the RADIUS server. The RSA Cloud Authentication RADIUS server listens on port UDP 1812. Refer to the Cisco ASA RADIUS Configuration section for instructions on how to configure the Cisco ASA's RADIUS client.

RSA Authentication Manager Configuration

RADIUS
To configure your RSA Authentication Manager for use with a RADIUS Agent, you must configure a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console. The relationship of agent host record to RADIUS client in the Authentication Manager can be 1 to 1, 1 to many or 1 to all (global). The RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.

UDP Agent
To configure your RSA Authentication Manager for use with a UDP-based agent, you must create an agent host record in the Security Console of your Authentication Manager and download its configuration file (sdconf.rec).
Hostname: Configure the agent host record name to match the hostname of the agent.
IP Address: Configure the agent host record to match the IP address of the agent.
Important: Authentication Manager must be able to resolve the IP address from the hostname.

Risk-Based Authentication
To configure your RSA Authentication Manager for risk-based authentication with Cisco ASA, you must create an agent host record and enable it for risk-based authentication in the RSA Authentication Manager Security Console. You will need to download the sdconf.rec and the risk-based authentication integration script for the appropriate device type to configure the agent. RSA Authentication Manager can integrate risk-based authentication with UDP-based or RADIUS agents only. The latest risk-based authentication script template is at the following link:
https://sftp.rsa.com/human.aspx?username=partner&password=rsas3cur3d!&arg01=688653577&arg12=downloaddirect&transaction=signon&quiet=true
Download this file and copy it to the following directory on your primary RSA Authentication Manager server:
/opt/rsa/am/utils/rba-agents
Please refer to RSA documentation for more information on RBA integration scripts.

Partner Product Configuration

Before You Begin
This section provides instructions for configuring the Cisco ASA with RSA SecurID Access. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All Cisco ASA components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Overview
Configure Authentication Server Settings: SAML; RADIUS; UDP Agent
Configure Services with RSA SecurID Access: Network (Client) Access using IPsec (IKEv1); Network (Client) Access using AnyConnect; Firewall; ASDM; Clientless SSL VPN Portal

Cisco ASA SAML SP Configuration
Complete the steps in this section to integrate with RSA SecurID Access using the SAML authentication protocol.

1. Log on to the Cisco ASA ASDM, browse to Configuration > Certificate Management > CA Certificates and click Add.
2. Enter the Trustpoint Name for the IdP's certificate, add the IdP's signing certificate by file or text and click Install Certificate.

3. Browse to Configuration > Clientless SSL VPN Access > Advanced > Single Signon Servers and click Add.
4. Configure the SSO Server, mark the checkbox to Enable the Signature and click OK.
Server Name: Enter the Issuer Entity ID from step 4 in the SAML via RSA Identity Router (IdP) section.
Sign In URL: Enter the Identity Provider URL from step 4 in the SAML via RSA Identity Router (IdP) section.
Base URL: Enter the URL of the ASA SSL VPN Portal.
Identity Provider Certificate: Select the identity provider trustpoint you created in steps 1-2 of this section.
Service Provider Certificate: Select the service provider trustpoint.
Request Timeout: Set the request timeout as appropriate for your environment.
Note: This configuration example shows the same certificate/trustpoint being used for both the identity provider and service provider. While this does work, the service provider should have its own certificate/trustpoint in a production environment.

Cisco ASA RADIUS Client Configuration
Complete the steps in this section to integrate with RSA SecurID Access using the RADIUS authentication protocol.

1. Browse to Configuration > Device Management > Users/AAA > AAA Server Groups and click Add.
2. Enter the Server Group name, select RADIUS from the Protocol drop-down menu and click OK.

3. Select the AAA Server Group and click Add to add a server to the group.
4. Select the appropriate interface from the Interface Name drop-down menu, enter the Server Name or IP Address of the RSA RADIUS server, enter the Server Secret Key and click Message Table under SDI Messages.

5. If you are integrating with RSA Authentication Manager, set the Message Text in the Message Table as shown in the following image and click OK. This step is not necessary if you are integrating with RSA Cloud Authentication Service.
Note: Repeat steps 3-5 to add failover RADIUS servers.
6. Click Apply to complete the configuration.
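The RADIUS exchange behind steps 1-6, together with the Shared Secret entered in the RSA console, as an added example that is not part of this guide or of Cisco's or RSA's software: it builds an ASA-style Access-Request, checks a simulated RSA server's reply with the shared secret, and classifies an Access-Challenge by matching its Reply-Message against a constructed stand-in for the SDI Messages table from step 5. The packet contents, prompt strings and table entries are all assumptions made for illustration; RSA's real prompt text may differ.

```python
"""Added example (not from the RSA guide or Cisco): a minimal RADIUS exchange
of the kind the ASA performs against an RSA RADIUS server. It shows how the
Shared Secret configured on both sides protects User-Password and authenticates
the server's reply, and how a client can classify an Access-Challenge by matching
Reply-Message text against a message table (the role of the SDI Messages table).
All packets, prompt strings and table entries below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

# Constructed stand-in for the ASDM SDI Messages table: prompt class -> text
# expected in the server's Reply-Message. Real entries must match the text
# your Authentication Manager actually sends.
SDI_MESSAGE_TABLE = {
    "next-tokencode": "Wait for the tokencode to change",
    "new-pin-prompt": "Enter a new PIN",
    "new-pin-confirm": "Re-enter the new PIN",
    "system-pin": "Your new PIN is",
}

def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def encode_attrs(attrs):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:  # malformed attribute: stop rather than loop forever
            break
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, passcode, secret, authenticator=None):
    """Client side (ASA role): random Request Authenticator, obfuscated passcode."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, obfuscate_password(passcode.encode(), secret, authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_reply(code, ident, request_authenticator, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body

def verify_reply(reply, request_authenticator, secret):
    """Client side: a reply not authenticated with our shared secret is discarded."""
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return resp_auth == expected

def classify_reply(reply, message_table=SDI_MESSAGE_TABLE):
    """Accept/Reject pass through; a Challenge is mapped to an SDI prompt class."""
    code = reply[0]
    if code != ACCESS_CHALLENGE:
        return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
    text = b"".join(v for t, v in decode_attrs(reply[20:]) if t == ATTR_REPLY_MESSAGE)
    text = text.decode(errors="replace").lower()
    for kind, needle in message_table.items():
        if needle.lower() in text:
            return kind
    return "unknown-challenge"  # no table entry matched; the ASA would show raw text

def demo(secret=b"constructed-shared-secret"):
    """One constructed round trip: the server asks for a Next Tokencode."""
    req_auth = os.urandom(16)
    request = build_access_request(1, "jdoe", "1234567890", secret, req_auth)
    # Simulated Authentication Manager answering with an Access-Challenge
    challenge = build_reply(ACCESS_CHALLENGE, request[1], req_auth, secret, [
        (ATTR_REPLY_MESSAGE, b"Wait for the tokencode to change, then enter the new tokencode:"),
        (ATTR_STATE, b"constructed-state-1"),
    ])
    # A reply built with the wrong secret (misconfigured or spoofed server) must fail
    forged = build_reply(ACCESS_ACCEPT, request[1], req_auth, b"wrong-secret", [])
    return {
        "challenge_authentic": verify_reply(challenge, req_auth, secret),
        "challenge_kind": classify_reply(challenge),
        "forged_accept_authentic": verify_reply(forged, req_auth, secret),
    }
```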

Cisco ASA UDP Agent Configuration
Complete the steps in this section to integrate with RSA SecurID Access using the UDP-based agent protocol.

1. Browse to Configuration > Device Management > Users/AAA > AAA Server Groups and click Add.
2. Enter the Server Group name, select SDI from the Protocol drop-down menu and click OK.
3. Select the AAA Server Group and click Add to add a server to the group.

4. Select the appropriate interface from the Interface Name drop-down menu, enter the Server Name or IP Address of the primary RSA Authentication Manager server and click OK.
Important: ONLY ADD THE PRIMARY RSA AUTHENTICATION MANAGER. DO NOT ADD REPLICAS. The Cisco ASA will learn about any RSA Authentication Manager replica servers and prioritize them at the time of the first authentication. This SDI server list is held in memory and lost when the ASA is shut down. If the primary RSA Authentication Manager server is not available for authentication after the system boots, the ASA will not have knowledge of the RSA Authentication Manager replica servers.
5. Click Apply to complete the configuration.

Network (Client) Access using IPsec (IKEv1)

1. Browse to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools and click Add.
2. Enter the Name, Starting IP Address, Ending IP Address and Subnet Mask for your IP Pool and click OK.
3. Browse to Configuration > Remote Access VPN > Network (Client) Access > IPsec(IKEv1) Connection Profiles and mark the Allow Access checkboxes for the interfaces on which you are enabling IPsec VPN access.
4. Browse to Configuration > Remote Access VPN > Network (Client) Access > IPsec(IKEv1) Connection Profiles and click Add under Connection Profiles.

5. Choose a Name, Pre-shared Key, User Authentication Server Group (SDI or RADIUS), Client Address Pool and Group Policy for this connection profile. Click OK.
6. Click Apply to complete the configuration.

Network (Client) Access using AnyConnect

1. Browse to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools and click Add.
2. Enter the Name, Starting IP Address, Ending IP Address and Subnet Mask for your IP Pool and click OK.
3. Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Mark the checkboxes for the following items:
Enable Cisco AnyConnect VPN Client access to the interfaces selected in the table below
Interface(s) on which you are enabling AnyConnect VPN Client access

4. Click Yes to designate an AnyConnect image.
5. Browse Flash or Upload the AnyConnect image and click OK.
6. Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and click Add under Connection Profiles.

7. Enter the Name, Alias, AAA Server Group (SDI or RADIUS), Client Address Pool and DNS Servers, and click Manage next to Group Policy.
8. Click Add > Internal Group Policy to add a group policy.

9. Enter a Name for the Group Policy and click OK.
10. If enabling SecurID authentication via RADIUS, browse to Advanced > Group Alias/Group URL, mark the checkbox next to Enable the display of SecurID messages on the login screen and click OK.
11. Click Apply to complete the configuration.

Firewall

1. Browse to Configuration > Firewall > AAA Rules and click Add > Add Authentication Rule.
2. Make the appropriate selections, select an (SDI or RADIUS) AAA Server Group and click OK.
3. Click Apply to complete the configuration.
Important: Although the ASA can be configured to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the ASA allows other traffic requiring authentication. Telnet is the only service in which the New PIN and Next Tokencode functions are supported.

ASDM

1. Browse to Device Management > Users/AAA > AAA Access.
2. Mark the checkbox next to HTTP/ASDM, select the AAA Server Group (SDI or RADIUS) from the drop-down menu and click Apply.

Clientless SSL VPN Portal

1. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and mark the Allow Access checkboxes for the interfaces on which you are enabling Clientless SSL VPN access.
2. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and click Add under Connection Profiles.

3. Configure the Connection Profile and then browse to Advanced > Clientless SSL VPN.
3a. If you are integrating using an SDI or RADIUS Server Group, select the AAA Authentication Method and then choose the AAA Server Group from the drop-down menu.
3b. If you are integrating using SAML, select the SAML Authentication Method and choose the SAML server from the drop-down menu in the SAML Identity Provider section. (Not shown)
4. If you are integrating with RSA Authentication Manager, mark the checkbox for Enable the display of SecurID messages on the login screen and click OK.
5. Click Apply to complete the configuration.

Risk-Based Authentication Configuration

An SDI or RADIUS AAA Server Group and the Clientless SSL VPN Portal must be configured for SecurID authentication before configuring Risk-Based Authentication. Refer to the sections in this guide for information on configuring the AAA Server Group and Clientless SSL VPN Portal for SecurID authentication.

1. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Web Contents and click Import.
2. Browse Local Files to the location of the RBA integration script, select No for Require authentication to access its content and click Import Now.

3. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization and click Add.
4. Enter a Customization Object Name and mark the Use checkbox for your Connection Profile.
5. From the Add Customization Object window browse to Logon Page > Informational Panel. Mark the Display informational panel checkbox, then copy/paste the following line into the Text: field and click OK.
<script src='/+cscou+/am_integration.js' type="text/javascript"></script> <script>window.onload=redirecttoidp;</script>

6. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles, select the connection profile for which you are enabling Risk-Based Authentication and click Edit.
7. Expand the Advanced menu tree and select Clientless SSL VPN. Select the Customization Object you created earlier in this section from the Login and Logout Page Customization drop-down menu, enter a Group URL to automatically select your connection profile and click OK.

8. Click Apply to complete the configuration.
Important: Depending on which versions of AM and ASA you are integrating, you may get the error Wrong URL after RBA logon. See the Known Issues section of this guide for more information and a work-around.

Login Screenshots

Login screen:
User-defined New PIN:

System-generated New PIN:
Next Tokencode:

Certification Checklist for RSA SecurID Access

Remote Access: IPsec / Cisco VPN Client

Certification Environment Details:
RSA Authentication Manager 8.0, Virtual Appliance
RSA Authentication Software Token 4.1.1, Windows 7 Enterprise 64bit
RSA Remote Authentication Client 3.5.5, Windows 7 Enterprise 64bit
Cisco ASA 9.5(1)
Cisco VPN Client 5.0.7.0440, Windows 7 Enterprise 64bit

RSA Cloud Authentication Service (Date Tested: Not tested)
Authentication Method (columns: REST Client, RADIUS Client)
RSA SecurID: - -
LDAP Password: - -
Authenticate Approve: - -
Authenticate Eyeprint ID: - -
Authenticate Fingerprint: - -
Authenticate Tokencode: - -
SMS Tokencode: -
Voice Tokencode: -
FIDO Token: -

RSA Authentication Manager (Date Tested: February 5th, 2013)
Authentication Method (columns: REST Client, UDP Agent, TCP Agent, RADIUS Client)
RSA SecurID: - -
RSA SecurID Software Token Automation: - -
On Demand Authentication: - -
Risk-Based Authentication:

Legend: check mark = Passed, X = Failed, - = N/A

Certification Checklist for RSA SecurID Access

Remote Access: AnyConnect VPN Client

Certification Environment Details:
RSA Authentication Manager 8.0, Virtual Appliance
RSA Authentication Software Token 5.0, Windows 7 Enterprise 64bit
RSA Remote Authentication Client 3.6, Windows 7 Enterprise 64bit
Cisco ASA 9.5(1)
Cisco AnyConnect 4.2.04.39, Windows 7 Enterprise 64bit

RSA Cloud Authentication Service (Date Tested: April 4th, 2017)
Authentication Method (columns: REST Client, RADIUS Client)
RSA SecurID: -
LDAP Password: -
Authenticate Approve: -
Authenticate Eyeprint ID: -
Authenticate Fingerprint: -
Authenticate Tokencode: -
SMS Tokencode: -
Voice Tokencode: -
FIDO Token: -

RSA Authentication Manager (Date Tested: October 20th, 2016)
Authentication Method (columns: REST Client, UDP Agent, TCP Agent, RADIUS Client)
RSA SecurID: - -
RSA SecurID Software Token Automation: - -
On Demand Authentication: - -
Risk-Based Authentication: - -

Legend: check mark = Passed, X = Failed, - = N/A

Certification Checklist for RSA SecurID Access

Remote Access: Clientless SSL VPN Portal

Certification Environment Details:
RSA Authentication Manager 8.2, Virtual Appliance
Cisco ASA 9.5(2)

RSA Cloud Authentication Service (Date Tested: April 4th, 2017)
Authentication Method (columns: REST Client, RADIUS Client)
RSA SecurID: -
LDAP Password: -
Authenticate Approve: -
Authenticate Eyeprint ID: -
Authenticate Fingerprint: -
Authenticate Tokencode: -
SMS Tokencode: -
Voice Tokencode: -
FIDO Token: -

RSA Authentication Manager (Date Tested: October 13th, 2016)
Authentication Method (columns: REST Client, UDP Agent, TCP Agent, RADIUS Client)
RSA SecurID: - -
RSA SecurID Software Token Automation: - - - -
On Demand Authentication: - -
Risk-Based Authentication:

Legend: check mark = Passed, X = Failed, - = N/A

Certification Checklist for RSA SecurID Access

Firewall

Certification Environment Details:
RSA Authentication Manager 8.2, Virtual Appliance
Cisco ASA 9.5(2)

RSA Cloud Authentication Service (Date Tested: April 6th, 2017)
Authentication Method (columns: REST Client, RADIUS Client)
RSA SecurID: -
LDAP Password: -
Authenticate Approve: -
Authenticate Eyeprint ID: -
Authenticate Fingerprint: -
Authenticate Tokencode: -
SMS Tokencode: -
Voice Tokencode: -
FIDO Token: -

RSA Authentication Manager (Date Tested: October 13th, 2016)
Authentication Method (columns: REST Client, UDP Agent, TCP Agent, RADIUS Client)
RSA SecurID: - -
RSA SecurID Software Token Automation: - - - -
On Demand Authentication: - -
Risk-Based Authentication: - -

Legend: check mark = Passed, X = Failed, - = N/A

Certification Checklist for RSA SecurID Access

ASDM

Certification Environment Details:
RSA Authentication Manager 8.2, Virtual Appliance
Cisco ASA 9.5(2)

RSA Cloud Authentication Service (Date Tested: April 6th, 2017)
Authentication Method (columns: REST Client, RADIUS Client)
RSA SecurID: -
LDAP Password: -
Authenticate Approve: -
Authenticate Eyeprint ID: -
Authenticate Fingerprint: -
Authenticate Tokencode: -
SMS Tokencode: -
Voice Tokencode: -
FIDO Token: -

RSA Authentication Manager (Date Tested: October 13th, 2016)
Authentication Method (columns: REST Client, UDP Agent, TCP Agent, RADIUS Client)
RSA SecurID: - -
RSA SecurID Software Token Automation: - - - -
On Demand Authentication: - -
Risk-Based Authentication: - -

Legend: check mark = Passed, X = Failed, - = N/A

Known Issues

Wrong URL After RBA Logon
Depending on which versions of AM and ASA you are using, you may receive the error Wrong URL when you log on with RBA. To work around the issue, make the following change to the am_integration.js file before uploading it to the Web Contents section in ASA.
Change line #41 of the am_integration.js file from:
origactionurl.setAttribute('value', toabsolutepath(logonform.action));
To:
origactionurl.setAttribute('value', 'https://<ASA_HOSTNAME>/%2bwebvpn%2b/index.html');
Change <ASA_HOSTNAME> to your ASA's IP address or hostname.

Potential Replica Issue when using Native SecurID Authentication
The Cisco ASA 5500 will learn about any RSA Authentication Manager replica servers and prioritize them at the time of the first authentication. This SDI server list is stored in memory and lost when the ASA is shut down. If the primary RSA Authentication Manager server is not available for authentication after the system boots, the ASA will not have knowledge of the RSA Authentication Manager replica servers.

Firewall AAA Rule
Although you can configure the ASA to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the ASA allows other traffic requiring authentication. Telnet is the only service in which the New PIN and Next Tokencode functions are supported.

RSA SecurID Protection of ASDM
When ASDM 7.x is configured with SecurID via native SDI, the variable names for New PIN data are displayed rather than their values. This may cause some difficulty with setting a user-defined PIN, and it makes system-generated PINs unusable.

Appendix

RSA SecurID Access Integration Details

Partner Integration Details
RSA Authentication Agent API (UDP): Custom build
RSA Authentication Agent API (TCP): N/A
RSA SecurID Authentication API (REST): N/A
RSA SecurID User Specification: All Users
Display RSA Server Info: No
Perform Test Authentication: Yes
Agent Tracing: Yes

RSA Authentication Agent Files (C and Java Agents only)
RSA SecurID Authentication Files
UDP Agent Files (Location):
sdconf.rec: N/A
sdopts.rec: Not Implemented
Node secret: On Flash
sdstatus.12 / jastatus.12: In Memory
TCP Agent Files (Location):
rsa_api.properties: N/A
sdconf.rec: N/A
sdopts.rec: N/A
Node secret: N/A

API Details: Cisco ASA implements a modified version of the RSA Authentication API. Important modifications include:
sdconf.rec not utilized
sdopts.rec not utilized
server list stored in memory rather than on the file system
Refer to Cisco documentation for additional information.

Node Secret: The Node Secret file is stored in flash memory on the Cisco ASA. The node secret file is named after the primary Authentication Manager server's IP address with .sdi appended (e.g. 10-10-10-2.sdi). Delete this file to remove the node secret.
sdconf.rec: Not implemented.
sdopts.rec: Not implemented.
sdstatus.12: Not implemented.
The SDI Server List can be viewed by entering the following command from the console:
# show aaa-server
Agent Tracing: Agent tracing information can be enabled by entering the following command from the console:
# debug sdi