RSA SECURID ACCESS
Standard Agent Client Implementation Guide

Pulse Secure

John Sammon, Dan Pintal, RSA Partner Engineering
Last Modified: July 11, 2018
Solution Summary

The Pulse Secure Connect Secure platform provides comprehensive SSL-based VPN services that allow a wide range of devices to access secured resources without requiring additional client software. Pulse Connect Secure can be configured to support RSA SecurID over the RSA Authentication Manager native SecurID protocol and the RADIUS standard protocol. Both Pulse Connect Secure integrations allow organizations to further secure their resources by requiring end users to authenticate with RSA SecurID hardware or software tokens. Both may also be configured to enable token automation for RSA Software token users and SID800 hardware users. During the token automation login process, a user only needs to submit a username and static PIN, and the system provides the RSA SecurID tokencode in the background.

The Pulse Secure Connect Secure Platform also supports RSA Risk-Based Authentication (RBA). Risk-Based Authentication strengthens RSA SecurID authentication and traditional password-based authentication by analyzing a user's behavior and device to identify potentially risky or fraudulent authentication attempts. If the assessed risk is unacceptable, RSA Authentication Manager will challenge the user with a secondary authentication method to further confirm the user's identity.

RSA SecurID Access Features
Pulse Secure Connect Secure 8.x

Authentication Manager Methods
  RSA SecurID: Yes
  On Demand Authentication: Yes
  Risk-Based Authentication: Yes

Cloud Authentication Service Methods
  Authenticate App: Yes
  FIDO Token: No

Identity Assurance
  Collect Device Assurance and User Behavior: No

Software Token Automation
  Windows: No
  Mac: No
  Android: No
  iOS: No
Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Pulse Secure Connect Secure client to work with RSA SecurID Access. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Pulse Secure Connect Secure components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Pulse Secure Connect Secure Client Configuration

1. Configuration of the Windows and mobile clients is the same. The screen captures below provide an example of each configuration. The user or administrator will be required to enter the IP address or the DNS name of the Pulse Secure Connect Secure SSL-VPN host.

Pulse Secure Desktop Client
Pulse Secure Client for macOS

Pulse Secure Client for iOS

Pulse Secure Client for Android
RSA SecurID Login Screens - Web

Standard Login Screen
New PIN
System-generated PIN
RSA RBA Login Screens

RBA User ID Logon Prompt
RBA Password Logon Prompt
RBA Challenge Question Logon Prompt
RBA Device-Binding Option Prompt
Pulse Secure Desktop Client

Standard Login Screen
New PIN
System-generated PIN
Next Tokencode
Pulse Secure Client for macOS

Standard Login Screen
New PIN
Next Tokencode
RADIUS New PIN
RADIUS Confirm New PIN
RADIUS Next Tokencode
Pulse Secure Client for iOS

Standard Login Screen
System-generated PIN
New PIN
Next Tokencode
Pulse Secure Client Mobile for Android

Standard Login Screen
New PIN
System-generated PIN
Display System-generated PIN
Next Tokencode
Certification Checklist for RSA SecurID Access Cloud Authentication Service

Certification Environment Details:
  RSA Authentication Manager 8.2, Virtual Appliance
  RSA Authentication API 8.1
  RSA Authentication Software Token 4.1.2, Windows 2010 Enterprise SP1
  Pulse Secure, Virtual Appliance

REST
Date Tested: April 17, 2017

                          Windows  macOS  Android  iOS  Other
RSA SecurID               N/A      N/A    N/A      N/A  N/A
LDAP Password             N/A      N/A    N/A      N/A  N/A
Authenticate Approve      N/A      N/A    N/A      N/A  N/A
Authenticate Fingerprint  N/A      N/A    N/A      N/A  N/A
Authenticate Tokencode    N/A      N/A    N/A      N/A  N/A
FIDO Token                N/A      N/A    N/A      N/A  N/A

= Pass = Fail N/A = Non-Available Function

RADIUS
Date Tested: April 17, 2017

Windows macOS Android iOS Other
RSA SecurID: N/A N/A
LDAP Password: N/A N/A
Authenticate Approve: N/A N/A
Authenticate Tokencode: N/A N/A

= Pass = Fail N/A = Non-Available Function
Certification Checklist for RSA SecurID Access RSA Authentication Manager

Certification Environment Details:
  RSA Authentication Manager 8.2, Virtual Appliance
  RSA Authentication API 8.1
  RSA Authentication Software Token 4.1.2, Windows 2010
  Pulse Secure, Virtual Appliance
  Pulse Secure Desktop Client 5.3
  Pulse Secure macOS Client 5.3
  Pulse Secure Client Mobile for iOS 6.5
  Pulse Secure Client Mobile for Android 6.5

RSA SecurID Authentication
Dates Tested: June 11-12, July 11, 2018

Windows macOS Android iOS Other
REST: N/A N/A N/A N/A N/A
UDP Agent: N/A
TCP Agent: N/A N/A N/A N/A N/A
RADIUS: N/A

= Pass = Fail N/A = Non-Available Function

Software Token Automation
Date Tested: December 16, 2013

           Windows  macOS  Android  iOS  Other
REST       N/A      N/A    N/A      N/A  N/A
UDP Agent  N/A      N/A    N/A      N/A  N/A
TCP Agent  N/A      N/A    N/A      N/A  N/A
RADIUS     N/A      N/A    N/A      N/A  N/A

= Pass = Fail N/A = Non-Available Function
Known Issues

Pulse Secure Desktop Client 5.3: When a Pulse Secure Desktop Client 5.3 user sets a new PIN that violates the PIN reuse policy, the client submits the PIN and continues the authentication process by prompting the user to authenticate with the new passcode. When the user submits the passcode, the client displays the error below.

Pulse Secure macOS Client 5.3: The Pulse Secure macOS client doesn't support system-generated PINs, whether authenticating over the native SecurID or RADIUS protocols. When a user authenticates and enters system-generated PIN mode, the client doesn't display the PIN and instead displays an authentication failure message.