RSA Ready Implementation Guide for

Similar documents
RSA Ready Implementation Guide for. GlobalSCAPE EFT Server 7.3

VMware Identity Manager vidm 2.7

Cyber Ark Software Ltd Sensitive Information Management Suite

Cisco Systems, Inc. Aironet Access Point

Barracuda Networks NG Firewall 7.0.0

Caradigm Single Sign-On and Context Management RSA Ready Implementation Guide for. Caradigm Single Sign-On and Context Management 6.2.

Cisco Systems, Inc. Wireless LAN Controller

<Partner Name> RSA SECURID ACCESS Standard Agent Implementation Guide. WALLIX WAB Suite 5.0. <Partner Product>

Avocent DSView 4.5. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: June 9, Product Information Partner Name

Dell SonicWALL NSA 3600 vpn v

RSA SecurID Ready Implementation Guide. Last Modified: March 27, Cisco Systems, Inc.

Vanguard Integrity Professionals ez/token

Attachmate Reflection for Secure IT 8.2 Server for Windows

RSA Ready Implementation Guide for. VMware vsphere Management Assistant 6.0

Citrix Systems, Inc. Web Interface

Cisco Systems, Inc. Catalyst Switches

SSH Communications Tectia 6.4.5

Barracuda Networks SSL VPN

SecureW2 Enterprise Client

HOB HOB RD VPN. RSA SecurID Ready Implementation Guide. Partner Information. Product Information Partner Name. Last Modified: March 3, 2014 HOB

Rocket Software Strong Authentication Expert

RSA Ready Implementation Guide for. Checkpoint Mobile VPN for ios v1.458

RSA Ready Implementation Guide for. HelpSystems Safestone DetectIT Security Manager

RSA SecurID Implementation

Cisco Systems, Inc. IOS Router

Infosys Limited Finacle e-banking

Microsoft Forefront UAG 2010 SP1 DirectAccess

Pulse Secure Policy Secure

Security Access Manager 7.0

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Cisco Adaptive Security Appliance 9.5(2)

RSA SecurID Ready Implementation Guide. Last Modified: November 19, 2009

Open System Consultants Radiator RADIUS Server

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

RSA SECURID ACCESS PAM Agent Implementation Guide

Microsoft Unified Access Gateway 2010

Barron McCann Technology X-Kryptor

<Partner Name> RSA SECURID ACCESS. VMware Horizon View Client 6.2. Standard Agent Implementation Guide. <Partner Product>

Apple Computer, Inc. ios

RSA Ready Implementation Guide for

<Partner Name> <Partner Product> RSA SECURID ACCESS. Pulse Secure Connect Secure 8.3. Standard Agent Client Implementation Guide

RSA SecurID Ready Implementation Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. CyberArk Enterprise Password Vault

How to RSA SecureID with Clustered NATIVE

RSA SecurID Ready Implementation Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS. VMware Horizon View 7.2 Clients. Standard Agent Client Implementation Guide

RSA SecurID Ready Implementation Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS. NetMove SaAT Secure Starter. Standard Agent Client Implementation Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

RSA Ready Implementation Guide for

How to Integrate RSA SecurID with the Barracuda Web Application Firewall

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

RSA Ready Implementation Guide for

050-v71x-CSESECURID RSA. RSA SecurID Certified Systems Engineer 7.1x

How to Configure the RSA Authentication Manager

Fischer International Identity Fischer Identity Suite 4.2

Hitachi ID Systems Inc Identity Manager 8.2.6

RSA Exam 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam Version: 6.0 [ Total Questions: 140 ]

TalariaX sendquick Alert Plus

SailPoint IdentityIQ 6.4

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because

Technical Note: RSA SecurID /SA Integration

Data Structure Mapping

AT&T Global Smart Messaging Suite

McAfee Endpoint Encryption

Data Structure Mapping

Authentify SMS Gateway

Data Structure Mapping

Advantage Cloud Two-Factor Security Process

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Intel Security Drive Encryption 7.1.3

Data Structure Mapping

Data Structure Mapping

Data Structure Mapping

Intel Security/McAfee Endpoint Encryption

Secured by RSA Implementation Guide for Software Token Authenticators

Symantec Encryption Desktop

Data Structure Mapping

Pass4sure CASECURID01.70 Questions

SOFTEL Communications Password Reset and Identity Management Suite

Citrix Access Gateway Implementation Guide

Vendor: RSA. Exam Code: CASECURID01. Exam Name: RSA SecurID Certified Administrator 8.0 Exam. Version: Demo

<Partner Name> RSA SECURID ACCESS Authenticator Implementation Guide. Intel Authenticate & Intel IPT based Token Provider for RSA SecurID

RSA Authentication Manager 7.1 Administrator s Guide

RSA Authentication Manager 8.2

Integration Guide. LoginTC

RSA Authentication Manager 6.1 to 8.0 Migration Guide

Security Cooperation Information Portal

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

RSA Ready Implementation Guide for

Authentication. August 17, 2018 Version 9.4. For the most recent version of this document, visit our documentation website.

Configuring the Client Adapter through the Windows XP Operating System

Lab Configuring LEAP/EAP using Cisco Secure ACS (OPTIONAL)

<Partner Name> <Partner Product> RSA Ready Implementation Guide for

Configuring 802.1X Settings on the WAP351

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Remote Support Security Provider Integration: RADIUS Server

STRS OHIO F5 Access Client Setup for ChromeBook Systems User Guide

Transcription:

<Partner Name> <Partner Product> RSA Ready Implementation Guide for Cisco Peter Waranowski, RSA Partner Engineering Last Modified: October 14 th, 2016

Solution Summary Cisco Secure Access Control Server (ACS) is an access control server that provides an identity-based networking solution to enterprise customers for network access (wired, wireless, remote access) and device administration. Cisco Secure ACS can be configured to communicate with RSA Authentication Manager via both RADIUS and RSA native SecurID protocols. This integration enables RSA s two factor authentication for users accessing Cisco Secure ACS protected network resources. RSA Authentication Manager supported features Cisco RSA SecurID Authentication via Native RSA SecurID UDP Protocol RSA SecurID Authentication via Native RSA SecurID TCP Protocol RSA SecurID Authentication via RADIUS Protocol RSA SecurID Authentication via IPv6 On-Demand Authentication via Native SecurID UDP Protocol On-Demand Authentication via Native SecurID TCP Protocol On-Demand Authentication via RADIUS Protocol Risk-Based Authentication RSA Authentication Manager Replica Support Secondary RADIUS Server Support RSA SecurID Software Token Automation RSA SecurID SD800 Token Automation RSA SecurID Protection of Administrative Interface -- 2 -

RSA Authentication Manager Configuration Agent Host Configuration To facilitate communication between Cisco Secure ACS and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies Cisco Secure ACS and contains information about communication and encryption. Include the following information when configuring a UDP-based agent host record. Hostname IP addresses for network interfaces Important: The UDP-based authentication agent s hostname must resolve to the IP address specified. Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Cisco Secure ACS will occur. If Cisco Secure ACS will be communicating with RSA Authentication Manager via RADIUS, then a RADIUS client that corresponds to the agent host record must be created in the RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client: Hostname IP Addresses for network interfaces RADIUS Secret Important: The RADIUS client s hostname must resolve to the IP address specified. Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients. -- 3 -

Partner Product Configuration Before You Begin This section provides instructions for configuring Cisco Secure ACS with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All Cisco Secure ACS components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. Configuring the Cisco ACS for SecurID Authentication Cisco Secure ACS supports RSA SecurID authentication using both RADIUS and RSA s native SecurID protocol. Configure SecurID Authentication using native SecurID protocol 1. Browse to Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers and click Create. 2. Specify a name for your RSA SecurID Token Server, the path to sdconf.rec configuration file and click Submit. -- 4 -

3. Browse to Access Policies > Access Services. Edit the Identity Policy within the Access Service for which you are implementing SecurID authentication. 4. Set the Identity Source to the RSA SecurID Token Server created in Step 1, and click Save Changes. Cisco Secure ACS is now configured for authentication with the RSA SecurID Token Server over the RSA native SecurID protocol. -- 5 -

Configure SecurID Authentication using RADIUS protocol 1. Browse to Users and Identity Stores > External Identity Stores > RADIUS Identity Servers and click Create. 2. Specify a Name for the SecurID Authentication Server. Enter the Hostname and Shared Secret for the primary server. Enter Hostname and Shared Secret for the Secondary Server if applicable. Click Submit. 3. Browse to Access Policies > Access Services. Edit the Identity Policy within the Access Service for which you are implementing SecurID authentication. -- 6 -

4. Set the Identity Source to the RSA SecurID Token Server created in Step 1 and click Save Changes. Cisco Secure ACS is now configured for authentication with the RSA SecurID Token Server over the RADIUS protcol. -- 7 -

Certification Checklist for RSA Authentication Manager Date Tested: October 14 th, 2016 Certification Environment Product Name Version Information Operating System RSA Authentication Manager 8.2 Virtual Appliance Cisco.032 Virtual Appliance RSA SecurID Authentication Date Tested: October 14 th, 2016 Mandatory Functionality New PIN Mode Force Authentication After New PIN System Generated PIN User Defined (4-8 Alphanumeric) User Defined (5-7 Numeric) Deny 4 and 8 Digit PIN Deny Alphanumeric PIN Deny PIN Reuse Passcode Native Native RADIUS UDP TCP Client 16 Digit Passcode 4 Digit Fixed Passcode Next Tokencode Mode Next Tokencode Mode On-Demand Authentication On-Demand Authentication On-Demand New PIN Load Balancing / Reliability Testing Failover (3-10 Replicas) RSA Authentication Manager = Pass = Fail = n-available Function -- 8 -

Appendix RSA SecurID Authentication Files RSA SecurID Authentication Files UDP Agent Files sdconf.rec sdopts.rec de secret sdstatus.12 / jastatus.12 Location In Memory In Memory In Memory In Memory TCP Agent Files rsa_api.properties sdconf.rec sdopts.rec de secret Location Partner Integration Details Partner Integration Details RSA SecurID UDP API 6.1; 8.1.1 starting in 5.3 Patch 1 RSA SecurID TCP API RSA Authentication Agent Type Standard Agent RSA SecurID User Specification Designated Users Display RSA Server Info Perform Test Authentication Agent Tracing API Details: Cisco Secure ACS 5.3 includes RSA Authentication API 6.1 to perform Native RSA SecurID Authentication. Cisco Secure ACS 5.3 Patch 1 includes the RSA Authentication API 8.1.1. The node secret format is updated to work with the new API as part of the patch installation without user interaction. This process should be completely seamless to the user, but should it fail, it will necessary to clear and create a new node secret using the new libraries. Cisco Secure ACS 5.4 and newer include the RSA Authentication API 8.1.1 as part of the base install. Important: The RSA authentication libraries are updated during the installation of ACS 5.3 Patch 1. -- 9 -

de Secret: After the agent initially communicates with the RSA SecurID server, the server provides the agent with a node secret file called securid. The de Secret is used for encrypting traffic between the RSA server and the authentication agent. At times, you might have to reset the node secret. To reset the node secret: 1. The RSA SecurID server administrator must uncheck the de Secret Created check box on the Agent Host record in the RSA SecurID server. 2. The ACS administrator must remove the securid file from ACS. To remove the secured file from ACS: Browse to User and Identity Stores > External Identity Stores > RSA SecurID Token Servers 1. Edit your specified RSA SecurID Token Server. 2. Open the ACS Instance Settings tab, and Edit the ACS Instance. 3. Open the Reset Agent Files tab. Mark the checkbox next to Remove securid file on submit, and click Submit. sdopts.rec: You can enable the RSA options file (sdopts.rec) on each ACS instance to control routing priorities for connections between the RSA agent and the RSA servers in the realm. To enable RSA options: Browse to User and Identity Stores > External Identity Stores > RSA SecurID Token Servers 1. Edit your specified RSA SecurID Token Server. 2. Open the ACS Instance Settings tab, and Edit the ACS Instance 3. From the RSA Options File tab, browse to the location of the sdopts.rec file, and click OK. sdstatus.12: When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, you can remove the sdstatus.12 file from ACS. To remove the sdstatus.12 file: Browse to User and Identity Stores > External Identity Stores > RSA SecurID Token Servers 1. Edit your specified RSA SecurID Token Server. 2. Open the ACS Instance Settings tab, and Edit the ACS Instance. 3. Open the Reset Agent Files tab. 4. Mark the checkbox next to Remove sdstatus.12 file on submit, and click Submit. -- 10 -

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback