Walk-through for RSA SecurID Authentication for IAG 2007 – Part 2 of 2

edgeaccessblog — Wed, 23 Jul 2008 03:27:00 GMT

Last post we reviewed the RSA Agent configuration, now we are going to cover the IAG.

IAG 2007 Configuration

• Install the RSA Authentication Agent on the IAG server.

• IAG 2007 uses the RSA supplied authentication agent to communicate with and verify credentials against, the RSA Authentication Manager. The RSA Authentication Agent is typically supplied with your RSA software package. It is also available directly from RSA.

• NOTE: The installation of the RSA Authentication Agent on the IAG server will update the GINA on the server. However, you can still provide AD credentials when logging in to the IAG 2007 server.

• Test authentication and create the Node Secret

• After installing the RSA Authentication Agent, and rebooting the server, launch the RSA Security Center application on the IAG server. In RSA Security Center, select ‘Authentication Test’ and click the ‘Test’ button. In the Authenticator drop-down list, select ‘Key fob, standard card, PINPad. For User name, enter a user name that has been created on the RSA Authentication Manager. For Passcode, enter the Passcode shown on the token that is currently associated with the user name entered.

This test will:

1. Verify the connection between the IAG server and the RSA Authentication Manger

2. Verify that the credentials and Passcode supplied are valid

3. Establish the Node Secret between the IAG server and the RSA Authentication Manager. The established Node Secret is stored in the registry on the IAG server.

Figure 1

• Configure RSA SecurID authentication on the IAG server

• In the IAG Configuration application, under HTTPS Connections, select the relative Portal/Trunk. Under the ‘Security & Networking’ section, click Configure next to ‘Advanced Trunk Configuration’.

• In the Advanced Trunk Configuration dialog, select the Authentication tab and click ‘Add’. In the ‘Authentication and User/Group Servers dialog, click ‘Add’.

• In the ‘Add Server’ dialog, select ‘ACE’ in the Type drop-down list. Enter a name to represent this authentication server (i.e. SecurID). Enter the IP address of the RSA Authentication Manager server. The default port for SecurID authentication is 5500. If the RSA Authentication Manager has been configured with an alternate/non-default port, enter the port number here. Click OK. Activate the Configuration.

Figure 2

• The Portal login page will now have the SecurID authentication type available. Note that if you have configured multiple Authentication servers in your Portal, when logging into the Portal, you will need to make sure you select the RSA SecurID authentication type from the available choices in the ‘Directory’ drop-down list.

Figure 3

Author

Richard Barker

Security Support Engineer – ISA/IAG Team

Microsoft – NC

Walk-through for RSA SecurID Authentication for IAG 2007 – Part 1 of 2

edgeaccessblog — Tue, 22 Jul 2008 16:58:00 GMT

RSA Authentication Manager Server Configuration

Disclaimer: Many of the steps outlining the configuration of the RSA Authentication Manager software are not directly supported by Microsoft. They should be used as a guideline to help familiarize and guide you in this configuration. For additional assistance in directly configuring the RSA Authentication Manager Software, please review your RSA SecurID documentation.

Creating Users and Agent Hosts

• Import Tokens from Seeds files

The seed can be an *.asc or *.xml file and is typically supplied with the token<s>. The seed is the tokens’ factory encoded random key. Each token has a unique key (seed). The seed file is imported into the associated RSA Authentication Manager server.

• Add users and assign a Token to each user

User accounts information is added to the RSA Authentication Manager. These accounts can be AD accounts or manually created. Each account created is assigned a Token.

Figure 1

• Synchronize the Token

Each Token has a built-in clock that must be in sync with the RSA Authentication Managers’ clock. If the Tokens’ clock is out of sync, authentication will fail. It is typically a good idea to synchronize the Token after assigning it to a user.

• Create Agent Host

Agent Hosts are servers or devices that directly authenticate against the RSA Authentication Manager. In this case, the Agent Host is the IAG server.

• Use the resolvable FQDN for the Agent Host

When creating the Agent Host entry, make sure to use the Fully Qualified Domain Name of the IAG server. Also make sure that the RSA Authentication Manager server can correctly resolve this FQDN to the correct internal IP address of the IAG server.

• Select “Net OS Agent” as the Agent Type

Figure 2

• Activate Users on the Agent Host.

For any Agent Host to successfully authenticate a user, that users account must be Activated on that Agent Host.

Figure 3

Create Configuration Files and Node Secrets

• Create SDCONF.REC file for the Agent Host

The SDCONF.REC can be generated for each Agent Host. Or a single SDCONF.REC can be generated for all Agent Hosts. The SDCONF.REC contains RSA Authentication Manager configuration information. This includes ports, processes, etc., essential to the authentication service.