How to configure multi-factor authentication with RSA SecurID

How to configure multi-factor authentication with RSA SecurID

Setting up RSA SecurID authentication

You can set up RSA SecurID as an authenticator in ADSelfService Plus in two steps:

  1. Include the ADSelfService Plus server in the SecurID SECURITY CONSOLE as an authentication agent.
  2. Configure ADSelfService Plus for RSA SecurID.

Prerequisites

  1. Ensure that you have installed a supported version of RSA Authentication Manager.
    1. For SDK integration: RSA Authentication Manager 8.0 or higher
    2. For REST API integration: RSA Authentication Manager 8.2 SP1 or higher

Including ADSelfService Plus as an authentication agent in the RSA SecurID SECURITY CONSOLE

  1. Log in to your RSA admin console (e.g., https://adssp-rsa.mydomain.com/sc ).
  2. Navigate to Access > Authentication Agents. Click Add New.
  3. RSA SecurID

  4. Enter the hostname of the ADSelfService Plus server in the Hostname field and click Resolve IP to establish a connection between the SecurID SECURITY CONSOLE and the ADSelfService Plus server.
  5. Click Save to add the ADSelfService Plus server as an authentication agent.
  6. RSA SecurID

Configuring ADSelfService Plus for RSA SecurID

RSA SecurID configuration can be done using either of these methods:

Note: It is recommended to configure RSA authentication using REST API as RSA SecurID no longer supports SDK Integration.

Steps to configure RSA SecurID with REST API integration

  1. Log into the RSA admin console and navigate to Setup > System Settings.
  2. Under Authentication Settings, click RSA SecurID Authentication API.
  3. Copy the Access ID, Access Key, and Communication Port details.
  4. Log into the ADSelfService Plus admin console and navigate to Admin > Configuration > Self-Service > Multi-factor Authentication > RSA SecurID.
  5. From the Choose the Policy drop-down, select a policy.
  6. Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  7. Click RSA SecurID.
  8. For Integration Type, select REST API.
  9. RSA SecurID

  10. Enter the hostname of RSA Authentication Manager in the API Host Name field.
  11. Paste the port number and access key obtained in Step 3 in the Port and Access Key fields, respectively.
  12. Enter the authentication agent's name (i.e., the hostname or access URL of the ADSelfService Plus server) in the Client Id field.
  13. Check the Secure API requests to RSA server with HMAC Authentication box to verify the integrity of the authentication requests. Please follow the steps mentioned under HMAC prerequisites before enabling HMAC authentication.
  14. RSA SecurID

  15. Enter the access ID copied in Step 3, in the Access Id field.
  16. Select a Username Pattern that matches the User Account Format in the RSA admin console.
  17. Note: Users across different domains can have the same username, causing ambiguity during RSA mapping. To ensure secure authentication, we strongly recommend using a username pattern that includes the domain. This Username Pattern needs to match the RSA User Account Format in the RSA admin console, to accurately map domain user accounts to RSA user accounts.

  18. Click Test Connection and Save.

Steps to configure RSA SecurID with SDK integration

  1. Ensure that the required JAR files listed below are present in the <ADSelfService_Plus_install_directory>/lib folder.
    • authapi-8.6.jar
    • log4j-1.2.12rsa-1.jar
    • cryptojcommon-6.1.3.3.jar
    • jcmFIPS-6.1.3.3.jar
    • cryptojce-6.1.3.3.jar
  2. Note: These JAR files pertain to the latest version of Authentication Agent SDK for Java (version 8.6). If they are not present in the <ADSelfService_Plus_install_directory>/lib folder, please download them from RSA Community.

  3. In the RSA admin console, navigate to Access > Authentication Agents > Generate Configuration File.
  4. Click Generate Config File to download the AM_Config.zip file.
  5. Extract the sdconf.rec file from the ZIP file.
  6. Log into the ADSelfService Plus admin portal and navigate to Admin > Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup > RSA SecurID.
  7. From the Choose the Policy drop-down, select a policy.
  8. Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  9. Click RSA SecurID.
  10. For Integration Type, select SDK.
  11. RSA SecurID

  12. Click Browse and select the sdconf.rec file downloaded from the SecurID SECURITY CONSOLE.
  13. Select a Username Pattern that matches the User Account Format in the RSA admin console.
  14. Note: Users across different domains can have the same username, causing ambiguity while matching RSA accounts to ADSelfService Plus user accounts during MFA. To ensure secure authentication, we strongly recommend using a Username Pattern that includes the domain name (domain_dns_name) or email (email_id) to accurately map domain user accounts to RSA User Accounts, which need to be in the same format. Utilizing only the username (user_name) in the Username Pattern is discouraged for security reasons.

  15. Click Save.
  16. Once enabled, users belonging to the policy for which RSA authentication has been enabled will be asked to verify their identity with their SecurID tokens while logging in.

Note:Please ensure that all the users are associated with the configured authentication agent (the ADSelfService Plus server) and have enrolled in RSA Authentication Manager with the same username and SecurID tokens assigned to them.

If you experience problems while authenticating via RSA, log in to your RSA admin console and go to the Reporting tab. Under Real-time Activity Monitors, go to Authentication Activity Monitor > Start Monitor to troubleshoot.

HMAC prerequisites

Hash-based message authentication code (HMAC) is used to validate the authentication requests that are exchanged between authentication agents and the RSA SecurID Authentication API.

  1. Log on to the appliance with the Secure Shell client or access the appliance on a virtual machine with the VMware vSphere Client, Hyper-V Virtual Machine Manager, or Hyper-V Manager.
  2. To verify authentication requests by implementing HMAC, type the following:
    1. ./rsautil store –a update_config
    2. auth_manager.rest_service.authorization.mode 1 GLOBAL 501
  3. To use only the RSA SecurID Authentication API's access key for authentication, type the following:
    1. ./rsautil store –a update_config
    2. auth_manager.rest_service.authorization.mode 0 GLOBAL 501

Steps to enable multi-factor authentication for ADSelfService Plus' end-user portal login

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → MFA for Reset/Unlock.

    Steps to enable MFA for ADSelfService Plus

  2. Choose the Policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Use the Enable _ authentication factors option next to MFA for ADSelfService Plus Login,
  4. Select RSA SecurID and other necessary authenticators from the Select the authenticators required drop-down.
  5. Click Save Settings.

Once configured, RSA SecurID will be one of the authenticators that verifies a user's identity when they login to ADSelfService Plus.

Steps to enable multi-factor authentication for password reset/account unlock

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → MFA for Reset/Unlock.

    Steps to enable MFA for ADSelfService Plus

  2. Choose the Policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Enable the Select the authenticators required checkbox
  4. Use the Enable _ authentication factors option next to MFA for Password Reset/Account Unlock to select the number of authenticators
  5. Select RSA SecurID and other necessary configured authenticators from the drop-down.
  6. Click Save Settings.

Once configured, RSA SecurID will be one of the authenticators that verifies a user's identity when they try to reset their password, or unlock their account in ADSelfService Plus.

Steps to enable multi-factor authentication for endpoints

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints..

    Steps to enable MFA for ADSelfService Plus

  2. Choose the Policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. MFA can be configured so additional factors of authentication are required at the login screens of Windows, macOS, and Linux machines or systems, during VPN or Outlook Web Access (OWA) logins.
    • For machine logins:
      • Go to MFA for Endpoints.
      • Enable the Select the authenticators required checkbox.
      • Use the Enable _ authentication factors option next to MFA for Machine Login to select the number of authenticators.
      • Select RSA SecurID and other necessary configured authenticators from the drop-down.
      • Click Save Settings.
    • For OWA logins:
      • Select the Enable second factor authentication option next to MFA for OWA Login, and choose RSA SecurID from the drop-down.
      • Click Save Settings.

                  New to ADSelfService Plus?

                    • Related Articles

                    • Multi-factor authentication techniques in ADSelfService Plus

                      Let's take a look into the various authentication methods supported by ADSelfService Plus for enterprise multi-factor authentication (MFA). Why should you use MFA? Authentication based solely on usernames and passwords is no longer considered secure. ...
                    • How to enable offline MFA in ADSelfService Plus

                      ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is ...
                    • How to enable multi-factor authentication for RDP

                      Generally, remote employees use Microsoft Remote Desktop Protocol (RDP) to connect to their work devices from an external network, using only a password to authenticate their devices. This makes RDP-based access highly vulnerable to password-based ...
                    • How to set up multi-factor authentication (MFA) for macOS

                      When employees are forced to manage multiple passwords, they tend to reuse the same password across multiple applications or create simple, easy-to-remember passwords that are not strong enough. This makes them an easy target for attackers who use ...
                    • Configuring MFA for FTD VPN using RADIUS

                      This guide provides steps for enabling multi-factor authentication (MFA) using RADIUS for Cisco's Firepower Threat Defense (FTD) product using ManageEngine ADSelfService Plus' MFA for VPN feature. To enable RADIUS-based authentication for Cisco FTD, ...