Sudarsan Kannan

Recent RADIUS specific improvements in RSA SecurID® Access

Blog Post created by Sudarsan Kannan Employee on Dec 6, 2018

During 2018, RSA has made several improvements to better support your ability to protect RADIUS-based resources using RSA SecurID® Access Cloud Authentication Service capabilities.  In this way, RSA SecurID® Access becomes even more pervasive, supporting access across a variety of traditional and cloud use cases.

 

For RADIUS-based applications we delivered the following improvements to customers through our cloud offering:

  • Expanded the choice of authenticators (e.g., SMS, Voice support) to provide more flexibility
  • Helped customers meet the latest PCI 3.2 guidance by supporting multi-method mode for supported VPN clients
  • Enabled Auto-push for mobile MFA to reduce end-user friction during authentication
  • Improved end-user experience for application-specific clientless SSL VPN (e.g., VPN for OWA) when users access VPN through browsers
  • Provided an MFA-only option to achieve passwordless behavior where primary trust is established through certificates or SSH keys between end-user devices and RADIUS clients

Looking ahead into 2019, you may want to use Active Directory (AD) user attributes to make granular authentication decisions for your RADIUS-based applications, all controlled by RSA SecurID® Access policies.  We will continue to improve your ability to protect RADIUS-based applications and make it more powerful through granular controls and policies.

 

Below is a deep dive into RADIUS specific features that were delivered in 2018.

 

Auto-Push for RADIUS logins 

Auto-push for RADIUS, when configured for a user, sends a push notification to a registered phone after the user enters their User ID and password. The extra step (Fig. 1) of selecting an authentication method at each RADIUS-based login is no longer required.  (Note: this Auto-Push capability is available ONLY if passwords are used for primary authentication.)

How and where to configure Auto-Push: Add a RADIUS Client for the Cloud Authentication Service 

RADIUS for the Cloud Authentication Service Overview  

Users always have the flexibility to choose other authentication options if their mobile device is not handy during the time of authentication (e.g., lost, left at home, the RSA Authenticate app not registered).

 

Fig.1 Auto-push for RADIUS (a sample screenshot using Cisco ASA AnyConnect desktop client)

 

Password-less / step-up only RADIUS

If the RADIUS client (e.g., a VPN, a privileged access management solution) is configured to perform primary authentication (e.g., a password), RSA SecurID Access no longer prompts the user to enter their password a second (redundant) time, thereby improving the end-user experience.

 

If certificates or SSH keys are used to establish trust in lieu of passwords (as primary authentication), step-up-only RADIUS is even more useful, since the user is challenged only once (for the step-up factor) to prove their identity.  This feature enables customers to have a password-less MFA experience for RADIUS-based logins. A classic example is a Privileged Account Management (PAM) system where primary trust is established through SSH keys for your admins and RSA SecurID® Access is used as secondary authentication.

 

The step-up only feature helps customers comply with the latest PCI DSS 3.2 guidance. Under this configuration (multi-method mode), RSA SecurID® Access prompts for the password and the MFA factor on a single screen and does not act on the second authentication factor sequentially, based on the outcome of the primary authentication. This approach to verification is consistent with the latest Payment Card Industry Data Security Standard (PCI DSS) guidelines. Any VPN application (e.g., Cisco, Palo Alto) that supports multi-method mode can start using this feature to help meet PCI DSS 3.2.
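To make the sequential-versus-multi-method distinction concrete, here is an added toy model (not RSA code, and not how RSA SecurID Access is implemented) of a RADIUS server answering the two flows. It uses the real RFC 2865 User-Password hiding so the factors travel as they would on the wire; the credential store, the user "alice", and the convention that multi-method mode appends a 6-digit passcode to the password in one User-Password attribute are assumptions made for the example.

```python
import hashlib
import hmac

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11  # RFC 2865 packet codes
PASSWORDS = {b"alice": b"Winter2018!"}  # constructed sample credential store
VALID_OTPS = {b"alice": b"123456"}      # constructed: passcode currently valid for alice


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16 bytes, then XOR
    each block with MD5(shared secret + previous ciphertext block), the first block keyed
    by the Request Authenticator. This is how each factor travels client -> server."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; trailing zero padding is dropped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def sequential_server(user: bytes, hidden: bytes, secret: bytes, ra: bytes, state: bytes = b"") -> int:
    """Classic two-step flow: the password is judged first; a correct one is answered with
    Access-Challenge (carrying State) asking for the passcode. Reject vs Challenge therefore
    discloses the primary factor's outcome before the second factor is ever presented."""
    presented = unhide_password(hidden, secret, ra)
    if not state:  # first round trip: User-Password holds the password
        return ACCESS_CHALLENGE if presented == PASSWORDS.get(user) else ACCESS_REJECT
    return ACCESS_ACCEPT if presented == VALID_OTPS.get(user) else ACCESS_REJECT  # second: passcode


def multi_method_server(user: bytes, hidden: bytes, secret: bytes, ra: bytes) -> int:
    """Multi-method mode: both factors arrive in one Access-Request and are judged together,
    so the client sees a single Accept or Reject and cannot tell which factor failed."""
    presented = unhide_password(hidden, secret, ra)
    password, otp = presented[:-6], presented[-6:]  # assumption: 6-digit passcode appended
    password_ok = hmac.compare_digest(password, PASSWORDS.get(user, b""))
    otp_ok = hmac.compare_digest(otp, VALID_OTPS.get(user, b""))
    return ACCESS_ACCEPT if password_ok and otp_ok else ACCESS_REJECT
```

The point to watch when reviewing a RADIUS MFA deployment is the one the multi-method server illustrates: a wrong password and a wrong passcode produce the same single Access-Reject, whereas the sequential flow's Access-Challenge is itself a per-factor verdict.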

 

For more information on these capabilities, refer to:  https://community.rsa.com/docs/DOC-75832#RADIUS5 


Fig.2 Sample RADIUS Multi-method mode & passwordless end-user screens

 

Improving end-user experience for Cisco Clientless SSL VPN (RADIUS)

This feature enhances the user experience for application-specific VPN access when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end users with an improved experience on Cisco’s clientless SSL-based VPN portals. Administrators can download the new web toolkit from the RSA SID Access Cloud Authentication console and deploy it in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application-specific VPN access or to create captive portals on a wireless network for secure access. Most customers prefer RADIUS-based integration for these types of deployments because of the inherent flexibility and power of configuring security policies, but at the expense of a reduced user experience. With our new web toolkit, customers can continue to use RADIUS-based integration while providing a great user experience for their end users, whether a user is trying to access OWA (as an example) or a business partner is trying to gain access to a wireless network.

You can also continue to use Auto-Push notifications and provide a passwordless experience for RADIUS-based applications with this new web toolkit, elevating your end users' experience.

 

Fig 3. Cisco ASA Clientless SSL VPN step-up authentication end-user experience

 

Adding Flexibility: SMS and Voice authentication comes to RADIUS

Although hardware tokens (and then software tokens) are the classic protection for RADIUS-based resources, RSA now supports a wide variety of additional modern mobile authentication methods. Mobile Push has been available for some time, as has a mobile application (RSA’s Authenticate app) OTP.  The RSA SecurID® Access Cloud Authentication Service added SMS and Voice authentication options for RADIUS in early 2018, so now even users without a token and without the Authenticate app on their mobiles can authenticate to RADIUS-based resources via an SMS- (or voice-) delivered OTP. This can be much more convenient for infrequent and external users.


Fig 4.  SMS used for RADIUS authentication

 

For more information on these capabilities and others, please see the product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.
