SonicWALL SMA 100 Series 9.0 - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on May 21, 2019. Last modified by RSA Information Design and Development on May 29, 2019.
Version 2

SonicWALL Inc.

Secure Mobile Access 100 Series 9.0

Certified: April 29, 2019

 

Solution Summary

This section describes the ways that SonicWALL SMA 100 Series can integrate with RSA SecurID Access. Use this information to determine which use case and integration type to use.

Use Cases

When integrated, users must authenticate with RSA SecurID Access in order to access the SMA web portal or to establish a remote connection using SMA clients. The SMA web portal and clients can be integrated with RSA SecurID Access using RADIUS.

 

Integration Types

RADIUS integrations provide a text-driven interface for RSA SecurID Access within the partner application. RADIUS provides support for most RSA SecurID Access authentication methods and flows.

Supported Features

This section shows all of the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component to use. The next section in this guide contains the instructions for integrating RSA SecurID Access with SonicWALL SMA 100 Series using each integration type.

 

SonicWALL SMA 100 Series Integration with RSA Cloud Authentication Service

                                                                         
Authentication Methods    Authentication API    RADIUS    Relying Party    SSO Agent
RSA SecurID               -                     -         -                -
LDAP Password             -                     -         -                -
Authenticate Approve      -                     -         -                -
Authenticate Tokencode    -                     -         -                -
Device Biometrics         -                     -         -                -
SMS Tokencode             -                     -         -                -
Voice Tokencode           -                     -         -                -
FIDO Token                n/a                   n/a       -                -

 

SonicWALL SMA 100 Series Integration with RSA Authentication Manager

                                 
Authentication Methods       Authentication API    RADIUS       Authentication Agent
RSA SecurID                  -                     Supported    -
On Demand Authentication     -                     Supported    -
Risk-Based Authentication    n/a                   -            -

 

                 
Supported
- Not supported
n/t Not yet tested or documented, but may be possible.

Configuration Summary

This section contains instructions for integrating SonicWALL SMA 100 Series with RSA SecurID Access using RADIUS. First configure the integration type, then configure the use case.

This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA SecurID Access and SonicWALL SMA 100 Series components must be installed and working prior to the integration.

Integration Configuration

RADIUS with AM Configuration - SonicWALL SMA 100 Series 9.0 - RSA Ready SecurID Access Implementation Guide

This section contains instructions on how to integrate SonicWALL SMA 100 Series with RSA Authentication Manager using RADIUS.

Architecture Diagram

 

Configure RADIUS Client and Host Record in RSA Authentication Manager

To configure your RSA Authentication Manager for use with a RADIUS Agent, you must configure a RADIUS client and a corresponding agent host record in the RSA Authentication Manager Security Console.

The relationship of agent host record to RADIUS client in the Authentication Manager can be 1 to 1, 1 to many, or 1 to all (global).

RSA Authentication Manager listens on ports UDP 1645 and UDP 1812.

 

Configure SonicWALL SMA 100 Series

Follow the steps in this section to configure SonicWALL SMA 100 Series as a RADIUS client to RSA Authentication Manager.

Procedure

1. Log in to the SMA web portal using an administrator account.

2. Click Portals > Domains and click ADD DOMAIN.

 

 

3. On the Add Domain page, from the Authentication type drop-down list, select the RADIUS option.

4. Specify a name in the Domain name field and configure the Primary Radius server and Backup Radius server as described below.

  • Primary Radius server
    • Radius server address: Enter the hostname or IP address of the primary RSA Authentication Manager server.
    • Radius server Port: Enter 1812 or 1645.
    • Secret password: Enter the RADIUS shared secret as specified when adding a Radius client in the RSA Authentication Manager server.
  • Backup Radius server
    • Radius server address: Enter the hostname or IP address of the replica RSA Authentication Manager server.
    • Radius server Port: Enter 1812 or 1645.
    • Secret password: Enter the RADIUS shared secret as specified when adding a Radius client in the RSA Authentication Manager server.

 

5. Click ACCEPT.
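The secret password entered in step 4 is the RADIUS shared secret: it hides the passcode in each request and authenticates each reply, so a mismatch between the SMA domain and the RADIUS client record in Authentication Manager breaks both. The following Python sketch is an added example, not part of the RSA or SonicWALL documentation; it follows RFC 2865 and assumes the passcode travels in the User-Password attribute (PAP). All function names and sample values are constructed.

```python
import hashlib
import hmac
import struct

def hide_password(passcode: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(passcode) + 15) // 16 * 16)
    padded, out, prev = passcode.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding. A mismatched secret yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(ident, user, passcode, secret, request_auth):
    """Code 1 = Access-Request; attribute 1 = User-Name, 2 = User-Password."""
    attrs = _attr(1, user) + _attr(2, hide_password(passcode, secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def sign_response(code, ident, attrs, request_auth, secret):
    """Server side: authenticator = MD5(code, id, length, request auth, attrs, secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def response_is_authentic(response, request_auth, secret):
    """Client side: recompute the authenticator with the locally configured secret."""
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    secret, ra = b"constructed-secret", bytes(range(16))  # constructed sample values
    reply = sign_response(2, 7, b"", ra, secret)          # 2 = Access-Accept
    print(response_is_authentic(reply, ra, secret), response_is_authentic(reply, ra, b"typo"))
```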

Use Case Configuration

SMA web portal or clients Configuration - SonicWALL SMA 100 Series 9.0 - RSA Ready SecurID Access Implementation Guide

By default, all RSA SecurID authenticated users are allowed to sign in. No additional configuration is required unless the "Only allow users listed locally" option was enabled when adding the domain. If this option was enabled, you need to add the users manually to the domain through the web portal. Also, if a user needs to sign in to Secure Virtual Assist as a technician, you need to assign the technician role to that user. Refer to the SonicWALL documentation for complete instructions.

User Experience

                            
Web portal
RSA SecurID Operation       Web Portal Image
Sign-in
System-generated new PIN
User-defined new PIN
Next tokencode

 

                            
NetExtender client (Windows)
RSA SecurID Operation       NetExtender Client Image
Sign-in
System-generated new PIN
User-defined new PIN
Next tokencode

 

Certification Details

Date of testing: March 28, 2019

RSA Authentication Manager 8.3, Virtual Appliance

SonicWALL SMA 100 Series 9.0, SMA 500v

SMA Clients:

  • NetExtender 9.0.274, Windows 10 64 bit
  • NetExtender 9.0.803, RHEL 7.6
  • SonicWall Mobile Connect 5.0.4, iOS 10.2.1
  • Secure Virtual Assist 9.0.0.8, Windows 10 64 bit

 

Known Issues

NetExtender on Linux - Missing letters in text in authentication prompts

Problem: Letters are missing from some of the words in the RSA SecurID authentication prompts. Because of this, during new PIN mode authentication, the system-generated PIN sometimes might not display properly and authentication might fail.

Workaround: Perform new PIN mode authentication using the web portal, and then use the PIN for normal authentication.

Secure Virtual Assist - Setting 8 digit PIN in New PIN mode fails

Problem: With Secure Virtual Assist, if the PIN length is set to 8 digits during new PIN mode authentication, subsequent authentications fail.

Workaround: Perform new PIN mode authentication using the web portal, and then use the PIN for normal authentication.

 

 

 

 
