This section describes how to integrate Microsoft NPS with RSA Cloud Authentication Service using RADIUS.
Configure RSA Cloud Authentication Service
To configure RADIUS for Cloud Authentication Service for use with a RADIUS client, you must first configure a RADIUS client in the RSA SecurID Access Console.
Sign into the RSA Cloud Administrative Console and browse to Authentication Clients > RADIUS > Add RADIUS Client and enter the Name, IP Address and Shared Secret.
Configure Microsoft NPS
Perform these steps to configure Microsoft NPS as a RADIUS client to RSA Cloud Authentication Service and to configure Connection Request Policy in NPS.
1. In Server Manager, click Tools, and then click Network Policy Server to open the NPS console.
2. In the left-hand pane, expand the RADIUS Clients and Servers folder, right-click Remote RADIUS Server Groups and click New.
4. In the Add RADIUS Server dialog box, enter IP address or FQDN of your RSA Identity Router and click Verify if FQDN is used.
5. Click the Authentication/Accounting tab. For Shared secret and Confirm shared secret, enter the same shared secret used for adding RADIUS client in the RSA Cloud Administration Console.
6. Click Load Balancing tab, in Advanced Settings change the configuration values as mentioned below and Click OK.
- Number of seconds without response before request is considered dropped: Set to 60 seconds
- Maximum Number of dropped requests before server is identified as unavailable: Set to 3
- Number of seconds between requests when server is identified as unavailable: Set to 60 Seconds
Note: The default value of 3 seconds for Number of seconds without response before request is considered dropped might be insufficient and users might experience authentication failures with MFA. The Windows Security Event log records the authentication failure with Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond and Reason Code: 117. Increase the timeout value to 45-60 seconds to resolve this issue.
The connection timeout value configured in your RADIUS client software balances the amount of time users have to respond to push methods against failover performance. The recommended starting value is 45 seconds. Increase the value to give users more time to authenticate or decrease the value to improve failover. Failover occurs when the client determines the server is down and sends a request to another server. Also consider if retries are configured for the RADIUS clients. For example, if the client allows three retries, the effective timeout is really 2 minutes and 15 seconds
In the RADIUS client settings configured in the Cloud Administration Console (Authentication Clients > RADIUS), if Automatically prompt for push notification methods is enabled, make sure the server timeout (Allow users to select authentication method after timeout) does not exceed the client’s connection timeout.
7. (Optional) Repeat steps 3 to 6 to add replica RSA identity routers as RADIUS servers and click OK.
8. In the left-hand pane, expand Policies, right-click Connection Request Policy, click New.
9. Enter a name for Policy name and select access server type of your deployment from Type of network access server drop-down list. Click Next.
10. Click Add to specify a new condition to the policy.
11. Select User Name for the condition. Click Add…
12. Depending on the format of your user login names, enter the common element of the User Name (For example, a pattern that matches email domain. The entry @pe.rsa.net matches all email addresses from the @pe.rsa.net domain). Click OK.
13. Click Next.
14. Select Forward requests to the following remote RADIUS server group for authentication radio button and select RADIUS Server group added in step 3 from the drop-down list. Click Next.
15. Select User-Name from the Attribute drop-down list and click Add.
16. For the Attribute Manipulation rule enter the common element of the User-Name in the Find: box and leave Replace with: blank. Click OK and then click Next.
Note: This configuration will prevent the common element of the user name being passed to the RSA RADIUS server. For example, during authentication, the end user enters "email@example.com" but only "username" will be passed to the RSA RADIUS Server.
17. Click Finish.
Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the RADIUS configuration to your use case.