000013625 - How to deploy LAC for remote users over SSL VPN?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000013625
Applies To: RSA Authentication Agent for Windows 6.1.2
Windows XP Professional
Citrix Access Gateway
Issue: How to deploy LAC for remote users over SSL VPN?
Installing LAC over SSL VPN fails the authentication test with "Node Verification Failed".
The SSL VPN (Citrix Access Gateway) is configured as an agent host and authenticates users using SecurID.
Offline day files can be downloaded even though there is a mismatch between the agent host record entry and the IP of the remote LAC (over SSL VPN).
Resolution: In this scenario, the customer needs remote users to have a laptop which has LAC with offline authentication enabled, so that they can log in to the laptop and, once logged in, open an SSL VPN connection to their company. The laptop is initially set up by an administrator while on the company's corporate LAN and then sent to the remote user, who will authenticate offline using his SecurID token and establish the SSL VPN connection.

The problems in this scenario are:
  1. The node secret must be established on the laptop in order to have offline day files.
  2. Offline day files must already exist for the remote user to be able to log in once he receives his laptop.
  3. A direct test authentication using LAC while over the SSL VPN will always fail with "Node Verification Failed", because the message will arrive from the IP of the SSL VPN device rather than from the laptop's own agent host record.
  4. The customer did not want to set up a secondary node on the SSL VPN device's agent host record for every laptop distributed.

The only workaround for this specific scenario is:
  1. Install LAC on the laptop while it is connected to the corporate LAN.
  2. The PIN of the token used by the remote user is cleared by the admin.
  3. The admin logs on to the laptop using his own username, calls the remote user, and performs a test authentication by providing the user's login name and the tokencode read over the phone.
  4. The test authentication prompts for a new PIN; 1234 is used.
  5. The test authentication succeeds and the offline day files are downloaded.
  6. The PIN of the token used by the remote user is cleared by the admin.
  7. The remote user is informed that his PIN has been cleared.
  8. The remote user accesses any SecurID-protected web page on the LAN (while already connected to the SSL VPN) to reset his PIN.
  9. The laptop is sent to the user.
  10. The user logs in using 1234 + tokencode.
  11. The user establishes the SSL VPN connection and recharges the offline day files so that the ODF will have the proper PIN set up.
  12. The user logs off and can log back in offline using his own PIN + tokencode.
Legacy Article ID: a41713