RSA Authentication Agents

Document created by RSA Information Design and Development on Jun 13, 2017Last modified by RSA Information Design and Development on Feb 12, 2018
Version 3Show Document
  • View in full screen mode

Authentication agents are software applications that securely pass user authentication requests to and from RSA Authentication Manager. Authentication agents are installed on each machine, such as a domain server, web server, or a personal computer, that you protect with Authentication Manager.

For example, agent software residing on a web server intercepts all user requests for access to protected web pages. When a user attempts to access a protected URL, the agent requests the User ID and passcode and passes the User ID and passcode to the Authentication Manager for authentication. If the authentication is successful, the user is granted access to protected web pages.

Different types of authentication agents protect different types of resources. For example, to protect an Apache Web server, you need the current version of RSA Authentication Agent for Web for Apache.

Note:  Risk-based authentication (RBA) only works with web-based authentication agents.

Some authentication agents include support for the REST protocol. The following table compares the authentication agents that use the REST protocol to other authentication agents.


REST Protocol Authentication Agents

Other Authentication Agents

To use the authentication agent, you must have configured the REST service in Authentication Manager. You can then add the authentication agent. For instructions, see Configure the RSA SecurID Authentication API for Authentication Agents.To deploy an authentication agent that uses the UDP protocol, you must generate the RSA Authentication Manager configuration file , sdconf.rec, and copy it to each machine on which the agent is installed. You must also add an agent record for each installed agent. For more information, see Deploying an Authentication Agent.

One authentication agent record in Authentication Manager can represent more than one installed agent.

For example, you can install and configure the RSA Authentication Agent 8.0 for PAM on hundreds of servers, and then add the PAM agent one time in Authentication Manager. In this example, you can edit one authentication agent record to configure multiple installed agents.

Each installed agent has an authentication agent record in Authentication Manager. If you install one hundred agents, then you need to add one hundred authentication agent records.

A logical name can be used to identify authentication agent records, and a fully qualified hostname or IP address is not required.

More than one installed agent can share the same logical name, and each agent might have a different hostname and IP address.

More than one agent can be installed on the same machine with a shared hostname and IP address, but these agents can either share the same logical name or use different logical names.

In Authentication Manager, the authentication agents are identified with their hostname and IP address. Two agents are installed on the same machine would share the same authentication agent record in Authentication Manager.
Authentication Manager agent reporting can provide additional details, such as information about the machine on which each authentication agent is installed, how many installed agents exist for each authentication agent record, and a unique identifier for each installed agent.Authentication Manager can report some details on the agent.
A unique identifier is provided for each installed agent. An agent might have one record in Authentication Manager, but the agent can be installed on multiple machines with a unique identifier for each installation.

If only one authentication agent is installed on a machine, then the hostname or IP address identifies the agent.

Instead of a node secret, Transport Layer Security (TLS) is used to protect the channel. The authentication agent must be configured with the internal, trusted CA certificate of the deployment.

Node secrets are required for agents that use the UDP protocol.

The node secret is a shared secret known only to the authentication agent and Authentication Manager. Authentication agents use the node secret to encrypt authentication requests that they send to Authentication Manager. Authentication Manager automatically creates and sends the node secret to the agent in response to the first successful authentication on the agent.

Obtaining RSA Authentication Agents

RSA authentication agent software is available on the RSA website at and on RSA Link at

You may also purchase products that contain embedded RSA authentication agent software. The software is embedded in a number of products, such as remote access servers, firewalls, and web servers. For more information, go to the RSA Ready Partner website at

On the RSA Ready Partner website, locate the RSA Implementation Guide for Authentication Managerfor your agent. Save it to your desktop or a local drive that you can access during the integration process.

Note:  Only certified partner solutions have an implementation guide. For other agents that are certified as RSA SecurID Ready, you can create a custom implementation.