This section contains instructions on how to integrate Cisco ASA with RSA Authentication Manager using Risk Based Authentication.
Architecture Diagram
RSA Authentication Manager
To configure your RSA Authentication Manager for risk-based authentication with Cisco ASA, you must create an agent host record and enable it for risk-based authentication in the RSA Authentication Manager Security Console. You will need to download the sdconf.rec and the risk-based authentication integration script for the appropriate device type to configure the agent. RSA Authentication Manager can integrate risk-based authentication with UDP-based or RADIUS agents only.
The latest risk-based authentication script template is at the following link.
Download this file and copy it to the following directory on your primary RSA Authentication Manager server.
/opt/rsa/am/utils/rba-agents
Refer to RSA Authentication Manager Administrator's Guide for more information on RBA integration scripts.
Cisco ASA
Follow the steps in this section to integrate Cisco ASA with RSA SecurID Access using risk-based authentication.
Before you begin
Complete the RADIUS or Authentication Agent configuration and apply it to the Clientless SSL VPN Portal use case.
Procedure
1. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Web Contents and click Import.
2. Browse to the am_integration.js integration script, select No so that authentication is not required to access the content (the logon page loads this script before the user has authenticated), and click Import Now.
3. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization and click Add.
4. Enter a Customization Object Name, mark the Use checkbox for your Connection Profile and then open the Logon Page > Informational Panel page.
5. Mark the checkbox to Display informational panel, copy the following text into the Text: field and click OK.
<script src='/+CSCOU+/am_integration.js' type="text/javascript"></script> <script>window.onload=redirectToIdP;</script>
6. Click Apply.
Important: Depending on which versions of AM and ASA you are integrating, you may get the error “Wrong URL” after RBA logon. See the Known Issues section of this guide for more information and a work-around.