Risk-Based Authentication Configuration - Cisco ASA RSA Ready SecurID Access Implementation Guide
Originally Published: 2018-11-13

This section contains instructions on how to integrate Cisco ASA with RSA Authentication Manager using Risk Based Authentication.

Architecture Diagram

[Figure: architecture diagram for the risk-based authentication integration]

RSA Authentication Manager

To configure your RSA Authentication Manager for risk-based authentication with Cisco ASA, you must create an agent host record and enable it for risk-based authentication in the RSA Authentication Manager Security Console. You will need to download the sdconf.rec and the risk-based authentication integration script for the appropriate device type to configure the agent. RSA Authentication Manager can integrate risk-based authentication with UDP-based or RADIUS agents only.

The latest risk-based authentication script template is at the following link.

https://sftp.rsa.com/human.aspx?Username=partner&password=RSAS3cur3d!&arg01=881739309&arg12=downloaddirect&transaction=signon&quiet=true

Download this file and copy it to the following directory in your primary RSA Authentication Manager server.

/opt/rsa/am/utils/rba-agents

Refer to the RSA Authentication Manager Administrator's Guide for more information on RBA integration scripts.

Cisco ASA

Follow the steps in this section to integrate Cisco ASA with RSA SecurID Access using risk-based authentication.

Before you begin

Complete the RADIUS or Authentication Agent configuration and apply it to the Clientless SSL VPN Portal use case.

Procedure

1. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Web Contents and click Import.

2. Browse to the am_integration.js integration script, select No so that authentication is not required for access to the content, and click Import Now.

3. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization and click Add.

4. Enter a Customization Object Name, mark the Use checkbox for your Connection Profile and then open the Logon Page > Informational Panel page.

5. Mark the checkbox to Display informational panel, copy the following text into the Text: field and click OK.

<script src='/+CSCOU+/am_integration.js' type="text/javascript"></script> <script>window.onload=redirectToIdP;</script>

6. Click Apply.
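
To confirm the result of steps 1 to 6, the following added example (not part of the RSA guide or of Cisco's tooling) checks the saved HTML of the logon page for the script include and the onload hook from step 5, and that the include comes first. The names ScriptCollector, check_logon_page and SAMPLE_PANEL are hypothetical, and the sample page text is constructed from the step 5 snippet.

```python
from html.parser import HTMLParser

EXPECTED_SRC = "/+CSCOU+/am_integration.js"    # include path from step 5
EXPECTED_HOOK = "window.onload=redirectToIdP"  # inline hook from step 5
# Constructed sample: the step 5 panel text as it would appear in the page.
SAMPLE_PANEL = ("<script src='/+CSCOU+/am_integration.js' "
                "type=\"text/javascript\"></script> "
                "<script>window.onload=redirectToIdP;</script>")


class ScriptCollector(HTMLParser):
    """Collect [src, inline_text] for each <script>, in document order."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def check_logon_page(html):
    """Return a list of problems; an empty list means the hook is in place."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    srcs = [src for src, _ in collector.scripts]
    # Ignore whitespace so "window.onload = redirectToIdP" also matches.
    hooks = [i for i, (_, body) in enumerate(collector.scripts)
             if EXPECTED_HOOK in "".join(body.split())]
    problems = []
    if EXPECTED_SRC not in srcs:
        problems.append("integration script not referenced at " + EXPECTED_SRC)
    if not hooks:
        problems.append("onload hook missing: " + EXPECTED_HOOK)
    elif EXPECTED_SRC in srcs and hooks[0] < srcs.index(EXPECTED_SRC):
        # The hook names redirectToIdP, so the include has to load first.
        problems.append("onload hook appears before the script include")
    return problems
```

Calling check_logon_page on the logon page source saved from a browser returns an empty list when the customization from step 5 is active on the connection profile.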

Important: Depending on which versions of AM and ASA you are integrating, you may get the error “Wrong URL” after RBA logon. See the Known Issues section of this guide for more information and a workaround.
