Cisco ISE - RSA SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Dec 3, 2018
Version 1Show Document
  • View in full screen mode

Cisco Systems Inc.

Identity Services Engine 2.4

 

Peter Waranowski, RSA Partner Engineering

Last Modified: December 3rd, 2018

 

Solution Summary

This section shows all of the ways that Cisco ISE can integrate with RSA SecurID Access. Use this information to determine which use case and integration type your deployment will employ.

Use Cases

Policy Sets - When integrated, users must authenticate with RSA SecurID Access in order gain the access defined in the policy set. Policy Sets can be integrated with RSA SecurID Access using RADIUS or Authentication Agent .

Guest Access Portal - When integrated, users must authenticate with RSA SecurID Access in order to login to the Guest Access Portal. Guest Access Portal can be integrated with RSA SecurID Access using RADIUS, SAML SSO Agent, Relying Party, and Authentication Agent .

My Device Portal - When integrated, users must authenticate with RSA SecurID Access in order to login to the My Device Portal. My Device Portal can be integrated with RSA SecurID Access using SAML SSO Agent or Relying Party.

Admin Access - When integrated, users must authenticate with RSA SecurID Access in order to login to Cisco ISE administrative interface. Admin Access can be integrated with RSA SecurID Access using RADIUS or Authentication Agent .

 

Integration Types

RADIUS integrations provide a text driven interface for RSA SecurID Access within the partner application. RADIUS provides support for most RSA SecurID Access authentication methods and flows.

SSO Agent integrations use SAML 2.0 or HFED technologies to direct users’ web browsers to RSA SecurID Access for authentication. SSO Agents also provide Single Sign-On using the RSA Application Portal.

Relying Party integrations use SAML 2.0 to direct users’ web browsers to RSA SecurID Access for authentication. Primary authentication is configurable, so Relying Party can be a good choice for adding additional authentication (only) to existing deployments.

Authentication Agent integrations use an embedded RSA agent to provide RSA SecurID and Authenticate Tokencode authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.

Supported Features

This section shows all of the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA SecurID Access with CiscoISE using each integration type.

 

Cisco ISE integration with RSA Cloud Authentication Service

                                                                         
Authentication Methods

Authentication API

RADIUS

Relying Party

SSO Agent

RSA SecurID-
LDAP Password-
Authenticate Approve-
Authenticate Tokencode-
Device Biometrics-
SMS Tokencode-
Voice Tokencode-
FIDO Tokenn/an/a

 

Cisco ISE integration with RSA Authentication Manager

                                 
Authentication Methods

Authentiaction API

RADIUSAuthentication Agent
RSA SecurID-
On Demand Authentication-
Risk-Based Authenticationn/a--

 

                 
Supported
- Not supported
n/tNot yet tested or documented, but may be possible.

Configuration Summary

This section contains links to the sections that contain instruction steps that show how to integrate Cisco ISE with RSA SecurID Access using all of the integration types and also how to apply them to each supported use case. First configure the integration type (e.g. RADIUS) then configure the use case (e.g. Policy Sets).

This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA SecurID Access and Cisco ISE components must be installed and working prior to the integration.

Integration Configuration

Authentication Agent

RADIUS with AM

RADIUS with CAS

Relying Party

SSO Agent

Use Case Configuration

Policy Sets

Guest Access Portal

My Device Portal

Admin Access

 

Certification Details

Date of testing: September 19, 2018

RSA Cloud Authentication Service

RSA Authentication Manager 8.2 SP1, Virtual Appliance

Cisco ISE 2.4.0.357

 

Known Issues

RSA SecurID External Identity Source – Fail after new PIN

When using RSA SecurID external identity type and force authentication after new PIN function is selected, authentications in new PIN mode indicate failed authentication. The new PIN is actually set, and the user should initiate another authentication using the new PIN.

My Devices Portal – RSA SecurID and RADIUS External Identity Source

My Devices Portal does not support multi-step authentications required by RSA SecurID and RADIUS external identity sources. If a user authenticates in new PIN or next tokencode mode they will fail authentication and not know why. Cisco is tracking this as an enhancement with bug id: CSCvd90254.

 

Attachments

    Outcomes