RSA Authentication Agents

Authentication agents are software applications that securely pass user authentication requests to and from RSA Authentication Manager. Authentication agents are installed on each machine, such as a domain server, web server, or a personal computer, that you protect with Authentication Manager.

For example, agent software residing on a web server intercepts all user requests for access to protected web pages. When a user attempts to access a protected URL, the agent requests the User ID and passcode and passes the User ID and passcode to the Authentication Manager for authentication. If the authentication is successful, the user is granted access to protected web pages.

Different types of authentication agents protect different types of resources. For example, to protect an Apache Web server, you need the current version of RSA Authentication Agent for Web for Apache.

Note: Risk-based authentication (RBA) only works with web-based authentication agents that use the UDP protocol.

Some authentication agents include support for the REST protocol. The following table compares the authentication agents that use the REST protocol to other authentication agents.

REST Protocol Authentication Agents

Other Authentication Agents

To use the authentication agent, you must have configured the REST service in Authentication Manager. You can then add the authentication agent. For instructions, see Configure the SecurID Authentication API for Authentication Agents. To deploy an authentication agent that uses the UDP protocol, you must generate the RSA Authentication Manager configuration file , sdconf.rec, and copy it to each machine on which the agent is installed. You must also add an agent record for each installed agent. For more information, see Deploying an Authentication Agent that Uses the UDP Protocol.

One authentication agent record in Authentication Manager can represent more than one installed agent.

For example, you can install and configure the RSA Authentication Agent 8.0 for PAM on hundreds of servers, and then add the PAM agent one time in Authentication Manager. In this example, you can edit one authentication agent record to configure multiple installed agents.

Each installed agent has an authentication agent record in Authentication Manager. If you install one hundred agents, then you need to add one hundred authentication agent records.

A logical name can be used to identify authentication agent records, and a fully qualified hostname or IP address is not required.

More than one installed agent can share the same logical name, and each agent might have a different hostname and IP address.

More than one agent can be installed on the same machine with a shared hostname and IP address, but these agents can either share the same logical name or use different logical names.

In Authentication Manager, the authentication agents are identified with their hostname and IP address. Two agents are installed on the same machine would share the same authentication agent record in Authentication Manager.

Authentication Manager agent reporting can provide additional details, such as information about the machine on which each authentication agent is installed, how many installed agents exist for each authentication agent record, and a unique identifier for each installed agent.

Some REST protocol agents require additional configuration steps to send agent details to Authentication Manager.

Authentication Manager can report some details on the agent, such as the security domain, IP address, and the last authentication date and time.

The agent does not provide Authentication Manager with information such as the installed agent count, version number, or platform. Authentication Manager agent reporting displays a 0 for the installed agent count parameter and dashes for the other information.

A unique identifier is provided for each installed agent. An agent might have one record in Authentication Manager, but the agent can be installed on multiple machines with a unique identifier for each installation.

If only one authentication agent is installed on a machine, then the hostname or IP address identifies the agent.

Instead of a node secret, Transport Layer Security (TLS) is used to protect the channel. The authentication agent must be configured with the internal, trusted CA certificate of the deployment.

Node secrets are required for agents that use the UDP protocol.

The node secret is a shared secret known only to the authentication agent and Authentication Manager. Authentication agents use the node secret to encrypt authentication requests that they send to Authentication Manager. Authentication Manager automatically creates and sends the node secret to the agent in response to the first successful authentication on the agent.

You can use a Security Console wizard to directly connect RSA Authentication Manager and the Cloud Authentication Service. After you establish this connection, REST protocol authentication agents allow users to authenticate to the cloud with any form of multifactor authentication that is supported by the Cloud Authentication Service.

After you use a Security Console wizard to directly connect between Authentication Manager and the Cloud Authentication Service, users can authenticate with Approve, Device Biometrics, or Authenticate Tokencode.

Obtaining RSA Authentication Agents

RSA authentication agent software is available on the RSA Documentation & Downloads page on RSA Link.

You may also purchase products that contain embedded RSA authentication agent software. The software is embedded in a number of products, such as remote access servers, firewalls, and web servers. For more information, go to the RSA Ready Partner website at

On the RSA Ready Partner website, locate the RSA Implementation Guide for Authentication Manager for your agent. Save it to your desktop or a local drive that you can access during the integration process.

Note: Only certified partner solutions have an implementation guide. For other agents that are certified as RSA Ready, you can create a custom implementation.