This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
BJBrooks
Beginner
Beginner
‎2017-06-02 01:28 PM

Authentication Methods for Svc Account

We have a service account which will be accessing network devices under RSA SecurID management, RADIUS actually. This account only exists in the RSA appliance, not in AD, LDAP, etc. Is it possible to set that account to only require a password instead of a permanent token/passcode? If not, would it be possible if the user was in the AD?

Labels (1)
Labels
0 Likes
Reply
12 Replies
JayGuillette
Contributor Contributor
Contributor
‎2017-06-02 01:32 PM

Native SecurID protocol has a lot of agents that use the concept of Challenge, a Challenged User needs a Passcode, but an unChallenged user can logon with a Password.  But I do not think I have seen that in RADIUS, usually because if you do not want a PassCode prompt, you do not send the authentication request to Authentication Manager, AM.  A full RADIUS server could lookup users in LDAP for Passwords, and AM for PassCodes, but RSA's RADIUS cannot do that.

 

If the authentication request has to come to AM, the next best or closest thing might be a Fixed Passcode

0 Likes
Reply
BJBrooks
Beginner
Beginner
In response to JayGuillette
‎2017-06-02 01:33 PM

The user creation is not the issue. The issue is allowing the user to authenticate via password instead of PIN or permanent passcode.

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to BJBrooks
‎2017-06-02 01:40 PM

I was editing my first response while you wrote this.

If this were a Windows Server using a Windows agent, you could create a challenge group to challenge some people and not others, but with RADIUS the challenge is not under RSA's control

0 Likes
Reply
BJBrooks
Beginner
Beginner
In response to JayGuillette
‎2017-06-02 01:46 PM

Thanks. We don't want to bypass the challenge itself. The challenge can be met. This account is used in other areas not under RSA control. Those other areas require a password of 14 alpha-numeric characters. We would like to authenticate to RSA/RADIUS using that same 14 character alpha-numeric password instead of a 8 digit numeric PIN or permanent token.

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to JayGuillette
‎2017-06-02 01:52 PM

maybe SecurID Access Identity Router could handle this.  The Via, now SecurID Access hybrid cloud solution, which is merging / melding with Authentication Manager going forward, has the concept of Step-up authentication, and the first step before the 'up' is typically a password.

 

In the same vein Risk Based Authentication, RBA is an AM concept that works with some Web Based SSL VPNs that use RADIUS, e.g. Citrix NetScaler, and redirects a browser to AM, which will accept a simple password if the risk is considered low (same user, same home PC, same IP address, same software fingerprint on the PC) but if the risk is elevated (not using your work PC, or logon from foreign country) prompt for step up - in AM currently this is either answer your security questions or request an OnDemand Token - not a Hardware or Software token.

 

So it could get messy trying to create restricted groups for RBA users like your guy with the Password, and then PassCode for everyone else, if this were the same VPN.  I think that my version 8.3 of Authentication Manager, but maybe later, you could do what you want with the whole range of Authentication options, passwords to Passcodes, with degrees in between

Reply
BJBrooks
Beginner
Beginner
In response to JayGuillette
‎2017-06-02 01:57 PM

Thanks for the info.

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to JayGuillette
‎2017-06-02 02:02 PM

Let me look into a Policy that might allow a 14 digit alphanumeric Fixed PassCode that could match yours.  Maybe the PIN Policy would allow that in Current AM, unless limit is still 8.  If not, then you could open a support case for a Request for Enhancement, RFE, to allow this.  If this happened or worked, the Fixed PassCode and PassWord would not be synchronized, but they could be set to equal each other

0 Likes
Reply
BJBrooks
Beginner
Beginner
In response to JayGuillette
‎2017-06-02 02:09 PM

Unfortunately the limit is 8 but I appreciate it.

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to BJBrooks
‎2017-06-02 02:13 PM

Are you with VZ? I can open you an RFE case for this.  Could be worth the small effort, as this makes a lot of sense

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.