Connection without using RSA token
We are using RSA Solution for 2FA authentication. Now we want to configure 4 or 5 users to be authenticated with Active Directory without using RSA Token. Kindly guide if anyone knows about this?
Accepted Solutions
Whatever device they are logging into will need to be able to authenticate to Active Directory by itself. RSA Authentication Manager server does not handle AD passwords...only userid+passcode. Any further authentication such as an AD password is up to the device they are logging into, not the Auth Manager server.
To add to what Ed said, if you are using an Authentication Manager agent, such as for PAM or Windows, the SecurID-speak term you want to understand is 'challenged'. A Challenged User must provide a Passcode, but an Un-Challenged user can authenticate with a Password.
Challenge has 4 settings:
1. Challenge Everyone, All Users
2. Challenge Everyone in a group
3. Challenge Everyone Not in a group
4. Challenge No One
Groups can be nested, and you can start with either a local group or an AD group, or even a local group that points to a Domain group, but there are some limits. There is also a cache setting for Windows laptops that may work offline, e.g. not on the Corp LAN with access to the AM servers, like at home or in a hotel room. With cached challenge settings there is also a programmatic default if the group lookup fails; the default is to challenge the person trying to log on, but you could select not to challenge if you are more worried about access than security, or for whatever reason.
VPNs such as Cisco, Citrix, SonicWall, etc. should have their own way of configuring who to challenge, and allowing some users who are not challenged in SecurID terms to authenticate against AD, or LDAP, or whatever.
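Added example (not part of the original thread, and not RSA agent code): a small Python model of the four challenge settings described above, including nested group expansion and the lookup-failure default, to audit which users would be allowed in with a password only. The group names, user names and function names are all hypothetical.

```python
# Conceptual model of the challenge decision; not RSA agent code.
# All names, groups and users below are hypothetical / constructed.
from enum import Enum

class Mode(Enum):
    ALL = 1            # 1. Challenge everyone
    IN_GROUP = 2       # 2. Challenge everyone in a group
    NOT_IN_GROUP = 3   # 3. Challenge everyone not in a group
    NONE = 4           # 4. Challenge no one

def effective_members(group, members_of, _seen=None):
    """Expand nested groups into a flat set of users (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in members_of.get(group, ()):
        if member in members_of:              # member is itself a group
            users |= effective_members(member, members_of, seen)
        else:
            users.add(member)
    return users

def is_challenged(user, mode, group, members_of,
                  lookup_ok=True, challenge_on_failure=True):
    """True if the user must supply a passcode, False if a password suffices."""
    if mode is Mode.ALL:
        return True
    if mode is Mode.NONE:
        return False
    if not lookup_ok:
        # Group lookup failed: fall back to the configured default.
        return challenge_on_failure
    in_group = user in effective_members(group, members_of)
    return in_group if mode is Mode.IN_GROUP else not in_group

# Constructed sample directory: one exemption group with a nested local group.
DIRECTORY = {
    "NoToken-Exempt": ["Helpdesk-Local", "alice"],
    "Helpdesk-Local": ["bob", "carol"],
}
ALL_USERS = ["alice", "bob", "carol", "dave", "erin"]

def unchallenged(mode, group, **kw):
    """Audit helper: users who would authenticate with a password only."""
    return sorted(u for u in ALL_USERS
                  if not is_challenged(u, mode, group, DIRECTORY, **kw))
```

Running `unchallenged` with `lookup_ok=False` under both values of `challenge_on_failure` shows how far the password-only set widens when the failure default is switched to not challenging.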
Basically they don't want to waste RSA token codes on their employees; that's why they are thinking that they can use them for their customers. Is it possible to configure such a scenario where employees authenticate with AD credentials without using an RSA token and the customers can use their release token codes to authenticate themselves?
