RSA MFA Agent for Windows Offline Authentication
- On-Premise RSA Authentication Manager 8.5 with latest patch (Primary and Replica) and RSA Identity Router (Nov 2020 release) integrated with RSA SecurID Access.
- Windows 10 clients with the RSA Authentication Agent 7.4.x, successfully authenticating to RSA Authentication Manager.
- Primary Authenticator: SecurID 700 (Physical Token)
Migrate Windows 10 clients to RSA MFA agent 2.0.2. Typical on-net desktops will be configured to authenticate to RSA Authentication Manager (AM) leveraging the REST API, pointing the desktop to the on-net [RSA AM Primary IP]:5555 and [RSA AM Replica IP]:5555 along with the API Key from AM. Laptops (road warriors) will be configured to authenticate to RSA SecurID Access, pointing the laptop to the Cloud Authentication Service along with the API Key from SecurID Access.
For the most part, on-net authentication using the MFA agent 2.0.2 appears to be working; however, the behavior of offline authentication appears to be a bit confusing. When logging into a client with the RSA MFA agent 2.0.2, the user is required to provide their Active Directory username and password prior to being challenged for MFA. When the client is disconnected from the network, the user may be presented with an unsuccessful login when providing their Active Directory username and password. This behavior is different from the user experience when using the RSA Authentication Agent 7.4.x, as if the Windows cached credentials are not leveraged. In the event the user is able to successfully provide their Active Directory username and password while disconnected, they are challenged for RSA MFA. However, they are challenged to provide a tokencode from the RSA Authenticator App as opposed to their SecurID passcode.
Is this normal behavior for offline authentication with the RSA MFA Agent 2.0.2 for Windows? We do not intend on leveraging the RSA Authenticator App as a primary authenticator.
The RSA MFA Agent 2.0.2 can operate in AM mode (static logon experience) or in CAS mode (dynamic, policy driven logon experience). The agent must be in AM mode in order to use SecurID tokens offline. Similarly, the agent must be in CAS mode in order to use Authenticate OTP offline.
If you want the road warrior laptop agents in CAS mode and to authenticate offline, then they must use the Authenticate app. If you want to keep the SD700s and have offline capability, then you must configure the agents in AM mode. Keep in mind that when in CAS mode, the agent is online unless it can't reach the SID tenant.
Also, the password/passcode prompt order is configurable, and the Windows password integration (caching) functionality is not yet available in this agent version.
Thank you for the response. When you state "RSA MFA Agent 2.0.2 can operate in AM mode" and "CAS mode", are you referring to the settings/policies related to RSA SecurID Authentication API REST URL and RSA SecurID Authentication API Key, or am I missing another configuration setting somewhere?
Authentication Manager (AM) Mode
- RSA SecurID Authentication API REST URL - https://[RSA AM Primary/Replica IP]:5555
- RSA SecurID Authentication API Key - From Security Console > Setup > System Settings > RSA SecurID Authentication API page
Cloud Authentication Service (CAS) Mode
- RSA SecurID Authentication API REST URL - https://[tenant].auth.securid.com
- RSA SecurID Authentication API Key - Cloud Administration Console > My Account > Company Settings page
The RSA MFA Agent in CAS mode can use the tenant directly (as you have indicated) or it can proxy through AM (using the Authentication Manager API REST URL). If you specify an Authentication Manager API REST URL and a Cloud Authentication Service Access Policy then the agent will be in CAS mode. If you do not specify the Cloud Authentication Service Access Policy then the agent will be in AM mode.
CAS mode direct
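The mode rules in the replies above, turned into a pre-deployment check that would have flagged the laptop plan from the original post. This is an added example and not RSA's code: the setting names follow the thread, but the config dict layout, the sample addresses (192.0.2.0/24 and example.auth.securid.com) and the `intended_primary` labels are constructed for the example.

```python
"""Check a planned RSA MFA Agent 2.0.2 rollout against the mode rules in this thread.
Added example; not RSA code. Config dict layout and sample values are assumptions."""
from urllib.parse import urlparse

AM_PORT = 5555  # REST API port on Authentication Manager, as used in the thread

# Constructed sample plans mirroring the original post (addresses are placeholders).
DESKTOP_CONFIG = {"name": "on-net desktops", "rest_url": "https://192.0.2.10:5555",
                  "cas_access_policy": None}
LAPTOP_CONFIG = {"name": "road warrior laptops",
                 "rest_url": "https://example.auth.securid.com",
                 "cas_access_policy": "Laptops"}


def agent_mode(config: dict) -> str:
    """Return 'AM', 'CAS-proxy' or 'CAS-direct' per the reply above:
    AM REST URL and no CAS Access Policy -> AM mode;
    AM REST URL plus a CAS Access Policy -> CAS mode proxied through AM;
    REST URL pointing at the SecurID tenant -> CAS mode direct."""
    url = urlparse(config["rest_url"])
    host = url.hostname or ""
    if host.endswith(".auth.securid.com"):
        return "CAS-direct"
    if url.port == AM_PORT:
        return "CAS-proxy" if config.get("cas_access_policy") else "AM"
    raise ValueError(f"unrecognised REST URL: {config['rest_url']}")


def offline_authenticator(mode: str) -> str:
    """Credential that works when the client cannot reach AM or the tenant."""
    return "SecurID token" if mode == "AM" else "Authenticate app OTP"


def check_deployment(config: dict, intended_primary: str) -> list:
    """Return findings; an empty list means offline logon matches the intended authenticator."""
    mode = agent_mode(config)
    offline = offline_authenticator(mode)
    if intended_primary == offline:
        return []
    return [f"{config['name']}: agent is in {mode} mode, so offline logon uses "
            f"{offline}, not {intended_primary}"]


if __name__ == "__main__":
    for plan in (DESKTOP_CONFIG, LAPTOP_CONFIG):
        print(agent_mode(plan), check_deployment(plan, "SecurID token"))
```

Running it reports no findings for the desktops and one finding for the laptops, which is exactly the SD700-versus-Authenticate mismatch the thread describes.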