This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Community Blog

Subscribe to the official SecurID Community blog for information about new product features, industry insights, best practices and more.

Recent RADIUS specific improvements in RSA SecurID® Access

SudarsanKannan
Employee
Employee
2 1 1,282
‎2018-12-06 07:51 PM

During 2018, RSA has made several improvements to better support your ability to protect RADIUS-based resources using RSA SecurID® Access Cloud Authentication Service capabilities.  In this way, RSA SecurID® Access becomes even more pervasive, supporting access across a variety of traditional and cloud use cases.

 

For RADIUS-based applications we delivered the following improvements to customers through our cloud offering:

  • Expanded the choice of authenticators (e.g., SMS, Voice support) to provide more flexibility
  • Helped customers meet the latest PCI 3.2 guidance by supporting multi-method mode for supported VPN clients
  • Enabled Auto-push for mobile MFA to reduce end-user friction during authentication
  • Improved end-user experience for application-specific clientless SSL VPN (e.g., VPN for OWA) when users access VPN through browsers
  • Provided MFA only option to achieve passwordless behavior where primary trust is established through certificates or SSH keys between end-user devices and RADIUS clients

Looking ahead into 2019...you may want to use Active Directory (AD) user attributes in making granular authentication decisions for your RADIUS-based applications, all controlled by RSA SecurID®  Access policies.  We will continue to improve your ability to protect RADIUS based applications and make it more powerful through granular controls and policies.

 

Below is a deep dive into RADIUS specific features that were delivered in 2018.

 

Auto-Push for RADIUS logins 

Auto-push for RADIUS, when configured for a user, can send a push notification on a registered phone, after the user enters User ID and password. The extra step (Fig 1.) of selecting an authentication method at each RADIUS-based login is not required.  (Note:  this Auto-Push capability is available ONLY if passwords are used for primary authentication).  

How and where to configure Auto-Push: Add a RADIUS Client for the Cloud Authentication Service 

RADIUS for the Cloud Authentication Service Overview  

Users always have the flexibility to choose other authentication options if their mobile device is not handy during the time of authentication (e.g., lost, left at home, the RSA Authenticate app not registered).

 

pastedImage_1.png

Fig.1 Auto-push for RADIUS (a sample screenshot using Cisco ASA AnyConnect desktop client)

 

Password-less / step-up only RADIUS

If the RADIUS client (e.g., a VPN, a privileged access management solution) is configured to perform primary (e.g., a password) authentication, RSA SecurID Access no longer prompts for the user to enter their password a second (redundant) time thereby improving end-user experience.

 

If certificates or SSH keys are used to establish trust in lieu of passwords (as primary authentication), the step-up only RADIUS becomes more beneficial as the user is only challenged once (for step-up) for proving the user’s identity.  This feature enables customers to have a password-less MFA experience for RADIUS based logins. A classic example could be your Privileged Account Management (PAM) systems where primary trust is established through SSH keys for your admins and RSA SecurID® Access used as secondary authentication.

 

The step-up only feature helps customers comply with the latest PCI DSS 3.2 guidance. Under this configuration (multi-method mode), RSA SecurID®  Access prompts for password and MFA in a single screen and doesn’t act on a second authentication factor sequentially, based on the outcome of the primary authentication. This approach to verification is consistent with the latest Payment Card Industry Data Security Standard (PCI DSS) guidelines. Any VPN application (e.g., Cisco, Palo Alto) that supports the multi-method mode could start using this feature to help be PCI DSS 3.2 compliant. 

For more information on these capabilities, refer to:  https://community.rsa.com/docs/DOC-75832#RADIUS5 

pastedImage_1.png

Fig.2 Sample RADIUS Multi-method mode & passwordless end-user screens

Improving end-user experience for Cisco Clientless SSL VPN (RADIUS)

This feature enhances the user experience for application-specific VPN access - when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end-users with an improved user experience for Cisco’s clientless SSL-based VPN portals. Administrators can download the new web toolkit from RSA SID Access Cloud authentication console and deploy the toolkit in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application specific VPN access, create captive portals on a wireless network for secure access. Most customers prefer RADIUS based integration for these type of integrations due to inherent flexibility and power of configuring security policies but at the expense of reduced user experience. With our new web toolkit, customers can continue to use RADIUS based integration all while providing a great user experience for their end users. You can provide better user experience whether a user is trying to access OWA (as an example) or a business partner trying to gain access to a wireless network.

You can also continue to use the Auto-Push notification and provide a passwordless experience to RADIUS-based applications using this new web toolkit and elevate your end-users experience.

 

pastedImage_5.png

Fig 3. Cisco ASA Clientless SSL VPN step-up authentication end-user experience

Adding Flexibility: SMS and Voice authentication comes to RADIUS

Although hardware tokens (and then software tokens) are the classic protection for RADIUS-based resources, RSA now supports a wide variety of additional modern mobile authentication methods. Mobile Push has been available for some time, as has a mobile application (RSA’s Authenticate app) OTP.  The RSA SecurID® Access Cloud Authentication Service added SMS and Voice authentication options for RADIUS in early 2018, so now even users without a token and without the Authenticate app on their mobiles can authenticate to RADIUS based resources via SMS (or voice) delivered OTP. This can be much more convenient for infrequent and external users.

pastedImage_9.png

Fig 4.  SMS used for RADIUS authentication

For more information on these capabilities and others, please see the product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access and even more convenient and secure solution for your authentication needs

1 Comment
© 2023 RSA Security LLC or its affiliates. All rights reserved.