SecurID® Discussions
MarioGarcia
Beginner

2FA With the RADIUS Server

Hi.

I'm trying to configure a RADIUS profile to use 2FA and I don't know if it is possible.

My idea was that a RADIUS client sends an Access-Request challenge with the following information:

      --User-Name: LDAP user

      --User-Password: OTP

If this is correct, the server shall send to the client an Access-Challenge requesting the user's LDAP password.

Then the client will send an Access-Request with this information.

Finally the RADIUS server will send an Access-Accept to the client if this password is correct.

First of all, I don't know if it's possible to configure the LDAP authentication via RADIUS in this server, and second, I also don't know how to configure Access-Challenges in the RADIUS server.

 

Thanks in advance.

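The two-leg exchange sketched in the question, as an added example that is not part of this thread or of any RSA product: a toy Python model of the RADIUS framing from RFC 2865 (User-Password hiding, Response Authenticator, State attribute) in which the server checks the OTP first, answers with an Access-Challenge asking for the LDAP password, and only then sends Access-Accept. The shared secret, the test account and both passwords are constructed placeholders, and both "sides" run in one process; the later replies explain that the RADIUS bundled with Authentication Manager does not implement this flow, so this shows only what a full RADIUS server or a proxy in front of it would have to do.

```python
import hashlib, secrets, struct

SECRET = b"constructed-shared-secret"                          # assumption: the RADIUS shared secret
REQUEST, ACCEPT, REJECT, CHALLENGE = 1, 2, 3, 11                # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # RFC 2865 attribute types
USERS = {b"alice": {"otp": b"246810", "ldap": b"hunter2!"}}    # constructed test account
PENDING = {}  # State token -> user who passed the OTP leg and still owes an LDAP password

def pw_xor(data, auth, decrypt=False, secret=SECRET):
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with MD5(secret + previous block)."""
    data = data.ljust(-(-len(data) // 16) * 16, b"\0")
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (data[i:i + 16] if decrypt else blk)  # chaining uses the ciphertext block
    return out.rstrip(b"\0") if decrypt else out
def packet(code, ident, auth, attrs, resp_secret=None):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)  # TLV attributes
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))                    # code, id, length
    if resp_secret is not None:  # Response Authenticator (s3): 'auth' is the Request Authenticator answered
        auth = hashlib.md5(hdr + auth + body + resp_secret).digest()
    return hdr + auth + body
def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, i = pkt[4:20], {}, 20
    while i < length:
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return code, ident, auth, attrs
def server(pkt):
    """The flow asked for above: check the OTP, send Access-Challenge for the LDAP password, then accept."""
    code, ident, auth, a = parse(pkt)
    user, supplied = a.get(USER_NAME), pw_xor(a[USER_PASSWORD], auth, decrypt=True)
    rec = USERS.get(user)
    if STATE in a and PENDING.pop(a[STATE], None) == user:     # second leg, bound to the first by State
        ok = rec is not None and secrets.compare_digest(supplied, rec["ldap"])
        return packet(ACCEPT if ok else REJECT, ident, auth, [], SECRET)
    if rec and secrets.compare_digest(supplied, rec["otp"]):   # first leg: the OTP rides in User-Password
        PENDING[(token := secrets.token_bytes(8))] = user      # random State ties the next request to this one
        return packet(CHALLENGE, ident, auth, [(STATE, token), (REPLY_MESSAGE, b"LDAP password:")], SECRET)
    return packet(REJECT, ident, auth, [], SECRET)
def client_login(user, otp, ldap_pw):  # NAS side: send the OTP, answer the challenge, return the final code
    auth = secrets.token_bytes(16)
    code, _, _, a = parse(server(packet(REQUEST, 1, auth, [(USER_NAME, user), (USER_PASSWORD, pw_xor(otp, auth))])))
    if code != CHALLENGE:
        return code
    auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, pw_xor(ldap_pw, auth)), (STATE, a[STATE])]
    return parse(server(packet(REQUEST, 2, auth, attrs)))[0]
```

A real deployment would also verify the Response Authenticator on the client side and expire entries in PENDING, which the toy leaves out.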
CharlieSalomon
New Contributor

I had this exact question when configuring a Fortigate firewall for SSL VPN. RSA support said it was not possible for the set-up I had.

We are running RSA Authentication Manager (RSA-AM) 7.1 SP4. Yes, I know. It's end-of-life. I'm the new(ish) guy.

I added the RADIUS service to the RSA-AM server.

The FortiClient (VPN user endpoint) connects to the Fortigate Firewall. They enter their AD Username (RSA-AM connects to AD as an identity source) and RSA Token Code. I got that running successfully.

Adding the RSA Cloud Authentication Service (CAS) and Identity Router (IDR) can add more factors via RADIUS, but I need to upgrade Authentication Manager to 8.X to use it. CAS and IDR are no-cost add-ons if your support is current.

I am currently researching the upgrade process and CAS/IDR integrations.

On another note, RSA states that the combination PIN (something you know) and token code (something you have) satisfies the two-factor requirement. My Security Director is skeptical, but I think I can convince him.

_EricaChalfin
Employee (Retired)

Mario Garcia and Charlie Salomon,

I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.

Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.

Regards,

Erica


We are using RADIUS for authentication against the RSA SecurID server, and sssd for identity against LDAP. So the login ID has to be the same on both the RADIUS server and the LDAP server. So your account has to not only have valid 2FA authn, but also has to have a valid LDAP DN to be able to log in.

MarioGarcia
Beginner

Hi.

Yeah, I suppose that you have to use the same nameID for both systems, but about your answer, I suppose that the sssd daemon does authenticate users against a directory service (for instance an LDAP) and a RADIUS server. My idea is to only use the RADIUS server to configure this two-factor authentication, due to the fact that the RADIUS protocol supports this kind of 2FA challenge.

Best.

MarkBell
Contributor

RSA RADIUS is configured to listen on ports 1654/udp and 1812/udp for a user ID and user password (passcode) provided in the "Access-Request" that is sent from a RADIUS client. Please refer to the online reference called 'RSA RADIUS Authentication Process' for further information.

Online references with regard to RSA RADIUS & RADIUS with the Cloud Authentication Service:

Should you wish to discuss RSA RADIUS or RADIUS with the Cloud Authentication Service with an RSA technical support engineer then please open a support case with RSA Customer Support using the contact information provided at URL https://community.rsa.com/docs/DOC-1294.

Can the RADIUS server be configured to accept the user's LDAP password instead of the OTP passcode? We already use AD as the identity source.


We use RADIUS for authentication and LDAP for ID mapping. So pam.d/sshd auth points to pam_radius and account points to pam_sss.

JAMESSAVORY
New Contributor

Thanks, but I still need an answer to my question. I have 100s of special devices that support RADIUS and using OTP is not practical. I want to know if it is possible to leverage the RSA RADIUS server using the user's AD credentials when they authenticate to RADIUS clients.


Short answer: No. The version of RADIUS implemented within SecurID is not a full version; it accepts (as Mark pointed out) Authentication Requests on UDP 1812 or 1645 and passes them to Authentication Manager, so the expectation is that the UserID is resolvable by AM (it could be in the AM internal database or an external LDAP Identity Source) and the data in the password field is a Passcode. You need something else to do what you are talking about, like a Cisco ASA that can configure authentications to combine LDAP passwords with RADIUS passwords or with SDI passcodes.