SecurID® Discussions
RobertCzukkerma
Beginner

Bomgar Integration


Is there a guide for integrating RSA SecurID with Bomgar? Or has anyone had experience with this?

I am attempting to set up our Bomgar device - it is acting like it can communicate with the RSA host, but it says it can't find any users:

Tue, Feb 14, 2017 9:16 AM EST | 416 | Unknown response code [0] for 'admin'.
Tue, Feb 14, 2017 3:15 AM EST | 0 | Finished syncing users.
Tue, Feb 14, 2017 3:15 AM EST | 0 | Synced 0 relationships.
Tue, Feb 14, 2017 3:15 AM EST | 60 | No users were synced. Verify the user search base DN, browse query, and object classes in the user schema settings.
Tue, Feb 14, 2017 3:15 AM EST | 0 | Inserted 0 users. Updated 0 users.
Tue, Feb 14, 2017 3:15 AM EST | 0 | Starting user sync.

The error 416 is the first time that it shows in the log.

My Bomgar appliance is behind a firewall; we are allowing port 1812 UDP.


Accepted Solutions
EdwardDavis
Employee

Anything accessing the RSA server on port 1812 UDP is only doing a single user RADIUS authentication... there is no listing of users, 'syncing', or anything else that occurs on port 1812 UDP. Refer to the article mentioned by Erica; it has detailed troubleshooting steps if RADIUS user authentication is not working. Your picture of log messages about 'syncing users'... that sort of functionality would be solely within the Bomgar device and its own configuration... not the RSA server... as an RSA server cannot provide any sort of 'list of users' (unless you were using RSA admin APIs, and that would be on a TCP port).

I have worked on a case with another customer and Bomgar, and the type and setup of Bomgar they wanted required some sort of LDAP lookup from Bomgar through the device doing the 2-factor auth (the RSA server). Went back and forth with Bomgar support and the customer, and indicated the RSA server only uses LDAP to confirm the userid for an incoming authentication; we will not do any sort of lookups to LDAP and provide outgoing data about LDAP. So be sure that you know the RSA server will only confirm if a user and passcode are valid... that an incoming userid is valid and not locked out, and that whatever was in the password field is a passcode (PIN+token), and we send back Access-Accept or Access-Reject (and we could append RADIUS return attributes for that userid if needed). We are not able to function as any LDAP or user sync or user lookup mechanism for Bomgar.

On the Bomgar site, there is this note about doing SecurID RADIUS auths.

https://www.bomgar.com/docs/remote-support/documents/radius-authentication.pdf

RADIUS Server for Authentication

To define group policies based upon groups within a remote server, you must configure both the LDAP group provider and the RADIUS user provider. You then must enable group lookup from the user provider's configuration page. One group security provider can be used to authorize users from multiple servers, including LDAP, RADIUS, and Kerberos.

LDAP Group Lookup

If you want users on this security provider to be associated with their groups on a separate LDAP server, choose one or more LDAP group servers to use for group lookup.

Default Group Policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticat

This would mean you configure something entirely separate from the RSA server as your LDAP group provider, and then configure RSA server as the security provider. RSA server cannot do both roles.

LDAP Server for User Authentication and Group Lookup 

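The per-user exchange the accepted answer describes, as an added example that is not part of the original post and is not RSA or Bomgar code: a minimal RFC 2865 client/server pair showing that a RADIUS authentication on UDP 1812 carries one user name and one hidden passcode, and that the reply is a single verdict plus optional return attributes. All function names are hypothetical, and the server side is built locally so the block runs offline.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes relevant to authentication; none of them lists or syncs users.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(passcode: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = passcode.ljust(max(16, -(-len(passcode) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, user: str, passcode: str, secret: bytes) -> bytes:
    """Client side: one User-Name (type 1) and one hidden User-Password (type 2)."""
    request_auth = os.urandom(16)
    attrs = attr(1, user.encode()) + attr(2, hide_password(passcode.encode(), secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side, constructed here so the example runs offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def parse_response(packet: bytes, request: bytes, secret: bytes):
    """Return (code name, authenticator verified, [(type, value), ...])."""
    if len(packet) < 20 or not 20 <= struct.unpack("!H", packet[2:4])[0] <= len(packet):
        raise ValueError("bad RADIUS length")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:length]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request[4:20] + body + secret).digest()
    verified = ident == request[1] and hmac.compare_digest(expected, packet[4:20])
    attrs, pos = [], 0
    while pos + 2 <= len(body):
        size = body[pos + 1]
        if size < 2 or pos + size > len(body):
            raise ValueError("bad attribute length")
        attrs.append((body[pos], body[pos + 2:pos + size]))
        pos += size
    return CODES.get(code, f"unknown code {code}"), verified, attrs
```

A reply whose authenticator does not verify usually points at a shared-secret mismatch between the RADIUS client and the server, which is worth ruling out before looking at user or group settings.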

2 Replies
_EricaChalfin
Employee (Retired)

Robert Czukkermann,

Please take a look at the following article: 000031701 - Configuring a RADIUS client and RSA authentication agent for Bomgar 9.3.

Regards,

Erica
