Connect RSA Authentication Manager to the Cloud Authentication Service
We have connected our Authentication Manager (8.5) to the RSA CAS to extend our authentication methods. Everything worked as expected, and we are able to log in to our Windows workstations through PIN+Approve or PIN+Biometric. Unfortunately, a user who is trying to log in through Windows cannot select another authenticator option after entering his/her PIN successfully.
We have followed Connect RSA Authentication Manager to the Cloud Authentication Service, which mentions the following:
The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.
You'll need to update your Windows agent to the MFA agent 2.0.1. You can download that agent here.
You can point this agent directly at the cloud authentication service or you can point it at Authentication Manager.
Hassan Mehsen, when using PIN+Approve or PIN+Biometrics (which by definition means you are using a legacy (non-REST API) agent), it will use the current default method (top of list in assurance level definition or last used method).
If you are using the Cloud Authentication Service for single sign-on or RADIUS, you have the option of choosing the method during authentication. This has the effect of changing that user's default method for subsequent authentications.
If you are not utilizing SSO or RADIUS->IDR the only way to switch (for example) from approve to biometric would be to temporarily delete approve from the assurance level configuration and move biometric to the top of the assurance level list and then authenticate with your Windows Agent.
Hope that helps,
I have tried the MFA agent 2.0.1 in my lab; unfortunately, it didn't work.
We have connected the MFA agent to Authentication Manager 8.5, and the AM itself is connected to the RSA CAS. Unfortunately, when a user tries to log in through the MFA token, after entering his PIN the user is not allowed to choose which option to authenticate with (Biometric or Approve), even though the policy used for the Authentication Manager on the CAS side has an assurance level which includes both the Biometric and Approve authentication methods.
You'll need to do one of two things:
1. Connect the Windows agent directly to the cloud authentication service. Configuring the agent this way is covered in the agent's admin guide. - This will allow users to enter their password and then be prompted to choose their desired second factor.
2. If you are running Authentication Manager 8.5, you can use AM as a proxy to the cloud service. This is similar to what you are doing now but is slightly different. Instead of AM itself acting as a cloud "agent", AM would instead act as a proxy for your Windows agents. Essentially, your Windows agents would be acting as if they're connected to the cloud service, so the behavior would be the same as in example one above.
If you need help understanding the differences or configuring the agents as described above, you can reach out to RSA Support for assistance and we would be happy to help.
Could you please refer me to the deployment guide for the second point which you have mentioned? Currently, on the MFA agent, we are pointing the workstation Windows login authentication requests to the Authentication Manager, which is already connected to the cloud and proxying the MFA requests to the CAS.
I have followed this guide; unfortunately, the MFA agent is not working as the https://community.rsa.com/docs/DOC-106667#PINsFirstAuth document mentions.
I'm expecting the user to be able to choose one of the authentication methods after entering his PIN.