SecurID^® Discussions

So this scenario does not work with the Windows Authentication Agent 7.4.3?

Hassan Mehsen when using PIN+Approve or PIN+Biometrics (which by definition means you are using a legacy (non-REST API) agent) it will use the current default method (top of list in assurance level definition or last used method).

If you are using the Cloud Authentication Service for single sign-on or RADIUS you have the option of choosing the method during authentication. This has the affect of changing that user's default method for subsequent authentications.

If you are not utilizing SSO or RADIUS->IDR the only way to switch (for example) from approve to biometric would be to temporarily delete approve from the assurance level configuration and move biometric to the top of the assurance level list and then authenticate with your Windows Agent. 

Hope that helps,

Ted

Or alternatively what Randy Belbin‌ said (upgrade to MFA Agent for Windows version 2.0.1).

Hello Ted,

I have tried the MFA agent 2.0.1 in my lab unfortunately it didn't worked.

We have connected the MFA agent to the authentication manager 8.5 , and the AM itself is connected to the RSA CAS, unfortunately, when a user tries to login through thee MFA token and after putting his PIN, the user is not allowed to choose which option to authenticate with (Biometric or approve), knowing that the policy which is used for the authentication manager on the CAS side has an assurance level which includes both biometric and approve authentication methods

Hi Hassan,

You'll need to do one of two things:

1. Connect the Windows agent directly to the cloud authentication service. Configuring the agent this way is covered in the agent's admin guide. - This will allow users to enter their password and then be prompted to choose their desired second factor.

2. If you are running Authentication Manager 8.5, you can use AM as a proxy to the cloud service. This is similar to what you are doing now but is slightly different. Instead of AM itself acting as a cloud "agent", AM would instead act as a proxy for your Windows agents. Essentially, your Windows agents would acting as if they're connected to the cloud service so the behavior would be the same as in example one above.

If you need help understanding the differences or configuring the agents as described above, you can reach out to RSA Support for assistance and we would be happy to help.

Thanks Randy,

Could you please refer me to the deployment guide for the second point which you have mentioned, as currently on the MFA agent we are pointing the workstation windows login authentication requests to the authentication manager which is already connected to the cloud and proxying the MFA requests to the CAS.

Hassan Mehsen‌,

Click to download the RSA MFA Agent 2.0.1 for Microsoft Windows Installation and Administration Guide.

Regards,

Erica

Thanks Eric, 

i have followed this guide , unfortunately the MFA agent is not working as the https://community.rsa.com/docs/DOC-106667#PINsFirstAuth 

document is mentioning.

im expecting the user to have the choice to choose one of the authentication methods after entering his pin.