Connect RSA Authentication Manager to the Cloud Authentication Service
We have connected our Authentication Manager (8.5) to the RSA CAS to extend our authentication methods. Everything worked as expected, and we are able to log in to our Windows workstations through PIN+Approve or PIN+Biometric. Unfortunately, the user who is trying to log in through Windows cannot select another authenticator option after the user enters his/her PIN successfully.
We have followed the Connect RSA Authentication Manager to the Cloud Authentication Service guide, which mentions the following:
The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.
You'll need to make sure you're on AM 8.5 and that you have "Proxy MFA requests" enabled as I show below. Again, this is a little different from AM 8.4, where AM was not acting as a proxy; AM was acting as an agent itself.
If you have "Proxy MFA requests" selected as shown below, the last step should be:
Ensure that you have a policy name configured in the GPO for the Windows agent.
When no policy name is configured, the agent operates in "AM mode" (it basically operates in legacy mode), whereas when you have a policy name configured, the agent will operate in "cloud mode", where it can prompt the user to choose any available method.
One final note: do not enter your PIN at the SecurID prompt. You will also want to make sure that your GPO settings are such that Password is prompted before MFA. The flow will be:
User enters their Password.
User is prompted to choose and complete an additional factor.
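The answer above hinges on one setting: if the GPO does not deliver a policy name, the Windows MFA agent silently falls back to AM (legacy) mode and never offers the user a second authenticator. The script below is an added example (not from this thread, and not RSA's own tooling) that audits a list of workstations for that condition so you can find the hosts still in AM mode before users report it. The registry key path and value name are assumptions standing in for whatever your deployed ADMX template actually writes; substitute the real ones from your template before running it.

```powershell
# Added example, not code from the RSA thread or from RSA.
# Audits which workstations will run the RSA MFA agent in "AM mode" because
# no policy name was delivered by GPO. The registry key and value name are
# ASSUMPTIONS (placeholders for the real ADMX-backed location); adjust them.
param(
    [string[]]$ComputerName = @('localhost'),
    # Hypothetical GPO-backed registry location (assumption, not an RSA-documented path)
    [string]$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Example\RSAMFAAgent',
    # Hypothetical value name holding the policy name (assumption)
    [string]$PolicyName = 'PolicyName'
)

# Runs locally or remotely: reads the policy name and classifies the agent mode.
$probe = {
    param($Key, $Name)
    $value = $null
    if (Test-Path -Path $Key) {
        $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # Empty or missing policy name => agent falls back to AM (legacy) mode and
    # will not let the user choose among the cloud authenticators.
    if ([string]::IsNullOrWhiteSpace($value)) {
        $mode = 'AM mode (legacy)'
    } else {
        $mode = 'Cloud mode'
    }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        PolicyName = $value
        Mode       = $mode
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        if ($c -eq 'localhost') {
            & $probe $PolicyKey $PolicyName
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe `
                -ArgumentList $PolicyKey, $PolicyName -ErrorAction Stop
        }
    } catch {
        # Keep unreachable hosts in the report rather than dropping them silently.
        [pscustomobject]@{
            Computer   = $c
            PolicyName = $null
            Mode       = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Mode, Computer | Format-Table -AutoSize
# Hosts reporting 'AM mode (legacy)' need the policy name set in the GPO
# (then gpupdate /force on the host) before users can pick another authenticator.
```

Run it from an admin workstation with WinRM enabled on the targets, e.g. `.\Audit-MfaAgentMode.ps1 -ComputerName ws01,ws02 -PolicyKey '<real key>' -PolicyName '<real value>'`. A host that shows the correct value but still behaves as AM mode is the place to check the other half of the answer above: that the GPO order prompts for Password before MFA and that "Proxy MFA requests" is enabled on the AM side.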
Worked fine. I was missing the GPO part, and my setup was operating in AM mode.
Could you please advise if auto-registration is supported on the Windows MFA agent 2.0.1?
Auto-registration is not supported on the MFA agent, but there is a configuration option to create a logical agent entry in Authentication Manager (AM); you can then configure all the MFA agents to use that same agent name. Kind of a logical agent, if you will. We have customers who use a single authentication agent name for tens of thousands of agents. A variation would be several "regional" or "country" agent names, such that specific agents use specific names in a many-to-one mapping of agents to Authentication Agent host entries. See ReST agents for more info.
The MFA agent uses the ReST protocol, and there is a bit more configuration required with ReST compared to the old UDP port 5500 SecurID authentication agent protocol, which used the sdconf.rec file to find the AM servers.
Auto-registration is not needed for the MFA agent. The old UDP API was dependent on the presence of an agent record in AM bound to the source IP address. The MFA protocol doesn't use this binding mechanism; instead the binding is to an agent name. You could deploy 10,000 agents with the same ID, or you could create different agents with different group entitlements if desired. Ultimately, the advanced agent reporting can be used to retrieve agent details for reporting purposes, so no auto-registration is required.