RSA and off Domain Access
I'm looking for additional information on how to set up RSA for off-domain access to a PC.
Right now when I'm at home/off the domain I have to log in to my device with a local account to gain access to my remote software. We currently do not allow cached credentials on our devices.
From my understanding we would have to allow the caching of one set of AD credentials so the user could authenticate with RSA off the domain. I have gone through a lot of the documentation and the off-network policy seems interesting and appears to be what we would use, but I don't fully understand how this works and what all the settings mean. It doesn't seem right that we would be able to do this without any of our on-premises RSA servers facing externally.
Our goal is to require users who are taking devices home to work remotely to use two-factor authentication to be able to log in. Can you point me in the direction of any documentation you may have that could assist me with this?
RSA has a solution that would not exactly solve your problem but could make your problem not a security problem. By that I mean you install the RSA Authentication agent for Windows, ver. 7.4.4 is the latest, and configure for offline authentication or offline days. When you are on the LAN, on Domain, you download an encrypted block of RSA authentication token codes for a particular token serial number assigned to a particular user of this Windows laptop. The PC is now protected by 2 factor authentication, the strongest authentication, and no one can access Windows without a correct UserID PIN and TokenCode.
After the RSA Credential Provider authenticates you, you are handed to the Windows credential provider, at which point you must authenticate with a correct Windows password. Therefore, if you have no cached Domain credentials, you cannot authenticate. But if your security policy is based on a fear that cached credentials can be manipulated or hacked, you have just put the most secure authentication method in front of Windows.
RSA does not have a solution to replace Windows authentication, only to get in front of it, at which point you have to make a policy decision on whether offline 2FA is secure enough for you to allow changing your no-cached-Domain-credential policy.
A variation on this is the MFA agent for Windows which authenticates to Cloud Access instead of Authentication Manager.
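The reply above hinges on the Windows setting that decides whether a domain user can log on at all when no domain controller is reachable. As an added example (not code from this thread or from RSA), the PowerShell below reads and optionally sets that policy, which is the value behind the group policy "Interactive logon: Number of previous logons to cache". It assumes the standard Winlogon registry location and that group policy is not overriding the value on the machine being checked; the RSA agent is not involved.

```powershell
# Added example, not from the thread: audit (and optionally change) the
# cached-domain-logon policy discussed above. Run in an elevated PowerShell
# session on the laptop in question. Assumes the standard Winlogon key.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param()

    # The value is stored as REG_SZ. When it is absent, Windows applies its
    # default of 10 cached logons.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    [pscustomobject]@{
        RegistryPath    = $WinlogonKey
        ValueName       = $ValueName
        ConfiguredValue = $raw              # $null means "not set, default applies"
        EffectiveCount  = $count
        CachingEnabled  = ($count -gt 0)
        # With 0, a domain account cannot log on without a DC, which is the
        # situation the original poster describes (local account required).
        OfflineDomainLogon = if ($count -gt 0) { 'possible for previously cached users' } else { 'blocked' }
    }
}

function Set-CachedLogonPolicy {
    # Sets the number of cached logons. 1 is the smallest value that still lets
    # one domain user (the assigned laptop owner) log on off the domain.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 50)]
        [int]$Count
    )

    if ($PSCmdlet.ShouldProcess("$WinlogonKey\$ValueName", "Set to $Count")) {
        # If the value is managed by group policy, the domain GPO will overwrite
        # this local change at the next policy refresh; set it in the GPO instead.
        Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value "$Count" -Type String
    }
    Get-CachedLogonPolicy
}

# Usage: show the current state, then preview what changing it to 1 would do.
Get-CachedLogonPolicy | Format-List
Set-CachedLogonPolicy -Count 1 -WhatIf
```

The `-WhatIf` call only previews the change; drop it once the decision the reply describes (whether offline 2FA in front of Windows justifies allowing cached credentials) has been made. Because the RSA Credential Provider runs before the Windows credential provider, this setting governs only the second step of the logon, and lowering it to 1 limits the cached material on the device to a single account.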
It appears that the maximum offline days allowed is 100. If that is correct, how do we handle employees working remotely permanently or for more than 100 days? Would we have to have an external-facing Authentication Manager?
Assuming the users connect to the network through a VPN, that constitutes being on the LAN, and more offline days can be downloaded or updated.
If users never connect to a VPN, that is a quite different situation.
Will there be a LAN connection for this Windows platform? If there is a Domain Account, will there be no Domain Controller access?
If this is an isolated LAN, you would have to have some authentication source locally, either AD or you could add Authentication Manager.
If your Windows platform is totally isolated, air-gapped, then there would need to be an authentication source on the Windows platform itself.
If there is a WAN connection back to the Domain Controller, is that intermittent or permanent?
If there is some way for the Windows platform to reach the AM server, you could re-charge offline days. If not, then you need something different.
So currently our team members use a local computer account to log in to their device while offsite. Then they launch our remote software and remote into either a virtual machine or another physical PC onsite to complete their work. They must have internet connectivity to be able to use the remote software.
Our goal is to enable cached credentials so users can log in offsite using their domain credentials but keep the remote access method the same. But prior to enabling cached credentials, we would like to have two-factor authentication in place (RSA). We are trying to figure out if that is even possible and, if so, how we can accomplish that.
Hope that helps explain our situation a bit better.
The MFA agent authenticates against the Cloud Access Server, CAS, which can be integrated with Authentication Manager or not. So if you have an internet connection at this remote site, you should be able to authenticate offline, but with CAS instead of AM.
AM 8.5 allows for a limited Identity Router in your Security Console, which, depending on how it is all configured, could be enough to get you multi-factor in front of the cached Windows Domain credentials.