RSA Identity Router and RSA Authn Manager Configuration for VPN client
Hi Team,
Trust you are doing well.
I need some help in order to formulate a solution for our client. I am new to RSA products; however, below is my query:
We need to integrate Fortinet VPN with RSA Secure ID for VPN users.
The infrastructure already has RSA Authentication Manager, which is used by end users to access VPN using a hardware token.
Now, RSA has this new, more capable product, RSA Identity Router, and I understand that it is a DMZ component which also has a RADIUS server built into it.
So now, the VPN client would communicate with RSA Identity Router using the RADIUS protocol [instead of RSA Authn Manager].
I wanted to learn how the RSA Identity Router would communicate with RSA Authentication Manager and how RSA Identity Router would communicate with RSA Cloud Authentication Service. Is the Cloud Authn Service needed in this solution?
Also, in one of the RSA documents it was mentioned that RSA Identity Router would help in initial authentication, so does this mean this RSA Identity Router, which is in the DMZ, would communicate with my User Directory, or am I missing a link here?
Please provide some inputs. I have gone through RSA links but am unable to understand the flow between VPN client --> RSA Identity Router --> Cloud Auth Service --> RSA Identity Router --> RSA Auth Manager.
Thanks,
Parin Das
- Tags:
- Authenticator
- Authenticators
- Community Thread
- Discussion
- Forum Thread
- RSA SecurID
- RSA SecurID Access
- SecurID
- Token
- Token Auth
- Token Authentication
- Token Authenticator
- Token Authenticators
Accepted Solutions
Hi Parin,
Thank you for your interest in this product, and a warm welcome to the world of RSA!
The RSA SecurID Access Cloud Authentication Service product is a hybrid solution. The SaaS/Cloud component is known as the Cloud Authentication Service, aka "the Cloud". It can optionally work with on-premise components: the Identity Router, aka "IDR", and RSA Authentication Manager, aka "AM". The IDR cannot be used without the Cloud. However, the Cloud can be used without the IDR, dependent on what authentication options are chosen. For example, the IDR is required in order to integrate with AM, or to perform primary authentication.
I am not sure which documents you have seen so far, but here are some overview and quick start documents that I trust will help:
- RADIUS for the Cloud Authentication Service Overview: this explains that there are two options - the Cloud manages both primary and step-up authentication, or it manages just step-up. When the Cloud manages both, the flow is explained here. When it manages just step-up, the flow is almost the same, except at step 4 it does not validate the password. As that flow diagram is only high-level, it does not show that to validate the password, the Cloud will send a request to one of the IDRs and that IDR will in turn send a request to the Identity Source (LDAP/AD server) to do primary (password) authentication.
- RSA SecurID Access Cloud Authentication Service Quick Setup Guide for RADIUS Clients
- Cloud Authentication Service Planning and Configuration
- Cloud Authentication Service Help - Table of Contents
  - See chapter "RSA Authentication Manager Integration". The section Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service explains how SecurID can be used for step-up authentications managed by the Cloud (including step-up challenges for RADIUS authentications) and what is required to configure it.
  - See chapter "RADIUS".
  - See chapter "Access Policies". This explains how to set up rules and policies that determine, amongst other things, the circumstances when a user is prompted to use a particular step-up authentication method ("additional authentication"), such as SecurID.
When you use SecurID/AM as a challenge for RADIUS, the IDR communicates with AM as a typical AM Agent would. The IDR appears to AM as a client (Agent).
The IDR communicates with the Cloud using a proprietary protocol that RSA does not publish.
The Quick Setup Guide above gives details of the protocols, ports, etc. that must be opened for all of the necessary RADIUS flows - refer to chapter "Step 1: Plan", section "Connectivity Requirements". The Cloud Authentication Service Help above gives the connectivity requirements for an IDR to connect to AM, in the "RSA Authentication Manager" chapter.
Of course, please let us know if you need more information.
Regards,
Lyndal Kanagasabai