SAMADAMS

RSA MFA Agent for Windows Offline Authentication

Current Setup

  • On-Premise RSA Authentication Manager 8.5 with latest patch (Primary and Replica) and RSA Identity Router (Nov 2020 release) integrated with RSA SecurID Access.
  • Windows 10 clients with the RSA Authentication Agent 7.4.x, successfully authenticating to RSA Authentication Manager.
  • Primary Authenticator: SecurID 700 (Physical Token)

 

Proposed Setup
Migrate Windows 10 clients to RSA MFA agent 2.0.2. Typical on-net desktops will be configured to authenticate to RSA Authentication Manager (AM) leveraging the REST API, pointing the desktop to the on-net [RSA AM Primary IP]:5555 and [RSA AM Replica IP]:5555 along with the API Key from AM. Laptops (road warriors) will be configured to authenticate to RSA SecurID Access, pointing the laptop to the Cloud Authentication Service along with the API Key from SecurID Access.

 

For the most part, on-net authentication using the MFA agent 2.0.2 appears to be working; however, the behavior of offline authentication appears to be a bit confusing. When logging into a client with the RSA MFA agent 2.0.2, the user is required to provide their Active Directory username and password prior to being challenged for MFA. When the client is disconnected from the network, the user may be presented with an unsuccessful login when providing their Active Directory username and password. This behavior is different from the user experience when using the RSA Authentication Agent 7.4.x, as if the Windows cached credentials are not leveraged. In the event the user is able to successfully provide their Active Directory username and password while disconnected, they are challenged for RSA MFA. However, they are challenged to provide a tokencode from the RSA Authenticator App as opposed to their SecurID passcode.

 

Is this normal behavior for offline authentication with the RSA MFA Agent 2.0.2 for Windows? We do not intend to leverage the RSA Authenticator App as a primary authenticator.

PeterWaranowski

The RSA MFA Agent 2.0.2 can operate in AM mode (static logon experience) or in CAS mode (dynamic, policy driven logon experience). The agent must be in AM mode in order to use SecurID tokens offline. Similarly, the agent must be in CAS mode in order to use Authenticate OTP offline.

 

If you want the road warrior laptop agents in CAS mode and authenticate offline, then they must use the Authenticate app. If you want to keep the SD700s and have offline capability, then you must configure the agents in AM mode. Keep in mind that when in CAS mode, the agent is online unless it can't reach the SID tenant.

 

Also, the password, passcode prompt order is configurable, and the Windows password integration (caching) functionality is not yet available in this agent version.

Peter,

 

Thank you for the response. When you state "RSA MFA Agent 2.0.2 can operate in AM mode" and "CAS mode", are you referring to the settings/policies related to RSA SecurID Authentication API REST URL and RSA SecurID Authentication API Key, or am I missing another configuration setting somewhere?

 

Authentication Manager (AM) Mode 

  • RSA SecurID Authentication API REST URL - https:// [RSA AM Primary/Replica IP]:5555
  • RSA SecurID Authentication API Key - From Security Console > Setup > System Settings > RSA SecurID Authentication API page

 

CAS Mode

  • RSA SecurID Authentication API REST URL - https:// [tenant].auth.securid.com
  • RSA SecurID Authentication API Key - Cloud Administration Console > My Account > Company Settings page
PeterWaranowski

Hi Sam,

 

The RSA MFA Agent in CAS mode can use the tenant directly (as you have indicated) or it can proxy through AM (using the Authentication Manager API REST URL). If you specify an Authentication Manager API REST URL and a Cloud Authentication Service Access Policy, then the agent will be in CAS mode. If you do not specify the Cloud Authentication Service Access Policy, then the agent will be in AM mode.

 

CAS mode via AM proxy

  • RSA SecurID Authentication API REST URL - https:// [RSA AM Primary/Replica IP]:5555
  • RSA SecurID Authentication API Key - From Security Console > Setup > System Settings > RSA SecurID Authentication API page
  • RSA Authentication Manager Agent Name - From Security Console > Access > Authentication Agents
  • Cloud Authentication Service Access Policy - From Cloud Administration Console > Access > Policies

 

CAS mode direct

  • RSA SecurID Authentication API REST URL - https:// [tenant].auth.securid.com
  • RSA SecurID Authentication API Key - Cloud Administration Console > My Account > Company Settings page
  • Cloud Authentication Service Access Policy - From Cloud Administration Console > Access > Policies

 

Authentication Manager (AM) Mode 

  • RSA SecurID Authentication API REST URL - https:// [RSA AM Primary/Replica IP]:5555
  • RSA SecurID Authentication API Key - From Security Console > Setup > System Settings > RSA SecurID Authentication API page
  • RSA Authentication Manager Agent Name - From Security Console > Access > Authentication Agents
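As an added example (not RSA's code and not part of either poster's replies), the mode rules from these two answers written as a small config checker: an Access Policy means CAS mode (direct when the REST URL is the tenant, otherwise via the AM proxy), no policy means AM mode, and only AM mode lets SecurID tokens work offline while only CAS mode lets Authenticate OTP work offline. Setting names follow the labels listed above; the host, key, agent-name and policy values are constructed placeholders, and the port 5555 and Agent Name checks mirror the AM-facing lists above.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

SECURID_TOKEN = "SecurID token"          # e.g. the SD700 hardware token in this thread
AUTHENTICATE_OTP = "Authenticate app OTP"  # tokencode from the RSA Authenticator App


@dataclass
class AgentConfig:
    rest_url: str                         # RSA SecurID Authentication API REST URL
    api_key: str                          # RSA SecurID Authentication API Key
    agent_name: Optional[str] = None      # RSA Authentication Manager Agent Name
    access_policy: Optional[str] = None   # Cloud Authentication Service Access Policy


def points_at_tenant(cfg: AgentConfig) -> bool:
    """True when the REST URL is the cloud tenant ([tenant].auth.securid.com)."""
    host = (urlparse(cfg.rest_url).hostname or "").lower()
    return host.endswith(".auth.securid.com")


def agent_mode(cfg: AgentConfig) -> str:
    """'AM' without an Access Policy; with one, 'CAS direct' or 'CAS via AM proxy'."""
    if not cfg.access_policy:
        return "AM"
    return "CAS direct" if points_at_tenant(cfg) else "CAS via AM proxy"


def offline_authenticator(mode: str) -> str:
    """Credential the agent can verify while the client is off the network."""
    return SECURID_TOKEN if mode == "AM" else AUTHENTICATE_OTP


def check_config(cfg: AgentConfig, primary: str) -> List[str]:
    """Findings for a config and the intended primary authenticator; [] means consistent."""
    findings = []
    mode = agent_mode(cfg)
    if offline_authenticator(mode) != primary:
        findings.append(f"{mode} mode: offline logon will ask for "
                        f"{offline_authenticator(mode)}, not {primary}")
    if points_at_tenant(cfg):
        if mode == "AM":  # AM mode is listed with the AM URL, not the tenant URL
            findings.append("AM mode expects the AM REST URL, but the tenant URL is set")
    else:
        if urlparse(cfg.rest_url).port != 5555:
            findings.append("AM REST URL should use port 5555")
        if not cfg.agent_name:  # both AM-facing setups list an Agent Name
            findings.append("RSA Authentication Manager Agent Name is required with AM")
    if not cfg.api_key:
        findings.append("RSA SecurID Authentication API Key is missing")
    return findings
```

Run against the thread's proposed laptop setup (tenant URL plus policy, SD700 as primary) the checker reports that offline logon would prompt for the Authenticate app, which is the behaviour Sam observed.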