SecurID® Discussions
AshishGoel (Beginner)

Selective RSA Authentication

Hi All,

I am installing a new RSA and need to integrate it with LDAP. Integration with LDAP is done and I can see all AD accounts in RSA. Now, when I try to protect the resource, I want to set it up in a way that only manually allowed users are challenged by RSA. RSA should not challenge all users in AD. I set the option to challenge all users except users in a group, but that didn't serve my request.

I believe another option would be to map allowed users into a different group, but that is not feasible as different users are from different AD groups and have different policies applied.

Also, only the allowed requests should see the RSA prompt at login; all others should not see the RSA login prompt.

Any document or guidance to achieve that is highly appreciated.

Thanks,

Ashish

3 Replies
EdwardDavis (Employee)

The agent logic can protect a group, so you will need to identify the challenged users somehow by group (even if you make a new group and add users to it just for needing to use tokens).

The fact that users see the SecurID token login, regardless of whether they need a token or not, is partly unavoidable and partly by design. An unauthorized person cannot 'probe' user IDs to determine whether a user needs a token or not. If we were able to display the token login only for users who need one, and a password for users who don't, that would reveal too much information to anyone about your security setup, so by design the login prompt is the same for everyone. You may be able to display more tiles and have users who do not need a token use a specific login tile, but the idea is that all users see the same login... it is just that one of those logins will accept a password, and one of those will need a passcode first. Users will need to be trained a bit on which systems will force them to use a token, so the login experience is not frustrating.

Hi Edward,

Thanks for the explanation.

When you say create groups, does that mean creating groups on Authentication Manager or on LDAP? Can we use RSA user groups to allow only member users to be challenged for a passcode?

Also, is there a way we can set up the RSA prompt at the second level? I mean, if a user tries to RDP to a machine, the 1st prompt will be to authenticate via the RDP password and then the RSA passcode.

If Windows authentication succeeds, then the RSA passcode prompt goes only to the challenged user group; otherwise no RSA prompt.

Thanks,

Ashish

Hello,

It is passcode/password first, then [Windows password next if a token was used]. We cannot re-order the logic to force the Windows password always first, then a token if a token is needed. A Windows agent may or may not do 'Windows password integration', and this mechanism could not work if the order of factors was reversed.

The challenge group can be a local group on the machine itself, or an LDAP group, or a local group with domain child groups. Anyhow, with any new group (maybe named 'tokenusers'), as long as the Windows machine can find that group we can challenge just members of that group to use a token. The RSA server does not need to know about this group at all; it is all on the agent side.

----

Groups on the RSA server can be used to filter who can successfully use a token on any agent, instead of all users with tokens potentially logging into an agent. You can block some users with tokens from getting authenticated by specific agents. So, the groups on the RSA server do not directly correspond to the Windows machine groups and how they are used.

User group access restriction on the RSA server side is independent of the agent challenge group.

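As an added example (not from the thread or from RSA), the PowerShell below builds the agent-side challenge group Edward describes as a local group with domain child groups, then resolves who on that host would actually be prompted for a passcode, which is the check an administrator wants before pointing the Windows agent at the group. The group name 'tokenusers', the domain 'CORP', the child group names and the availability of the RSAT ActiveDirectory module are assumptions; the agent's own setting that selects the challenge group is configured separately and is not shown.

```powershell
# Assumed names: the challenge group and the domain groups that feed it.
$ChallengeGroup    = 'tokenusers'
$DomainChildGroups = @('CORP\Finance-Admins', 'CORP\Remote-Contractors')

# Create the local challenge group once; it lives only on this machine,
# the RSA server never needs to know about it.
if (-not (Get-LocalGroup -Name $ChallengeGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $ChallengeGroup `
        -Description 'Users who must present a SecurID passcode on this host'
}

# Nest the domain groups as children so existing AD group structure is reused.
foreach ($g in $DomainChildGroups) {
    $already = Get-LocalGroupMember -Group $ChallengeGroup -Member $g -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group $ChallengeGroup -Member $g
    }
}

# Expand local members and nested domain groups down to individual user accounts,
# so the effective set of challenged users can be reviewed (needs RSAT AD module).
function Get-ChallengedUsers {
    param([string]$Group = $ChallengeGroup)
    Get-LocalGroupMember -Group $Group | ForEach-Object {
        if ($_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory') {
            $sam = $_.Name.Split('\')[-1]
            Get-ADGroupMember -Identity $sam -Recursive |
                Where-Object objectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName
        } elseif ($_.ObjectClass -eq 'User') {
            $_.Name
        }
    } | Sort-Object -Unique
}

Get-ChallengedUsers
```

Run it elevated on the agent host; a user missing from the output will fall through to the password-only path at the shared login prompt.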