Steps to be followed for using Hardware Tokens
I have installed and configured RSA 8.3 and logged in to the Security Console.
I have imported the Users XML, created users, and assigned tokens to users using my Security Console.
Is there any other step that I need to follow for hardware tokens to be used? Please share any additional steps that may be required.
(Please note I am not able to find "Distribute" in the context menu of the token.)
I was following the steps as mentioned in the RSA AM 8.3 Administrator's Guide: "Importing, Assigning, and Distributing RSA SecurID Tokens, Step 4: Distribute the token. Choose one of the following:"
Just give the token to the user, and when they first log in somewhere they should get prompted to set up a PIN for the token. Any time a user is prompted for 'tokencode', that means just the digits on the token; 'passcode' means the new PIN followed by the digits on the token. Distribute is for software tokens, where there are multiple ways to get a software token to a user. For hardware tokens there is only one way, which is to physically deliver the token to the user.
One thing to note with your newly assigned hardware tokens is that when you give them to your end users they are in a state called New PIN Mode. This means that a PIN has not yet been created by the end user to use when authenticating.
When you assigned the hardware token, you defined whether your users would authenticate using just the numbers shown on the token, known as the tokencode, or whether users would need to authenticate with a passcode, which is a user-created PIN followed by the tokencode. At RSA we refer to this as something you know (your PIN) and something you have (your token). Let's look at how Bob and Alice would each authenticate, one with a tokencode, the other with a passcode.
How Bob authenticates with a tokencode
Bob's token allows him to authenticate to his network device by entering his user ID and the six digits he sees on his token. In this example, the tokencode that is showing is 03220728.
- Bob enters that number into the device interface and clicks OK.
- The device sends his information to the Authentication Manager server. The server sends back a request for a PIN.
- Since Bob's token is set to be tokencode only, he must wait for the tokencode to change and for the next tokencode of 81108024 to display.
- He then enters that second numeric string into the device. Et voila! Bob has a successful authentication.
How Alice authenticates with a passcode
Alice's token is PIN enabled. For her, the process of getting out of New PIN Mode has a few extra steps. As with Bob, you assigned a token to Alice and delivered it to her securely. Now she needs to create a PIN.
- If you have enabled the Self-Service Console:
  - Send Alice the link to log in to it.
  - She clicks the link to Create PIN.
  - She creates a PIN (something easy for her to remember but hard for others to guess) and confirms it, then clicks Save. She is no longer in New PIN Mode.
  - Now when Alice goes to authenticate to her VPN or web page she uses her passcode (PIN + tokencode).
- If you have not enabled the Self-Service Console:
  - Alice opens the device through which she authenticates (like a web page or VPN client).
  - She enters her user ID in the correct field.
  - She then enters the six digits she sees on the token (e.g., 03220728) and clicks OK.
  - As above, the information is sent to the server and a request for a PIN is sent back.
  - This is where Alice creates her PIN and enters it into the interface. Let's say her PIN is 5130. She enters just that string and clicks OK.
  - The next prompt Alice sees is to submit her passcode (PIN + tokencode). She needs to make sure the tokencode has rolled from the first one she submitted above to the next code (81108024).
  - Now she enters the PIN followed by the tokencode, or 513081108024.
  - She clicks OK and is successfully authenticated to her network device.
For both tokencode only and passcode tokens, waiting for the tokencode to change is very important. Entering the same tokencode more than once will result in a PASSCODE REUSE error that will be seen in the authentication logs.
Please let us know if you have additional questions on this.
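To make the New PIN Mode flow above concrete, here is a small server-side state machine that replays Bob's and Alice's logins with the thread's sample tokencodes. It is an added illustration, not RSA Authentication Manager code: the tokencodes are the constructed values from the walkthrough rather than time-based codes, the server normally derives the current tokencode from the token seed and the clock, but here the caller passes it in as `current_code`, and the response strings (`REQUEST_PIN`, `PASSCODE_REUSE`, and so on) are hypothetical labels chosen to match the thread's wording.

```python
"""Toy model of the SecurID New PIN Mode flow described in this thread.

Added illustration only: not RSA Authentication Manager code. Tokencodes are
constructed sample values; the server normally computes the current tokencode
from the token seed and the clock, but here the caller supplies `current_code`.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    """Server-side state for one assigned hardware token (hypothetical model)."""
    pin_required: bool                    # False: tokencode only (Bob); True: passcode (Alice)
    pin: Optional[str] = None             # None until the user has created a PIN
    new_pin_mode: bool = True             # cleared by the first complete authentication
    last_code_used: Optional[str] = None  # lets the server reject a repeated tokencode
    awaiting: str = "TOKENCODE"           # TOKENCODE, NEXT_TOKENCODE, PIN or PASSCODE
    pending_pin: Optional[str] = None     # PIN entered but not yet confirmed by a passcode


class Server:
    def __init__(self) -> None:
        self.tokens: dict[str, TokenRecord] = {}
        self.log: list[str] = []          # shaped like the Authentication Monitor lines

    def assign(self, user: str, pin_required: bool) -> None:
        """Assign a token; a freshly assigned hardware token starts in New PIN Mode."""
        self.tokens[user] = TokenRecord(pin_required=pin_required)

    def set_pin_self_service(self, user: str, pin: str) -> None:
        """Self-Service Console path: creating a PIN leaves New PIN Mode directly."""
        rec = self.tokens[user]
        rec.pin, rec.new_pin_mode = pin, False
        rec.awaiting = "PASSCODE" if rec.pin_required else "TOKENCODE"

    def _fail(self, user: str, reason: str) -> str:
        self.log.append(f'User "{user}" attempted to authenticate using authenticator '
                        f'"SecurID_Native". {reason}')
        return reason

    def authenticate(self, user: str, entered: str, current_code: str) -> str:
        rec = self.tokens.get(user)
        if rec is None:
            return self._fail(user, "AUTH_METHOD_FAILED")

        if rec.awaiting in ("TOKENCODE", "NEXT_TOKENCODE"):
            if entered == rec.last_code_used:         # same tokencode submitted twice
                return self._fail(user, "PASSCODE_REUSE")
            if entered != current_code:
                return self._fail(user, "AUTH_METHOD_FAILED")
            rec.last_code_used = entered
            if rec.awaiting == "NEXT_TOKENCODE" or not rec.new_pin_mode:
                rec.new_pin_mode, rec.awaiting = False, "TOKENCODE"
                return "SUCCESS"
            # First tokencode in New PIN Mode: the server asks for a PIN ...
            if rec.pin_required:
                rec.awaiting = "PIN"
                return "REQUEST_PIN"
            # ... but a tokencode-only user just waits for the code to roll.
            rec.awaiting = "NEXT_TOKENCODE"
            return "REQUEST_NEXT_TOKENCODE"

        if rec.awaiting == "PIN":
            if not entered.isdigit():
                return self._fail(user, "AUTH_METHOD_FAILED")
            rec.pending_pin, rec.awaiting = entered, "PASSCODE"
            return "REQUEST_PASSCODE"

        # awaiting == "PASSCODE": expect the PIN immediately followed by the tokencode
        pin = rec.pin or rec.pending_pin
        if pin is None:
            return self._fail(user, "AUTH_METHOD_FAILED")
        pin_part, code_part = entered[:len(pin)], entered[len(pin):]
        if code_part == rec.last_code_used:
            return self._fail(user, "PASSCODE_REUSE")
        if pin_part != pin or code_part != current_code:
            return self._fail(user, "AUTH_METHOD_FAILED")
        rec.pin, rec.pending_pin = pin, None          # confirms a PIN created in New PIN Mode
        rec.new_pin_mode, rec.last_code_used = False, code_part
        return "SUCCESS"


def walk_through() -> dict[str, list[str]]:
    """Replays Bob's and Alice's logins with the thread's sample tokencodes."""
    srv = Server()
    srv.assign("bob", pin_required=False)
    srv.assign("alice", pin_required=True)
    bob = [srv.authenticate("bob", "03220728", "03220728"),          # REQUEST_NEXT_TOKENCODE
           srv.authenticate("bob", "03220728", "81108024"),          # PASSCODE_REUSE (did not wait)
           srv.authenticate("bob", "81108024", "81108024")]          # SUCCESS
    alice = [srv.authenticate("alice", "03220728", "03220728"),      # REQUEST_PIN
             srv.authenticate("alice", "5130", "03220728"),          # REQUEST_PASSCODE
             srv.authenticate("alice", "513081108024", "81108024"),  # SUCCESS
             srv.authenticate("alice", "55019342", "55019342")]      # bare tokencode where a passcode is due
    return {"bob": bob, "alice": alice}
```

Two things the replay makes visible: resubmitting the same tokencode before it rolls is rejected as a reuse, exactly as the log entry described above, and once a PIN-enabled token has left New PIN Mode the server expects PIN + tokencode, so a bare tokencode produces only the generic failure in this model.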
I am asking this since I seem to have followed the correct steps mentioned in this thread.
But I am getting:
User “XXX” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”
Authentication method failed"
So I want to try it out on the Self-Service Console.
Please share how to enable the Self-Service Console.
Hello Charu, the Self-Service Console should be accessible from the AM server's internal network through the below URLs:
However, if you need to access the Self-Service Console from the external network, you need a web-tier deployment. You can find all the details you need on page 59 of the below guide:
Authentication method failed can happen for a variety of reasons.
- From what agent are you testing? You may be running into an issue we see where the agent has more than one IP address. Try the steps in the article on 000029015 - Using an IP address override to fix an initial authentication failures with RSA Authentication Manager when …
- Correct time is essential when using Authentication Manager. If you are having an issue authenticating with your token, take time out of the equation and test with a fixed passcode. Steps can be found in the article on https://community.rsa.com/docs/DOC-76697
- Check time on your Authentication Manager server. Is it correct? If it is off by more than two to three minutes that can cause authentication issues. Stopping and starting Authentication Manager services via command line opens the valid authentication window for the token to ten minutes for each user until they authenticate. Be sure to check out the information on how to Log On to the Appliance Operating System with SSH if you have not done so already.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue Jul 17 17:25:06 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am83p:~> cd /opt/rsa/am/server
rsaadmin@am83p:/opt/rsa/am/server> ./rsaserv restart all
You will see all of the services stop then come back up. Once you are back at the prompt, try authenticating again.
- A lot of geeky information can be found in the article on 000029685 - Navigating Next Tokencode Mode in RSA Authentication Manager 8.1 and above.
- Also, you should review the article on 000029890 - Resyncing RSA SecurID tokens using RSA Authentication Manager 8.1 Self-Service Console
I have again installed RSA; this time the time matches the machine hosting this VM and also the Linux machine on which OAM resides.
So now the RSA VM, the Windows box that hosts this VM and the Linux box that has the OAM server are all three in the same time zone.
And I tested the hardware token using the Self-Service Console (set the PIN as well).
Now when I am accessing my protected application:
- I enter the same username (tested to be working fine).
- and the RSA passcode as "the token code" that appears on the hardware token.
I tried creating sdopts.rec with the agent's IP, placed in the same directory as sdconf.rec.
Still the same error on the Authentication Monitor.
Just to add that on the Authentication Monitor the Agent and the Client IPv4 match and are correct (meaning the hostname and IP match what is entered in the Authentication Agents).
Please suggest.