SecurID® Integrations
Certified: November 25, 2022
Solution Summary
This section describes Cisco ISE integration with RSA SecurID (or ID Plus). Use this information to determine which use case and integration type your deployment will employ.
Use Cases
Cisco ISE can be integrated with RSA SecurID to provide RSA SecurID authentication using SAML, Native SecurID, or RADIUS.
Policy Sets - When integrated, users must authenticate with RSA SecurID Access in order gain the access defined in the policy set. Policy Sets can be integrated with RSA SecurID Access using RADIUS or Authentication Agent.
Guest Access Portal - When integrated, users must authenticate with RSA SecurID Access in order to login to the Guest Access Portal. Guest Access Portal can be integrated with RSA SecurID Access using RADIUS, SAML SSO Agent, Relying Party, and Authentication Agent.
My Device Portal - When integrated, users must authenticate with RSA SecurID Access in order to login to the My Device Portal. My Device Portal can be integrated with RSA SecurID Access using SAML SSO Agent or Relying Party.
Admin Access - When integrated, users must authenticate with RSA SecurID Access in order to login to Cisco ISE administrative interface. Admin Access can be integrated with RSA SecurID Access using RADIUS or Authentication Agent.
Integration Types
RADIUS integrations provide a text-driven interface for RSA SecurID Access within the partner application. RADIUS also provides support for most RSA SecurID Access authentication methods and flows.
SSO integrations use SAML 2.0 technologies to direct users’ web browsers to Cloud Authentication Service for authentication. SSO provides Single Sign-On using the IDR My Applications/My Page Portal.
Relying Party integrations use SAML 2.0 to direct users’ web browsers to the RSA Cloud Authentication Service for authentication. Primary authentication is configurable, and relying party can be a good choice for adding additional authentication (only) to existing deployments.
Authentication Agent integrations use an embedded RSA agent to provide RSA SecurID and Authenticate OTP authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.
Supported Features
This section shows all the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA SecurID Access with Cisco ISE using each integration type.
Cisco ISE Integration with RSA Cloud Authentication Service
|
Authentication Methods |
RSA MFA API (REST) |
RADIUS |
Relying Party |
SSO |
|
RSA SecurID |
- |
|
 |
|
|
LDAP Password |
- |
|
|
|
|
Authenticate Approve |
- |
|
|
|
|
Authenticate OTP |
- |
|
|
|
|
Device Biometrics |
- |
|
|
|
|
SMS OTP |
- |
|
|
|
|
Voice OTP |
- |
|
|
|
|
FIDO Security Key |
- | - | |
|
Cisco ISE Integration with RSA Authentication Manager
|
Authentication Methods |
RSA MFA API (REST) |
RADIUS |
Authentication Agent |
|
RSA SecurID |
- |
|
|
|
Risk Based Authentication |
- |
- |
- |
|
Supported |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible |
| n/a | Not applicable |
Configuration Summary
This section contains links to the sections that contain instruction steps that show how to integrate Cisco ISE with RSA SecurID Access using all of the integration types and also how to apply them to each supported use case. First configure the integration type (RADIUS) then configure the use case (Policy Sets).
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA SecurID Access and Cisco ISE components must be installed and working prior to the integration.
Integration Configuration
RSA Cloud Authentication Service
Admin Portal
My Device Portal
Guest Portal
RSA Authentication Manager
Use Case Configuration
Reference
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
|
Previous Version |
New Version |
Examples/Comments |
|---|---|---|
| Company ID | Organization ID | |
| Account | Credential | |
| Token | OTP Credential |
SecurID OTP Credential |
| Tokencode | OTP/Access Code |
SecurID OTP, SMS OTP, Voice OTP Emergency Access Code, Disable Access Code |
| Hardware Token | Hardware Authenticator | |
| Device Serial Number | Binding ID | |
| Device | Credential/Authenticator | |
| Device Registration Code | Registration Code | |
| Authenticate App | Authenticator App |
Known Issues
RSA SecurID External Identity Source – Fail After New PIN
When using RSA SecurID external identity type and force authentication after new PIN function is selected, authentications in new PIN mode indicate failed authentication. The new PIN is set, and the user should initiate another authentication using the new PIN.
My Devices Portal – RSA SecurID and RADIUS External Identity Source
My Devices Portal does not support multi-step authentications required by RSA SecurID and RADIUS external identity sources. If a user authenticates in new PIN or next token code mode they will fail authentication and not know why. Cisco is tracking this as an enhancement with bug id: CSCvd90254.
SAML Request Signing
Cisco ISE does not send “Destination” attribute when sending SAML Requests so it will be rejected by RSA Cloud as this is compliant setting in SAML 2.0 when sending Signed SAML Requests. Therefore, we cannot set SAML Requests to be signed by Cisco ISE to RSA.
Admin Portal Challenge Packets
While being challenged in the Admin Portal, you would need to re-enter your username and click on tab to enter the password section each time you are challenged either in SecurID or RADIUS Protocols. (The Username does not populate after first entering the credentials).
Return Assertion Multiple Groups Bug
If RSA return multiple groups in the SAML Assertion, the Cisco ISE only processes the first group and discard the rest, this bug affects version 3.1, Fix in BugID: CSCwa17470.
Certification Details
RSA Authentication Manager 8.7 Patch 1, Virtual Appliance or later
Cisco ISE 3.2, Virtual Appliance
RSA Ready certification by Mahmoud Dawoud
