RSA support fields many questions regarding RSA Authentication Manager licenses and RSA SecurID tokens. Sometimes a new user license is purchased to increase the number of active users allowed, but additional tokens are not purchased. This means that although there is an increased active user limit, there are no free tokens to assign. In the reverse, users have purchased more hardware or software tokens, but not increased their active user limit. New tokens are imported to the database but cannot be assigned because the license is limiting the number of active users.
This article provides detail on the differences between RSA SecurID tokens (both hardware and software) and a license for RSA Authentication Manager. We also discuss what must be purchased to increase the number of users with tokens in your deployment.
When making a new purchase for either RSA SecurID hardware or software tokens or additional user licenses, be mindful that tokens and licenses are separate purchases. When working with your RSA sales rep or reseller, be sure to state that you want tokens, license or both. This prevents confusion and any delay in getting files to you.
RSA Authentication Manager licenses
An RSA Authentication Manager license provides the upper limit of the number of active users who are allowed in a deployment of the software. To view license information,
Log in to the Security Console.
Browse to Setup > Licenses > Status, as shown here:
In the screenshot above, the software license is for 100,000 users to have one or more authenticators assigned to them. Here, only 1,673 licenses have been used.
If you are assigning tokens to new users, but the Actual number is close to, or at the Limit number, specify during the purchase process that you need both a new license and additional token seeds. Once you reach the Actual number, you cannot assign more tokens to users.
The serial number can be found in the same location as when selecting View installed licenses. Select the drop-down on a LID number, and choose View.
This warning is an indicator that you have reached 95% of the license limit. Tokens can still be assigned but consider either unassigning tokens from users who no longer need them, or purchasing a larger license.
RSA SecurID hardware and software tokens
Each user can possess up to three authenticators or tokens which only count against the user license once. This is why there can be a difference between the Actual number that you see under license status compared to number of assigned tokens.
Log in to the Security Console.
Browse to Authentication > SecurID Tokens > Manage Existing.
Choose the Unassigned tab.
The page that is shown here displays the tokens that are installed in the system. As shown, search results can be filtered at left to show tokens that are not expired and are ready for use.
RSA SecurID Risk Based Authentication (RBA) and On-Demand Authentication (ODA)
You must have an Enterprise License for Risk Based Authentication (RBA) or On-Demand Authentication to enable these options. Confirm the license type in the Security Console under Setup > License Status.
If a user does not have a token assigned, enabling them for RBA/ODA adds a user to both the users with assigned authenticators license and the RBA/ODA license.
If a user already has a hardware or software token assigned to them, enabling them for RBA/ODA increases the RBA/ODA license.
The RSA Authentication Manager license shows the maximum number of users that can have tokens assigned. Despite the Limit value for a license, there can be millions of users in the database and millions of token seeds imported. The Actual value increases by one when one or more authenticators are assigned to a user.
Authenticators can be any combination of hardware tokens, software tokens, RBA/ODA, and fixed passcode (maximum of one fixed passcode), with a maximum of three per user, by default.
RSA Authentication Manager licenses are imported into the system using Setup > Licenses > Add New.
IMPORTANT LICENSING NOTES An RSA Authentication Manager 8.1 license can be used to deploy Authentication Manager 8.1, Authentication Manager 8.2, Authentication Manager 8.3, and Authentication Manager 8.4.
An RSA Authentication Manager 8.4 license cannot be used to deploy Authentication Manager 8.1, Authentication Manager 8.2, and Authentication Manager 8.3 software. An RSA Authentication Manager 8.4 license can only be used to deploy Authentication Manager 8.4 or later software.
Import RSA SecurID token seed records to the deployment by browsing to Authentication > SecurID Tokens > Import Tokens Job > Add New.