Hi
Coming from Duo Security to RSA SecurID, I've learned a few things that I find missing in RSA SecurID.
1. Allow assigning multiple UserIDs to one token. This is currently implemented through User Alias; it works for two users, but it's kinda "sketchy".
2. Allow protecting multiple resources on one server. Let's say you have PAM installed on RHEL, you created an Agent for it in AM, and you allow only UnixAdmins to log in (SSH, sudo). Then you install one web application on that same server and you want to protect it with SecurID as well, but you cannot add another agent with the same IP to protect a different resource on the server and for different uses.
3. The above also happens with ASA. You have your VPN users protected with SecurID and ASA management access with RADIUS. You created RADIUS with an associated AGENT. BUT you have no way to separate which groups are allowed to log in through the standard native AGENT and RADIUS.
These are a few RSA SecurID shortcomings I saw after migrating from Duo Security.
Hello Luka,
1. Allow assigning multiple UserIDs to one token. This is currently implemented through User Alias; it works for two users, but it's kinda "sketchy".
You can open a support ticket and we can open a Request For Enhancement (RFE) for this feature, but I do not think that our engineering team will proceed with that feature, as it is not secure to have the same token assigned to 2 different users.
2. Allow protecting multiple resources on one server. Let's say you have PAM installed on RHEL, you created an Agent for it in AM, and you allow only UnixAdmins to log in (SSH, sudo). Then you install one web application on that same server and you want to protect it with SecurID as well, but you cannot add another agent with the same IP to protect a different resource on the server and for different uses.
For both agents you are using, the node secret will be located under /var/ace, so I think it will work with no issues. Did you try to authenticate and check the output or messages in the authentication activity report?
If the node secret location is different, you can just copy it and paste it on the other agent, and there is no need to add another configuration on the security console.
3. The above also happens with ASA. You have your VPN users protected with SecurID and ASA management access with RADIUS. You created RADIUS with an associated AGENT. BUT you have no way to separate which groups are allowed to log in through the standard native AGENT and RADIUS.
For challenge settings, it should be done from the agent side. If you tried to install RSA Windows Agent, you will be able to get that feature as well, as it is done from the agent side. Another option is a restricted agent, and you can check it in the RSA Authentication Manager 8.1 Administration's Guide, Page 141. And for RADIUS we can use one of 2 options, RADIUS attributes, as it might address what you need; you can check it in the RSA Authentication Manager 8.1 Administration's Guide, Page 310.
So kindly check and advise us back if there is any assistance needed from our side.
Best Regards,