We have a service account which will be accessing network devices under RSA SecurID management, RADIUS actually. This account only exists in the RSA appliance, not in AD, LDAP, etc. Is it possible to set that account to only require a password instead of a permanent token/passcode? If not, would it be possible if the user was in the AD?
The user creation is not the issue. The issue is allowing the user to authenticate via password instead of PIN or permanent passcode.
I was editing my first response while you wrote this.
If this were a Windows Server using a Windows agent, you could create a challenge group to challenge some people and not others, but with RADIUS the challenge is not under RSA's control
Thanks. We don't want to bypass the challenge itself. The challenge can be met. This account is used in other areas not under RSA control. Those other areas require a password of 14 alpha-numeric characters. We would like to authenticate to RSA/RADIUS using that same 14 character alpha-numeric password instead of a 8 digit numeric PIN or permanent token.
maybe SecurID Access Identity Router could handle this. The Via, now SecurID Access hybrid cloud solution, which is merging / melding with Authentication Manager going forward, has the concept of Step-up authentication, and the first step before the 'up' is typically a password.
In the same vein Risk Based Authentication, RBA is an AM concept that works with some Web Based SSL VPNs that use RADIUS, e.g. Citrix NetScaler, and redirects a browser to AM, which will accept a simple password if the risk is considered low (same user, same home PC, same IP address, same software fingerprint on the PC) but if the risk is elevated (not using your work PC, or logon from foreign country) prompt for step up - in AM currently this is either answer your security questions or request an OnDemand Token - not a Hardware or Software token.
So it could get messy trying to create restricted groups for RBA users like your guy with the Password, and then PassCode for everyone else, if this were the same VPN. I think that my version 8.3 of Authentication Manager, but maybe later, you could do what you want with the whole range of Authentication options, passwords to Passcodes, with degrees in between
Thanks for the info.
Let me look into a Policy that might allow a 14 digit alphanumeric Fixed PassCode that could match yours. Maybe the PIN Policy would allow that in Current AM, unless limit is still 8. If not, then you could open a support case for a Request for Enhancement, RFE, to allow this. If this happened or worked, the Fixed PassCode and PassWord would not be synchronized, but they could be set to equal each other
Unfortunately the limit is 8 but I appreciate it.
Are you with VZ? I can open you an RFE case for this. Could be worth the small effort, as this makes a lot of sense
Yes, I am. That would be great if we could do that.
AM-31151 - RFE AM 8.2 allow alpha-numeric fixed passcode up to 16 digits
Description
RFE: Customer would like to create a 16-digit AlphaNumeric fixed Passcode to match the Password on a VPN service account. This is a RADIUS client, so cannot set Challenge to allow this Service account user in with just Password
https://community.rsa.com/message/893047?commentID=893047#comment-893047
No. Replying privately. Thanks, again for the help
Native SecurID protocol has a lot of agents that use the concept of Challenge, a Challenged User needs a Passcode, but an unChallenged user can logon with a Password. But I do not think I have seen that in RADIUS, usually because if you do not want a PassCode prompt, you do not send the authentication request to Authentication Manager, AM. A full RADIUS server could lookup users in LDAP for Passwords, and AM for PassCodes, but RSA's RADIUS cannot do that.
If the authentication request has to come to AM, the next best or closest thing might be a Fixed Passcode