Good morning, I have users that frequently use their laptop when on travel. Obviously, they will not be connected to the domain. I understand there is a way to allow for logging into the machine using their RSA token login. Is this correct?
I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.
Thanks Erica, I’m still getting used to this system.
Troy M. Culpepper
Mid Atlantic Engineering Technical Services
You can find documentation on the Windows Agent here: RSA Authentication Agent for Microsoft Windows
There should be a section about offline authentications.
Yes. It is called offline authentication.
The idea is:
- On the AM server, you set an offline policy that the token type and passcode length is at a minimum to allow download of offline days, and how many days to download (default is 14).
Example: If my policy is 12, and I have a 6-digit token and 4-digit PIN, no offline days will download for that particular token and PIN. If I change the PIN to 6 characters then it will be 12 total, and then download offline days.
- When a successful authentication occurs on the Windows machine, and that machine can reach the AM server, it submits a proof of authentication ticket to the RSA server and downloads encrypted files, one per day, and it has codes for every minute of that day.
- When a user logs into that machine online, it will authenticate against the AM server, submit another proof, and try to top off offline days.
- When a user logs into that machine offline, it will look at the offline codes and try to find a match. If it finds one it generates a proof that is valid for 24 hours. If you go online within 24 hours, the proof will get submitted and try to top up offline days. If you do not connect, the proof eventually expires and you continue to log in against offline days up to the last day that was downloaded.
- When testing this, the RSA Control Center test authentication button is sufficient to both trigger an offline day download, and, if you pull the network connection, the test authenticate button will try to authenticate against the offline days that were stored.
***This offline day communication is on TCP port 5580 (default is 5580, it can be changed) so you need to allow that TCP port to reach the AM server.
Ed! Good to hear from you again. I got all of that, I just can't for the life of me find where to assign a user and give them offline days. I have configured the offline authentication policy but I need to apply it to some of my users.
Hold off on my last email Ed, it is assigned to them, I believe I just need to set it up on his workstation.
Hello Ed, sorry to keep bugging you and please let me know if I need to put this on the board. From what I can tell, the offline authentication issue (not authorizing certain individuals) is only affecting people using iPhones. Android and physical tokens work fine. I feel this may be an odd issue.
Ed, I now have all required policies set to minimum eight characters for PIN and token length. I have reissued tokens to some users and they added an 8-digit PIN. One works, others do not.
If you are still having an issue I'd recommend that you contact RSA Customer Support and open a case to work directly with an engineer.
Windows Agent does have a feature called "Offline Days". The default is set for 14 days. This feature will download RSA SecurID keyfob token codes for 14 days in advance. So even if the laptop is not on the corporate network and not talking to RSA AM, users will be able to authenticate for 14 days since they last synced with RSA AM. You can set the number of days in the RSA SecurID GPO template, I believe.