Hello,
Users are complaining because the Windows Agent (in our case used for RDS-Applications) is always asking for the second factor (SecurID).
Is there a way to define a "secure network" so that the Windows Agent doesn't ask for the RSA SecurID Passcode?
In our case it would be great if we could define (in Authentication Manager) all our private client networks and set any policy for disabling MFA for source hosts in this networks.
Thank you.
Greets,
Manuel
Hi Jay,
thanks for your fast reply.
But there is no possibility to add a policy in Authentication Manager to control this behavior centrally (like in CAS)?
For example if user's client is in 192.168.178.0/24 network, do not challenge him/her but if the same user comes with an OIP (because he/her isn't at the office) challenge him//her.
Thank you.
There's limited Risk Based Authentication on the Authentication Manager, AM side of SecurID Access, which is what you are really asking about (is the user on Corporate LAN or somewhere else?) AM agents can only challenge based on group membership, and if you were to use AM Risk Based Authentication, RBA, your only choices are Password for low risk, and either Security Question Answers or On Demand Token Authentication, ODA if the risk is higher. ODA is basically a single TokenCode delivered via email or SMS text after you enter your PIN.
It's on the Identity Router, IDR interface to the SID Access Cloud that you can configure more granular policies for step-up authentication.
But there is actually no possibility to build this as policy in CAS, because the Windows Agent doesn't offer any ability to communicate directly with the IDR / CAS, right?
Also I'm wondering how I could create such a policy. In the Authentication-Logs of the AM I can only see the IP of the server running the windows agent as client ip, no "real" client ip..
Thank you.
I'm not sure. With the current Windows agent (which only works with Authentication Manager) you can challenge or not based on group membership, so theoretically if you could add users to an AD group based on their IP or subnet address, you could use that group as the challenge or not group, and you might accomplish what you are trying to do, that users with an IP on the "secure network" would not be challenged, either at the console or when accessing Remote Desktop Connections (which I think you still have to add as an an RDCFileName)
There will be a next Generation MFA agent for Windows, which will use the REST API to authenticate against either AM or CAS, due by end of year as far as I know. You'd have to ask your Sales person about any early access.
If these are in Active Directory, and an AD site is configured, you should be able to do this using a Group Policy. Create a new Group Policy Object and apply it to the site the computers are in
And set the RSA Agent setting to not challenge users
Computers NOT in the site can have MFA enabled, and when a computer IS in the site MFA can be disabled. I don't know the download link to the RSA Group Policy Templates, but I know it's available.
You can find the GPO templates on the RSA Authentication Agent download page. Just download the version of the agent you need.
Regards,
Erica
Thank you all for your help. But I think you do not understand what I mean.
Actually I have a AD-Group to decide if a user has to be challenged or not (because we are in the rollout-phase).
But I need additionally a mechanism which decides based on the users location (client is using a private IP of our company or any OIP) wether the user has to be challenged or not.
If the user is in the company he should for example not be challenged.
Thank you.
Von meinem iPhone gesendet
Am 02.04.2019 um 23:00 schrieb Erica Chalfin <no-reply@rsa.com>:
Re: Private network without 2nd factor authentication - Windows Agent
reply from Erica Chalfin in RSA SecurID Access - View the full discussion
You can find the GPO templates on the RSA Authentication Agent download page. Just download the version of the agent you need.
Regards,
Erica
Reply to this message by replying to this email, or go to the message on RSA Link
Start a new discussion in RSA SecurID Access by email or at RSA Link
Following Re: Private network without 2nd factor authentication - Windows Agent in these streams: Inbox
This email was sent by RSA Link because you are a registered user.
You may unsubscribe instantly from RSA Link, or adjust email frequency in your email preferences
>
You need to add each of these apps as an RDCFileName so that Windows does not try to push a Credential Provider to the user when they access these apps, so they won't get prompted with the SID credential provider to enter their Passcode. Add either in the Registry as an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\RSA\RSA Desktop\Local Authentication Settings\RDCFileName or as a GPO remote desktop connection.
https://community.rsa.com/docs/DOC-58298
The following discussion focused on adding Chrome as an RDC, if you want an example of what I'm talking about.
https://community.rsa.com/message/924431?commentID=924431#comment-924431