Hello I am new to RSA SecurityID and we are currently out of licenses. Existing users can log in, however, we can no longer add/assign tokens/licenses to new users. Is there a way to reclaim expired tokens and are tokens equal to license? Is there any adverse affect if I export tokens and users? I want to compare to accounts that are active in AD. Again, I am new to RSA and have zero training.
Thanks Jay, we ran that this morning. We were only able to delete one user.
Hello,
License count
describes the total number of users on the system that can be assigned a way to authenticate.
This typically never expires.
Tokens
Tokens have seed records that do expire. You cannot reuse a token that has expired. If it is a software token, you can purchase new unexpired token seeds, and use these new expire dates to extend the lifetime of the old software tokens that did expire. Or simply assign them as new tokens.
If all your tokens have expired, and you are caught without new tokens to assign, you can still have users authenticate by assigning them fixed passcodes. However, fixed passcodes are not 2-factor, it is 1-factor (essentially a password you know...and if you have another password such as Active Directory, that is considered 1-factor as well). So you can assign fixed passcodes as an emergency and users are not completely unable to access a resource while you wait for new tokens to arrive, but it is considered single factor and does not meet any security policy or regulation that requires 2-factor in the definition of 'something you have (the token only you possess) and something you know (the memorized pin for that token)'. Two single factors (fixed passcode and an Active Directory password) do not sum to true 2-factor.
If you're worried that you might be running out of available tokens, you can check Token Statistics on the Home Page of the Security Console to get a table of your tokens and their availability. Also on the Home Page is a link to License Status, which will show you the type of license, the number of allowed users-with-authenticators and how many such users there are. You might simply need to buy more tokens, or a larger license.
Were you able to resolve your issue or do you need additional assistance?
Regards,
Erica
Hi Erica,
I need still need assistance, just have not had time to schedule a webex.
Hi Erica,
We just received our new license xml file, however version does not match version we are on. License version 8.4, we are on 8.2 p 05.
<attachments deleted>
I removed your screen shots for security purposes. We recommend against posting PII on a public forum.
In this case, I would recommend that you install Authentication Manager 8.4 on your servers using the 8.4 license you received.
Regards,
Erica
A user counts against the active user license limit if they have a token, including on-demand tokens, if they are enabled to Risk Based Authentication, or if they have a Fixed Passcode assigned, but they can only count once against the limit even if they have 3 tokens assigned. So you need to identity who counts.
If your users are in an external Identity Source, Like Active Directory, run a Clean up, either now or scheduled
If users have been removed from AD, the clean-up job will find the tokens assigned to ex-employees and return them to available and lower your active user count.
Other approach would be to manually look through Security Console - Identity - Users - Manage Existing, and identity users who no longer need tokens.
Run a report on Users with tokens could help too