AnsweredAssumed Answered

Connect RSA Authentication Manager to the Cloud Authentication Service

Question asked by Hassan Mehsen on Aug 26, 2020
Latest reply on Sep 1, 2020 by Sean Doyle

Like • Show 0 Likes0
Comment • 13

Hello Guys!

We have connected our authentication manager (8.5) to the RSA CAS to extend our authentication methods, everything worked as expected, and we are able to login to our Windows workstations through the PIN+Approve or PIN+Bio-metric, unfortunately the user which is trying to login through the windows cannot select another authenticator option after the user enter his/her PIN successfully.

We have followed the Connect RSA Authentication Manager to the Cloud Authentication Service which is mentioning the following:-

The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.

Please advise.

No one else has this question

Outcomes

13 Replies

Randy Belbin Aug 26, 2020 12:01 PM
Mark Correct
Correct Answer
Hi Hassan,

You'll need to update your Windows agent to the MFA agent 2.0.1. You can download that agent here.
RSA MFA Agent for Microsoft Windows

You can point this agent directly at the cloud authentication service or you can point it at Authentication Manager.
Like • Show 0 Likes0
Actions
- Hassan Mehsen @ Randy Belbin on Aug 26, 2020 12:13 PM
  Mark Correct
  Correct Answer
  So this scenario does not work with the Windows Authentication Agent 7.4.3?
  Like • Show 0 Likes0
  Actions
  - Ted Barbour @ Hassan Mehsen on Aug 26, 2020 4:47 PM
    Mark Correct
    Correct Answer
    Hassan Mehsen when using PIN+Approve or PIN+Biometrics (which by definition means you are using a legacy (non-REST API) agent) it will use the current default method (top of list in assurance level definition or last used method).
    If you are using the Cloud Authentication Service for single sign-on or RADIUS you have the option of choosing the method during authentication. This has the affect of changing that user's default method for subsequent authentications.
    
    If you are not utilizing SSO or RADIUS->IDR the only way to switch (for example) from approve to biometric would be to temporarily delete approve from the assurance level configuration and move biometric to the top of the assurance level list and then authenticate with your Windows Agent.
    
    Hope that helps,
    Ted
    Like • Show 0 Likes0
    Actions
    - Ted Barbour @ Ted Barbour on Aug 26, 2020 5:29 PM
      Mark Correct
      Correct Answer
      Or alternatively what Randy Belbin said (upgrade to MFA Agent for Windows version 2.0.1).
      Like • Show 0 Likes0
      Actions
      - Hassan Mehsen @ Ted Barbour on Aug 30, 2020 5:34 PM
        Mark Correct
        Correct Answer
        Hello Ted,
        
        I have tried the MFA agent 2.0.1 in my lab unfortunately it didn't worked.
        
        We have connected the MFA agent to the authentication manager 8.5 , and the AM itself is connected to the RSA CAS, unfortunately, when a user tries to login through thee MFA token and after putting his PIN, the user is not allowed to choose which option to authenticate with (Biometric or approve), knowing that the policy which is used for the authentication manager on the CAS side has an assurance level which includes both biometric and approve authentication methods
        Like • Show 0 Likes0
        Actions
        Randy Belbin @ Hassan Mehsen on Aug 31, 2020 12:01 PM
        Mark Correct
        Correct Answer
        Hi Hassan,
        
        You'll need to do one of two things:
        
        1. Connect the Windows agent directly to the cloud authentication service. Configuring the agent this way is covered in the agent's admin guide. - This will allow users to enter their password and then be prompted to choose their desired second factor.
        
        2. If you are running Authentication Manager 8.5, you can use AM as a proxy to the cloud service. This is similar to what you are doing now but is slightly different. Instead of AM itself acting as a cloud "agent", AM would instead act as a proxy for your Windows agents. Essentially, your Windows agents would acting as if they're connected to the cloud service so the behavior would be the same as in example one above.
        
        If you need help understanding the differences or configuring the agents as described above, you can reach out to RSA Support for assistance and we would be happy to help.
        Like • Show 0 Likes0
        Actions
        Hassan Mehsen @ Randy Belbin on Aug 31, 2020 5:42 PM
        Mark Correct
        Correct Answer
        Thanks Randy,
        
        Could you please refer me to the deployment guide for the second point which you have mentioned, as currently on the MFA agent we are pointing the workstation windows login authentication requests to the authentication manager which is already connected to the cloud and proxying the MFA requests to the CAS.
        Like • Show 0 Likes0
        Actions
        Erica Chalfin @ Hassan Mehsen on Aug 31, 2020 5:50 PM
        Mark Correct
        Correct Answer
        Hassan Mehsen,
        
        Click to download the RSA MFA Agent 2.0.1 for Microsoft Windows Installation and Administration Guide.
        
        Regards,
        Erica
        Like • Show 0 Likes0
        Actions
        Hassan Mehsen @ Erica Chalfin on Aug 31, 2020 5:57 PM
        Mark Correct
        Correct Answer
        Thanks Eric,
        
        i have followed this guide , unfortunately the MFA agent is not working as the https://community.rsa.com/docs/DOC-106667#PINsFirstAuth
        document is mentioning.
        
        im expecting the user to have the choice to choose one of the authentication methods after entering his pin.
        Like • Show 0 Likes0
        Actions
        Randy Belbin @ Hassan Mehsen on Aug 31, 2020 6:01 PM
        Mark Correct
        Correct Answer
        Hi Hassan,
        
        You'll need to make sure you're on AM 8.5 and that you have the Proxy MFA requests enabled as I show below. Again, this is a little different than AM 8.4 where AM was not acting as a proxy, AM was acting as an agent itself.
        
        If you have the "proxy MFA requests" selected as shown below, the last step should be:
        
        Ensure that you have a policy name configured in the GPO for the Windows agent.
        When no policy name is configured, the agent operates in "AM Mode" (it basically operates in legacy mode) whereas when you have a policy name configured, the agent will operate in "cloud mode" where it can prompt the user to choose any available method.
        
        One final note - do not enter your PIN at the SecurID prompt. You will also want to make sure that your GPO settings are such that Password is prompted before MFA. The flow will be:
        
        User enters their Password.
        User is prompted to choose and complete an additional factor.
        Like • Show 1 Like1
        Actions
        Hassan Mehsen @ Randy Belbin on Sep 1, 2020 10:15 AM
        Mark Correct
        Correct Answer
        Hello Randy,
        
        Worked fine, i missing the GPO part, and my setup was operating in AM mode.
        
        Could you please advise if auto-registration is supported on the Windows MFA agent 2.0.1
        Like • Show 0 Likes0
        Actions
        Jay Guillette @ Hassan Mehsen on Sep 1, 2020 10:59 AM
        Mark Correct
        Correct Answer
        Hassan,
        Auto-registration is not supported on the MFA agent, but there is a configuration option to create a logical agent entry in Authentication Manager, AM then you can configure all the MFA agents to use that same agent name. Kind of a logical agent if you will. We have customers who use a single authentication agent name for 10s of thousands of agents. A variation would be several 'regional' or 'country' agent names, such that specific agents use specific names in a many to one mapping of agents to Authentication Agent host entry. See ReST agents for more info
        RSA Authentication Agents
        The MFA agent uses the ReST protocol, and there is a bit more configuration required with ReST compared to the old UDP port 5500 SecurID authentication agent protocol, which used the sdconf.rec file to find the AM servers.
        Like • Show 0 Likes0
        Actions
        Sean Doyle @ Jay Guillette on Sep 1, 2020 12:00 PM
        Mark Correct
        Correct Answer
        Auto-registration is not needed for the MFA agent. The old UDP API was dependent on the presence of an agent record in AM bound to the source IP address.. the MFA protocol doesn't use this binding mechanism... instead the binding is to an agent name... you could deploy 10,000 agents with the same ID, our you could create different agents with different group entitlements if desired. Ultimately, the advanced agent reporting can be used to retrieve agent details for reporting purposes. Ultimately no auto-registration required.
        Like • Show 0 Likes0
        Actions

Connect RSA Authentication Manager to the Cloud Authentication Service

Outcomes

Related Content

Recommended Content