Good Afternoon,
I'm looking for additional information on how to set up RSA for off-domain access to a PC.
Example;
Right now when I'm at home/off the domain I have to log in to my device with a local account to gain access to my remote software. We currently do not allow cached credentials on our devices.
From my understanding we would have to allow the caching of one set of AD credentials so the user could authenticate with RSA off the domain. I have gone through a lot of the documentation and the off-network policy seems interesting and appears to be what we would use, but I don't fully understand how this works and what all the settings mean. It doesn't seem right that we would be able to do this without any of our on-premises RSA servers facing externally.
Our goal is to make users who are taking devices home to work remotely have to use two-factor authentication to be able to log in. Can you point me in the direction of any documentation you may have that could assist me with this?
Thanks,
James/Virginia
RSA has a solution that would not exactly solve your problem but could make your problem not a security problem. By that I mean you install the RSA Authentication Agent for Windows, ver. 7.4.4 is the latest, and configure it for offline authentication or offline days. When you are on the LAN, on domain, you download an encrypted block of RSA authentication tokencodes for a particular token serial number assigned to a particular user of this Windows laptop. The PC is now protected by two-factor authentication, the strongest authentication, and no one can access Windows without a correct UserID, PIN and tokencode.
After the RSA credential provider authenticates you, you are handed to the Windows credential provider, at which point you must authenticate with a correct Windows password. Therefore, if you have no cached domain credentials, you cannot authenticate. But if your security policy is based on a fear that cached credentials can be manipulated or hacked, you have just put the most secure authentication method in front of Windows.
RSA does not have a solution to replace Windows authentication, only to get in front of it, at which point you have to make a policy decision if offline 2FA is secure enough for you to allow changing your no cached Domain credential policy.
A variation on this is the MFA agent for Windows which authenticates to Cloud Access instead of Authentication Manager.
RSA MFA Agent Downloads for Microsoft Windows
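An added example, not part of the thread or of RSA's own documentation: a PowerShell audit that reports the two device settings the reply ties together, the cached domain logon count (the standard Winlogon `CachedLogonsCount` value) and whether an RSA credential provider is registered. It assumes the RSA agent's credential provider display name contains "RSA"; verify that on your own build.

```powershell
# Added example (not from the thread): audit a laptop for offline two-factor readiness.
# Assumption: the RSA agent registers a credential provider whose name contains "RSA".
# Run in an elevated PowerShell session on the device being checked.

function Get-OfflineLogonReadiness {
    # Cached domain logons: 0 means no cached credentials, so the Windows
    # credential provider behind the RSA prompt cannot authenticate off domain.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent
    $cached = [int]$cached

    # Enumerate registered credential providers; each subkey is a GUID whose
    # default value is the provider's display name.
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $providers = Get-ChildItem -Path $cpRoot -ErrorAction SilentlyContinue | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).'(default)'
    }
    $rsaPresent = [bool]($providers | Where-Object { $_ -match 'RSA' })

    $finding = if (-not $rsaPresent) { 'No RSA credential provider registered' }
               elseif ($cached -lt 1) { 'Cached logons disabled: Windows logon fails after the RSA prompt off domain' }
               else { 'OK: 2FA sits in front of a cached domain logon' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CachedLogonsCount  = $cached
        RsaProviderPresent = $rsaPresent
        OfflineTwoFactorOk = ($rsaPresent -and $cached -ge 1)
        Finding            = $finding
    }
}

Get-OfflineLogonReadiness | Format-List
```

Run it across the remote-work laptops before changing the cached-credential policy so you can see which devices would still fail at the Windows password step.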