RSA® Hard Token Migration
The SecureAuth RSA SecurID® Migration Value Added Module (VAM) provides a migration path for our customers from RSA security tokens to more advanced multi-factor and adaptive authentication methods available with the SecureAuth® Identity Platform. Customers can continue to use their existing RSA tokens when authenticating to the SecureAuth Identity Platform, enabling a phased retirement of legacy hard-token technology and the SecurID platform.
Migrations are most successful when handled with a deliberate and planned approach, taking the time necessary to transition users with as little disruption as possible. Organizations benefit from use of the SecureAuth RSA SecurID Migration VAM by ensuring their RSA tokens can coexist with their SecureAuth Identity Platform deployment until all users are fully migrated. The VAM enables users to use their existing RSA soft and hard tokens as a second factor with the SecureAuth Identity Platform. In addition to RSA SecurID support, this VAM supports other vendors' legacy platforms and tokens, provided the token can be validated via the standard RADIUS protocol.
This section provides two example scenarios for the SecureAuth RSA SecurID Migration VAM after its deployment.
Token Validation for Web Applications
Typically, RSA SecurID is leveraged to protect VPN and other RADIUS compatible devices. With this module, the tokens can now be used to authenticate to web applications during the RSA® token phase-out period.
The example below illustrates a typical user workflow when logging into a web-based application protected by the SecureAuth Identity Platform.
Click the Security Token radio button, then click the Submit button. A screen appears, as in the next image.
Type or click the buttons to input the security-token code, then click Submit.
After the token is validated, the requested application is now available to the user.
Token Validation via SecureAuth RADIUS Server
Most customers that use the RSA SecurID product leverage it to protect access to network resources such as VPNs. To migrate from RSA to SecureAuth, the SecureAuth RADIUS server is often used if the VPN does not support more modern authentication methods such as SAML. When migrating from RSA SecurID, SecureAuth recommends using SAML when the VPN supports it.
In cases where the VPN (or other protected resource) does not support modern authentication methods, the SecureAuth RADIUS server is used. The RADIUS protocol is well supported by VPNs and legacy applications. The SecureAuth RADIUS server proxies authentication requests from the VPN (or other protected resource) to the SecureAuth Identity Platform server. All of the authentication methods that you choose to make available to the user are presented via the VPN (or other protected resource) login user interface.
Below is an example of the user workflow when logging into a Cisco AnyConnect VPN client.
SecureAuth RADIUS Server Testing and Validation
When configuring the SecureAuth RADIUS server, we recommend validating the configuration using a test tool such as NTRadPing. This enables you to ensure the server is functioning and configured as expected prior to having RADIUS clients, such as VPNs, connect to the resource.
The SecureAuth RADIUS server supports Challenge/Response (as illustrated in the examples above). After entering the userID and Password, you are prompted to enter the second factor choice, then the value such as the RSA SecurID token value. This tool enables all phases of the login process to be validated.
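The challenge/response exchange described above, worked through at the packet level as an added example (it is not SecureAuth's code or the test tool's). It follows RFC 2865; the user name, password, token code, State value and shared secret are constructed, and build_reply stands in for the server so the exchange runs offline.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24                  # RFC 2865 attribute types

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    padded, out = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00"), b""
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + (out[-16:] or authenticator)).digest()
        out += bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
    return out

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def build_request(ident, user, password, secret, state=b""):
    auth = os.urandom(16)  # Request Authenticator, fresh for every packet
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, auth))
    if state:  # echo the server's State so it can tie this packet to its challenge
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_reply(code, request, secret, attrs):  # stand-in for the server (RFC 2865 section 3)
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def parse_reply(reply, request, secret):
    """Check a reply against its request and the shared secret; return (code, attrs)."""
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply) or reply[1] != request[1]:
        raise ValueError("bad length or identifier")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampering")
    attrs, pos = {}, 20
    while pos < len(reply):
        size = reply[pos + 1] if pos + 2 <= len(reply) else 0
        if size < 2 or pos + size > len(reply):
            raise ValueError("malformed attribute")
        attrs[reply[pos]] = reply[pos + 2:pos + size]
        pos += size
    return reply[0], attrs

def demo(secret=b"constructed-secret"):  # constructed user, password and token code
    first = build_request(1, b"jdoe", b"Passw0rd!", secret)
    challenge = build_reply(ACCESS_CHALLENGE, first, secret, attr(STATE, b"sess-42"))
    code, attrs = parse_reply(challenge, first, secret)
    second = build_request(2, b"jdoe", b"123456", secret, attrs[STATE])
    accept = build_reply(ACCESS_ACCEPT, second, secret, b"")
    return code, attrs[STATE], parse_reply(accept, second, secret)[0]
```

A reply that fails the Response Authenticator check is what a mismatched shared secret looks like from the client side, which is why a test run before connecting real RADIUS clients catches it.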
User Name Mapping
If the RSA SecurID server uses sAMAccountName to validate the token, but the Authenticated UserID in the SecureAuth realm is mapped to UPN, you need to map AuxID5 to sAMAccountName (configured in the appliance web admin, “data” tab). The appliance would then log the user in via the UPN, but validate the token leveraging the sAMAccountName.
You would also need to confirm the SecurID field mappings in the appliance web.config file as shown below.
Architecture — Example Production Environments + Versions
The essential architecture of the SecureAuth RSA SecurID Migration VAM solution is described in this section.
An illustration of the RSA SecurID topology is shown in the image.
- User navigates to the target application using a web browser.
- The target application redirects the user to SecureAuth for authentication.
- SecureAuth validates the username and password and prompts the user to enter the OTP from the RSA Token.
- The RSA Token is validated against RSA Authentication Manager through the SecureAuth Identity Platform.
- Successful validation allows access to the target resource. Failed validations are blocked.
NOTE: While the SecureAuth RSA SecurID Migration VAM was designed for use with RSA SecurID hard tokens, there are other RADIUS server providers — such as Vasco, Defender, and SafeNet — that can be used with this VAM.
Deployment & Configuration
When planning for deployment, keep in mind the following best practices:
- Utilize the RADIUS Test Client to streamline the integration. We recommend that you test both the RADIUS server connectivity and token validation using the Test Client process before any integration.
- We have found specific errors arising from RADIUS server policies in Vasco RADIUS servers. Any possible problems can be alleviated by using the Test Tool and examining the server logs.
- Make sure you download the SecureAuth RSA SecurID Migration VAM deployment package that matches your version of SecureAuth IdP or the SecureAuth Identity Platform. There are multiple versions of SecureAuth IdP and the SecureAuth Identity Platform, and each version has a corresponding version of this module. Verify version compatibility before installation.
The requirements for deployment of this functionality are:
- SecureAuth IdP version 8.2 or later, or the SecureAuth Identity Platform 19.07
- The RSA SecurID with a RADIUS server enabled. Other vendor products such as Vasco, Defender, or SafeNet are supported via this module in place of SecurID.
- Connectivity between the SecureAuth Identity Platform appliance and the RSA SecurID RADIUS server.
- The appropriate version of the deployment package. (There is a version of this package for each supported version of SecureAuth IdP and the SecureAuth Identity Platform).
Installing the VAM
To configure the SecureAuth Identity Platform installation for RSA SecurID Migration authentication, perform the following steps.
1. Download the SecureAuth RSA SecurID Migration VAM deployment package from the SecureAuth site to a temporary folder on the SecureAuth IdP or Identity Platform appliance. (For the specific location of this deployment package, contact your project team for assistance.)
2. Using a decompression program such as WinZip or 7-Zip, unpack the deployment package to a temporary folder. Two sub-folders appear:
3. Drill into the SecureAuthxx folder.
4. Copy these files to the targeted realm’s bin folder, such as SecureAuth1/bin or SecureAuth2/bin.
Repeat this step for every SecureAuth folder, except for the SecureAuth0 folder.
Configuring the VAM
1. Launch the SecureAuth Identity Platform Admin Console
Launch the SecureAuth Identity Platform Admin Console by entering the URL http://localhost:8088/. The admin console user interface can only be viewed on the local machine. For IdP version 9.3 and above, open the classic admin interface.
2. Click the Tools option
From the admin console’s left panel, click the Tools option at the top of the page, as seen in the image below.
3. Select the Update Web Config option.
Select the Update Web Config option. A screen appears, as in the image below.
4. Click both the Update and Update Resource buttons.
The web config files are updated using the new DLLs you copied to the appropriate folders. After the update is completed, the admin UI reappears.
5. Add module settings to the configuration file:
- For versions 9.2 and below, click on the Admin Realm option, then from the left pane, click to select the targeted realm, such as SecureAuth1 or SecureAuth2, then click the System tab, then “Click to edit Web Config file.” to open the web.config editor.
- For versions 9.3 and above or the SecureAuth Identity Platform, click the Tools option, then Decrypt Web Config. Select all realms that will be using this module then click the Decrypt button.
6. Add the following configuration settings in the sections below as described:
<section name="oneTimePasswordRadiusService" type="SecureAuth.OTP.Radius.OneTimePasswordConfiguration, SecureAuth.OTP.Radius" allowDefinition="MachineToApplication" />
In key RegMethodOrder add "radius":
<add key="RegMethodOrder" value="Email,..,PushAccept,radius" />
Add the following keys:
<add key="RadiusOathTokenValidationEnabled" value="True" />
<add key="RadiusOathTokenField" value="AuxID5" />
<add key="RadiusTokenField" value="AuxID5" />
<add key="msgRADIUSMethod" value="RADIUS Registration Method Selected" />
<add key="RegistrationRadius" value="True" />
Add the Radius provider inside the <!-- otp --> section:
<add description="Radius Server Provider" Authentication_Port="1812" Authentication_Account="1813" Retries="3" Socket_Timout="6000" Hostname="" Shared_Secret="" RadiusClientNAS_IP_Address="" name="OTPRadiusProvider" type="SecureAuth.OTP.Radius" />
</providers>
7. Click to select the Registration Methods tab.
Scroll down until you see the newly created RSA/RADIUS Server Settings section as shown in the next image.
8. Change the values in these fields as required. These fields include:
|Select whether a RADIUS server is enabled for this SecureAuth Identity Platform appliance. Enable this feature to connect with the RSA SecurID server
|Enter the IP address or the server name of the target RADIUS server
|Enter the port number this appliance will use to authenticate applications overseen by the external RADIUS server gateway
|Not used. No value is needed or used for this use case
|Enter the number of retries the SecureAuth appliance will do before abandoning the request to the RSA RADIUS server
|Enter the number of milliseconds this RADIUS port will wait before abandoning the request to the RSA RADIUS server
|Enter the RADIUS shared secret that enables this appliance to access the RADIUS server
Update the configuration accordingly and click Save to commit configuration changes.
Testing the SecureAuth RSA SecurID Migration VAM Deployment
A third component included in the SecureAuth RSA SecurID Migration VAM deployment package is the RADIUS Test Client. This command line tool enables you to test the deployment and ascertain whether the VAM configuration is working properly prior to any integration.
To initiate this test, use the following procedure:
- Place the RADIUS test tool into a directory of your choosing and extract the files. Notice that one of the files is an executable.
- Open the command line prompt by typing cmd. The command prompt dialog box appears.
- Use cmd to navigate to the directory where you placed the executable, then enter: SecureAuth.RadiusServerTestClient [hostname] [sharedsecret] [username] [password] where:
  - [hostname] Enter the name of the host where the RADIUS server resides.
  - [sharedsecret] Enter the shared secret that enables the RADIUS server to communicate with the client.
  - [username] Enter the name of the user.
  - [password] Enter the password associated with this user.
NOTE: If you enter only the executable name, a list of all parameters supported by this executable appears.
The test client runs and indicates whether the deployment was successful or not, as shown in the example below.