The SecureAuth RSA SecurID® Migration Value Added Module (VAM) provides a migration path for our customers from RSA security tokens to more advanced multi-factor and adaptive authentication methods available with the SecureAuth® Identity Platform. Customers can continue to use their existing RSA tokens when authenticating to the SecureAuth Identity Platform, enabling a phased retirement of legacy hard-token technology and the SecurID platform.
Migrations are most successful when handled with a deliberate and planned approach, taking the time necessary to transition users with as little disruption as possible. Organizations benefit from using the SecureAuth RSA SecurID Migration VAM by ensuring their RSA tokens can coexist with their SecureAuth Identity Platform deployment until all users are fully migrated. The VAM enables users to use their existing RSA soft and hard tokens as a second factor with the SecureAuth Identity Platform. In addition to RSA SecurID support, this VAM supports other vendors' legacy platforms and tokens, provided the token can be validated via the standard RADIUS protocol.
This section provides two example scenarios for the SecureAuth RSA SecurID Migration VAM after its deployment.
Typically, RSA SecurID is leveraged to protect VPN and other RADIUS compatible devices. With this module, the tokens can now be used to authenticate to web applications during the RSA® token phase-out period.
The example below illustrates a typical user workflow when logging into a web based application protected by the SecureAuth Identity Platform.
Click the Security Token radio button, then click the Submit button. A screen appears, as in the next image.
Type or click the buttons to input the security-token code then click Submit.
After the token is validated, the requested application is now available to the user.
Most customers that use the RSA SecurID product leverage it to protect access to network resources such as VPNs. To migrate from RSA to SecureAuth, the SecureAuth RADIUS server is often used if the VPN does not support more modern authentication methods such as SAML. When migrating from RSA SecurID, SecureAuth recommends using SAML whenever the VPN supports it.
In cases where the VPN (or other protected resource) does not support modern authentication methods, the SecureAuth RADIUS server is used. The RADIUS protocol is well supported by VPNs and legacy applications. The SecureAuth RADIUS server proxies authentication requests from the VPN (or other protected resource) to the SecureAuth Identity Platform server. All of the authentication methods that you choose to make available to the user are presented via the VPN (or other protected resource) login user interface.
Below is an example of the user workflow when logging into a Cisco AnyConnect VPN client.
When configuring the SecureAuth RADIUS server, we recommend validating the configuration using a test tool such as NTRadPing. This enables you to ensure the server is functioning and configured as expected prior to having RADIUS clients, such as VPNs, connect to the resource.
The SecureAuth RADIUS server supports Challenge/Response (as illustrated in the examples above). After entering the user ID and password, you are prompted to choose the second factor, then to enter its value, such as the RSA SecurID token code. This tool enables all phases of the login process to be validated.
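As an added illustration of the Challenge/Response exchange described above (example code written for this page, not part of the SecureAuth package and not a substitute for NTRadPing or the VAM's RADIUS Test Client), the following Python builds and verifies RFC 2865 packets for the password-then-challenge login. The shared secret, user name, prompt texts and State values are constructed sample values, and the `send` callable stands in for the UDP socket to the RADIUS server.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types used by the login

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded, out, prev = password + b"\x00" * (-len(password) % 16), b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def encode_attributes(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
def parse_attributes(body):
    attrs, pos = {}, 0
    while pos < len(body):
        t, length = body[pos], body[pos + 1]
        if length < 2: raise ValueError("malformed attribute length")
        attrs[t], pos = body[pos + 2:pos + length], pos + length
    return attrs
def build_access_request(ident, secret, authenticator, username, password, state=None):
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))]
    if state is not None:  # echo the server's State to continue a challenge
        attrs.append((STATE, state))
    body = encode_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
def build_response(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body
def parse_response(packet, secret, request_auth):
    """Verify the Response Authenticator before trusting a reply; a mismatch usually means a wrong shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: check the shared secret")
    return code, ident, parse_attributes(packet[20:])
def challenge_response_flow(send, secret, username, password, answers):
    """Password first, then answer each Access-Challenge (factor choice, then token code) via `send`."""
    ident, state, reply, prompts, answers = 1, None, password, [], list(answers)
    while True:
        auth = os.urandom(16)  # fresh Request Authenticator for every request
        code, _, attrs = parse_response(send(build_access_request(ident, secret, auth, username, reply, state)), secret, auth)
        prompts.append(attrs.get(REPLY_MESSAGE, b"").decode(errors="replace"))
        if code != ACCESS_CHALLENGE or not answers:
            return code, prompts  # Accept, Reject, or a challenge we have no answer for
        state, reply, ident = attrs.get(STATE), answers.pop(0), ident + 1
```

Each answer to a challenge travels in User-Password together with the server's State attribute, so a test client must keep both the per-request Request Authenticator and the last State to complete the login.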
If the RSA SecurID server uses sAMAccountName to validate the token, but the Authenticated UserID in the SecureAuth realm is mapped to UPN, you need to map AuxID5 to sAMAccountName (configured in the appliance web admin, “Data” tab). The appliance then logs the user in via the UPN, but validates the token using the sAMAccountName.
You would also need to confirm the SecurID field mappings in the appliance web.config file as shown below.
The essential architecture of the SecureAuth RSA SecurID Migration VAM solution is described in this section.
An illustration of the RSA SecurID topology is shown in the image.
NOTE: While the SecureAuth RSA SecurID Migration VAM was designed for use with RSA SecurID hard tokens, there are other RADIUS server providers — such as Vasco, Defender, and SafeNet — that can be used with this VAM.
The requirements for deployment of this functionality are:
When planning for deployment, keep in mind the following best practices:
To configure the SecureAuth Identity Platform installation for RSA SecurID Migration authentication, perform the following steps.
Repeat this step for every SecureAuth folder, except for the SecureAuth0 folder.
Launch the SecureAuth Identity Platform Admin Console by entering the URL http://localhost:8088/. The admin console user interface can only be viewed on the local machine. For Identity Platform version 9.3 and above, open the classic admin interface.
The web config files are updated using the new DLLs you copied to the appropriate folders. After the update is completed, the admin UI reappears.
NOTE: Confirm that the following value is set: "RadiusOathTokenValidationEnabled" value="True"
| Field | Description |
| --- | --- |
| RADIUS Server | Select whether a RADIUS server is enabled for this SecureAuth Identity Platform appliance. Enable this feature to connect with the RSA SecurID server. |
| Host Name | Enter the IP address or the server name of the target RADIUS server. |
| Authentication Port | Enter the port number this appliance will use to authenticate applications overseen by the external RADIUS server gateway. |
| Authentication Account | Not used. No value is needed or used for this use case. |
| Retries | Enter the number of retries the SecureAuth appliance will make before abandoning the request to the RSA RADIUS server. |
| Socket Timeout | Enter the number of milliseconds this RADIUS port will wait before abandoning the request to the RSA RADIUS server. |
| Shared Secret | Enter the RADIUS shared secret that enables this appliance to access the RADIUS server. |
Update the configuration accordingly and click Save to commit the configuration changes.
Testing the SecureAuth RSA SecurID Migration VAM Deployment
A third component included in the SecureAuth RSA SecurID Migration VAM deployment package is the RADIUS Test Client. This command line tool enables you to test the deployment and ascertain whether the VAM configuration is working properly prior to any integration.
To initiate this test, use the following procedure:
NOTE: If you enter only the executable name, a list of all parameters supported by this executable appears.