How To Register RSA Authentication Manager
Setting Up Two-Factor Authentication (TFA) With RSA SecurID
You can set up two-factor authentication (TFA) with RSA SecurID in PAM360 if you have RSA Authentication Manager and RSA SecurID Appliance in your environment. This will help you leverage RSA SecurID's authentication factor as the second layer of security for your login.
Following are the steps to set up TFA with RSA SecurID in PAM360:
- Configuring TFA in PAM360
- Integrating RSA SecurID with PAM360
- Enforcing TFA for required users
- Connecting to PAM360's web-interface when TFA is enabled
1. Configuring TFA in PAM360
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option RSA SecurID and click Save. Administrators can also enable RSA On-Demand authentication by selecting the On-Demand authentication check-box.
- Then, click Confirm to enforce RSA SecurID as the second factor of authentication.
2. Integrating RSA SecurID with PAM360
You can integrate RSA SecurID with PAM360 by following the steps below:
- Register the PAM360 server as an Agent Host in the RSA Authentication Manager.
- Generate the RSA Authentication Manager configuration file, or sdconf.rec, in RSA manager. Copy and paste the sdconf.rec to the <PAM360_SERVER_HOME>\bin directory. In addition, if a node secret file (securid) exists, copy and paste that as well.
- In the RSA Authentication API configuration file (rsa_api.properties), edit the "RSA_AGENT_HOST" property value as PAM360's server hostname or IP address. This file will be located in the default application directory (<PAM360_SERVER_HOME>\bin).
Note: If you are using PAM360's high availability feature, you need to carry out the above steps in the secondary server installation too.
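A preflight check for the file-based part of the steps above, as an added example (not ManageEngine's or RSA's code). It assumes you pass the path of `<PAM360_SERVER_HOME>/bin` and the hostname or IP registered as the Agent Host; the function names and the sample host `pam01.example.test` are hypothetical, and the permission check on the node secret is an extra review point that applies on POSIX hosts only.

```python
import os
import re
import tempfile
from pathlib import Path

PROP_LINE = re.compile(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)")

def read_properties(path):
    """Minimal Java .properties reader: skips comments, accepts '=' or ':'."""
    props = {}
    for line in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_rsa_agent_files(bin_dir, expected_host):
    """Return a list of findings; an empty list means the files look consistent."""
    bin_dir, findings = Path(bin_dir), []
    if not (bin_dir / "sdconf.rec").is_file():
        findings.append("sdconf.rec not found in bin directory")
    props_file = bin_dir / "rsa_api.properties"
    if not props_file.is_file():
        findings.append("rsa_api.properties not found in bin directory")
    else:
        host = read_properties(props_file).get("RSA_AGENT_HOST", "")
        if not host:
            findings.append("RSA_AGENT_HOST is empty or missing")
        elif host.lower() != expected_host.lower():
            findings.append(f"RSA_AGENT_HOST is {host!r}, expected {expected_host!r}")
    secret = bin_dir / "securid"  # node secret file, checked only if it exists
    if secret.is_file() and os.name == "posix" and secret.stat().st_mode & 0o077:
        findings.append("securid node secret is accessible to group/other")
    return findings

if __name__ == "__main__":
    # Constructed sample layout standing in for <PAM360_SERVER_HOME>/bin.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sdconf.rec").write_bytes(b"constructed placeholder")
        Path(d, "rsa_api.properties").write_text("RSA_AGENT_HOST=localhost\n")
        for finding in check_rsa_agent_files(d, "pam01.example.test"):
            print("FINDING:", finding)
```

With high availability configured, run the same check against the secondary server's bin directory with that server's own Agent Host name.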
Mapping PAM360 users to RSA Authentication Manager:
Before the second factor authentication can take place, use the RSA Security Console to enter all desired PAM360 users into RSA Authentication Manager, assign tokens to them and activate them on the appropriate Agent Host.
Ensure that the user name in RSA Authentication Manager and the corresponding user name in PAM360 are the same. For an already existing RSA user, in case there is a user name mismatch between PAM360 and RSA Authentication Manager, you can map the correct user name in PAM360 by editing the user properties in PAM360.
For instance, if you have imported a user by the name 'ZYLKER\rob' from Active Directory into PAM360 and in RSA Authentication Manager the username is recorded as 'rob', there will be a mismatch. To avoid that, you can edit the user name in PAM360 and get the name 'ZYLKER\rob' mapped to 'rob'.
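The mismatch check described above can be run over user lists before TFA is enforced. This is an added example, not part of PAM360 or RSA Authentication Manager: it assumes you have the two user-name lists as plain strings, the function name and the sample names other than 'ZYLKER\rob' are constructed, and the "shared" bucket is an extra review point that flags several PAM360 accounts resolving to one RSA user (and therefore one token).

```python
from collections import defaultdict

def plan_user_mappings(pam_users, rsa_users):
    """Sort PAM360 user names into: exact match, needs mapping, missing in RSA.

    Also reports RSA users claimed by more than one PAM360 account.
    """
    rsa_users = set(rsa_users)
    plan = {"match": [], "map": {}, "missing": [], "shared": {}}
    claimed = defaultdict(list)  # RSA user -> PAM360 accounts resolving to it
    for user in pam_users:
        if user in rsa_users:
            plan["match"].append(user)
            claimed[user].append(user)
            continue
        # 'ZYLKER\rob' style names: compare the part after the domain prefix.
        short = user.split("\\", 1)[-1]
        if short in rsa_users:
            plan["map"][user] = short
            claimed[short].append(user)
        else:
            plan["missing"].append(user)
    plan["shared"] = {r: p for r, p in claimed.items() if len(p) > 1}
    return plan

if __name__ == "__main__":
    # Constructed sample lists; only 'ZYLKER\rob' -> 'rob' comes from the page.
    pam = ["ZYLKER\\rob", "admin", "ZYLKER\\ann", "LAB\\rob"]
    rsa = ["rob", "admin"]
    for bucket, value in plan_user_mappings(pam, rsa).items():
        print(bucket, "->", value)
```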
The following sequence describes the authentication process between PAM360 and RSA SecurID:
- When a user first tries to access PAM360, authentication is done through Active Directory or LDAP or locally.
- PAM360 prompts the user for a username and the RSA SecurID passcode, both of which are sent to the RSA Authentication Manager through the RSA Runtime API.
- RSA Authentication Manager then authenticates the user and returns a message to PAM360.
- PAM360 grants the user access to the requested resource.
3. Enforcing TFA for Required Users
- Once you confirm RSA SecurID as the second factor of authentication, in a new pop-up window, you will be prompted to select users for whom TFA should be enforced.
- You can enable or disable TFA for a single user or multiple users in bulk from here. To enable TFA for a single user, click Enable beside the respective username. For multiple users, select the required usernames and click Enable at the top of the user list. Similarly, you can also Disable TFA from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
4. Connecting to PAM360's Web-Interface when TFA is Enabled
The users who have TFA enabled for their accounts will have to authenticate twice successively during login. As mentioned above, the first level of authentication will be through PAM360's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication will differ as explained below:
- Upon launching the PAM360 web-interface, the user has to enter the username and local authentication or AD/LDAP password to log in to PAM360 and click Login.
- Against the text field RSA Passcode, enter the RSA SecurID passcode. The passcode could be a combination of PIN and Tokencode or only the Tokencode alone or the On-Demand PIN depending on the configuration done in RSA Authentication Manager.
- If you want to leverage the RSA On-Demand authenticator, select RSA On-Demand and continue. In this case, you need to provide the On-Demand Tokencode as specified in case 3 below.
4.1. Three different scenarios possible while logging into PAM360 using RSA SecurID
Case 1: Entering user generated / system created PIN
As mentioned above, the RSA passcode could be a combination of PIN and tokencode or just tokencode alone or a password depending on the configuration done in RSA Authentication Manager. If the settings in RSA Security Console require the users to create a PIN on their own or use a system generated PIN, the following options would be shown to the users after step 2 (that is, after entering the first password and RSA tokencode to log in to PAM360).
User Created PIN:
In the case of user created PIN, users will get the option to enter the PIN on their own. The PIN should contain numeric characters - minimum of 4 and a maximum of 8 characters. After entering the PIN, the user will have to wait for a while until the RSA tokencode changes to a new value. Then, in the next screen, enter the new PIN and the RSA tokencode to authenticate.
System Created PIN:
In the case of system created PIN, PAM360 itself will randomly generate a PIN and it will be shown on the screen. Users will have to note down the new PIN and wait for a while until the RSA tokencode changes to a new value. Then, in the next screen, the users will have to enter the new PIN as generated by the system and the RSA tokencode to authenticate.
Case 2: New Tokencode Mode
If a user attempts to log in to PAM360 using a random RSA passcode or by guesswork for a specified number of times, the RSA Authentication Manager will turn the screen to the New Tokencode mode to verify whether the user possesses the token. In that case, PAM360 prompts for the next tokencode during the login. That means the user will have to wait until the RSA device shows a new tokencode and enter the new code to continue with logging into PAM360.
Note: If the new tokencode entered by the user is wrong, PAM360 will revert to the initial login screen. Users will have to start again by entering the username.
Case 3: Tokencode Mode
When the RSA On-Demand authenticator is configured, you need to supply the Tokencode to log into PAM360. The Tokencode will be sent to the registered email id or mobile number as configured in the RSA On-Demand authentication system.
Note: If you have configured High Availability, whenever you enable TFA or when you change the TFA service type, you need to restart the PAM360 secondary server once for it to take effect.
Source: https://www.manageengine.com/privileged-access-management/help/rsa-secur-id-two-factor-authentication.html