Configuring RSA Authentication For Use With an E-Class Secure Remote Access Appliance

03/26/2020 15 13080

DESCRIPTION:
Configuring RSA Authentication For Use With an E-Class Secure Remote Access Appliance

RESOLUTION:

Description:

This article describes the steps for configuring an RSA ACE authentication server (now known as RSA Authentication Manager) for use with an Aventail / SonicWall E-Class Secure Remote Access appliance. This article contains instructions for both RSA ACE 5.2 and RSA Authentication Manager 7.1.

Pre-requisite:

Make sure the appliance and the RSA ACE server are able to resolve each other's FQDN (Fully Qualified Domain Name) properly. The FQDN you use for server must be forward and reverse resolvable in DNS. Adding hostnames and IP addresses to the hosts file of each system will not accomplish this; they must be resolvable by each device's configured DNS server.

Deployment Steps:

RSA 5.2

Step 1: Add an Agent host (Unix Agent) within the RSA Authentication Manager's database and generate the sdrec.conf file:

1. Launch RSA Authentication Manager. From the Agent Host menu, select Add Agent Host.
2. Type the FQDN of the Aventail appliance in the Hostname field.
   
   If the RSA server can resolve the name, then the IP address field will be automatically updated when you move to that field.
   
   Fill in the Site information and select Unix Agent under Agent type:
   
   
3. Make sure you do not have the Node Secret Created option selected.
4. Assign users to the Agent host by either selecting Open to All Locally Known Users or by activating users under User Activations:
   
   
5. Click OK to save the Agent, and then select Generate Configuration Files under Agent Hosts and generate a sdconf.rec file.
   Note: SonicWall recommends generating the sdconf.rec file with the All Agent Hosts option enabled, as shown below:
   
   

Step 2: Now log in to AMC and create a new RSA ACE authentication server. Upload the sdconf.rec file generated in Step1, and then save and apply the changes:

Step 3: Log in to WorkPlace using your appliance's RSA ACE realm. During the first authentication attempt, the appliance will negotiate the nodesecret. From that point on, users should be able to log in using their RSA username/token.

RSA Authentication Manager 7.1

Note: The following assumes you have already assigned a token to a user. In the example below, we will be displaying how authentication will look for a keyfob user.

Step 1: Add an Authentication Agent (the Aventail appliance) within the RSA Authentication Manager's database:

1. From the desktop or Start menu > All Programs > RSA Security, launch the RSA Security Console:
   
2. Once logged in, generate the agent from Access > Authentication Agents > Add New:
   
   
3. For your agent, fill in either the Hostname or IP Address and then click its corresponding "Resolve" button. The IP address and hostname should both resolve in DNS for the authentication agent. If they do not, then authentication will fail for users:
   
4. For the Agent Type select Standard Agent. Other options in the following screenshot can be set per your organization's security policy:
   
   
5. Click the Save button to save this authentication agent.

Step 2: Generate the sdconf.rec file for use on the Aventail appliance:

1. In the Security Console, click Access > Authentication Agents > Generate Configuration File.
2. Select Maximum Retries
3. Select Maximum Time Between Each Retry.
4. Click Generate Configuration File.
   The Download Configuration File page opens.
5. Click Download Now.
6. When prompted, click Save to Disk, and save the ZIP file to your machine.
7. Unzip the file, and use the extracted sdconf.rec file in the RSA ACE authentication server you're configuring on the appliance.

Step 3: Log into your appliance's RSA realm. The login process will look like this for a user who has just received a keyfob token and needs to set a PIN:

1. User connects to appliance, and selects the RSA realm. They enter their username and token code. They haven't yet created a PIN, so they just put in the code on their keyfob:
   
2. After clicking Log in the user is presented with the following page asking them to set their PIN. They enter a PIN and click OK:
   
   New PIN required! Please enter your new PIN. Minimum Length: 4 Maximum Length: 8.
   
   
3. Now that a PIN has been set, the user has to enter the passcode (the PIN plus tokencode) and then click OK:
   
   New passcode needed. Please enter the passcode after it changes on your token.
   
   
4. The user then receives a message that the passcode was accepted and, after clicking OK, is taken to WorkPlace:
   
   Passcode Accepted

Known Issues

Node secret mismatch after configuration replication

More details are avalable in KB item #6870

Node secret mismatch when logging into appliance

During the creation of this KB, support ran into the following error the first time they attempted to log a user into an RSA realm. When looking at the real-time reporting in the RSA Security Console, they saw the following error:

Node secret mismatch. Cleared on agent but not on server.

To resolve this issue, the node secret had to be cleared on the RSA server and on the Aventail appliance so it could be resent from the RSA server. These instructions are for RSA Authentication Manager 7.1. KBs 6517 and 6870 contain instructions on how to clear the node secret in version 5.2.

On the RSA server:

1. In the RSA Security Console go to Access > Authentication Agents > Manage Existing:
   
2. Click the arrow on the authentication agent that's having difficulties and select Manage Node Secret...
   
3. Select the checkbox next to Clear the node secret and then click Save:
   
4. Now, you must remove the associated file on the Aventail appliance.

On the Aventail appliance:

Warning SonicWall strongly recommends that users not familiar or comfortable with the command line contact SonicWall product support for assistance. Use the command line at your own risk.

Please see KB item #2500 for some suggestions on enabling SSH access to the appliance and getting onto the command line.

1. Log into the console using a serial cable or SSH.
2. Change to the /var/ace directory:
   cd /var/ace
3. Remove the nodesecret files (ststatus.12, securid) from the appliance:
   rm sdstatus.12 securid
4. Restart policyserver. Note: This will restart all access services and drop user sessions.
   /etc/init.d/policyserver restart
5. Log into WorkPlace again using a RSA token. If you're using real-time logging on the RSA server, you'll see that a new nodesecret is sent:
   

Appliance continues to authenticate to old RSA server after creating new RSA authentication server

Another issue seen while creating this KB article was that a sdconf.rec file that had already been imported to an appliance continued to be used by that appliance until the policy service (policyserver) was restarted from the command line of the Aventail appliance using this command:

/etc/init.d/policyserver restart