Configuring RSA Authentication For Use With an E-Class Secure Remote Access Appliance

03/26/2020

    Description:

    This article describes the steps for configuring an RSA ACE authentication server (now known as RSA Authentication Manager) for use with an Aventail / SonicWall E-Class Secure Remote Access appliance. This article contains instructions for both RSA ACE 5.2 and RSA Authentication Manager 7.1.

    Pre-requisite:

    Make sure the appliance and the RSA ACE server are able to resolve each other's FQDN (Fully Qualified Domain Name) properly. The FQDN you use for the server must be forward and reverse resolvable in DNS. Adding hostnames and IP addresses to the hosts file of each system will not accomplish this; they must be resolvable by each device's configured DNS server.
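
One way to verify this prerequisite from an admin workstation before generating sdconf.rec, as an added example that is not part of the original SonicWall article. It assumes `dig` is installed (dig queries the DNS server directly and ignores the hosts file); the function names, the sample host names in the usage comment, and the strict rule that a PTR record must match the queried name are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the SonicWall article): check that a host name is
# forward AND reverse resolvable in DNS. Assumes dig is installed; dig asks the
# DNS server directly, so hosts-file entries cannot mask a missing record.

# A records for a name, one per line. $1 = FQDN, $2 = optional DNS server IP.
lookup_a() {
    dig +short "$1" A ${2:+@"$2"} | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# PTR names for an address. $1 = IPv4 address, $2 = optional DNS server IP.
lookup_ptr() {
    dig +short -x "$1" ${2:+@"$2"}
}

# Lower-case a name and drop the trailing dot that PTR answers carry.
norm() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# check_fcrdns FQDN [DNS_SERVER]
# Returns 0 only if the name has an A record and every address it maps to has
# a PTR record that points back to the same name.
check_fcrdns() {
    want=$(norm "$1")
    ips=$(lookup_a "$1" "$2" || true)
    if [ -z "$ips" ]; then
        echo "FAIL $1: no A record found in DNS"
        return 1
    fi
    rc=0
    for ip in $ips; do
        match=no
        for ptr in $(lookup_ptr "$ip" "$2" || true); do
            if [ "$(norm "$ptr")" = "$want" ]; then match=yes; fi
        done
        if [ "$match" = yes ]; then
            echo "OK   $1 -> $ip -> $1"
        else
            echo "FAIL $1 -> $ip: PTR missing or does not match"
            rc=1
        fi
    done
    return $rc
}

# Usage (hypothetical names): sh check_fcrdns.sh sra.example.com rsa.example.com
if [ "$#" -gt 0 ]; then
    status=0
    for host in "$@"; do check_fcrdns "$host" || status=1; done
    exit "$status"
fi
```

Run it against both the appliance's and the RSA server's FQDN, passing each device's configured DNS server as the second argument to `check_fcrdns` if it differs from the workstation's resolver.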


    Deployment Steps:

    RSA 5.2

    Step 1: Add an Agent host (Unix Agent) within the RSA Authentication Manager's database and generate the sdconf.rec file:

    1. Launch RSA Authentication Manager. From the Agent Host menu, select Add Agent Host.
    2. Type the FQDN of the Aventail appliance in the Hostname field.

      If the RSA server can resolve the name, then the IP address field will be automatically updated when you move to that field.

      Fill in the Site information and select Unix Agent under Agent type.
    3. Make sure you do not have the Node Secret Created option selected.
    4. Assign users to the Agent host by either selecting Open to All Locally Known Users or by activating users under User Activations.
    5. Click OK to save the Agent, and then select Generate Configuration Files under Agent Hosts and generate an sdconf.rec file.
      Note: SonicWall recommends generating the sdconf.rec file with the All Agent Hosts option enabled.

    Step 2: Now log in to AMC and create a new RSA ACE authentication server. Upload the sdconf.rec file generated in Step 1, and then save and apply the changes.

    Step 3: Log in to WorkPlace using your appliance's RSA ACE realm. During the first authentication attempt, the appliance will negotiate the nodesecret. From that point on, users should be able to log in using their RSA username/token.

    RSA Authentication Manager 7.1

    Note: The following assumes you have already assigned a token to a user. The example below shows how authentication looks for a keyfob user.

    Step 1: Add an Authentication Agent (the Aventail appliance) within the RSA Authentication Manager's database:

    1. From the desktop or Start menu > All Programs > RSA Security, launch the RSA Security Console.
    2. Once logged in, generate the agent from Access > Authentication Agents > Add New.
    3. For your agent, fill in either the Hostname or IP Address and then click its corresponding "Resolve" button. The IP address and hostname should both resolve in DNS for the authentication agent. If they do not, then authentication will fail for users.
    4. For the Agent Type, select Standard Agent. The other options can be set per your organization's security policy.

    5. Click the Save button to save this authentication agent.

    Step 2: Generate the sdconf.rec file for use on the Aventail appliance:

    1. In the Security Console, click Access > Authentication Agents > Generate Configuration File.
    2. Select Maximum Retries.
    3. Select Maximum Time Between Each Retry.
    4. Click Generate Configuration File.
      The Download Configuration File page opens.
    5. Click Download Now.
    6. When prompted, click Save to Disk, and save the ZIP file to your machine.
    7. Unzip the file, and use the extracted sdconf.rec file in the RSA ACE authentication server you're configuring on the appliance.

    Step 3: Log into your appliance's RSA realm. The login process will look like this for a user who has just received a keyfob token and needs to set a PIN:

    1. The user connects to the appliance and selects the RSA realm. They enter their username and token code. They haven't yet created a PIN, so they just enter the code shown on their keyfob.
    2. After clicking Log in, the user is presented with the following page asking them to set their PIN. They enter a PIN and click OK:

      New PIN required! Please enter your new PIN. Minimum Length: 4 Maximum Length: 8.

    3. Now that a PIN has been set, the user has to enter the passcode (the PIN plus tokencode) and then click OK:

      New passcode needed. Please enter the passcode after it changes on your token.

    4. The user then receives a message that the passcode was accepted and, after clicking OK, is taken to WorkPlace:

      Passcode Accepted

    Known Issues

    Node secret mismatch after configuration replication

    More details are available in KB item #6870.

    Node secret mismatch when logging into appliance

    During the creation of this KB, support ran into the following error the first time they attempted to log a user into an RSA realm. When looking at the real-time reporting in the RSA Security Console, they saw the following error:

    Node secret mismatch. Cleared on agent but not on server.

    To resolve this issue, the node secret had to be cleared on the RSA server and on the Aventail appliance so it could be resent from the RSA server. These instructions are for RSA Authentication Manager 7.1. KBs 6517 and 6870 contain instructions on how to clear the node secret in version 5.2.

    On the RSA server:

    1. In the RSA Security Console go to Access > Authentication Agents > Manage Existing.
    2. Click the arrow on the authentication agent that's having difficulties and select Manage Node Secret...
    3. Select the checkbox next to Clear the node secret and then click Save.
    4. Now, you must remove the associated file on the Aventail appliance.

    On the Aventail appliance:

    Warning: SonicWall strongly recommends that users not familiar or comfortable with the command line contact SonicWall product support for assistance. Use the command line at your own risk.

    Please see KB item #2500 for some suggestions on enabling SSH access to the appliance and getting onto the command line.

    1. Log into the console using a serial cable or SSH.
    2. Change to the /var/ace directory:
      cd /var/ace
    3. Remove the nodesecret files (sdstatus.12, securid) from the appliance:
      rm sdstatus.12 securid
    4. Restart policyserver. Note: This will restart all access services and drop user sessions.
      /etc/init.d/policyserver restart
    5. Log into WorkPlace again using an RSA token. If you're using real-time logging on the RSA server, you'll see that a new nodesecret is sent.

    Appliance continues to authenticate to old RSA server after creating new RSA authentication server

    Another issue seen while creating this KB article was that an sdconf.rec file that had already been imported to an appliance continued to be used by that appliance until the policy service (policyserver) was restarted from the command line of the Aventail appliance using this command:

    /etc/init.d/policyserver restart
