Secure Mobile Access 12.4 Administration Guide

Configuring RSA Server Authentication

The appliance supports SecurID, token-based user credentials that are validated against a database on an RSA Authentication Manager server. Configuring this type of authentication involves changes on both the RSA server and the SMA appliance, which are outlined below. For step-by-step instructions for RSA Authentication Manager 7.1, see the Knowledge Base article, Configuring RSA Authentication For Use With an E-Class Secure Remote Access Appliance (SW6571).

Affinity servers should be used only for authentication servers that do not include full group search capabilities, such as RADIUS, RSA, and PKI servers.

To configure RSA Authentication Manager for token-based credentials

  1. Create an agent host on the RSA server with the IP address for the internal interface of the SMA appliance.

  2. Make the configuration changes necessary to resolve the names of both the RSA server and the SMA appliance:

    • DNS must be able to resolve the RSA server’s name; simply adding the appliance and its IP address to your /etc/hosts file will not work.

    • The appliance’s name (as configured on the RSA server) must resolve to the internal IP address of the appliance.

  3. DNS must be able to resolve the RSA server’s name in both directions:

    • The appliance’s name (as configured on the RSA server) must resolve to the internal IP address of the appliance; simply adding the appliance and its IP address to your /etc/hosts file will not work.

    • The RSA server requires a reverse DNS entry for the internal interface of the SMA appliance.

  4. After adding the agent host on the RSA server, make sure that you generate the configuration file (sdconf.rec) for the correct agent host.

  5. In the AMC, navigate to System Configuration > Authentication Servers.

  6. Click New.

  7. Under Authentication directory, choose RSA Authentication Manager.

    The Credential type is automatically set to Token/ SecurID.

  8. Click Continue.

  9. In the Name field, type a name for the authentication server.

  10. Specify the location of your RSA Authentication Manager server SecurID configuration file, sdconf.rec. This configuration file is in binary format and contains the ports and processes associated with the RSA authentication service. When in place, this file is used by the RSA libraries to communicate over the network to an RSA server.
  11. Click Save to upload it to the appliance.

  12. The node secret is negotiated when the first authentication request is made from the agent host. Make sure that the node secret created flag is cleared on the RSA server.

    • If you make any changes to the RSA server (for example, change its IP address, host name, or re-install it), the sdconf.rec file must be uploaded to the appliance again.

    • After upgrading some older versions, users may not be able to authenticate through the RSA server because the node secret did not migrate properly. In this case, clear the node secret for the authentication agent on the RSA server.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.