SGD with RSA Token Authentication - Is it all or nothing?

We are investigating having RSA authentication in SGD, but we only want to force its usage for a subset of users. Based on what I can see in the docs and the screens, it's not clear if it's all or nothing.

We have the same question from a customer.
Here is my suggestion:
Have two SGD servers. Both are in one array. Because LDAP and RSA are global configurations, both SGD servers can handle logins via these authorities.
To prevent login via RSA in sgd1, disable the route to the RSA server.
To prevent login via ldap in sgd2, disable the route to the LDAP server.
sgd2 should be the primary, and the one used to log in to the Admin Console, so DSI will work.
Another thought, which is a dead end: RSA via third-party authentication with http.conf preventing access from a network. This can work, but not with firewall traversal, because Apache sees only localhost.
Would be happy to have more suggestions about this.

Similar Messages

  • SGD with Third Party Authentication issue

    Hi
    I am trying to setup SGD with Third Party Authentication and have done all the requisites for this.
    I input the SGD URL and get the Third Party Login page, but after I input my credentials, I get redirected to the SGD default login page, which should not be the case. I had already set "Tomcat Authentication" to false in server.xml and enabled the Third Party authentication scheme in Array Manager.
    What else am I missing?
    Kindly advise.
    SGD version 4.31
    Thanks

    Every now and then I have found the same. One thing that almost always solved the problem was recreating a new trusted user, you can follow the steps from:
    http://docs.sun.com/source/820-1088/trusted_users.html
    Especially the step to test the trusted user is a very good test to see if the trusted user is OK: http://server/axis/services/rpc/externalauth
    When prompted, log in as the trusted user.
    Another way to test it is via the api-test functionality: http://server/sgd/admin/apitest/
    First set up a session: webtopsession->startSession(0)
    Then authenticate via externalauth->setSessionIdentity
    These steps are the minimal steps to perform 3rd Party Authentication.
    (There is also an example JSP for 3rd Party Authentication on wikis.sun: http://wikis.sun.com/display/SecureGlobalDesktop/Single+sign-on+(before+4.40) )
    - Remold

  • SSLVPN with RSA TOKEN

    Hi
    Does the firewall support SSL VPN with the RSA token concept with the below-mentioned license?
    A remote access VPN is currently configured. If yes, what are the changes required?
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

    As far as I know, you will need an AAA server to communicate with the RSA key server, like below:
    Cisco ASA ---> ACS ---> RSA Server
    The license is fine.
    This is the guide for the setup: http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

  • Best Way To Setup SGD With RSA Authentication

    At the moment, I've got RSA Authentication working with SGD 4.60-911. Now under my setup, I've manually created a user profile and assigned a couple of Terminal Server sessions to it and everything is working. I'm not sure if this is the best or, more importantly, the most efficient way to be setting up users for SGD use.
    Is it possible to still have RSA Authentication in place and also have the SGD users profile being accessible from AD/LDAP queries? What I'm thinking is that I could set up a SGD "dial-in" group within AD and assign the users to it, again within AD. I could then assign the applications to that group within SGD and hence filter this down to the individual users. This would stop me having to create a SGD user profile for every user we want to access SGD.
    Hope this makes sense.
    TIA.

    The thing to understand about what Arno suggests is that the SecurID profile is not used at all.
    With third-party authentication, there are two stages: authentication (nothing to do with SGD) and search for an identity and profile (performed by SGD).
    Arno's posting tells you about the authentication set-up, and by the way, this is definitely the way to go because of the announcement here http://docs.sun.com/source/821-1928/z40000061616182.html
    The result of the authentication stage is a username, usually stored in the REMOTE_USER environment variable. All of this happens independently of SGD.
    With the search stage, SGD looks at the value of REMOTE_USER and performs a search for the user identity and user profile.
    How SGD does this is configurable, see http://docs.sun.com/source/821-1926/z400007d1322324.html#z400007d1323983
    The basic choice is to use LDAP or not.
    If you don't use LDAP, then the user profile is either a user profile object you have created specifically for the user or the default Third-Party Profile (in System Objects).
    If you do use LDAP, the user profile is either a user profile object you have created specifically for the user, an LDAP Profile object you create to apply settings to a group of users, or the default LDAP Profile (in System Objects).
    Note: you can enable both methods at the same time.
    If possible, use LDAP for the search stage. It reduces the number of user profile objects you need to create (you might not have to create any) and it means you can assign applications to users dynamically by searching the LDAP directory (less admin).
    Hope this helps.
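The two stages described in this answer, as an added example that is not SGD code: the web server's authentication stage, whose only output is REMOTE_USER, and SGD's search stage, which turns that name into a user profile and a list of assigned applications. The directory contents, the profile and application names, the group-based application assignment and the fall-through order used when both search methods are enabled are assumptions made for illustration.

```python
"""Model of third-party authentication: the web server authenticates and
exports REMOTE_USER; the search stage resolves a profile and applications.

Added example, not SGD code. Sample data and the fall-through order when both
search methods are enabled are assumptions made for illustration.
"""
from dataclasses import dataclass

# Default profiles in "System Objects" (names as given in the post).
DEFAULT_THIRD_PARTY_PROFILE = "System Objects/Third-Party Profile"
DEFAULT_LDAP_PROFILE = "System Objects/LDAP Profile"

# Constructed sample data standing in for SGD objects and an LDAP directory.
USER_PROFILE_OBJECTS = {          # user profile objects created by hand
    "alice": ("Users/alice", ["Terminal Server A"]),
}
LDAP_DIRECTORY = {                # uid -> group memberships
    "alice": ["sgd-dialin"],
    "bob": ["sgd-dialin", "admins"],
    "carol": [],
}
LDAP_PROFILE_OBJECTS = {          # LDAP Profile objects, one per group
    "sgd-dialin": "LDAP Profiles/sgd-dialin",
}
GROUP_APPLICATIONS = {            # applications assigned to LDAP groups
    "sgd-dialin": ["Terminal Server A", "Terminal Server B"],
    "admins": ["Admin Console"],
}


@dataclass
class Resolution:
    profile: str
    applications: list


def authentication_stage(environ: dict):
    """Stage 1, performed by the web server. SGD only ever sees REMOTE_USER.
    A missing or empty value means the request never authenticated."""
    user = environ.get("REMOTE_USER", "").strip()
    return user or None


def search_stage(remote_user: str, ldap_enabled: bool = True,
                 third_party_enabled: bool = True):
    """Stage 2, performed by SGD: find the identity and profile for REMOTE_USER."""
    # A user profile object created specifically for the user wins in both methods.
    if remote_user in USER_PROFILE_OBJECTS:
        profile, apps = USER_PROFILE_OBJECTS[remote_user]
        return Resolution(profile, list(apps))
    # LDAP method: profile from a group's LDAP Profile object (else the default
    # LDAP Profile); applications gathered dynamically from group membership.
    if ldap_enabled and remote_user in LDAP_DIRECTORY:
        groups = LDAP_DIRECTORY[remote_user]
        profile = next((LDAP_PROFILE_OBJECTS[g] for g in groups
                        if g in LDAP_PROFILE_OBJECTS), DEFAULT_LDAP_PROFILE)
        apps = sorted({a for g in groups for a in GROUP_APPLICATIONS.get(g, [])})
        return Resolution(profile, apps)
    # Non-LDAP method: the default Third-Party Profile. Assumption: when both
    # methods are enabled, this is reached only if the LDAP search found nothing.
    if third_party_enabled:
        return Resolution(DEFAULT_THIRD_PARTY_PROFILE, [])
    return None


def log_in(environ: dict, **search_options):
    """Run both stages; None means no session is created."""
    user = authentication_stage(environ)
    if user is None:
        return None
    return search_stage(user, **search_options)
```

Running `log_in({"REMOTE_USER": "bob"})` resolves bob through the LDAP method and collects applications from both of his groups without any user profile object existing for him, which is the "less admin" point the answer makes; an empty REMOTE_USER yields no session at all.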

  • Router login with RSA token

    Is there any way to secure the login process of a router using an RSA token?
    And how do I do that?
    Thank you!
    Regards.

    You can set the router to authenticate with TACACS or with Radius and then set up the authentication server to use RSA server as the authentication processor (an external authentication to the TACACS or Radius server).
    So the configuration of the router is pretty straightforward:
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    The more unusual part is the configuration of the TACACS server to send authentication requests to RSA.
    HTH
    Rick

  • MfE - 2stage logon with RSA token, possible?

    I'm finally able to use Exchange 2003 SP2 on OWA on my PC via IEv7.
    However, in order to use OWA at home I have 2 issues that I cannot figure out what to do with MfE.
    1. 2 stage logon.
    - First logon is the site logon ID & password. I work for a bank and as such security is its focus; gladly not a hindrance. I have a 2 stage logon because the AD ID I have is set for supporting 1 area of the bank while my access allows certain admin rights.
    - Thus my first logon is not the same as my AD. This enables a certificate to be installed into IE v7. This worked on MfE initially.
    - The second stage logon requires my AD account logon ID, and the pw uses my PIN+Tokencode (RSA hardtoken generated). 
    2. Although RSA supports S60, there is nothing on the web or on their site showing a trial or full working application for download OR purchase. It supports S60 3rd Edition.
    Now, can MfE or any other software help me out in this situation?

    So I found RSA's link to purchasing the software ...
    http://www.rsa.com/node.aspx?id=3388
    BUT it asks you to basically register.
    Technical Specifications
    Currently shipping version: RSA SecurID® Token 2.20 for Symbian OS™ and UIQ
    Device requirements: Symbian OS™ 9.1 or higher; UIQ 3.0 or higher
    Required components: RSA® Authentication Manager (5.1 or later required for AES token support; 6.1 recommended)
    AES (128-bit) token seeds
    Ordering options: AES (128-bit) token seeds available in 6-month and 1-, 2-, 3-, 4-, 5-, and 10-year lifetime configurations.
    Pricing and availability: RSA® SecurID Token 2.20 for Symbian OS™ and UIQ is available free of charge through RSA.
    Download RSA SecurID Token 2.20 for Symbian OS™ and UIQ, including documentation
    Token seeds are available through RSA sales channels.

  • RSA-Token Authentication WLC 5500

    Can I configure "RSA SecurID" or "Token" to authenticate users in a WLAN on the Wireless LAN Controller 5500 series?
    Is that possible?

    LeeJohns,
    We are testing this type of Authentication our components are:
    1.- Wireless LAN Controller 5508
    2.- LAP 1141
    3.- RSA Authentication Manager 6.1
    We don't have an external RADIUS server such as Cisco ACS.
    We added the Management IP Address of the WLC as a "Radius Client" in the RSA Authentication Manager 6.1.
    The configuration of the WLC is:
    1.- Security / Radius / Authentication: IP Address of the RSA Authentication Manager.
    2.- WLAN / Layer 2 Security : 802.1X / AAA Servers IP Address of the RSA Manager.
    Configuration of the RSA Authentication Manager.
    1.- RSA Authentication Manager > Add Agent Host > Network Address: Management IP Address of the WLC
    2.- In the RSA Client enter the same shared key entered in the WLC.
    The WLAN shows the prompt "Enter Username and Password" when the user tries to connect to the wireless network; the user enters the username/password and the authentication fails.
    Is the RADIUS server necessary?
    Thanks

  • TMG with RSA for OWA on the same URL as EAS

    Hi
    We have a requirement to use RSA authentication for external OWA users on Exchange 2010.  Exchange ActiveSync users will not be affected and will authenticate normally.  We currently have OWA, EAS and Autodiscover on the same URL mail.company.com.
    I have installed TMG on a server with 1 NIC on our DMZ.  I have set up 3 listeners, one for OWA with RSA, one for EAS and one for Autodiscover.  The problem is the OWA/RSA listener can't share the same IP as the others (I get an 'overlap' error message), so I have had to add a 2nd IP address to the server NIC to solve that.  All looks OK on TMG except now I have the problem that all the traffic is coming into our firewall on one URL and has to be NATted to only one of the 2 IP addresses.
    Do I need to have separate external URLs for OWA and EAS/Autodiscover so that they can be NATted to different IP addresses and hence different listeners?  Is there an easier way to split the traffic?
    Thanks

    Hi,
    The following part in the thread below might help.
    Quote:
    We have a firewall in front of the TMG that we are using static NATs. So I would have to create another static NAT for the IP i just added to my external NIC for ActiveSync.
    Create two external DNS entries. One for owa.domain.com and one for activesync.domain.com and point them to their respective IPs.
    For more information:
    http://social.technet.microsoft.com/Forums/en-US/119c0a10-b475-449f-b2ea-15fe260e89ce/publishing-exchange-2010-owa-with-rsa-secureid-authentication-and-active-sync?forum=Forefrontedgegeneral
    Best Regards,
    Joyce

  • LEAP, ACS and RSA token Card

    Hello,
    Is it possible to use LEAP with an RSA token card to authenticate WLAN users together with ACS?
    Best Regards,

    You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ ADU 1.0.
    I have it working with limited functionality

  • How can I make ESA work with RSA tokens, so that when I enter the login, the authentication uses RSA?

    Hi there,
    How can I make ESA work with RSA tokens? I mean, when I enter the login, the authentication asks me for the RSA token. Is it possible???
    Regards,

    Hello Miguel,
    RSA tokens are currently not supported for login, neither to the GUI/CLI nor for access to the spam quarantine. There is currently a feature request "Support SecurID via RADIUS" for the WSA; if you want, you can open a ticket and either have your company added to that request, or have it extended to the ESA as well.
    Hope that helps,
    Andreas

  • Web Authentication with RSA SecureID on a Cisco Switch

    Hi,
    I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius
    I've already managed to link it in for ssh access
    but I've not managed to get it working for http / web access to the switch
    I think this is because we're using "single use" tokens for maximum security with RSA SecureID
    and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server
    (okay on the first authentication, but each time after it's going to want a different token code)
    I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
    For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2

    Hello Chris,
    Can you test the following configuration?
    aaa group server radius webtac_grp
    server
    cache expiry 1
    cache authorization profile httpauth
    cache authentication profile httpauth
    aaa authentication login httpauth cache webtac_grp group webtac_grp
    aaa authorization exec httpauth cache webtac_grp group webtac_grp
    aaa authorization network httpauth cache webtac_grp group webtac_grp
    aaa cache profile httpauth
    all
    ip http server
    ip http authentication aaa login-authentication httpauth
    ip http authentication aaa exec-authorization httpauth
    radius-server host key ******
    I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the Java applet authentication when accessing the IOS GUI. I have not tested it against RSA acting as the backend authentication server.
    NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
    If this was helpful please rate.
    Regards.
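What the question and the suggested configuration are about, as an added example that is neither Cisco nor RSA code: a backend that accepts each PIN+tokencode only once, so the repeated prompts from the IOS web interface fail after the first one, and an authentication cache in the style of "aaa authentication login ... cache ... group ..." with "cache expiry 1" that answers the repeats locally. The token server, the cache behaviour (keyed on user plus credential, entries dropped on expiry), the clock, the users and the codes are simplified models and constructed values.

```python
"""Single-use token codes versus a cached AAA method list.

Added example, not Cisco or RSA code. The token server, the cache and the
clock are simplified models; users, codes and times are constructed.
"""


class FakeClock:
    """Controllable clock so the cache expiry can be exercised deterministically."""
    def __init__(self, start_minutes=0.0):
        self.minutes = start_minutes

    def now(self):
        return self.minutes


class TokenServer:
    """Stands in for the RADIUS side of the RSA server: a PIN+tokencode is
    accepted at most once, so any repeat of the same code is a replay."""
    def __init__(self, codes):
        self.codes = {u: set(c) for u, c in codes.items()}  # user -> valid codes
        self.used = set()
        self.requests = 0

    def authenticate(self, user, passcode):
        self.requests += 1
        if (user, passcode) in self.used:
            return False                      # single-use code replayed
        if passcode in self.codes.get(user, ()):
            self.used.add((user, passcode))
            return True
        return False


class CachingAaa:
    """Models 'aaa authentication login httpauth cache <grp> group <grp>' with
    'cache expiry N': a successful authentication is remembered for N minutes
    and repeated requests carrying the same credentials are answered from the
    cache instead of being sent to the token server. Assumption: the cache is
    keyed on user and credential, and an expired entry is dropped."""
    def __init__(self, backend, clock, expiry_minutes=1):
        self.backend = backend
        self.clock = clock
        self.expiry = expiry_minutes
        self.cache = {}                       # (user, passcode) -> expiry time

    def login(self, user, passcode):
        key = (user, passcode)
        now = self.clock.now()
        if key in self.cache:
            if self.cache[key] > now:
                return True                   # served from cache, no backend call
            del self.cache[key]
        ok = self.backend.authenticate(user, passcode)
        if ok:
            self.cache[key] = now + self.expiry
        return ok


def web_session(aaa, user, passcode, prompts=3):
    """The IOS GUI authenticates several times per session (the Java applets);
    returns how many of those prompts succeeded."""
    return sum(1 for _ in range(prompts) if aaa.login(user, passcode))


def demo():
    """Without a cache every prompt hits the token server and all but the first
    fail; with the cache only the first prompt reaches it. After the expiry the
    old code is a replay again and the next tokencode is needed."""
    clock = FakeClock()
    no_cache = TokenServer({"chris": {"1234567890"}})
    plain = sum(1 for _ in range(3) if no_cache.authenticate("chris", "1234567890"))

    backend = TokenServer({"chris": {"1234567890", "1234000000"}})
    aaa = CachingAaa(backend, clock, expiry_minutes=1)
    with_cache = web_session(aaa, "chris", "1234567890")
    first_round_requests = backend.requests

    clock.minutes += 2                         # past 'cache expiry 1'
    stale = aaa.login("chris", "1234567890")   # old code: replay, refused
    fresh = aaa.login("chris", "1234000000")   # next tokencode: accepted
    return plain, with_cache, first_round_requests, stale, fresh
```

`demo()` returns `(1, 3, 1, False, True)`: one success out of three prompts without the cache, three with it while the token server saw a single request, and after the expiry window the original code is refused while a fresh one is accepted. The short expiry is the security trade-off: it bounds how long a captured credential keeps answering locally.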

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC.
    We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list of EAP protocols supported by the RSA is attached.
    Also below is the link which says MS-PEAP is NOT supported with the RSA; please check the table "EAP Authentication Protocol and User Database Compatibility":
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS 5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "RADIUS Identity Servers" in the external identity stores section of ACS 5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x enabled laptop into the switch I can see the packets going to my ACS, but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up. I would start troubleshooting by looking at them and seeing what identity store or identity store sequence they are using.

  • Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

    Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
    Has anyone seen this before and might know the answer? Any suggestions? Thanks!
    I have setup an OAM authentication scheme that uses a custom plugin to use RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in Oracle Access Manager Integration Guide. Here's the problem:
    Everything works fine when I use a particular UPN suffix to log in to the RSA SecurID login form that is presented, e.g. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory (e.g. [email protected]), the credentials are rejected. This happens before the securid.pl script even gets a chance to run. After hitting "POST" the user is presented with the same login screen he was just at, as expected during an authentication failure.
    More info:
    - I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
    - if I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "Good" UPN)
    - I am not using SSL in any of this yet, it's all http://
    - yes, I already got rid of the "-w" parameter in the first line of the perl script, as per "Login can fail if the Login Attribute Contains an "@" Character" in the Integration Guide Troubleshooting section
    - here's an example of the settings in rsa securid authentication scheme:
    action:/OracleAccessManager/securid-cgi/securid.pl
    form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
    creds:login password domain newpin newpin2
    passthrough:yes
    authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
    credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
    Environment:
    OAM 7.0.4.3
    RSA Ace Server 5.2
    Windows 2003 domain with multiple UPNs defined in Active Directory Domains and Trusts
    Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
    Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
    password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
    ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
    ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
    ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
    2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
    \Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
    authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
    StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
    Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
    Only error seen in log produced by the RSA agent that sits on the Access server:
    [20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
    [20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
    [20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
    [20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
    [20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
    [20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

    What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in - it should generate some more logs at the access server - I think in apps\common\bin.
    Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
    -Vinod
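The credential_mapping line from the question, obMappingBase="%domain%" with obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))", expanded with values taken from the submitted login form, as an added example that is not Oracle Access Manager code. The %name% placeholder syntax is as the post shows it; the RFC 4515 escaping of substituted filter values, the sanity check on the search base and the helper names are my own, and the form values are constructed. Escaping matters because the login value comes straight from the form: without it, characters such as `*`, `(` and `)` in a submitted login would alter the structure of the search filter rather than be matched literally.

```python
"""Expansion of an OAM-style credential_mapping template from login-form values.

Added example, not Oracle Access Manager code. The placeholder syntax follows
the post; the escaping, the DN check and the helper names are assumptions.
"""
import re

PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")

# RFC 4515 escapes for the characters that would otherwise change a filter's
# structure when a submitted value is substituted into it.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, creds: dict) -> str:
    """Replace every %name% with the escaped form value; a missing field is an error."""
    def substitute(match):
        name = match.group(1)
        if name not in creds:
            raise KeyError(f"form field {name!r} not supplied")
        return escape_filter_value(creds[name])
    return PLACEHOLDER.sub(substitute, template)


def expand_base(template: str, creds: dict) -> str:
    """The search base is a DN, not a filter, so it is substituted verbatim but
    must look like a comma-separated list of attr=value RDNs (a deliberately
    strict check for this example: it rejects escaped commas inside values)."""
    def substitute(match):
        name = match.group(1)
        if name not in creds:
            raise KeyError(f"form field {name!r} not supplied")
        return creds[name]
    base = PLACEHOLDER.sub(substitute, template)
    rdn = re.compile(r"[A-Za-z][A-Za-z0-9-]*=[^,]+")
    if not all(rdn.fullmatch(part) for part in base.split(",")):
        raise ValueError(f"search base is not a DN: {base!r}")
    return base


def credential_mapping(creds: dict):
    """Return (search base, search filter) for the mapping used in the post."""
    base = expand_base("%domain%", creds)
    flt = expand_filter("(&(objectclass=user)(userPrincipalName=%login%))", creds)
    return base, flt
```

For a login such as `user@sub.example.com` (a constructed value) with domain `dc=ourdomain,dc=com`, the result is the search base unchanged and the filter `(&(objectclass=user)(userPrincipalName=user@sub.example.com))`; the `@` needs no escaping, which is consistent with the Integration Guide note the question refers to being about the perl script's `-w` switch rather than the filter itself.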

  • How to pass credentials/SAML token to access a SharePoint web service (e.g. lists.asmx) when SharePoint has single sign-on with claims-based authentication

    How do I pass credentials/a SAML token exchange to the SharePoint web service (e.g. lists.asmx) when SharePoint has single sign-on with claims-based authentication?
    The identity provider here is Oracle Identity Provider.
    harika kakkireni

    Hi,
    The following materials for your reference:
    Consuming List.asmx on a claims based sharepoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    Sharepoint Claims based authentication and Single Sign on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    Sharepoint Claim Based Authentication Web Service issue
    http://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support
