• Status: Solved
  • Priority: Medium
  • Security: Public

Questions about RSA Tokens and Two-Factor Authentication

I have a question that I need to get an answer to, but first: I don't have two-factor authentication yet.

Let's say I go with RSA tokens.

I have a Windows network with Active Directory.

I have an F5 Proxy and Arista core switches.

How does RSA two-factor authentication work? How do I install it, or what has to happen to make it work on my network?

Ultimately I want to get to the question of where on my network the two-factor authentication gets checked. If I attempt to log on to one of our web portals over the internet and I use my Windows username and password and the RSA PIN, where on my network does that get authorized to pass or get rejected?
Is it at my F5 Big IP Proxy?
Is it at my Arista core switches?
Is it at the SharePoint Web Portal server?
Or does it make it all the way to my Domain Controller?
2 Solutions
Rich Rumble (Security Samurai) commented:
Domain Controller :)
Two-factor works at the logon stage, typically: things like VPN authentication and Windows logon screens (interactive or Citrix/RDP/Terminal Services).
People forget that 2-factor doesn't work at the network level. Once you are authenticated, connecting via \\ip.ip.ip.ip or over HTTP internally is not hindered by 2-factor. Basically only logins are affected by 2-factor, but once you have a token and are on the network, you can go anywhere you could before that doesn't prompt you for a password; it uses your token (like \\some_pc\c$).
When you log in you will provide your username, password, and the generated code+PIN.
Something like this (Citrix/Outlook/Windows):
[screenshots: Citrix 2-factor login, OWA 2-factor login, Windows login]
Users have to have an AD attribute set that RSA can pick up on; you can create one like an OU that the user is a part of, or set some standard field in the user attributes like "contact" and fill it with something that RSA can query.
The RSA device will use RADIUS to talk to AD and provide the verification for the pin+pass.
btan (Exec Consultant) commented:
Also, since you have F5, you have flexibility: you can explore their LTM + ACA, or simply have the APM module, which works for AD and LDAP checks prior to granting app login, and even SSO.

A typical scenario can be this. The first-time login works this way: the first time an RSA OTP user logs in, they need to set a PIN for their token. This PIN is used in addition to the token code as the passcode. The user prepends the 8-character PIN to the token code.

Various means of authentication as follows:

LTM+ACA (using iRules) e.g. RADIUS Auth with SecurID

There is a nice short summary on Outlook and APM, or simply an LDAP lookup check

In the past, they used FirePass, which is the predecessor of APM, e.g. the RSA SecurID Ready Implementation Guide, which can help you visualise it with the screenshots captured in the PDF @ http://www.f5.com/pdf/deployment-guides/rsa-firepass-dg.pdf

Tweaking FirePass – Integrating RSA SecurID via WebDAV Customization

Specifically, inside the APM config guide, you can find the RSA SecurID configuration requirements for APM AAA, to assist in configuring a SecurID AAA server for APM to request RSA SecurID authentication from an RSA Authentication Manager server.
@ http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/1.html#unique_1217962019
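Both answers above describe the same plumbing: the device the user logs in to (F5 APM, a VPN concentrator, the OWA/Citrix front end) is a RADIUS client that forwards "username + PIN+tokencode" to the RSA Authentication Manager, and the accept/reject decision is made there, not on the switches and not on the SharePoint server; the AD password is checked separately (APM does that against a domain controller over LDAP). The following is an added, self-contained example, not RSA or F5 code, that walks through that RFC 2865 exchange with both sides' messages: the client builds an Access-Request with the PAP-hidden passcode, a stand-in for Authentication Manager splits off the PIN, checks the tokencode, and answers Access-Accept or Access-Reject, and the client verifies the Response Authenticator before trusting the answer. The user record, shared secret, token seed and the HMAC-based tokencode generator are all constructed for the example; the real SecurID algorithm is not reproduced here.

```python
"""Constructed RADIUS (RFC 2865) exchange: RADIUS client <-> stand-in RSA Authentication Manager.
Not RSA or F5 code. The tokencode generator is a toy HMAC-based stand-in, not the SecurID algorithm."""
import hashlib
import hmac
import os
import struct
import time

ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
TOKENCODE_DIGITS = 6  # passcode = PIN followed by the 6-digit tokencode

# Constructed user store and shared secret (in reality: Authentication Manager's token DB
# and the per-RADIUS-client secret configured on both the F5 and the RSA server).
USERS = {"rand1964": {"pin": "48213", "seed": b"constructed-seed-not-a-real-token"}}
SECRET = b"constructed-shared-secret"


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length mismatch")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def build_access_request(username: str, passcode: str, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """RADIUS client side (the F5 APM / VPN / OWA role): the passcode never goes on the wire in clear."""
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, pap_hide(passcode.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def toy_tokencode(seed: bytes, now: int, step: int = 60) -> str:
    """Constructed time-based tokencode (HMAC-SHA1 over a 60 s counter), NOT the SecurID algorithm."""
    mac = hmac.new(seed, struct.pack("!Q", now // step), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** TOKENCODE_DIGITS:0{TOKENCODE_DIGITS}d}"


def rsa_manager_handle(pkt: bytes, secret: bytes, users: dict, now: int) -> bytes:
    """Stand-in for RSA Authentication Manager: this is where PIN + tokencode are actually checked."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    verdict = ACCESS_REJECT
    if code == ACCESS_REQUEST and ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        user = attrs[ATTR_USER_NAME].decode(errors="replace")
        passcode = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, req_auth).decode(errors="replace")
        rec = users.get(user)
        if rec is not None and len(passcode) > TOKENCODE_DIGITS:
            pin, tokencode = passcode[:-TOKENCODE_DIGITS], passcode[-TOKENCODE_DIGITS:]
            pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
            code_ok = hmac.compare_digest(tokencode, toy_tokencode(rec["seed"], now))
            if pin_ok and code_ok:
                verdict = ACCESS_ACCEPT
    body = encode_attrs([(ATTR_REPLY_MESSAGE, b"OK" if verdict == ACCESS_ACCEPT else b"Access denied")])
    header = struct.pack("!BBH", verdict, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response_authenticator(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def client_check_response(resp: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply is only trusted if it matches our Identifier and its authenticator verifies."""
    code, rid, _, _ = parse_packet(resp)
    if rid != ident or not verify_response_authenticator(resp, req_auth, secret):
        raise ValueError("reply does not authenticate against our request; treat as reject")
    return code == ACCESS_ACCEPT


def securid_login(username: str, passcode: str, secret: bytes, users: dict, now: int, ident: int = 7) -> bool:
    """Full round trip. The AD password check (LDAP to a domain controller) is a separate step, not shown."""
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    req = build_access_request(username, passcode, secret, ident, req_auth)
    return client_check_response(rsa_manager_handle(req, secret, users, now), ident, req_auth, secret)


if __name__ == "__main__":
    now = int(time.time())
    good = USERS["rand1964"]["pin"] + toy_tokencode(USERS["rand1964"]["seed"], now)
    print("valid PIN+tokencode ->", securid_login("rand1964", good, SECRET, USERS, now))
    print("wrong PIN           ->", securid_login("rand1964", "00000" + good[-6:], SECRET, USERS, now))
    print("stale tokencode     ->", securid_login("rand1964", good, SECRET, USERS, now + 600))
```

Two practical notes fall out of the code. First, the only secret shared between the F5 and the RSA server is the RADIUS shared secret, and the User-Password hiding is MD5-based, so that RADIUS leg belongs on a management VLAN or inside IPsec (or RadSec, RFC 6614), not routed across the user network. Second, a reply is only meaningful if the client checks the Identifier and the Response Authenticator; a spoofed Access-Accept that fails that check must be treated as a reject.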
rand1964 (Author) commented:
Thanks!  Excellent. Excellent.