Questions about RSA Tokens and Two-Factor Authentication

I have a question that I need to get an answer to but first, I don't have two-factor authentication yet.

Let's say I go with RSA tokens.

I have a Windows network with Active Directory.

I have an F5 Proxy and Arista core switches.

How does RSA two factor authentication work...how do I install it or what has to happen to make it work on my network?

Ultimately I want to get to the question of where on my network does the two-factor authentication get checked? If I attempt to log on to one of our web portals over the internet and I use my Windows username and password and the RSA PIN number, where on my network does that get authorized to pass or get rejected?
Is it at my F5 Big IP Proxy?
Is it at my Arista core switches?
Is it at the SharePoint Web Portal server?
Or does it make it all the way to my Domain Controller?
rand1964 asked:
Rich Rumble (Security Samurai) commented:
Domain Controller :)
Two-factor works at the logon stage typically. Things like VPN authentication, and Windows logon screens (interactive or Citrix/RDP/Terminal Services).
People forget that 2-factor doesn't work at the network level: once you get authenticated, connecting via \\ip.ip.ip.ip or over HTTP internally is not hindered by 2-factor. Basically only LOGINs are affected by some 2-factor, but once you have a token and are on the network, you can go anywhere you could before that doesn't prompt you for a password; it uses your token (like \\some_pc\c$).
When you log in you will provide your username, password, and the generated code+PIN.
Something like this (Citrix/Outlook/Windows):
[Screenshots: Citrix 2-factor login, OWA 2-factor login, Windows login]
Users have to have an AD attribute set that RSA can pick up on; you can create one like an OU that the user is a part of, or set some standard field in the user attributes like "contact" and fill it with something that RSA can query.
The RSA device will use RADIUS to talk to AD and provide the verification for the PIN+pass.
http://support.citrix.com/article/CTX121983
-rich
0
btan (Exec Consultant) commented:
Also, since you have F5, you have flexibility: you can explore their LTM + ACA, or simply have the APM module, which works with AD and LDAP checks prior to granting app login and even SSO.

A typical scenario can be: the first-time login works this way. The first time an RSA OTP user logs in, they need to set a PIN for their token. This PIN is used in addition to the token code as the passcode. The user prepends the 8-character PIN to the token code.

Various means of authentication as follows:

LTM+ACA (using iRules) e.g. RADIUS Auth with SecurID
https://devcentral.f5.com/questions/radius-auth-with-securid

There is a nice short summary on outlook and APM or simply a LDAP lookup checks
https://devcentral.f5.com/questions/outlook-and-securid-road-blocks-need-help

In the past, they used FirePass, which is the predecessor of APM, e.g. the RSA SecurID Ready Implementation Guide, which can help you visualise it with the screenshots captured in the PDF @ http://www.f5.com/pdf/deployment-guides/rsa-firepass-dg.pdf

Tweaking FirePass – Integrating RSA SecurID via WebDAV Customization
https://devcentral.f5.com/articles/tweaking-firepass-integrating-rsa-securid-via-webdav-customization#.Uk9Jd4ZmhcY

Specifically, inside the APM config guide, you can find the RSA SecurID configuration requirements for APM AAA to assist in configuring a SecurID AAA server for APM to request RSA SecurID authentication from an RSA Authentication Manager server.
@ http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/1.html#unique_1217962019
1
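As an added illustration of the flow both answers describe (example code written for this page, not part of either answer and not F5 or RSA code), the following Python models the path a portal login takes: the access policy on the reverse proxy checks the first factor against AD, then relays the PIN+tokencode passcode to the authentication server in a RADIUS Access-Request with the User-Password attribute hidden as RFC 2865 specifies, and the server recovers and verifies the passcode. The tokencode generator is an HOTP-style stand-in because RSA's SecurID algorithm is proprietary; the shared secret, token seed, PIN and user list are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values (assumptions, not from the thread or any real deployment).
SHARED_SECRET = b"f5-to-rsa-shared-secret"      # RADIUS secret shared by the F5 (NAS) and the auth server
TOKEN_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # per-token seed, provisioned out of band
PIN = "1234"                                    # the user-chosen PIN prepended to the tokencode
AD_USERS = {"alice": "Passw0rd!"}               # toy stand-in for the AD password check


def tokencode(seed, t, step=60):
    """Stand-in token generator: HOTP-style HMAC-SHA1 truncation (RFC 4226) over a
    60-second counter. RSA's real SecurID algorithm is proprietary; only the shape
    (6 digits, time-stepped, derived from a secret seed) matters here."""
    counter = int(t // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"


def encode_user_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: pad to a 16-byte multiple, XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_user_password(cipher, secret, authenticator):
    """Inverse of encode_user_password, run by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, passcode, secret, authenticator=None, ident=1):
    """What the F5 sends to the RADIUS server: Code 1 (Access-Request), Identifier,
    Length, 16-byte Request Authenticator, then User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    name = username.encode()
    hidden = encode_user_password(passcode.encode(), secret, authenticator)
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(pkt, secret):
    """Server side: walk the TLV attributes and recover the cleartext passcode."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    authenticator = pkt[4:20]
    attrs, i = {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs[t] = pkt[i + 2:i + l]
        i += l
    user = attrs[1].decode()
    passcode = decode_user_password(attrs[2], secret, authenticator).decode()
    return user, passcode


def verify_passcode(passcode, pin, seed, t, window=1):
    """Authentication-server logic: passcode must be PIN + tokencode, with the
    tokencode accepted within +/- `window` steps to tolerate token clock drift."""
    if not passcode.startswith(pin):
        return False
    code = passcode[len(pin):]
    return any(hmac.compare_digest(code, tokencode(seed, t + d * 60))
               for d in range(-window, window + 1))


def apm_login(username, ad_password, passcode, t, secret=SHARED_SECRET):
    """The access policy on the reverse proxy: first factor against AD, second factor
    by relaying the passcode over RADIUS. Nothing is forwarded to the portal server
    unless both succeed."""
    if AD_USERS.get(username) != ad_password:
        return "deny: AD password"
    pkt = build_access_request(username, passcode, secret)
    user, relayed = parse_access_request(pkt, secret)   # the server's view of the request
    if user != username or not verify_passcode(relayed, PIN, TOKEN_SEED, t):
        return "deny: SecurID passcode"
    return "allow"


if __name__ == "__main__":
    now = 1_700_000_000                       # fixed clock so the run is reproducible
    good = PIN + tokencode(TOKEN_SEED, now)
    print(apm_login("alice", "Passw0rd!", good, now))               # allow
    print(apm_login("alice", "Passw0rd!", "9999" + good[4:], now))  # deny: SecurID passcode
```

The point of the model for the original question: the core switches only forward packets and never see the credentials; the decision is made wherever the RADIUS client sits (the F5 APM policy or an iRule, or an agent installed on the portal server if the proxy is not doing it) together with the authentication server that holds the token seeds, while the domain controller is consulted only for the password factor. Note also that the RFC 2865 hiding of User-Password is an XOR with an MD5 keystream, which is why the RADIUS leg between the F5 and the authentication server should be on a management network or otherwise protected rather than treated as encrypted.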

rand1964 (Author) commented:
Thanks!  Excellent. Excellent.
0