
LDAP+RSA authentication implementation (1/3)

Blog Post created by parda25 Employee on Mar 13, 2018

Introduction

CA PAM supports two-factor authentication for its own login: the user's LDAP credentials are the first factor, and the second factor is an RSA SecurID passcode, i.e. the user's PIN followed by the tokencode displayed by the RSA SecurID authenticator.

 

This procedure was tested with CA PAM 3.0.2.

 

Procedures:

There are three main parts to implementing LDAP + RSA multi-factor authentication for PAM server login: the RSA server configuration (RSA user, token and authentication agent), the LDAP configuration, and the PAM-side configuration. This part (1/3) covers the RSA server configuration.

 

Step 1. RSA server configuration:

1. Add the RSA user that will be used for the PAM RSA login. The User ID is what PAM will send to the RSA server as the agent, so it must be the login name the PAM user will type.

 

[Screenshot: RSA Security Console > Identity > Users > Add New.]

[Screenshot: User parda25rsa (First Name Daniel, Last Name Park) created in Identity Source "Internal Database", Security Domain "SystemDomain"; account does not expire, is not disabled and is not locked.]

 

2. Assign a SecurID token to the RSA user.

[Screenshot: Security Console > Identity > Users, searching System Domain / Internal Database for User IDs containing "parda"; results parda25 and parda25rsa. From the user's context menu: Tokens > Assign Next Available SecurID Token.]

 

3. Install the RSA SecurID software token application and import the assigned token, so that it displays the tokencode used for login authentication.

[Screenshot: RSA SecurID software token application showing the current tokencode for token parda25rsa, with Options > Import Token, Manage Token and Next Code.]

 

4. Register the PAM server as an authentication agent on the RSA server. The agent's hostname and IP address must be the address the PAM server actually connects from, because the RSA server identifies the agent by that address.

[Screenshot: Security Console > Authentication > Authentication Agents > Add New.]

[Screenshot: Authentication Agent 155.35.245.84, Security Domain "System Domain"; Hostname 155.35.245.84, IP Address 155.35.245.84, "Prevent auto registration from unassigning IP address": Yes; Agent Type: Standard Agent; Agent is disabled: No; user group access restriction: No; Trusted Realm Authentication: No; Risk-Based Authentication: No.]

 

5. Generate the agent configuration file (sdconf.rec) on the RSA server, download it, and import it into PAM. The node secret between the agent and the RSA server is established on the first successful authentication; if the PAM server's IP address changes later, clear the node secret on the RSA side (Manage Node Secret) and re-import the configuration, otherwise authentications fail with a node secret mismatch.

[Screenshot: Authentication Agents > Manage Existing, searching System Domain for agents whose name contains "245.84"; result 155.35.245.84 (Standard Agent). The agent's context menu offers Edit, Manage Node Secret, Enabled Logon Aliases, Trusted User Groups with Access, Duplicate and Delete.]

[Screenshot: Authentication Agent 155.35.245.84 view, with the actions Generate Configuration File and Download Server Certificate File.]

[Screenshot: Generate Configuration File > Configure Agent Timeout and Retries. Before generating the file you can set the maximum retries and the maximum time between retries for agent-to-server communication. The page also lists the ports and protocols the agent will use to reach the authentication server, which must be open from the PAM server to the RSA server:

  Authentication Service:                  port 5500, udp
  Agent Auto-Registration Service:         port 5550, tcp
  Offline Authentication Download Service: port 5580, tcp

Click Generate Config File.]

[Screenshot: Generate Configuration File > Download Configuration File. "The configuration file was successfully generated and is ready to download." Filename: AM_Config.zip; Download Now. When prompted, save the ZIP file to your local machine.]
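Before the bundle is uploaded to the appliance it is worth checking that AM_Config.zip really contains a single, non-empty sdconf.rec, recording its hash so the file imported into PAM can be compared with the one generated on the RSA server, and confirming that the TCP agent ports listed above are reachable from the network the PAM server sits on. The script below is an added example and is not CA's or RSA's code; it assumes the bundle holds one sdconf.rec at the top level and uses the port numbers shown on the Generate Configuration File page. The sample zip it builds is constructed for offline use and its sdconf.rec content is a placeholder, not a real configuration record.

```python
"""Pre-import checks for the RSA Authentication Manager agent bundle.

Added example, not CA's or RSA's code. Assumptions: AM_Config.zip holds one
sdconf.rec at the top level; the ports are those listed on the Generate
Configuration File page (5500/udp, 5550/tcp, 5580/tcp). The sample bundle
built by build_sample_bundle() is constructed for illustration only.
"""
import hashlib
import io
import socket
import zipfile

# Agent-to-server services shown on the Generate Configuration File page.
RSA_AGENT_PORTS = (
    ("authentication", "udp", 5500),
    ("agent auto-registration", "tcp", 5550),
    ("offline authentication download", "tcp", 5580),
)


def extract_sdconf(zip_bytes):
    """Return (entry name, sha256 hex digest, size) of the sdconf.rec in the bundle.

    Rejects bundles with no sdconf.rec, more than one, an entry that is not a
    plain top-level file name, or an empty record, so that the wrong file is
    not uploaded to the appliance.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.namelist() if m.lower().endswith("sdconf.rec")]
        if len(members) != 1:
            raise ValueError("expected exactly one sdconf.rec, found %d" % len(members))
        name = members[0]
        if "/" in name or "\\" in name or name.startswith("."):
            raise ValueError("unexpected path for sdconf.rec: %r" % name)
        data = zf.read(name)
    if not data:
        raise ValueError("sdconf.rec is empty")
    return name, hashlib.sha256(data).hexdigest(), len(data)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_agent_ports(host, timeout=3.0):
    """Map each agent service to True/False for TCP ports and None for UDP.

    UDP 5500 cannot be probed with a bare connect; confirm it with a test login
    from PAM or by reviewing the firewall rule instead.
    """
    results = {}
    for service, proto, port in RSA_AGENT_PORTS:
        results[service] = tcp_reachable(host, port, timeout) if proto == "tcp" else None
    return results


def build_sample_bundle(names=("sdconf.rec",), payload=b"constructed sdconf.rec placeholder\n"):
    """Constructed stand-in for AM_Config.zip so this script runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # For a real bundle: open("AM_Config.zip", "rb").read() instead of the sample.
    name, digest, size = extract_sdconf(build_sample_bundle())
    print("%s: %d bytes, sha256 %s" % (name, size, digest))
    # Run from a host on the PAM server's network; "rsa-am.example.internal"
    # is an assumed hostname, replace it with the RSA server address.
    # print(check_agent_ports("rsa-am.example.internal"))
```

The hash printed here is the value to compare against the file that ends up on the PAM appliance; a mismatch means a different or corrupted sdconf.rec was imported. Note that the UDP authentication port is reported as None rather than reachable: only an actual SecurID authentication attempt exercises it.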
