RSA Authentication Manager 7.1 Administrator’s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies. License agreement This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA. Third-party licenses This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.html files. Note on encryption technologies This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product. Distribution Limit distribution of this document to trusted personnel. RSA notice The RC5™ Block Encryption Algorithm With Data-Dependent Rotations is protected by U.S. Patent #5,724,428 and #5,835,600. © 2007-2008 RSA Security Inc. All rights reserved. First printing: April 2008 RSA Authentication Manager 7.1 Administrator’s Guide Setting Token Usage Requirements..................................................................................51 Limiting the Number of Incorrect Passcodes Allowed..............................................52 Setting Tokencode Ranges for Event-Based Tokens.................................................53 Requiring Periodic RSA SecurID PIN Changes........................................................53 Restricting Reuse of Old PINs...................................................................................54 Limiting RSA SecurID PIN Length...........................................................................54 Setting RSA SecurID PIN Character Requirements..................................................55 Requiring Periodic Fixed Passcode Changes.............................................................55 Restricting Reuse of Old Fixed Passcodes................................................................56 Limiting Fixed Passcode Length...............................................................................56 Setting Fixed Passcode Character Requirements.......................................................57 Setting Emergency Access Code Formats.................................................................57 Locking Users Out of the System.....................................................................................57 Locking Out Users After a Specified Number of Logon Attempts...........................58 Setting Offline Authentication Requirements...................................................................59 Integrating Your Windows Password with RSA SecurID.........................................61 Setting Minimum Online Passcode Lengths..............................................................61 Handling Offline Authentication with Devices that Do Not Meet Security Recommendations...................................................................................................62 Setting Offline Emergency Codes.............................................................................62 Refreshing Users’ Supplies of Offline Authentication Data.....................................63 Setting Self-Service Troubleshooting Requirements........................................................63 Chapter 3: Protecting Network Resources with RSA SecurID.........65 Overview of RSA SecurID Authentication.......................................................................65 Installing Authentication Agent Software on the Resource You Want to Protect............66 Creating an RSA Agent Record Using the RSA Security Console..................................66 Allowing Agents to Automatically Add Authentication Agent Records..................68 Creating and Installing the RSA Authentication Manager Configuration File.................71 Specifying Where Agents Send Authentication Requests................................................72 Using Authentication Agents to Restrict User Access......................................................73 Granting Access to Restricted Agents Using User Groups.......................................74 Setting Restricted Access Times for User Groups.....................................................75 Deploying Tokens to Users...............................................................................................75 Importing Hardware and Software Token Records...................................................78 Transferring Hardware and Software Token Records to Other Security Domains...79 Assigning and Unassigning Hardware and Software Tokens....................................79 Distributing Hardware Tokens to Users....................................................................80 Distributing Software Tokens to Users......................................................................81 4 Contents RSA Authentication Manager 7.1 Administrator’s Guide Delivering Tokencodes Using Text Message or E-mail...................................................85 Configuring RSA Authentication Manager for On-Demand Authentication............87 Changing the SMS Service Provider.........................................................................89 Enabling Users for On-Demand Authentication........................................................89 Setting PINs for On-Demand Tokencodes................................................................90 Preventing and Handling User Authentication Problems.................................................91 Educating Users About Security Responsibilities.....................................................91 Chapter 4: Administering Users..........................................................................93 Enabling and Disabling Users...........................................................................................93 Assisting Users Who Have Been Locked Out of the System...........................................94 Assisting Users Whose Tokens Are Lost, Stolen, Damaged, or Expired.........................95 Providing Users with Temporary Emergency Access......................................................96 Providing Temporary Emergency Access for Online Authentication.......................97 Providing Temporary Emergency Access for Offline Authentication......................99 Replacing Tokens............................................................................................................101 Enabling and Disabling Tokens......................................................................................102 Resynchronizing Tokens.................................................................................................103 Clearing PINs..................................................................................................................104 Requiring Users to Change Their PINs...........................................................................105 Providing Users with Fixed Passcodes...........................................................................106 Clearing Incorrect Passcodes..........................................................................................106 Designating a Default Shell for UNIX Users..................................................................106 Assigning Logon Aliases................................................................................................107 Updating Phone Numbers and E-mail Addresses for On-Demand Tokencodes............107 Granting Access with User Groups.................................................................................107 Chapter 5: Administering RSA Authentication Manager...................109 Modifying Administrator Permissions............................................................................109 Displaying All of the Administrative Roles with View or None Permission for a Specific Attribute..................................................................................................111 Using the Store Utility to Display Administrative Roles with a View or None Permission for a Specific Attribute........................................................................112 Securing Communications Between the Authentication Agent and RSAAuthentication Manager.......................................................................................112 Refreshing the Node Secret Using the Node Secret Load Utility.............................113 Determining Limits on Administrative Sessions.............................................................114 Limiting the Number of Concurrent Administrative Sessions.................................115 Limiting the Length of Administrative Sessions......................................................116 Limiting Periods of Inactivity Allowed for Administrative Sessions.......................116 Viewing and Closing Administrative Sessions................................................................117 Configuring the System Cache for Improved Performance.............................................118 Updating Identity Source Attributes................................................................................119 Contents 5 RSA Authentication Manager 7.1 Administrator’s Guide Chapter 8: Managing RSA RADIUS.................................................................159 Overview of RSARADIUS............................................................................................159 RSARADIUS Supports Secure Network Access...................................................160 How You Manage RSARADIUS...........................................................................160 How RSARADIUS Helps Enforce Access Control...............................................161 Other Attribute Types Provide Flexibility...............................................................165 How RSARADIUS Maintains Secure Communications........................................166 Managing User Access....................................................................................................167 Managing Profiles....................................................................................................167 Managing Profile Assignments................................................................................168 Managing RADIUS User Attributes........................................................................169 Managing RADIUS Clients.....................................................................................169 Managing RSARADIUS Servers...................................................................................170 Starting and Stopping RSARADIUS Servers.........................................................170 Adding a New RSARADIUS Server......................................................................170 List or Delete Existing RSARADIUS Server Entries.............................................170 View or Edit Existing RSARADIUS Server Properties.........................................171 Managing Replication..............................................................................................171 Manage EAP-POTP Configuration.........................................................................172 Monitoring System Usage...............................................................................................173 Viewing RSARADIUS Usage Statistics.................................................................173 View RADIUS Server Accounting Statistics..........................................................174 View RADIUS Server's Client Authentication and Accounting Statistics..............176 Choosing Accounting Attributes and Administrator Actions to Record.................177 Displaying the Authentication Log Files.................................................................178 Configuring the Log Retention Period.....................................................................182 Using the Server Log File........................................................................................182 Using the Accounting Log File................................................................................183 Maintaining RSARADIUS Servers...............................................................................188 Removing an RSARADIUS Server from Service..................................................188 Backing Up a RADIUS Server................................................................................189 Restoring a RADIUS Server....................................................................................189 Promoting an RSARADIUS Replica Server..........................................................191 Modify RSARADIUS Server Configuration and Dictionary Files........................192 Change the IP Address or Name of an RSARADIUS Server.................................193 Chapter 9: Logging and Reporting..................................................................195 Configuring RSA Authentication Manager Logging......................................................195 Archiving Log Files.................................................................................................197 Generating Reports.........................................................................................................198 Creating Custom Reports.........................................................................................198 Running Reports......................................................................................................200 Scheduling Recurring Reports.................................................................................201 Setting Report Ownership........................................................................................202 Viewing Reports......................................................................................................203 Contents 7 RSA Authentication Manager 7.1 Administrator’s Guide Appendix F: RSA Authentication Manager Message IDs..................361 Audit Log Messages........................................................................................................361 System Log Messages.....................................................................................................363 RSA Authentication Manager Administrative Audit Log Messages..............................373 RSA Authentication Manager Runtime Audit Log Messages........................................380 RSA Authentication Manager System Log Messages....................................................382 Appendix G: Troubleshooting............................................................................391 Common Problems and Resolutions...............................................................................391 General Troubleshooting Tips........................................................................................400 Using the Activity Monitor and Log Messages for Troubleshooting......................400 Making Sure the RSAAuthentication Manager Machine Meets Minimum System Requirements...........................................................................407 Supported Browsers..................................................................................................411 Configuring Browser Settings for the RSASecurity Console, RSA Operations Console, and RSA Self-Service Console...............................................................411 Assessing the Impact of Firewalls on RSAAuthentication Manager.....................412 Configuring the Cache for Improved Performance.................................................415 Test User Access to Restricted Agent......................................................................415 User and Token-Related Resolutions..............................................................................416 Unlocking a User.....................................................................................................416 Assisting Users with Lost, Stolen, Damaged or Expired Tokens............................416 Providing Emergency Access..................................................................................417 Clearing PINs...........................................................................................................417 Forcing PIN Changes...............................................................................................417 Clearing Incorrect Passcodes...................................................................................417 Resynchronizing a Token........................................................................................418 System-Related Resolutions...........................................................................................418 RSAAuthentication Manager Does Not Start.........................................................418 RSA Security Console Does Not Start....................................................................419 RSAAuthentication Manager Microsoft Management Console Snap-in Does Not Start.......................................................................................................419 RSA Security Console Times Out When Searching for Users................................419 Name and IP Address Resolution in RSAAuthentication Manager.......................420 Managing the Node Secret.......................................................................................421 Resynchronizing RSAAuthentication Manager with Coordinated Universal Time.................................................................................421 Updating an Agent Configuration File....................................................................422 Reconfiguring CT-KIP After Promoting a Replica Instance...................................422 Changing the IP Address or Hostname of a Server.................................................423 Glossary...........................................................................................................................425 Index...................................................................................................................................445 Contents 11 RSA Authentication Manager 7.1 Administrator’s Guide 3 Protecting Network Resources with RSA SecurID • Overview of RSA SecurID Authentication • Installing Authentication Agent Software on the Resource You Want to Protect • Creating an RSA Agent Record Using the RSA Security Console • Creating and Installing the RSA Authentication Manager Configuration File • Specifying Where Agents Send Authentication Requests • Using Authentication Agents to Restrict User Access • Deploying Tokens to Users • Delivering Tokencodes Using Text Message or E-mail • Preventing and Handling User Authentication Problems Overview of RSA SecurID Authentication When a user successfully authenticates through RSA Authentication Manager, he or she is able to access a resource, a VPN server for example, that is protected by Authentication Manager. Authentication Manager uses authentication agents to protect network resources. Authentication agents must be installed on each machine that you want to protect with Authentication Manager and RSA SecurID. You can either install an agent manually or use hardware that comes with preinstalled authentication agents. Authentication agents are software applications that securely pass authentication requests to and from Authentication Manager. When a user attempts to gain access to a network resource, the agent receives the authentication request and submits it to Authentication Manager. The Authentication Manager then approves or denies the request, prompting the agent to allow or deny access to the user. The following figure shows the flow of SecurID authentication: User A VPN Server Authentication (with VPN client) with Manager Agent "May I Enter?" "Is This User A?" "Enter." "Yes" RSA SecurID Token 3: Protecting Network Resources with RSASecurID 65 RSA Authentication Manager 7.1 Administrator’s Guide Installing Authentication Agent Software on the Resource You Want to Protect There are different types of authentication agents. The agent that you need depends on what type of resource you want to protect. For example, to protect an Apache Web server, download and install RSA Authentication Agent 5.3 for Web for Apache. RSA provides the latest RSA Authentication Agent software for your platform at http://www.rsa.com/node.asp?id=1174. Included with the agent download package is an Installation and Administration Guide and a Readme. RSA recommends that you read these documents before installing the agent. Important: For information about installing agent software, see your agent documentation. You may also purchase products that contain embedded RSA Authentication Agent software. The software is embedded in a number of products, such as remote access servers, VPNs, firewalls, and web servers. For more information about products with embedded RSA Authentication Agents, go to http://www.rsasecured.com. Creating an RSA Agent Record Using the RSA Security Console After you install and configure authentication agent software on the machines that you want to protect, use the RSA Security Console to create an agent record in the Authentication Manager for each agent. This process is called registering the agent. The agent record identifies the agent to the Authentication Manager and contains the following configuration information: Hostname. The name of the machine where you installed the agent software. In most cases, the hostname must be a fully qualified domain name (machine name + domain). For example: ‘mymachine.example.net’. However, if the machine is a member of a Windows workgroup, the hostname is the machine name only. For example, ‘mymachine.’ If you add an authentication agent to a server node that is also running Authentication Manager, select the hostname from the list of existing server nodes. IP Address. The IP address of the machine where you installed the agent software. Protect IP Address. Select this option to prevent the agent auto-registration utility from reassigning the agent’s IP address. For more information on agent auto-registration, see “Allowing Agents to Automatically Add Authentication Agent Records” on page 68. Alternate IP Address. A secondary IP address for the machine where you installed the agent software. You can specify as many as necessary. 66 3: Protecting Network Resources with RSASecurID RSA Authentication Manager 7.1 Administrator’s Guide Agent Type. This can be Standard Agent or Web Agent. The default agent type is Standard Agent. Select Web Agent if you are adding an agent to a web server. Select Standard Agent for all other agents. This field is for informational use only, and is used primarily to simplify the task of searching for agents. RADIUS Profile. Select a RADIUS profile for the agent. Disabled. Select to disable the agent. Agent May Be Accessed By. You can choose whether to allow all users to authenticate to a specific agent, or allow only users who are members of a user group that has been explicitly given permission to authenticate to the agent. Agents that allow all users to authenticate are called unrestricted agents. Agents that require users to be members of user groups that are explicitly given permission to authenticate to the agent are called restricted agents. See “Using Authentication Agents to Restrict User Access” on page 73. Authentication Manager Contact List. By default, authentication agents send authentication requests to the server node that responds first. That server node sends the agent an automatically maintained contact list informing the agent of other server nodes to communicate with if the original server node is offline. You can override this default by manually assigning the agent a contact list. You should only choose this option if you have specific requirements for managing your authentication request traffic. See “Specifying Where Agents Send Authentication Requests” on page 72. Trusted Realm Authentication. Enable the agent for trusted realm authentication. For more information on trusted realm authentication, see “Administering Trusted Realms” on page 145. For instructions, see the Security Console Help topic “Add New Authentication Agents.” Another way to add agents is to duplicate an existing agent. You might do this when you are adding agents with settings similar to an existing agent. For instructions, see the Security Console Help topic “Duplicate Authentication Agents.” You may also configure the system so that agent records are added to the internal database automatically. See the following section, “Allowing Agents to Automatically Add Authentication Agent Records.” Note: To edit an agent record after you add it to the Authentication Manager internal database, see the Security Console Help topic “Edit Authentication Agents.” 3: Protecting Network Resources with RSASecurID 67 RSA Authentication Manager 7.1 Administrator’s Guide Allowing Agents to Automatically Add Authentication Agent Records The Automated Agent Registration and Update utility (sdadmreg.exe), included with your RSA Authentication Agent software, enables new authentication agents to automatically add their agent record to the Authentication Manager internal database. This process is called registering the agent. Allowing authentication agents to automatically register themselves saves time and money by eliminating the need for an administrator to perform these tasks. By default, the Automated Agent Registration and Update utility automatically runs whenever the agent host is started to allow any IP address changes to be registered in the internal database before the agent is started. This is useful for systems that use the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses. If you use DHCP and do not enable this utility, you must manually update the IP addresses each time the agent host changes its IP address. You can also run the Automated Agent Registration and Update utility manually whenever the IP address of an agent host changes to update the IP address in the internal database. Note: The RSA Authentication Agent 6.1.2 for Microsoft Windows automatically updates the internal database with any IP address changes. If you are using this agent, you do not need to manually run the utility. To allow agents to automatically register themselves in Authentication Manager, do the following: • Install the Automated Agent Registration and Update utility on the agent hosts. Do this during agent installation. For utility installation instructions or for information about manually running the utility, see your RSAAuthentication Agent documentation. • Enable agent auto-registration on the Authentication Manager Settings page in the Security Console. This enables agent auto-registration on the Authentication Manager server. For configuration instructions, see the Security Console Help topic “Allowing Agents to Register Themselves with RSA Authentication Manager.” Default Agent Settings When the Automated Agent Registration and Update utility is run on a newly installed, unregistered agent, a record for the agent is created in the internal database. By default, the agent has the following characteristics: Disabled. The agent is unable to process authentication requests. Unrestricted. All users are allowed to authenticate with this agent. 68 3: Protecting Network Resources with RSASecurID
Description: