RSA SecurID Ready Implementation Guide

Partner Information

Last Modified: September 16, 2013

Product Information

  Partner Name:         , Inc.
  Web Site:             workspot.com
  Product Name:
  Version & Platform:   2.0.3 for iPad and iPhone
  Product Description:  The product helps companies improve productivity by securely connecting users to core business applications and data on their personal mobile devices. Its patent-pending mobile virtualization solution can be quickly deployed using existing infrastructure. The solution consists of a client application running on a mobile device together with a cloud-based administration console.
Solution Summary

The Client is a secure mobile virtualization container on the device, which includes a virtual file system and a virtual network. The virtual network provides secure connectivity to the user's corporate resources, while the virtual file system stores documents downloaded to the device. Control is a cloud-based service console that an IT administrator uses to configure and manage the applications, VPN connection and policies for mobile users.

Integration with RSA SecurID

The Client relies on the RSA SecurID authentication performed by the SSL VPN gateway appliance it connects through; the Client itself does not talk to RSA Authentication Manager directly. The following vendors and products are currently supported:

  Cisco Adaptive Security Appliance (ASA)
  Dell SonicWALL Secure Remote Access (SRA)
  F5 BIG-IP Access Policy Manager (APM)
  Juniper Secure Access Series SSL VPN

Note: Individual products may not support all features. Links to RSA's Cisco, Dell, F5 and Juniper SSL VPN Implementation Guides can be found in the Appendix of this document.

RSA SecurID supported features (version 2.0.3)

  RSA SecurID Authentication via Native RSA SecurID Protocol
  RSA SecurID Authentication via RADIUS Protocol
  On-Demand Authentication via Native SecurID Protocol
  On-Demand Authentication via RADIUS Protocol
  RSA Authentication Manager Replica Support
  Secondary RADIUS Server Support

(The support mark for each of these rows did not survive in this copy of the guide; whether a feature is available also depends on the SSL VPN gateway in use, see the Note above.)

RSA Software Token Supported Features

  Windows Automation        No
  SID800 Automation         No
  OS X Automation           No
  iOS Automation            Yes
  Android Automation        No
  File-based Provisioning   No
  CT-KIP Provisioning       Yes
  CTF Provisioning          Yes
Authentication using RSA SecurID

In Control, the administrator defines which SSL VPN gateway the mobile user authenticates and connects to, and defines a security policy that enables RSA SecurID. The VPN gateway must be configured to use RSA Authentication Manager for authentication. The Client then authenticates using RSA SecurID as follows:

1. Control sends a security profile with RSA SecurID enabled to the mobile device.
2. The mobile user initiates a login via the Client.
3. The user's credentials (username and passcode) are sent to the VPN gateway, which authenticates them against RSA Authentication Manager.
4. RSA Authentication Manager may present authentication challenges associated with the user's account or token state (for example a New PIN or Next Tokencode prompt).
5. The user enters responses to the authentication challenges as required.
6. If the credentials are valid, the user is authenticated by RSA Authentication Manager and a VPN session is created with the VPN gateway. If the authentication fails, the user is denied access and no session is established.

[Figure: authentication flow between Control, the Client, the SSL VPN Gateway and Authentication Manager; the numbered arrows correspond to the steps above.]
Partner Product Configuration

Before You Begin

This section provides instructions for configuring the product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

RSA SecurID authentication can be enabled either during the Express Setup or after the basic account has been configured.

Important: The SSL VPN gateway must be configured to support RSA SecurID authentication before RSA SecurID is enabled in Control. Refer to the appropriate RSA Implementation Guide found in the Appendix of this document.
Procedure Overview

Enabling RSA during the Express Setup

To enable RSA SecurID during the Control Express Setup, select the RSA option shown in Screen 1.

Screen 1: Enabling RSA during Express Setup
Enabling RSA

If the Express Setup has already been completed, RSA SecurID can be enabled using Control: first add a new Security Policy, then assign that policy to the group that will be using SecurID authentication. Refer to Screens 2 through 6.

Screen 2: Adding a New Security Policy (1 of 2)
Screen 3: Adding a New Security Policy (2 of 2)
Screen 4: Assigning the RSA Security Policy to a Group (1 of 3)

Screen 5: Assigning the RSA Security Policy to a Group (2 of 3)
Screen 6: Assigning the RSA Security Policy to a Group (3 of 3)
Importing an RSA SecurID Software Token into the Client

The Client supports an integrated token, which is set up by importing a token into the Client. To import a token, obtain either an SDTID file or a CT-KIP URL through RSA Authentication Manager. SDTID files must first be converted to CTF format with the RSA Software Token Converter utility using its mobile option. See the RSA SecurID Software Token Converter documentation at http://www.emc.com/security/rsa-securid/rsa-securidsoftware-authenticators/converter.htm for more information.

Note: This procedure is only required if you have a CTF or CT-KIP link and want to import that token into the Client. It is not required if you are using an external physical or software token authenticator.

1. On the device where the Client is installed, click the CTF or CT-KIP link. (Screen 1 of 3)
2. This launches the Client and imports the token; enter the token file password if prompted. (Screen 2 of 3)
3. Once the token has been successfully imported, click OK to continue. (Screen 3 of 3)
RSA SecurID Authentication

After RSA SecurID has been configured using Control, the policy is updated on the mobile device. Any user belonging to a group for which RSA SecurID is enabled will be prompted for an RSA SecurID passcode or PIN during authentication, as shown in the following device screens.

Note: Your home and application screens will look different from the following examples, since they are based on the applications defined in Control.

Note: If using an integrated token, the token must be imported into the Client before authenticating.

From the home screen, click any application that requires authentication through the SSL VPN gateway, such as an internal SharePoint site. (Screen 1 of 3)
RSA Authentication with External Token

To authenticate with a hardware or software token, the user enters their username, password, and the RSA SecurID passcode from the token. Depending on the token configuration, the passcode is typically PIN + tokencode for a hardware token, or the passcode that the software token displays after the PIN has been entered into it. (Screen 2 of 3)

RSA Authentication with Integrated Token

To authenticate with the integrated token, the user enters their username, password, and RSA SecurID PIN; the Client supplies the tokencode from the imported token. (Alternate screen 2 of 3)

After successful authentication, the application home page is shown, in this example SharePoint. (Screen 3 of 3)
RSA SecurID Authentication Screen Examples

Authentication Screens

The SecurID authentication screens shown below are with the Client configured for the Cisco ASA. Other supported SSL VPN gateways display similar authentication prompts.

System generated new PIN prompts

User defined (4-8) alphanumeric PIN

Next tokencode
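The following Python script is an added example and is not part of this guide, nor the partner's or RSA's code. It models the six-step flow from "Authentication using RSA SecurID" (Client to SSL VPN gateway to Authentication Manager, session only on success) together with the three prompts pictured above: system-generated or user-defined (4-8 alphanumeric) New PIN, and Next Tokencode. Everything in it is constructed: the tokencode lists that stand in for a real token's time-based codes, the user and password values, the failure threshold that triggers Next Tokencode mode, and the simplification that a passcode is PIN followed by tokencode for every token type (a real software token derives its passcode differently, as the External Token section notes).

```python
"""Constructed mock of the SecurID challenge flow; the real tokencode
algorithm is NOT implemented. Each token carries a short list of made-up
tokencodes standing in for the codes a real token would display."""
import re
import secrets
import string
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    NORMAL = "normal"
    NEW_PIN = "new PIN required"                # the New PIN screens
    NEXT_TOKENCODE = "next tokencode required"  # the Next tokencode screen


@dataclass
class TokenRecord:
    tokencodes: list                 # constructed stand-ins for time-based codes
    pin: Optional[str] = None        # None: issued without a PIN (New PIN on first use)
    state: State = State.NORMAL
    position: int = 0                # index of the tokencode currently "displayed"
    failures: int = 0


PIN_RE = re.compile(r"[A-Za-z0-9]{4,8}")   # "User defined (4-8) alphanumeric PIN"
FAILURES_BEFORE_NEXT_TOKENCODE = 3         # constructed threshold, not RSA's value
ACCEPT, DENY, CHALLENGE = "ACCEPT", "DENY", "CHALLENGE"


def pin_is_acceptable(pin: str) -> bool:
    return PIN_RE.fullmatch(pin) is not None


def generate_pin(length: int = 6) -> str:
    """System-generated PIN: random alphanumeric string inside the 4-8 rule."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class MockAuthManager:
    """Stands in for RSA Authentication Manager (steps 4 and 6 of the flow)."""

    def __init__(self, records):
        self.records = records

    def authenticate(self, user, passcode):
        rec = self.records.get(user)
        if rec is None:
            return (DENY, "unknown user")
        if rec.position >= len(rec.tokencodes):
            return (DENY, "constructed tokencode list exhausted")
        current = rec.tokencodes[rec.position]
        if rec.pin is None:
            # First use: the tokencode alone is accepted, then a PIN must be set.
            if secrets.compare_digest(passcode, current):
                rec.state, rec.position = State.NEW_PIN, rec.position + 1
                return (CHALLENGE, "new PIN")
            return (DENY, "bad tokencode")
        if not secrets.compare_digest(passcode, rec.pin + current):
            rec.failures += 1
            if rec.failures >= FAILURES_BEFORE_NEXT_TOKENCODE:
                rec.state = State.NEXT_TOKENCODE
            return (DENY, "bad passcode")
        rec.failures, rec.position = 0, rec.position + 1   # a tokencode is single-use
        if rec.state == State.NEXT_TOKENCODE:
            return (CHALLENGE, "next tokencode")
        return (ACCEPT, "ok")

    def next_tokencode(self, user, code):
        rec = self.records[user]
        if rec.state != State.NEXT_TOKENCODE:
            return (DENY, "not in next tokencode mode")
        if secrets.compare_digest(code, rec.tokencodes[rec.position]):
            rec.state, rec.position = State.NORMAL, rec.position + 1
            return (ACCEPT, "ok")
        return (DENY, "bad next tokencode")

    def set_new_pin(self, user, pin):
        rec = self.records[user]
        if rec.state != State.NEW_PIN:
            return (DENY, "not in new PIN mode")
        if not pin_is_acceptable(pin):
            return (DENY, "PIN must be 4-8 alphanumeric characters")
        rec.pin, rec.state = pin, State.NORMAL
        return (ACCEPT, "PIN set; log in again with PIN + tokencode")


def gateway_login(am, passwords, user, password, passcode):
    """SSL VPN gateway (steps 3 and 6): checks its own password, then hands
    the passcode to Authentication Manager. A session exists only on ACCEPT."""
    stored = passwords.get(user)
    if stored is None or not secrets.compare_digest(stored, password):
        return {"session": False, "result": DENY, "detail": "bad password"}
    result, detail = am.authenticate(user, passcode)
    return {"session": result == ACCEPT, "result": result, "detail": detail}


def demo():
    """New-PIN challenge, normal login, then a Next Tokencode challenge."""
    codes = ["159759", "432153", "840002", "111222", "555555"]   # constructed
    am = MockAuthManager({"alice": TokenRecord(tokencodes=codes)})
    passwords = {"alice": "correct-horse"}                        # constructed
    log = [am.authenticate("alice", "159759"),   # CHALLENGE: new PIN
           am.set_new_pin("alice", "ab!"),       # DENY: breaks the 4-8 alphanumeric rule
           am.set_new_pin("alice", "pin4demo")]  # ACCEPT
    r = gateway_login(am, passwords, "alice", "correct-horse", "pin4demo432153")
    log.append((r["result"], r["detail"]))       # ACCEPT, VPN session created
    for _ in range(FAILURES_BEFORE_NEXT_TOKENCODE):
        log.append(am.authenticate("alice", "pin4demo000000"))  # DENY three times
    log.append(am.authenticate("alice", "pin4demo840002"))      # CHALLENGE: next tokencode
    log.append(am.next_tokencode("alice", "111222"))            # ACCEPT
    return log
```

Run `demo()` to see the sequence the screens above correspond to: the first login with a PIN-less token returns the New PIN challenge, a PIN outside the 4-8 alphanumeric rule is rejected, and repeated bad passcodes move the token into Next Tokencode mode, where even a correct passcode only produces the Next Tokencode prompt until the following code is supplied. A gateway session is created solely when Authentication Manager answers ACCEPT, which is the property step 6 of the flow describes.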
Certification Checklist for RSA Authentication Manager

Date Tested: September 16, 2013

Certification Environment

  Product Name                 Version Information                                          Operating System
  RSA Authentication Manager   8.0                                                          Virtual appliance
  Cisco ASA                    Cisco Adaptive Security Appliance Software Version 8.0(5)23  Cisco IOS
  (partner product)            2.0.3                                                        iPad, iPhone, iOS 6.1

RSA SecurID Authentication, RSA Native Protocol

  Category                              Test                                  Windows  OS X  Android  iOS  Other
  New PIN                               Force Authentication After New PIN    N/A      N/A   N/A           N/A
  New PIN                               System-Generated PIN                  N/A      N/A   N/A           N/A
  New PIN                               User Defined (4-8 Alphanumeric)       N/A      N/A   N/A           N/A
  New PIN                               User Defined (5-7 Numeric)            N/A      N/A   N/A           N/A
  New PIN                               Deny 4 and 8 Digit PIN                N/A      N/A   N/A           N/A
  New PIN                               Deny Alphanumeric PIN                 N/A      N/A   N/A           N/A
  New PIN                               Deny PIN Reuse                        N/A      N/A   N/A           N/A
  Passcode                              16-Digit Passcode                     N/A      N/A   N/A           N/A
  Passcode                              4-Digit Fixed Passcode                N/A      N/A   N/A           N/A
  Next Tokencode Mode                   Next Tokencode Mode                   N/A      N/A   N/A           N/A
  On-Demand Authentication              On-Demand Authentication              N/A      N/A   N/A           N/A
  On-Demand Authentication              On-Demand New PIN                     N/A      N/A   N/A           N/A
  Load Balancing / Reliability Testing  Failover (3-10 Replicas)              N/A      N/A   N/A           N/A
  Load Balancing / Reliability Testing  No RSA Authentication Manager         N/A      N/A   N/A           N/A

GLS / PAR

Legend: Pass / Fail marks (recorded in the iOS column) did not survive in this copy of the guide; N/A = Not Applicable to Integration.
Certification Checklist for RSA Authentication Manager

RSA Software Token Automation, RSA Native Protocol

  Token type          Test                       Windows  OS X  Android  iOS  Other
  PINless Token       Next Tokencode Mode        N/A      N/A   N/A           N/A
  PINpad-style Token  Deny Alphabetic PIN        N/A      N/A   N/A           N/A
  PINpad-style Token  Next Tokencode Mode        N/A      N/A   N/A           N/A
  Fob-style Token     16-Character Passcode      N/A      N/A   N/A           N/A
  Fob-style Token     Alphanumeric PIN           N/A      N/A   N/A           N/A
  Fob-style Token     Next Tokencode Mode        N/A      N/A   N/A           N/A
  Other               Password-Protected Token   N/A      N/A   N/A           N/A
  Other               System-Generated PIN       N/A      N/A   N/A           N/A

GLS / PAR

Legend: Pass / Fail marks (recorded in the iOS column) did not survive in this copy of the guide; N/A = Not Applicable to Integration.
Appendix

Software Token SDK Integration Details

  Area                     Item                            Android  iOS  Other
  RSA Software Token SDK   RSA Software Token SDK Version  N/A      1.5  N/A
  RSA Software Token Data  Display Token Serial Number     N/A           N/A
  RSA Software Token Data  Display Token Expiration Date   N/A           N/A
  RSA Software Token Data  Number of Tokens Supported      N/A      1    N/A
  Provisioning             File-Based                      N/A      No   N/A
  Provisioning             CT-KIP                          N/A      Yes  N/A
  Provisioning             CTF                             N/A      Yes  N/A

(The iOS marks for the two Display rows did not survive in this copy of the guide.)

Secured by RSA Certified Implementation Guides

  Cisco ASA Series Adaptive Security Appliance     https://gallery.emc.com/docs/doc-1167
  Dell SonicWALL Secure Remote Access (SRA)        https://gallery.emc.com/docs/doc-2317
  F5 Networks BIG-IP                               https://gallery.emc.com/docs/doc-1231
  Juniper Networks Secure Access SSL VPN           https://gallery.emc.com/docs/doc-1297