
WiNG How-To Guide RSA SecurID_Overview

RSA SecurID two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator), providing a much more reliable level of user authentication than reusable passwords. RSA two-factor authentication can be used with Motorola WLAN Switch Controllers and AP-51X1/AP-71X1 Access Points to provide secure authenticated access for WLAN users as well as secure authenticated management access into the devices.


The RSA SecurID system comprises the following three components:
· Authenticators – Hardware or software tokens that organisations distribute to end-users. The RSA SecurID tokens generate a one-time authentication code every 60 seconds that the user combines with a personal PIN during authentication.
· Authentication Agent – RSA Authentication Agent software intercepts access requests, whether local or remote, from users or groups of users and directs them to the RSA Authentication Manager program for authentication. Once verified, permission to access protected resources is granted. Authentication Agents can be installed on the operating system, on a RADIUS server such as Juniper’s Steel Belted RADIUS, or directly into the software of an access device such as a VPN concentrator.
· Server – Enterprise-class management software that powers strong authentication for the RSA SecurID solution. Server software may be installed on a pre-existing server or pre-installed on an appliance.

User Authentication:

With RSA SecurID deployed in an organization, a user enters a valid passcode to gain access to a protected system. A passcode consists of:
· A personal identification number, or PIN (something the user knows)
· The tokencode currently displayed on the user’s token (something the user has)
Because user authentication requires these two factors, the RSA SecurID solution offers stronger security than traditional passwords (single-factor authentication). RSA SecurID tokens are handheld devices containing microprocessors that calculate and display pseudorandom codes. These tokencodes change at a specified interval, typically every 60 seconds.


During authentication, the user enters a valid passcode made up of the user’s PIN followed by the tokencode currently displayed on the token. For example, if the user’s PIN is 1234 and the tokencode is 234836, the passcode would be 1234234836.
The RSA SecurID Appliance server software and RSA SecurID tokens work together to authenticate a user’s identity. The RSA Security patented time synchronization ensures that the pseudorandom code displayed by a user’s token is the same code that the Appliance’s server software has generated for that moment.
Because each token has its own unique identifier (serial number), the number it displays at any given time is different from the number on any other token. Therefore, even if an attacker guesses a user’s PIN, they will not be able to gain access to a protected network resource unless they also have possession of the user’s token.
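The passcode handling described above (PIN followed by a tokencode that changes every 60 seconds, with the server computing the same code for the same moment) can be modelled in a few lines. The following is an added example, not RSA or Motorola code: the real SecurID token algorithm and seeds are proprietary, so this demo stands in an HMAC-SHA1 time code (TOTP-style), a constructed seed and PIN, a ±1 window drift tolerance and a replay record, all of which are assumptions of the demo rather than details from the guide.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a token's per-device seed and a user's PIN.
# Real RSA SecurID seeds and the token algorithm are proprietary; this
# model uses an HMAC-SHA1 time code (TOTP-style) purely to illustrate
# time synchronisation between token and server.
TOKEN_SEED = b"constructed-seed-for-token-000123"
TOKENCODE_DIGITS = 6
INTERVAL_SECONDS = 60


def tokencode_at(seed, unix_time):
    """Tokencode the token displays during the 60-second window containing unix_time."""
    window = unix_time // INTERVAL_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    # Dynamic truncation as in RFC 4226 (HOTP), reused here for the demo.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOKENCODE_DIGITS)).zfill(TOKENCODE_DIGITS)


def build_passcode(pin, tokencode):
    """A passcode is the PIN followed by the tokencode: PIN 1234 + 234836 -> 1234234836."""
    return pin + tokencode


def verify_passcode(passcode, expected_pin, seed, now, drift_windows=1, used_windows=None):
    """Server-side check: split the passcode into PIN and tokencode and validate both factors.

    drift_windows models a small tolerance for clock drift between token and
    server (an assumption of this demo). used_windows, if given, records the
    windows already accepted so the same tokencode cannot be replayed while
    it is still within its validity period.
    """
    if len(passcode) <= TOKENCODE_DIGITS or not passcode.isdigit():
        return False
    pin, tokencode = passcode[:-TOKENCODE_DIGITS], passcode[-TOKENCODE_DIGITS:]
    if not hmac.compare_digest(pin, expected_pin):
        return False  # "something you know" is wrong
    current = now // INTERVAL_SECONDS
    for window in range(current - drift_windows, current + drift_windows + 1):
        candidate = tokencode_at(seed, window * INTERVAL_SECONDS)
        if hmac.compare_digest(candidate, tokencode):
            if used_windows is not None:
                if window in used_windows:
                    return False  # replay of an already-used tokencode
                used_windows.add(window)
            return True
    return False  # "something you have" is wrong or the tokencode is stale


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    shown = tokencode_at(TOKEN_SEED, now)
    print("token shows", shown, "-> passcode", build_passcode("1234", shown))
    print("correct PIN + current code:", verify_passcode(build_passcode("1234", shown), "1234", TOKEN_SEED, now))
    print("guessed PIN, no token:     ", verify_passcode(build_passcode("9999", shown), "1234", TOKEN_SEED, now))
    print("same code 5 minutes later: ", verify_passcode(build_passcode("1234", shown), "1234", TOKEN_SEED, now + 300))
```

The two rejection paths are the point of the section: a guessed PIN fails without the token's current code, and a captured code fails once its window has passed (or, with the replay record, as soon as it has been used once).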

Infrastructure Management Authentication:

RSA SecurID can be used to provide two-factor authentication for management access into Motorola WLAN Switch Controllers or AP-51X1/AP-71X1 Access Points. By default, administrative access is provided using a local user database built into the infrastructure device, which can be very challenging to maintain in large distributed deployments.
RSA SecurID authentication can be enabled on a WLAN Switch Controller or AP-51X1/AP-71X1 Access Point by enabling RADIUS management authentication and using an RSA integrated RADIUS server for RADIUS authentication. Once enabled, administrators must provide a valid user-name and passcode (PIN+tokencode) before being granted management access into the device.
Authenticated management access is supported by the WLAN Switch Controllers and AP-51X1/AP-71X1 Access Points for all management interfaces including:
· RS-232 Serial Console Access
· Telnet / Secure Shell (SSH) CLI Access
· HTTP / HTTPS Web-UI Access


When RSA authenticated management is enabled, it is important to note that Motorola does not support New PIN and Next Tokencode modes. As such, management authentication cannot be performed using a new RSA authenticator, an RSA authenticator that requires re-synchronisation, or an RSA authenticator that has been flagged to set the PIN to the Next Tokencode.

Hotspot Authentication:

RSA SecurID can be used to provide two-factor authentication for Hotspot WLAN users. Hotspot user authentication allows enterprises to authenticate WLAN users using standard web browsers, eliminating the need to deploy 802.1X or MAC authentication. Hotspot authentication is especially attractive in enterprise environments such as healthcare or education, where the end-user devices are unmanaged and 802.1X would be too costly to support and maintain.
RSA authenticated Hotspot access is supported when using an RSA integrated RADIUS server that supports PAP or CHAP authentication as the RADIUS server for the Hotspot enabled WLAN. When a user associates with the Hotspot WLAN and launches their web browser, the WLAN Switch Controller or AP-51X1/AP-71X1 Access Point captures the user’s HTTP session and redirects the user’s web browser to a login page. The login page can be a default unbranded page hosted on the infrastructure device, a customised login page hosted on the WLAN Switch Controller, or a customised login page hosted on an external web server.
Before being permitted access to the network, the end-user must enter a valid user-name and passcode (PIN+tokencode) on the Hotspot login page. Once successfully authenticated, the end-user’s web browser is redirected to a welcome or intranet page and the end-user is permitted access to the network.
Hotspot is commonly deployed for guest applications and does not provide end-user encryption. For enterprise applications, data privacy can be provided by implementing WPA2-PSK with a strong passphrase on the Hotspot WLAN, which provides secure over-the-air encryption using AES-CCMP. Enterprises may also optionally provide encryption by deploying an IPsec or SSL VPN technology between the user and the protected network.
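The Hotspot section relies on the RSA integrated RADIUS server accepting PAP, which means the passcode typed on the login page travels to the RADIUS server inside a RADIUS Access-Request as a User-Password attribute. The following is an added example, not Motorola, RSA or RADIUS-server code, showing how that attribute is built and read back: the PAP hiding scheme is the one in RFC 2865 section 5.2 (XOR with an MD5 keystream derived from the shared secret and the Request Authenticator); the username, passcode, shared secret and fixed authenticator are constructed demo values.

```python
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1   # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1          # User-Name attribute type
ATTR_USER_PASSWORD = 2      # User-Password attribute type (PAP)


def hide_user_password(password, secret, authenticator):
    """RFC 2865 §5.2 User-Password hiding.

    The password is null-padded to a multiple of 16 octets. Each 16-octet block
    is XORed with MD5(secret + previous ciphertext block); for the first block
    the 16-octet Request Authenticator takes the place of the previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    padded = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        padded += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(padded).rstrip(b"\x00")


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (including the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_pap_access_request(username, passcode, secret, identifier, authenticator=None):
    """Build the Access-Request the NAS sends for a Hotspot login (User-Name + hidden User-Password)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_user_password(passcode.encode(), secret, authenticator))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_pap_access_request(packet, secret):
    """Server-side view: walk the attributes and recover the passcode using the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    result = {"identifier": identifier}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            result["username"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            recovered = unhide_user_password(value, secret, authenticator)
            result["passcode"] = recovered.decode(errors="replace")
        pos += attr_len
    return result


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # NAS <-> RADIUS shared secret (demo value)
    pkt = build_pap_access_request("jsmith", "1234234836", secret, identifier=7)
    print(len(pkt), "byte Access-Request:", pkt.hex())
    print("server recovers:", parse_pap_access_request(pkt, secret))
```

The practical caveat this makes visible is that PAP "hiding" is an MD5 keystream keyed only by the shared secret, so the passcode's confidentiality on the NAS-to-RADIUS leg rests entirely on that secret and on the Request Authenticator being fresh for every request; the tokencode inside the passcode is what limits the damage if a request is ever captured, since it expires with its 60-second window.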



When RSA authenticated Hotspot WLANs are enabled, it is important to note that Motorola does not support New PIN and Next Tokencode modes. As such, Hotspot authentication cannot be performed using a new RSA authenticator, an RSA authenticator that requires re-synchronisation, or an RSA authenticator that has been flagged to set the PIN to the Next Tokencode.

802.1X/EAP Authentication:

RSA SecurID can be used to provide two-factor authentication for 802.1X/EAP WLAN users. 802.1X/EAP authentication is commonly deployed in enterprise WLAN environments to provide secure authenticated access to wired and WLAN networks using the user’s corporate network credentials.
RSA authenticated 802.1X/EAP access is supported when using an RSA integrated RADIUS server that supports EAP-FAST, EAP-GTC or EAP-TTLS as the RADIUS server for the 802.1X/EAP enabled WLAN. When a user associates with the 802.1X/EAP WLAN, their 802.1X/EAP client establishes a secure session with the RSA integrated RADIUS server, which requests the user’s credentials. The end-user is prompted by their 802.1X/EAP client to provide a valid user-name and passcode (PIN+tokencode). Once successfully authenticated, the end-user is permitted access to the network.

Depending on the capabilities of the RSA integrated RADIUS server and the 802.1X/EAP client, advanced RSA features such as New PIN and Next Tokencode modes can be supported. Users with new RSA authenticators can associate and establish their PIN, as well as synchronise with the RSA SecurID server.
