3.63. <AuthBy RSAAM>

This module provides authentication via RSA Authentication Manager AM 7.1 and later. AM 7.1 provides more features than the ACE server and RSA Mobile servers it replaces.
AM 7.1 supports traditional SecurID two-factor token cards, as well as static passwords. It also supports OnDemand tokencodes, where a random tokencode is sent to the user via email or SMS. It also supports authentication through a series of user-configurable security questions. All these authentication methods are supported by AuthBy RSAAM.
AuthBy RSAAM can authenticate the following protocols against AM. Note that CHAP, MSCHAPV1, MSCHAPV2 and EAP-MSCHAPV2 cannot be authenticated against AM.
  • PAP
  • TTLS-PAP
  • EAP-GTC
  • EAP-OTP
  • PEAP-GTC
AuthBy RSAAM works on all platforms supported by Radiator, including Windows, Linux, Solaris, Unix etc. AuthBy RSAAM connects to the AM server over SSL and SOAP, and therefore requires the following Perl modules from CPAN:
  • SOAP::Lite and its prerequisites
  • Either Crypt::SSLeay or IO::Socket::SSL
  • Net::SSLeay
For more information, see Section 2.1.2. CPAN.
Tip
Sample configuration files are provided in the goodies directory of your distribution in rsaam.cfg and eap_peap_gtc_rsaam.cfg.
Tip
RSA AM cannot select a preferred authentication policy per user. Therefore, if you need different authentication policies for different groups of users, you need an <AuthBy RSAAM> clause for each policy, and then direct requests to the appropriate clause using one of the many methods supported by Radiator.
Tip
AuthBy RSAAM returns IGNORE if it is unable to communicate with its configured AM server. This means you can chain several AuthBy RSAAM clauses together using AuthByPolicy ContinueWhileIgnore to implement failover from one AM server to another when an AM server is unavailable.
Tip
In some circumstances, the Radiator connection to RSA AM may fail with an error message in the RSA WebLogic server like:
Received fatal alert: bad_record_mac at sun.reflect.NativeConstructorAccessorImpl.newInstance0
This can be fixed by adding these JVM options to the WebLogic server start file:
  • -Dhttps.protocols=SSLv3,TLSv1
  • -Dsun.security.ssl.allowLegacyHelloMessages=true
  • -Dsun.security.ssl.allowUnsafeRenegotiation=true
Note that these options re-enable SSLv3, legacy hello messages and unsafe renegotiation on the WebLogic side, so treat them as a compatibility workaround rather than a permanent setting.

Configuring Authentication Manager for AuthBy RSAAM

In order to configure Authentication Manager to work with AuthBy RSAAM:
  1. Install RSA AM 7.1 on your platform of choice, or install the AM 8.0 virtual appliance.
  2. Install Radiator on your platform of choice. It may be the same host as AM 7.1, or, in the case of AM 8.0, a different one.
  3. Install SOAP::Lite and its prerequisites on the Radiator host.
  4. Starting with one of the sample RSAAM configuration files, configure Radiator.
  5. Get the user name and password required for AuthBy RSAAM to connect to AM. These commands will print out the user name and password that AM automatically generates during installation.
    Do this on AM7.1 or earlier:
    cd "C:\Program Files\RSA Security\RSA Authentication Manager\Utils"
    rsautil manage-secrets -m <MASTERPWD> -a list
    Do this on AM 8.0:
    cd /opt/rsa/am/utils
    ./rsautil manage-secrets --action list
    This will print out the user name and password required for Radiator to connect to AM 7.1 or 8.0. Enter the user name and password as SessionUsername and SessionPassword in your Radiator configuration file.
  6. Select which authentication method you will use to authenticate all your users. Set Policy in your Radiator configuration file.
  7. Set Host in your Radiator configuration file to the FQDN (fully qualified domain name) and port number of your AM host. For example:
    Host boodgie.open.com.au:7002
  8. Add and configure a test user to AM. If required allocate a token to the user.
  9. Start Radiator and test with a command like:
    radpwtst -noacct -user username -password password -interactive -timeout 60
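The following Radiator configuration fragment ties steps 5 to 7 together and chains a second AM server for failover as described in the ContinueWhileIgnore tip above. It is an added example, not one of the sample files shipped in the goodies directory; the host names and the PLACEHOLDER_ credentials are placeholders to be replaced with your own values and with the output of rsautil manage-secrets.

```text
# Added example, not from the Radiator distribution. Host names and
# credentials are placeholders.
<Handler>
    # Try the first AM server; only an IGNORE (AM unreachable) falls
    # through to the next clause. An ACCEPT or REJECT stops here.
    AuthByPolicy ContinueWhileIgnore

    <AuthBy RSAAM>
        # Step 7: FQDN and port of the primary AM server (placeholder)
        Host am-primary.example.com:7002
        # Step 5: values printed by "rsautil manage-secrets" (placeholders)
        SessionUsername PLACEHOLDER_SESSION_USERNAME
        SessionPassword PLACEHOLDER_SESSION_PASSWORD
        # Step 6: one policy per clause; every user here uses a SecurID token
        Policy SecurID_Native
        # Give up on this server after 20 seconds (the default)
        Timeout 20
    </AuthBy>

    <AuthBy RSAAM>
        # Secondary AM server. The session credentials are assumed to be
        # the same on both servers here; confirm with manage-secrets on
        # each host.
        Host am-secondary.example.com:7002
        SessionUsername PLACEHOLDER_SESSION_USERNAME
        SessionPassword PLACEHOLDER_SESSION_PASSWORD
        Policy SecurID_Native
        Timeout 20
    </AuthBy>
</Handler>
```

Test it with the radpwtst command from step 9. Because an AuthBy RSAAM clause returns IGNORE only when it cannot reach its AM server, a wrong passcode rejected by the primary is not retried against the secondary; the second clause is consulted only when the first server is down or times out.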

3.63.1. Host

This parameter specifies the address and port number of the RSA AM server. It is used as %1 in the Endpoint parameter. The default is "localhost:7002". You will have to change this to the hostname/address and port number of your RSA AM server, since by default AM does not listen on localhost. 7002 is the usual port number for RSA AM.

3.63.2. Endpoint

This optional parameter specifies how to create the endpoint of the SOAP connection to the RSA AM server. Special characters are permitted. %0 is replaced by the value of the Protocol parameter (for more information, see Section 3.63.3. Protocol) and %1 is replaced by the value of the Host parameter (for more information, see Section 3.63.1. Host). The default is %0://%1/ims-ws/services/CommandServer.
You should not normally need to change this from the default.

3.63.3. Protocol

This optional parameter specifies the protocol that will be used to contact the RSA AM server. It is used as %0 in the Endpoint parameter. The default is "https". You should not normally need to change this.

3.63.4. URI

This optional parameter specifies the SOAP URI that will be accessed in the RSA AM server. The default is "http://webservice.rsa.com/". You should not normally need to change this. Note that this is not the address of a web resource and it is not accessed by Radiator during authentication.

3.63.5. Policy

This optional parameter specifies the authentication policy that is to be used. Defaults to RSA_Password.
Options are:
  • SecurID_Native
    Traditional SecurID two-factor token cards. User enters their PIN followed by the tokencode currently showing on their token card.
  • OnDemand
    User enters their PIN. AM sends a temporary tokencode to the user by email or SMS, according to however AM is configured. User then enters the tokencode they receive.
  • RSA_Password
    Static password stored in the RSA internal database.
  • LDAP_Password
    Static password stored in an LDAP database.
  • Security_Questions
    User is asked a series of security questions, and enters answers that they have previously configured using the RSA Self-Service Console.
  • SecurID_Proxy

3.63.6. SessionUsername

User name used to authenticate the SSL connection to AM. Created automatically by AM during installation. For more information, see Section 3.63.1. Host.

3.63.7. SessionPassword

Password used to authenticate the SSL connection to AM. Created automatically by AM during installation. For more information, see Section 3.63.1. Host.

3.63.8. ChallengeHasPrompt

Adds the RADIUS Prompt attribute to Access-Challenge messages. The Prompt value is based on responses received from RSA AM. The default is not to add Prompt to Access-Challenges. The Prompt attribute is a hint to the client software whether or not to echo sensitive user input such as PINs or security question answers.

3.63.9. SessionRealm

Tip
This is now an obsolete parameter.
Previously, the realm name used to authenticate the SSL connection to AM.

3.63.10. Timeout

This optional parameter specifies the timeout in seconds that will be used during authentication requests sent by Radiator to the RSA AM server. The default is 20 seconds.

3.63.11. SOAPTrace

This optional parameter enables low level protocol tracing in the SOAP::Lite module. Setting it to "debug" will cause details of each incoming and outgoing SOAP request to be printed on STDOUT.

3.63.12. Message

This optional parameter enables customisation of various user messages generated by this module. The key for each message is the RSA AM message, and the value is the string you want the user to see.

3.63.13. SSLVerify

May be used to control how the server's certificate will be verified. May be one of "none" or "require".

3.63.14. SSLCAFile

Use this option to locate the file containing the certificates of the trusted certificate authorities. Thus, you can verify that the server certificate has been signed by a reputable certificate authority. Special characters are permitted.
Here is an example of using SSLCAFile:
SSLCAFile %D/certificates/demoCA/cacert.pem

3.63.15. SSLCAPath

The SSLCAPath parameter specifies the name of a directory containing CA root certificates that may be required to validate TLS client certificates. Radiator looks for root certificates first in SSLCAFile, then in SSLCAPath, so there is usually no need to set both. When Certificate Revocation List (CRL) checks are enabled, this directory is also used by the TLS library to look for CRL files.
Special characters are supported. The certificates and CRLs must be in PEM format, one per file. The file name has a special format. Setting up this directory is described in Section 3.11.3. TLS_CAPath.
Here is an example of using SSLCAPath:
SSLCAPath %D/cadirectory

3.63.16. SSLVerifyCNName and SSLVerifyCNScheme

SSLVerifyCNName sets the name which is used when verifying the hostname against the certificate presented by the RSA AM HTTPS server. SSLVerifyCNScheme controls how the verification is done, for example, whether wildcards are allowed. For more information, see IO::Socket::SSL.
The following allows the wildcard certificate name *.example.com to match:
SSLVerifyCNName example.com
SSLVerifyCNScheme http

3.63.17. SSL_CertificateFile

Specifies the name of a client certificate file which will be used to authenticate the SSL connection to the AM server. The certificate will be sent to the AM server for SSL authentication. The certificate file must be in PEM format. The certificate file can also contain the client's TLS private key if the SSL_PrivateKeyFile parameter specifies the same file. Not required if AM does not require client certificate authentication.

3.63.18. SSL_PrivateKeyFile

Specifies the name of the file containing the SSL client's private key. It is sometimes in the same file as the client certificate (SSL_CertificateFile). The private key must not be encrypted and must not require a passphrase.
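The SSL parameters from Section 3.63.13 onward decide whether Radiator can tell a genuine AM server from an impostor before it sends the session credentials and user passcodes. Below, as an added example that is not part of the Radiator distribution, is a clause that skips verification beside one that requires it; the host name, the %D-relative file paths and the PLACEHOLDER_ credentials are placeholders.

```text
# Added example, not from the Radiator distribution. Host name, paths
# and credentials are placeholders.

# Weak: the AM server certificate is never checked, so the session
# credentials and every user's PIN and tokencode go to whatever answers
# on am.example.com:7002.
<AuthBy RSAAM>
    Host am.example.com:7002
    SessionUsername PLACEHOLDER_SESSION_USERNAME
    SessionPassword PLACEHOLDER_SESSION_PASSWORD
    Policy SecurID_Native
    SSLVerify none
</AuthBy>

# Hardened: require a certificate chained to a CA you trust, and check
# that the name in it matches the host being contacted.
<AuthBy RSAAM>
    Host am.example.com:7002
    SessionUsername PLACEHOLDER_SESSION_USERNAME
    SessionPassword PLACEHOLDER_SESSION_PASSWORD
    Policy SecurID_Native
    SSLVerify require
    # CA bundle that signed the AM server certificate (placeholder path;
    # %D is expanded by Radiator as in the SSLCAFile example above)
    SSLCAFile %D/certificates/am-ca.pem
    # Name expected in the server certificate; scheme "http" permits
    # wildcard names such as *.example.com
    SSLVerifyCNName am.example.com
    SSLVerifyCNScheme http
    # Only needed if AM is configured to require a client certificate.
    # The private key must be unencrypted, so restrict the file's
    # permissions to the Radiator user.
    SSL_CertificateFile %D/certificates/radiator-client.pem
    SSL_PrivateKeyFile %D/certificates/radiator-client.key
</AuthBy>
```

If the AM server's certificate is issued by an internal CA, point SSLCAFile at that CA's certificate rather than at a public bundle, and keep SSLVerifyCNName equal to the host part of Host so a certificate for an unrelated name is rejected even when it chains to the same CA.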