Configuring SecurID authentication in IAG

Applies To: Intelligent Application Gateway (IAG)

In order to use an RSA SecurID server for Whale Communications Intelligent Application Gateway (IAG) 2007 authentication, an RSA agent for Windows must be installed on IAG. The following agents are supported:

  • RSA Authentication Agent 6.0 for Windows

  • RSA ACE/Agent 5.6 for Windows

  • RSA ACE/Agent 5.5 for Windows

The SecurID authentication scheme authenticates the user on an RSA ACE/Server. When challenged, the user has to enter a password that is a combination of two numbers: a personal identification number (PIN), supplied by RSA, combined with a token code, which is the number displayed on the RSA SecurID authenticator.

The SecurID scheme also supports additional challenge-response modes: Next Token and New PIN. Those are described in the following sections.

Next Token mode

Next Token mode is applied in cases where the authentication process requires additional verification of the token code. The user is then challenged to enter the next token code, that is, to wait for the number that is displayed on the authenticator to change and enter the new number (without the PIN).

New PIN mode

New PIN mode is applied in cases where the authentication process requires additional verification of the PIN. In this case, the user is required to use a new PIN. The new PIN is derived from one of the following two sources, depending on the configuration of the RSA ACE/Server:

  • The user is prompted to select and enter a new PIN.

  • The server supplies the user with a new PIN.

The user is then required to reauthenticate with the new PIN.

The use of New PIN mode is optional and can be enabled or disabled both on the authentication server and in the IAG Configuration console. The Configuration console setting takes precedence over the authentication server setting: if IAG is configured to disable New PIN mode, the option is disabled even if it is enabled on the server.

Note

For security reasons, we recommend that you do not enable the New PIN mode.

RSA SecurID authentication flow

The following figure illustrates the authentication process users go through when the RSA SecurID scheme is implemented.

Note

The flow includes both Next Token and New PIN modes, which are only applicable under the conditions described above.

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is determined in the Authentication tab, in Permitted Authentication Attempts.

RSA SecurID Authentication Flow


Configuring the RSA ACE authentication server

It is the responsibility of the system administrator to define IAG as an agent host (new server versions) or a client host (older server versions) of the RSA ACE/Server. In the dialog box where you define IAG, make sure the following is configured:

  • Agent type: Net OS Agent

  • The Open to All Locally Known Users check box is selected

If the New PIN mode is used, the system administrator must define whether the new PIN will be system-generated or requested from the user. These settings will affect the appearance and functionality of the login continue page. IAG supports PINs that are four to eight digits in length.
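The following Python model of the flow described under "RSA SecurID authentication flow", including the four-to-eight-digit PIN rule above, is an added example and is not IAG or RSA code. The reply names, the scripted server and all passcodes are constructed; it assumes a user-chosen PIN, that a Next Token challenge does not use up a separate attempt, and that a New PIN challenge refused by IAG counts as a failed attempt.

```python
import re
from enum import Enum

class Reply(Enum):  # hypothetical names for the authentication server's answers
    OK = "ok"
    DENIED = "denied"
    NEXT_TOKEN = "next token"
    NEW_PIN = "new pin"

PIN_RE = re.compile(r"\d{4,8}")  # IAG supports PINs of four to eight digits

def scripted_server(replies):
    """Constructed stand-in for the RSA ACE/Server: canned replies, call log."""
    log, queue = [], iter(replies)
    def server(kind, value):
        log.append(kind)
        return next(queue)
    return server, log

def login(server, typed, iag_new_pin_enabled, permitted_attempts=3):
    """Drive one login; `typed` lists what the user enters, in order."""
    typed = iter(typed)
    for _ in range(permitted_attempts):
        reply = server("passcode", next(typed))  # PIN combined with token code
        if reply is Reply.NEXT_TOKEN:
            # User waits for the display to change, then sends the code alone.
            reply = server("next_token", next(typed))
        if reply is Reply.NEW_PIN:
            if not iag_new_pin_enabled:
                continue  # IAG setting wins; assumed to count as a failed attempt
            new_pin = next(typed)
            if not PIN_RE.fullmatch(new_pin):
                continue  # out-of-range PIN is never sent to the server
            server("new_pin", new_pin)
            reply = server("passcode", next(typed))  # reauthenticate, new PIN
        if reply is Reply.OK:
            return "granted"
    return "failed"  # attempts exhausted: login failure is final

if __name__ == "__main__":
    # Constructed run: server asks for a new PIN, but IAG has the mode disabled.
    srv, calls = scripted_server([Reply.NEW_PIN] * 3)
    print(login(srv, ["1234567890"] * 3, iag_new_pin_enabled=False), calls)
```

With New PIN mode disabled in IAG, the call log never contains a `new_pin` step, whatever the server requests.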