Walk-through for RSA SecurID Authentication for IAG 2007 – Part 2 of 2

Last post we reviewed the RSA Agent configuration, now we are going to cover the IAG. 


IAG 2007 Configuration


          Install the RSA Authentication Agent on the IAG server.

          IAG 2007 uses the RSA supplied authentication agent to communicate with and verify credentials against, the RSA Authentication Manager.  The RSA Authentication Agent is typically supplied with your RSA software package.  It is also available directly from RSA.

          NOTE: The installation of the RSA Authentication Agent on the IAG server will update the GINA on the server.  However, you can still provide AD credentials when logging in to the IAG 2007 server.

          Test authentication and create the Node Secret

          After installing the RSA Authentication Agent, and rebooting the server, launch the RSA Security Center application on the IAG server.  In RSA Security Center, select ‘Authentication Test’ and click the ‘Test’ button.  In the Authenticator drop-down list, select ‘Key fob, standard card, PINPad.  For User name, enter a user name that has been created on the RSA Authentication Manager.  For Passcode, enter the Passcode shown on the token that is currently associated with the user name entered.

This test will:

1.       Verify the connection between the IAG server and the RSA Authentication Manger

2.       Verify that the credentials and Passcode supplied are valid

3.       Establish the Node Secret between the IAG server and the RSA Authentication Manager.  The established Node Secret is stored in the registry on the IAG server.

Figure 1


          Configure RSA SecurID authentication on the IAG server

          In the IAG Configuration application, under HTTPS Connections, select the relative Portal/Trunk.  Under the ‘Security & Networking’ section, click Configure next to ‘Advanced Trunk Configuration’.

          In the Advanced Trunk Configuration dialog, select the Authentication tab and click ‘Add’.  In the ‘Authentication and User/Group Servers dialog, click ‘Add’.

          In the ‘Add Server’ dialog, select ‘ACE’ in the Type drop-down list.  Enter a name to represent this authentication server (i.e. SecurID).   Enter the IP address of the RSA Authentication Manager server.  The default port for SecurID authentication is 5500.  If the RSA Authentication Manager has been configured with an alternate/non-default port, enter the port number here.  Click OK.  Activate the Configuration.


Figure 2


          The Portal login page will now have the SecurID authentication type available.  Note that if you have configured multiple Authentication servers in your Portal, when logging into the Portal, you will need to make sure you select the RSA SecurID authentication type from the available choices in the ‘Directory’ drop-down list.



Figure 3




Richard Barker

Security Support Engineer – ISA/IAG Team

Microsoft – NC