Local Authentication RSA Securid


RSA SecurID® Setup guide: Local Authentication

DISCLAIMER

This documentation is intended for informational purposes only. These guides reflect the NASA SEWP Security Center experiences with this product. These guides are independent and are to be used as a reference for setting up the RSA SecurID® product. There are no express or implied warranties regarding the veracity of the information provided. Please read the RSA documentation for complete product information.

Note: This guide is intended for setting up local authentication. It covers everything from installing the agent to configuring the agent. The information comes directly from the RSA supplementary PDF files and other RSA documents, with additional material from the support documentation on the RSA help center.

RSA Agent 6.0 Local Authentication: Windows XP Pro SP2

Note: These instructions are based on the agent downloaded from the RSA site, not on the CD (make sure you specify where the files are to be found).

Installing Agent: Check List: To do first

1. Make sure that the server is installed on a machine.

2. Decide the type of install you want (in this case local authentication).

3. Decide whether you want the agent to auto-register and update its record on the server, or whether you want to manually create an agent host record in the server database.

   a. Auto-registration is recommended: it creates the record automatically. Otherwise the admin will have to create the record and change it any time the agent changes IP address or other information.

4. Make sure the server is enabled to auto-register Agents.

5. Make sure the server is running along with the Data broker (note: the data broker runs automatically when the server is running).

6. If you have not already done so, copy the sdconf.rec and server.cer files from the ACEDATA directory (C:RSA>ace>data) on the Primary RSA ACE/Server to the computers on which you plan to install these RSA ACE/Agent components: Local authentication client (copy to the C:\ drive).

7. Begin installing the Agent on the machine.
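Checklist step 6 (and the later registration step that copies the same two files to c:\temp) has you hand-copy sdconf.rec and server.cer from the Primary RSA ACE/Server to the agent host. The PowerShell script below is an added example, not part of the NASA SEWP guide and not RSA tooling; it stages both files on the agent host and compares each copy's SHA-256 with the source, so a truncated or altered copy is caught before the installer reads it. It assumes PowerShell 2.0 or later is available on the agent host and that the server's ACEDATA directory is reachable at the placeholder path \\ace-primary\ACEDATA (hypothetical; substitute your own mapped drive or share).

```powershell
# Added example (not from the RSA guide): stage sdconf.rec and server.cer on the
# agent host and confirm each copy is byte-identical to the original.
# Assumptions: PowerShell 2.0+ on the agent host; the Primary RSA ACE/Server's
# ACEDATA directory is reachable at $Source (hypothetical placeholder path).
param(
    [string]$Source = '\\ace-primary\ACEDATA',    # hypothetical placeholder
    [string[]]$Destinations = @('C:\', 'C:\temp')  # locations the guide uses
)

# SHA-256 via .NET so the script also runs on PowerShell 2.0 (no Get-FileHash).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$files = @('sdconf.rec', 'server.cer')
$ok = $true
foreach ($name in $files) {
    $src = Join-Path $Source $name
    if (-not (Test-Path $src)) {
        Write-Warning "Missing on server: $src"
        $ok = $false
        continue
    }
    $srcHash = Get-Sha256Hex $src
    foreach ($dir in $Destinations) {
        # Create the destination directory (e.g. C:\temp) if it does not exist yet.
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        $dst = Join-Path $dir $name
        Copy-Item -Path $src -Destination $dst -Force
        $dstHash = Get-Sha256Hex $dst
        if ($srcHash -eq $dstHash) {
            Write-Host "OK   $dst  SHA256=$srcHash"
        } else {
            Write-Warning "HASH MISMATCH for $dst (source $srcHash, copy $dstHash)"
            $ok = $false
        }
    }
}

# Non-zero exit code: at least one file was missing or did not verify.
if (-not $ok) { exit 1 }
```

Run it from an administrative PowerShell prompt once the server files are available; a non-zero exit code means a file was missing or its copy did not match, and the printed hashes can be recorded alongside the reserve password for later comparison.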

Install: Whether you are installing from a CD or from a download from the RSA site, the method and instructions should be the same. Note that this guide was written from a download from the RSA site.

1. Download the Agent 6.0 .zip file from the RSA website.

2. Unzip its contents to the Desktop. (It won't matter where you put it, because it will be installed from there.)

3. To install the agent, open the folder AA601_Win (or whatever it is called).

4. Locate the RSA ACE Agent for Windows Installer package (.msi; path: AA601_Win/en/acecInt/nt_i386).

5. Double-click it.

   a. This assumes no other RSA services are running or installed on the machine. If there are, stop them first.

6. Advance through the welcome pages: choose North America, then hit Next.

7. Select Agree and click Next.

8. Select Custom: we are doing Local Authentication. Typical will by default install the components for domain authentication, which is covered in another setup guide.


9. Turn off all components except the Local Authentication Client (click on the small thumbnail image next to each feature, then click the red X to stop the installation of that feature). Hit Next.

10. Locate the sdconf.rec file to identify the server. Note: it should have been copied to the C drive (c:\sdconf.rec). If not, hit Browse to locate and select the sdconf file. Wherever you keep the file, make sure you specify where to find it, but if it is stored on the C drive the installer should go right to it by default.


11. If you want to change the path it's your choice; just remember its new location. Otherwise click Next to keep the default.

12. Same as step 11: click Next to keep the default location.


13. Choose "Do not challenge the Admin" and hit Next. Note: you may choose to challenge the Admin after installation, but you will have to remember to go in and specify it. You can also challenge all users. Caution: if you log off the machine after install and there are any problems authenticating, you will be locked out. Leaving the Admin unchallenged keeps a way back into the machine.

14. Click Install.


15. Click Finish but do not restart yet.

Automated Registration of Agent Hosts in the RSA ACE/Server Database

To install and run the Automated Agent Host Registration and Update utility:

16. Copy the sdconf.rec and server.cer files from the Primary RSA ACE/Server (note the path) to a temporary directory on the Agent host (c:\temp\).

17. Copy the sdadmreg_install.exe file from the acesupp\sdadmreg\nt_i386 directory to the temporary directory you created in the previous step (c:\temp\).


NOTE: Before you run sdadmreg.exe, verify that the database brokers are running on the RSA ACE/Server. If the RSA ACE/Server is installed on a Windows computer, starting any RSA ACE/Server program, such as the Database Administration application, automatically starts the database brokers.

18. On the Agent host, double-click sdadmreg_install.exe and follow the instructions on your screen. The sdadmreg_install utility installs sdconf.rec, server.cer, and sdadmreg.exe in the \system32 directory.

19. Go through the welcome page by hitting Next.


20. Accept: click Yes.

21. Install: click Yes.


22. Click Finish (you may want to verify that the files are in the system folder).

23. Restart the machine. This activates the Agent and the auto-registration feature with the server. The RSA login box will appear and request a user name and passcode.

Test the Authentication using the RSA ACE/Agent in Control Panel

1. Test the Authentication using the ACE/Agent: Control Panel ---> RSA ACE/Agent ---> double-click, then click on Test Authentication with RSA ACE/Server.

2. Click on RSA ACE/Server Test Directly.

3. Type the SecurID user name and passcode.


4. Notice the Authentication successful message.

5. Challenge the users in a group with SecurID:

   a. Create a group first and add a SecurID user as a member of that group.

   b. Set the SecurID Challenge for users in a group: select the option "Challenge Users" and select a group.

6. Set the reserve password.


The reserve password must be more than 6 characters and contain at least one number. Document this reserve password in a secured location. It provides access to the machine in case of emergency and can be used only after disconnecting the machine from the network.

Offline access configuration (not tested):

1. Control Panel --> Administrative Tools ---> Services ---> double-click on RSA Authentication Agent Offline Local Properties. Click on the Start button. Click OK. Restart the machine.

Log in as a user from the challenge group. You will be prompted with SecurID. After that you will be prompted for the Windows password. This password will be stored in the ACE/Server database. Log off and log back in as the same user. Notice that you will be able to log in with SecurID credentials only.

Troubleshooting:

1. On the ACE/Server, verify the system configuration and confirm that password integration is enabled at the system level and at the Agent host level as well.

2. Make sure that on the ACE/Server the offline auth data daemon is running and port 5580 is listening.

3. Observe the ACE/Server log monitor for any related errors.


4. On the Agent host, make sure that the service RSA Authentication Agent Offline Local is running.

5. Enable tracing in the ACE/Agent Advanced tab. This creates the ACECLIENT.LOG file in the Winnt directory on Windows 2000 machines (on Windows 2003 and XP machines the trace file is created in the Windows directory). Please refer to the online help menu for details.

6. In the Advanced tab, clear offline logon data if the password download fails.

Password recharging: On the Agent host ---> Task Bar ---> double-click on the RSA SecurID - Recharge offline days icon. You can recharge the password if you have changed the password on the domain.
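Installation step 22 and troubleshooting items 2, 4 and 5 above amount to four checks on the agent host: that sdadmreg_install.exe placed sdconf.rec, server.cer and sdadmreg.exe in \system32, that the RSA Authentication Agent Offline Local service is running, that the server's port 5580 is reachable from this host, and what ACECLIENT.LOG has recorded. The PowerShell script below is an added example, not part of the NASA SEWP guide and not from RSA, that runs those checks in one pass. It assumes PowerShell 2.0 or later on the agent host, uses the hypothetical server name ace-primary as a placeholder, matches the service by the display name quoted in the guide (the internal service name is not given on the page), and looks for the trace file in both directories the guide mentions.

```powershell
# Added example (not from the RSA guide): agent-host checks corresponding to
# installation step 22 and troubleshooting items 2, 4 and 5.
# Assumptions: PowerShell 2.0+ on the agent host; $Server is the RSA ACE/Server
# (hypothetical placeholder); service display name and log file name are taken
# from the guide text and may differ by agent version.
param(
    [string]$Server = 'ace-primary',   # hypothetical placeholder
    [int]$Port = 5580                  # offline auth data port named in the guide
)

$sys32 = Join-Path $env:SystemRoot 'system32'

# 1. Files that sdadmreg_install.exe should have placed in \system32 (step 18/22).
foreach ($name in @('sdconf.rec', 'server.cer', 'sdadmreg.exe')) {
    $path = Join-Path $sys32 $name
    if (Test-Path $path) { Write-Host "OK      $path" }
    else { Write-Warning "MISSING $path" }
}

# 2. The offline service from troubleshooting item 4, matched by display name.
$svc = Get-Service |
    Where-Object { $_.DisplayName -like 'RSA Authentication Agent Offline Local*' } |
    Select-Object -First 1
if (-not $svc) {
    Write-Warning 'Service "RSA Authentication Agent Offline Local" not found'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service $($svc.DisplayName) is $($svc.Status), expected Running"
} else {
    Write-Host "OK      service $($svc.DisplayName) is Running"
}

# 3. Can this host reach the server's offline auth data port (item 2)?
#    A plain TCP connect; works on PowerShell 2.0, which lacks Test-NetConnection.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Server, $Port)
    Write-Host "OK      TCP ${Server}:$Port reachable"
} catch {
    Write-Warning "Cannot connect to ${Server}:$Port - $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 4. Tracing (item 5): show the last error-like lines from ACECLIENT.LOG, checking
#    both locations the guide names (Windows directory and Windows\System32).
$logs = @((Join-Path $env:SystemRoot 'ACECLIENT.LOG'), (Join-Path $sys32 'ACECLIENT.LOG'))
foreach ($log in $logs) {
    if (Test-Path $log) {
        Write-Host "Recent error lines in $log :"
        Get-Content $log | Select-String -Pattern 'error|fail' | Select-Object -Last 10
    }
}
```

The port check only proves the server answers on 5580 from this host; whether the daemon behind it is the offline auth data service still has to be confirmed on the ACE/Server side as item 2 describes. Run the script with tracing already enabled in the Advanced tab, otherwise the log section prints nothing.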


The Local Authentication Client (LAC) and the Domain Authentication Client (DAC) can be installed on the same machine. The limitation of this configuration is that the domain password must match the local password for a given user account. Otherwise, if a local password is changed, it breaks the password integration used by domain authentication. If the password is changed on the domain, click on Clear offline logon data in the Advanced tab, then authenticate again. This will download the password again.

Enable Tracing: This creates the tracing file ACECLIENT.LOG in Winnt/System32 on Windows 2000 clients. On Windows 2003/XP machines the tracing file is created in Windows/System32.
