RSA SecurID Ready Implementation Guide · 2015. 10. 1. · RSA Authentication Manager 8.0 Virtual...
Workspot, Inc.
RSA SecurID Ready Implementation Guide
Last Modified: September 16, 2013
Partner Information
Product Information
Partner Name: Workspot, Inc.
Web Site: workspot.com
Product Name: Workspot
Version & Platform: Workspot 2.0.3 for iPad and iPhone
Product Description: Workspot helps companies improve productivity by securely connecting users to core business applications and data on their personal mobile devices. Workspot’s patent-pending mobile virtualization solution can be quickly deployed using existing infrastructure. The Workspot solution consists of a client application running on a mobile device together with a cloud-based administration console.
Solution Summary
The Workspot Client is a secure mobile virtualization container on the device, which includes a virtual file system and a virtual network. The virtual network provides secure connectivity to the users’ corporate resources while the virtual file system stores documents downloaded on the device.
Workspot Control is a cloud-based service console that an IT administrator uses to configure and manage the applications, VPN connection and policies for mobile users.
Workspot and RSA SecurID
Workspot leverages RSA SecurID authentication provided by SSL VPN gateway appliances and currently supports the following vendors and products:
Cisco Adaptive Security Appliance (ASA)
Dell SonicWALL Secure Remote Access (SRA)
F5 BIG-IP Access Policy Manager (APM)
Juniper Secure Access Series SSL VPN
Note: Individual products may not support all features. Links to RSA’s Cisco, Dell, F5 and Juniper SSL VPN Implementation Guides can be found in the Appendix of this document.
RSA SecurID supported features
Workspot 2.0.3
RSA SecurID Authentication via Native RSA SecurID Protocol Yes
RSA SecurID Authentication via RADIUS Protocol Yes
On-Demand Authentication via Native SecurID Protocol Yes
On-Demand Authentication via RADIUS Protocol Yes
RSA Authentication Manager Replica Support Yes
Secondary RADIUS Server Support Yes
RSA Software Token Supported Features
Windows Automation No
SID800 Automation No
OS X Automation No
iOS Automation Yes
Android Automation No
File-based Provisioning No
CT-KIP Provisioning Yes
CTF Provisioning Yes
Workspot Authentication using RSA SecurID
In Workspot Control, the administrator defines which SSL VPN gateway the mobile user authenticates and connects to, and defines a security policy to enable RSA SecurID. The VPN gateway must be configured to use the RSA Authentication Manager for authentication.
The Workspot client will authenticate using RSA SecurID as follows:
1. Workspot Control sends a security profile with RSA SecurID enabled to the mobile device.
2. The mobile user initiates a login via the Workspot client.
3. The user’s credentials, username and passcode are sent to the VPN gateway to authenticate using the RSA Authentication Manager.
4. The RSA Authentication Manager may present authentication challenges associated with the user’s account or token state.
5. The user enters responses to the authentication challenges as required.
6. If the credentials are valid, the user will be authenticated by the RSA Authentication Manager and a VPN session is created with the VPN gateway. If the authentication fails, the user is denied access and a session is not established.
[Figure: authentication flow, steps 1 through 6, between Workspot Control, the Workspot Client, the SSL VPN Gateway and the Authentication Manager]
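The challenge loop in steps 3 through 6, as an added simulation that is not part of the original guide and does not implement RSA's native or RADIUS protocol. The class and function names, the challenge labels and the threshold of three bad passcodes are assumptions made for illustration; the 4-8 alphanumeric PIN rule and the forced re-authentication after a new PIN come from the screens and checklist in this guide.

```python
import re

PIN_POLICY = re.compile(r"[A-Za-z0-9]{4,8}")  # guide: user-defined 4-8 alphanumeric PIN
NEXT_CODE_AFTER = 3  # assumed number of bad passcodes that triggers next-tokencode mode

class MockAuthManager:
    """Constructed stand-in for the VPN gateway plus Authentication Manager."""
    def __init__(self, pin, codes):
        self.pin = pin            # None means the token is in New PIN mode
        self.codes = list(codes)  # tokencodes the token displays, in order
        self.bad = 0              # failed passcodes since the last success
        self.pending = None       # challenge currently outstanding, if any

    def submit(self, value):
        """Return ACCEPT, REJECT, or the name of the challenge to answer next."""
        if self.pending == "NEW_PIN":
            if not PIN_POLICY.fullmatch(value):
                return "NEW_PIN"              # policy not met, prompt again
            self.pin, self.pending = value, None
            return "PASSCODE"                 # force authentication after new PIN
        if self.pending == "NEXT_TOKENCODE":
            self.pending = None
            ok = bool(self.codes) and value == self.codes.pop(0)
            self.bad = 0 if ok else self.bad + 1
            return "ACCEPT" if ok else "REJECT"
        code = self.codes.pop(0) if self.codes else None  # one code per attempt
        if self.pin is None:                  # New PIN mode: tokencode alone
            if value == code:
                self.pending = "NEW_PIN"
                return "NEW_PIN"
            return "REJECT"
        if code is None or value != self.pin + code:      # passcode = PIN + tokencode
            self.bad += 1
            return "REJECT"
        if self.bad >= NEXT_CODE_AFTER:       # good passcode after repeated failures
            self.pending = "NEXT_TOKENCODE"
            return "NEXT_TOKENCODE"
        self.bad = 0
        return "ACCEPT"

def login(server, answers):
    """Client loop: keep answering challenges until ACCEPT or REJECT."""
    transcript = []
    for value in answers:
        result = server.submit(value)
        transcript.append(result)
        if result in ("ACCEPT", "REJECT"):
            break
    return transcript
```

A transcript that ends on a challenge name rather than ACCEPT means the user abandoned the exchange, and no session should be treated as established.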
Partner Product Configuration
Before You Begin
This section provides instructions for configuring Workspot with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
RSA SecurID authentication for Workspot can either be enabled during the Workspot Express Setup or after the basic Workspot account has been configured.
Important: The SSL VPN gateway must be configured to support RSA SecurID authentication before enabling RSA for Workspot. Refer to the appropriate RSA Implementation Guide found in the Appendix of this document.
Procedure Overview
Enabling RSA during the Express Setup
To enable RSA SecurID during the Workspot Control Express Setup, select Yes as shown in Screen 1.
Screen 1 Enabling RSA during Express Setup
Enabling RSA
If the Express Setup has already been completed, RSA SecurID can be enabled using Workspot Control: first add a new Security Policy, then assign that policy to the group that will be using SecurID authentication. Refer to screens 2 through 6.
Screen 2 Adding a New Security Policy (1 of 2)
Screen 3 Adding a New Security Policy (2 of 2)
Screen 4 Assigning the RSA Security Policy to a Group (1 of 3)
Screen 5 Assigning the RSA Security Policy to a Group (2 of 3)
Screen 6 Assigning the RSA Security Policy to a Group (3 of 3)
Importing an RSA SecurID Software Token into Workspot
The Workspot client supports an integrated token, which is imported into the Workspot client. To import a token, obtain either an SDTID file or a CT-KIP URL through the RSA Authentication Manager. SDTID files should be converted to CTF format with the RSA Token Converter utility using the -mobile option. See the RSA SecurID Software Token Converter documentation at http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/converter.htm for more information.
Note: This procedure is only required if you have a CTF or CT-KIP link and want to import that token into Workspot. It is not required if you are using an external physical or software token authenticator.
To import a token, click the CTF or CT-KIP link on the device where Workspot is installed.
(Screen 1 of 3)
This will launch the Workspot Client and import the token; enter the token file password if needed.
(Screen 2 of 3)
Once the file has been successfully imported, click OK to continue.
(Screen 3 of 3)
RSA SecurID Authentication
After RSA SecurID has been configured using Workspot Control, the policy is updated on the mobile device. Any user belonging to a group for which RSA is enabled will be prompted for an RSA SecurID passcode or PIN during authentication, as shown in the following device screens.
Note: Your Workspot home and application screens will look different from the following examples and will be based on the applications defined in Workspot Control.
Note: If using an integrated token, the token must be imported into Workspot before authenticating.
From the Workspot home screen, click any application, such as an internal SharePoint site, which requires authentication using the SSL VPN gateway.
(Screen 1 of 3)
RSA Authentication with External Token
To authenticate with a hardware or software token, the user should enter their username, password, and RSA SecurID passcode from the token. Depending on the token configuration, the passcode is typically “PIN + token code” for a hardware token, or the Passcode shown after the PIN is entered into the software token.
(Screen 2 of 3)
RSA Authentication with Integrated Token
To authenticate with the integrated token, the user should enter their username, password, and RSA SecurID PIN.
(Alternate screen 2 of 3)
After successful authentication, the application home page is shown, in this example, SharePoint.
(Screen 3 of 3)
Workspot RSA SecurID Authentication Screen Examples
Authentication Screens
The Workspot SecurID authentication screens shown below are with Workspot configured for the Cisco ASA. Other supported SSL VPN gateways display similar authentication prompts.
System generated new PIN prompts
User defined (4-8) alphanumeric PIN
Next tokencode
Certification Checklist for RSA Authentication Manager
Date Tested: September 16, 2013
Certification Environment
Product Name | Version Information | Operating System
RSA Authentication Manager | 8.0 | Virtual appliance
Cisco ASA | Cisco Adaptive Security Appliance Software Version 8.0(5)23 | Cisco IOS
Workspot | 2.0.3 | iPad, iPhone iOS 6.1
RSA SecurID Authentication – RSA Native Protocol
Windows OS X Android iOS Other
New PIN
Force Authentication After New PIN N/A N/A N/A N/A
System-Generated PIN N/A N/A N/A N/A
User Defined (4-8 Alphanumeric) N/A N/A N/A N/A
User Defined (5-7 Numeric) N/A N/A N/A N/A
Deny 4 and 8 Digit PIN N/A N/A N/A N/A
Deny Alphanumeric PIN N/A N/A N/A N/A
Deny PIN Reuse N/A N/A N/A N/A
Passcode
16-Digit Passcode N/A N/A N/A N/A
4-Digit Fixed Passcode N/A N/A N/A N/A
Next Tokencode Mode
Next Tokencode Mode N/A N/A N/A N/A
On-Demand Authentication
On-Demand Authentication N/A N/A N/A N/A
On-Demand New PIN N/A N/A N/A N/A
Load Balancing / Reliability Testing
Failover (3-10 Replicas) N/A N/A N/A N/A
No RSA Authentication Manager N/A N/A N/A N/A
GLS / PAR = Pass = Fail N/A = Not Applicable to Integration
RSA Software Token Automation – RSA Native Protocol
Windows OS X Android iOS Other
PINless Token
Next Tokencode Mode N/A N/A N/A N/A
PINpad-style Token
Deny Alphabetic PIN N/A N/A N/A N/A
Next Tokencode Mode N/A N/A N/A N/A
Fob-style Token
16-Character Passcode N/A N/A N/A N/A
Alphanumeric PIN N/A N/A N/A N/A
Next Tokencode Mode N/A N/A N/A N/A
Other
Password-Protected Token N/A N/A N/A N/A
System-Generated PIN N/A N/A N/A N/A
GLS / PAR = Pass = Fail N/A = Not Applicable to Integration
Appendix
Software Token SDK Integration Details
Feature | Android | iOS | Other
RSA Software Token SDK
RSA Software Token SDK Version | N/A | 1.5 | N/A
RSA Software Token Data
Display Token Serial Number | N/A | Yes | N/A
Display Token Expiration Date | N/A | Yes | N/A
Number of Tokens Supported | N/A | 1 | N/A
Provisioning
File-Based | N/A | No | N/A
CT-KIP | N/A | Yes | N/A
CTF | N/A | Yes | N/A
Secured by RSA Certified Implementation Guides
Cisco ASA Series Adaptive Security Appliance https://gallery.emc.com/docs/DOC-1167
Dell SonicWALL Secure Remote Access (SRA) https://gallery.emc.com/docs/DOC-2317
F5 Networks BIG-IP https://gallery.emc.com/docs/DOC-1231
Juniper Networks Secure Access SSL VPN https://gallery.emc.com/docs/DOC-1297