RSA Authentication Manager maintains its own internal database of users. In smaller installations, or installations where a separate user database is desirable, this doesn’t cause any real problems. It only becomes an issue when the organisation is large enough for this to pose a scalability problem. In this case, it is possible to integrate with external directory servers (including Active Directory) and populate the user database by pulling names using LDAP.
Adding a new user to the database is simple. In the RSA Authentication Manager Database tool, go to User -> Add User.

Fill in the first name and last name fields accurately, as they are used for searching the user database later on. The most important field is the default login. This is the username that will be used to authenticate the user when RSA is integrated with a third-party product. Generally, you will want the user to create a PIN, so it is suggested that you click the “Required to Create a PIN” option to force them to do so.

If the user is to have an administrative role within the RSA software, use the “Administrative Role” button to add this option to the user. If agent hosts (e.g. authentication clients) have been assigned to groups rather than “All users”, you will need to assign group membership to the user too.
Token Management
Before tokens can be assigned to users, they must be imported from seed record files. In the RSA Authentication Manager Database tool, select Token -> Import Tokens.

From here, you will need to browse to the location of the .xml files that are provided as a download from RSA. You will also need to obtain the seed record password to decrypt these records.

Once complete, you should check that the correct number of tokens has been imported. Take care if you ever need to delete a token: you will never be allowed to reimport that token record.

You can list the tokens by going to the Token -> List Tokens option on the menu bar.

Assigning a Token
Assigning a token to a user is an essential step in getting a user set up. It is easiest to do this from within the Edit User dialogue. Simply click the “Assign Token” button.
Unless you are provisioning tokens to very remote users, it is advisable to pull them into the office to collect their token. The reason for this is twofold. Firstly, you are able to get the user to sign for their token; this is pretty much essential when you consider that an RSA token is circa £50... Secondly, the final part of assigning a token involves providing the user with some interactive training by getting them to set their own PIN.
This can be performed using the RSA Security Centre utility that is installed as part of the RSA Authentication Agent for Windows. It is best practice to install this on the Authentication Manager server to aid diagnosis of token/agent problems.

Using the test application, enter the username and passcode. If this is the first time that the token has been used since being assigned, the passcode is simply the value shown on the token face.

It is obvious if this has gone badly!

If the user authenticates correctly, they will be given an opportunity to set their PIN. The PIN must be between 4 and 8 characters long. It is possible to allow alphanumeric PINs if required.

Once you have set the PIN, it is essential that the user authenticates correctly. This time, the passcode is made up of PIN + tokencode. For example, if the PIN is 1234 and the tokencode is 676767, then the user should enter 1234676767 as their passcode.

The user is now set up and authentication has been tested. All done!