Monday, December 26, 2011

RSA SecurID 130 Appliance Basic Setup

I set up one of these years ago and wrote a short article describing how to authenticate against it from a Cisco ASA. I set another of these up recently and figured I'd cover the basic points needed to get it running.

Assuming your Active Directory domain is called testad.local and you've named the appliance "rsaappliance.testad.local" in DNS...

1. You'll need to do the base configuration and install the initial license file. It's important that the following are configured correctly:

  • IP address: it's probably necessary that you create a PTR record in DNS for the appliance. At the very least, the IP address should resolve in DNS to a matching hostname (i.e., rsaappliance.testad.local), and that hostname should resolve back to the same IP.

  • NTP/time sources: use the same NTP servers that your Active Directory domain controllers use. SecurID tokencodes are time-based, so clock drift on the appliance shows up as otherwise inexplicable authentication failures. If you are running VMware ESX/ESXi and the domain controllers are VMs, you can use the ESX/ESXi host(s) as NTP time sources.

    2. The next steps require the Operations Console (not the Security Console used later):

     Deployment Configuration -> Identity Sources -> Add New ->

    (you'll probably be required to provide administrative credentials to get in)

    provide the:
  • Identity Source Name: descriptive name

  • Type (Microsoft Active Directory)

  • Directory URL: ldap://dc1.testad.local (or ldaps://dc1.testad.local, if available; prefer it, because with plain ldap:// the bind password of the account below crosses the wire in clear text on every lookup, and for ldaps:// the appliance must trust the CA that issued the domain controller's certificate)
  • Directory Failover URL: ldap://dc2.testad.local (use ldaps:// here too if you did above)
  • Directory User ID: the DN of the account the appliance binds as. Create a dedicated, unprivileged user for this purpose; it only needs to read the directory, so don't hand it a Domain Admin account. Assuming you created a user called "rsaauth" in the default Users container in Active Directory, you'll construct the entry like so:
       cn=rsaauth,cn=Users,dc=testad,dc=local
       Of course, you might have OUs set up for these sorts of things. If the account sits in an OU in your domain called "utilityusers," the entry would be:
       cn=rsaauth,ou=utilityusers,dc=testad,dc=local
       (for those of you unfamiliar with LDAP, cn is the account's Full Name as shown in Active Directory Users and Computers, not its logon name, so if you gave the account a friendlier full name, use that here.)
       2b. Click the "Map" tab and set your User Base DN and User Group Base DN. If you're not using any OUs, these default to the standard cn=Users,dc=testad,dc=local; otherwise, put in the appropriate OU. You can fine-tune the LDAP search filters and attribute mappings below, but all you need to get started is the User Base DN and User Group Base DN.
      By the way, if you check "Directory is an Active Directory Global Catalog," you'll likely get an error in a later step:
      "Cannot link the runtime identity source because no administrative identity sources reference this runtime source"
      The easiest way to fix this is to uncheck "Directory is an Active Directory Global Catalog" (or do the additional configuration a Global Catalog source requires).
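The values from steps 1 and 2 are easy to get subtly wrong (a DN with the logon name instead of the Full Name, a PTR that points somewhere else), and the console's error messages are not much help. The following script is an added example, not something from the original post or from RSA: it builds the DNs the console asks for from the post's assumed names (domain testad.local, domain controllers dc1/dc2.testad.local, appliance rsaappliance.testad.local, service account "rsaauth", optional OU "utilityusers") and then performs the same DNS lookup and LDAP bind the appliance will perform, from an admin workstation with dig and the OpenLDAP ldapsearch tool installed.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks to run from an
# admin workstation before typing the step 1 and step 2 values into the
# Operations Console. Assumes the post's names (domain testad.local, DCs
# dc1/dc2.testad.local, appliance rsaappliance.testad.local, service account
# "rsaauth", optional OU "utilityusers"); the live checks need dig and the
# OpenLDAP client tool ldapsearch.
set -eu

# testad.local -> dc=testad,dc=local (works for sub.domains as well)
domain_to_base_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# The container the console wants as "User Base DN":
#   no OU given -> cn=Users,<base>   (AD's default Users container)
#   OU given    -> ou=<ou>,<base>
user_base_dn() {
    domain=$1; ou=${2:-}
    if [ -n "$ou" ]; then
        printf 'ou=%s,%s\n' "$ou" "$(domain_to_base_dn "$domain")"
    else
        printf 'cn=Users,%s\n' "$(domain_to_base_dn "$domain")"
    fi
}

# The bind DN the console wants as "Directory User ID". $1 is the account's
# CN, which in AD is the Full Name field, not the sAMAccountName logon name.
user_dn() {
    cn=$1; domain=$2; ou=${3:-}
    printf 'cn=%s,%s\n' "$cn" "$(user_base_dn "$domain" "$ou")"
}

# Step 1 check: the appliance's A record and its PTR record must agree.
check_forward_reverse() {
    host=$1
    ip=$(dig +short A "$host" | head -n 1)
    [ -n "$ip" ] || { echo "no A record for $host" >&2; return 1; }
    rev=$(dig +short -x "$ip" | sed 's/\.$//')
    if [ "$rev" != "$host" ]; then
        echo "PTR mismatch: $ip -> '$rev', expected $host" >&2
        return 1
    fi
    echo "dns ok: $host <-> $ip"
}

# Step 2 check: bind to a DC exactly as the appliance will (simple bind with
# the DN and password) and look the service account up under the User Base
# DN. ldapsearch's error codes (49 = bad DN/password, 32 = base DN does not
# exist) are the same failures you would otherwise be chasing in the console.
# For ldaps:// set LDAPTLS_CACERT=/path/to/testad-ca.pem first so the DC's
# certificate is trusted; the appliance has to trust that same CA too.
ldap_bind_test() {
    url=$1; bind_dn=$2; base_dn=$3; logon_name=$4
    ldapsearch -x -H "$url" -D "$bind_dn" -W -b "$base_dn" -s sub \
        "(sAMAccountName=$logon_name)" dn sAMAccountName
}

# Usage: sh rsa_preflight.sh testad.local [utilityusers]
# Without arguments the script only defines the functions above.
if [ "$#" -ge 1 ]; then
    domain=$1; ou=${2:-}
    bind_dn=$(user_dn rsaauth "$domain" "$ou")
    base_dn=$(user_base_dn "$domain" "$ou")
    echo "Directory User ID : $bind_dn"
    echo "User Base DN      : $base_dn"
    check_forward_reverse "rsaappliance.$domain"
    ldap_bind_test "ldap://dc1.$domain" "$bind_dn" "$base_dn" rsaauth
fi
```

Run it once against dc1 and once against dc2 (the failover URL); a bind that works on one DC and fails on the other usually means the service account hasn't replicated yet or the second DC is not listening on the port you chose.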

    3. Enable the RADIUS server, if you're going to authenticate against this appliance from, say, a Cisco ASA. Still in the Operations Console:

     Deployment Configuration -> RADIUS -> Configure Server -> go ahead and create your RADIUS server... the defaults should be fine.

     4. You'll need to link the newly created Identity Source to a realm (newly created or the default SystemDomain realm.) This is done in the Security Console rather than the Operations Console:

     5. From there, go to Administration -> Realms -> Manage Existing (you can create a new realm instead, if you have the appropriate licensing)
        Select the "SystemDomain" realm (or the realm you created, if you chose to create your own.)
        Under Link Identity Source, select the Active Directory identity source you created in step 2 and click the arrow pointing to the right to move it into the Linked list. Now, save your entry.
        If you get the dreaded "Cannot link the runtime identity source because no administrative identity sources reference this runtime source," this probably means you checked "Directory is an Active Directory Global Catalog" on the identity source in step 2.
     You should be ready to add tokens. To do so, under the Security Console:

     Authentication ->  Manage existing -> New Import SecurID Tokens Job ->

  • name: just a descriptive name
  • Security domain: SystemDomain (unless you've created your own security domain)
  • Import file: the XML file from the CD RSA included with the tokens
  • File password: this password was likely on a scratch-off slip of paper in a separate folder

     Provided the tokens import correctly, you should be able to start assigning them to users.

    6. Finally, you'll need to add a RADIUS client if you enabled the RADIUS server in step 3; per RFC 2865, a RADIUS server silently discards requests from any client it has no shared secret for, so the ASA just sees timeouts until this is done. From the Security Console ( https://rsaappliance.testad.local:7004/console-am ): RADIUS -> RADIUS Clients -> Add New:
  • Client Name: use a descriptive name
  • IP Address: the IP address of the client, meaning the address the appliance will see the requests coming from (on an ASA, the interface it sources RADIUS traffic from, not necessarily its management address)
  • Make / Model: select the appropriate model (e.g., Cisco PIX for a Cisco ASA)
  • Shared Secret: choose a long, random secret; it is the only thing protecting the PIN+tokencode inside the RADIUS request, and it must match what you configure on the ASA
  • Go ahead and save without an RSA agent.
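Before pointing the ASA at the appliance it is worth proving the step 3 and step 6 pieces work with a single hand-built request, and worth generating the shared secret properly rather than typing one. The script below is an added example, not part of the original post and not RSA or Cisco tooling: it assumes the post's hostname rsaappliance.testad.local, a test user "jdoe" who already has a token assigned, and the radtest utility that ships with the FreeRADIUS client tools.

```shell
#!/bin/sh
# Added example, not from the original post: pick a RADIUS shared secret that
# will survive a packet capture, then send one real Access-Request to the
# appliance before involving the ASA. Assumes the post's hostname
# rsaappliance.testad.local, a test user "jdoe" who already has a token
# assigned, and radtest from the FreeRADIUS client utilities.
set -eu

# RFC 2865 only says the secret should be at least 16 octets; 32 random bytes
# (44 base64 characters) is cheap, but check the client's maximum key length.
# The secret is all that protects the User-Password attribute (MD5 of secret
# and request authenticator, XORed with the passcode), so a short or
# dictionary secret lets anyone holding one captured Access-Request
# brute-force it offline and read the PIN+tokencode the user sent.
gen_shared_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Reject anything that would be a trivial offline crack.
secret_is_strong() {
    [ "${#1}" -ge 16 ]
}

# Send one Access-Request. The appliance identifies the client by source IP,
# so run this from the address you entered as "IP Address" in step 6; from
# any other host the request is silently discarded (RFC 2865), not rejected,
# so a timeout here means "unknown client", while Access-Reject means the
# client is fine and the passcode or user is not.
# $4 is the passcode: the user's PIN immediately followed by the tokencode.
# If the RADIUS server was configured on a port other than 1812, pass the
# server as host:port.
radius_probe() {
    server=$1; secret=$2; user=$3; passcode=$4
    # radtest user passcode server[:port] nas-port secret
    radtest "$user" "$passcode" "$server" 0 "$secret"
}

# Usage:
#   sh radius_check.sh                      -> prints a fresh shared secret
#   sh radius_check.sh rsaappliance.testad.local 'the-secret' jdoe 1234567890
if [ "$#" -ge 4 ]; then
    radius_probe "$1" "$2" "$3" "$4"
else
    secret=$(gen_shared_secret)
    secret_is_strong "$secret"
    echo "Shared secret for the RADIUS client entry and the ASA: $secret"
fi
```

A wrong shared secret does not produce a clean error either: the server cannot decode the User-Password, so you get an Access-Reject that looks exactly like a bad passcode. If the probe rejects a passcode you know is good, re-enter the secret on both sides before blaming the token.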