RSA SecurID Authentication

RSA SecurID is a two-factor authentication solution from RSA Security, Inc. that is based on hardware or software tokens. We recommend that you review the Authentication Manager documentation before using SecurID.

Reflection for Secure IT supports RSA SecurID authentication using the Secure Shell keyboard-interactive protocol.

Requirements

You must have a correctly configured RSA SecurID environment.

Micro Focus does not provide the following components:

| Required Item | Function |
|---|---|
| RSA Authentication Manager | Verifies authentication requests and centrally manages authentication policies. |
| RSA Authentication Agent | Intercepts authentication requests and directs them to the Authentication Manager for authentication. The RSA Authentication Agent for Windows or the RSA Authentication Manager must be running on the same computer as the Reflection for Secure IT server. |
| Hardware Token | A hardware device, such as a key fob or smart card, that generates a one-time authentication code. |

How it works

The Reflection for Secure IT server acts as a SecurID client in order to authenticate a user.

  1. The Reflection for Secure IT server receives a keyboard-interactive authentication request from a client.

  2. If SecurID authentication is enabled, the Reflection for Secure IT server passes the user name to the RSA SecurID Agent.

  3. The RSA SecurID Agent returns a text prompt, which is sent to the client.

  4. The client user responds to the prompt.

  5. The Reflection for Secure IT server forwards this response to the RSA SecurID Agent, which may return another prompt. This continues until the RSA SecurID Agent indicates that authentication is complete.

  6. If the RSA SecurID Agent indicates that authentication is successful, the client connection is allowed and the Reflection for Secure IT server provides user access based on the current server configuration. If the RSA SecurID Agent indicates that authentication failed, the client connection is not allowed.

Note

Authentication fails if a user is able to authenticate to the RSA SecurID Authentication Manager server, but no account exists for that user on the local computer, in the Windows domain, or in the Reflection Gateway Administrator. (The last option applies only if you are running Reflection Gateway and have enabled Reflection Gateway Users.)
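The prompt relay in steps 2 through 6 and the account check in the note can be modeled as follows. This is an added illustration, not Reflection for Secure IT or RSA code: `StubAgentSession`, its prompts, `authenticate`, and `scripted` are hypothetical names with constructed data, and applying the retry count and delay per full prompt exchange is an assumption.

```python
import time

# Constructed prompts; a real agent chooses its own text and number of rounds.
PROMPTS = ["Enter PASSCODE: ", "Enter next tokencode: "]

class StubAgentSession:
    """Hypothetical stand-in for the agent; not the RSA Authentication Agent API."""
    def __init__(self, expected):
        self.expected = expected   # correct answers, or None for an unknown user
        self.answers = []

    def exchange(self, response=None):
        """Return ("prompt", text) until done, then ("success"|"failure", None)."""
        if response is not None:
            self.answers.append(response)
        if len(self.answers) < len(PROMPTS):
            return "prompt", PROMPTS[len(self.answers)]
        return ("success" if self.answers == self.expected else "failure"), None

def authenticate(user, agent_users, local_accounts, ask, attempts=3, delay=2):
    """Server side of steps 2-6; attempts/delay mirror the page's defaults."""
    for attempt in range(attempts):
        if attempt:
            time.sleep(delay)                              # delay between tries
        session = StubAgentSession(agent_users.get(user))  # step 2: pass user name
        status, prompt = session.exchange()                # step 3: first prompt
        while status == "prompt":                          # steps 4-5: relay loop
            status, prompt = session.exchange(ask(prompt))
        if status == "success":
            # Note on the page: agent success alone is not enough; the user
            # must also have an account known to the server.
            return user in local_accounts
    return False                                           # fail closed

def scripted(answers):
    """Constructed client: replies to each prompt with the next canned answer."""
    it = iter(answers)
    return lambda prompt: next(it)

if __name__ == "__main__":
    agent_users = {"alice": ["123456", "654321"], "bob": ["111111", "222222"]}
    print(authenticate("alice", agent_users, {"alice"}, scripted(["123456", "654321"])))
    print(authenticate("bob", agent_users, {"alice"}, scripted(["111111", "222222"])))
```

The second call returns `False` even though the stub agent accepts bob's codes, because bob has no account on the server side.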

RSA SecurID Pane

From the server console, click Configuration > Authentication > RSA SecurID.

RSA SecurID authentication

  • Agent path - Specifies the location of the RSA Authentication Agent.
  • Allow/Require/Deny - The default is Deny. Before you can select Allow or Require, the RSA Authentication Agent must be installed, with aceclnt.dll in the specified path.

Retries

  • Number of authentication attempts - The default is 3.
  • Delay between tries (seconds) - The default is 2.
