Enabling RSA SecurID Connections for RADIUS
Technical Note 2150
Last Reviewed 16-Nov-2006
Applies To
Mobility XE version 6.x only
Windows 2000, Windows XP
Summary
This technical note applies to Mobility XE version 6.x only. If you are using Mobility XE 7.x, please refer to technical note 2214. If you are running a mixed environment of Mobility 6.x and 7.x, please refer to the Mobility 7.x System Administrator Guide.
If you plan to use RSA SecurID authentication for RADIUS user authentication with Mobility XE 6.x, you need to make the following configuration changes:
Configure the RSA ACE/Server software to accept connections from the Mobility server.
Configure the Mobility server to use RADIUS with RSA SecurID authentication.
Configure the Mobility clients to use RSA SecurID authentication.
1. Configure the RSA ACE/Server software
The RSA ACE/Server software manages the authentication process for users. If the Mobility server is using the "SecurID OTP" (one-time-password) option to provide user credentials to the RSA ACE/Server RADIUS server, you need to modify the RSA ACE/Server configuration to accept connections from the Mobility server and allow successful user authentication.
Click Start > Programs > RSA ACE/Server > Data Administration—Host Mode.
Click Agent Host > List Agent Hosts.
Accept the defaults to list them to the screen. Verify that the primary RSA ACE/Server is already in the list. If it is not, see "Adding Servers as Agent Hosts to the Primary Database" in the RSA ACE/Server 5.2 Installation Guide.
Click Agent Host > Add Agent Host.
In the Name box, enter the fully qualified domain name of the Mobility server.
In the Network Address box, enter the Mobility server's IP address.
In the Agent type list, select Net OS Agent.
Note: Mobility XE does not support the "Single-Transaction Comm Server" agent type. Messages informing clients that they are in "Next Token Mode" or "New PIN Mode" are not transmitted to the NAS/NMS unless they are configured for Net OS Agent.
Select the Open to All Locally Known Users check box.
Click the Assign/Change Encryption Key button. In the Key box, enter the RADIUS secret. The secret you enter here must match the shared secret entered for this RADIUS server when configuring the Authentication—RADIUS Server List setting on the Mobility server (Mobility console, Server Settings page).
On the Start menu, open RSA/ACE Server > Configuration Tools > Configuration Management. Click Edit to make configuration options editable:
Select the RADIUS Server Enabled check box.
The RADIUS port setting must match the port entered for this RADIUS server when configuring the Authentication—RADIUS Server List setting on the Mobility server. The RSA ACE/Server software RADIUS default port is 1645, and the Mobility XE default is 1812. You can specify any port, but both settings must be the same.
Because Mobility XE does not currently support entering successive token codes (Next Token Mode), you may want to increase the number of times a user is allowed to enter an incorrect token code in order to reduce help desk calls. (This configuration change in the RSA ACE/Server software is a recommendation and not a requirement. Making this change will affect all agents with the Agent Host definition of Net OS Agent Host).
To change the settings, click the Agent Host button. In the Network OS Agent Host group box, make the following changes to reduce the number of occasions on which a user will be required to use Next Token Mode to log in:
On the Start menu, open RSA/ACE Server > Configuration Tools > RADIUS Configuration.
On the Receive tab, select the Discard Duplicate Packets check box. This will prevent the ACE server from increasing the count of invalid attempts for the user's token.
Verify that the UNIX style prompt check box is selected (without it Mobility will not get the correct information from the RADIUS server). Do not edit any Prompts listed on the General tab. The Mobility server looks for specific strings in the packets from the RSA ACE/Server software, and it will not recognize messages with altered text.
When the Mobility server is configured to use the "SecurID OTP" option for RADIUS user authentication, the user enters Windows credentials in the Log On to Windows dialog box, and then enters the RSA SecurID authentication user name and passcode in the NetMotion Logon dialog box that follows. Any password-protected screen saver will require Windows credentials for access to the Windows desktop.
Mobility XE does not provide a facility for a user to acquire a new RSA SecurID PIN (New PIN Mode), or for entering successive token codes (Next Token Mode). These tasks must be performed using RSA ACE/Agent software. Once a Mobility client is in New PIN Mode or Next Token Mode, the user must bypass Mobility XE in order to connect to an RSA ACE/Agent machine from the client device.
2. Configure the Mobility server to use RADIUS with "SecurID OTP"
Open the Mobility console and make the following changes on the Server Settings page:
Set Authentication—Protocol to "RADIUS".
Set Authentication—RADIUS Protocol to "SecurID OTP".
Select Authentication—RADIUS Server List and add your RSA/ACE Server machine.
Set Authentication—RADIUS Retransmit Interval to 3000 milliseconds (from the default of 300 milliseconds).
Set Authentication—RADIUS Retransmits to 3 attempts (from the default of 10). This should definitely be done if Discard Duplicate Packets (described above) is not selected.
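The shared secret from step 1 and the port (RSA ACE/Server default 1645, Mobility XE default 1812) must agree on both sides. The secret is what the Mobility server uses to verify every reply it receives, so a secret mismatch makes each reply fail verification and be discarded rather than produce an error. As an added illustration that is not part of this technical note or the Mobility product, the Python sketch below implements the RFC 2865 Response Authenticator check and shows a reply being accepted under the configured secret and rejected under a one-character-different one; all packet contents and secrets are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
RADIUS_HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (RFC 2865 section 3)

def build_access_request(identifier, attributes):
    """Minimal Access-Request: header, random 16-byte Request Authenticator, attributes."""
    request_auth = os.urandom(16)
    return RADIUS_HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attributes)) + request_auth + attributes

def response_authenticator(code, identifier, request_auth, attributes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = RADIUS_HEADER.pack(code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(code, request, attributes, secret):
    """What the RADIUS server sends back, bound to the request it answers."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return RADIUS_HEADER.pack(code, identifier, 20 + len(attributes)) + auth + attributes

def response_is_authentic(request, response, secret):
    """NAS-side check: recompute the Response Authenticator with the NAS's own copy of
    the secret. With a mismatched secret every reply fails and is silently dropped,
    so the NAS keeps retransmitting until its retry budget is exhausted."""
    code, identifier, length = RADIUS_HEADER.unpack(response[:4])
    if identifier != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

# Constructed sample data: a NAS-Identifier attribute (type 32) and two secrets that
# differ by one character, standing in for a typo on one side of the configuration.
NAS_ID = b"mobility-server.example"
ATTRIBUTES = bytes([32, 2 + len(NAS_ID)]) + NAS_ID
ACE_SECRET = b"constructed-shared-secret"
MOBILITY_SECRET_TYPO = b"constructed-shared-secret1"

def demo():
    """Returns (accepted with matching secret, accepted with mismatched secret)."""
    request = build_access_request(7, ATTRIBUTES)
    accept = build_response(ACCESS_ACCEPT, request, b"", ACE_SECRET)
    return (response_is_authentic(request, accept, ACE_SECRET),
            response_is_authentic(request, accept, MOBILITY_SECRET_TYPO))
```

demo() returns (True, False): the same Access-Accept is valid to a NAS holding the server's secret and worthless to one holding anything else.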
3. Configure the Mobility clients to use SecurID authentication
RSA SecurID authentication is not enabled on the Mobility client by default. This is because the RSA SecurID passcode (with or without Mobility) is sent to the server in clear text and is vulnerable to an active man-in-the-middle attack. (This type of attack requires some level of sophistication, but it is nevertheless a weakness. Over 802.11 links you can deter this kind of attack with WEP or WPA.)
Configuring the client to use SecurID authentication requires a registry change, which you can make manually or by running Securid_otp_on.inf (this file is also located in the \2kclient\ folder of the Mobility XE product CD). To run the .inf file, save it locally, right-click on it in File Explorer, and then select Install.
The following statement in the .inf file changes the registry and makes the client's authentication behavior appropriate exclusively for SecurID:
HKLM,"System\CurrentControlSet\Services\NetMotion\Mobility Client","HelloListMask",0x00010001,32
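That statement is an INF AddReg entry: root key, subkey, value name, type flags, data. As an added example that is not from this technical note or the NetMotion product, the Python parser below decodes such lines using the standard Windows FLG_ADDREG_TYPE_* flag values, so an administrator can see exactly what a downloaded .inf will write before choosing Install; the sample input is the line quoted above.

```python
import csv
import io

# INF AddReg flag bits that select the registry value type (FLG_ADDREG_TYPE_*).
# The type lives in the high word plus bit 0; other bits are behaviour flags such
# as FLG_ADDREG_NOCLOBBER (0x00000002) that do not change the type.
ADDREG_TYPE_MASK = 0xFFFF0001
ADDREG_TYPES = {
    0x00000000: "REG_SZ",
    0x00000001: "REG_BINARY",
    0x00010000: "REG_MULTI_SZ",
    0x00010001: "REG_DWORD",
    0x00020000: "REG_EXPAND_SZ",
}

def parse_addreg_line(line):
    """Parse one AddReg line of the form  root,"subkey","value-name",flags,data...
    into a dict describing the registry write it would perform."""
    fields = next(csv.reader(io.StringIO(line.strip()), skipinitialspace=True))
    if len(fields) < 4:
        raise ValueError("AddReg line needs root, subkey, value name and flags")
    root, subkey, name = fields[0], fields[1], fields[2]
    flags = int(fields[3], 0) if fields[3] else 0   # decimal or 0x hex; empty means 0
    value_type = ADDREG_TYPES.get(flags & ADDREG_TYPE_MASK, "UNKNOWN")
    raw = fields[4:]
    if value_type == "REG_DWORD":
        data = int(raw[0], 0) if raw else 0
    elif value_type in ("REG_SZ", "REG_EXPAND_SZ"):
        data = raw[0] if raw else ""
    elif value_type == "REG_MULTI_SZ":
        data = raw
    elif value_type == "REG_BINARY":
        data = bytes(int(b, 16) for b in raw)  # comma-separated hex bytes
    else:
        data = raw
    return {"root": root, "subkey": subkey, "name": name,
            "type": value_type, "flags": flags, "data": data}

# The AddReg line quoted in the technical note, embedded here as sample input.
SECURID_OTP_ON_LINE = (
    'HKLM,"System\\CurrentControlSet\\Services\\NetMotion\\Mobility Client",'
    '"HelloListMask",0x00010001,32'
)

def describe(line):
    """One-line summary of the write, for reviewing an .inf before installing it."""
    entry = parse_addreg_line(line)
    return "%s\\%s  %s (%s) = %r" % (entry["root"], entry["subkey"],
                                     entry["name"], entry["type"], entry["data"])
```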
Related Information
2177: Setting Up Mobility Authentication
2214: Enabling Native RSA SecurID Connections for Mobility Clients (Mobility version 7.x only)
9979: NetMotion Mobility Technical Notes