RSA Authentication Manager as a Secure Proxy Server for RSA Cloud Access Service
You can use RSA Authentication Manager (AM) 8.5 and later as a secure proxy server that sends authentication requests to Cloud Access Service (CAS). This feature offers the following benefits:
- Creates one secure connection from your organization's network to CAS for authentication requests from multiple authentication agents, instead of requiring each agent to connect to CAS individually. This eliminates the need to configure firewall rules for multiple authentication agents. For example, you can prevent certain users from accessing external resources while still allowing them to authenticate to CAS through AM.
- Supports authentication methods available through REST protocol authentication agents. When AM is used as a secure proxy, authentication is performed by CAS. To use AM authentication methods, configure one or more IDRs and a connection from CAS to AM.
- Provides High Availability by supporting all AM authentication methods locally, including authenticators synchronized from CAS, when AM cannot communicate with CAS.
- Supports offline authentication to AM or CAS for the authentication agents that support this feature.
- Supports passwordless authentication when AM functions as a secure proxy for CAS. This feature is supported from AM 8.9 onwards and works with the MFA Agent for Windows.
RSA Authentication Manager 8.5 or later enables this feature by default when you connect to CAS or upgrade a deployment that was previously connected with RSA Authentication Manager 8.4 Patch 4 or later. To configure this feature, including enabling Send multifactor authentication request to the Cloud on the Cloud connection, see Configure RSA Authentication Manager as a Secure Proxy Server for Cloud Access Service.
The following table shows the possible deployment options. For more specific information, see your authentication agent documentation.
| Scenario | Authentication Methods | High Availability |
|---|---|---|
| Direct connection to RSA Authentication Manager 8.5 or later with the UDP, TCP, or REST protocol. RSA Authentication Manager is not connected to CAS. | AM handles authentication. For example, RSA SecurID hardware and software tokens, on-demand authentication, and AM emergency access methods. | Does not apply. |
| Direct connection to CAS with the REST protocol. AM is not connected to CAS. | CAS handles authentication. For example, Approve, Device Biometrics, Authenticate Tokencode, RSA SecurID hardware and software tokens, Emergency Access Code, SMS OTP, and Voice OTP. | Does not apply. |
| Direct connection to RSA Authentication Manager 8.5 or later with the UDP, TCP, or REST protocol. AM is connected to CAS. | AM validates RSA SecurID hardware and software tokens that are managed in AM, on-demand authentication, and AM emergency access methods. When a user authenticates by using a cloud-managed method and the connection to CAS is available, AM forwards the authentication request to CAS. Cloud-managed methods include Authenticate OTP, Approve, Device Biometrics, and SecurID 700 tokens that are managed in CAS. AM automatically downloads High Availability OTP records for supported SecurID OTP authenticators from CAS by using an overnight batch job that runs each day. | When CAS or the connection from AM to CAS is unavailable and High Availability (HA) OTP is enabled, AM validates Authenticate OTP locally by using downloaded HA OTP records. SecurID 700 tokens and other methods that are managed in AM support high availability because the token records are already available in AM. SecurID 700 tokens, DS100, and iShield authenticators that are managed in CAS support high availability when token records are available in AM, regardless of whether HA OTP is enabled. |
| Direct connection to CAS with the REST protocol is configured in the authentication agent to use RSA Authentication Manager 8.5 or later as a secure proxy server. AM is connected to CAS. | Applications send authentication requests to AM by using the REST protocol. When the RSA MFA Agent configuration or the application's Initialize request includes a CAS access policy or assurance level, AM treats the request as a proxy request and forwards the authentication flow to CAS. CAS evaluates the access policy or assurance level and determines the authentication methods, which can include Approve, Device Biometrics, Authenticate OTP, SecurID 700 tokens that are managed in CAS, Emergency Access Code, SMS OTP, and Voice OTP. If a connection from CAS to AM is configured, CAS can invoke AM to perform step-up authentication with RSA SecurID hardware or software tokens that are managed in AM. | When CAS or the connection from AM to CAS is unavailable, AM cannot act as a secure proxy server to CAS. In this state, AM validates Authenticate OTP and SecurID OTP (managed by CAS) locally by using downloaded OTP records when user records are present in AM. AM does not evaluate cloud access policies or assurance levels. Note: Authenticate OTP records are downloaded to AM only when High Availability OTP is enabled in CAS and AM is connected to CAS. |
| RADIUS clients directly connected to RSA Authentication Manager 8.5 or later. AM is connected to CAS. | The RADIUS client sends authentication requests to AM. AM validates RSA SecurID hardware and software tokens that are managed in AM, on-demand authentication, and AM emergency access methods. When a user authenticates by using a cloud-managed method and the connection to CAS is available, AM forwards the authentication request to CAS. When the RADIUS client is configured for the Cloud MFA Experience and linked to a CAS RADIUS access policy, CAS validates cloud-managed methods including Approve, Authenticate OTP, Device Biometrics, SMS OTP, Voice OTP, Emergency Access Code, and SecurID OTP (including SecurID 700 tokens and other SecurID OTP methods managed in CAS). | When CAS or the connection from AM to CAS is unavailable, AM validates CAS-managed SecurID OTPs locally for RADIUS users by using downloaded HA OTP records. This includes Authenticate OTP when High Availability OTP is enabled in CAS. When CAS is unreachable and the Cloud MFA Experience is enabled for the RADIUS client, modern cloud authenticators (for example, Approve, Device Biometrics, SMS OTP, Voice OTP, and Emergency Access Code) are not offered. AM prompts the user to enter an OTP only. SecurID 700 tokens and other methods that are managed in AM support HA because the token records are already available in AM. SecurID OTP methods that are managed in CAS support HA when OTP records are available in AM, regardless of whether HA OTP is enabled. |
High Availability OTP for the Secure Proxy Server
When RSA Authentication Manager (AM) 8.5 or later acts as a secure proxy server for CAS, users can access AM-protected resources using the SecurID OTP and Emergency Access Code authentication methods assigned in CAS when CAS, or the connection to CAS, is temporarily unavailable or too slow.
AM automatically downloads High Availability OTP records from CAS. AM determines if CAS is reachable, and if local authentication is needed.
When CAS is not reachable, authentication proceeds as follows:
- RSA MFA agents prompt users for Authenticate Tokencode or RSA SecurID passcode or Emergency Access Code (EAC).
- The access policy in CAS is not applied. For example, a user who normally authenticates with Approve or Device Biometrics is prompted for Authenticate Tokencode or RSA SecurID passcode, or EAC.
- If the SecurID OTP is in Next Token mode or New PIN mode, AM uses the downloaded OTP records to successfully authenticate.
- AM determines whether a user is enabled, disabled, or locked. User status from CAS is not available until the connection is restored.
- If CAS is not reachable from AM, RSA MFA Agents that are configured for passwordless authentication use previously downloaded day files to complete authentication. For more information, see Offline Authentication for RSA Authentication Agents.
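The routing and fallback rules in the table and the list above (proxy request detection, forwarding to CAS, and local validation from downloaded HA OTP records when CAS is unreachable) can be modelled as a small decision function. The following is an added illustration written for this article, not RSA code: the names `AuthRequest`, `AmState`, `Decision`, `route` and `nightly_ha_download`, and the per-user record store, are assumptions made to make the documented behaviour testable, not AM or CAS identifiers.

```python
"""Model of the AM secure-proxy routing decision and HA OTP fallback.

Added illustration, not RSA code. All class and function names are
assumptions; the method names mirror the ones used in the article.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Cloud-managed methods CAS can offer after evaluating an access policy or
# assurance level (REST secure-proxy row of the table).
CLOUD_METHODS = frozenset({
    "Approve", "Device Biometrics", "Authenticate OTP",
    "SecurID OTP (CAS-managed)", "Emergency Access Code", "SMS OTP", "Voice OTP",
})
# Methods AM can validate locally while CAS is unreachable, provided the
# matching OTP records were downloaded to AM beforehand.
LOCAL_FALLBACK_METHODS = frozenset({"Authenticate OTP", "SecurID OTP (CAS-managed)"})
# Methods AM handles itself when the request names no CAS policy.
AM_METHODS = frozenset({"SecurID (AM-managed)", "On-demand authentication",
                        "AM emergency access"})


@dataclass
class AuthRequest:
    user: str
    access_policy: Optional[str] = None    # CAS access policy named by the agent
    assurance_level: Optional[str] = None  # or a CAS assurance level


@dataclass
class AmState:
    cas_reachable: bool
    ha_otp_enabled: bool  # "High Availability OTP" setting in CAS
    # Constructed per-user store of the OTP record types AM has downloaded.
    local_records: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    route: str               # "forward_to_cas", "local_fallback" or "local_am"
    offered_methods: frozenset
    policy_evaluated: bool   # was a cloud access policy / assurance level applied?


def is_proxy_request(req: AuthRequest) -> bool:
    """AM treats a request as a proxy request when it carries a CAS access
    policy or assurance level."""
    return req.access_policy is not None or req.assurance_level is not None


def nightly_ha_download(state: AmState, user: str,
                        has_authenticate_otp: bool, has_cas_securid_token: bool) -> None:
    """Simulate the overnight batch job. Authenticate OTP records arrive only
    when HA OTP is enabled in CAS and AM is connected; CAS-managed SecurID
    token records are assumed to be downloaded regardless of that setting."""
    if not state.cas_reachable:
        return  # nothing is downloaded while the connection is down
    recs = state.local_records.setdefault(user, set())
    if has_authenticate_otp and state.ha_otp_enabled:
        recs.add("Authenticate OTP")
    if has_cas_securid_token:
        recs.add("SecurID OTP (CAS-managed)")


def route(req: AuthRequest, state: AmState) -> Decision:
    """Decide where AM sends the request and which methods may be offered."""
    if not is_proxy_request(req):
        # No CAS policy: AM validates AM-managed methods itself.
        return Decision("local_am", AM_METHODS, policy_evaluated=False)
    if state.cas_reachable:
        # Proxy path: CAS evaluates the policy and chooses the methods.
        return Decision("forward_to_cas", CLOUD_METHODS, policy_evaluated=True)
    # CAS unreachable: the access policy is not applied, Approve, Device
    # Biometrics, SMS OTP and Voice OTP are not offered, and only OTP types
    # whose records exist locally for this user can be validated.
    local = state.local_records.get(req.user, set())
    return Decision("local_fallback", frozenset(local & LOCAL_FALLBACK_METHODS),
                    policy_evaluated=False)


if __name__ == "__main__":
    am = AmState(cas_reachable=True, ha_otp_enabled=True)
    nightly_ha_download(am, "alice", has_authenticate_otp=True, has_cas_securid_token=True)
    print(route(AuthRequest("alice", access_policy="Corporate-MFA"), am))
    am.cas_reachable = False  # simulate the outage
    print(route(AuthRequest("alice", access_policy="Corporate-MFA"), am))
```

The point of the model is the `local_fallback` branch: the set of methods a user can use during an outage is decided by what the batch job had already downloaded, so a user whose Authenticate OTP records were never synchronized (HA OTP disabled in CAS, or AM disconnected when the job ran) is left with only the SecurID OTP record types that are present in AM.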
Authentication records are recorded in the AM Activity Monitor and Report, and the CAS User Event Monitor. The status of the connection from AM to CAS is recorded in the AM System Activity Monitor and System Log Report. Detailed technical status of the connection from AM to CAS is available in AM internal logs only when trace logging is enabled in verbose mode (see Configure Logging).
Warning: Verbose trace logging consumes large amounts of disk space in AM. Use verbose mode only for short periods to capture an issue. Typically, 5 to 10 minutes on one affected AM server is sufficient for investigating a Cloud connection issue. For more information, contact RSA Support.
An internal REST protocol agent called @#RSAHighAvailability_#@_InternalAgent1#@ provides High Availability OTPs to users when the connection to CAS is not available. You cannot edit, enable, disable, or delete this internal agent.
For configuration instructions, see Configure High Availability OTP.
Offline Authentication for RSA MFA Agents
When you use RSA Authentication Manager (AM) as a secure proxy server, some MFA agents can be configured to support offline authentication to CAS:
- Offline emergency access codes (EACs) can be automatically downloaded to the Agent for users who access the MFA agent. Users can continue to authenticate if the connection to AM or CAS is not available. For more information, see Configure Emergency Access Code for Online and Offline Use.
- When AM cannot connect to CAS, EACs downloaded to the agent are used for high availability passwordless authentication.
- MFA agents automatically download OTPs and EACs and store them in offline data day files through AM for uninterrupted authentication to CAS. If an MFA agent is unable to access AM, then the authentication agent uses the downloaded data in day files for authentication. For instructions on configuring offline authentication, see your agent documentation.