This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
HassanMehsen
Respected Contributor
Respected Contributor
‎2020-08-24 06:10 AM

MFA with WLAN

Hello Guys!

 

We need to enable MFA on our Cisco Wireless LAN, i was checking if this is compatible with RSA CAS on RSA Ready, unfortunately nothing is mentioned regarding the new authentication methods(Biometric or push to approve).

 

Could you please advise on that.

Labels (1)
0 Likes
Reply
12 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2020-08-24 12:21 PM

One way to view this question is, where do you put the RSA agent?  If you are planning to put the Authentication agent on your Windows platform, to authenticate as the Windows platform connects to a wireless network, you would need the Windows MFA agent in order to authenticate against the RSA SecurID Access cloud, which can be found here

RSA MFA Agent Downloads for Microsoft Windows 

 

If you only needed to authenticate with a token passcode against RSA SecurID Authentication Manager, you could use the Authentication Agent for Windows, which can be found here

https://community.rsa.com/community/products/securid/authentication-agent-windows/downloads  

 

If the Cisco Wireless Access is authenticating users for Wireless access, then the RSA Authentication agent is not on Windows it is on the Cisco, which means you need to look for a Cisco Partner Guide for that particular product to integrate to RSA 2-factor or multi-factor authentication.  You would need to search RSA Link for your particular Cisco Product Partner Guide.  

Link_Search_Partner_Cisco.png

0 Likes
Reply
EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2020-08-24 02:30 PM

Hassan Mehsen‌,

 

To make accessing the Cisco Partner Guides easier, here is a direct link to them:  Cisco Systems Inc. - Technology Integrations.

 

Regards,

Erica

0 Likes
Reply
HassanMehsen
Respected Contributor
Respected Contributor
In response to EricaChalfin
‎2020-08-24 04:41 PM

Hello Eric,

 

What we are looking for here is to enable MFA while users are trying to access the WLAN which is managed by a Cisco WLC.

 

I have already checked the RSA Ready document Cisco Wireless LAN Controller WLC 2100 and 4400 - RSA SecurID Access Standard Agent Implementation Guide, however, its only mentioning the integration with authentication manager using ODA or software tokens, nothing is mentioned regarding the RSA cloud authentication service by using the new authentication methods (Biometric or push to approve).

0 Likes
Reply
TedBarbour
Employee
Employee
In response to HassanMehsen
‎2020-08-24 05:07 PM

Hassan Mehsen‌ - if the Cisco device (with RSA  agent) is utilizing Authentication Manager version 8.4 Patch 4 or above you could make use of the new PIN+Approve functionality.  

See the RSA AM 8.4 Patch 13 readme for more information about this Patch 4 and above feature.

 

Hope that helps,

Ted

Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to HassanMehsen
‎2020-08-24 05:15 PM

The Implementation guide is from 2013, so that definitely means it uses the original UDP Agent API to Authentication Manager.  I don't think you can use this Cisco Product with the Cloud Access.  Unless anyone else has a different approach, but you get push to approve and Bio-metric from CAS, not from AM

0 Likes
Reply
HassanMehsen
Respected Contributor
Respected Contributor
In response to JayGuillette
‎2020-08-24 05:20 PM

Thanks Jay,

 

im looking for the integration with RSA CAS( fully cloud solution) and not the hybrid one.

 

My question here if this integration is possible and if we can use the authentication methods which you mentioned while accessing our WLAN.

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to HassanMehsen
‎2020-08-24 05:27 PM

Ted pointed out that AM 8.4 P4 and above can leverage PIN+Approve on a CAS registered device if your AM is integrated with CAS and the IDR.

You can read about it under Patch 4 New Features in the AM readme for any patch higher than p4.  See 

Authenticate with a Push Notification to Your Mobile Device; No Agent Updates Required 

 

So Cisco sends the authentication to AM, and AM talks to CAS to check the Push to Approve and responds back to Cisco whether to grant access or not.

0 Likes
Reply
HassanMehsen
Respected Contributor
Respected Contributor
In response to JayGuillette
‎2020-08-24 05:34 PM

So in order to move with such integration radius should be implemented between Cisco WLC and our AM, which the AM  then  proxy the authentication request to the CAS for MFA capabilities?


Could you please assist me on how the association will happen when a client is trying to connect to a WLAN.

0 Likes
Reply
TedBarbour
Employee
Employee
In response to HassanMehsen
‎2020-08-24 05:55 PM

If the Cisco device uses RADIUS then you could target your Authentication Manager's RADIUS server and use the AM->Cloud Authentication Service (CAS) capability discussed above.

Or you could target the RADIUS client at our Identity Router (IDR) virtual appliance (IDRs contain a RADIUS server) which would forward the request to the Cloud Authentication Service. 

 

Ted

0 Likes
Reply
© 2022 RSA Security LLC or its affiliates. All rights reserved.