Hello and welcome to PowerProtect Data Manager Appliance 516 release. I'm Sonali Verma from the technical marketing engineering team. In this video, we'll be seeing multi-factor authentication with RSA security.
Now, let's see what RSA SecurID is. It's created by RSA Data Security and is an MFA technology designed to increase security for network resources and help organizations maintain compliance. It combines password or PIN authentication with hardware authentication in the form of physical or virtual tokens. Prior to the 516 release, DM5500 supported multi-factor authentication with Google and Microsoft authentication only. However, with the 516 release, it now supports RSA SecurID multi-factor authentication as well.
There are a few points to be noted here. Only one can be enabled at a time in this appliance. When RSA SecurID is enabled, it’s applicable for local appliance users as well as AD users. Admin and security officer users are by default added in the bypass list and cannot be removed from there. Also, audit logs will be shown in the audit logs tab in the appliance UI.
Now, let’s go over some of the prerequisites in order to configure RSA SecurID with the DM5500 appliance. First and foremost, the RSA SecurID server needs to be deployed and configured. For local users, the username of the local user must be configured in the RSA server, and an RSA token needs to be assigned. For AD users, the AD server is added and configured into the RSA SecurID. Thirdly, network connectivity must be available between the RSA server and the DM5500 appliance.
Some information that we need to keep handy is the RSA API authentication. When it’s enabled over the RSA server, copy the access key information. Also, the RSA server certificate needs to be downloaded and kept handy for the configuration. Lastly, configure the authentication agent on RSA and keep the client ID ready.
Now, let’s go over the demo to see how we can configure multi-factor authentication with RSA SecurID. First, we will log into PowerProtect Data Manager Appliance and go to Administration > Access Control. We have a local user created here, and we can see its MFA authentication status as disabled. So, we’ll go to the MFA tab, and we can see from this release, it supports TOTP and RSA SecurID. We’ll expand RSA SecurID, click on Configure, and start providing all the details that we need to grab from the RSA server.
We will log into our RSA server to fetch all the information required, starting with the RSA server hostname or IP address. We’ll grab this information from the URL as we have logged into the RSA server and paste it into the appliance. Next is the client ID, which is the authentication agent. We’ll go to Access > Authentication Agent > Manage Existing, and grab this pre-created authentication agent, which is the client ID, and paste it into our appliance client ID field.
Next is the access key. We’ll go back to the RSA server setup, system settings, click on RSA SecurID Authentication API, or enable the Authentication API, to see the access key information, copy that, and paste it into the appliance. Next is the certificate. We’ll export this certificate and open it in Notepad++. After exporting it, we can copy the certificate information and paste it into the appliance.
Next, you can see the advanced settings, such as connection timeout, read timeout, and the port information. The connection port is 5555. Next, click on Test Setup for the verification to be done. If all your details are correct, it will give a green flag, and you can click on Save.
Now your RSA SecurID has been successfully configured. If you go back to your user groups, you can see that the local user has MFA status as enabled. Admin and security officer users are bypassed by default for MFA, so we do see bypass status. Now, we’ll verify this. Our first use case is to log out and log in with our local user where MFA has been enabled. It will ask us for an RSA passcode. We’ll copy the RSA passcode and paste it for multi-factor authentication. We can see that it has successfully logged in.
The next use case involves bypassing MFA. Click on Edit, select the checkbox for bypass, and save this information for the next login. It won’t ask for the RSA passcode if we use the bypass option. Let’s log in with our local user Sonali and see that only the password was needed to log in successfully.
In the MFA tab, as we said, it supports both TOTP and RSA SecurID from the 516 release, but only one can be enabled at a time—either RSA SecurID or TOTP. If we want to switch to TOTP, we need to disable RSA SecurID first. If we want to go back to RSA SecurID, we need to disable TOTP and then enable RSA SecurID again. You can see the status as enabled on the right side.
Now, if you go to your user group, you’ll see your local user has been reset with MFA status enabled. Kindly note the same workflow works with AD users as well. The only difference is that the bypass option is only supported for local users, not AD users. And that’s how we set up MFA with RSA SecurID. Thank you all for watching.