Configure SecurID Authentication
To use SecurID authentication, you must configure the RADIUS, VASCO, or ACE/Server servers correctly. The users must also have an approved SecurID token and a PIN (personal identification number). Refer to the RSA SecurID documentation for more information.
For more information about the RADIUS protocol and how RADIUS works, see Configure RADIUS Server Authentication and How RADIUS Server Authentication Works.
For Firebox authentication with the Authentication Portal, Mobile VPN with IPSec, or Mobile VPN with SSL, SecurID supports only PAP (Password Authentication Protocol) authentication.
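The shared secret and the group attribute do concrete work in the RADIUS exchange: with PAP, the Firebox hides the user's passcode by XORing it with MD5 values derived from the secret, and the server proves it holds the same secret through the Response Authenticator on its reply, which is also the packet that carries the group string. The following Python script is an added illustration, not WatchGuard code; it builds that exchange as RFC 2865 lays it out and shows what happens when the two secrets differ only in case. It assumes the group string travels in RADIUS attribute 11 (Filter-Id); the user name, passcode, group name and secrets are constructed sample values.

```python
"""Added example: the RADIUS PAP exchange between a Firebox and a SecurID
(RADIUS) server, to show why the shared secret must match on both sides.
Not WatchGuard code; only the RFC 2865 message layout is used."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
GROUP_ATTRIBUTE = 11  # assumption: Filter-Id carries the group string


def _blocks(data, size=16):
    return [data[i:i + size] for i in range(0, len(data), size)]


def pap_hide(passcode: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    prev, out = authenticator, b""
    for block in _blocks(padded):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the server does it. A wrong secret yields
    garbage rather than an error, so the passcode check simply fails."""
    prev, out = authenticator, b""
    for block in _blocks(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def _header(code: int, ident: int, length: int, auth: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, length) + auth


def build_access_request(ident, request_auth, username, passcode, secret):
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_hide(passcode.encode(), secret, request_auth)))
    return _header(ACCESS_REQUEST, ident, 20 + len(attrs), request_auth) + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, group, secret):
    attrs = _attr(GROUP_ATTRIBUTE, group.encode())
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return _header(ACCESS_ACCEPT, ident, 20 + len(attrs), auth) + attrs


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        out.setdefault(kind, []).append(data[i + 2:i + length])
        i += length
    return out


def check_reply(reply, request_auth, secret):
    """Client side: reject any reply whose authenticator was not computed
    with our secret, then pull the group strings out of the group attribute."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return None
    groups = [g.decode() for g in parse_attrs(attrs).get(GROUP_ATTRIBUTE, [])]
    return code, groups


def exchange(client_secret, server_secret, username="alice",
             passcode="1234567890", group="engineerGroup"):
    """One request/reply with possibly different secrets on each side.
    Returns (passcode as the server recovers it, client verdict)."""
    request_auth = os.urandom(16)
    req = build_access_request(7, request_auth, username, passcode, client_secret)
    hidden = parse_attrs(req[20:])[ATTR_USER_PASSWORD][0]
    seen = pap_reveal(hidden, server_secret, req[4:20])
    reply = build_access_accept(7, req[4:20], group, server_secret)
    return seen, check_reply(reply, request_auth, client_secret)


if __name__ == "__main__":
    print(exchange(b"s3cret", b"s3cret"))  # matching secrets: passcode and group recovered
    print(exchange(b"s3cret", b"S3CRET"))  # case differs: passcode garbled, reply rejected
```

The second call shows both sides of a case mismatch: the server recovers a passcode that is not what the user typed, and even if it replied Access-Accept, the Firebox would discard the reply because the Response Authenticator does not verify under its own secret.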
To configure SecurID authentication from Fireware Web UI:
1. Select Authentication > Servers.
   The Authentication Servers page appears.
2. From the Servers list, select SecurID.
   The SecurID server settings appear.
3. Select the Enable SecurID Server check box.
4. In the IP Address text box, type the IP address of the SecurID server.
5. In the Port text box, type the port number to use for SecurID authentication.
   The default number is 1812.
6. In the Passphrase text box, type the shared secret between the Firebox and the SecurID server.
   The shared secret is case-sensitive, and it must be the same on the device and the SecurID server. The shared secret cannot include only space characters.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type the amount of time that the Firebox waits for a response from the authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the Firebox tries to connect to the authentication server before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type the group attribute value. We recommend that you do not change this value.
    The group attribute value sets the attribute that carries the user group information. When the SecurID server sends a message to the Firebox that a user is authenticated, it also sends a user group string, for example, engineerGroup or financeGroup. This information is then used for access control.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. To change the duration, from the adjacent drop-down list, select Minutes or Hours.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not use this server until it is marked as active again, after the dead time value is reached.
12. To add a backup SecurID server, in the Secondary Server Settings section, select the Enable Secondary SecurID Server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and backup SecurID servers.
    For more information, see Use a Backup Authentication Server.
14. Click Save.
To configure SecurID authentication from Policy Manager:
1. Click . Or, select Setup > Authentication > Authentication Servers.
   The Authentication Servers dialog box appears.
2. Select the SecurID tab.
3. Select the Enable SecurID server check box.
4. In the IP Address text box, type the IP address of the SecurID server.
5. In the Port text box, type or select the port number to use for SecurID authentication.
   The default number is 1812.
6. In the Secret text box, type the shared secret between the Firebox and the SecurID server.
   The shared secret is case-sensitive, and it must be the same on the device and the SecurID server. The shared secret cannot include only space characters.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time that the Firebox waits for a response from the authentication server before it tries to connect again.
9. In the Retry text box, type or select the number of times the Firebox tries to connect to the authentication server before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type or select the group attribute value. We recommend that you do not change this value.
    The group attribute value sets the attribute that carries the user group information. When the SecurID server sends a message to the Firebox that a user is authenticated, it also sends a user group string, for example, engineerGroup or financeGroup. This information is then used for access control.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. To change the duration, from the adjacent drop-down list, select minutes or hours.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not use this server until it is marked as active again, after the dead time value is reached.
12. To add a backup SecurID server, select the Backup Server Settings tab, and select the Enable a backup SecurID server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and backup SecurID servers.
    For more information, see Use a Backup Authentication Server.
14. Click OK.
15. Save the Configuration File.
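The Timeout, Retries and Dead Time settings in both procedures above work together as a failover policy: a server that never answers costs the Firebox Timeout multiplied by Retries before it is given up on, after which it is skipped until the dead time elapses, and only then is it probed again. The following Python simulation is an added example, not WatchGuard code. It models that policy with a fake clock and two constructed servers, one that never answers and one that does, and treats Retries as the total number of tries per server per authentication, which is an assumption about the exact semantics of the real setting.

```python
"""Added example: a simulation of timeout / retries / dead-time failover
between a primary and a backup SecurID (RADIUS) server. Not WatchGuard
code; the exact semantics of the real settings are assumed, not known."""
from dataclasses import dataclass, field


@dataclass
class FakeServer:
    """Constructed stand-in for a RADIUS server; query() returns None
    when the server stays silent (a timeout on the client side)."""
    name: str
    responsive: bool
    accepts: bool = True
    attempts: int = 0

    def query(self):
        self.attempts += 1
        return self.accepts if self.responsive else None


@dataclass
class FailoverClient:
    servers: list                    # primary first, then backup
    timeout: float = 5.0             # seconds waited per try (assumed unit)
    retries: int = 3                 # tries per server per authentication (assumed)
    dead_time: float = 600.0         # seconds a silent server is skipped
    clock: float = 0.0               # fake wall clock, in seconds
    dead_until: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def advance(self, seconds: float) -> None:
        self.clock += seconds

    def authenticate(self):
        """Return the first verdict obtained from an active server, or
        False if every active server stayed silent."""
        for srv in self.servers:
            if self.dead_until.get(srv.name, 0.0) > self.clock:
                self.log.append(f"t={self.clock:.0f}: {srv.name} inactive, skipped")
                continue
            for attempt in range(1, self.retries + 1):
                verdict = srv.query()
                if verdict is not None:
                    self.log.append(f"t={self.clock:.0f}: {srv.name} answered on try {attempt}")
                    return verdict
                self.advance(self.timeout)  # waited the full timeout for nothing
            # Silent for Timeout x Retries: mark inactive for the dead time.
            self.dead_until[srv.name] = self.clock + self.dead_time
            self.log.append(f"t={self.clock:.0f}: {srv.name} silent after "
                            f"{self.retries} tries, inactive until "
                            f"t={self.dead_until[srv.name]:.0f}")
        return False


def scenario():
    """Constructed setup: a primary that never replies and a working backup."""
    primary = FakeServer("primary", responsive=False)
    backup = FakeServer("backup", responsive=True)
    return FailoverClient([primary, backup]), primary, backup


if __name__ == "__main__":
    client, primary, backup = scenario()
    client.authenticate()   # primary times out 3 times (15 s), backup answers
    client.authenticate()   # primary skipped, backup answers at once
    client.advance(600.0)   # dead time elapsed
    client.authenticate()   # primary probed again, then backup
    print("\n".join(client.log))
```

The first authentication pays the full 15 seconds before the backup is consulted; the second completes immediately because the primary is still within its dead time; after the dead time has passed, the primary is tried again and, still silent, is marked inactive once more. This is the trade-off the settings express: a short dead time detects recovery sooner, a long one spares users the repeated delay.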