Configure SecurID Authentication
In Fireware v12.5 and higher, SecurID does not require separate configuration. To use SecurID, configure a RADIUS server and enable SecurID for that server. For RADIUS server configuration information, go to Configure RADIUS Server Authentication. The procedures on this page describe the separate SecurID server settings available in earlier Fireware versions.
To use SecurID authentication, the RADIUS, VASCO, or ACE/Server servers must be configured correctly, and each user must have an approved SecurID token and a PIN (personal identification number). Typically the user enters a passcode that combines the PIN with the current tokencode. Refer to the RSA SecurID documentation for more information.
For more information about the RADIUS protocol and how RADIUS works, go to Configure RADIUS Server Authentication and How RADIUS Server Authentication Works.
For Firebox authentication with the Authentication Portal, Mobile VPN with IPSec, or Mobile VPN with SSL, SecurID supports only PAP (Password Authentication Protocol) authentication. With PAP, the Firebox sends the user's passcode to the server in the RADIUS User-Password attribute, which is only obfuscated with the shared secret and the request authenticator, not encrypted with a modern cipher. The exposure is limited because a SecurID passcode is valid for a single use, but you should still keep the path between the Firebox and the SecurID server on a trusted network and use a long, random shared secret.
Configure SecurID in Fireware Web UI

1. Select Authentication > Servers.
   The Authentication Servers page appears.
2. From the Servers list, select SecurID.
   The SecurID server settings appear.
3. Select the Enable SecurID Server check box.
4. In the IP Address text box, type the IP address of the SecurID server.
   Fireware v12.4 or higher supports both IPv4 and IPv6 addresses. Fireware v12.3.x or lower supports only IPv4 addresses.
5. In the Port text box, type the port number to use for SecurID authentication.
   The default port is 1812, the standard RADIUS authentication port.
6. In the Shared Secret text box, type the shared secret between the Firebox and the SecurID server.
   The shared secret is case-sensitive and must be identical on the Firebox and the SecurID server. It cannot consist only of space characters. Fireware v12.4 or higher supports shared secrets of up to 64 characters; Fireware v12.3.x or lower supports up to 36 characters. Use a long, random secret: it is the only key that protects the RADIUS exchange between the Firebox and the server.
7. In the Confirm Secret text box, type the shared secret again.
8. In the Timeout text box, type the amount of time the Firebox waits for a response from the authentication server before it retries.
9. In the Retries text box, type the number of times the Firebox retries the authentication server before it reports a failed connection for one authentication attempt.
10. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again.
11. From the Dead Time drop-down list, select Minutes or Hours to set the unit.
   The default dead time is 3 minutes. In Fireware v12.1.1 or lower, the default is 10 minutes. After an authentication server fails to respond for the timeout and retry period, it is marked as inactive. Later authentication attempts do not use that server until the dead time has elapsed and it is marked as active again.
12. In the Group Attribute text box, type the group attribute value. We recommend that you do not change this value.
   The group attribute identifies the RADIUS attribute that carries user group information. When the SecurID server tells the Firebox that a user is authenticated, it also sends a user group string in that attribute, for example engineerGroup or financeGroup. The Firebox uses this string for access control, so the group names in your policies must match the strings the server returns.
13. To add a backup SecurID server, in the Secondary Server Settings section, select the Enable Secondary SecurID Server check box.
14. Repeat Steps 4–12 to configure the backup server. Make sure the shared secret is the same on the primary and backup SecurID servers.
   For more information about backup authentication servers, go to Use a Backup Authentication Server.
15. Click Save.
Configure SecurID in Policy Manager

1. Select Setup > Authentication > Authentication Servers.
   The Authentication Servers dialog box appears.
2. Select the SecurID tab.
3. Select the Enable SecurID server check box.
4. In the IP Address text box, type the IP address of the SecurID server.
   Fireware v12.4 or higher supports both IPv4 and IPv6 addresses. Fireware v12.3.x or lower supports only IPv4 addresses.
5. In the Port text box, type or select the port number to use for SecurID authentication.
   The default port is 1812, the standard RADIUS authentication port.
6. In the Shared Secret text box, type the shared secret between the Firebox and the SecurID server.
   Fireware v12.4 or higher supports shared secrets of up to 64 characters; Fireware v12.3.x or lower supports up to 36 characters. The shared secret is case-sensitive and must be identical on the Firebox and the SecurID (RADIUS) server. It cannot consist only of space characters.
7. In the Confirm Secret text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time the Firebox waits for a response from the authentication server before it retries.
9. In the Retry text box, type or select the number of times the Firebox retries the authentication server before it reports a failed connection for one authentication attempt.
10. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again, and from the Dead Time drop-down list, select Minutes or Hours to set the unit.
   The default dead time is 3 minutes. In Fireware v12.1.1 or lower, the default is 10 minutes. After an authentication server fails to respond for the timeout and retry period, it is marked as inactive. Later authentication attempts do not use that server until the dead time has elapsed and it is marked as active again.
11. In the Group Attribute text box, type or select the group attribute value. We recommend that you do not change this value.
   The group attribute identifies the RADIUS attribute that carries user group information. When the SecurID server tells the Firebox that a user is authenticated, it also sends a user group string in that attribute, for example engineerGroup or financeGroup. The Firebox uses this string for access control, so the group names in your policies must match the strings the server returns.
12. To add a backup SecurID server, select the Backup Server Settings tab, and select the Enable a backup SecurID server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and backup SecurID servers.
   For more information about backup authentication servers, go to Use a Backup Authentication Server.
14. Click OK.
15. Save the configuration file.
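As an added example, not code from WatchGuard or RSA, the following Python simulates both sides of the RADIUS PAP exchange that the PAP-only note and the Shared Secret and Group Attribute steps above describe: the Firebox hides the passcode with the shared secret, the SecurID server recovers and checks it and returns the group string in the group attribute, and the Firebox validates the Response Authenticator before trusting the reply. It assumes the Group Attribute is left at its default, which this example takes to be RADIUS attribute 11 (Filter-Id); the user table, secrets, passcodes and NAS address are constructed, and nothing is sent on the network.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
# Assumption: the Firebox Group Attribute is at its default, taken here to be Filter-Id (11).
GROUP_ATTRIBUTE = FILTER_ID


def pap_obfuscate(secret, request_auth, cleartext):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not encryption."""
    padded = cleartext + b"\x00" * (-len(cleartext) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_recover(secret, request_auth, hidden):
    """Inverse of pap_obfuscate, as the SecurID/RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(secret, ident, username, passcode, nas_ip):
    """Firebox side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_obfuscate(secret, request_auth, passcode)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth


def build_response(secret, code, ident, request_auth, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


# Constructed token table: username -> (PIN followed by current tokencode, group string).
FAKE_SECURID_USERS = {b"alice": (b"4321" + b"159753", b"engineerGroup")}


def securid_server(server_secret, packet):
    """Simulated SecurID/RADIUS server: recovers the PAP passcode, checks it, answers."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    passcode = pap_recover(server_secret, request_auth, attrs[USER_PASSWORD])
    expected, group = FAKE_SECURID_USERS.get(attrs[USER_NAME], (None, None))
    if expected is not None and hmac.compare_digest(passcode, expected):
        return build_response(server_secret, ACCESS_ACCEPT, ident, request_auth,
                              [(GROUP_ATTRIBUTE, group)])
    return build_response(server_secret, ACCESS_REJECT, ident, request_auth, [])


def firebox_authenticate(firebox_secret, server_secret, username, passcode, ident=7):
    """Full exchange: build the request, obtain the reply, validate it, extract the group."""
    request, request_auth = build_access_request(firebox_secret, ident, username, passcode, "10.0.1.1")
    reply = securid_server(server_secret, request)
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    expected_auth = hashlib.md5(reply[:4] + request_auth + body + firebox_secret).digest()
    if reply_ident != ident or not hmac.compare_digest(expected_auth, reply[4:20]):
        # RFC 2865 requires silently discarding replies with a bad Response Authenticator,
        # so a shared-secret mismatch looks like a timeout and feeds Retries and Dead Time.
        return "no-valid-response", []
    if code == ACCESS_ACCEPT:
        return "accept", [v.decode() for t, v in decode_attrs(body) if t == GROUP_ATTRIBUTE]
    return "reject", []
```

The third case in the checks below is the one to keep in mind when troubleshooting: a shared secret that differs only in letter case does not produce an Access-Reject. The Firebox discards the reply, so the failure surfaces as timeouts and retries, and eventually as the server being marked inactive for the dead time.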