Configuring RSA Authentication Manager with ISA Server 2006

Issue

There are some features of RSA Authentication Manager integration with ISA 2006 that are not well documented.

Resolution

1) Configuration with EAP Authentication

When installing the RSA Authentication Agent on a multi-homed ISA server:

On the ISA Server:

- Create a text file: %SYSTEMROOT%\system32\sdopts.rec
- Add the following entry to the file:
  CLIENT_IP=<inside IP>
- Set "IP Address Override" to 0.0.0.0 in the RSA Authentication Agent

<inside IP> should be the same as the "Primary IP Address" in the Agent Host definition.


2) RADIUS Authentication
The RSA RADIUS server is an OEM version of Funk Software's Steel Belted RADIUS, but it does not support the entire feature set. Most importantly, it supports only PAP authentication:

http://theether.net/download/RSA/SecurID/6.1/RSA-SBR%20vs%20SBR-EE.pdf

Also, if the authentication type is anything other than PAP, the RSA RADIUS Server will not pass the authentication request to Authentication Manager, and no activity is shown in the logs.

RADIUS Client Definition
RADIUS clients require a definition both in the RSA RADIUS Server Administration and in the Authentication Manager Administration as an Agent Host.

In RSA Authentication Manager Administration:

- Select Agent Host | Add Agent Host
- Enter the Name and Network Address
- Select Communication Server for Agent type
- Check Open to All Locally Known Users
- Uncheck Enable Offline Authentication
- Uncheck Enable Windows Password Authentication
- Click OK

- Select RADIUS | Manage RADIUS Server
- Double click RADIUS Clients in the right pane
- Click Add
- Enter the details as required and click OK

Products

RSA SecurID Authentication Manager 6.1
Microsoft Internet Security and Acceleration Server 2006

Created: 15th May 2008
Updated: 15th May 2008

© 2005-2024 Jamie Morrison