Configure SecurID Authentication
To use SecurID authentication, you must configure the RADIUS, VASCO, or ACE/Server servers correctly. The users must also have an approved SecurID token and a PIN (personal identification number). Refer to the RSA SecurID documentation for more information.
For more information about the RADIUS protocol and how RADIUS works, see Configure RADIUS Server Authentication and How RADIUS Server Authentication Works.
For Firebox authentication with the Authentication Portal, Mobile VPN with IPSec, or Mobile VPN with SSL, SecurID supports only PAP (Password Authentication Protocol) authentication.
From Fireware XTM Web UI:
- Select Authentication > Servers.
The Authentication Servers page appears.
- From the Servers list, select SecurID.
The SecurID server settings appear.
- Select the Enable SecurID Server check box.
- In the IP Address text box, type the IP address of the SecurID server.
- In the Port text box, type the port number to use for SecurID authentication.
The default number is 1812.
- In the Passphrase text box, type the shared secret between the XTM device and the SecurID server. The shared secret is case-sensitive and must be the same on the XTM device and the SecurID server.
- In the Confirm text box, type the shared secret again.
- In the Timeout text box, type the amount of time that the XTM device waits for a response from the authentication server before it tries to connect again.
- In the Retries text box, type the number of times the XTM device tries to connect to the authentication server before it reports a failed connection for one authentication attempt.
- In the Group Attribute text box, type the group attribute value. We recommend that you do not change this value.
The group attribute value is used to set the attribute that carries the user group information. When the SecurID server sends a message to the XTM device that a user is authenticated, it also sends a user group string. For example, engineerGroup or financeGroup. This information is then used for access control.
- In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. To change the duration, from the adjacent drop-down list, select Minutes or Hours.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not use this server until it is marked as active again, after the dead time value is reached.
- To add a backup SecurID server, in the Secondary Server Settings section, select the Enable Secondary SecurID Server check box.
- Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and backup SecurID servers.
For more information, see Use a Backup Authentication Server.
- Click Save.
About Third-Party Authentication Servers