Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Issues Configuring RSA Adaptive Auth

applmott_
Occasional Contributor
‎10-03-2013 11:19:AM
‎10-03-2013 11:19:AM

Issues Configuring RSA Adaptive Auth

Hi all,

 

We're trying to configure our new RSA Risk-based Authentication (aka Adaptive Auth) solution to work with our SA4500. We have configured the RSA auth server, added it to our realm and imported the .js file to the custom sign-in page, as well as modifying the LoginPage.thtml with the script tags as indicated by the EMC/RSA implementation guide..

 

A quick note about our RSA topology: We currently have all of our RSA infrastructure BEHIND the firewall in our LAN, aka not on the DMZ not exposed to the internet at all. This is the part that's got me stumped.. when designing this solution, RSA told us that we did not need to expose any of our Adaptive Auth servers to the internet and that the SA4500 was supposed to intermediate all of the requests to those servers. The problem I have with that answer is this: When a user hits the Juniper login page, and inputs their LDAP credentials (we're using RSA as a secondary auth server), they are redirected to an RSA URL, which returns a 404 error. This is due to the fact that the URL redirect is of the form https://rsaserver.company.com, which doesn't resolve because it's not exposed to the internet.

 

First, has anyone seen this deployment architecture, and second, has anyone gotten it working?

 

All suggestions/comments/criticisms welocome.

 

Thanks

 

-C 

0 Kudos
5 REPLIES 5
SVK_
Regular Contributor
‎10-07-2013 09:02:PM
‎10-07-2013 09:02:PM

Re: Issues Configuring RSA Adaptive Auth

Hi,

 

I believe the Adaptive Authentication Adapter should be reachable from the internet.

 

Regards,

Svk

0 Kudos
SVK_
Regular Contributor
‎10-07-2013 09:04:PM
‎10-07-2013 09:04:PM

Re: Issues Configuring RSA Adaptive Auth

to prove this from the internal network access the SA , once the user is authenticated this will forward you to https://rsaserver.company.com after which you should be authenticated and presented with the bookmark page.

0 Kudos
dcvers_
Regular Contributor
‎10-08-2013 08:32:AM
‎10-08-2013 08:32:AM

Re: Issues Configuring RSA Adaptive Auth

You should be able to set up an Authorisation Only sign-in policy (and associated role and resource policy) to enable access to the internal URL needed during login.

You can tie down which URLs are accessible with the resource policy but remember anything allowed can be access unauthenticated.

0 Kudos
madansudhindra_
Occasional Contributor
‎11-11-2013 08:37:AM
‎11-11-2013 08:37:AM

Re: Issues Configuring RSA Adaptive Auth

The RSA Adaptive Authentication Adapter (adapters-juniper-aa webapp), needs to be accessible from the user's device. 

There is a redirect to this URL and this url actively collects the device prints and if necessary front-ends the step-up authentication. 

 

 

0 Kudos
zanyterp_
Respected Contributor
‎12-02-2013 09:07:PM
‎12-02-2013 09:07:PM

Re: Issues Configuring RSA Adaptive Auth

Unless you are doing anonymous auth or authorization only, the 443(?) access to the RSA server needs to be allowed directly through the DMZ.
0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.