Example: using SecurID authentication with the Forcepoint VPN Client

This example gives a general overview of using SecurID authentication with the Forcepoint VPN Client.

For more information about using SecurID authentication, see the RSA documentation at https://www.rsa.com.

Company C is about to introduce remote Forcepoint VPN Client access to its network. The administrators decide to add one-time passwords from SecurID cards, using their existing RSA Authentication Manager server, which already shares the user information with the company’s LDAP server.

Figure: Company C's authentication scheme



The administrators:
  1. Create an Agent Host record for the Engine in the RSA Authentication Manager server.
  2. Configure a mobile VPN in the Management Client with the default Hybrid Authentication selected as the authentication method for connecting clients.
    • Hybrid authentication is available for the Forcepoint VPN Client. Hybrid authentication requires the client to authenticate the SD-WAN Gateway (the engine) by using a certificate. The users must provide the correct User Name/Password combination (validated by the RSA Authentication Manager server in this case).
  3. Create a RADIUS Authentication Server element.
  4. Create a custom Authentication Method element for the server, named “SecurID”.
  5. Open the Active Directory Server Properties dialog box, and do the following:
    1. Click the Authentication tab.
    2. Add the new authentication method under External Authentication Methods to indicate that it is supported by the server.
  6. To configure the SecurID authentication method to always be used with the domain by default, do the following:
    1. Open the LDAP Domain element properties dialog box.
    2. Click the Default Authentication tab.
    3. Select the SecurID authentication method.
    Note: If SecurID is not the default authentication method, users must log in with the syntax “username;SecurID”.
  7. Add Access rules with both an authentication and an SD-WAN requirement defined as shown here:
    Table 1. Example Access rule for SecurID authentication
      • Source: The virtual IP address range used on the virtual adapters of the Forcepoint VPN Client.
      • Destination: IP addresses of network services that require authentication.
      • Authentication: User or User Group elements. Require authentication with “SecurID” Authentication Method.
      • Action: Allow, with the SD-WAN Action option set to Enforce SD-WAN.