RSA Authentication Manager 7.1 Administrator's Guide - IT Services ...
For many organizations, automatic contact lists are sufficient. However, you may choose to create a manual contact list if you have a specific way that you want to route authentication requests.

For example, suppose that you are an administrator at a company that has Boston, New York, and San Jose locations. The New York and San Jose locations are small and all authentications are routed to Authentication Manager replica instances at each site. The Boston location, however, is the largest, and the primary instance at that location handles all of your Boston location users, as well as all VPN requests from external users. You may choose to create a manual contact list that routes authentication requests to all of your server nodes, except the database server. This leaves the database server free to replicate data to your replica instances in New York and San Jose.

For instructions, see the Security Console Help topics, “Manage the RSA Authentication Manager Contact List,” “Assign a Contact List to an Authentication Agent,” and “Edit Manual Contact Lists.”

Using Authentication Agents to Restrict User Access

Authentication Manager allows you to configure authentication agents in two ways:

Unrestricted agents. Unrestricted agents process all authentication requests from all users in the same realm as the agent. They eliminate the need to grant access to user groups on the agent.

Restricted agents. Restricted agents only process authentication requests from users who are members of user groups that have been granted access to the agent. Users who are not members of a permitted user group cannot use the restricted agent to authenticate.

For example, when an authentication request comes from a restricted agent, Authentication Manager checks to see if the request comes from a user that is a member of a user group that is granted access to the agent. If a user is a member, he or she is authenticated and access is granted. If a user is not a member, he or she is not authenticated and access is denied.

You can grant access to existing user groups, or you can create new user groups specifically for use with restricted agents.

Important: Active Directory supports multiple types of groups. When configured to use Active Directory groups, Authentication Manager only supports Universal groups. When you view the Active Directory groups from the Security Console, the Security Console displays all groups, regardless of type. If you select a group from this list to activate users on restricted agents, make sure that you select a Universal group. Use the Active Directory Users and Computers MMC Console to examine the type of group. If you use any other type of Active Directory group, the user cannot authenticate.
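
The Universal-group requirement above can also be checked in bulk from an LDAP export instead of one group at a time in the MMC console. The following is an added example, not part of the RSA guide or product: it decodes the Active Directory groupType attribute and lists restricted-agent grants that point at non-Universal groups. The agent names, group names, and the idea of keeping grants in a dictionary are constructed for illustration.

```python
# Added example (not RSA code): audit groups granted access to restricted
# agents and flag any that are not Universal. All sample data is constructed.

# Scope bits of the Active Directory groupType attribute.
SCOPE_FLAGS = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000  # set for security groups, clear for distribution


def decode_group_type(raw):
    """Return (scope, is_security_group) for a groupType value from LDAP."""
    # LDAP returns a signed 32-bit integer string, so a Universal security
    # group appears as -2147483640; normalise it to unsigned first.
    value = int(raw) & 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_FLAGS.items() if value & bit]
    scope = scopes[0] if len(scopes) == 1 else "Unknown"
    return scope, bool(value & SECURITY_ENABLED)


def audit_restricted_agent_groups(agent_grants, directory_groups):
    """Return (agent, group, reason) for each grant that needs attention."""
    findings = []
    for agent, groups in sorted(agent_grants.items()):
        for group in groups:
            raw = directory_groups.get(group)
            if raw is None:
                findings.append((agent, group, "group not found in export"))
                continue
            scope, _ = decode_group_type(raw)
            if scope != "Universal":
                findings.append((agent, group, f"scope is {scope}, not Universal"))
    return findings


# Constructed export: group name -> groupType value as LDAP returns it.
DIRECTORY_GROUPS = {
    "VPN-Users": "-2147483640",        # Universal security group
    "Boston-Staff": "-2147483646",     # Global security group
    "NY-Local-Admins": "-2147483644",  # Domain local security group
}
# Constructed grants: restricted agent -> user groups granted access.
AGENT_GRANTS = {
    "vpn-gw.example.com": ["VPN-Users", "Boston-Staff"],
    "ny-fileserver.example.com": ["NY-Local-Admins", "Contractors"],
}

if __name__ == "__main__":
    for finding in audit_restricted_agent_groups(AGENT_GRANTS, DIRECTORY_GROUPS):
        print(": ".join(finding))
```

Each finding names a grant to correct before users in that group try to authenticate through the restricted agent.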

3: Protecting Network Resources with RSA SecurID