

How UNAB Integrates With the RSA SecurID

UNAB integrates with RSA SecurID by leveraging the PAM stack. The PAM stack lets you set which authentication programs are used to authenticate users during the login process and the order in which they are called.

The following process explains UNAB integration with RSA SecurID:

  1. Install UNAB on an endpoint that has RSA SecurID client installed.
  2. Configure the PAM stack in the order in which you want user authentication to occur. For example, you configure the PAM stack to call RSA SecurID to authenticate the user passcode and PIN number and, if unsuccessful, use UNAB to authenticate the user Active Directory credentials.
  3. When a user attempts to log in to the UNAB host, the following occurs:

    Using RSA SecurID authentication and UNAB authentication:

    1. RSA SecurID prompts the user for a passcode and PIN number.
    2. The user enters the passcode and PIN number.
    3. The RSA SecurID attempts to authenticate the user passcode and PIN number. The following occurs:
      • RSA SecurID validates the user passcode and PIN number and enables the user to log in. The authentication process ends at this point and the user account management process starts.
      • RSA SecurID rejects the user passcode or PIN number.
      • UNAB prompts the user for an Active Directory user account or local account credentials.
      • UNAB attempts to authenticate the user credentials and, if authenticated, the authentication process ends and the user account management process starts.

Example: Using RSA SecurID authentication in Red Hat Advanced Server 5.3

The following snippet from the /etc/pam.d/system-auth file indicates that user authentication to the Red Hat Linux Advanced Server 5.3 is done by RSA SecurID only:

auth required pam_securid.so

Example: Using RSA SecurID, local UNIX and UNAB authentication in Red Hat Linux Advanced Server 5.3

The following snippet from the /etc/pam.d/system-auth file indicates that user authentication to the Red Hat Linux Advanced Server 5.3 is done by RSA SecurID, local UNIX and UNAB:

auth sufficient   pam_securid.so
auth sufficient   pam_unix.so
auth sufficient   pam_uxauth.so

In this example the /etc/pam.d/system-auth file is configured to call the RSA SecurID module (pam_securid.so) to attempt to authenticate the user credentials. If unsuccessful, the local UNIX PAM module (pam_unix.so) attempts to authenticate the user credentials. If unsuccessful, the UNAB PAM stack module (pam_uxauth.so) attempts to authenticate the user credentials. In this example, when the UNAB PAM module attempts to authenticate the user credentials, UNAB does not prompt the user for a password. The local UNIX PAM module provides the UNAB PAM stack module with the password.

Note: The authentication process can end with any of the PAM stack modules.

Example: Using UNAB authentication and RSA SecurID authentication in Red Hat Advanced Server 5.3

The following snippet from the /etc/pam.d/system-auth file indicates that user authentication to the Red Hat Advanced Server 5.3 is done using UNAB authentication and RSA SecurID authentication:

auth optional     pam_unix.so
auth sufficient   pam_uxauth.so
auth sufficient   pam_securid.so

In this example the /etc/pam.d/system-auth file is configured to use the UNAB PAM stack module (pam_uxauth.so) to attempt to authenticate the user Active Directory credentials before using the RSA SecurID PAM stack module (pam_securid.so) to authenticate the user passcode. The local UNIX PAM stack module (pam_unix.so) is set to optional. This indicates that the local UNIX PAM stack module does not authenticate the user but rather prompts the user for a password and forwards the password to the PAM stack.

Note: In this example the authentication process can end with a successful authentication by either the RSA SecurID module or the UNAB module, without using local UNIX authentication.
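
The following added example (not part of the original documentation, and not UNAB or RSA code) walks the three system-auth snippets above through a simplified model of the PAM control flags, so you can see which module outcomes end authentication and which modules are called. The flag semantics are an assumption based on the Linux-PAM documentation; the function names and the true/false module outcomes are hypothetical.

```python
# Added example: a simplified model of PAM control flags, not UNAB or RSA code.
# Assumption: flags behave as Linux-PAM documents them:
#   required   - failure fails the stack, but later modules still run
#   sufficient - success ends the stack at once unless a required module
#                already failed; failure is ignored
#   optional   - success is recorded, failure is ignored

# The three /etc/pam.d/system-auth snippets from the page.
SECURID_ONLY = "auth required pam_securid.so\n"
SECURID_UNIX_UNAB = (
    "auth sufficient   pam_securid.so\n"
    "auth sufficient   pam_unix.so\n"
    "auth sufficient   pam_uxauth.so\n"
)
UNAB_THEN_SECURID = (
    "auth optional     pam_unix.so\n"
    "auth sufficient   pam_uxauth.so\n"
    "auth sufficient   pam_securid.so\n"
)

def parse_auth(text):
    """Return [(control, module)] for each auth line, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(text, outcomes):
    """outcomes: module name -> True if that module would accept the user.
    Returns (authenticated, modules_called_in_order)."""
    granted = failed = False
    called = []
    for control, module in parse_auth(text):
        called.append(module)
        ok = outcomes.get(module, False)  # unlisted modules count as failing
        if control == "required":
            granted, failed = granted or ok, failed or not ok
        elif control == "sufficient":
            if ok and not failed:
                return True, called
        elif control == "optional":
            granted = granted or ok
        else:
            raise ValueError(f"control flag not modelled: {control}")
    # With no positive result from any module, the stack denies access.
    return granted and not failed, called

if __name__ == "__main__":
    print(evaluate(SECURID_UNIX_UNAB, {"pam_uxauth.so": True}))
    print(evaluate(UNAB_THEN_SECURID, {"pam_securid.so": True}))
```

Run a candidate stack through every combination of module outcomes before editing /etc/pam.d/system-auth. Under the modelled semantics a success recorded by an optional module also counts toward the final result, so include that combination in the check.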