09-24-2012 09:01 AM
We've been working on finalizing our Aruba Mobility 650 deployment and we've hit a bit of a stumbling point with implementing RSA SecurID Tokens.
We have an existing setup through a WatchGuard Firebox that is using the tokens, so we do have RSA set up and functioning in a production environment; the snag is getting a clear understanding of how we need to configure the Mobility 650.
The initial question is "Can this be done at all?" There doesn't seem to be any clear walkthrough that I've been able to find in the KB.
The secondary question, assuming an affirmative answer to the first, would be "How do I configure the 650 and RSA to speak with each other?" I've gotten as far as the RSA monitor giving me an "Authentication method failed, passcode format error".
Any help would be greatly appreciated! We've worked with Aruba Tech Support and have yet to get a clear answer from them as to if we can do this, and I'm honestly not sure he understands what we're asking.
09-24-2012 06:40 PM
My name is Glenn Williams. I work for RSA as one of the Product Managers for SecurID. I came originally from the Advanced Tech Support team for SecurID. The answer to one of your questions is "yes" - you can set up an Aruba Mobility Controller to use SecurID. The Implementation Guide is attached below.
The error "Passcode Format Error" means that there are too many or too few characters in the passcode (pin+tokencode) that is received on the SecurID server. This is usually one of two things. Either you entered the passcode (pin+tokencode) incorrectly (probably not the case here) or the RADIUS shared secret does not match on the Aruba device and the SecurID server. This results in the passcode being decoded as a long string of nonsense characters, which is why you see the passcode format error (remember, too many or too few characters).
Go through the Implementation Guide and you'll probably find where you made your mistake.
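The shared-secret mismatch described in the reply above, as an added example that is not part of the original post and is not RSA or Aruba code. It assumes the passcode travels in the RADIUS User-Password attribute (PAP), hidden as specified in RFC 2865 section 5.2; the secrets, authenticator, passcode and the `looks_like_passcode` rule are constructed for illustration.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block)
    return hashlib.md5(secret + prev).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS client (the controller) does before sending User-Password."""
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], _keystream(secret, prev))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with its own copy of the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _keystream(secret, prev))
        prev = block
    return out.rstrip(b"\x00")

def looks_like_passcode(value: bytes) -> bool:
    # Assumed format for this demo only: 8 to 16 ASCII digits (PIN + tokencode).
    return value.isdigit() and 8 <= len(value) <= 16

# Constructed sample values, not taken from any real deployment.
AUTHENTICATOR = bytes(range(16))          # Request Authenticator from the packet
CLIENT_SECRET = b"secret-on-controller"
PASSCODE = b"4821739204"                  # 4-digit PIN + 6-digit tokencode

hidden = hide_password(PASSCODE, CLIENT_SECRET, AUTHENTICATOR)
good = recover_password(hidden, CLIENT_SECRET, AUTHENTICATOR)
bad = recover_password(hidden, b"secret-on-server-typo", AUTHENTICATOR)

if __name__ == "__main__":
    print("matching secret  :", good, looks_like_passcode(good))
    print("mismatched secret:", bad, looks_like_passcode(bad))
```

With the mismatched secret the server still "decodes" something, but it is 16 bytes of effectively random data rather than the digits the user typed, which is why the failure surfaces as a format error instead of a wrong-passcode error.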
09-25-2012 03:17 PM
Thank you for the response, Glenn. It's very appreciated. That walkthrough will be helpful for ensuring that we've created the relationship between the RSA and Aruba Controller properly.
I'm a bit embarrassed to admit that I left out a key ingredient in my description of the project: We're trying to use RSA Tokens through VIA on the iPad/iPhone, Mac, and PC VIA Clients.
Do you perhaps have an additional guide for configuring those clients and their connection profiles?
09-26-2012 11:10 AM
Also, one other question in regards to two-factor authentication. I understand in dealing with Aruba that the user, when connecting, will be asked to enter their token or token/PIN combination in the password field instead of their Windows NT password. My question is: isn't that only really single-factor? Granted, it is a one-time-use token, but we would like to have some sort of explanation as to where the second form of authentication is taking place, if it's taking place on each connection request, etc.
09-28-2012 10:14 AM
When entering PIN+tokencode in the password field, you are entering 2 separate pieces of information. One factor (the PIN) is something the user knows, the other factor (the token) is something the user has. The fact that both pieces of information are entered together does not change anything.
Does that answer your question?