STEP 4: Install and Configure RSA and EDGE1
Applies To: Windows Server 2012 R2, Windows Server 2012, Windows 8
RSA is the RADIUS and OTP server, and is installed prior to configuring RADIUS and OTP.
You will perform the following steps to configure the RSA deployment:
Install the operating system on the RSA server—Install Windows Server 2008 R2 on the RSA server.
Configure TCP/IP on RSA—Configure TCP/IP settings on the RSA server.
Copy Authentication Manager installation files to the RSA server—After installing the operating system on RSA, copy the Authentication Manager files to the RSA computer.
Join the RSA server to the CORP domain—Join RSA to the CORP domain.
Disable Windows Firewall on RSA—Disable the Windows Firewall on the RSA server.
Install RSA Authentication Manager on the RSA server—Install RSA Authentication Manager.
Configure RSA Authentication Manager—Configure Authentication Manager.
Create DAProbeUser—Create a user account for probing purposes.
Install RSA SecurID software token on CLIENT1—Install RSA SecurID software token on CLIENT1.
Configure EDGE1 as an RSA Authentication Agent—Configure RSA Authentication Agent on EDGE1.
Configure EDGE1 to support OTP authentication—Configure OTP for DirectAccess, and verify the configuration.
Install the operating system on the RSA server
On RSA, start the installation of Windows Server 2008 R2.
Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Standard (Full Installation) and a strong password for the local Administrator account. Log on using the local Administrator account.
Connect RSA to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2008 R2, and then disconnect from the Internet.
Connect RSA to the Corpnet subnet.
Configure TCP/IP on RSA
In Initial Configuration Tasks, click Configure networking.
In Network Connections, right-click Local Area Connection, and then click Properties.
Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
Click Use the following IP address. In IP address, type 10.0.0.5. In Subnet mask, type 255.255.255.0. In Default Gateway, type 10.0.0.2. Click Use the following DNS server addresses, and in Preferred DNS server, type 10.0.0.1.
Click Advanced, and then click the DNS tab.
In DNS suffix for this connection, type corp.contoso.com, and then click OK twice.
On the Local Area Connection Properties dialog box, click Close.
Close the Network Connections window.
Copy Authentication Manager installation files to the RSA server
On the RSA server create the folder C:\RSA Installation.
Copy the contents of the RSA Authentication Manager 7.1 SP4 media to the C:\RSA Installation folder.
Create the subfolder C:\RSA Installation\License and Token.
Copy the RSA license files to C:\RSA Installation\License and Token.
Join the RSA server to the CORP domain
Right-click My Computer, and click Properties.
In the System Properties dialog box, on the Computer Name tab, click Change.
In Computer Name, type RSA. In Member of, click Domain, type corp.contoso.com, and click OK.
When you are prompted for a user name and password, type User1 and its password, and click OK.
On the domain welcome dialog box, click OK.
When you are prompted that you must restart the computer, click OK.
On the System Properties dialog box, click Close.
When you are prompted to restart the computer, click Restart Now.
After the computer has restarted, type User1 and its password, select CORP in the Log on to: drop-down list, and click OK.
Disable Windows Firewall on RSA
Click Start, click Control Panel, click System and Security, and click Windows Firewall.
Click Turn Windows Firewall on or off.
Turn off Windows Firewall for all settings.
Click OK and close Windows Firewall.
Install RSA Authentication Manager on the RSA server
If the Security Warning message appears at any time during this process, click Run to continue.
Open the C:\RSA Installation folder and double-click autorun.exe.
Click Install Now, click Next, select the top option for the Americas, and click Next.
Select I accept the terms of the license agreement, and click Next.
Select Primary Instance, and click Next.
In the Directory Name: field type C:\RSA, and click Next.
Verify that the server name (RSA.corp.contoso.com) and IP address are correct, and click Next.
Browse to C:\RSA Installation\License and Token, and click Next.
On the Verify license file page, click Next.
In the User ID field type Administrator, and in the Password and Confirm Password fields type a strong password. Click Next.
On the log selection screen, accept the defaults and click Next.
On the summary screen, click Install.
After installation is complete, click Finish.
Configure RSA Authentication Manager
If the RSA Security Console does not open automatically, then on the RSA computer desktop double-click “RSA Security Console”.
If the security certificate warning / security alert appears, click Continue to this website or click Yes to proceed, and add this site to trusted sites, if requested.
In the User ID field type Administrator and click OK.
In the Password field type the password for the Administrator account and click Log On.
Insert Token information.
In the RSA Security Console click Authentication and click SecurID Tokens.
Click Import Tokens Job, and then click Add New.
In the Import Options section click Browse. Browse to and select the tokens XML file in the C:\RSA Installation\License and Token folder and click Open.
Click Submit Job on the bottom of the page.
Create OTP new user.
In the RSA Security Console click the Identity tab, click Users, and click Add New.
In the Last Name: section type User, and in the User ID: section type User1 (UserID must be the same as the AD username used for this lab). In the Password: and Confirm Password: sections type a strong password. Clear the ‘Require user to change password at next logon’ check box and click Save.
Assign User1 to one of the imported tokens.
On the Users page click User1 and click SecurID Tokens.
Click SecurID Tokens and click Assign Token.
Under the Serial Number heading click the first number listed, and click Assign.
Click the assigned token, and click Edit. In the SecurID PIN Management section for User Authentication Requirement, select Do not require PIN (only tokencode).
Click Save and Distribute Token.
On the Distribute Software Token page in the Basics section, click Issue Token File (SDTID).
On the Distribute Software Token page in the Token File Options section, clear the Enable copy protection check box. Click No Password and Next.
On the Distribute Software Token page in the Download File section, click Download Now. Click Save. Browse to C:\RSA Installation and click Save and Close.
Minimize the RSA Security Console for use later.
Configure Authentication Manager as RADIUS server.
On the RSA computer desktop double-click “RSA Security Operations Console”.
If the security certificate warning / security alert appears, click Continue to this website or click Yes to proceed, and add this site to trusted sites if requested.
Enter the User ID and Password and click Log On.
Click Deployment Configuration – RADIUS – Configure Server.
On the Additional Credentials Required page enter the administrator User ID and Password and click OK.
On the Configure RADIUS Server page enter the same password used for the administrator user for the Secrets and Master Password. Enter the Administrator User ID and Password, and click Configure.
Verify that the message ‘Successfully configured RADIUS server’ is displayed. Click Done. Close the RSA Operations Console.
Switch back to the “RSA Security Console”.
On the RADIUS tab click RADIUS Servers. Verify that rsa.corp.contoso.com is listed.
Configure RSA server as RSA Authentication Client.
On the RADIUS tab, click RADIUS Clients and Add New.
Click the ANY RADIUS Client check box.
Type a strong password of your choice in the Shared Secret field. You will use this same password later when configuring EDGE1 for OTP.
Leave the IP Address field blank, and the Make / Model entry as Standard RADIUS.
Click Save without RSA Agent.
Create files required for configuring EDGE1 as a RSA Authentication Agent.
On the Access tab, highlight Authentication Agents, and click Add New.
Type EDGE1 in the Hostname field, and click Resolve IP.
Notice that the IP address for EDGE1 is now displayed in the IP Address field. Click Save.
Generate a configuration file for the EDGE1 server (AM_Config.zip).
On the Access tab, highlight Authentication Agents, and click Generate Configuration File.
On the Generate Configuration File page click Generate Config File, and then click Download Now.
Click Save, browse to C:\RSA Installation, and click Save.
Click Close on the Download Complete dialog.
Generate a node secret file for the EDGE1 server (EDGE1_NodeSecret.zip).
On the Access tab, highlight Authentication Agents, and click Manage Existing.
Click the current configured node EDGE1, and click Manage Node Secret.
Select the Create a new random node secret, and export the node secret to a file check box.
Enter the same password used for the administrator user in the Encryption Password and Confirm Encryption Password fields, and click Save.
On the Node Secret File Generated page click Download Now.
On the File Download dialog click Save, browse to C:\RSA Installation, and click Save. Click Close on the Download Complete dialog.
From the RSA Authentication Manager media copy \auth_mgr\windows-x86_64\am\rsa-ace_nsload\win32-5.0-x86\agent_nsload.exe to C:\RSA Installation.
Create DAProbeUser
In the RSA Security Console click the Identity tab, click Users, and click Add New.
In the Last Name: section type Probe, and in the User ID: section type DAProbeUser. In the Password: and Confirm Password: sections type a strong password. Clear the ‘Require user to change password at next logon’ check box and click Save.
Install RSA SecurID software token on CLIENT1
Use this procedure to install SecurID software token on CLIENT1.
Install SecurID software token
On the CLIENT1 computer, create the folder C:\RSA Files. Copy the file Software_Tokens.zip from C:\RSA Installation on the RSA computer to C:\RSA Files. Extract the file User1_000031701832.SDTID to C:\RSA Files on CLIENT1.
Access the RSA SecurID software token media source, and double-click RSASECURIDTOKEN410 in the SecurID SoftwareToken client app folder to start the RSA SecurID installation. If the Open File – Security Warning message appears, then click Run.
On the RSA SecurID Software Token – InstallShield Wizard dialog click Next twice.
Accept the license agreement, and click Next.
On the Setup Type dialog select Typical, click Next, and click Install.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
Select the Launch RSA SecurID Software Token check box, and click Finish.
Click Import from File.
Click Browse, select C:\RSA Files\User1_000031701832.SDTID, and click Open.
Click OK twice.
Configure EDGE1 as an RSA Authentication Agent
Use this procedure to configure EDGE1 to perform RSA authentication.
Configure the RSA Authentication Agent
On EDGE1 open Windows Explorer and create the folder C:\RSA Files. Browse to the RSA ACE Installation media.
Copy the files agent_nsload.exe, AM_Config.zip and EDGE1_NodeSecret.zip from the RSA media to C:\RSA Files.
Extract the contents of both zip files to the following locations:
Copy agent_nsload.exe to C:\Windows\SysWOW64\.
Open an elevated command prompt and navigate to C:\Windows\SysWOW64.
Type agent_nsload.exe -f nodesecret.rec -p <password>, where <password> is the strong password that you created during the initial RSA configuration. Press Enter.
Copy C:\Windows\SysWOW64\securid to C:\Windows\System32.
Configure EDGE1 to support OTP authentication
Use this procedure to configure OTP for DirectAccess, and verify the configuration.
Configure OTP for DirectAccess
On EDGE1, open Server Manager, and click REMOTE ACCESS in the left pane.
Right-click EDGE1 in the SERVERS pane, and select Remote Access Management.
In the DirectAccess Setup window, under Step 2 – Remote Access Server, click Edit.
Click Next three times, and in the Authentication section select Two factor authentication and Use OTP, and ensure that Use computer certificates is checked. Verify that the root CA is set to CN=corp-APP1-CA. Click Next.
In the OTP RADIUS Server section, double-click the blank Server Name field.
In the Add a RADIUS Server dialog, type RSA in the Server name field. Click Change next to the Shared secret field, and type the same password that you used when configuring the RADIUS clients on the RSA server in the New secret and Confirm new secret fields. Click OK twice, and click Next.
If the RADIUS server is in a domain that is different from the Remote Access server's domain, then the Server Name field must specify the FQDN of the RADIUS server.
In the OTP CA Servers section select APP1.corp.contoso.com, and click Add. Click Next.
On the OTP Certificate Templates page click Browse to select a certificate template used for the enrollment of certificates that are issued for OTP authentication, and on the Certificate Templates dialog box select DAOTPLogon. Click OK. Click Browse to select a certificate template used to enroll the certificate used by the Remote Access server to sign OTP certificate enrollment requests, and on the Certificate Templates dialog box select DAOTPRA. Click OK. Click Next.
On the Remote Access Server Setup page click Finish, and click Finish on the DirectAccess Expert Wizard.
On the Remote Access Review dialog box click Apply, wait for the DirectAccess policy to be updated, and click Close.
On the Start screen, type powershell.exe, right-click powershell, click Advanced, and click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the Windows PowerShell window, type gpupdate /force and press ENTER.
Close and reopen the Remote Access Management Console and verify that all OTP settings are correct.
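The same OTP configuration and the final verification step, expressed with the RemoteAccess PowerShell module on EDGE1 (Windows Server 2012 R2). This is an added example, not part of the original lab guide; it assumes the RemoteAccess module cmdlets are available, that the prompted shared secret is the one you entered for the RADIUS client on the RSA server, and it uses the lab's CA, server and template names.

```powershell
# Added example (not from the lab guide): configure DirectAccess OTP on EDGE1
# with the RemoteAccess module, then check the result instead of eyeballing
# the console. Assumes the RSA RADIUS client secret is typed at the prompt.
Import-Module RemoteAccess

$Secure = Read-Host -AsSecureString 'RADIUS shared secret (same as on RSA)'
# Add-RemoteAccessRadius wants the secret as plain text; unwrap it only in memory.
$Bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# Register RSA Authentication Manager as the OTP RADIUS server (UDP 1812).
Add-RemoteAccessRadius -ServerName 'RSA' -SharedSecret $Plain -Purpose Otp -Port 1812

# Require two-factor user authentication (computer certificate + OTP) ...
Set-DAServer -UserAuthentication TwoFactor -Force
# ... and enable OTP with the lab's issuing CA and certificate templates.
Set-DAOtpAuthentication -Enable -CAServer 'APP1.corp.contoso.com\corp-APP1-CA' `
    -CertificateTemplateName 'DAOTPLogon' `
    -SigningCertificateTemplateName 'DAOTPRA' -Force

# Verification: compare the live settings with the intended lab state.
$otp    = Get-DAOtpAuthentication
$radius = Get-RemoteAccessRadius -Purpose Otp
$server = Get-DAServer
$problems = @()
if ($otp.OtpStatus -ne 'Enabled') {
    $problems += "OTP status is $($otp.OtpStatus)" }
if ($otp.CertificateTemplateName -ne 'DAOTPLogon') {
    $problems += "logon template is $($otp.CertificateTemplateName)" }
if ($otp.SigningCertificateTemplateName -ne 'DAOTPRA') {
    $problems += "signing template is $($otp.SigningCertificateTemplateName)" }
if ($otp.CAServers -notcontains 'APP1.corp.contoso.com\corp-APP1-CA') {
    $problems += "CA servers: $($otp.CAServers -join ', ')" }
if (-not ($radius | Where-Object ServerName -eq 'RSA')) {
    $problems += 'no OTP RADIUS server named RSA is registered' }
if ($server.UserAuthentication -ne 'TwoFactor') {
    $problems += "user authentication is $($server.UserAuthentication)" }

if ($problems) {
    Write-Error ("OTP configuration check failed:`n - " + ($problems -join "`n - "))
} else {
    Write-Host 'OTP configuration matches the lab settings.'
}
```

Run it in an elevated PowerShell window on EDGE1 after the gpupdate step; any mismatch it reports points at the wizard page to revisit.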