LastPass Enterprise supports RSA SecurID as a second factor of authentication for user access to a LastPass Enterprise account. Because a SecurID passcode is a one-time value, a second factor protects the vault against reuse of a captured or stolen master password and against credential-stuffing with leaked passwords. It does not by itself defeat an attacker who relays the passcode in real time (a live man-in-the-middle or phishing proxy), so it should be combined with the trust and IP-restriction policies described later in this document.
Setting up RSA SecurID with LastPass Enterprise
Once enabled, the user is prompted first for their LastPass master username and password, and then for their RSA SecurID passcode. As with all LastPass multifactor options, users can 'trust' specific devices so that the second-factor prompt is skipped on those devices, trading some assurance for convenience. If you prefer to disable the trust option, this can be done using the configurable LastPass Security Policies.
Agent Host Configuration
To facilitate communication between LastPass Enterprise and the RSA Authentication Manager / RSA SecurID Appliance, an agent host record must be added to the RSA Authentication Manager database. The agent host record identifies LastPass Enterprise and contains information about communication and encryption. Set the Agent Type to “Standard Agent” when adding the authentication agent.
Since LastPass will be communicating with RSA Authentication Manager via RADIUS, a RADIUS client that corresponds to the agent host record must be created in the RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console.
The following information is required to create a RADIUS client:
- IP Addresses for network interfaces
- RADIUS Secret
Note: The RADIUS client’s hostname must resolve to the IP address specified.
LastPass Enterprise runs on many similarly configured servers. Because RSA Authentication Manager identifies a RADIUS client by the source IP address of its requests, administrators will need an agent host record and/or RADIUS client for each LastPass Enterprise server that can send requests. There are a few ways to achieve this; they trade administrative effort against how precisely the RSA Authentication Manager can tell which LastPass server sent a given request. These options are:
- Configure an agent host record and corresponding RADIUS client for each LastPass Enterprise server.
- Configure an agent host record for each LastPass Enterprise server with a shared RADIUS client.
- Configure a shared RADIUS client that does not use an agent host record. (Global change)
Note: Refer to RSA Authentication Manager Administrators Guide for information on configuring shared RADIUS clients.
Configuring RSA SecurID within the LastPass Admin Console
This section provides instructions for configuring LastPass Enterprise with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All LastPass Enterprise components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.
Configure LastPass Enterprise for RSA SecurID Authentication
1. While logged into your LastPass Enterprise Admin Console, click Advanced Options > Enterprise Options > RSA SecurID/RADIUS. You can also go directly to https://lastpass.com/enterprise_options.php#securid
2. Enter the IP addresses of the RADIUS servers used by your RSA SecurID implementation.
3. Enter the RADIUS shared secret. This must be the same value configured on the RADIUS client record in the RSA Security Console.
4. Click "Update" to save the values to your LastPass Enterprise account.
5. Your users will now be able to enable RSA SecurID as a multifactor authentication option within Account Settings.
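To make concrete what the RADIUS shared secret and the per-server client entries configured above actually do, here is an added example written for this page (it is not LastPass or RSA code). It walks through one RFC 2865 exchange: the "LastPass server" side builds an Access-Request carrying the user's SecurID passcode masked with the shared secret, the "RSA Authentication Manager" side looks the client up by source IP, decodes the passcode and replies, and the client then checks the reply's Response Authenticator. The client table, IP addresses, secret, user and accepted passcode are all constructed; a real Authentication Manager validates the tokencode itself.

```python
"""Constructed RADIUS Access-Request / Access-Accept exchange (RFC 2865).
Both sides are simulated in one process; nothing is sent on the network."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Constructed stand-ins for the RSA Security Console's RADIUS client list and for
# token validation (a real RSA AM checks the tokencode; here one fixed passcode is accepted).
CLIENTS = {"203.0.113.10": b"constructed-shared-secret"}
PASSCODES = {"alice@example.com": "159357"}


def _attr(atype, value):
    """Type-Length-Value attribute; the length byte covers the type and length bytes too."""
    return bytes([atype, len(value) + 2]) + value


def _header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator


def encode_user_password(password, secret, req_auth):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(blob, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], mask))
        prev = blob[i:i + 16]
    # A mismatched secret yields random bytes, hence errors="replace" rather than an exception.
    return out.rstrip(b"\x00").decode(errors="replace")


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to one
    specific request and to a party that holds the shared secret."""
    return hashlib.md5(_header(code, ident, 20 + len(attrs), req_auth) + attrs + secret).digest()


def build_access_request(ident, username, passcode, secret, nas_ip):
    """Client (LastPass server) side."""
    req_auth = secrets.token_bytes(16)  # fresh Request Authenticator for every request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(passcode, secret, req_auth))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return _header(ACCESS_REQUEST, ident, 20 + len(attrs), req_auth) + attrs


def handle_access_request(pkt, src_ip, clients, check_passcode):
    """Server (RSA Authentication Manager) side. The client and its secret are selected by
    the datagram's source IP, which is why every LastPass server IP needs a client entry."""
    secret = clients.get(src_ip)
    if secret is None:
        return None  # unknown client: RFC 2865 says silently discard
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth = pkt[4:20]
    attrs = parse_attrs(pkt[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    passcode = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    reply_code = ACCESS_ACCEPT if check_passcode(user, passcode) else ACCESS_REJECT
    return _header(reply_code, ident, 20,
                   response_authenticator(reply_code, ident, req_auth, b"", secret))


def verify_response(resp, request, secret):
    """Client side: trust the reply only if its identifier matches our request and its
    Response Authenticator was computed with our secret over our Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = response_authenticator(code, ident, request[4:20], resp[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, resp[4:20])


def run_exchange(client_secret, nas_ip="203.0.113.10", user="alice@example.com", passcode="159357"):
    """Returns (accepted, reply_verified); accepted is None when the server dropped the request."""
    request = build_access_request(7, user, passcode, client_secret, nas_ip)
    reply = handle_access_request(request, nas_ip, CLIENTS, lambda u, p: PASSCODES.get(u) == p)
    if reply is None:
        return None, False
    return reply[0] == ACCESS_ACCEPT, verify_response(reply, request, client_secret)


if __name__ == "__main__":
    print(run_exchange(b"constructed-shared-secret"))                        # (True, True)
    print(run_exchange(b"constructed-shared-secret", passcode="000000"))     # (False, True)
    print(run_exchange(b"wrong-secret"))                                     # (False, False)
    print(run_exchange(b"constructed-shared-secret", nas_ip="198.51.100.5")) # (None, False)
```

Three things follow from the exchange. A wrong secret on either side produces a Reject whose authenticator the client cannot verify, so a LastPass-side misconfiguration surfaces as "every login fails" rather than as an error message. A request from an IP with no client entry is dropped without any reply at all, which is the symptom to look for when a LastPass server was missed under the per-server options above. And the passcode is only masked with MD5 of the secret, so use a long random secret, do not reuse it across unrelated RADIUS clients, and keep the LastPass-to-RSA RADIUS path off untrusted networks.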
End User Settings
Once the connection has been configured, your users can enable RSA SecurID on their accounts by clicking on the LastPass Plug-in -> Preferences -> Account Settings -> Multifactor Options, and then selecting 'RSA SecurID'.
RSA SecurID Login Screens
Enforcing the Use of RSA by Your Employees through LastPass Policies
With LastPass Enterprise you can leave the 2nd factor decision up to your end users, or you can mandate its use with our configurable Security Policies. To access these policies, click on the LastPass Plug-in, select ‘Admin Console’ – > Settings -> Policies. Here are some policies that you might consider implementing relative to RSA SecurID:
Require use of RSA SecurID
Require use of RSA SecurID as a second factor of authentication when logging into LastPass. Click the 'enabled' box to enable this policy. Note that this policy requires each affected user to have already enabled RSA SecurID on their own account.
Require use of any multifactor option
Require use of any multifactor option as a second factor of authentication when logging into LastPass. Click the ‘enabled’ box to enable this policy. YubiKey, LastPass Sesame, Google Authenticator, Toopher, Duo Security, Transakt, Salesforce#, and RSA SecurID are the currently available options.
Restrict Multifactor Trust
Restrict the computers that can be trusted, by IP address (learn more about 'trusted computers' here: https://helpdesk.lastpass.com/account-settings/trusted-computers/). You can enable this policy to allow users to skip second-factor authentication from trusted locations (such as the office) while still requiring it from remote locations. Trust granted this way is only as strong as your control over the listed address ranges, so keep them to networks you administer.
Any of the aforementioned policies can be applied to all users in the account or to a subset of them.
Certification Test Checklist for RSA Authentication Manager