Requiring token authentication for specific groups or local users

RSA supports the ability to require RSA token authentication for specific groups of users. This feature is supported when using Centrify Authentication Service. You can specify Active Directory groups as the required group. Local groups work as well.

You can also configure the agent so that specific groups are not prompted to authenticate with the RSA SecurID token. Group members excluded from SecurID authentication can authenticate using UNIX credentials or by way of another PAM module; you can configure this

Note:   The ability to require RSA SecurID token authentication for specific groups does not work with AIX. There is a bug in the AIX OS that prevents the SecurID agent from iterating Active Directory groups.

Note:   Be sure to exclude any users that you do not want to authenticate with the RSA SecurID token. Once you've enabled users or groups for token authentication, all users will be challenged for a token, even those who were never assigned one. This situation can cause some users to be locked out of the computer that they're trying to log in to. When you are testing this functionality, it's a good practice to exclude the root user to avoid any complications.

To require SecurID token authentication for specific groups or users:

  1. Edit the sd_pam.conf file and add the following lines:

    #VAR_ACE :: the location where the sdconf.rec, sdstatus.12 and securid files will go
    VAR_ACE=/opt/RSA
  2. To require specific groups to authenticate using the RSA token, first enable group support by setting the ENABLE_GROUP_SUPPORT parameter to 1, as shown below:

    #ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
    ENABLE_GROUP_SUPPORT=1
  3. To specify the list of groups that will use the RSA token, include them in the LIST_OF_GROUPS parameter, as shown below:

    #LIST_OF_GROUPS :: a list of groups to include or exclude...Example
    #LIST_OF_GROUPS=other:wheel:eng:othergroupnames
    LIST_OF_GROUPS=sampleadgroup
  4. To control whether the listed groups are included in or excluded from RSA token authentication, set the INCL_EXCL_GROUPS parameter (1 to always prompt the listed groups, 0 to never prompt them), as shown below:

    #INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid
    # authentication (include)
    # :: 0 to never prompt the listed groups for securid
    # authentication (exclude)
    INCL_EXCL_GROUPS=1
  5. (Optional) To configure what happens when an excluded user tries to authenticate, modify the PAM_IGNORE_SUPPORT parameter, as shown below:

    #PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID
    # authenticated due to their group membership
    # :: 0 to UNIX authenticate a user that is not SecurID
    # authenticated due to their group membership
    PAM_IGNORE_SUPPORT=1
  6. To require specific users to authenticate using the RSA token, first enable user support by setting the ENABLE_USERS_SUPPORT parameter to 1, as shown below:

    #ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
    ENABLE_USERS_SUPPORT=1
  7. To specify the list of users that will use the RSA token, include them in the LIST_OF_USERS parameter, as shown below:

    #LIST_OF_USERS :: a list of users to include or exclude...Example
    LIST_OF_USERS=localuser1:aduser2
  8. To control whether the listed users are included in or excluded from RSA token authentication, set the INCL_EXCL_USERS parameter (1 to always prompt the listed users, 0 to never prompt them), as shown below:

    #INCL_EXCL_USERS :: 1 to always prompt the listed users for securid
    # authentication (include)
    # :: 0 to never prompt the listed users for securid
    # authentication (exclude)
    INCL_EXCL_USERS=1
  9. (Optional) To configure what happens when an excluded user tries to authenticate, modify the PAM_IGNORE_SUPPORT_FOR_USERS parameter.
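The following script is an added example, not code from RSA or Centrify: it parses an sd_pam.conf fragment built from the parameters above and reports which path (SecurID prompt, PAM_IGNORE, or UNIX fallback) a given user would take, so the include/exclude rules can be checked against accounts such as root before anyone is locked out. It assumes that a user selected by either the user rule or the group rule is prompted for a token, that PAM_IGNORE_SUPPORT_FOR_USERS takes the same 0/1 values as PAM_IGNORE_SUPPORT, and that the user rule is consulted before the group rule when deciding the fallback.

```python
"""Evaluate the decision an sd_pam.conf policy makes for a user.
Added example, not the RSA agent's own logic; assumption: a user selected
by either the user rule or the group rule is prompted for a token, and the
fallback follows the PAM_IGNORE setting of the rule that excluded them."""

# Constructed sd_pam.conf fragment using the parameters shown above.
SAMPLE_CONF = """
ENABLE_GROUP_SUPPORT=1
LIST_OF_GROUPS=sampleadgroup:wheel
INCL_EXCL_GROUPS=1
PAM_IGNORE_SUPPORT=1
ENABLE_USERS_SUPPORT=1
LIST_OF_USERS=localuser1:aduser2
INCL_EXCL_USERS=1
PAM_IGNORE_SUPPORT_FOR_USERS=0
"""

def parse_sd_pam_conf(text):
    """Parse KEY=VALUE lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def _rule(conf, enable_key, list_key, incl_key, names):
    """True/False if this rule selects the user for SecurID, None if disabled."""
    if conf.get(enable_key, "0") != "1":
        return None
    listed = set(filter(None, conf.get(list_key, "").split(":")))
    matched = bool(listed & set(names))
    # INCL_EXCL=1: only listed names are prompted; 0: everyone except them.
    return matched if conf.get(incl_key, "1") == "1" else not matched

def securid_decision(conf, user, groups):
    """Return 'securid', 'pam_ignore' or 'unix' for user with these groups."""
    by_user = _rule(conf, "ENABLE_USERS_SUPPORT", "LIST_OF_USERS",
                    "INCL_EXCL_USERS", [user])
    by_group = _rule(conf, "ENABLE_GROUP_SUPPORT", "LIST_OF_GROUPS",
                     "INCL_EXCL_GROUPS", groups)
    if by_user or by_group or (by_user is None and by_group is None):
        return "securid"  # selected, or no filtering configured at all
    # Not selected: PAM_IGNORE hands off to the next PAM module (assumed to
    # be checked user rule first); otherwise fall back to UNIX credentials.
    ignore_key = ("PAM_IGNORE_SUPPORT_FOR_USERS" if by_user is False
                  else "PAM_IGNORE_SUPPORT")
    return "pam_ignore" if conf.get(ignore_key, "0") == "1" else "unix"
```

Run it against your real file with `parse_sd_pam_conf(open("/etc/sd_pam.conf").read())` (path assumed) and check that `securid_decision(conf, "root", ["root"])` is not `"securid"` before testing on a live host.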

You can also consult the RSA SecurID documentation for more details about configuring token authentication for groups, users, excluding users, and so forth. There are more configurations available than are presented in this document.