Example: using SecurID authentication with the Forcepoint VPN Client

This example shows a general overview of using SecurID authentication for the Forcepoint VPN Client.

For more information about using SecurID authentication, see the RSA documentation at https://www.rsa.com.

Company C is about to introduce remote Forcepoint VPN Client access to its network. The administrators decide to add one-time passwords from SecurID cards, using their existing RSA Authentication Manager server, which already shares user information with the company’s LDAP server.

Figure: Company C's authentication scheme



The administrators:
  1. Create an Agent Host record for the Firewall in the RSA Authentication Manager server.
  2. Configure a mobile VPN in the Management Client with the default Hybrid Authentication selected as the authentication method for connecting clients.
    • Hybrid authentication is available for the Forcepoint VPN Client. Hybrid authentication requires the VPN Gateway (the firewall) to authenticate users using a certificate. The users must provide the correct User Name/Password combination (validated by the RSA Authentication Manager server in this case).
  3. Create a RADIUS Authentication Server element.
  4. Create a custom Authentication Method element for the server, named “SecurID.”
  5. Add the “SecurID” Authentication Method in the correct User and User Group elements (stored on the existing external LDAP server).
  6. Add Access rules with both an authentication and a VPN requirement defined as shown here:
    Table 1. Example Access rule for SecurID authentication
    | Source | Destination | Authentication | Action |
    |---|---|---|---|
    | The virtual IP address range used on the virtual adapters of the Forcepoint VPN Client. | IP addresses of network services that require authentication. | User or User Group elements. Require authentication with “SecurID” Authentication Method. | Allow, with the VPN Action option set to Enforce VPN. |