HELP FILE

How do I integrate RSA SecurID with my LastPass Business account?

    LastPass Business supports RSA SecurID integration, which allows your users to utilize RSA SecurID as their second factor of authentication when they log in to LastPass.

    Note: The steps outlined below must be performed by an admin of both the integration tool and LastPass Business.

    Limitations and compatibility

    RSA Authentication Manager feature                                Supported in LastPass Business?
    ----------------------------------------------------------------  -------------------------------
    RSA SecurID Authentication via Native RSA SecurID UDP Protocol    No
    RSA SecurID Authentication via Native RSA SecurID TCP Protocol    No
    RSA SecurID Authentication via RADIUS Protocol                    Yes
    RSA SecurID Authentication via IPv6                               No
    On-Demand Authentication via Native SecurID UDP Protocol          No
    On-Demand Authentication via Native SecurID TCP Protocol          No
    Risk-Based Authentication                                         No
    RSA Authentication Manager Replica Support                        Yes
    Secondary RADIUS Server Support                                   Yes
    RSA SecurID Software Token Automation                             No
    RSA SecurID SD800 Token Automation                                No
    RSA SecurID Protection of Administrative Interface                No

    Prerequisites for setup

    Before you start, ensure you have the following in place:

    • RSA SecurID account
    • LastPass Business account

    Step #1: Set up a RADIUS client and obtain RSA SecurID integration info

    LastPass Business supports RSA SecurID authentication via RADIUS, enabling you to set RSA SecurID as a multifactor authentication option for your users. For this, you must first set up a RADIUS client in your RSA Authentication Manager and obtain some RSA SecurID information.

    1. Add an agent host record to the RSA Authentication Manager database. Set the Agent Type to “Standard Agent” when adding the authentication agent.

      This is required to facilitate communication between LastPass Business and the RSA Authentication Manager / RSA SecurID Appliance. The agent host record identifies LastPass Business and contains information about communication and encryption.

    2. Create a RADIUS client that corresponds to the agent host record in the RSA Authentication Manager. Follow the instructions to set up a RADIUS client.

      This is required because LastPass will be communicating with RSA Authentication Manager via RADIUS.

      RADIUS clients are managed using the RSA Security Console.

      The following information is required to create a RADIUS client:

      • Hostname
      • IP addresses for network interfaces
      • RADIUS Secret
      Note:  The RADIUS client’s hostname must resolve to the IP address specified.

      Since RSA Authentication Manager does not let you specify multiple IP addresses for a RADIUS client, we recommend using the "ANY Client" option, and using a separate firewall to restrict connections to the necessary IP addresses. If you use the "ANY Client" option, you also need to edit the securid.ini file and change CheckUserAllowedByClient from 1 to 0. This RADIUS client must be accessible from all LastPass server IP addresses.

    3. RSA Authentication Manager administrators need to configure agent host records and/or RADIUS clients for each LastPass Business server.

      This is required because LastPass Business employs a distributed architecture which encompasses many similarly configured servers.

      There are a few different methods that can be applied with varying amounts of administrative effort. These options are:

      • Configure an agent host record and corresponding RADIUS client for each LastPass Business server.
      • Configure an agent host record for each LastPass Business server with a shared RADIUS client.
      • Configure a shared RADIUS client that does not use an agent host record (Global change).
      Note:  Refer to RSA Authentication Manager Administrators Guide for information on configuring shared RADIUS clients.

    4. Copy the following values and save them to a text editor:

      • RADIUS Server IP addresses
        Note:  Separate multiple IP addresses with commas, append ':port' if not 1812 (e.g. 216.162.248.81,216.162.248.82:1645)
      • RADIUS Shared Secret
      • RADIUS Timeout (seconds)
      • Failure Message

    Step #2: Set up RSA SecurID via RADIUS integration in LastPass Business

    In order to set RSA SecurID as a multifactor authentication option for your users, after having set up a RADIUS client, you are required to set up RSA SecurID integration in LastPass Business itself.

    1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
    2. Go to Advanced Options > Business Options > Multifactor options > RSA SecurID/RADIUS.
    3. Enter the following information that you obtained in Step #1 above:

      • RADIUS Server IP addresses
        Note:  Separate multiple IP addresses with commas, append ':port' if not 1812 (e.g. 216.162.248.81,216.162.248.82:1645)
      • RADIUS Shared Secret
      • RADIUS Timeout (seconds)
      • Failure Message

      RADIUS can also be used to support other Multifactor Authentication options besides RSA SecurID (e.g., SafeNet). If you would like to customize the name and logos that your users will see, do the following:

      • Enter a "Service Name"
      • Upload logo 1 (124x124 PNG)
      • Upload logo 2 (190x42 PNG)

    4. Click Update when finished.
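    The "RADIUS Server IP addresses" field in Step #1 and Step #2 uses a small format of its own: comma-separated IPv4 addresses, each with an optional ':port' suffix that defaults to 1812. The following is an added example (not LastPass or RSA code) that validates a value before it is pasted into the Admin Console, rejecting stray commas, bad ports and IPv6 addresses (which the compatibility table above lists as unsupported); the function names are the author's own.

```python
import ipaddress

DEFAULT_RADIUS_PORT = 1812  # default port named in the help text


def parse_radius_servers(field: str) -> list[tuple[str, int]]:
    """Parse the 'RADIUS Server IP addresses' field into (ip, port) pairs.

    Entries are comma-separated; each is an IPv4 address with an optional
    ':port' suffix. A missing port means 1812. IPv6 is rejected because the
    integration does not support it.
    """
    servers = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty server entry (stray comma?)")
        if entry.count(":") > 1:
            raise ValueError(f"{entry!r}: IPv6 is not supported for this integration")
        host, sep, port_text = entry.partition(":")
        host, port_text = host.strip(), port_text.strip()
        if sep:
            if not port_text.isdigit():
                raise ValueError(f"non-numeric port in {entry!r}")
            port = int(port_text)
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range in {entry!r}")
        else:
            port = DEFAULT_RADIUS_PORT
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            raise ValueError(f"{host!r} is not a valid IP address") from None
        if addr.version != 4:
            raise ValueError(f"{host!r}: IPv6 is not supported for this integration")
        servers.append((str(addr), port))
    return servers


def format_radius_servers(servers: list[tuple[str, int]]) -> str:
    """Render (ip, port) pairs back into the field format, omitting ':1812'."""
    return ",".join(
        ip if port == DEFAULT_RADIUS_PORT else f"{ip}:{port}" for ip, port in servers
    )


if __name__ == "__main__":
    # Constructed sample value, taken from the example in the help text.
    parsed = parse_radius_servers("216.162.248.81,216.162.248.82:1645")
    print(parsed)                        # [('216.162.248.81', 1812), ('216.162.248.82', 1645)]
    print(format_radius_servers(parsed))  # 216.162.248.81,216.162.248.82:1645
```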

    Step #3: Enable RSA SecurID as a multifactor option

    Before your users can set up RSA SecurID at their end as an added layer of security to protect their LastPass account, you need to enable RSA SecurID as a multifactor authentication option in LastPass Business.

    1. From within the Admin Console, go to Advanced Options > Business Options > Multifactor options.
    2. Under Enabled Multifactor Options, toggle on the switch for the RSA SecurID/RADIUS option.

    Step #4: Add and configure a Multifactor Authentication policy

    With LastPass Business, you can leave the multifactor authentication decision up to your end users, or you can mandate its use with our configurable security policies. Add a policy to require your users to use a multifactor authentication solution.

    1. From within the Admin Console, go to Settings > Policies in the navigation pane.
    2. Click Add Policy.
    3. Under Multifactor, select Require use of any multifactor option.
    4. Select your desired user list for which this policy should be applied. 
    5. Enter notes for additional information about this policy (optional).
    6. Click Save when finished.

    What to do next: Consider adding the Allow users to skip MFA at trusted locations policy. This policy lets you restrict, by IP address, which computers are trusted. You can enable it to allow users to skip second factor authentication from trusted locations (such as the office) while still requiring it from remote locations.

    Step #5: Advise your users to set up RSA SecurID Multifactor Authentication

    Once you have completed the steps above, your users can set up and enable RSA SecurID Multifactor Authentication for their LastPass Business account.

    Important note about the removal of users enabled with RSA SecurID/RADIUS

    The RSA SecurID/RADIUS integration is associated with your LastPass Business account. If you remove users from your company account without first disabling RSA SecurID/RADIUS as their multifactor authentication option, those users may become locked out of their LastPass account (if it is converted to a LastPass Free account) once removed. For this reason, we recommend disabling RSA SecurID/RADIUS for users you plan to remove.

    1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
    2. Select Users in the navigation pane.
    3. Check the boxes next to your desired users.

      Tip: To sort by users enabled with RSA SecurID/RADIUS, click the Multifactor column header row for the users table.

    4. Select More actions > Disable multifactor for selected users.
    5. Click OK to confirm.

    You have disabled RSA SecurID/RADIUS for your selected users, and you can now safely remove those users from your company account without risk of locking them out (if their accounts convert to LastPass Free accounts).