Integrate RSA SecurID with my LastPass Business account

LastPass Business supports RSA SecurID integration, which allows your users to utilize RSA SecurID as their second factor of authentication when they log in to LastPass.

Note: The steps outlined below must be performed by an admin of both the integration tool and LastPass Business.

Limitations and compatibility

RSA Authentication Manager Features	Supported in LastPass Business?
RSA SecurID Authentication via Native RSA SecurID UDP Protocol	No
RSA SecurID Authentication via Native RSA SecurID TCP Protocol	No
RSA SecurID Authentication via RADIUS Protocol	Yes
RSA SecurID Authentication via IPv6	No
On-Demand Authentication via Native SecurID UDP Protocol	No
On-Demand Authentication via Native SecurID TCP Protocol	No
Risk-Based Authentication	No
RSA Authentication Manager Replica Support	Yes
Secondary RADIUS Server Support	Yes
RSA SecurID Software Token Automation	No
RSA SecurID SD800 Token Automation	No
RSA SecurID Protection of Administrative Interface	No

Prerequisites for setup

Before you start, ensure you have the following in place:

RSA SecurID account
LastPass Business account

Step #1: Set up a RADIUS client and obtain RSA SecurID integration info

LastPass Business supports RSA SecurID authentication via RADIUS, enabling you to set RSA SecurID as a multifactor authentication option for your users. For this, you must first set up a RADIUS client in your RSA Authentication Manager and obtain some RSA SecurID information.

Add an agent host record to the RSA Authentication Manager database. Set the Agent Type to “Standard Agent” when adding the authentication agent.
This is required to facilitate communication between LastPass Business and the RSA Authentication Manager / RSA SecurID Appliance. The agent host record identifies LastPass Business and contains information about communication and encryption.
Create a RADIUS client that corresponds to the agent host record in the RSA Authentication Manager. Follow the instructions to set up a RADIUS client.
This is required because LastPass will be communicating with RSA Authentication Manager via RADIUS.

RADIUS clients are managed using the RSA Security Console.

The following information is required to create a RADIUS client:
- Hostname
- IP addresses for network interfaces
- RADIUS Secret
Note: The RADIUS client’s hostname must resolve to the IP address specified.

Since RSA Authentication Manager does not let you specify multiple IP addresses for a RADIUS client, we recommend using the "ANY Client" option, and using a separate firewall to restrict connections to the necessary IP addresses. If you use the "ANY Client" option, you also need to edit the securid.ini file and change CheckUserAllowedByClient from 1 to 0. This RADIUS client must be accessible from all LastPass server IP addresses.
RSA Authentication Manager administrators need to configure agent host records and/or RADIUS clients for each LastPass Business server.
This is required because LastPass Business employs a distributed architecture which encompasses many similarly configured servers.

There are a few different methods that can be applied with varying amounts of administrative effort. These options are:
- Configure an agent host record and corresponding RADIUS client for each LastPass Business server.
- Configure an agent host record for each LastPass Business server with a shared RADIUS client.
- Configure a shared RADIUS client that does not use an agent host record (Global change).
Note: Refer to RSA Authentication Manager Administrators Guide for information on configuring shared RADIUS clients.
Copy the following values and save them to a text editor:
- RADIUS Server IP addresses
  Note: Separate multiple IP addresses with commas, append ':port' if not 1812 (e.g. 216.162.248.81,216.162.248.82:1645)
- RADIUS Shared Secret
- RADIUS Timeout (seconds)
- Failure Message

Step #2: Set up RSA SecurID via RADIUS integration in LastPass Business

In order to set RSA SecurID as a multifactor authentication option for your users, after having set up a RADIUS client, you are required to set up RSA SecurID integration in LastPass Business itself.

Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
Go to Advanced > Enterprise Options > Multifactor options > RSA SecurID/RADIUS.
Enter the following information that you obtained in Step #1 above:
- RADIUS Server IP addresses
  Note: Separate multiple IP addresses with commas, append ':port' if not 1812 (e.g. 216.162.248.81,216.162.248.82:1645)
- RADIUS Shared Secret
- RADIUS Timeout (seconds)
- Failure Message
RADIUS can also be used to support other Multifactor Authentication options besides RSA Secure ID (e.g., SafeNet). If you would like to customize the name and logos that your users will see, do the following:
- Enter a "Service Name"
- Upload logo 1 (124x124 PNG)
- Upload logo 2 (190x42 PNG)
Click Update when finished.

Step #3: Enable RSA SecurID as a multifactor option

Before your users can set up RSA SecurID at their end as an added layer of security to protect their LastPass account, you need to enable RSA SecurID as a multifactor authentication option in LastPass Business.

From within the Admin Console, go to Advanced > Enterprise Options > Multifactor options.
Under Enabled Multifactor Options, toggle on the switch for the RSA SecurID/RADIUS option.

Step #4: Add and configure a Multifactor Authentication policy

With LastPass Business, you can leave the multifactor authentication decision up to your end users, or you can mandate its use with our configurable security policies. Add a policy to require your users to use a multifactor authentication solution.

In the new Admin Console, go to Policies > General policies.
Under the Password multifactor policy category, select Require use of any MFA option.
Select your desired user list for which this policy should be applied.
Optional: In the Settings field, enter notes for additional information about this policy.
Select Enabled in the Status field.
Select Save changes when finished.

What to do next: Consider adding the Allow users to skip MFA at trusted locations policy. This policy allows for the restricting of computers that can be trusted by IP address. You can enable this policy to allow users to skip second factor authentication from trusted locations (such as the office) but still require it from remote locations.

Step #5: Advise your users to set up RSA SecurID Multifactor Authentication

Once you have completed the steps above, your users can set up and enable RSA SecurID Multifactor Authentication for their LastPass Business account.

Important note about the removal of users enabled with RSA SecurID/RADIUS

The RSA SecurID/RADIUS integration is associated with your LastPass Business account. If you remove users from your company account without first disabling RSA SecurID/RADIUS as their multifactor authentication option, those users may become locked out of their LastPass account (if it is converted to a LastPass Free account) once removed. For this reason, we recommend disabling the RSA SecurID/RADIUS for users you plan to remove.

Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
Select Users in the navigation pane.
Check the boxes next to your desired users.

Tip: To sort by users enabled with RSA SecurID/RADIUS, click the Multifactor column header row for the users table.
Select More actions > Disable multifactor for selected users.
Click OK to confirm.

Results: You have disabled RSA SecurID/RADIUS for your selected users, and you can now safely remove those users from your company account without risk of locking them out (if their accounts convert to LastPass Free accounts).