SPS RSA plugin parameter reference
This section describes the available options of the SPS RSA plugin.
The plugin uses an ini-style configuration file with sections and name=value pairs. This format consists of sections, led by a [section] header and followed by name=value entries. Note that the leading whitespace is removed from values. The values can contain format strings, which refer to other values in the same section. For example, the following section would resolve the %(dir)s value to the value of the dir entry (/var in this case).
[section name] dirname=%(dir)s/mydirectory dir=/var
All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.
You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.
[rsa]
server=<radius.example.com>
# Do NOT use secret in production
; secret=<RADIUS-shared-secret>
port=1812
auth_type=chap
timeout=10
retries=3
[plugin]
config_version=1
log_level=info
cred_store=<name-of-credstore-storing-sensitive-data>
[auth]
prompt=Hit Enter to send RSA push notification or provide the OTP:
whitelist=name-of-a-userlist
[username_transform]
append_domain=""
[ldap]
ldap_server_config=<SPS-LDAP-server-policy-name>
filter=(&(samAccountName={})(objectClass=user))
user_attribute=mail
[cache]
soft_timeout=15
hard_timeout=90
conn_limit=5
[question_1]
key=<name-of-name-value-pair>
prompt=<the-question-itself-in-text>
disable_echo=No
[question_2]...
[rsa]
This section contains the options related to your RSA account.
[rsa] server=<radius.example.com> # Do NOT use secret in production ; secret=<RADIUS-shared-secret> port=1812 auth_type=chap timeout=10 retries=3
server
| Type: | string |
| Required: | yes |
| Default: | N/A |
Description: The name of your RSA SecurID server, where the RADIUS interface is available.
secret
| Type: | string |
| Required: | yes |
| Default: | N/A |
|
|
Caution:
This parameter contains sensitive data. Make sure to store this data in your local Credential Store. Type the $ value for this parameter in production. For details, see "Store sensitive plugin data securely". Only enter a value different than $ for this parameter in the configuration for testing purposes in a secure, non-production environment. |
Description: Your RADIUS shared secret. SPS uses this to communicate with the RADIUS server. For details on using a local Credential Store to host this data, read Store sensitive plugin data securely.
port
| Type: | integer |
| Required: | no |
| Default: | 1812 |
Description: The port where the RADIUS server is listening for access requests.
auth_type
| Type: | string (chap | pap) |
| Required: | no |
| Default: | chap |
Description: RADIUS authentication type.
-
chap: CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following process establishes a user identity:
-
After the link between the user machine and the authenticating server is established, the server sends a challenge message to the connection requester. The requester responds with a value obtained by using a one-way hash function.
-
The server checks the response by comparing it against its own calculation of the expected hash value.
-
If the values match, the authentication is acknowledged, otherwise the connection is terminated.
At any time, the server can request the connected party to send a new challenge message. CHAP identifiers are changed frequently and the server can make an authentication request at any time.
-
-
pap: The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a two-way handshake. PAP only executes this process when establishing the initial link to the authenticating server. A user machine repeatedly sends an ID/Password pair to the authenticating server until authentication is acknowledged or the connection is terminated.
Use PAP authentication where a plain text password must be available to simulate a login at a remote host. This method provides a similar level of security to the usual user login at the remote host.
timeout
| Type: | integer [seconds] |
| Required: | no |
| Default: | 10 |
Description: How long the RADIUS server waits to respond.
retries
| Type: | integer |
| Required: | no |
| Default: | 3 |
Description: The number of times authentication is retried.
[plugin]
This section contains general plugin-related settings.
[plugin] config_version=1 log_level=20 cred_store=<name-of-credstore-hosting-sensitive-data>
config_version
| Type: | integer |
| Required: | yes |
| Default: | 1 |
Description: The version number of the configuration format. This is used to enable potentially incompatible changes in the future. If provided, the configuration will not be upgraded automatically. If not provided, the configuration will be upgraded automatically.
cred_store
| Type: | string |
| Required: | no |
| Default: | N/A |
Description: The name of a local credential store policy configured on SPS. You can use this credential store to store sensitive information of the plugin in a secure way, for example, the ikey/skey values in the [rsa] section. For details, see Store sensitive plugin data securely.
log_level
| Type: | integer or string |
| Required: | no |
| Default: | info |
Description: The logging verbosity of the plugin. The plugin sends the generated log messages to the SPS syslog system. You can check the log messages in the Basic settings > Troubleshooting > View log files section of the SPS web interface. Filter on the plugin: string to show only the messages generated by the plugins.
The possible values are:
-
debug or 10
-
info or 20
-
warning or 30
-
error or 40
-
critical or 50
For details, see Python logging API's log levels: Logging Levels.
[auth]
This section contains the options related to authentication.
[auth] prompt=Hit Enter to send RSA push notification or provide the OTP: whitelist=name-of-a-userlist
prompt
| Type: | string |
| Required: | no |
| Default: | Hit Enter to send push notification or provide the OTP: |
Description: SPS displays this text to the user in a terminal connection to request an OTP interactively. The text is displayed only if the user uses an OTP-like factor, and does not send the OTP in the connection request.
prompt="Hit Enter to send RSA push notification or provide the OTP:"
whitelist
| Type: | string |
| Required: | no |
| Default: | N/A |
Description: The name of a user list containing gateway users configured on SPS (Policies > User Lists). You can use this option to selectively require multi-factor authentication for your users, for example, to create break-glass access for specific users.
-
If you set the Default Policy of the user list to Reject, then the list is a whitelist, so the plugin will not request RSA authentication from the users on the list.
-
If you set the Default Policy of the user list to Accept, then the list is a blacklist, so the plugin will request RSA authentication only from the users on the list.
For details on creating user lists, see "Creating and editing user lists" in the Administration Guide.