• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

CMAK and RSA SecurID

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> CMAK and RSA SecurID Page: [1]
Login
Message << Older Topic   Newer Topic >>
CMAK and RSA SecurID - 23.Feb.2006 3:25:55 AM   
jerrice

 

Posts: 28
Joined: 9.Dec.2005
Status: offline
Has anyone tried to create a reasonable installer with CMAK that works with RSA SecurID?  The issue is that the CMAK creates a connection requiring Username and Password, but then the following RSA SecurID prompt also requires username and password.  entering the correct username/password on the first screen (actually, username/passcode) doesn't transfer to the second screen.  Either it needs to transfer it, or it should not ask for it on the first screen.

Has anyone solved this?  If not, how would you suggest deploying clients?  I'd really like to get this down to a single installer rather than 2, plus filling out everything I can all automated-like...

Thanks...

_____________________________

-Jerry
Post #: 1
RE: CMAK and RSA SecurID - 23.Feb.2006 6:14:43 PM   
jerrice

 

Posts: 28
Joined: 9.Dec.2005
Status: offline
I got part of this figured out.  I'll document it here in case anyone needs it:

There are a number of optional "Advanced" settings that do not show up in the Advanced list by default.  You can type them in manually.  These include a few that can hide all the prompting (set in the Connection Manager key):
HideDomain (set to 1 to hide domain prompt)
HidePassword (set to 1 to hide domain password)
HideInternetPassword (set to 1 to hide internet password)
HideUserName (set to 1 to hide domain username)
HideInternetUsername (set to 1 to hide internet username)

I'm still working on a way to launch the silent command-line RSA EAP installer from the CMAK installer...

< Message edited by jerrice -- 23.Feb.2006 6:16:19 PM >


_____________________________

-Jerry

(in reply to jerrice)
Post #: 2
RE: CMAK and RSA SecurID - 24.Feb.2006 12:45:26 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I did manage it and it is possible, but it was a bit of a bitch to get working

I am back in the office next week and will be able to dig out the script to get it working if you like. PM me your email address and I will give you a shout next week.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to jerrice)
Post #: 3
RE: CMAK and RSA SecurID - 24.Feb.2006 3:14:08 AM   
jerrice

 

Posts: 28
Joined: 9.Dec.2005
Status: offline
Ok, got this all straightened out, and I'll post the results here to help anyone else out...  Much thanks to Jason Jones, who pointed me at the post-install processing for the CMAK installer and provided other info.  Without that, this would be MUCH uglier than it already is.

In addition to the above changes, there is a section in the profilename.inf file called [RunPostSetupCommandsSection].  You can add any programs you want to run there (make sure you include them in the Additional Files dialog during the CMAK Wizard).  This line will kick off the RSA Authentication Agent:
"msiexec /qn /norestart /i ""%49000%\%ShortSvcName%\RSA ACEAgent for Windows.msi"""
The %49000% variable is the location that the CMAK installs things to.  I am actually running a batch file instead, in order to prompt for a admin user name using RunAs, but it's basically the same thing.

So, for RSA, you need to include the installer msi (RSA Authentication Agent for Windows.msi) and the options file (packageOptionsFile.txt).  The options file tells it to just install the EAP bits.  If you do not have the options file, here is the text (there is likely a bit of extra stuff in this text, remove it if you don't need to specify it):
InstallSilentDAC=0
InstallSilentLAC=0
InstallSilentAUTOREG=0
InstallSilentRAS=0
InstallSilentEAP=1
AUTH_CONFIG_DIALOG=1
AUTHCONFIGSELECTED=1
AGENT_ACTIVATION_STATE=True
WINDOWS_PASSWORD_STATE=True
IMPORT_CUSTOMBITMAP_STATE=False
ENABLE_NOVELL_PASSWORD_UPDATE=0
PIN_UNLOCK_ENABLED_STATE=False
PIN_UNLOCK_TIMEOUT=75
PIN_UNLOCK_ATTEMPTS=3
REGISTRY_CONFIG_STATE=False

Hopefully this will help someone else out in this same position...

_____________________________

-Jerry

(in reply to Jason Jones)
Post #: 4
RE: CMAK and RSA SecurID - 25.Feb.2006 11:42:03 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Glad you got it working Jerry

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to jerrice)
Post #: 5
RE: CMAK and RSA SecurID - 28.Feb.2006 5:17:03 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jerry and Jason,
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> VPN >> CMAK and RSA SecurID Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts