Apparently, on Windows machines where "RSA Authentication Agent" is installed, it's possible to leverage that to provide authentication services. It seems there's some documentation/SDK somewhere for doing this. It seems it's possible to statically link this functionality in, or load it dynamically by calling some functions exported from "aceclnt.dll".
However, since RSA's website was moved to emc.com, all links to the old site are dead. I can't find the docs anywhere on the new site. Please help me google this!
We can trivially use SecurID authentication in our application on UNIX/Linux, via PAM. It's only on Windows where we need to use some special SecurID API to query whether to accept/reject the credentials.
It is not that trivial, especially using the C SDK, which you will be using with aceclnt.dll. Many API calls are asynchronous, which means you must call and poll for the answer. Most/all traffic is encrypted, so Wireshark is of little help.
But to get the files, you must have a support account (I have one and used it to confirm with RSA).
From the RSA Authentication Agent API 8.1 SP2 for C release notes:
The RSA Authentication Agent application programming interface (API) for C enables developers to integrate RSA SecurID into custom or third-party applications. The API is available for download on RSA SecurCare Online at https://knowledge.rsasecurity.com as a .tar and a .zip file.
The exact URL for the C SDK is https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8635
Starting with Authentication Manager 7.1, there is a new Java, Python and C# API. They're much easier to work with. I have used the Java version successfully for token management and user authentication.
The URL for the Authentication Manager SDK Python, Java and C# SDK is https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8205.
Posting the files would void my support account, but others have posted sample code. It is in Python, but the Java and C# object names are the same.
Your server can be a RADIUS client. Integrate a RADIUS client library into your code and send the PIN and token code to the SecurID server. It will do the validation. As a bonus, you will be ready to support other RADIUS-based authentication services.
Keep in mind that you will be validating a PIN and tokencode. In most/all configurations, the PIN will be different from the Windows password.
You must call the SecurID server with that information because there is no way to tell which part is the PIN and which part is the tokencode. Tokencodes are not always 6 digits, and the PIN can be numeric, too. Or maybe the user has not set a PIN yet, etc.
There is a generic back-and-forth mechanism in RADIUS that you can also support. It will be used to prompt the user for his next token code, change his PIN, etc. Your server, acting as a RADIUS client, will be moving the information back and forth from the client to the server until it is satisfied. You can then consider authentication completed. You can use NTRadPing to test.
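The RADIUS exchange this answer describes, as an added example that is not part of the original post and not RSA's code: a minimal RFC 2865 client that sends the PIN+tokencode as User-Password, relays each Access-Challenge prompt (next tokencode, new PIN) back to the user together with the server's State, and treats any reply whose Response Authenticator does not verify under the shared secret as a reject. The shared secret, user name, passcodes and the stand-in "SecurID" server are constructed for the demonstration; the stand-in answers a correct first passcode with a "next tokencode" challenge.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # RFC 2865 attribute types
def xor_password(data, secret, auth, hide):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous cipher block), the first keyed by auth
    if hide:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")  # passcodes are digits, so the pad NULs can be dropped
def build(code, ident, auth, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body
def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]], pos = pkt[pos + 2:pos + pkt[pos + 1]], pos + pkt[pos + 1]
    return code, ident, pkt[4:20], attrs
def response_authenticator(resp, request_auth, secret):  # RFC 2865 section 3
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()

def authenticate(send, secret, user, passcode, answer):
    # Client side: PIN+tokencode is the first User-Password; each challenge prompt goes to answer(prompt)
    ident, reply, state = 0, passcode, None
    while True:
        auth = os.urandom(16)
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, xor_password(reply.encode(), secret, auth, True))]
        attrs += [(STATE, state)] if state else []
        resp = send(build(ACCESS_REQUEST, ident, auth, attrs))
        code, rid, rauth, rattrs = parse(resp)
        genuine = rid == ident and rauth == response_authenticator(resp, auth, secret)
        if not genuine or code != ACCESS_CHALLENGE:
            return genuine and code == ACCESS_ACCEPT  # a reply the shared secret does not vouch for is a reject
        state, ident = rattrs[STATE], (ident + 1) % 256
        reply = answer(rattrs.get(REPLY_MESSAGE, b"").decode())

def fake_securid_server(secret, passcode, next_code):
    # Constructed stand-in: correct passcode -> "next tokencode" challenge; follow-up must carry State + next_code
    def handle(req):
        _, ident, auth, attrs = parse(req)
        pw = xor_password(attrs[USER_PASSWORD], secret, auth, False).decode()
        if STATE not in attrs and pw == passcode:
            out = build(ACCESS_CHALLENGE, ident, bytes(16), [(STATE, b"nt-1"), (REPLY_MESSAGE, b"Enter next tokencode")])
        else:
            ok = attrs.get(STATE) == b"nt-1" and pw == next_code
            out = build(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, bytes(16), [])
        return out[:4] + response_authenticator(out, auth, secret) + out[20:]
    return handle
```

In a real deployment `send` is a UDP round trip to the Authentication Manager RADIUS port with a timeout and retransmit, and `answer` is whatever your application uses to prompt the user.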