Configuring two-factor authentication

Security Manager Help | Web, Data, and Email Protection Solutions | v8.4.x

Use the Global Settings > General > Two-Factor Auth page to manage the use of two-factor authentication for administrator logons.


	Note Only Global Security Administrators can access this page.

Two-factor authentication requires administrators to provide 2 forms of identification when logging on to the Security Manager.

Access to Forcepoint Mobile Security is not covered by two-factor authentication; you must log on to the cloud-based console using your regular user name and password.

The following methods are available:

RSA SecurID® authentication (see How RSA SecurID authentication works)

Certificate authentication (see How certificate authentication works).

If you choose to enable RSA SecurID authentication:

Use RSA Authentication Manager 6.1.2 or higher.

Ensure only one network interface controller (NIC) is configured and enabled on your Forcepoint management server.

Create a custom agent for the Forcepoint Security Manager in the RSA Authentication Manager (see Creating a custom agent for RSA SecurID authentication).

Certificate authentication is automatically disabled. If you have previously enabled certificate authentication, and then enable RSA SecurID authentication, a warning message appears.

To set up Security Manager RSA SecurID authentication:

Mark Authenticate administrators using RSA SecurID authentication.

Enter a valid User name and Passcode for RSA SecurID logon.

The user must be able to authenticate with RSA Authentication Manager, but does not have to be a Security Manager administrator.

Click Test Connection to RSA Manager.

The connection test must be successful before the Security Manager allows changes to be saved on this page. The results of the test are displayed next to the Test Connection button; for more information on these results, see Test connection to RSA Manager results.

To allow administrators to log on to the Security Manager if RSA authentication is unavailable, mark the Fall back to other authentication mechanisms option.

This means that any administrators configured on the General > Administrators page can log on using their local or network credentials as a fallback. If you do not select this option, RSA authentication is the only option for all administrators except the "admin" account created during installation.

Click OK.

To set up Security Manager certificate authentication:

Mark Authenticate administrators using client certificate authentication.

To enable attribute matching, under Certificate Matching mark Use attribute matching as a fallback method and select whether it applies to all administrators, or only administrators without certificates in the Security Manager.

To configure the attributes used for matching, click Configure Attribute Matching, then see Setting up attribute matching.

To import certificates from your user directory for network administrators, click Import Administrator Certificates.

When certificates are successfully imported, a success message is displayed at the top of the page. If any of the certificates are not imported correctly, you can upload a certificate for each network administrator on the General > Administrators > Edit Network Account page.

Click Add under Root Certificates to add a root certificate for signature verification. There must be at least one root certificate in the Security Manager for two-factor authentication to operate.

Browse to the location of the root certificate file, then click Upload Certificate.

Whenever a root certificate is added or changed, create a new master certificate file and copy it to the "Websense TRITON Web Server" service. Click Create Master Certificate File to create the new file, then see Deploying the master certificate file for further information.

To enable password authentication as a fallback method, mark Allow password authentication to log on... and select whether it applies to all administrators, or only administrators without certificates in the Security Manager.


	Note The "admin" account created during installation can always log on from the Forcepoint management server machine using password-based authentication.

Click OK.