Configuring two-factor authentication

Security Manager Help | Web, Data, and Email Protection Solutions | v8.5.x

Use the page Global Settings > General > Two-Factor Auth to manage the use of two-factor authentication for administrator logons.


	Note Only Global Security Administrators can access this page.

Two-factor authentication requires administrators to provide two forms of identification when logging on to the Security Manager.

Access to Forcepoint Mobile Security is not covered by two-factor authentication; you must log on to the cloud-based console using your regular user name and password.

The following methods are available:

RSA SecurID® authentication (see How RSA SecurID authentication works)

Certificate authentication (see How certificate authentication works).

If you choose to enable RSA SecurID authentication:

Use RSA Authentication Manager 6.1.2 or higher.

Ensure that only one network interface controller (NIC) is configured and enabled on your Forcepoint management server.

Create a custom agent for the Forcepoint Security Manager in the RSA Authentication Manager (see Creating a custom agent for RSA SecurID authentication).

Certificate authentication is automatically disabled. If you have previously enabled certificate authentication, and then enable RSA SecurID authentication, a warning message appears.

To set up Security Manager RSA SecurID authentication:

In the section RSA SecurID Authentication, mark the check box Authenticate administrators using RSA SecurID authentication.

Enter a valid User name and Passcode for RSA SecurID logon.

The user must be able to authenticate with RSA Authentication Manager but does not have to be a Security Manager administrator.

Click Test Connection to RSA Manager.

The connection test must be successful before the Security Manager allows changes to be saved on this page. The results of the test are displayed next to the Test Connection button; for more information on these results, see Test connection to RSA Manager results.

To allow administrators to log on to the Security Manager if RSA authentication is unavailable, mark the check box Fall back to other authentication mechanisms.

This means that any administrators configured on the page General > Administrators can log on using their local or network credentials as a fallback. If you do not select this option, RSA authentication is the only option for all administrators except the "admin" account created during installation.

Click OK.

The settings are saved.

To set up Security Manager certificate authentication:

In the section Certificate Authentication, mark the check box Authenticate administrators using client certificate authentication.

To enable attribute matching, in the section Certificate Matching, mark the check box Use attribute matching as a fallback method and select whether it applies to all administrators or only to administrators without certificates in the Security Manager.

To configure the attributes used for matching, click Configure Attribute Matching, then see Setting up attribute matching.

To import certificates from your user directory for network administrators, click Import Administrator Certificates.

When certificates are successfully imported, a success message is displayed at the top of the page. If any of the certificates are not imported correctly, you can upload a certificate for each network administrator on the page General > Administrators > Edit Network Account.

In the section Root Certificates, click Add to add a root certificate for signature verification. There must be at least one root certificate in the Security Manager for two-factor authentication to operate.

Browse to the location of the root certificate file, then click Upload Certificate.

Whenever a root certificate is added or changed, create a new master certificate file and copy it to the "Websense TRITON Web Server" service. Click Create Master Certificate File to create the new file, then see Deploying the master certificate file for further information.

In the section Password Authentication, to enable password authentication as a fallback method, mark the check box Allow password authentication to log on to the Security Manager for: and select whether it applies to all administrators or only to administrators without certificates in the Security Manager.


	Note The "admin" account created during installation can always log on from the Forcepoint management server machine using password-based authentication.

Click OK.

The settings are saved.