
Offline authentication extends RSA SecurID authentication to users when the connection to RSA Authentication Manager is not available, for example, when users work away from the office, or when network conditions make the connection temporarily unavailable. You enable, disable, and configure offline authentication through the Authentication Manager by specifying an offline authentication policy and applying that policy to Authentication Manager security domains.

When offline authentication is enabled, Authentication Manager downloads a configurable number of “offline days” of tokencode data to users’ machines. This data is used when users attempt to authenticate offline.

You enable local authentication and Windows password integration through the RSA Security Console, as part of an offline authentication policy. Only users assigned to security domains with an offline authentication policy that allows offline authentication and Windows password integration can use these features.

When you install Authentication Manager, a default offline authentication policy is automatically created. You can edit this policy, or create a custom offline authentication policy and designate it as the default.

One offline authentication policy is always designated as the default policy. Authentication Manager assigns the default policy to each new security domain. You can use the default offline authentication policy or assign a custom policy to each security domain.

To use the default policy, make sure Use the default policy is selected from the Offline Authentication Policy drop-down list. The policy designated as the default is automatically assigned to the security domain. To use an offline authentication policy other than the default, specify a policy name from the drop-down list.

Offline authentication policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy are still assigned the default offline authentication policy.

To add a custom offline authentication policy:

1. Click Authentication > Policies > Offline Authentication Policies > Add New.

2. In the Offline Authentication Policy Name field, enter a unique name for the policy.

3. Optional. If you want this policy to allow offline authentication, click Enable Offline Authentication. This allows users to authenticate with their tokens when their computer is not connected to the network.

4. Optional. To enable Windows password integration, click Enable Windows Password Integration. When you enable Windows password integration, users can authenticate with their Windows user name and password.

5. Optional. If you want this policy to be the default offline authentication policy, click Set as default offline authentication policy. The default policy is applied to all new security domains.

6. Use the Minimum Online Passcode Length drop-down menu to select the minimum length of the passcode (PIN + tokencode) a user must enter to download days of offline data. Passcodes are checked against this length before users are allowed to download offline data.

7. Optional. PINPad tokens, software tokens, tokens that are configured so that they do not require a PIN, and fixed passcodes (including emergency access tokencodes) are likely to contain fewer characters than required by the minimum offline passcode length setting. RSA Security recommends that you do not allow offline authentication with these types of tokens. You can, however, use the Allow Offline Authentication Using field to override the minimum length setting for users that authenticate with any of these tokens.

8. Optional. Select the Allow offline emergency codes to be generated checkbox if you want Authentication Manager to generate offline emergency codes for your users.

9. Select the type of offline emergency codes you want to generate.

Offline emergency tokencodes are for users who have misplaced their tokens. Because emergency passcodes enable authentication without a PIN, RSA Security recommends that you use emergency tokencodes instead. Users still must enter their PIN followed by the emergency tokencode to gain entry to their computers.

Offline emergency passcodes are for users who have forgotten their PIN and need a full passcode. Provide emergency passcodes only in situations where users have forgotten their PINs. Emergency passcodes allow users to log on without entering their SecurID PIN, and should be used sparingly. In such cases, make sure you properly identify the users before providing them with emergency passcodes.

10. In the Lifetime field, enter the length of time, in days, for which emergency codes are valid. The default is thirty days.

11. In the Maximum Days of Offline Data field, enter the amount, in days, of offline data you want to allow users to download.

12. In the Days of Offline Data Warning field, specify the number of remaining days of offline authentication data that triggers a warning to users. The default is seven days. Users who receive the warning must reconnect to the network and replenish their supply of offline logon days. If users run out of offline logon days, they must contact an administrator.

13. In the Offline Authentication Failures field, enter the number of allowable failed offline authentication attempts before users must use an emergency code to gain entry to their computers.

14. Optional. Select the Offline Logging checkbox if you want authentication log entries uploaded to Authentication Manager when the user reconnects to the network.

15. Click Save.
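The following audit sketch is an added example, not RSA code or an Authentication Manager export format. It models the non-inheritance rule and the recommendations from the procedure above; the field names, domain names, and sample policies are constructed for illustration.

```python
# Constructed sample data; the field names are hypothetical, not an RSA export format.
POLICIES = {
    "Default": {"offline": True, "short_override": True, "emergency": "passcode",
                "max_days": 14, "warn_days": 7, "logging": False},
    "Hardened": {"offline": True, "short_override": False, "emergency": "tokencode",
                 "max_days": 7, "warn_days": 3, "logging": True},
}
DEFAULT_POLICY = "Default"
PARENT = {"Corp": None, "Corp/Sales": "Corp", "Corp/Eng": "Corp"}  # domain -> parent
ASSIGNED = {"Corp": "Hardened", "Corp/Eng": "Hardened"}            # explicit assignments only


def effective_policy(domain):
    """A domain uses its own assignment or the default; it never inherits from its parent."""
    return ASSIGNED.get(domain, DEFAULT_POLICY)


def lint(policy):
    """Check one policy against the recommendations stated in the procedure."""
    findings = []
    if not policy["offline"]:
        return findings
    if policy["short_override"]:
        findings.append("minimum length overridden for PINless or short-passcode tokens")
    if policy["emergency"] == "passcode":
        findings.append("emergency passcodes allow logon without the PIN; use tokencodes")
    if policy["warn_days"] >= policy["max_days"]:
        findings.append("warning threshold is not below the maximum days of offline data")
    if not policy["logging"]:
        findings.append("offline log entries are not uploaded on reconnect")
    return findings


def audit():
    """Return {domain: (policy name, findings)}, flagging silent fallback to the default."""
    report = {}
    for domain, parent in PARENT.items():
        name = effective_policy(domain)
        findings = lint(POLICIES[name])
        if parent and domain not in ASSIGNED and effective_policy(parent) != name:
            findings.insert(0, f"parent uses '{effective_policy(parent)}', "
                               f"this domain fell back to '{name}'")
        report[domain] = (name, findings)
    return report


if __name__ == "__main__":
    for domain, (name, findings) in audit().items():
        print(domain, "->", name, findings or "ok")
```

In the sample, Corp/Sales sits under a domain with the hardened policy but is reported against the default policy, which is the case the non-inheritance paragraph warns about.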
