HELP FILE

How do I integrate RSA SecurID with my LastPass Business account?

LastPass Business supports RSA SecurID authentication via RADIUS. To set up this integration, you must set up a RADIUS client for LastPass in your RSA Authentication Manager.

Since RSA Authentication Manager does not let you specify multiple IP addresses for a RADIUS client, we recommend using the "ANY Client" option, and using a separate firewall to restrict connections to the necessary IP addresses. If you use the "ANY Client" option, you also need to edit the securid.ini file and change CheckUserAllowedByClient from 1 to 0. This RADIUS client must be accessible from all LastPass server IP addresses.

LastPass uses an outbound firewall, so if you're using a port other than 1812 or 1645, your server's IP must be explicitly allowed by our Operations team. To obtain a list of all LastPass server IP addresses and/or request that your server's IP address be explicitly allowed, contact your assigned sales representative.

If you need additional assistance, please contact Customer Care by selecting Contact Support at the bottom of this article.

Required for setup:

  • RSA SecurID account
  • LastPass Business account

Step #1: Get the RSA SecurID integration info

  1. Follow the instructions to set up a RADIUS client.
  2. Copy the following values and save them to a text editor:
    • RADIUS Server IP addresses
      Note: Separate multiple IP addresses with commas, and append ':port' if the port is not 1812 (e.g., 216.162.248.81,216.162.248.82:1645)
    • RADIUS Shared Secret
    • RADIUS Timeout (seconds)
    • Failure Message
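
Before pasting the server list into the Admin Console, it can be checked against the format in the note above. The following is an added example, not LastPass's own validation: the function names are hypothetical, IPv4-only parsing is an assumption based on the page's sample value, and the routability warning is an added check based on the requirement that the server be reachable from LastPass server IP addresses.

```python
import ipaddress

DEFAULT_PORT = 1812
# Ports the page says need no explicit allowance on the LastPass outbound firewall.
PREALLOWED_PORTS = {1812, 1645}


def parse_radius_servers(field):
    """Parse the 'RADIUS Server IP addresses' value into (ip, port) pairs.

    Raises ValueError on any entry that is not 'ip' or 'ip:port'.
    """
    servers = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry (stray comma?)")
        host, sep, port_text = entry.partition(":")
        # Assumption: IPv4 only, since ':port' would be ambiguous with IPv6.
        ip = str(ipaddress.IPv4Address(host))  # ValueError if malformed
        port = DEFAULT_PORT
        if sep:
            if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
                raise ValueError(f"bad port in {entry!r}")
            port = int(port_text)
        if (ip, port) in servers:
            raise ValueError(f"duplicate entry {entry!r}")
        servers.append((ip, port))
    return servers


def preflight(field):
    """Return (servers, warnings) for a candidate field value."""
    servers = parse_radius_servers(field)
    warnings = []
    for ip, port in servers:
        if port not in PREALLOWED_PORTS:
            warnings.append(f"{ip}:{port} uses a port other than 1812/1645; "
                            "request explicit allowance of this server IP")
        if not ipaddress.IPv4Address(ip).is_global:
            warnings.append(f"{ip} is not publicly routable; LastPass "
                            "servers will not be able to reach it")
    return servers, warnings
```

A returned warning about the port corresponds to the case described earlier, where the server's IP must be explicitly allowed by the LastPass Operations team.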

Step #2: Set up the RSA SecurID via RADIUS integration in LastPass Enterprise

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Advanced Options > Enterprise Options > Multifactor options > RSA SecurID/RADIUS.
  3. Enter the following information that you copied from Step #1 above:
    • RADIUS Server IP addresses
      Note: Separate multiple IP addresses with commas, and append ':port' if the port is not 1812 (e.g., 216.162.248.81,216.162.248.82:1645)
    • RADIUS Shared Secret
    • RADIUS Timeout (seconds)
    • Failure Message

    RADIUS can also be used to support other Multifactor Authentication options besides RSA SecurID (e.g., SafeNet). If you would like to customize the name and logos that your users will see, do the following:

    • Enter a "Service Name"
    • Upload logo 1 (124x124 PNG)
    • Upload logo 2 (190x42 PNG)
  4. Click Update when finished.

Configure RSA SecurID and RADIUS Integration

Step #3: Enable RSA SecurID as a Multifactor Option

  1. From within the Admin Console, go to Advanced Options > Business Options > Multifactor options.
  2. Under "Enabled Multifactor Options" toggle on the switch for the RSA SecurID/RADIUS option.

Step #4: Add and configure a Multifactor Authentication policy

  1. From within the Admin Console, go to Settings > Policies in the left navigation.
  2. Click Add Policy, then choose from the following policies:
  3. Under Multifactor, select Require use of any multifactor option
  4. Select the user list to which this policy should be applied.
  5. Enter Notes for additional information about this policy (optional).
  6. Click Save when finished.

Step #5: Advise your users to set up Multifactor Authentication

Once you have completed the steps above, your users can set up and enable Multifactor Authentication for their LastPass Business account.

About removal of users enabled with RSA SecurID/RADIUS

The RSA SecurID/RADIUS integration is associated with your LastPass Business account. If you remove users from your company account without first disabling RSA SecurID/RADIUS as their multifactor authentication option, those users may become locked out of their LastPass account (if it is converted to a LastPass Free account) once removed.

For this reason, we recommend disabling RSA SecurID/RADIUS for the users you plan to remove, as follows:
  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Select Users in the left navigation.
  3. Check the boxes next to your desired users.
    Tip: To sort by users enabled with RSA SecurID/RADIUS, click the Multifactor column header row for the users table.
  4. Select More actions > Disable multifactor for selected users.
  5. Click OK to confirm.

You have disabled RSA SecurID/RADIUS for your selected users, and you can now safely remove those users from your company account without risk of locking them out (if their accounts convert to LastPass Free accounts).