HELP FILE

How do I integrate RSA SecurID with my LastPass Enterprise account?

LastPass supports RSA SecurID authentication via RADIUS. To set up this integration, you must set up a RADIUS client for LastPass in your RSA Authentication Manager.

Since RSA Authentication Manager does not let you specify multiple IP addresses for a RADIUS client, we recommend using the "ANY Client" option, and using a separate firewall to restrict connections to the necessary IP addresses. If you use the "ANY Client" option, you also need to edit the securid.ini file and change CheckUserAllowedByClient from 1 to 0. This RADIUS client must be accessible from all LastPass server IP addresses.

LastPass uses an outbound firewall, so if you're using a port other than 1812 or 1645, your server's IP must be explicitly allowed by our Operations team. To obtain a list of all LastPass server IP addresses and/or request a change for allowing your server's IP address to be explicitly allowed, click Contact Support at the bottom of this article, or contact your assigned sales representative.

Required for setup:

  • RSA SecurID account
  • LastPass Enterprise account

Step #1: Get the RSA SecurID integration info

  1. Follow the instructions to set up a RADIUS client.
  2. Copy the following values and save them to a text editor:
    • RADIUS Server IP addresses

      Note: Separate multiple IP addresses with commas, append ':port' if not 1812 (e.g. 216.162.248.81,216.162.248.82:1645)

    • RADIUS Shared Secret
    • RADIUS Timeout (seconds)
    • Failure Message

Step #2: Set up the RSA SecurID via RADIUS integration in LastPass Enterprise

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Advanced OptionsEnterprise Options in the left navigation.
  3. Click the RSA SecurID/RADIUS tab.
  4. Enter the following information that you copied from Step #1 above:
    • RADIUS Server IP addresses

      Note: Separate multiple IP addresses with commas, append ':port' if not 1812 (e.g. 216.162.248.81,216.162.248.82:1645)

    • RADIUS Shared Secret
    • RADIUS Timeout (seconds)
    • Failure Message

    RADIUS can also be used to support other Multifactor Authentication options besides RSA Secure ID (e.g., SafeNet). If you would like to customize the name and logos that your users will see, do the following:

    • Enter a "Service Name"
    • Upload logo 1 (124x124 PNG)
    • Upload logo 2 (190x42 PNG)
  5. Click Update when finished.

Configure RSA SecureID and RADIUS Integration

Step #3: Enable RSA SecurID as a Multifactor Option

  1. From within the Admin Console, go to Advanced OptionsEnterprise Options in the left navigation.
  2. Select the Enabled Multifactor Options tab.
  3. Check the box to enable the RSA SecurID/RADIUS option, then click Update.

Step #4: Add and configure a Multifactor Authentication policy

  1. From within the Admin Console, go to SettingsPolicies in the left navigation.
  2. Click Add Policy, then choose from the following policies:
  3. Under Multifactor, select Require use of any multifactor option
  4. Select your desired user list for which this policy should be applied. 
  5. Enter Notes for additional information about this policy (optional).
  6. Click Save when finished.

Step #5: Advise your users to set up Multifactor Authentication

Once you have completed the steps above, your users can set up and enable Multifactor Authentication for their LastPass Enterprise account.

Related

Advanced LastPass Admin Options

Enable Multifactor Authentication (Admins)