Hello
I have implemented such a solution for a major oil company,
and I totally disagree with Didier Arenzana.
First, you don't need to create local users with Auth Manager. You can import
your users from Active Directory to your Auth Manager.
Yes, the RSA agent EAP should be installed on the remote clients, and this is
more secure. The purpose of using an RSA SecurID is only to be sure that those who are
logging in remotely are who they really are, and that is why you have to use
2-factor authentication for the remote users. They have to be authenticated by
Auth Manager before they can log in to the network.
If you need more details, you can always email me.
Regards
Bhagat Panwar
ISS, CISSP, RSA SecurID, CCIE
Didier Arenzana <darenzana@...> wrote:
Hi,
2006/7/5, speedy_1s <speedy_1s@...>:
> Hi, has anyone used SecurID for remote logins to an Active Directory?
> Most of my users will dial in via ADSL. Here are some questions I have:
I haven't used such a feature, but I think I can help anyway:
> 1) Should user accounts (within Auth Manager) be local or remote? (I
> really would like to avoid having to use realms unless completely
> necessary.)
Your user accounts within Auth Manager will be local. Remote accounts
are only used when you want users from another realm to be able to
authenticate through yours. If all your users are within your
responsibility, meaning you are the only one to provide them SecurID
cards, then you don't need to use remote accounts.
> 2) Does the client software need to be installed on the remote PC
> (keeping in mind that the user will be entering their passcode in the
> dial-up networking screen, not the Windows GINA)?
I don't think so. That would mean the remote PC itself is contacting
your auth manager to check the passcode, which would be a very bad
idea, since that would mean you trust the remote PC's security.
Regards,
Didier.