The updated PCI DSS requirements call for TLS 1.2. RSA Authentication Manager 8.2 supports two TLS configuration modes.
Strict TLS 1.2 mode
In this mode, all TLS-enabled ports on RSA Authentication Manager 8.2 accept only TLS 1.2, with one exception: the RADIUS administration port, TCP 1813, continues to negotiate SSLv3 because the RADIUS administration service does not support TLS. This mode is not enabled by default; enable it only if your environment requires it, and note that it requires additional configuration (see the limitations below).
Non-strict TLS 1.2 mode (default mode of Authentication Manager 8.2)
The default mode of RSA Authentication Manager 8.2 is non-strict TLS 1.2. In this mode the server accepts TLS 1.2 as well as the older protocol versions TLS 1.1, TLS 1.0, and SSLv3. It is the default mainly to preserve backward compatibility with older authentication agents and SDK-based agents.
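Before and after switching modes it is worth confirming from a client host which protocol versions each port actually negotiates, rather than trusting the configuration alone. The following probe is an added example written for this page; it is not RSA code. It pins a client handshake to one protocol version at a time and then classifies the result as strict or non-strict. The host name am.example.com and the port list are placeholders for the reader's own deployment; SSLv3 cannot be offered by current Python/OpenSSL builds, so the SSLv3-only administration port will simply show no accepted TLS version here, and TLS 1.0/1.1 probes rely on OpenSSL being willing to offer them (the code lowers the OpenSSL security level where it can).

```python
import socket
import ssl

# Protocol versions to probe, oldest first. SSLv3 is deliberately absent:
# modern Python/OpenSSL builds cannot offer it at all.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly `version`.

    Returns True if the server completes the handshake, False if the
    handshake is refused (protocol/cipher rejected), None if the TCP
    connection itself failed or the local OpenSSL cannot offer `version`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol negotiation, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Allow OpenSSL to offer legacy suites so a TLS 1.0/1.1 probe is
        # not refused locally before it reaches the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False
    except OSError:
        return None


def classify(results):
    """Map per-version probe results to an Authentication Manager TLS mode.

    `results` is {version_name: True|False|None}. Only TLS 1.2 accepted
    means strict mode; TLS 1.2 plus any older version means non-strict.
    """
    accepted = {name for name, ok in results.items() if ok}
    if "TLSv1.2" not in accepted:
        return "no TLS 1.2 (not an AM 8.2 TLS endpoint, or probe failed)"
    if accepted == {"TLSv1.2"}:
        return "strict TLS 1.2"
    older = ", ".join(sorted(accepted - {"TLSv1.2"}))
    return "non-strict TLS 1.2 (also accepts %s)" % older


def scan(host, ports):
    """Probe every version on every port; return {port: (results, verdict)}."""
    report = {}
    for port in ports:
        results = {name: probe(host, port, ver) for name, ver in VERSIONS.items()}
        report[port] = (results, classify(results))
    return report


if __name__ == "__main__":
    # Placeholder target and ports (assumptions, not values from the page);
    # substitute the Authentication Manager host and the ports you expose.
    for port, (results, verdict) in scan("am.example.com", [1813]).items():
        print("port %d: %s  %s" % (port, verdict, results))
```

Run it once in the default mode and once after enabling strict mode: every port except the RADIUS administration port should move from "non-strict" to "strict". A None result on a TLS 1.0 or 1.1 probe means your local OpenSSL refused to offer that version, not that the server rejected it; rerun from a host whose OpenSSL still permits legacy protocols before drawing conclusions.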
Limitations of strict TLS 1.2 mode
These limitations stem mostly from older clients being unable to negotiate TLS 1.2. Strict TLS 1.2 mode does not support the following:
- Provisioning of software tokens via CT-KIP to Android versions prior to 5.0.2, iOS versions prior to 8.x, and the software token applications for Macintosh and BlackBerry.
- Auto-registration and offline authentication in RSA Authentication Agents prior to 7.3.
- The RADIUS administration port, TCP 1813, of the Steel-Belted RADIUS server still requires SSLv3 even in strict mode. SSLv3 is deprecated (RFC 7568) and vulnerable to POODLE, so restrict network access to this port to trusted administrative hosts.
- Enabling strict TLS mode requires running the CLU (command-line utility) on each server in the deployment to update that server's configuration; the mode is not applied deployment-wide from one instance.