RADIUS with AM Configuration - Thycotic Secret Server 10.6 - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on May 22, 2019

This section contains instructions on how to integrate Thycotic Secret Server with RSA Authentication Manager using RADIUS.

Architecture Diagram

RSA Authentication Manager Configuration

To use RSA Authentication Manager with a RADIUS client, you must create both a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console. The RADIUS client entry carries the client's IP address and the shared secret; the agent host record controls which users and policies apply.

The relationship of agent host record to RADIUS client in Authentication Manager can be 1 to 1, 1 to many, or 1 to all (global).

RSA Authentication Manager listens for RADIUS authentication requests on UDP ports 1645 and 1812. Whichever port you choose on the client side must match one of these, and it must be open on any firewall between Secret Server and the Authentication Manager primary and replica.


Configure Thycotic Secret Server

Follow the steps in this section to configure Thycotic Secret Server as a RADIUS client to RSA Authentication Manager.

Procedure

1. Log in to Secret Server as an administrator, and click Admin > Configuration.

2. On the Configuration Page, click the Login tab.

3. At the bottom of the page, click the Edit button.

4. Select the Enable RADIUS Integration check box. The page then displays the remaining RADIUS parameters. Enter the details:

  • RADIUS Server Port can be set to either 1645 or 1812; it must be one of the ports Authentication Manager listens on.
  • RADIUS Server IP is the IP address of the primary Authentication Manager instance.
  • RADIUS Shared Secret is the shared secret entered when creating the RADIUS client in Authentication Manager. It must match exactly. Use a long, random secret: RADIUS protects the user password with MD5 keyed only by this secret, so a short or guessable secret lets anyone who captures the UDP traffic recover passcodes.

Note:  The Time Out (seconds) value is set to 60 by default, which is sufficient for most integrations. It can be increased if required, especially where authentication failures are frequently caused by timeouts. Increasing the timeout means that the failover RADIUS server is not used as quickly if the primary RADIUS server is unavailable, because Secret Server waits the full timeout on the primary before trying the failover.

5. To configure a failover RADIUS server, select the Enable Failover RADIUS Server check box. The page then displays the parameters for the failover server. Enter the details:

  • Failover RADIUS Server Port can be set to either 1645 or 1812.
  • Failover RADIUS Server IP is the IP address of the replica Authentication Manager instance.
  • Failover RADIUS Shared Secret is the shared secret configured for the RADIUS client in Authentication Manager.

6. Click Save.

7. Click Admin > Users.

8. On the Users page, click the user to enable for RADIUS two-factor authentication. On the View User page, click Edit.

Note:  For authentication to succeed, the user record must exist in Secret Server. You can add the user locally in Secret Server, or add an LDAP identity source to the Secret Server instance and synchronize it. Detailed steps for adding a user or synchronizing an identity source are in the Thycotic Secret Server documentation.

9. On the Edit User page, do the following:

  1. From the Two Factor drop-down list, select RADIUS.
  2. In the RADIUS User Name field, enter the user name that Secret Server will send in the RADIUS User-Name attribute. It must match the user's ID in Authentication Manager, which is not necessarily the same as the Secret Server login name.
  3. Click Save.


Configuration is complete.
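Before turning RADIUS on for real users, it is worth confirming from the Secret Server host that the port, the shared secret and the user name mapping above actually work. The following added example (not part of the RSA guide or of Secret Server itself) does what Secret Server will do: it builds an RFC 2865 PAP Access-Request, sends it to the primary and then the failover instance, and verifies the Response Authenticator so that a reply from a host that does not hold the shared secret is not trusted. The server names, ports, shared secret and test user are constructed placeholders; the same code also covers the Access-Challenge that Authentication Manager returns when it needs a next tokencode or a new PIN.

```python
"""Pre-flight check of the RADIUS settings Secret Server will use (added example)."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}

# Constructed placeholders mirroring the Secret Server fields: primary first, then failover.
SERVERS = [("am-primary.example.com", 1812), ("am-replica.example.com", 1812)]
SHARED_SECRET = b"replace-with-the-secret-from-the-AM-RADIUS-client"
TIMEOUT_SECONDS = 60  # the Secret Server default discussed above


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple (at least one block) and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    Note that the only key material is the shared secret, hence the advice to make it long."""
    pad = -len(password) % 16
    if not password:
        pad = 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (the server side); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte includes itself and the type byte."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, authenticator, username, password, secret):
    """Access-Request with User-Name (must equal the AM user ID), User-Password (passcode)
    and a NAS-Identifier so the request is easy to find in the AM authentication log."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_user_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, b"secret-server"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_is_authentic(response, ident, request_authenticator, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply failing this check came from a host without the shared secret, or belongs to a
    different request, and must be ignored rather than treated as an accept or a reject."""
    if len(response) < 20:
        return False
    code, resp_id, length = struct.unpack("!BBH", response[:4])
    if resp_id != ident or length != len(response) or code not in CODE_NAMES:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side of the same computation; used to simulate Authentication Manager in tests."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def authenticate(servers, username, password, secret, timeout=TIMEOUT_SECONDS):
    """Try each server in order, moving on only when it does not answer within the timeout.
    Returns 'accept', 'reject', 'challenge', or 'unreachable' if no authentic reply arrived."""
    ident = secrets.randbelow(256)
    authenticator = secrets.token_bytes(16)  # fresh per request; never reuse
    request = build_access_request(ident, authenticator, username, password, secret)
    for host, port in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(request, (host, port))
                response, _ = sock.recvfrom(4096)
            except OSError:  # timeout or ICMP unreachable: this is what gates failover
                continue
        if response_is_authentic(response, ident, authenticator, secret):
            return CODE_NAMES[response[0]]
        # An inauthentic reply (wrong secret on one side, or spoofed) is silently dropped.
    return "unreachable"


if __name__ == "__main__":
    # Constructed test user and passcode (PIN + tokencode) for illustration only.
    print(authenticate(SERVERS, "jdoe", "1234567890", SHARED_SECRET, timeout=5))
```

Reading the result: "accept" or "reject" proves the port and shared secret are right (a reject with a correct secret means the user name or passcode was wrong, which the Authentication Manager authentication activity monitor will confirm); "unreachable" while the server is up almost always means the shared secrets differ, because Authentication Manager's Access-Reject then fails the Response Authenticator check and is discarded, exactly as Secret Server would discard it.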

For additional integrations, see the "Configuration Summary" section of this guide.
