000038058 - Creating a RADIUS monitoring account for Citrix NetScaler in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Oct 15, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038058
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
IssueThis article explains how to create a RADIUS monitoring account that attempts to log into the RADIUS server.

On the RSA Authentication Manager server

  1.  Login to the Security Console of your primary server.
  2. Create a new user (Identity > Users > Add New), being sure to ad all required information.  When done, click Save.
  3. Using the Search Criteria options on the left, search for the new user.
  4. Click on the context arrow next to the user ID and choose Authentication Settings.
  5. Check the option to Allow authentication with a fixed passcode.
  6. Enter and confirm the fixed passcode.  For example, 87654321.
  7. Click Save when done.
  8. Be sure to login to the Self-Service Console at least once with the new user ID and fixed passcode because you will be asked to change the fixed passcode.
  9. When prompted, change the fixed passcode to something else (for example, 12345678).  
  10. Use the newly updated fixed passcode with the monitoring account.

There is no need to assign a token to your monitoring user as long as you are using a fixed passcode. You don’t want to waste a token on a user just for monitoring.


On the Citrix NetScaler

  1. In the NetScaler Configuration Utility, on the left under Traffic Management > Load Balancing, click Monitors. On the right, click Add.
  2. Provide a name for the monitor.
  3. Change the Type listed in the drop-down to RADIUS.
  4. On the Standard Parameters tab, you might have to increase the Response Time-out to 4.
  5. On the Special Parameters tab, enter valid RADIUS credentials: 
    1. In the User Name field, type the user ID of the user created in the Security Console.
    2. In the Password field, enter the fixed passcode which was set in the Self-Service Console.
    3. In the Radius Key Field, enter the shared secret configured on RSA Authentication Manager server and Citrix NetScaler:

User-added image


  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups then choose the created service group for RSA RADIUS.
  2. On the right, in the Advanced Settings column, click Monitors and on the Monitors Section, click on No Service Group to Monitor Binding.
  3. Click the arrow next to Click to select and Select your new RADIUS monitor.  Click Select then click Bind.

To verify that RADUS monitoring is working correctly

  1. After Binding, verify that member is up by clicking on Service Group Members and click Monitor Details.  It should say RADIUS response code 2 or 3 was received. Click OK then Done.
  2. From the Security Console add a new report, selecting the Authentication Activity template or use the real time authentication activity report (Reporting > Real-time Activity MonitorsAuthentication Activity Monitor > Start Monitor). With either option there should be see successful login attempts from the RADIUS monitoring account