000038649 - Configuring a restricted agent associated to a RADIUS client to control user access with RSA Authentication Manager 8.x.

Document created by RSA Customer Support Employee on Mar 31, 2020

Article Content

Article Number: 000038649
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue: A RADIUS client with an associated RSA agent is created in the Security Console, and the RSA agent has the following setting enabled:
User Group Access Restriction: Allow access only to members of user groups who are granted access to this agent

The following observations are noted:

  • RADIUS authentication succeeds even for users who are not members of any user group granted access to the associated RSA agent, although the agent is enabled for group restriction. This is not expected: the restriction should cause the authentication to fail, with the following message in the Authentication Activity Monitor:

Activity Key: Authentication agent access check
Reason: Principal does not belong to any groups activated on restricted agent

  • The Authentication Activity Monitor reports the RSA Authentication Manager's own IP address rather than the RADIUS client's IP address in the Agent and Client IPv4 columns, so the authentication is not being attributed to the RADIUS client's associated agent.
Cause: The CheckUserAllowedByClient parameter in the [Configuration] section of the /opt/rsa/am/radius/securid.ini file has a value of 0, as shown below. With this value the RSA RADIUS server does not perform the per-client (agent) access check before authenticating the user, so the group restriction configured on the associated agent is never evaluated and the restriction fails open for RADIUS authentications.

; SecurID General options
Enable = 1
CheckUserAllowedByClient = 0
;DefaultProfile = DEFAULT
;AllowSystemPins = 0

Resolution: For the group restriction to work for a RADIUS client with an associated RSA agent, an administrator must set the CheckUserAllowedByClient parameter in the [Configuration] section of the /opt/rsa/am/radius/securid.ini file to 1. If other instances in the deployment also run the RSA RADIUS server, confirm the value on each of them as well. Once the value is updated, you must restart the RSA RADIUS server on the Authentication Manager instance for the change to take effect, using the steps below:
  1. Log in to the command line of the RSA Authentication Manager instance with the operating system account. This is rsaadmin, or another account configured during Quick Setup.
  2. Enter the command awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new

This awk command skips any line containing a semicolon (the INI comment character, so commented-out settings such as ;DefaultProfile are left alone), locates the active CheckUserAllowedByClient line, replaces its last field (the value) with 1, prints every line, and redirects the output to a new file. The original securid.ini is not modified by this step. For example:

rsaadmin@am84p:~> awk '!/;/ && /CheckUserAllowedByClient/{$NF="1"} 1' /opt/rsa/am/radius/securid.ini > /tmp/securid.ini.new

  3. Check the value of CheckUserAllowedByClient in /tmp/securid.ini.new with the command grep CheckUserAllowedByClient /tmp/securid.ini.new. For example:

rsaadmin@am84p:~> grep CheckUserAllowedByClient /tmp/securid.ini.new
CheckUserAllowedByClient = 1

  4. Compare the changed /tmp/securid.ini.new file with the original securid.ini file. The only difference should be the CheckUserAllowedByClient value; if anything else differs, do not copy the new file into place. For example, where only CheckUserAllowedByClient has changed:

rsaadmin@am84p:~> diff /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
< CheckUserAllowedByClient = 1
> CheckUserAllowedByClient = 0

  5. Overwrite the RSA RADIUS server securid.ini file with the changed securid.ini.new file. Copying over the existing file (rather than moving the /tmp file into place) keeps the original file's owner and permissions. For example:

rsaadmin@am84p:~> cp /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini

  6. Check that CheckUserAllowedByClient in /opt/rsa/am/radius/securid.ini is now set to 1. For example:

rsaadmin@am84p:~> grep CheckUserAllowedByClient /opt/rsa/am/radius/securid.ini
CheckUserAllowedByClient = 1

  7. Restart the RSA RADIUS server at the command line for the change to take effect:

rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius
Stopping RSA RADIUS Server: ***
RSA RADIUS Server                                          [SHUTDOWN]
Starting RSA Administration Server with Operations Console: *
Starting RSA Database Server: *
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: *
RSA Database Server                                        [RUNNING]
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server: *
RSA Runtime Server                                         [RUNNING]
Starting RSA RADIUS Server: **
RSA RADIUS Server                                          [RUNNING]

  8. Open the real-time Authentication Activity Monitor: from the Security Console, select Reporting > Real-time Activity Monitors > Authentication Activity Monitor.
  9. Click Start Monitor.
  10. Perform a RADIUS authentication as a user who is not a member of any user group granted access to the agent. It should now fail, and the monitor should show Activity Key "Authentication agent access check" with Reason "Principal does not belong to any groups activated on restricted agent".
  11. Perform a RADIUS authentication as a member of a user group granted access to the agent to confirm that allowed users still authenticate successfully, and check that the Agent and Client IPv4 columns now report the RADIUS client's IP address.

The steps that are provided in this knowledge article avoid having to use the vi editor.

Should you have Linux and vi editor experience, an alternative would be:

  1. Make a copy of the /opt/rsa/am/radius/securid.ini file.
  2. Update the CheckUserAllowedByClient parameter.
  3. Save the change.
  4. Restart the RSA RADIUS Server.
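The following script is an added example and is not part of this knowledge article or of RSA's own tooling. It performs the same securid.ini rewrite as the awk and vi procedures above, but in a form that can be checked before the file is copied into place: it reads the effective value, writes a .new file in which only CheckUserAllowedByClient is changed, confirms that the rewrite touched nothing else, and refuses to proceed when the key is absent or only present as a comment (a case the one-line awk command would silently leave unchanged). The function names, the SAMPLE_INI text and the temporary file are constructed for the example; on a real instance the file is /opt/rsa/am/radius/securid.ini and the remaining steps (cp and rsaserv restart radius) are those of the article.

```shell
#!/bin/sh
# Added example, not part of the RSA knowledge article. Rewrites the
# CheckUserAllowedByClient value of a securid.ini-style file to 1, leaving
# every other line (including ';' comment lines) byte-for-byte unchanged.

# Constructed sample of the [Configuration] section of securid.ini so the
# example runs offline; it is not a copy of a real instance's file.
SAMPLE_INI='[Configuration]
; SecurID General options
Enable = 1
CheckUserAllowedByClient = 0
;DefaultProfile = DEFAULT
;AllowSystemPins = 0'

# get_check_user_allowed FILE
# Prints the effective value of CheckUserAllowedByClient (first uncommented
# occurrence), or "unset" if the key is absent or exists only as a comment.
get_check_user_allowed() {
    awk -F= '
        /^[ \t]*;/ { next }                     # INI comment line, ignore
        /^[ \t]*CheckUserAllowedByClient[ \t]*=/ {
            v = $2; sub(/;.*$/, "", v); gsub(/[ \t]/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# set_check_user_allowed FILE
# Writes FILE.new with CheckUserAllowedByClient = 1. Returns 0 on success and
# 1 (removing FILE.new) if there is no active CheckUserAllowedByClient line,
# so a commented-out key is reported instead of being silently left in place.
set_check_user_allowed() {
    if awk '
        /^[ \t]*;/ { print; next }              # keep comments exactly as-is
        /^[ \t]*CheckUserAllowedByClient[ \t]*=/ {
            print "CheckUserAllowedByClient = 1"; found = 1; next
        }
        { print }
        END { if (!found) exit 2 }
    ' "$1" > "$1.new"; then
        return 0
    fi
    echo "no active CheckUserAllowedByClient line in $1; refusing to guess" >&2
    rm -f "$1.new"
    return 1
}

# changed_lines OLD NEW
# Number of differing lines reported by diff. Exactly 2 (one '<', one '>')
# means only the CheckUserAllowedByClient value changed.
changed_lines() {
    diff "$1" "$2" | grep -c '^[<>]'
}

# Stand-alone demonstration on a temporary copy of the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_INI" > "$tmp"
echo "before: CheckUserAllowedByClient = $(get_check_user_allowed "$tmp")"
set_check_user_allowed "$tmp"
echo "after:  CheckUserAllowedByClient = $(get_check_user_allowed "$tmp.new")"
echo "lines changed by the rewrite: $(changed_lines "$tmp" "$tmp.new")"
# On a real instance the article's remaining steps would follow here:
#   cp /tmp/securid.ini.new /opt/rsa/am/radius/securid.ini
#   /opt/rsa/am/server/rsaserv restart radius
rm -f "$tmp" "$tmp.new"
```

Running the rewrite twice produces an identical file, so the script is safe to re-run on an instance that has already been fixed, and the changed_lines check is the scripted equivalent of the diff step above: anything other than 2 means the .new file should not be copied over securid.ini.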