Microsoft NPS2019 - RADIUS with AM Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Jul 9, 2020
Version 1Show Document
  • View in full screen mode

This section describes how to integrate Microsoft NPS with RSA Authentication Manager using RADIUS.

Architecture Diagram

Configure RSA Authentication Manager

To configure your RSA Authentication Manager for use with a RADIUS Agent, you must configure a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console.

The relationship of agent host record to RADIUS client in the Authentication Manager can 1 to 1, 1 to many or 1 to all (global).

RSA Authentication Manager listens on ports UDP 1645 and UDP 1812.


Configure Microsoft NPS

Perform these steps to configure Microsoft NPS as a RADIUS client to RSA Authentication Manager and to configure Connection Request Policy in NPS.


1. In Server Manager, click Tools, and then click Network Policy Server to open the NPS console.

2. In the left-hand pane, expand the RADIUS Clients and Servers folder, right-click Remote RADIUS Server Groups and click New.

3. In the New Remote RADIUS Server Group dialog box, for Group name, enter a name for the remote RADIUS server group. Under RADIUS Servers, click Add.

4.  In the Add RADIUS Server dialog box, enter IP address or FQDN of the primary RSA Authentication Manager RADIUS server and click Verify if FQDN is used.

5. Click Authentication/Accounting tab. For Shared secret and Confirm shared secret, enter the same shared secret used for adding RADIUS client in RSA Authentication Manager.

6. Click Load Balancing tab, increase the timeout value for Number of seconds without response before request is considered dropped to 10 seconds and click OK.



Note:  The default value of 3 seconds for Number of seconds without response before request is considered dropped might be insufficient and users might experience authentication issues. The Windows Security Event log records the authentication failure with Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond and Reason Code: 117. Increase the timeout value appropriately to resolve this issue.

7.(Optional) Repeat steps 3 to 6 to add replica RSA Authentication Manager RADIUS servers and click OK.

8. In the left-hand pane, expand Policies, right-click Connection Request Policy, click New.

9. Enter a name for Policy name and select access server type of your deployment from Type of network access server drop-down list. Click Next.

10. Click Add to specify a new condition to the policy.

11. Select User Name for the condition. Click Add…

12. Depending on the format of your user login names, enter the common element of the User Name (For example, a pattern that matches email domain. The entry matches all email addresses from the domain). Click OK.

13. Click Next.

14. Select Forward requests to the following remote RADIUS server group for authentication radio button and select RADIUS server group added in step 3 from the drop-down list. Click Next.

15. Select User-Name from the Attribute drop-down list and click Add.

16. For the Attribute Manipulation rule enter the common element of the User-Name in the Find: box and leave Replace with: blank. Click OK and then click Next.

Note:  This step is necessary if User ID mapping in RSA Authentication Manager is not same as E-mail and this will prevent the common element of the user name being passed to the RSA RADIUS server. For example, during authentication, the end user enters "" but only "username" will be passed to the RSA RADIUS Server.

17. Click Finish.



Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the RADIUS configuration to your use case.

You are here
Microsoft NPS2019 - RADIUS with AM Configuration - RSA Ready SecurID Access Implementation Guide