|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
|Issue||In the Security Console's authentication activity monitor, you may notice that when a RADIUS client authenticates with the primary RADIUS server, the server node IP address is always the primary Authentication Manager server's IP address (and when a RADIUS client authenticates with a replica RADIUS server, the server node IP address is always that same replica Authentication Manager server's IP address). This indicates that the Authentication Manager 8.1 RADIUS server always forwards authentication attempts to the Authentication Manager server on which the RADIUS server resides. It never uses the other primary or replica Authentication Manager servers for authentication.|
Please note that from the Authentication Manager server's perspective, the RSA RADIUS server is also an agent. The RADIUS server acts like a proxy: it receives RADIUS authentication requests sent from RADIUS clients and forwards them for authentication to the Authentication Manager server on the same instance or on other instances in a primary/replica environment. The RADIUS server gets the authentication results from the Authentication Manager server and sends the corresponding RADIUS response to the RADIUS clients.
In Authentication Manager 7.1, the RADIUS server automatically load balances the authentications across all instances in a primary/replica environment.
|Resolution||In earlier Authentication Manager versions, the RSA RADIUS server used SDK 6.1 to communicate with the Authentication Manager server. In Authentication Manager 8.1, this has been replaced with SDK 8.1. |
The problem is currently being investigated in JIRA AM-29416.
The workaround is to create an sdopts.rec file in the /opt/rsa/am/radius directory that lists all primary and replica IP addresses. An example of sdopts.rec configuration is shown below. Replace the primary_ip_address and replica_ip_address strings below with the real IP addresses of the servers, each followed by a weight value from 0 to 10.
After creating the sdopts.rec file, restart the RADIUS server through the Operations Console, or SSH to the primary and run the following:
For a detailed explanation of sdopts.rec, please refer to the RSA Authentication Agent Installation and Administration Guide for the agent that you have installed.
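As an added example (not part of the original article and not RSA's code), the script below builds the sdopts.rec contents described in the workaround from a list of `ip,weight` pairs and rejects malformed addresses or weights outside 0 to 10 before anything is written. It assumes the `USESERVER=ip_address,weight` keyword from the RSA Authentication Agent documentation, which this article does not show; the function names are hypothetical and the addresses are constructed.

```shell
# Added example (not RSA's code). Function names are hypothetical; addresses
# are constructed documentation addresses from 192.0.2.0/24.

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_weight N: succeed if N is an integer from 0 to 10 (the page's range).
valid_weight() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 2 ] && [ "$1" -le 10 ]
}

# make_sdopts IP,WEIGHT...: print one USESERVER line per server; print
# nothing on stdout and return 1 if any entry is malformed.
make_sdopts() {
    out=""
    for entry in "$@"; do
        ip=${entry%%,*}
        weight=${entry#*,}
        if [ "$ip" = "$entry" ] || ! valid_ipv4 "$ip" || ! valid_weight "$weight"; then
            echo "invalid entry: $entry" >&2
            return 1
        fi
        out="${out}USESERVER=${ip},${weight}
"
    done
    [ -n "$out" ] || return 1
    printf '%s' "$out"
}

# Constructed input: one primary and one replica.
make_sdopts 192.0.2.10,10 192.0.2.11,8
```

Redirect the output to /opt/rsa/am/radius/sdopts.rec once every Authentication Manager instance is listed.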