000030920 - AM 8.1: sdopts.rec must be created manually for the RADIUS server to authenticate with all Authentication Manager servers

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030920
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
Platform: Other
Platform (Other): ..
O/S Version: null
Product Name: RSA-0010810
Product Description: RSA-0010810
Issue

In the Security Console authentication activity monitor, you may notice that when a RADIUS client authenticates with the primary RADIUS server, the server node IP address is always the primary Authentication Manager server's IP address (and when a RADIUS client authenticates with a replica RADIUS server, the server node IP address is always that same replica Authentication Manager server's IP address). This indicates that the AM 8.1 RADIUS server always forwards authentication attempts to the Authentication Manager server on which the RADIUS server resides. It never uses the other primary or replica Authentication Manager servers for authentication.
Note that, from the Authentication Manager server's perspective, the RSA RADIUS server is also an agent. The RADIUS server acts like a proxy: it receives RADIUS authentication requests from RADIUS clients and forwards them for authentication to the Authentication Manager server on the same instance or on other instances in a primary-replica environment. The RADIUS server gets the authentication results from the Authentication Manager server and sends the corresponding RADIUS responses to the RADIUS clients.
In AM 7.1, the RADIUS server automatically load balances authentications across all instances in a primary-replica environment.
In AM 8.1, the RADIUS server by default authenticates only with its own Authentication Manager server.
Resolution

In earlier AM versions, the RSA RADIUS server uses SDK 6.1 to communicate with the Authentication Manager server. In AM 8.1, this has been replaced with SDK 8.1.
The problem is currently being investigated under JIRA AM-29416.
The workaround is to create an sdopts.rec file in the /opt/rsa/am/radius folder that lists all primary and replica IP addresses.
An example of sdopts.rec configuration is shown below. Replace the primary and replica IPs with the real IP addresses.
After creating the sdopts.rec file, restart the RADIUS server service with the command "/opt/rsa/am/server/rsaserv restart radius".
For a detailed explanation of sdopts.rec, please refer to the RSA agent admin guide.
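
As an added example (not part of the original RSA article and not RSA's code), the shell functions below generate the sdopts.rec body from a list of instance addresses and reject malformed or duplicate IPs before anything is written. The `USESERVER=<ip>, <priority>` line syntax and the 2-10 priority range are assumptions based on the standard RSA agent sdopts.rec format, the function names are hypothetical, and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not RSA's code. Assumption: sdopts.rec uses the agent
# "USESERVER=<ip>, <priority>" syntax; confirm in the RSA agent admin guide.

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray chars or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_sdopts PRIORITY IP...: print one USESERVER line per instance.
# Every instance gets the same priority so none is favoured.
build_sdopts() {
    prio=$1
    [ "$#" -ge 2 ] || { echo "usage: build_sdopts PRIORITY IP..." >&2; return 2; }
    shift
    case "$prio" in
        ''|*[!0-9]*) echo "priority must be a number: $prio" >&2; return 2 ;;
    esac
    # Assumption: 2-10 is the weighted load-balancing range.
    [ "$prio" -ge 2 ] && [ "$prio" -le 10 ] || {
        echo "priority out of range 2-10: $prio" >&2; return 2; }
    seen=" "
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
        case "$seen" in
            *" $ip "*) echo "duplicate address: $ip" >&2; return 1 ;;
        esac
        seen="$seen$ip "
    done
    for ip in "$@"; do
        printf 'USESERVER=%s, %s\n' "$ip" "$prio"
    done
}

# Constructed addresses (documentation range); substitute the real primary
# and replica IPs and redirect the output to /opt/rsa/am/radius/sdopts.rec.
build_sdopts 10 192.0.2.10 192.0.2.11 192.0.2.12
```

After the restart described above, the authentication activity monitor should show the server node IP address varying across instances rather than staying fixed on the local one.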