000030920 - Manually creating an sdopts.rec file for use by a RADIUS server to authenticate with all RSA Authentication Manager 8.1 servers

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Apr 4, 2018.
Version 3

Article Content

Article Number: 000030920
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
Issue: In the Security Console's authentication activity monitor, you may notice that if a RADIUS client authenticates with the primary RADIUS server, the server node IP address is always the primary Authentication Manager server IP address (or, if a RADIUS client authenticates with a replica RADIUS server, the server node IP address is always that same replica Authentication Manager server IP address). This indicates that the Authentication Manager 8.1 RADIUS server always forwards authentication attempts to the Authentication Manager server on which the RADIUS server resides. It never uses the other primary or replica Authentication Manager servers for authentication.

Please note that from the Authentication Manager server's perspective, the RSA RADIUS server is also an agent. The RADIUS server acts like a proxy: it receives RADIUS authentication requests sent by RADIUS clients and forwards them to the Authentication Manager server on the same instance, or on other instances in a primary/replica environment, for authentication. The RADIUS server gets the authentication result from the Authentication Manager server and sends the corresponding RADIUS response to the RADIUS client.
 

In Authentication Manager 7.1, the RADIUS server automatically load balances the authentications across all instances in a primary/replica environment.
In Authentication Manager 8.1, the RADIUS server by default just authenticates with its own Authentication Manager server. 

Resolution: In earlier Authentication Manager versions, the RSA RADIUS server used SDK 6.1 to communicate with the Authentication Manager server. In Authentication Manager 8.1, this has been replaced with SDK 8.1.

The problem is currently being investigated under JIRA AM-29416.

The workaround is to create an sdopts.rec file in the /opt/rsa/am/radius directory listing all primary and replica IP addresses. An example sdopts.rec configuration is shown below. Replace the primary_ip_address and replica_ip_address strings with the real IP addresses of the servers, each followed by a comma and a weight value from 0 to 10.



USESERVER=<primary_ip_address>,4
USESERVER=<replica1_ip_address>,3
USESERVER=<replica2_ip_address>,3

After creating the sdopts.rec file, restart the RADIUS server through the Operations Console, or SSH to the primary and run the following:


/opt/rsa/am/server/rsaserv restart radius
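Because a malformed sdopts.rec line (for example a period instead of the comma before the weight) is easy to miss and only shows up as the RADIUS server silently ignoring the entry, a practitioner may want to check the file before restarting RADIUS. The following POSIX shell validator is an added example, not part of this RSA article or of the product; it checks that every USESERVER line has the form USESERVER=<dotted-quad IP>,<weight 0-10>. The 192.0.2.x addresses and the file paths in it are constructed placeholders, not values from the article.

```shell
#!/bin/sh
# Added example (not from the RSA article): validate an sdopts.rec before
# restarting the RADIUS server. Every USESERVER line must look like
#   USESERVER=<dotted-quad IP>,<weight>   with weight in 0..10
# Addresses below are constructed placeholders (192.0.2.0/24 documentation range).

# check_sdopts FILE
# Returns 0 if every USESERVER line is well-formed, 1 otherwise; problems go to stderr.
check_sdopts() {
    file="$1"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;                    # blank line or comment
            USESERVER=*) ;;                         # the only directive we accept
            *) echo "line $n: unrecognised directive: $line" >&2; bad=1; continue ;;
        esac
        value="${line#USESERVER=}"
        ip="${value%%,*}"
        weight="${value#*,}"
        # No comma at all: catches the common '10.0.0.3.3' style typo.
        if [ "$ip" = "$value" ]; then
            echo "line $n: missing ',' between address and weight (got '$value')" >&2
            bad=1; continue
        fi
        # Address must be four numeric octets, each 0..255.
        if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "line $n: '$ip' is not a dotted-quad IP address" >&2
            bad=1; continue
        fi
        old_ifs=$IFS; IFS=.
        set -- $ip
        IFS=$old_ifs
        for octet in "$@"; do
            if [ "$octet" -gt 255 ]; then
                echo "line $n: octet '$octet' in '$ip' exceeds 255" >&2
                bad=1; continue 2
            fi
        done
        # Weight must be an integer in 0..10.
        case "$weight" in
            ''|*[!0-9]*) echo "line $n: weight '$weight' is not an integer" >&2; bad=1; continue ;;
        esac
        if [ "$weight" -gt 10 ]; then
            echo "line $n: weight '$weight' is outside 0..10" >&2
            bad=1; continue
        fi
    done < "$file"
    return "$bad"
}

# write_sample FILE: writes a constructed, well-formed sdopts.rec to FILE
# (placeholder addresses; substitute the real primary and replica addresses).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sdopts.rec: one entry per Authentication Manager instance
USESERVER=192.0.2.10,4
USESERVER=192.0.2.11,3
USESERVER=192.0.2.12,3
EOF
}

# Usage: sh check_sdopts.sh /opt/rsa/am/radius/sdopts.rec
if [ "$#" -eq 1 ]; then
    check_sdopts "$1" && echo "$1: all USESERVER lines are well-formed"
fi
```

Run it against the file before issuing the rsaserv restart; a non-zero exit status with the offending line number on stderr tells you which entry to fix first.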

 

For a detailed explanation of the sdopts.rec file, please refer to the RSA Authentication Agent Installation and Administration Guide for the agent that you have installed.
