000017106 - 'How to ensure Agent Hosts for RADIUS clients are not required when setting up RSA RADIUS on Authentication Manager 7.1 or Appliance 3.0'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017106
Issue: "How to ensure Agent Hosts for RADIUS clients are not required when setting up RSA RADIUS on Authentication Manager 7.1 or Appliance 3.0"
Keywords: RADIUS client <ANY>, ANY RADIUS client, dynamic RADIUS
Error: "Agent host not found" in the RSA Authentication Manager activity log
Cause: By default, every RADIUS client must be defined twice: as a RADIUS client under "Manage RADIUS" AND as an Agent Host in Database Administration. A request from a RADIUS client that has no matching Agent Host is rejected and logged as "Agent host not found". This behaviour can be changed by editing a configuration file on the RSA RADIUS server.
Resolution: To configure RSA RADIUS to require only RADIUS client definitions (no Agent Host per client):

1. Log on to the Operations Console of the Primary RSA server using Operations Console credentials.
2. Select Maintenance > Flush Cache.
You will be prompted for a second authentication; this one uses Security Console Super Admin credentials, not the Operations Console credentials.
Click the Flush button.

3. Select Deployment Configuration > RADIUS > Manage Existing.
4. In the drop-down box for the Primary, select Manage RADIUS Server.
5. Select the link Edit Server Configuration Files.
6. In the drop-down for radius.ini (in some versions the setting lives in securid.ini instead), select Edit.
7. Scroll down until you find the line that reads ;[Configuration] or [Configuration]. If the line begins with a semicolon, remove it; a leading semicolon is an ini comment, so a commented-out section header has no effect.
8. Add the following line directly after it (the setting name is case sensitive):
CheckUserAllowedByClient = 1
Click Save.
9. Select Deployment Configuration > RADIUS > Manage Existing.
10. In the drop-down box for the Primary, select Manage RADIUS Server.
11. Click the link Stop Server and wait for the RADIUS server to stop.
12. Click the link Start Server and wait for the RADIUS server to start.

The Primary RADIUS server is now configured to work with <ANY> RADIUS client. If you have any Replicas, repeat steps 3-12 for EACH Replica; these steps are also performed from the Primary's Operations Console, selecting the Replica in the drop-down box instead of the Primary.
Notes: See Primus A30024 for a similar solution for AM 6.1.
This makes the system more flexible, as it allows any RADIUS client that presents the correct RADIUS shared secret to authenticate. It has two drawbacks:

1. Since <ANY> RADIUS client gets a chance to authenticate, this is less secure than maintaining an explicit list of clients: the shared secret becomes the only control over which hosts can submit authentication requests, so network access to the RADIUS ports should be restricted accordingly.

2. The AM logs may not show the client names, which may not be acceptable in all environments.
Legacy Article ID: a60636
