As part of the RADIUS setup process, you must add one or more RADIUS clients, such as VPN servers or firewalls.
Before you begin
- You must be a Super Admin in the Cloud Administration Console.
Determine whether the RADIUS client you add will use the default user authentication interface provided by the manufacturer, or the customized, streamlined web client interface that RSA provides for some specific RADIUS client devices. To use the custom interface, you must install the RSA web client kit for your RADIUS client device. For instructions, see Install the RADIUS Custom Web Client Interface.
- Sign into the Cloud Administration Console.
- Click Authentication Clients > RADIUS.
- In the left-hand navigation frame, click RADIUS Clients.
- Click Add RADIUS Client.
- In the Name field, enter a name for the RADIUS client, such as Cisco, or Citrix.
- In the IP Address field, enter the IP address of the network device you want to add as RADIUS client.
- In the Shared Secret field, enter the shared secret that acts as a password between this client and the RADIUS server.
- (Optional). In the Authentication Details section, select how validation will be performed for user requests to this RADIUS client. By default, the Cloud Authentication Service validates the user's directory server password and applies the access policy that is configured for the RADIUS client for additional authentication. You can configure the client to require the Cloud Authentication Service to only apply the configured access policy for additional authentication. In this case, make sure the RADIUS client requires password authentication, or that the access policy requires all users to perform additional authentication.
In the Access Policy field, select a policy to apply to users who authenticate through this RADIUS client.
Note: If the policy requires additional authentication, it must specify at least one of these methods: Approve, SecurID Token, Authenticate Tokencode, Device Biometrics, SMS Tokencode, or Voice Tokencode. RADIUS does not support other methods. Also, RADIUS does not support authentication conditions in access policies. Policies with conditions do not appear in the drop-down list.
(Optional). Enable the Automatically prompt for default authentication method field to enable the RADIUS client to send push notifications for Approve and Device Biometrics without forcing users to select a method, when Approve or Device Biometrics is the user's default method. Enabling this field does not affect the RADIUS user experience for other authentication methods.
(Optional) If you enabled the previous field, Automatically prompt for default authentication method, users who do not respond to the push notification within 40 seconds are prompted to select another method provided from the assurance level in the access policy. You can use the Allow users to select authentication method after timeout (seconds) field to increase or decrease the 40 second default. If the assurance level provides an alternate method, RSA recommends that you allow users 10-40 seconds to complete the alternate method.
Note: If the user taps the device notification or opens the Authenticate app, the app resets the timeout to 60 seconds, regardless of the value set for this field. If the device does not receive the notification, or the user does not tap the notification or open the app, mobile authentication times out on the RADIUS client after 90 seconds and authentication fails.
- In the Web Client Interface field, leave Standard selected if this RADIUS client will use the default user authentication interface provided by the device manufacturer, or select Custom if you plan to use the customized, streamlined web client interface that RSA provides for some specific RADIUS client devices.
- If you plan to use the custom web client interface:
- Select your RADIUS device from the RADIUS Device Type drop-down menu.
- Click Download Custom Web Client Kit, and save the zip package to a location on your local drive. The web client kit contains files that you must install on your RADIUS device to enable the custom web client interface.
- Click Save.
- Click Publish Changes to apply the configured settings.