000034103 - Configuring a RADIUS client for McAfee Enterprise Security Manager 5.3 to authenticate to RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Nov 30, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034103
Applies ToRSA Product Set : SecurID
RSA Product/Service Type : RSA Authentication Manager
RSA Version/Condition: 8.2, 8.1 Service Pack 1
IssueAn administrator has a requirement to protect the McAfee management interface with SecurID two-factor authentication.
ResolutionMcAfee Enterprise Security Manager (ESM) can send RADIUS authentications but cannot handle RADIUS challenge response.  This means ESM cannot support new PIN or next tokencode mode.
Where RADIUS is used to send the authentication to RSA Authentication Manager 8.x deployment, a RADIUS client and an associated RSA agent host record must be created using the Security Console for the software/device sending the RADIUS authentication.
  1. In the Security Console select RADIUS > RADIUS Client > Add New.  
  2. Enter a client name, IP address and IP address.
  3. Leave the default Make/Model value as - Standard Radius -.
  4. Create the Shared Secret.  This secret must be the same as the one on the RADIUS client.
User-added image


  1. Click Save & Create Associated RSA Agent.  You will see the message Added 1 RADIUS client(s).
User-added image

McAfee Enterprise Security Manager requires a RADIUS profile be returned which provides group access after a successful authentication.

  1. In the Security Console select RADIUS > RADIUS ProfilesAdd New.
  2. Enter a Profile Name.
  3. In the section for Return List Attributes, select the Filter-ID[M] attribute and enter a value, such as McAfee:version=1:groups=<ACCESS_GROUPS>,replacing <ACCESS_GROUPS> with a comma-separated list of ESM access groups. For example, if you had an ESM access group called AllRights, you would type: McAfee:version=1:groups=AllRights.
  4. For two access groups called Policy and Reporting that require this policy, you would type McAfee:version=1:groups=Policy,Reporting.  For example,
User-added image


  1. Click Add in the Return List Attribute section and then click Save.

User-added image


  1. Left-click the name of the profile created above.  
  2. Select Associated Users.
  3. Select Assign to More Users.
  4. Use the Search Criteria to search for User IDs.
  5. Select the User IDs to assign to the RADIUS profile and click Assign Profile.  For example, 
User-added image

User-added image

  1. Perform a RADIUS authentication with the User ID that is assigned the RADIUS profile.  In this example a test RADIUS authentication was done using NTRadPing to an Authentication Manager 8.1 server.
User-added image

  1. In the screen shot we see the RADIUS server reply with an Access-Accept and the Filter-ID and group information crated above.
  2. The RADIUS log file created in /opt/rsa/am/radius and named for the date that the test was done (in this case, 20160926.log), shows the line:

09/26/2016 15:29:39 Sent accept response for user rsatest to client NTRADPING

  1. The Authentication Monitor output is as follows:
User-added image