|Resolution||McAfee Enterprise Security Manager (ESM) can send RADIUS authentication,s but cannot handle the RADIUS challenge response. This means the ESM cannot support New PIN Mode or Next Tokencode Mode.|
Where RADIUS is used to send the authentication to RSA Authentication Manager 8.x deployment, a RADIUS client and an associated RSA agent record must be created using the Security Console for the software/device sending the RADIUS authentication.
- In the Security Console select RADIUS > RADIUS Client > Add New.
- Enter a client name, IP address and IP address.
- Leave the default Make/Model value as - Standard Radius -.
- Create the Shared Secret. This secret must be the same as the one on the RADIUS client.
- Click Save & Create Associated RSA Agent. You will see the message Added 1 RADIUS client(s).
McAfee Enterprise Security Manager requires a RADIUS profile be returned which provides group access after a successful authentication.
- In the Security Console select RADIUS > RADIUS Profiles > Add New.
- Enter a Profile Name.
- In the section for Return List Attributes, select the Filter-ID[M] attribute and enter a value, such as McAfee:version=1:groups=<ACCESS_GROUPS>, replacing <ACCESS_GROUPS> with a comma-separated list of ESM access groups. For example, if you had an ESM access group called AllRights, you would type: McAfee:version=1:groups=AllRights.
- For two access groups called Policy and Reporting that require this policy, you would type McAfee:version=1:groups=Policy,Reporting. For example,
- Click Add in the Return List Attribute section and then click Save.
- Left-click the name of the profile created above.
- Select Associated Users.
- Select Assign to More Users.
- Use the Search Criteria to search for User IDs.
- Select the User IDs to assign to the RADIUS profile and click Assign Profile. For example,
- Perform a RADIUS authentication with the User ID that is assigned the RADIUS profile. In this example a test RADIUS authentication was done using NTRadPing to an RSA Authentication Manager 8.1 server.
- In the screen shot we see the RADIUS server reply with an Access-Accept and the Filter-ID and group information crated above.
- The RADIUS log file created in /opt/rsa/am/radius and named for the date that the test was done (in this case, 20160926.log), shows the line:
09/26/2016 15:29:39 Sent accept response for user rsatest to client NTRADPING
- The Authentication Monitor output is as follows: