000034103 - Configure McAfee Enterprise Security Manager 5.3 as RADIUS client to authenticate to RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Nov 30, 2016. Last modified by RSA Customer Support on Jan 8, 2020.
Version 4

Article Content

Article Number: 000034103
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 and later
Issue: This article explains how to protect the McAfee management interface with RSA SecurID two-factor authentication.
Resolution: McAfee Enterprise Security Manager (ESM) can send RADIUS authentications, but cannot handle the RADIUS challenge response.  This means the ESM cannot support New PIN Mode or Next Tokencode Mode.

Where RADIUS is used to send the authentication to an RSA Authentication Manager 8.x deployment, a RADIUS client and an associated RSA agent record must be created in the Security Console for the software or device sending the RADIUS authentication.
  1. In the Security Console select RADIUS > RADIUS Client > Add New.
  2. Enter a client name and IP address.
  3. Leave the default Make/Model value as - Standard Radius -.
  4. Create the Shared Secret.  This secret must be the same as the one on the RADIUS client.

  5. Click Save & Create Associated RSA Agent.  You will see the message Added 1 RADIUS client(s).

McAfee Enterprise Security Manager requires that a RADIUS profile providing group access be returned after a successful authentication.
  1. In the Security Console select RADIUS > RADIUS Profiles > Add New.
  2. Enter a Profile Name.
  3. In the section for Return List Attributes, select the Filter-ID[M] attribute and enter a value, such as McAfee:version=1:groups=<ACCESS_GROUPS>, replacing <ACCESS_GROUPS> with a comma-separated list of ESM access groups. For example, if you had an ESM access group called AllRights, you would type: McAfee:version=1:groups=AllRights.
  4. For two access groups called Policy and Reporting that require this policy, you would type McAfee:version=1:groups=Policy,Reporting.  For example,

User-added image

  5. Click Add in the Return List Attribute section and then click Save.
  6. Left-click the name of the profile created above.
  7. Select Associated Users.
  8. Select Assign to More Users.
  9. Use the Search Criteria to search for User IDs.
  10. Select the User IDs to assign to the RADIUS profile and click Assign Profile.  For example,

User-added image

User-added image

  11. Perform a RADIUS authentication with the User ID that is assigned the RADIUS profile.  In this example, a test RADIUS authentication was done using NTRadPing to an RSA Authentication Manager 8.1 server.

User-added image

  12. In the screenshot, the RADIUS server replies with an Access-Accept and the Filter-ID and group information created above.
  13. The RADIUS log file, created in /opt/rsa/am/radius and named for the date that the test was done (in this case, 20160926.log), shows the line:

09/26/2016 15:29:39 Sent accept response for user rsatest to client NTRADPING

  14. The Authentication Monitor output is as follows:

User-added image

Notes: For more information on using NTRadPing, see 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager.
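
The test authentication above checks two things: that the reply is an Access-Accept, and that it carries the Filter-ID value ESM needs. The Python sketch below is an added example, not RSA or McAfee code: it verifies a reply's Response Authenticator against the shared secret (RFC 2865), extracts the ESM groups from the Filter-ID attribute, and flags an Access-Challenge, which ESM cannot answer. The secret, request authenticator and packets are constructed sample values, and the function names and verdict strings are this example's own.

```python
import hashlib
import hmac
import struct

ACCEPT, REJECT, CHALLENGE = 2, 3, 11   # RFC 2865 packet codes
FILTER_ID = 11                          # RFC 2865 attribute type


def parse_filter_id(value):
    """Return the ESM groups from 'McAfee:version=1:groups=A,B', else []."""
    parts = value.split(":", 2)
    if len(parts) != 3 or parts[:2] != ["McAfee", "version=1"]:
        return []
    key, _, names = parts[2].partition("=")
    return [g for g in names.split(",") if g] if key == "groups" else []


def build_reply(code, ident, req_auth, secret, attrs):
    """Construct a server reply; used only to make sample input offline."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def check_reply(packet, req_auth, secret):
    """Verify the Response Authenticator, then return (verdict, groups)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    want = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("shared secret mismatch or altered reply")
    groups, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("malformed attribute")
        if packet[pos] == FILTER_ID:
            value = packet[pos + 2:pos + packet[pos + 1]]
            groups += parse_filter_id(value.decode("utf-8", "replace"))
        pos += packet[pos + 1]
    if packet[0] == CHALLENGE:   # New PIN / Next Tokencode: ESM cannot answer
        return "challenge", groups
    if packet[0] == ACCEPT:
        return ("accept" if groups else "accept-no-groups"), groups
    return "reject", groups


# Constructed sample values, not taken from any real deployment.
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
SAMPLE_ACCEPT = build_reply(ACCEPT, 1, REQ_AUTH, SECRET,
                            [(FILTER_ID, b"McAfee:version=1:groups=Policy,Reporting")])
```

An "accept-no-groups" verdict means the user authenticated but has no RADIUS profile with a McAfee Filter-ID assigned, so ESM receives no group access.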
