on Jan 11, 2017Article Content
| Article Number | 000033383 |
| Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.2 |
| Issue | RSA Authentication Manager 8.2 uses RADIUS administration port 1813 which still requires SSLv3 even after implementing strict TLS v1.2 mode. |
| Cause | RADIUS administration port 1813 negotiates with SSLv3 protocol since RADIUS does not support TLS mode. |
| Resolution | The new PCI regulation requires TLS v1.2. RSA Authentication Manager 8.2 supports two TLS configuration modes. 1. Strict TLS 1.2 mode In this mode, all ports in RSA Authentication Manager 8.2 will be in TLS v1.2 mode except the RADIUS administration port 1813 which will negotiate in SSLv3 since RADIUS does not support TLS mode. This mode can be enabled only if customer environment requires it and it needs optional configuration. 2. Non-strict TLS 1.2 mode ( default mode of AM 8.2) The default mode of RSA Authentication Manager 8.2 is non-strict TLS 1.2. This mode supports all TLS versions of TLS protocol such as TLS 1.1, TLS 1.0, and SSLv3. This mode is used as default mode mainly to keep the backward compatibility with the older Agents and SDK agents. Limitations of strict TLS 1.2 mode These limitations are mostly due to the inability of older clients to negotiate with TLS v1.2 protocol. The strict TLS mode does not support the following: 1. Provisioning of software token via CT-KIP to Android versions prior to 5.0.2, iOS versions prior to 8.x, Software token for Macintosh and Blackberry. 2. Auto registration and Offline Authentication in RSA Authentication Agents prior to 7.3. 3. RADIUS administration TCP port 1813 of Steel-Belted RADIUS server still requires SSLv3. 4. The enabling of strict TLS mode requires the CLU to be run on each server to update the server configuration. Note: Refer to RSA Authentication Manager 8.2 Release Notes for details on enabling strict TLS v1.2 mode. The CLU allows to enable TLS v1.2 mode. However, in order to take effect of the configuration changes the RSA services must be restarted. See How to enable strict TLS 1.2 mode in RSA Authentication Manager 8.2 |