000033383 - What are the limitations of strict TLS 1.2 mode in RSA Authentication Manager 8.2?

Document created by RSA Customer Support Employee on Jan 11, 2017Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033383
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
IssueRSA Authentication Manager 8.2 uses RADIUS administration port 1813 which still requires SSLv3 even after implementing strict TLS v1.2 mode.
CauseRADIUS administration port 1813 negotiates with SSLv3 protocol since RADIUS does not support TLS mode. 
ResolutionThe new PCI regulation requires TLS v1.2. RSA Authentication Manager 8.2 supports two TLS configuration modes.
1. Strict TLS 1.2 mode 
     In this mode, all ports in RSA Authentication Manager 8.2 will be in TLS v1.2 mode except the RADIUS administration port 1813 which will negotiate in SSLv3 since RADIUS does not support TLS mode. This mode can be enabled only if customer environment requires it and it needs optional configuration.
2. Non-strict TLS 1.2 mode   ( default mode of AM 8.2)
    The default mode of RSA Authentication Manager 8.2 is non-strict TLS 1.2. This mode supports all TLS versions of TLS protocol such as TLS 1.1, TLS 1.0, and SSLv3. This mode is used as default mode mainly to keep the backward compatibility with the older Agents and SDK agents.
Limitations of strict TLS 1.2 mode
These limitations are mostly due to the inability of older clients to negotiate with TLS v1.2 protocol. The strict TLS mode does not support the following:
1. Provisioning of software token via CT-KIP to Android versions prior to 5.0.2, iOS versions prior to 8.x, Software token for Macintosh and Blackberry.
2. Auto registration and Offline Authentication in RSA Authentication Agents prior to 7.3.
3. RADIUS administration TCP port 1813 of Steel-Belted RADIUS server still requires SSLv3.
4. The enabling of strict TLS mode requires the CLU to be run on each server to update the server configuration.
Note: Refer to RSA Authentication Manager 8.2 Release Notes for details on enabling strict TLS v1.2 mode. The CLU allows to enable TLS v1.2 mode. However, in order to take effect of the configuration changes the RSA services must be restarted.
See How to enable strict TLS 1.2 mode in RSA Authentication Manager 8.2