|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
|Issue||RSA Authentication Manager 8.2 uses RADIUS administration port 1813 which still requires SSLv3 even after implementing strict TLS v1.2 mode.|
|Cause||RADIUS administration port 1813 negotiates with SSLv3 protocol since RADIUS does not support TLS mode.|
|Resolution||The new PCI regulation requires TLS v1.2. RSA Authentication Manager 8.2 supports two TLS configuration modes.|
Strict TLS 1.2 mode
In this mode, all ports in RSA Authentication Manager 8.2 will be in TLS v1.2 mode except the RADIUS administration port 1813 which will negotiate in SSLv3 since RADIUS does not support TLS mode. This mode can be enabled only if customer environment requires it and it needs optional configuration.
Non-strict TLS 1.2 mode (default mode of Authentication Manager 8.2)
The default mode of RSA Authentication Manager 8.2 is non-strict TLS 1.2. This mode supports all TLS versions of TLS protocol such as TLS 1.1, TLS 1.0, and SSLv3. This mode is used as default mode mainly to keep the backward compatibility with the older Agents and SDK agents.
Limitations of strict TLS 1.2 mode
These limitations are mostly due to the inability of older clients to negotiate with TLS v1.2 protocol. The strict TLS mode does not support the following:
|Notes||Refer to the RSA Authentication Manager 8.2 Release Notes for details on enabling strict TLS v1.2 mode. The CLU allows to enable TLS v1.2 mode. However, in order to take effect of the configuration changes the RSA services must be restarted.|
Refer to the article entitled How to enable or disable strict TLS 1.2 mode in RSA Authentication Manager 8.2 for instructions on enabling or disabling strict TLS 1.2 mode.