Configure RADIUS Settings

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017. Version 2.

RADIUS settings allow you to perform routine RADIUS administrative tasks that apply to all RADIUS servers and clients in a deployment.
  1. In the Security Console, click Setup > System Settings.

  2. Under Advanced Settings, click RADIUS.

  3. Under RADIUS Settings, do the following:

    • In the RADIUS Profile Priority field, select a profile to use when both the agent and the user are assigned RADIUS profiles.

    • In the Default RADIUS Profile field, select the RADIUS profile that Authentication Manager assigns to a user's request when there is no assigned profile. RSA Authentication Manager does not contain a default RADIUS profile. If you want a default profile, you must specify one. For more information, see Add a RADIUS Client.

    • Select Send RADIUS Attributes if you want Authentication Manager to send RADIUS user attributes to the RADIUS server after the user has authenticated.

    • In the RADIUS Attribute Format field, specify the format of the attributes in the return list. The format must be compatible with the RADIUS clients. Most RADIUS clients can handle only the attribute value, but some older RADIUS clients can handle additional attribute formats. For more information, see your RADIUS client documentation.

  4. Under RADIUS Replication Configuration, in the Periodic RADIUS Replication field, select the Enable periodic RADIUS replication every 15 minutes check box to enable periodic RADIUS replication. By default, this check box is selected.

    To ensure that RADIUS servers remain synchronized, you must enable periodic RADIUS replication, or use the Security Console to initiate RADIUS replication. For instructions, see Initiate Replication to RADIUS Replica Servers.

  5. (Optional) If you want to customize the EAP-POTP settings, under EAP-POTP Settings, do the following:

    • In the Length of the Symmetric Key fields, enter the minimum and maximum bit length for the EAP symmetric key, which is named Pepper. The default minimum value is 1. The default maximum value is 2.

    • In the Symmetric Key Lifetime option, specify the amount of time that a symmetric key is valid. Enter a number between 1-365. The default value is 30.

    • In the Symmetric Key Refresh option, specify how long before the old symmetric key expires Authentication Manager should create a new one. From the drop-down menu, select a number between 1-15 that is less than the time frame specified in the Symmetric Key Lifetime option. The default value is 4.

      Authentication Manager uses this field if the EAP session is still active but the symmetric key will expire soon. Authentication Manager creates a refreshed symmetric key with the lifetime value specified in the Symmetric Key Lifetime option.

    • In the Iteration Count fields, enter the minimum and maximum number of iterations to use in the algorithm to generate the symmetric key. The default minimum value is 1,000. The default maximum value is 2,000.

      The client randomly selects a number in this range and sends this number to the server, which sends it to Authentication Manager. Authentication Manager uses the specific iteration count when it generates the symmetric key.

    • In the EAP-POTP Session Lifetime field, specify how long the session lasts before the user is prompted to re-enter credentials. Enter the number of hours between 1-24. The default value is 10.

    • In the EAP-POTP Session Resumption field, select the Allow resumption of user session while the session lifetime is still active check box if you want to allow Windows end users to resume sessions (for example, when roaming between wireless access points) without entering credentials, as long as the end users' computers have not restarted during the sessions.

      Do not select this option if you want to require Windows end users to re-enter their credentials to resume sessions. You might disable (clear) this option to meet corporate security requirements.

      If you disable this field, users cannot resume their previously saved EAP-POTP sessions. The next time the users request network access, Authentication Manager must create new symmetric keys for each user.

  6. Click Save.
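The following Python model is an added example, not code from RSA Authentication Manager or this documentation. It encodes the decision rules from step 3 (which RADIUS profile applies when the agent, the user, both, or neither has one) and the constraints from step 5 (value ranges, the refresh window that must be shorter than the key lifetime, and the server-side check that a client's chosen iteration count lies inside the configured range). The key derivation is a simplified stand-in using PBKDF2-HMAC-SHA256 and is not the EAP-POTP protocol's own derivation; the lifetime and refresh values are treated as days, a unit the page does not state; all names, defaults and sample values are assumptions taken from the procedure above.

```python
"""Illustrative model of the RADIUS profile and EAP-POTP settings described above.

Added example, not RSA Authentication Manager code. derive_key() is a PBKDF2
stand-in, not the EAP-POTP KDF; lifetime/refresh are treated as days (assumption).
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def resolve_radius_profile(agent_profile: Optional[str], user_profile: Optional[str],
                           priority: str, default_profile: Optional[str]) -> Optional[str]:
    """Step 3: pick the profile for a request.

    priority is "agent" or "user" (the RADIUS Profile Priority setting) and only
    matters when both the agent and the user have a profile. With neither assigned,
    the Default RADIUS Profile is used, which may be None because none ships by default.
    """
    if priority not in ("agent", "user"):
        raise ValueError("priority must be 'agent' or 'user'")
    if agent_profile and user_profile:
        return agent_profile if priority == "agent" else user_profile
    return agent_profile or user_profile or default_profile


@dataclass(frozen=True)
class EapPotpSettings:
    # Defaults taken from step 5 of the procedure above.
    key_len_min: int = 1          # Length of the Symmetric Key (minimum)
    key_len_max: int = 2          # Length of the Symmetric Key (maximum)
    key_lifetime: int = 30        # Symmetric Key Lifetime, 1-365 (days assumed)
    key_refresh: int = 4          # Symmetric Key Refresh, 1-15, must be < lifetime
    iter_min: int = 1000          # Iteration Count (minimum)
    iter_max: int = 2000          # Iteration Count (maximum)
    session_lifetime_h: int = 10  # EAP-POTP Session Lifetime, 1-24 hours
    allow_resumption: bool = True  # EAP-POTP Session Resumption check box


def validate(s: EapPotpSettings) -> list:
    """Return the constraints from step 5 that the settings violate (empty if none)."""
    problems = []
    if not 0 < s.key_len_min <= s.key_len_max:
        problems.append("symmetric key length: minimum must be >= 1 and <= maximum")
    if not 1 <= s.key_lifetime <= 365:
        problems.append("symmetric key lifetime must be between 1 and 365")
    if not 1 <= s.key_refresh <= 15:
        problems.append("symmetric key refresh must be between 1 and 15")
    if s.key_refresh >= s.key_lifetime:
        problems.append("symmetric key refresh must be less than the key lifetime")
    if not 0 < s.iter_min <= s.iter_max:
        problems.append("iteration count: minimum must be >= 1 and <= maximum")
    if not 1 <= s.session_lifetime_h <= 24:
        problems.append("session lifetime must be between 1 and 24 hours")
    return problems


def accept_iteration_count(s: EapPotpSettings, proposed: int) -> bool:
    """Server-side check of the iteration count the client picked at random: it must
    fall inside the configured range, so a client cannot propose a tiny count and
    weaken the derived key. The range bounds are therefore a security control."""
    return s.iter_min <= proposed <= s.iter_max


def derive_key(pepper: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Simplified stand-in for deriving the symmetric key from the Pepper with the
    accepted iteration count (assumption: PBKDF2-HMAC-SHA256, not the EAP-POTP KDF)."""
    return hashlib.pbkdf2_hmac("sha256", pepper, salt, iterations, dklen=length)


def key_state(s: EapPotpSettings, days_elapsed: int, session_active: bool) -> str:
    """'expired' once the lifetime has passed; 'refresh' when an active EAP session's
    key will expire within the refresh window (a new key with the full lifetime is
    then created); otherwise 'valid'. Inactive sessions are not refreshed early."""
    if days_elapsed >= s.key_lifetime:
        return "expired"
    if session_active and days_elapsed >= s.key_lifetime - s.key_refresh:
        return "refresh"
    return "valid"


if __name__ == "__main__":
    defaults = EapPotpSettings()
    print("default settings problems:", validate(defaults))
    print("refresh 4 with lifetime 3:", validate(EapPotpSettings(key_lifetime=3, key_refresh=4)))
    print("client proposed 500 iterations accepted:", accept_iteration_count(defaults, 500))
    print("key state at day 27 (active):", key_state(defaults, 27, True))
    print("profile, both assigned, user priority:",
          resolve_radius_profile("vpn-agent", "vpn-user", "user", None))
```

Running the script shows the two checks an administrator cannot see in the console alone: a refresh value equal to or above the lifetime is rejected, and an iteration count outside the configured minimum and maximum is refused before any key is derived.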