Contact Lists for Authentication Requests

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Apr 30, 2019.
Version 10

Contact lists are ordered lists of instances available to accept authentication requests, and are created either automatically by Authentication Manager, or manually by an administrator. Authentication Manager uses contact lists to determine to which instance authentication requests are sent. Authentication Manager sends contact lists to each agent after the initial contact between the agent and Authentication Manager.

Depending on your license type, your Authentication Manager deployment can have a primary instance and up to 15 replica instances. To increase efficiency, use contact lists to route authentication requests from agents to the instances that can respond the quickest.

Agents request new contact lists as a part of subsequent authentications. Periodically, the agent reviews all the instances listed in the contact list to determine where to send authentication requests. The agent uses metrics, such as the amount of time it takes the instance to respond to authentication requests, to determine where to send requests.

If none of the servers on the contact list respond to authentication requests, the agent reverts to the Authentication Manager configuration file and uses an IP address in the configuration file to reconnect with Authentication Manager.

RSA RADIUS supports contact lists for the RADIUS server agent. RADIUS client agents do not support contact lists because there is no authentication agent software installed on RADIUS clients. The associated agent record in the internal database enables Authentication Manager to track RADIUS authentication attempts made through the RADIUS server. For more information, see RADIUS Clients.

IPv4/IPv6 agents do not support contact lists.

Automatic Contact Lists

An automatic contact list is assigned to each instance in your deployment. The list contains the IP addresses of each instance the contact list is assigned to, up to a limit of 11. Agents receive automatic contact lists by default. Authentication Manager automatically updates these lists each time a new instance is added to the deployment. When the list is updated, a time stamp associated with the list is also updated. Agents use this time stamp to determine when to request an updated list.

The Super Admin can edit an automatic contact list in the Security Console on the Edit Authentication Manager Contact List page. Any edits that you make to an automatic contact list may be overwritten when a new instance is added to the deployment.

Manual Contact Lists

The Super Admin updates manual contact lists to reflect the most recent list of instances. Manual lists can contain the IP address of any instance in the deployment, up to a limit of 11. For many organizations, automatic contact lists are sufficient. However, you may choose to create a manual contact list if you have a specific way that you want to route authentication requests.

For example, suppose that you are an administrator at a company that has Boston, New York, and San Jose locations. The New York and San Jose locations are small, and all authentications are routed to Authentication Manager replica instances at each site. The Boston location, however, is the largest, and the primary instance at that location handles all Boston location users, as well as all VPN requests from external users. You can create a manual contact list that routes authentication requests to the replica instances. This leaves the primary instance free to replicate data to the replica instances in New York and San Jose.

Managing Contact Lists

A Super Admin can add and maintain manual contact lists, assign both automatic and manual contact lists to authentication agents, and update contact lists automatically when replica instances are added to or removed from the deployment. For instructions, see the following topics:

Add a Manual Contact List

Manual contact lists are created and maintained by the Super Admin, as an alternative to automatic contact lists. This allows an administrator to specify an ordered list of instances that are available to accept authentication requests.

Before you begin 

You must be a Super Admin.

Procedure 

  1. In the Security Console, click Access > Authentication Agents > Authentication Manager Contact List > Add New.

  2. Enter a name for the contact list. The name must be unique, and from 1 to 128 characters.

  3. From the Available column, select the instances with which you want authentication agents to communicate. Agents that use this contact list can communicate with these instances.

  4. Click Save.

Assign a Contact List to an Authentication Agent

You can assign either a manual or an automatic contact list to an authentication agent.

Procedure 

  1. In the Security Console, click Access > Authentication Agents > Manage Existing.

  2. Click the Restricted or Unrestricted tab, depending on whether the agent you want to work with is restricted or unrestricted.

  3. Use the search fields to find the agent to which you want to assign a contact list.

  4. From the search results, click the agent to which you want to assign a contact list.

  5. From the context menu, click Edit.

  6. Use the Authentication Manager Contact List buttons to select an automatic contact list or a manual contact list.

  7. If you selected a manual contact list, select a list from the drop-down menu.

  8. Click Save.

Edit a Manual Contact List

When an agent with a manual contact list needs a new replica instance, a Super Admin must add the server to its manual contact list.

Before you begin 

You must be a Super Admin.

Procedure 

  1. In the Security Console, click Access > Authentication Agents > Authentication Manager Contact List > Manage Existing.

  2. Use the search fields to find the contact list with which you want to work.

  3. From the search results, click the contact list that you want to edit.

  4. From the context menu, click Edit.

  5. Make any necessary changes to the contact list.

  6. Click Save.

Duplicate a Contact List

When you duplicate a contact list, a new contact list is created with information identical to the original list. You can duplicate a contact list whenever you want to use an existing list as a template for new lists.

Procedure 

  1. In the Security Console, click Access > Authentication Agents > Authentication Manager Contact List > Manage Existing.

  2. Use the search fields to find the contact list that you want to duplicate.

  3. From the search results, click the contact list that you want to duplicate.

  4. From the context menu, click Duplicate.

  5. Enter a new name for the contact list.

  6. Click Save.

Delete a Manual Contact List

When you delete a manual contact list, the list is removed from the deployment and can no longer be assigned to authentication agents. Unless you assign a new manual contact list to the agent, RSA Authentication Manager automatically assigns an automatic contact list the next time the agent authenticates.

Before you begin 

You must be a Super Admin.

Procedure 

  1. In the Security Console, click Access > Authentication Agents > Authentication Manager Contact List > Manage Existing.

  2. Use the search fields to find the contact list with which you want to work.

  3. From the search results, click the contact list that you want to delete.

  4. From the context menu, click Delete.

  5. Click OK.

Update Contact Lists Automatically

As replica instances are added to or removed from your deployment, your contact lists must occasionally be updated to add or remove references to these instances. To update your manual and automatic contact lists, you must perform an automatic rebalance.

When you perform an automatic rebalance, the following happens:

  • Manual Contact Lists. RSA Authentication Manager deletes references to instances that have been removed from the deployment.

  • Automatic Contact Lists. Authentication Manager deletes instances that have been removed from the deployment, and adds references to instances that have been added to the deployment.

Note:  In a deployment with more than ten replica instances, the lists must be edited manually.

Procedure 

  1. In the Security Console, click Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.

  2. Click Rebalance.
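
The rebalance rules above, modeled as an added example for planning a change before you click Rebalance. This is not RSA code or an RSA API: the data layout, the function name, the list names, and the sample IP addresses are constructed, and the order in which new instances are appended to an automatic list is an assumption.

```python
# Added example: a model of the automatic rebalance rules described on this page.
# Hypothetical data layout and names; not an RSA Authentication Manager API.
MAX_ENTRIES = 11        # per-list limit stated on this page
MAX_AUTO_REPLICAS = 10  # above this, the page says lists must be edited manually


def rebalance(lists, deployment):
    """Return (new_lists, notes).

    lists:      name -> {"type": "manual" | "automatic", "instances": [ip, ...]}
    deployment: current instance IPs, primary first, then replicas.
    """
    current = set(deployment)
    manual_only = len(deployment) - 1 > MAX_AUTO_REPLICAS
    new_lists, notes = {}, []
    for name, cl in lists.items():
        # Both list types lose references to instances no longer deployed.
        kept = [ip for ip in cl["instances"] if ip in current]
        stale = [ip for ip in cl["instances"] if ip not in current]
        if stale:
            notes.append(f"{name}: removed stale {stale}")
        if cl["type"] == "automatic":
            if manual_only:
                notes.append(f"{name}: more than ten replicas, edit manually")
            else:
                # Only automatic lists gain new instances.
                # Assumption: they are appended in deployment order.
                kept += [ip for ip in deployment if ip not in kept]
        if not kept:
            notes.append(f"{name}: empty after rebalance")
        if len(kept) > MAX_ENTRIES:
            notes.append(f"{name}: exceeds the limit of {MAX_ENTRIES}")
        new_lists[name] = {"type": cl["type"], "instances": kept}
    return new_lists, notes


# Constructed sample: replica 192.0.2.12 was removed, replica 192.0.2.13 was added.
LISTS = {
    "branch-replicas": {"type": "manual", "instances": ["192.0.2.11", "192.0.2.12"]},
    "auto-boston": {"type": "automatic",
                    "instances": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]},
}
DEPLOYMENT_AFTER = ["192.0.2.10", "192.0.2.11", "192.0.2.13"]

if __name__ == "__main__":
    result, notes = rebalance(LISTS, DEPLOYMENT_AFTER)
    for name, cl in result.items():
        print(name, cl["instances"])
    print(*notes, sep="\n")
```

In the sample, the manual list shrinks to one replica and does not pick up 192.0.2.13, which is the case where a Super Admin has to add the new replica by hand as described under Edit a Manual Contact List.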

 

 

 

 

