Contact Lists for Authentication Requests

Document created by RSA Information Design and Development on Jun 13, 2017Last modified by RSA Information Design and Development on Feb 12, 2018
Version 3Show Document
  • View in full screen mode

Contact lists are ordered lists of instances available to accept authentication requests, and are created either automatically by Authentication Manager, or manually by an administrator.

Authentication Manager uses contact lists to determine to which instance authentication requests are sent. Authentication Manager sends contact lists to each agent after the initial contact between the agent and Authentication Manager.

Depending on your license type, your Authentication Manager deployment can have a primary instance and up to 15 replica instances. To increase efficiency, use contact lists to route authentication requests from agents to the instances that can respond the quickest.

Agents request new contact lists as a part of subsequent authentications. Periodically, the agent reviews all the instances listed in the contact list to determine where to send authentication requests. The agent uses metrics, such as the amount of time it takes the instance to respond to authentication requests, to determine where to send requests.

If none of the servers on the contact list respond to authentication requests, the agent reverts to the Authentication Manager configuration file and uses an IP address in the configuration file to reconnect with Authentication Manager.

RSA RADIUS supports contact lists for the RADIUS server agent. RADIUS client agents do not support contact lists because there is no authentication agent software installed on RADIUS clients. The associated agent record in the internal database enables Authentication Manager to track RADIUS authentication attempts made through the RADIUS server. For more information, see RADIUS Clients.

IPv4/IPv6 agents do not support contact lists.

Automatic Contact Lists

An automatic contact list is assigned to each instance in your deployment. The list contains the IP addresses of each instance the contact list is assigned to, up to a limit of 11. Agents receive automatic contact lists by default.

Authentication Manager automatically updates these lists each time a new instance is added to the deployment. When the list is updated, a time stamp associated with the list is also updated. Agents use this time stamp to determine when to request an updated list.

The Super Admin can edit an automatic contact list in the Security Console on the Edit Authentication Manager Contact List page. Any edits that you make to an automatic contact list may be overwritten when a new instance is added to the deployment.

Manual Contact Lists

The Super Admin updates manual contact lists to reflect the most recent list of instances. Manual lists can contain the IP address of any instance in the deployment, up to a limit of 11.

For many organizations, automatic contact lists are sufficient. However, you may choose to create a manual contact list if you have a specific way that you want to route authentication requests.

For example, suppose that you are an administrator at a company that has Boston, New York, and San Jose locations. The New York and San Jose locations are small and all authentications are routed to Authentication Manager replica instances at each site. The Boston location, however, is largest, and the primary instance at that location handles all Boston location users, as well as all VPN requests from external users. You can create a manual contact list that routes authentication requests to the replica instances. This leaves the primary instance free to replicate data to the replica instances in New York and San Jose.

For instructions, see Add a Manual Contact List, Assign a Contact List to an Authentication Agent, and Edit a Manual Contact List.