Add a RADIUS Client

You must add a RADIUS client to the deployment for each RADIUS device that is configured to use RSA SecurID as its authentication method. The RADIUS client sends authentication requests to the RSA RADIUS server, which then forwards the request to RSA Authentication Manager.

If you want to use risk-based authentication (RBA), RBA must be enabled for the agent associated with the RADIUS client.

Before you begin 

(Optional) Before you can add a RADIUS client with an IPv6 address, you must create IPv6 network settings on each primary and replica instance in your deployment. For instructions, see Create IPv6 Network Settings on a Primary or Replica Instance.

Procedure 

1. In the Security Console, click RADIUS > RADIUS Clients > Add New.

2. In the Client Name field, enter the name of the client, for example, VPN-London. If you are creating the <ANY> client in step 3, do not enter a name.

   The name can contain letters, digits, hyphens (–), underlines(_), and spaces. Tabs, @ signs, most symbols, and non-printable characters are not allowed. This field is limited to 50 characters.

   After you save the client, you cannot change its name. If you want to rename the client, you must delete it and then add a new client with the new name.

3. (Optional) Select the ANY Client checkbox if you do not want to track which RADIUS client sends authentication requests (for example, because you want to quickly add many RADIUS clients). Client authentication statistics are not supported for the <ANY> client.

   Authentication requests using the shared secret specified for the <ANY> client are processed regardless of the originating client’s IP address.

   You cannot enter an IP address if you select ANY Client because the IP address is not applicable. Go to step 5.

   If you select this option, you also need to disable proxy authentication so that the RADIUS server does not authenticate on behalf of this RADIUS client.

4. In the IP Address Type field, select the RADIUS client IP address type that is required by your agents.

   • If this is an IPv4 RADIUS client, do the following:

     1. Select IPv4.

     2. In the IPv4 Address field, enter the IPv4 address of the RADIUS client, for example, 111.222.33.44.

   • If this is an IPv6 RADIUS client, do the following:

     1. Select IPv6.

     2. In the IPv6 Address field, enter the IPv6 address of the RADIUS client, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7335.

     In addition to the IPv6 address that you enter, Authentication Manager automatically creates an IPv4 address for the RADIUS client. This IPv4 address begins with the number “255,” and it is not used for communication with agents. Authentication Manager uses this number to identify the RADIUS client.

5. In the Make/Model drop-down list, select the type of RADIUS client. If you are unsure of the make and model of the RADIUS client, select Standard Radius.

   The RADIUS server uses the make and model to determine which dictionary of RADIUS attributes to use when communicating with this client.

6. In the Shared Secret field, enter the authentication shared secret (case-sensitive password) that you specified during the RADIUS client installation and configuration.

   The RADIUS client uses the same shared secret when communicating with the RADIUS on the primary server or RADIUS on the replica server.

7. In the Notes field, enter any notes for this client, for example, “Located at London site.”

8. In the Authentication Settings section, select how validation is performed for user requests to this RADIUS Client.

   • Apply Local RADIUS Client Settings: Enable this option to override global settings and apply local settings.

   • Password Authentication: Select this option to use the password as the primary authentication method. This allows AM to validate your password for this client.

     When enabled, you must first provide your password for authentication. Once the password is successfully verified, you are prompted to authenticate using any available step-up authentication methods. For example, if using SecurID, you must enter your password first. Once verified, you are prompted to select the SecurID authentication method and enter the SecurID OTP. Inline password changes are not supported during RADIUS authentication.

     Note:  RADIUS authentication for Trusted Realms is supported only if both AM servers are on version 8.8 or later. For more details, see Add a RADIUS Client Agent.

   • Cloud MFA Experience: A connection to Cloud Authentication Service (CAS) allows you to enable or disable the Cloud MFA Experience. If you select this option, you can configure the RADIUS client to use Cloud MFA authentication methods. If you enable Cloud MFA Experience, you must configure an Access policy, and you can optionally set up Push notification.

     Note:  The Cloud MFA Experience is not supported for users authenticating through Trusted Realms.

     If enabled, configure the following:

     Note:  The options for Access Policy, Push Notification, Authentication Method Timeout and Allow Code Matching, appear only when Cloud MFA Experience is enabled. If Cloud MFA Experience is not enabled, these options are not available.

     • Access policy: This field is, by default, populated with CAS policy used when the AM is connected to the CAS. You can change it to any custom CAS access policy that is up to 255 characters. Ensure it includes at least one of following methods: Approve, SecurID OTP, Authenticate OTP, Device Biometrics, SMS OTP, Voice OTP, or Emergency Access Code.

       Note:  RADIUS does not support other methods or authentication conditions in access policies. For more details on authentication conditions, see Access Policies.

     • Push Notification: (Optional) Enable this option to allow the RADIUS client to send push notifications for Approve and Device Biometrics methods. This setting enables users to authenticate without manually selecting a method. If you do not respond within 40 seconds, they are prompted to choose an alternative method from the Access policy.

       • Always Send Push Notification: This option is available only when Push Notification is enabled. If selected, you must authenticate using Approve or Device Biometrics, based on the assurance level specified in the access policy for the RADIUS client.

     • Authentication Method Timeout: Configure a timeout when you have enabled Password Authentication, Cloud MFA Experience, and Push Notification. The default server timeout is 40 seconds, but it can be adjusted. If the assurance level provides an alternate method, SecurID recommends allowing users 10-40 seconds to complete that method, without exceeding the client's connection timeout.

       • If the user interacts with notification or opens the SecurID app, the timeout resets to 60 seconds. If there is no interaction and the device does not receive notification, mobile authentication will time out on the RADIUS Client after 90 seconds, resulting in authentication failure.
         

         Note:  You cannot configure the timeout if Cloud MFA Experience and Push Notification are enabled without Password authentication. In this case, the default timeout will be 90 seconds.

     • Allow Code Matching: This field is enabled by default to allow the RADIUS client to send code matching prompts to users based on the CAS configuration. For more details, see Configure Code Matching Settings.

       Note:  Ensure that this setting is enabled on both CAS and AM so users can receive prompts for Approve or Device Biometrics methods. Disable this setting in AM for any RADIUS client that does not support code matching.

9. To save your changes, do one of the following:

   • Click Save and Create Associated RSA Agent. This choice allows Authentication Manager to determine which RADIUS agent is used for authentication and to log this information. This option is required if you want to use risk-based authentication (RBA).

   • Click Save only if you have disabled proxied authentication (by setting the securid.ini file parameter CheckUserAllowedByClient to 0). In this case, you cannot assign a profile to this client, and all authentications appear to Authentication Manager as though they are coming from the RADIUS server.

After you finish 

If you created an associated RSA agent for this RADIUS client, you must configure the agent.