RADIUS Clients
A RADIUS client is a RADIUS-enabled device at the network perimeter that enforces access control for users attempting to access network resources.
A RADIUS client can be one of the following:
VPN server
Wireless access point
Network access server supporting dial-in modems
Dial-in modem
A RADIUS client sends a user’s access request to the RADIUS server. The RADIUS server forwards the request to Authentication Manager (AM) for validation. If AM validates the access request, the RADIUS client accepts the user’s request for network access. Otherwise, the RADIUS client rejects the user’s request for network access.
You can configure RADIUS clients with or without an assigned authentication agent. The difference between the two methods is in the level of access control and logging you want to have.
RADIUS client with an agent. Adding an agent to a RADIUS client allows AM to determine which RADIUS client is used for authentication and to save this information in log files.
When you add a RADIUS client, you have the option to create an associated agent. If you manually configure an agent with the same hostname and IP address as the RADIUS client, the agent is automatically recognized as a RADIUS client agent.
RADIUS client without an agent. Without an assigned RADIUS client agent, AM cannot track which RADIUS client sends authentication requests and you cannot assign a profile to the client. The RADIUS server simply confirms that the shared secret from the RADIUS client matches the shared secret stored in RSA RADIUS, and then forwards the request without any client information to AM.
All authentication requests appear to be coming from the RADIUS server through its assigned authentication agent. While using this method, if you add an agent to a RADIUS client in the Security Console, AM does not associate the agent with the client, so it does not apply any of the agent properties that you specify to the client.
To allow the system to authenticate users from clients with no assigned agent, you must set the SecurID.ini file parameter CheckUserAllowedByClient to 0. By default, this parameter is set to 1, which allows the system to authenticate users from clients with an assigned agent. For more information, see the RSA Authentication Manager RADIUS Reference Guide.
If you need to add a large number of RADIUS clients to AM, you might not want to assign agents to RADIUS clients. For example, you are an ISP administrator and need to add and configure one thousand network access servers with the RSA RADIUS server. Instead of adding an agent to each RADIUS client, you select ANY RADIUS client, and enter the same shared secret for each RADIUS client. When an ANY client sends a network request to its associated RADIUS server, the RADIUS server confirms the shared secret and forwards the request without any client information to AM.
Note: Changes to RADIUS clients take ten minutes to be reflected on the FreeRADIUS server, which is the client refresh time.
For example, if you change the shared secret for a RADIUS client that has already authenticated to a RADIUS server, the RADIUS server continues to use the older client data for up to ten minutes.
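How a RADIUS server can confirm that a request was built with the stored shared secret, shown here with the standard Message-Authenticator attribute (HMAC-MD5 keyed with the secret, RFC 2869). This is an added example, not RSA's code: the page does not say which check RSA RADIUS performs, and the secrets and user name are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, MESSAGE_AUTHENTICATOR = 1, 1, 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, user: str, ident: int = 1) -> bytes:
    """Client side: Access-Request signed with Message-Authenticator."""
    attrs = _attr(USER_NAME, user.encode()) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    # The attribute was added last, so its 16 zeroed value bytes are the tail.
    return header + attrs[:-16] + mac


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC with the stored secret and compare."""
    # No source address is consulted here, as with the <ANY> client.
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    packet, pos = packet[:length], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False  # unsigned request: nothing proves knowledge of the secret


def demo():
    stored = b"constructed-secret"  # constructed sample value
    good = build_access_request(stored, "alice")
    wrong = build_access_request(b"different-secret", "alice")
    return verify_access_request(stored, good), verify_access_request(stored, wrong)
```

Because the check depends only on the secret, a secret shared by many devices behind the ANY client is the single control separating them from any other sender.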
Add a RADIUS Client
You must add a RADIUS client to the deployment for each RADIUS device that is configured to use RSA SecurID as its authentication method. The RADIUS client sends authentication requests to the RSA RADIUS server, which then forwards the request to AM.
If you want to use risk-based authentication (RBA), RBA must be enabled for the agent associated with the RADIUS client.
Before you begin
(Optional) Before you can add a RADIUS client with an IPv6 address, you must create IPv6 network settings on each primary and replica instance in your deployment. For more information, see Create IPv6 Network Settings on a Primary or Replica Instance.
Procedure
1. In the Security Console, click RADIUS > RADIUS Clients > Add New.
2. In the Client Name field, enter the name of the client, for example, VPN-London. If you are creating the <ANY> client in step 3, do not enter a name.
   The name can contain letters, digits, hyphens (-), underlines (_), and spaces. Tabs, @ signs, most symbols, and non-printable characters are not allowed. This field is limited to 50 characters.
   After you save the client, you cannot change its name. If you want to rename the client, you must delete it and then add a new client with the new name.
3. (Optional) Select the ANY Client checkbox if you do not want to track which RADIUS client sends authentication requests (for example, because you want to quickly add many RADIUS clients). Client authentication statistics are not supported for the <ANY> client.
   Authentication requests using the shared secret specified for the <ANY> client are processed regardless of the originating client’s IP address.
   You cannot enter an IP address if you select ANY Client because the IP address is not applicable. Go to step 5.
   If you select this option, you also need to disable proxy authentication so that the RADIUS server does not authenticate on behalf of this RADIUS client.
4. In the IP Address Type field, select the RADIUS client IP address type that is required by your agents.
   If this is an IPv4 RADIUS client, do the following:
      Select IPv4.
      In the IPv4 Address field, enter the IPv4 address of the RADIUS client, for example, 111.222.33.44.
   If this is an IPv6 RADIUS client, do the following:
      Select IPv6.
      In the IPv6 Address field, enter the IPv6 address of the RADIUS client, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7335.
   In addition to the IPv6 address that you enter, AM automatically creates an IPv4 address for the RADIUS client. This IPv4 address begins with the number “255,” and it is not used for communication with agents. Authentication Manager uses this number to identify the RADIUS client.
5. In the Make/Model drop-down list, select the type of RADIUS client. If you are unsure of the make and model of the RADIUS client, select Standard Radius.
   The RADIUS server uses the make and model to determine which dictionary of RADIUS attributes to use when communicating with this client.
6. In the Shared Secret field, enter the authentication shared secret (case-sensitive password) that you specified during the RADIUS client installation and configuration.
   The RADIUS client uses the same shared secret when communicating with RADIUS on the primary server or RADIUS on the replica server.
7. In the Notes field, enter any notes for this client, for example, “Located at London site.”
8. In the Authentication Settings section, select how validation is performed for user requests to this RADIUS Client.
   Apply Local RADIUS Client Settings: Enable this option to override global settings and apply local settings.
   Password Authentication: Select this option to use the password as the primary authentication method. This allows AM to validate your password for this client.
   When enabled, you must first provide your password for authentication. Once the password is successfully verified, you are prompted to authenticate using any available step-up authentication methods. For example, if using SecurID, you must enter your password first. Once verified, you are prompted to select the SecurID authentication method and enter the SecurID OTP. Inline password changes are not supported during RADIUS authentication.
   Note: RADIUS authentication for Trusted Realms is supported only if both AM servers are on version 8.8 or later. For more information, see Add a RADIUS Client Agent.
   Cloud MFA Experience: A connection to CAS allows you to enable or disable the Cloud MFA Experience. If you select this option, you can configure the RADIUS client to use Cloud MFA authentication methods. If you enable Cloud MFA Experience, you must configure an Access policy, and you can optionally set up Push notification.
   Note: The Cloud MFA Experience is not supported for users authenticating through Trusted Realms.
   If enabled, configure the following:
   Note: The options for Access Policy, Push Notification, Authentication Method Timeout, and Allow Code Matching appear only when Cloud MFA Experience is enabled. If Cloud MFA Experience is not enabled, these options are not available.
      Access policy: This field is, by default, populated with the CAS policy used when AM is connected to CAS. You can change it to any custom CAS access policy that is up to 255 characters. Ensure it includes at least one of the following methods: Approve, SecurID OTP, Authenticate OTP, Device Biometrics, SMS OTP, Voice OTP, or Emergency Access Code.
      Note: RADIUS does not support other methods or authentication conditions in access policies. For more information on authentication conditions, see Access Policies.
      Push Notification: (Optional) Enable this option to allow the RADIUS client to send push notifications for Approve and Device Biometrics methods. This setting enables users to authenticate without manually selecting a method. If users do not respond within 40 seconds, they are prompted to choose an alternative method from the Access policy.
      Always Send Push Notification: This option is available only when Push Notification is enabled. If selected, you must authenticate using Approve or Device Biometrics, based on the assurance level specified in the access policy for the RADIUS client.
      Authentication Method Timeout: Configure a timeout when you have enabled Password Authentication, Cloud MFA Experience, and Push Notification. The default server timeout is 40 seconds, but it can be adjusted. If the assurance level provides an alternate method, SecurID recommends allowing users 10-40 seconds to complete that method, without exceeding the client's connection timeout.
      If the user interacts with the notification or opens the RSA Authenticator app, the timeout resets to 60 seconds. If there is no interaction and the device does not receive the notification, mobile authentication will time out on the RADIUS Client after 90 seconds, resulting in authentication failure.
      Note: You cannot configure the timeout if Cloud MFA Experience and Push Notification are enabled without Password authentication. In this case, the default timeout will be 90 seconds.
      Allow Code Matching: This field is enabled by default to allow the RADIUS client to send code matching prompts to users based on the CAS configuration. For more information, see Configure Code Matching Settings.
      Note: Ensure that this setting is enabled on both CAS and AM so users can receive prompts for Approve or Device Biometrics methods. Disable this setting in AM for any RADIUS client that does not support code matching.
9. To save your changes, do one of the following:
      Click Save and Create Associated RSA Agent. This choice allows Authentication Manager to determine which RADIUS agent is used for authentication and to log this information. This option is required if you want to use risk-based authentication (RBA).
      Click Save only if you have disabled proxied authentication (by setting the securid.ini file parameter CheckUserAllowedByClient to 0). In this case, you cannot assign a profile to this client, and all authentications appear to Authentication Manager as though they are coming from the RADIUS server.
After you finish
If you created an associated RSA agent for this RADIUS client, you must configure the agent.
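When many clients are added at once, a pre-flight check of the planned list against the field rules in this procedure catches rejects before they are typed into the Security Console. The following is an added example, not an RSA tool: the record layout and sample inventory are constructed, "letters" is assumed to mean ASCII letters, and the shared-secret reuse check is an extra review point, not a rule stated on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Client Name rule from the procedure: letters, digits, hyphens, underlines,
# spaces, at most 50 characters. Assumption: letters are ASCII only.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,50}")


def lint_clients(clients):
    """Return (client label, problem) pairs for a planned RADIUS client list."""
    problems = []
    by_secret = defaultdict(list)
    for c in clients:
        label = "<ANY>" if c.get("any") else c.get("name", "")
        if c.get("any"):
            # The <ANY> client takes neither a name nor an IP address.
            if c.get("name") or c.get("ip"):
                problems.append((label, "ANY client must not have a name or IP address"))
        else:
            if not NAME_RE.fullmatch(c.get("name", "")):
                problems.append((label, "name breaks the character or length rule"))
            try:
                ipaddress.ip_address(c.get("ip", ""))
            except ValueError:
                problems.append((label, "IP address is not valid IPv4 or IPv6"))
        by_secret[c.get("secret", "")].append(label)
    # Added review point: one secret covering several named devices.
    for labels in by_secret.values():
        if len(labels) > 1:
            problems.append((", ".join(labels), "shared secret reused across clients"))
    return problems


SAMPLE = [  # constructed inventory; secrets are placeholders
    {"name": "VPN-London", "ip": "192.0.2.10", "secret": "placeholder-1"},
    {"name": "AP@Paris", "ip": "2001:db8::1", "secret": "placeholder-2"},
    {"name": "NAS_Berlin", "ip": "192.0.2.300", "secret": "placeholder-1"},
    {"any": True, "secret": "placeholder-3"},
]
```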
Edit a RADIUS Client
Edit a RADIUS client if you need to change its properties, such as the Shared secret, IP address or Authentication Settings. For example, you might edit the shared secret because your corporate security policy requires a password change. When you update a RADIUS client make and model, you might need to update the RADIUS profile attributes. If a make and model is no longer used in your deployment, any unused attributes are marked as unknown. You can edit the authentication settings to enable or disable Password Authentication and the Cloud MFA Experience.
Procedure
1. In the Security Console, click RADIUS > RADIUS Clients > Manage Existing.
2. Click the client that you want to edit.
3. From the context menu, click Edit.
4. On the RADIUS Client page, make any necessary changes to the client. For more information, see Add a RADIUS Client or Add a RADIUS Client Agent.
5. Click Save.
After you save the client record, the Security Console displays the secret as eight asterisks (*) in the client properties, regardless of how many characters you entered.
By default, Authentication Manager requires up to 600 seconds (10 minutes) to reflect any updates that are made to RADIUS clients that previously authenticated to the RADIUS server. To change this time, see Change How Often the RADIUS Server Updates RADIUS Client Information.
Restarting the RADIUS server causes any changes to take effect immediately. See Restart a RADIUS Server.
Authentication Manager replication notifies the RADIUS servers on the replica instances about this updated client.
Delete a RADIUS Client
Delete a RADIUS client to permanently remove the RADIUS client from RSA Authentication Manager. For example, you might delete a RADIUS client if you remove the RADIUS device from the network.
If you delete a RADIUS client, AM also deletes the agent associated with the RADIUS client.
Procedure
1. In the Security Console, click RADIUS > RADIUS Clients > Manage Existing.
2. Click the client that you want to delete.
3. From the context menu, click Delete.